8262186: Call X509KeyManager.chooseClientAlias once for all key types
Reviewed-by: xuelei
wangweij committed Aug 31, 2021
1 parent c1e0aac commit 3d657eb
Showing 4 changed files with 296 additions and 151 deletions.
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -1043,6 +1043,7 @@ private static SSLPossession choosePossession(
}

Collection<String> checkedKeyTypes = new HashSet<>();
List<String> supportedKeyTypes = new ArrayList<>();
for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -1051,6 +1052,7 @@ private static SSLPossession choosePossession(
}
continue;
}
checkedKeyTypes.add(ss.keyAlgorithm);

// Don't select a signature scheme unless we will be able to
// produce a CertificateVerify message later
@@ -1064,36 +1066,28 @@ private static SSLPossession choosePossession(
"Unable to produce CertificateVerify for " +
"signature scheme: " + ss.name);
}
checkedKeyTypes.add(ss.keyAlgorithm);
continue;
}

SSLAuthentication ka = X509Authentication.valueOf(ss);
X509Authentication ka = X509Authentication.valueOf(ss);
if (ka == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unsupported authentication scheme: " + ss.name);
}
checkedKeyTypes.add(ss.keyAlgorithm);
continue;
}

SSLPossession pos = ka.createPossession(hc);
if (pos == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unavailable authentication scheme: " + ss.name);
}
continue;
}

return pos;
supportedKeyTypes.add(ss.keyAlgorithm);
}

if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning("No available authentication scheme");
SSLPossession pos = X509Authentication
.createPossession(hc, supportedKeyTypes.toArray(String[]::new));
if (pos == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning("No available authentication scheme");
}
}
return null;
return pos;
}

private byte[] onProduceCertificate(ClientHandshakeContext chc,
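Review bot: When every requested scheme is skipped by a `continue` in the loop, `supportedKeyTypes` is empty and `X509Authentication.createPossession(hc, supportedKeyTypes.toArray(String[]::new))` is still called with a zero-length array. That method is not shown on this page, but going by the commit title the array ends up in a single `X509KeyManager.chooseClientAlias` call, so an application-supplied key manager could be handed an empty `keyType` array, which the old per-type calls never produced. A guard before the call, `if (supportedKeyTypes.isEmpty()) return null;` placed after the existing "No available authentication scheme" warning, keeps key-manager code out of that path. The same lines appear in the second `choosePossession(HandshakeContext hc)` section; the top of both methods is collapsed here, so an earlier check may already cover part of this.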
@@ -731,6 +731,7 @@ private static SSLPossession choosePossession(HandshakeContext hc)
}

Collection<String> checkedKeyTypes = new HashSet<>();
List<String> supportedKeyTypes = new ArrayList<>();
for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -739,6 +740,7 @@ private static SSLPossession choosePossession(HandshakeContext hc)
}
continue;
}
checkedKeyTypes.add(ss.keyAlgorithm);

// Don't select a signature scheme unless we will be able to
// produce a CertificateVerify message later
@@ -752,36 +754,28 @@ private static SSLPossession choosePossession(HandshakeContext hc)
"Unable to produce CertificateVerify for " +
"signature scheme: " + ss.name);
}
checkedKeyTypes.add(ss.keyAlgorithm);
continue;
}

SSLAuthentication ka = X509Authentication.valueOf(ss);
X509Authentication ka = X509Authentication.valueOf(ss);
if (ka == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unsupported authentication scheme: " + ss.name);
}
checkedKeyTypes.add(ss.keyAlgorithm);
continue;
}

SSLPossession pos = ka.createPossession(hc);
if (pos == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unavailable authentication scheme: " + ss.name);
}
continue;
}

return pos;
supportedKeyTypes.add(ss.keyAlgorithm);
}

if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning("No available authentication scheme");
SSLPossession pos = X509Authentication
.createPossession(hc, supportedKeyTypes.toArray(String[]::new));
if (pos == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning("No available authentication scheme");
}
}
return null;
return pos;
}
}
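Review bot: This `choosePossession(HandshakeContext hc)` body is, in the lines shown, identical to the first `choosePossession` section on this page, so the certificate-selection filter now has to be kept in step in two places. Consider one private static helper that takes `hc`, runs the loop and returns the `supportedKeyTypes` list, with both callers passing the result to `X509Authentication.createPossession`; a later fix to the filtering would then reach both callers. The CertificateVerify condition inside the loop is collapsed in both sections, so confirm the two copies really match there before merging them.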


3 comments on commit 3d657eb

@openjdk-notifier

@luchenlin

/backport jdk11u-dev

@openjdk

@openjdk openjdk bot commented on 3d657eb Mar 18, 2024


@luchenlin Could not automatically backport 3d657eb0 to openjdk/jdk11u-dev due to conflicts in the following files:

  • src/java.base/share/classes/sun/security/ssl/X509Authentication.java

Please fetch the appropriate branch/commit and manually resolve these conflicts by using the following commands in your personal fork of openjdk/jdk11u-dev. Note: these commands are just some suggestions and you can use other equivalent commands you know.

# Fetch the up-to-date version of the target branch
$ git fetch --no-tags https://git.openjdk.org/jdk11u-dev.git master:master

# Check out the target branch and create your own branch to backport
$ git checkout master
$ git checkout -b backport-luchenlin-3d657eb0

# Fetch the commit you want to backport
$ git fetch --no-tags https://git.openjdk.org/jdk.git 3d657eb0a626e33995af5d5ddf12b26d06317962

# Backport the commit
$ git cherry-pick --no-commit 3d657eb0a626e33995af5d5ddf12b26d06317962
# Resolve conflicts now

# Commit the files you have modified
$ git add files/with/resolved/conflicts
$ git commit -m 'Backport 3d657eb0a626e33995af5d5ddf12b26d06317962'

Once you have resolved the conflicts as explained above continue with creating a pull request towards the openjdk/jdk11u-dev with the title Backport 3d657eb0a626e33995af5d5ddf12b26d06317962.

Below you can find a suggestion for the pull request body:

Hi all,

This pull request contains a backport of commit 3d657eb0 from the openjdk/jdk repository.

The commit being backported was authored by Weijun Wang on 31 Aug 2021 and was reviewed by Xue-Lei Andrew Fan.

Thanks!
