Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
8254631: Better support ALPN byte wire values in SunJSSE
Reviewed-by: xuelei, dfuchs
  • Loading branch information
Bradford Wetmore committed Dec 2, 2020
1 parent 541c7f7 commit fe5cccc
Show file tree
Hide file tree
Showing 6 changed files with 450 additions and 11 deletions.
42 changes: 42 additions & 0 deletions src/java.base/share/classes/javax/net/ssl/SSLEngine.java
Expand Up @@ -336,6 +336,48 @@
* started, an {@code SSLEngine} can not switch between client and server
* modes, even when performing renegotiations.
* <P>
* The ApplicationProtocol {@code String} values returned by the methods
* in this class are in the network byte representation sent by the peer.
* The bytes could be directly compared, or converted to its Unicode
* {code String} format for comparison.
*
* <blockquote><pre>
* String networkString = sslEngine.getHandshakeApplicationProtocol();
* byte[] bytes = networkString.getBytes(StandardCharsets.ISO_8859_1);
*
* //
* // Match using bytes:
* //
* // "http/1.1" (7-bit ASCII values same in UTF-8)
* // MEETEI MAYEK LETTERS "HUK UN I" (Unicode 0xabcd->0xabcf)
* //
* String HTTP1_1 = "http/1.1";
* byte[] HTTP1_1_BYTES = HTTP1_1.getBytes(StandardCharsets.UTF_8);
*
* byte[] HUK_UN_I_BYTES = new byte[] {
* (byte) 0xab, (byte) 0xcd,
* (byte) 0xab, (byte) 0xce,
* (byte) 0xab, (byte) 0xcf};
*
* if ((Arrays.compare(bytes, HTTP1_1_BYTES) == 0 )
* || Arrays.compare(bytes, HUK_UN_I_BYTES) == 0) {
* ...
* }
*
* //
* // Alternatively match using string.equals() if we know the ALPN value
* // was encoded from a {@code String} using a certain character set,
* // for example {@code UTF-8}. The ALPN value must first be properly
* // decoded to a Unicode {@code String} before use.
* //
* String unicodeString = new String(bytes, StandardCharsets.UTF_8);
* if (unicodeString.equals(HTTP1_1)
* || unicodeString.equals("\u005cuabcd\u005cuabce\u005cuabcf")) {
* ...
* }
* </pre></blockquote>
*
* <P>
* Applications might choose to process delegated tasks in different
* threads. When an {@code SSLEngine}
* is created, the current {@link java.security.AccessControlContext}
Expand Down
23 changes: 22 additions & 1 deletion src/java.base/share/classes/javax/net/ssl/SSLParameters.java
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -646,6 +646,27 @@ public String[] getApplicationProtocols() {
* requested by the peer, the underlying protocol will determine what
* action to take. (For example, ALPN will send a
* {@code "no_application_protocol"} alert and terminate the connection.)
* <p>
* The {@code String} values must be presented using the network
* byte representation expected by the peer. For example, if an ALPN
* {@code String} should be exchanged using {@code UTF-8}, the
* {@code String} should be converted to its {@code byte[]} representation
* and stored as a byte-oriented {@code String} before calling this method.
*
* <blockquote><pre>
* // MEETEI MAYEK LETTERS HUK UN I (Unicode 0xabcd->0xabcf): 2 bytes
* byte[] bytes = "\u005cuabcd\u005cuabce\u005cuabcf"
* .getBytes(StandardCharsets.UTF_8);
* String HUK_UN_I = new String(bytes, StandardCharsets.ISO_8859_1);
*
* // 0x00-0xFF: 1 byte
* String rfc7301Grease8F = "\u005c008F\u005c008F";
*
* SSLParameters p = sslSocket.getSSLParameters();
* p.setApplicationProtocols(new String[] {
* "h2", "http/1.1", rfc7301Grease8F, HUK_UN_I});
* sslSocket.setSSLParameters(p);
* </pre></blockquote>
*
* @implSpec
* This method will make a copy of the {@code protocols} array.
Expand Down
43 changes: 42 additions & 1 deletion src/java.base/share/classes/javax/net/ssl/SSLSocket.java
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -130,6 +130,47 @@
* socket can not switch between client and server modes, even when
* performing renegotiations.
*
* <P> The ApplicationProtocol {@code String} values returned by the methods
* in this class are in the network byte representation sent by the peer.
* The bytes could be directly compared, or converted to its Unicode
* {code String} format for comparison.
*
* <blockquote><pre>
* String networkString = sslSocket.getHandshakeApplicationProtocol();
* byte[] bytes = networkString.getBytes(StandardCharsets.ISO_8859_1);
*
* //
* // Match using bytes:
* //
* // "http/1.1" (7-bit ASCII values same in UTF-8)
* // MEETEI MAYEK LETTERS "HUK UN I" (Unicode 0xabcd->0xabcf)
* //
* String HTTP1_1 = "http/1.1";
* byte[] HTTP1_1_BYTES = HTTP1_1.getBytes(StandardCharsets.UTF_8);
*
* byte[] HUK_UN_I_BYTES = new byte[] {
* (byte) 0xab, (byte) 0xcd,
* (byte) 0xab, (byte) 0xce,
* (byte) 0xab, (byte) 0xcf};
*
* if ((Arrays.compare(bytes, HTTP1_1_BYTES) == 0 )
* || Arrays.compare(bytes, HUK_UN_I_BYTES) == 0) {
* ...
* }
*
* //
* // Alternatively match using string.equals() if we know the ALPN value
* // was encoded from a {@code String} using a certain character set,
* // for example {@code UTF-8}. The ALPN value must first be properly
* // decoded to a Unicode {@code String} before use.
* //
* String unicodeString = new String(bytes, StandardCharsets.UTF_8);
* if (unicodeString.equals(HTTP1_1)
* || unicodeString.equals("\u005cuabcd\u005cuabce\u005cuabcf")) {
* ...
* }
* </pre></blockquote>
*
* @apiNote
* When the connection is no longer needed, the client and server
* applications should each close both sides of their respective connection.
Expand Down
37 changes: 28 additions & 9 deletions src/java.base/share/classes/sun/security/ssl/AlpnExtension.java
Expand Up @@ -27,7 +27,10 @@

import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.charset.Charset;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedList;
Expand Down Expand Up @@ -59,6 +62,20 @@ final class AlpnExtension {

static final SSLStringizer alpnStringizer = new AlpnStringizer();

// Encoding Charset to convert between String and byte[]
static final Charset alpnCharset;

static {
String alpnCharsetString = AccessController.doPrivileged(
(PrivilegedAction<String>) ()
-> Security.getProperty("jdk.tls.alpnCharset"));
if ((alpnCharsetString == null)
|| (alpnCharsetString.length() == 0)) {
alpnCharsetString = "ISO_8859_1";
}
alpnCharset = Charset.forName(alpnCharsetString);
}

/**
* The "application_layer_protocol_negotiation" extension.
*
Expand Down Expand Up @@ -101,7 +118,7 @@ private AlpnSpec(HandshakeContext hc,
"extension: empty application protocol name"));
}

String appProtocol = new String(bytes, StandardCharsets.UTF_8);
String appProtocol = new String(bytes, alpnCharset);
protocolNames.add(appProtocol);
}

Expand Down Expand Up @@ -168,10 +185,10 @@ public byte[] produce(ConnectionContext context,
return null;
}

// Produce the extension.
// Produce the extension: first find the overall length
int listLength = 0; // ProtocolNameList length
for (String ap : laps) {
int length = ap.getBytes(StandardCharsets.UTF_8).length;
int length = ap.getBytes(alpnCharset).length;
if (length == 0) {
// log the configuration problem
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
Expand Down Expand Up @@ -223,8 +240,10 @@ public byte[] produce(ConnectionContext context,
byte[] extData = new byte[listLength + 2];
ByteBuffer m = ByteBuffer.wrap(extData);
Record.putInt16(m, listLength);

// opaque ProtocolName<1..2^8-1>;
for (String ap : laps) {
Record.putBytes8(m, ap.getBytes(StandardCharsets.UTF_8));
Record.putBytes8(m, ap.getBytes(alpnCharset));
}

// Update the context.
Expand Down Expand Up @@ -414,14 +433,14 @@ public byte[] produce(ConnectionContext context,
}

// opaque ProtocolName<1..2^8-1>, RFC 7301.
int listLen = shc.applicationProtocol.length() + 1;
// 1: length byte
byte[] bytes = shc.applicationProtocol.getBytes(alpnCharset);
int listLen = bytes.length + 1; // 1: length byte

// ProtocolName protocol_name_list<2..2^16-1>, RFC 7301.
byte[] extData = new byte[listLen + 2]; // 2: list length
ByteBuffer m = ByteBuffer.wrap(extData);
Record.putInt16(m, listLen);
Record.putBytes8(m,
shc.applicationProtocol.getBytes(StandardCharsets.UTF_8));
Record.putBytes8(m, bytes);

// Update the context.
shc.conContext.applicationProtocol = shc.applicationProtocol;
Expand Down
10 changes: 10 additions & 0 deletions src/java.base/share/conf/security/java.security
Expand Up @@ -1309,3 +1309,13 @@ jdk.io.permissionsUseCanonicalPath=false
# System value prevails. The default value of the property is "false".
#
#jdk.security.allowNonCaAnchor=true

#
# The default Character set name (java.nio.charset.Charset.forName())
# for converting TLS ALPN values between byte arrays and Strings.
# Prior versions of the JDK may use UTF-8 as the default charset. If
# you experience interoperability issues, setting this property to UTF-8
# may help.
#
# jdk.tls.alpnCharset=UTF-8
jdk.tls.alpnCharset=ISO_8859_1

1 comment on commit fe5cccc

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.