8254631: Better support ALPN byte wire values in SunJSSE

Reviewed-by: xuelei, dfuchs

Author: Bradford Wetmore

src/java.base/share/classes/javax/net/ssl/SSLEngine.java

@@ -336,6 +336,48 @@
  * started, an {@code SSLEngine} can not switch between client and server
  * modes, even when performing renegotiations.
  * <P>
+ * The ApplicationProtocol {@code String} values returned by the methods
+ * in this class are in the network byte representation sent by the peer.
+ * The bytes could be directly compared, or converted to its Unicode
+ * {code String} format for comparison.
+ *
+ * <blockquote><pre>
+ *     String networkString = sslEngine.getHandshakeApplicationProtocol();
+ *     byte[] bytes = networkString.getBytes(StandardCharsets.ISO_8859_1);
+ *
+ *     //
+ *     // Match using bytes:
+ *     //
+ *     //   "http/1.1"                       (7-bit ASCII values same in UTF-8)
+ *     //   MEETEI MAYEK LETTERS "HUK UN I"  (Unicode 0xabcd->0xabcf)
+ *     //
+ *     String HTTP1_1 = "http/1.1";
+ *     byte[] HTTP1_1_BYTES = HTTP1_1.getBytes(StandardCharsets.UTF_8);
+ *
+ *     byte[] HUK_UN_I_BYTES = new byte[] {
+ *         (byte) 0xab, (byte) 0xcd,
+ *         (byte) 0xab, (byte) 0xce,
+ *         (byte) 0xab, (byte) 0xcf};
+ *
+ *     if ((Arrays.compare(bytes, HTTP1_1_BYTES) == 0 )
+ *             || Arrays.compare(bytes, HUK_UN_I_BYTES) == 0) {
+ *        ...
+ *     }
+ *
+ *     //
+ *     // Alternatively match using string.equals() if we know the ALPN value
+ *     // was encoded from a {@code String} using a certain character set,
+ *     // for example {@code UTF-8}.  The ALPN value must first be properly
+ *     // decoded to a Unicode {@code String} before use.
+ *     //
+ *     String unicodeString = new String(bytes, StandardCharsets.UTF_8);
+ *     if (unicodeString.equals(HTTP1_1)
+ *             || unicodeString.equals("\u005cuabcd\u005cuabce\u005cuabcf")) {
+ *         ...
+ *     }
+ * </pre></blockquote>
+ *
+ * <P>
  * Applications might choose to process delegated tasks in different
  * threads.  When an {@code SSLEngine}
  * is created, the current {@link java.security.AccessControlContext}

src/java.base/share/classes/javax/net/ssl/SSLParameters.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -646,6 +646,27 @@ public String[] getApplicationProtocols() {
      * requested by the peer, the underlying protocol will determine what
      * action to take.  (For example, ALPN will send a
      * {@code "no_application_protocol"} alert and terminate the connection.)
+     * <p>
+     * The {@code String} values must be presented using the network
+     * byte representation expected by the peer.  For example, if an ALPN
+     * {@code String} should be exchanged using {@code UTF-8}, the
+     * {@code String} should be converted to its {@code byte[]} representation
+     * and stored as a byte-oriented {@code String} before calling this method.
+     *
+     * <blockquote><pre>
+     *     // MEETEI MAYEK LETTERS HUK UN I (Unicode 0xabcd->0xabcf): 2 bytes
+     *     byte[] bytes = "\u005cuabcd\u005cuabce\u005cuabcf"
+     *             .getBytes(StandardCharsets.UTF_8);
+     *     String HUK_UN_I = new String(bytes, StandardCharsets.ISO_8859_1);
+     *
+     *     // 0x00-0xFF:  1 byte
+     *     String rfc7301Grease8F = "\u005c008F\u005c008F";
+     *
+     *     SSLParameters p = sslSocket.getSSLParameters();
+     *     p.setApplicationProtocols(new String[] {
+     *             "h2", "http/1.1", rfc7301Grease8F, HUK_UN_I});
+     *     sslSocket.setSSLParameters(p);
+     * </pre></blockquote>
      *
      * @implSpec
      * This method will make a copy of the {@code protocols} array.

src/java.base/share/classes/javax/net/ssl/SSLSocket.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -130,6 +130,47 @@
  * socket can not switch between client and server modes, even when
  * performing renegotiations.
  *
+ * <P> The ApplicationProtocol {@code String} values returned by the methods
+ * in this class are in the network byte representation sent by the peer.
+ * The bytes could be directly compared, or converted to its Unicode
+ * {code String} format for comparison.
+ *
+ * <blockquote><pre>
+ *     String networkString = sslSocket.getHandshakeApplicationProtocol();
+ *     byte[] bytes = networkString.getBytes(StandardCharsets.ISO_8859_1);
+ *
+ *     //
+ *     // Match using bytes:
+ *     //
+ *     //   "http/1.1"                       (7-bit ASCII values same in UTF-8)
+ *     //   MEETEI MAYEK LETTERS "HUK UN I"  (Unicode 0xabcd->0xabcf)
+ *     //
+ *     String HTTP1_1 = "http/1.1";
+ *     byte[] HTTP1_1_BYTES = HTTP1_1.getBytes(StandardCharsets.UTF_8);
+ *
+ *     byte[] HUK_UN_I_BYTES = new byte[] {
+ *         (byte) 0xab, (byte) 0xcd,
+ *         (byte) 0xab, (byte) 0xce,
+ *         (byte) 0xab, (byte) 0xcf};
+ *
+ *     if ((Arrays.compare(bytes, HTTP1_1_BYTES) == 0 )
+ *             || Arrays.compare(bytes, HUK_UN_I_BYTES) == 0) {
+ *        ...
+ *     }
+ *
+ *     //
+ *     // Alternatively match using string.equals() if we know the ALPN value
+ *     // was encoded from a {@code String} using a certain character set,
+ *     // for example {@code UTF-8}.  The ALPN value must first be properly
+ *     // decoded to a Unicode {@code String} before use.
+ *     //
+ *     String unicodeString = new String(bytes, StandardCharsets.UTF_8);
+ *     if (unicodeString.equals(HTTP1_1)
+ *             || unicodeString.equals("\u005cuabcd\u005cuabce\u005cuabcf")) {
+ *         ...
+ *     }
+ * </pre></blockquote>
+ *
  * @apiNote
  * When the connection is no longer needed, the client and server
  * applications should each close both sides of their respective connection.

src/java.base/share/classes/sun/security/ssl/AlpnExtension.java

@@ -27,7 +27,10 @@
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
-import java.nio.charset.StandardCharsets;
+import java.nio.charset.Charset;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.Security;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.LinkedList;
@@ -59,6 +62,20 @@ final class AlpnExtension {
 
     static final SSLStringizer alpnStringizer = new AlpnStringizer();
 
+    // Encoding Charset to convert between String and byte[]
+    static final Charset alpnCharset;
+
+    static {
+        String alpnCharsetString = AccessController.doPrivileged(
+                (PrivilegedAction<String>) ()
+                        -> Security.getProperty("jdk.tls.alpnCharset"));
+        if ((alpnCharsetString == null)
+                || (alpnCharsetString.length() == 0)) {
+            alpnCharsetString = "ISO_8859_1";
+        }
+        alpnCharset = Charset.forName(alpnCharsetString);
+    }
+
     /**
      * The "application_layer_protocol_negotiation" extension.
      *
@@ -101,7 +118,7 @@ private AlpnSpec(HandshakeContext hc,
                         "extension: empty application protocol name"));
                 }
 
-                String appProtocol = new String(bytes, StandardCharsets.UTF_8);
+                String appProtocol = new String(bytes, alpnCharset);
                 protocolNames.add(appProtocol);
             }
 
@@ -168,10 +185,10 @@ public byte[] produce(ConnectionContext context,
                 return null;
             }
 
-            // Produce the extension.
+            // Produce the extension:  first find the overall length
             int listLength = 0;     // ProtocolNameList length
             for (String ap : laps) {
-                int length = ap.getBytes(StandardCharsets.UTF_8).length;
+                int length = ap.getBytes(alpnCharset).length;
                 if (length == 0) {
                     // log the configuration problem
                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -223,8 +240,10 @@ public byte[] produce(ConnectionContext context,
             byte[] extData = new byte[listLength + 2];
             ByteBuffer m = ByteBuffer.wrap(extData);
             Record.putInt16(m, listLength);
+
+            // opaque ProtocolName<1..2^8-1>;
             for (String ap : laps) {
-                Record.putBytes8(m, ap.getBytes(StandardCharsets.UTF_8));
+                Record.putBytes8(m, ap.getBytes(alpnCharset));
             }
 
             // Update the context.
@@ -414,14 +433,14 @@ public byte[] produce(ConnectionContext context,
             }
 
             // opaque ProtocolName<1..2^8-1>, RFC 7301.
-            int listLen = shc.applicationProtocol.length() + 1;
-                                                        // 1: length byte
+            byte[] bytes = shc.applicationProtocol.getBytes(alpnCharset);
+            int listLen = bytes.length + 1;             // 1: length byte
+
             // ProtocolName protocol_name_list<2..2^16-1>, RFC 7301.
             byte[] extData = new byte[listLen + 2];     // 2: list length
             ByteBuffer m = ByteBuffer.wrap(extData);
             Record.putInt16(m, listLen);
-            Record.putBytes8(m,
-                    shc.applicationProtocol.getBytes(StandardCharsets.UTF_8));
+            Record.putBytes8(m, bytes);
 
             // Update the context.
             shc.conContext.applicationProtocol = shc.applicationProtocol;

src/java.base/share/conf/security/java.security

@@ -1309,3 +1309,13 @@ jdk.io.permissionsUseCanonicalPath=false
 # System value prevails. The default value of the property is "false".
 #
 #jdk.security.allowNonCaAnchor=true
+
+#
+# The default Character set name (java.nio.charset.Charset.forName())
+# for converting TLS ALPN values between byte arrays and Strings.
+# Prior versions of the JDK may use UTF-8 as the default charset. If
+# you experience interoperability issues, setting this property to UTF-8
+# may help.
+#
+# jdk.tls.alpnCharset=UTF-8
+jdk.tls.alpnCharset=ISO_8859_1