finagle-core: UsingSslSessionInfo Fails When Local Certificates are Null

Problem / Solution `UsingSslSessionInfo` takes in an `SSLSession` and calls the session's `getLocalCertificates` method to retrieve the collection of local certificates sent as part of this `SSLSession`. However, that method can return 'null', and when it does, construction of `UsingSslSessionInfo` fails. Add a guard which checks for 'null'. JIRA Issues: CSL-8262 Differential Revision: https://phabricator.twitter.biz/D324499
twitter · Jun 7, 2019 · 8d98496 · 8d98496
1 parent a799e22
commit 8d98496
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -58,6 +58,9 @@ Runtime Behavior Changes
 Bug Fixes
 ~~~~~~~~~
 
+* finagle-core: `UsingSslSessionInfo` would fail to be constructed properly when
+  `SSLSession.getLocalCertificates` returns 'null'. ``PHAB_ID=D324499``
+
 * finagle-http: Finagle now properly sets the `Transport.peerCertificate` local context
   when using HTTP/2. ``PHAB_ID=D324392``
 

diff --git a/finagle-core/src/main/scala/com/twitter/finagle/ssl/session/UsingSslSessionInfo.scala b/finagle-core/src/main/scala/com/twitter/finagle/ssl/session/UsingSslSessionInfo.scala
@@ -50,8 +50,11 @@ private[finagle] final class UsingSslSessionInfo(val session: SSLSession) extend
    *
    * @return The sequence of local certificates sent.
    */
-  val localCertificates: Seq[X509Certificate] =
-    session.getLocalCertificates.toSeq.collect { case cert: X509Certificate => cert }
+  val localCertificates: Seq[X509Certificate] = {
+    val localCerts = session.getLocalCertificates
+    if (localCerts == null) Nil
+    else localCerts.toSeq.collect { case cert: X509Certificate => cert }
+  }
 
   /**
    * The `X509Certificate`s that were received from the peer during the SSL/TLS handshake.

diff --git a/finagle-core/src/test/scala/com/twitter/finagle/ssl/session/UsingSslSessionInfoTest.scala b/finagle-core/src/test/scala/com/twitter/finagle/ssl/session/UsingSslSessionInfoTest.scala
@@ -64,6 +64,17 @@ class UsingSslSessionInfoTest extends FunSuite with MockitoSugar {
     assert(sessionInfo.localCertificates.head.getSerialNumber == localSerialNumber)
   }
 
+  test("UsingSslSessionInfo works when local certificates are null") {
+    val nullLocalSession: SSLSession = mock[SSLSession]
+    when(nullLocalSession.getId).thenReturn(sessionID)
+    when(nullLocalSession.getLocalCertificates).thenReturn(null)
+    when(nullLocalSession.getPeerCertificates).thenReturn(Array[Certificate](peerCert))
+    when(nullLocalSession.getCipherSuite).thenReturn("my-made-up-cipher")
+
+    val sessionInfo: SslSessionInfo = new UsingSslSessionInfo(nullLocalSession)
+    assert(sessionInfo.localCertificates.length == 0)
+  }
+
   test("UsingSslSessionInfo returns a peer X509Certificate") {
     assert(sessionInfo.peerCertificates.length == 1)
     assert(sessionInfo.peerCertificates.head.getSerialNumber == peerSerialNumber)