From 986a9ef6217b6b0aa52558fd3a48434526ac0b13 Mon Sep 17 00:00:00 2001
From: Eirik Bjorsnos
Date: Sat, 15 Apr 2023 14:40:07 +0200
Subject: [PATCH] Reduce exposure to the deprecated for-removal javax.security.cert APIs

---
 .../java/org/conscrypt/ActiveSession.java | 32 -------------------
 .../java/org/conscrypt/ConscryptSession.java | 9 ++++++
 .../java/org/conscrypt/ExternalSession.java | 6 ----
 .../conscrypt/Java7ExtendedSSLSession.java | 6 ----
 .../java/org/conscrypt/SSLNullSession.java | 7 ----
 .../src/main/java/org/conscrypt/SSLUtils.java | 22 -------------
 .../java/org/conscrypt/SessionSnapshot.java | 11 -------
 .../javax/net/ssl/SSLSessionTest.java | 28 ----------------
 .../SSLSocketVersionCompatibilityTest.java | 7 ----
 9 files changed, 9 insertions(+), 119 deletions(-)

diff --git a/common/src/main/java/org/conscrypt/ActiveSession.java b/common/src/main/java/org/conscrypt/ActiveSession.java
index 4e3a4e8f6..a11943f2b 100644
--- a/common/src/main/java/org/conscrypt/ActiveSession.java
+++ b/common/src/main/java/org/conscrypt/ActiveSession.java
@@ -41,8 +41,6 @@ final class ActiveSession implements ConscryptSession {
 private String peerHost;
 private int peerPort = -1;
 private long lastAccessedTime = 0;
- @SuppressWarnings("deprecation")
- private volatile javax.security.cert.X509Certificate[] peerCertificateChain;
 private X509Certificate[] localCertificates;
 private X509Certificate[] peerCertificates;
 private byte[] peerCertificateOcspData;
@@ -193,36 +191,6 @@ public Certificate[] getLocalCertificates() {
 return localCertificates == null ? null : localCertificates.clone();
 }
 
- /**
- * Returns the certificate(s) of the peer in this SSL session
- * used in the handshaking phase of the connection.
- * Please notice hat this method is superseded by
- * getPeerCertificates().
- * @return an array of X509 certificates (the peer's one first and then
- * eventually that of the certification authority) or null if no
- * certificate were used during the SSL connection.
- * @throws SSLPeerUnverifiedException if either a non-X.509 certificate
- * was used (i.e. Kerberos certificates) or the peer could not
- * be verified.
- */
- @Override
- @SuppressWarnings("deprecation") // Public API
- public javax.security.cert.X509Certificate[] getPeerCertificateChain()
- throws SSLPeerUnverifiedException {
- if (!Platform.isJavaxCertificateSupported()) {
- throw new UnsupportedOperationException("Use getPeerCertificates() instead");
- }
- 
- checkPeerCertificatesPresent();
- // TODO(nathanmittler): Should we clone?
- javax.security.cert.X509Certificate[] result = peerCertificateChain;
- if (result == null) {
- // single-check idiom
- peerCertificateChain = result = SSLUtils.toCertificateChain(peerCertificates);
- }
- return result;
- }
- 
 @Override
 public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
 checkPeerCertificatesPresent();
diff --git a/common/src/main/java/org/conscrypt/ConscryptSession.java b/common/src/main/java/org/conscrypt/ConscryptSession.java
index ce89b418b..4069858ee 100644
--- a/common/src/main/java/org/conscrypt/ConscryptSession.java
+++ b/common/src/main/java/org/conscrypt/ConscryptSession.java
@@ -53,5 +53,14 @@ interface ConscryptSession extends SSLSession {
 @Override
 X509Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException;
 
+ @Override
+ @SuppressWarnings("deprecation")
+ default javax.security.cert.X509Certificate[] getPeerCertificateChain()
+ throws SSLPeerUnverifiedException {
+ throw new UnsupportedOperationException(
+ "This method is deprecated and marked for removal. Use the "
+ + "getPeerCertificates() method instead.");
+ }
+ 
 String getApplicationProtocol();
 }
diff --git a/common/src/main/java/org/conscrypt/ExternalSession.java b/common/src/main/java/org/conscrypt/ExternalSession.java
index 0d6057a34..66ffcd516 100644
--- a/common/src/main/java/org/conscrypt/ExternalSession.java
+++ b/common/src/main/java/org/conscrypt/ExternalSession.java
@@ -110,12 +110,6 @@ public Certificate[] getLocalCertificates() {
 return provider.provideSession().getLocalCertificates();
 }
 
- @Override
- @SuppressWarnings("deprecation") // Public API
- public javax.security.cert.X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
- return provider.provideSession().getPeerCertificateChain();
- }
- 
 @Override
 public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
 return provider.provideSession().getPeerPrincipal();
diff --git a/common/src/main/java/org/conscrypt/Java7ExtendedSSLSession.java b/common/src/main/java/org/conscrypt/Java7ExtendedSSLSession.java
index aae280066..361d8a246 100644
--- a/common/src/main/java/org/conscrypt/Java7ExtendedSSLSession.java
+++ b/common/src/main/java/org/conscrypt/Java7ExtendedSSLSession.java
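Review bot: The new default throws UnsupportedOperationException unconditionally, so on runtimes where the removed ActiveSession override used to return a converted chain (it only threw when Platform.isJavaxCertificateSupported() was false) every caller of getPeerCertificateChain() now fails — including HandshakeCompletedEvent.getPeerCertificateChain(), which the deleted SSLSocketVersionCompatibilityTest assertions exercised — and the commit message does not record that behavior change. Failing closed is the right outcome for a peer-identity accessor, since a caller can no longer receive a partial or differently-typed chain without noticing, but the contract belongs on the method rather than only in the exception text. Suggest Javadoc on the default such as `/** Always throws {@link UnsupportedOperationException}: javax.security.cert is deprecated for removal; use {@link #getPeerCertificates()} instead. */` with an `@throws UnsupportedOperationException always` tag, plus a release-note entry naming the runtimes affected. The ConscryptSession interface declaration starts outside the hunk.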
@@ -132,12 +132,6 @@ public final Certificate[] getLocalCertificates() {
 return delegate.getLocalCertificates();
 }
 
- @Override
- @SuppressWarnings("deprecation") // Public API
- public final javax.security.cert.X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
- return delegate.getPeerCertificateChain();
- }
- 
 @Override
 public final Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
 return delegate.getPeerPrincipal();
diff --git a/common/src/main/java/org/conscrypt/SSLNullSession.java b/common/src/main/java/org/conscrypt/SSLNullSession.java
index 69d6337a3..9ca5f0e0e 100644
--- a/common/src/main/java/org/conscrypt/SSLNullSession.java
+++ b/common/src/main/java/org/conscrypt/SSLNullSession.java
@@ -115,13 +115,6 @@ public int getPacketBufferSize() {
 return NativeConstants.SSL3_RT_MAX_PACKET_SIZE;
 }
 
- @Override
- @SuppressWarnings("deprecation") // Public API
- public javax.security.cert.X509Certificate[] getPeerCertificateChain()
- throws SSLPeerUnverifiedException {
- throw new SSLPeerUnverifiedException("No peer certificate");
- }
- 
 @Override
 public X509Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
 throw new SSLPeerUnverifiedException("No peer certificate");
diff --git a/common/src/main/java/org/conscrypt/SSLUtils.java b/common/src/main/java/org/conscrypt/SSLUtils.java
index 39eb05a42..29b9bc7ca 100644
--- a/common/src/main/java/org/conscrypt/SSLUtils.java
+++ b/common/src/main/java/org/conscrypt/SSLUtils.java
@@ -313,28 +313,6 @@ static byte[][] encodeSubjectX509Principals(X509Certificate[] certificates)
 return principalBytes;
 }
 
- /**
- * Converts the peer certificates into a cert chain.
- */
- @SuppressWarnings("deprecation") // Used in public Conscrypt APIs
- static javax.security.cert.X509Certificate[] toCertificateChain(X509Certificate[] certificates)
- throws SSLPeerUnverifiedException {
- try {
- javax.security.cert.X509Certificate[] chain =
- new javax.security.cert.X509Certificate[certificates.length];
- 
- for (int i = 0; i < certificates.length; i++) {
- byte[] encoded = certificates[i].getEncoded();
- chain[i] = javax.security.cert.X509Certificate.getInstance(encoded);
- }
- return chain;
- } catch (CertificateEncodingException | javax.security.cert.CertificateException e) {
- SSLPeerUnverifiedException exception = new SSLPeerUnverifiedException(e.getMessage());
- exception.initCause(e);
- throw exception;
- }
- }
- 
 /**
 * Calculates the minimum bytes required in the encrypted output buffer for the given number of
 * plaintext source bytes.
diff --git a/common/src/main/java/org/conscrypt/SessionSnapshot.java b/common/src/main/java/org/conscrypt/SessionSnapshot.java
index 1fc708c5e..8880b8333 100644
--- a/common/src/main/java/org/conscrypt/SessionSnapshot.java
+++ b/common/src/main/java/org/conscrypt/SessionSnapshot.java
@@ -140,17 +140,6 @@ public Certificate[] getLocalCertificates() {
 return null;
 }
 
- @Override
- @SuppressWarnings("deprecation") // Public API
- public javax.security.cert.X509Certificate[] getPeerCertificateChain()
- throws SSLPeerUnverifiedException {
- if (!Platform.isJavaxCertificateSupported()) {
- throw new UnsupportedOperationException("Use getPeerCertificates() instead");
- }
- 
- throw new SSLPeerUnverifiedException("No peer certificates");
- }
- 
 @Override
 public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
 throw new SSLPeerUnverifiedException("No peer certificates");
diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSessionTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSessionTest.java
index 9f99c1f82..2ebae67cc 100644
--- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSessionTest.java
+++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSessionTest.java
@@ -190,34 +190,6 @@ public void test_SSLSession_getPacketBufferSize() {
 s.close();
 }
 
- @Test
- public void test_SSLSession_getPeerCertificateChain() throws Exception {
- TestSSLSessions s = TestSSLSessions.create();
- try {
- s.invalid.getPeerCertificateChain();
- fail();
- } catch (SSLPeerUnverifiedException expected) {
- // Ignored.
- } catch (UnsupportedOperationException e) {
- if (!StandardNames.IS_15_OR_UP) {
- fail("Should only throw UnsupportedOperationException on OpenJDK 15 or up");
- }
- }
- assertNotNull(s.client.getPeerCertificates());
- TestKeyStore.assertChainLength(s.client.getPeerCertificates());
- try {
- assertNull(s.server.getPeerCertificateChain());
- fail();
- } catch (SSLPeerUnverifiedException expected) {
- // Ignored.
- } catch (UnsupportedOperationException e) {
- if (!StandardNames.IS_15_OR_UP) {
- fail("Should only throw UnsupportedOperationException on OpenJDK 15 or up");
- }
- }
- s.close();
- }
- 
 @Test
 public void test_SSLSession_getPeerCertificates() throws Exception {
 TestSSLSessions s = TestSSLSessions.create();
diff --git a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java
index 5ce4d5ff8..ac29f0201 100644
--- a/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java
+++ b/common/src/test/java/org/conscrypt/javax/net/ssl/SSLSocketVersionCompatibilityTest.java
@@ -371,8 +371,6 @@ public void handshakeCompleted(HandshakeCompletedEvent event) {
 String cipherSuite = event.getCipherSuite();
 Certificate[] localCertificates = event.getLocalCertificates();
 Certificate[] peerCertificates = event.getPeerCertificates();
- javax.security.cert.X509Certificate[] peerCertificateChain =
- event.getPeerCertificateChain();
 Principal peerPrincipal = event.getPeerPrincipal();
 Principal localPrincipal = event.getLocalPrincipal();
 socket = event.getSocket();
@@ -401,11 +399,6 @@ public void handshakeCompleted(HandshakeCompletedEvent event) {
 .assertServerCertificateChain(c.clientTrustManager, peerCertificates);
 TestSSLContext
 .assertCertificateInKeyStore(peerCertificates[0], c.serverKeyStore);
- assertNotNull(peerCertificateChain);
- TestKeyStore.assertChainLength(peerCertificateChain);
- assertNotNull(peerCertificateChain[0]);
- TestSSLContext.assertCertificateInKeyStore(
- peerCertificateChain[0].getSubjectDN(), c.serverKeyStore);
 assertNotNull(peerPrincipal);
 TestSSLContext.assertCertificateInKeyStore(peerPrincipal, c.serverKeyStore);
 assertNull(localPrincipal);