
Merge pull request #211 from cconlon/trustManagerExceptionMsg
JSSE: pass lower-level exception messages up during X509TrustManager peer verification
JacobBarthelmeh authored Jul 19, 2024
2 parents 1e9509d + 112ac92 commit 3bca981
Showing 2 changed files with 49 additions and 6 deletions.
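--- a/src/java/com/wolfssl/provider/jsse/WolfSSLInternalVerifyCb.java
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLInternalVerifyCb.java
@@ -119,7 +119,8 @@ else if (this.callingEngine != null) {
 }
 } catch (CertificateException e) {
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-"X509ExtendedTrustManager hostname verification failed");
+"X509ExtendedTrustManager hostname verification failed: " +
+e.getMessage());
 return 0;
 }
 
@@ -139,6 +140,17 @@ else if (this.callingEngine != null) {
 private boolean VerifyCertChainWithTrustManager(X509Certificate[] certs,
 String authType) {
 
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+"Verifying peer with X509TrustManager: " + this.tm);
+if (this.tm instanceof X509ExtendedTrustManager) {
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+"X509TrustManager of type X509ExtendedTrustManager");
+}
+else {
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+"X509TrustManager of type X509TrustManager");
+}
+
 try {
 /* Call TrustManager to do cert verification, should throw
 * CertificateException if verification fails */
@@ -211,7 +223,8 @@ else if (this.callingEngine != null) {
 } catch (Exception e) {
 /* TrustManager rejected certificate, not valid */
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-"TrustManager rejected certificates, verification failed");
+"TrustManager rejected certificates, verification failed: " +
+e.getMessage());
 return false;
 }
 
@@ -264,7 +277,8 @@ public int verifyCallback(int preverify_ok, long x509StorePtr) {
 } catch (WolfSSLException e) {
 /* failed to get certs from native, give app null array */
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-"Failed to get certs from x509StorePtr, certs = null");
+"Failed to get certs from x509StorePtr, certs = null: " +
+e.getMessage());
 certs = null;
 }
 
@@ -282,7 +296,7 @@ public int verifyCallback(int preverify_ok, long x509StorePtr) {
 /* failed to get cert array, give app empty array */
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
 "Failed to get X509Certificate[] array, set to " +
-"empty array");
+"empty array: " + ce.getMessage());
 x509certs = new X509Certificate[0];
 }
 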
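Review bot: The `} catch (Exception e) {` in VerifyCertChainWithTrustManager now logs only `e.getMessage()`, which can be null (many wrapped `CertificateException`/`CertPathValidatorException` instances carry their reason in the cause) and never records the exception class, so the line can degrade to `... verification failed: null`, which is the opposite of what this PR sets out to surface. Logging the exception itself, `"TrustManager rejected certificates, verification failed: " + e`, keeps class and message, and appending `(e.getCause() != null ? " cause: " + e.getCause() : "")` preserves the underlying PKIX reason; the same applies to the other four `getMessage()` sites in this file. The message text produced by a TrustManager can embed names taken from the peer's certificate, so it should remain confined to the debug log and not be echoed to the peer in an alert. VerifyCertChainWithTrustManager's body continues outside the hunk.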
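--- a/src/java/com/wolfssl/provider/jsse/WolfSSLTrustX509.java
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLTrustX509.java
@@ -421,6 +421,10 @@ private List<X509Certificate> certManagerVerify(
 fullChain.add(rootCA);
 }
 }
+else {
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+"Not returning cert chain from verify, not requested");
+}
 
 return fullChain;
 }
@@ -695,6 +699,9 @@ public void checkClientTrusted(X509Certificate[] certs, String type)
 
 /* Verify cert chain, throw CertificateException if not valid */
 certManagerVerify(certs, type, false);
+
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+"leaving checkClientTrusted(), success");
 }
 
 /**
@@ -733,6 +740,9 @@ public void checkClientTrusted(X509Certificate[] certs, String type,
 
 /* Verify hostname if right criteria matches */
 verifyHostname(certs[0], socket, null, false);
+
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+"leaving checkClientTrusted(Socket), success");
 }
 
 @Override
@@ -755,6 +765,9 @@ public void checkClientTrusted(X509Certificate[] certs, String type,
 
 /* Verify hostname if right criteria matches */
 verifyHostname(certs[0], null, engine, false);
+
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+"leaving checkClientTrusted(SSLEngine), success");
 }
 
 /**
@@ -787,6 +800,9 @@ public void checkServerTrusted(X509Certificate[] certs, String type)
 
 /* Verify cert chain, throw CertificateException if not valid */
 certManagerVerify(certs, type, false);
+
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+"leaving checkServerTrusted(certs, type), success");
 }
 
 @Override
@@ -809,6 +825,9 @@ public void checkServerTrusted(X509Certificate[] certs, String type,
 
 /* Verify hostname if right criteria matches */
 verifyHostname(certs[0], socket, null, true);
+
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+"leaving checkServerTrusted(certs, type, Socket), success");
 }
 
 @Override
@@ -831,6 +850,9 @@ public void checkServerTrusted(X509Certificate[] certs, String type,
 
 /* Verify hostname if right criteria matches */
 verifyHostname(certs[0], null, engine, true);
+
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+"leaving checkServerTrusted(certs, type, SSLEngine), success");
 }
 
 /**
@@ -851,10 +873,17 @@ public void checkServerTrusted(X509Certificate[] certs, String type,
 public List<X509Certificate> checkServerTrusted(X509Certificate[] certs,
 String type, String host) throws CertificateException {
 
+List<X509Certificate> certList = null;
+
 WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-"entered checkServerTrusted()");
+"entered checkServerTrusted(cert, type, host)");
 
-return certManagerVerify(certs, type, true);
+certList = certManagerVerify(certs, type, true);
+
+WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+"leaving checkServerTrusted(certs, type, host), success");
+
+return certList;
 }
 
 /**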
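Review bot: In the last hunk, `checkServerTrusted(X509Certificate[] certs, String type, String host)` still never reads `host`: the rewritten body only calls `certManagerVerify(certs, type, true)` and returns the chain, while the Socket and SSLEngine overloads above each call `verifyHostname(...)` after chain validation. If this overload is intended to follow the Android `X509TrustManagerExtensions` shape, where the caller performs hostname matching itself, the method's Javadoc (outside the hunk) should say so explicitly, e.g. `@param host peer hostname, accepted for API compatibility; hostname verification is NOT performed by this method`, so no caller assumes the returned chain was checked against the name. If hostname verification is expected here, `host` should be matched against `certs[0]` before the chain is returned. The new success log strings also differ in format between overloads (`leaving checkClientTrusted(Socket)` vs `leaving checkServerTrusted(certs, type, Socket)`); one consistent form would make the debug log easier to filter.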
