authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-21 11:47:53 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-21 15:30:19 +0200
commit0d69bcaca8a9af188e0d93dfb3d4911113558ec9 (patch)
tree45a37849e1ad4a9511a07e80e2a8861b8bc70b5c /jrt
parent37b82350dd673de1d7375c01838123bf0b1e1a91 (diff)
Get ConnectionAuthContext from SSL session after handshake is complete
Bound key-value pairs from the SSL handshake session are now copied to the final SSL session object. This simplifies the dataflow - there is no need to retrieve the instance right after our custom trust manager is invoked.
Diffstat (limited to 'jrt')
-rw-r--r--jrt/src/com/yahoo/jrt/TlsCryptoSocket.java19
1 files changed, 7 insertions, 12 deletions
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index 13274dc3ba5..d83c1ee8baa 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -2,7 +2,8 @@
package com.yahoo.jrt;
import com.yahoo.security.tls.ConnectionAuthContext;
-import com.yahoo.security.tls.PeerAuthorizerTrustManager;
+import com.yahoo.security.tls.PeerAuthorizationFailedException;
+import com.yahoo.security.tls.TransportSecurityUtils;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
@@ -97,15 +98,6 @@ public class TlsCryptoSocket implements CryptoSocket {
channelRead();
break;
case NEED_WORK:
- if (authContext == null) {
- PeerAuthorizerTrustManager.getConnectionAuthContext(sslEngine) // only available during handshake
- .ifPresent(ctx -> {
- if (!ctx.authorized()) {
- metrics.incrementPeerAuthorizationFailures();
- }
- authContext = ctx;
- });
- }
break;
case COMPLETED:
return HandshakeState.COMPLETED;
@@ -122,6 +114,10 @@ public class TlsCryptoSocket implements CryptoSocket {
SSLSession session = sslEngine.getSession();
sessionApplicationBufferSize = session.getApplicationBufferSize();
sessionPacketBufferSize = session.getPacketBufferSize();
+ authContext = TransportSecurityUtils.getConnectionAuthContext(session).orElseThrow();
+ if (!authContext.authorized()) {
+ metrics.incrementPeerAuthorizationFailures();
+ }
log.fine(() -> String.format("Handshake complete: protocol=%s, cipherSuite=%s", session.getProtocol(), session.getCipherSuite()));
if (sslEngine.getUseClientMode()) {
metrics.incrementClientTlsConnectionsEstablished();
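Review bot: The bare `orElseThrow()` on the new `authContext` assignment will surface as a `NoSuchElementException` with no message if no `ConnectionAuthContext` was bound to the session, and that exception is not an `SSLHandshakeException`, so it bypasses the catch block further down and escapes without any metric being recorded. A message that names the invariant would make that failure mode diagnosable: `authContext = TransportSecurityUtils.getConnectionAuthContext(session).orElseThrow(() -> new IllegalStateException("No ConnectionAuthContext bound to SSL session after handshake"));`. Presumably the context is always present when the configured trust manager is the peer-authorizing one; if a plain trust manager can be configured, a fallback rather than a throw may be the intended behaviour — worth confirming. The enclosing handshake method starts before and ends after this hunk.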
@@ -143,8 +139,7 @@ public class TlsCryptoSocket implements CryptoSocket {
}
}
} catch (SSLHandshakeException e) {
- // sslEngine.getDelegatedTask().run() and handshakeWrap() may throw SSLHandshakeException, potentially handshakeUnwrap() and sslEngine.beginHandshake() as well.
- if (authContext == null || authContext.authorized()) { // don't include handshake failures due from PeerAuthorizerTrustManager
+ if (!(e.getCause() instanceof PeerAuthorizationFailedException)) {
metrics.incrementTlsCertificateVerificationFailures();
}
throw e;
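Review bot: Peer authorization failures that abort the handshake appear to no longer be counted: the removed NEED_WORK branch called `metrics.incrementPeerAuthorizationFailures()` as soon as an unauthorized context was observed, while the new code only increments it in the COMPLETED path (earlier hunk), and this catch block skips the certificate-verification metric for a `PeerAuthorizationFailedException` cause without recording anything else. If the enforcing path is meant to be counted, make the branch explicit: `if (e.getCause() instanceof PeerAuthorizationFailedException) { metrics.incrementPeerAuthorizationFailures(); } else { metrics.incrementTlsCertificateVerificationFailures(); }`. Note also that `e.getCause()` inspects only one level of the cause chain; if the SSLEngine wraps the trust-manager exception more than once, the check silently falls into the certificate-verification branch, so walking the chain (or documenting why one level suffices) would be safer. The enclosing try/catch begins outside this hunk.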