Diffstat (limited to 'jrt/src/com/yahoo/jrt/TlsCryptoSocket.java')
-rw-r--r--jrt/src/com/yahoo/jrt/TlsCryptoSocket.java22
1 files changed, 22 insertions, 0 deletions
diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index 31d76bc7362..e9f72ee12e0 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -8,13 +8,19 @@ import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.ClosedChannelException;
import java.nio.channels.SocketChannel;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Optional;
import java.util.logging.Logger;
+import static java.util.stream.Collectors.toList;
import static javax.net.ssl.SSLEngineResult.HandshakeStatus;
import static javax.net.ssl.SSLEngineResult.Status;
@@ -211,6 +217,22 @@ public class TlsCryptoSocket implements CryptoSocket {
return wrapBuffer.bytes() > 0 ? FlushResult.NEED_WRITE : FlushResult.DONE;
}
+ @Override
+ public Optional<SecurityContext> securityContext() {
+ try {
+ if (handshakeState != HandshakeState.COMPLETED) {
+ return Optional.empty();
+ }
+ List<X509Certificate> peerCertificateChain =
+ Arrays.stream(sslEngine.getSession().getPeerCertificates())
+ .map(X509Certificate.class::cast)
+ .collect(toList());
+ return Optional.of(new SecurityContext(peerCertificateChain));
+ } catch (SSLPeerUnverifiedException e) { // unverified peer: non-certificate based ciphers or peer did not provide a certificate
+ return Optional.of(new SecurityContext(List.of())); // secure connection, but peer does not have a certificate chain.
+ }
+ }
+
private boolean handshakeWrap() throws IOException {
SSLEngineResult result = sslEngineWrap(NULL_BUFFER);
switch (result.getStatus()) {
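Review bot: The catch on the `SSLPeerUnverifiedException` line returns a present `SecurityContext` holding an empty chain, so a caller cannot tell an authenticated peer from an unauthenticated one by `isPresent()` alone; any authorization decision built on this value has to check that the chain is non-empty. I would state that contract in a Javadoc on `securityContext()`, e.g. `/** Returns the peer certificate chain once the handshake has completed; the chain is empty when the peer presented no certificate or the cipher suite is not certificate based, so an empty chain must be treated as an unauthenticated peer. */`. The `X509Certificate.class::cast` in the stream throws an unchecked ClassCastException if the session ever carries a non-X509 certificate; unless that invariant is guaranteed elsewhere, a `.filter(X509Certificate.class::isInstance)` before the `map` (or an explicit check that fails closed) keeps the method from surfacing a ClassCastException instead of an empty/absent context. `SecurityContext`'s constructor is outside this hunk, so whether it copies or validates the list cannot be seen here.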