From 0d69bcaca8a9af188e0d93dfb3d4911113558ec9 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Thu, 21 Jul 2022 11:47:53 +0200
Subject: Get ConnectionAuthContext from SSL session after handshake is complete

Bound key-value pairs from SSL handshake session are now copied to the final SSL session object. This simplifies the dataflow - not need to retrieve the instance right after our custom trust manager is invoked.
---
 jrt/src/com/yahoo/jrt/TlsCryptoSocket.java | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

(limited to 'jrt/src')

diff --git a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
index 13274dc3ba5..d83c1ee8baa 100644
--- a/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
+++ b/jrt/src/com/yahoo/jrt/TlsCryptoSocket.java
@@ -2,7 +2,8 @@ package com.yahoo.jrt;
 import com.yahoo.security.tls.ConnectionAuthContext;
-import com.yahoo.security.tls.PeerAuthorizerTrustManager;
+import com.yahoo.security.tls.PeerAuthorizationFailedException;
+import com.yahoo.security.tls.TransportSecurityUtils;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLEngineResult;
@@ -97,15 +98,6 @@ public class TlsCryptoSocket implements CryptoSocket {
 channelRead();
 break;
 case NEED_WORK:
- if (authContext == null) {
- PeerAuthorizerTrustManager.getConnectionAuthContext(sslEngine) // only available during handshake
- .ifPresent(ctx -> {
- if (!ctx.authorized()) {
- metrics.incrementPeerAuthorizationFailures();
- }
- authContext = ctx;
- });
- }
 break;
 case COMPLETED:
 return HandshakeState.COMPLETED;
@@ -122,6 +114,10 @@ public class TlsCryptoSocket implements CryptoSocket {
 SSLSession session = sslEngine.getSession();
 sessionApplicationBufferSize = session.getApplicationBufferSize();
 sessionPacketBufferSize = session.getPacketBufferSize();
+ authContext = TransportSecurityUtils.getConnectionAuthContext(session).orElseThrow();
+ if (!authContext.authorized()) {
+ metrics.incrementPeerAuthorizationFailures();
+ }
 log.fine(() -> String.format("Handshake complete: protocol=%s, cipherSuite=%s", session.getProtocol(), session.getCipherSuite()));
 if (sslEngine.getUseClientMode()) {
 metrics.incrementClientTlsConnectionsEstablished();
@@ -143,8 +139,7 @@ public class TlsCryptoSocket implements CryptoSocket {
 }
 }
 } catch (SSLHandshakeException e) {
- // sslEngine.getDelegatedTask().run() and handshakeWrap() may throw SSLHandshakeException, potentially handshakeUnwrap() and sslEngine.beginHandshake() as well.
- if (authContext == null || authContext.authorized()) { // don't include handshake failures due from PeerAuthorizerTrustManager
+ if (!(e.getCause() instanceof PeerAuthorizationFailedException)) {
 metrics.incrementTlsCertificateVerificationFailures();
 }
 throw e;
-- 
cgit v1.2.3
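Review bot: The bare `orElseThrow()` on the new `authContext = TransportSecurityUtils.getConnectionAuthContext(session)` line turns a session with no bound auth context into a message-less NoSuchElementException, which is not an SSLHandshakeException and so escapes the catch block in the next hunk without touching any metric. Since the code path has just declared the handshake complete, a misconfigured SSLContext (no context-binding trust manager installed) would fail here with no hint of why; an explicit exception names the invariant: `.orElseThrow(() -> new IllegalStateException("No ConnectionAuthContext bound to SSL session after handshake"))`. The enclosing handshake method starts and ends outside this hunk.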
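Review bot: With the NEED_WORK branch removed, `metrics.incrementPeerAuthorizationFailures()` is now reached only when the handshake completes (previous hunk), so a handshake that aborts with a PeerAuthorizationFailedException cause is no longer counted as a peer-authorization failure — the new condition only keeps it out of the certificate-verification counter. If that metric is meant to cover rejected peers as well, count them in the other branch: `} else { metrics.incrementPeerAuthorizationFailures(); }`. Whether the engine always surfaces that exception as the immediate `getCause()` rather than deeper in the chain is not visible here; if it can be rewrapped, walking the cause chain is more robust than a one-level instanceof. The try block this catch belongs to starts outside the hunk.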