
Commit cde16c9

include default trust store to result from get_ca_certs and cet_store_stats
1 parent 1acd1fa commit cde16c9

2 files changed

+37
-33
lines changed


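--- a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/ssl/PSSLContext.java
+++ b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/ssl/PSSLContext.java
@@ -77,6 +77,7 @@
 import java.security.cert.X509Certificate;
 import java.util.Collection;
 import java.util.EnumSet;
+import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -124,7 +125,7 @@ public PSSLContext(Object cls, Shape instanceShape, SSLMethod method, int verify
 }
 
 @TruffleBoundary
-public KeyStore getCAKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
+private KeyStore getCAKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
 if (caKeystore == null) {
 caKeystore = KeyStore.getInstance("JKS");
 
@@ -142,6 +143,25 @@ private KeyStore getChainKeyStore() throws KeyStoreException, IOException, NoSuc
 return chainKeystore;
 }
 
+@TruffleBoundary
+public List<X509Certificate> getCACerts() throws KeyStoreException, NoSuchAlgorithmException {
+List<X509Certificate> result = new ArrayList<>();
+if (caKeystore != null) {
+Enumeration<String> aliases = caKeystore.aliases();
+while (aliases.hasMoreElements()) {
+X509Certificate cert = (X509Certificate) caKeystore.getCertificate(aliases.nextElement());
+result.add(cert);
+}
+}
+if (useDefaultTrustStore) {
+X509ExtendedTrustManager tm = getDefaultTrustManager();
+for (X509Certificate cert : tm.getAcceptedIssuers()) {
+result.add(cert);
+}
+}
+return result;
+}
+
 public SSLMethod getMethod() {
 return method;
 }
@@ -174,7 +194,7 @@ void setCertChain(PrivateKey pk, char[] password, X509Certificate[] certs) throw
 }
 
 void init() throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException, InvalidAlgorithmParameterException, IOException, CertificateException {
-X509ExtendedTrustManager defaultTrustManager = getDefaultTrustManagers();
+X509ExtendedTrustManager defaultTrustManager = getDefaultTrustManager();
 X509ExtendedTrustManager trustManager = getX509ExtendedTrustManager(getTrustManagerFactory(getCAKeyStore()).getTrustManagers());
 TrustManager tm = new DelegateTrustManager(trustManager, defaultTrustManager, verifyMode);
 
@@ -188,7 +208,7 @@ void init() throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKey
 context.init(kms, new TrustManager[]{tm}, null);
 }
 
-private X509ExtendedTrustManager getDefaultTrustManagers() throws KeyStoreException, NoSuchAlgorithmException {
+private X509ExtendedTrustManager getDefaultTrustManager() throws KeyStoreException, NoSuchAlgorithmException {
 if (useDefaultTrustStore) {
 TrustManagerFactory tmf = getTrustManagerFactory();
 tmf.init((KeyStore) null);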
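Review bot: The new `getCACerts()` casts every `caKeystore` entry unconditionally (`X509Certificate cert = (X509Certificate) caKeystore.getCertificate(aliases.nextElement());`) and drops the `isCertificateEntry`/`instanceof X509Certificate` guards that the replaced `storeStats` loop had, so should `caKeystore` ever hold something other than an X.509 trusted-certificate entry, callers get a raw `ClassCastException` that their `KeyStoreException | NoSuchAlgorithmException | ...` catch clauses do not turn into `SSLError`. Restoring the guard is two lines: `java.security.cert.Certificate c = caKeystore.getCertificate(alias); if (c instanceof X509Certificate) { result.add((X509Certificate) c); }`. Separately, a CA that is both loaded into `caKeystore` and present in the default trust manager's `getAcceptedIssuers()` is returned twice, which would double-count it in `cert_store_stats`; collecting into a `LinkedHashSet<X509Certificate>` (certificate equality is by DER encoding) and returning `new ArrayList<>(set)` would dedupe without changing order. The body of `getDefaultTrustManager()` at the end of the section continues outside the hunk.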

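--- a/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/ssl/SSLContextBuiltins.java
+++ b/graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/ssl/SSLContextBuiltins.java
@@ -52,19 +52,16 @@
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyManagementException;
-import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.CRLException;
-import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.security.spec.InvalidKeySpecException;
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.Enumeration;
 import java.util.List;
 import java.util.logging.Level;
 
@@ -125,6 +122,8 @@
 import com.oracle.truffle.api.frame.VirtualFrame;
 import com.oracle.truffle.api.interop.UnsupportedMessageException;
 import com.oracle.truffle.api.library.CachedLibrary;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateParsingException;
 
 @CoreFunctions(extendClasses = PythonBuiltinClassType.PSSLContext)
 public class SSLContextBuiltins extends PythonBuiltins {
@@ -629,24 +628,15 @@ abstract static class CertStoreStatsNode extends PythonUnaryBuiltinNode {
 @Specialization
 Object storeStats(PSSLContext self) {
 try {
-KeyStore keystore = self.getCAKeyStore();
-Enumeration<String> aliases = keystore.aliases();
 int x509 = 0, crl = 0, ca = 0;
-while (aliases.hasMoreElements()) {
-String alias = aliases.nextElement();
-if (keystore.isCertificateEntry(alias)) {
-Certificate cert = keystore.getCertificate(alias);
-if (cert instanceof X509Certificate) {
-X509Certificate x509Cert = (X509Certificate) cert;
-boolean[] keyUsage = ((X509Certificate) cert).getKeyUsage();
-if (CertUtils.isCrl(keyUsage)) {
-crl++;
-} else {
-x509++;
-if (CertUtils.isCA(x509Cert, keyUsage)) {
-ca++;
-}
-}
+for (X509Certificate cert : self.getCACerts()) {
+boolean[] keyUsage = cert.getKeyUsage();
+if (CertUtils.isCrl(keyUsage)) {
+crl++;
+} else {
+x509++;
+if (CertUtils.isCA(cert, keyUsage)) {
+ca++;
 }
 }
 }
@@ -995,16 +985,13 @@ abstract static class GetCACerts extends PythonBinaryClinicBuiltinNode {
 Object getCerts(PSSLContext self, @SuppressWarnings("unused") boolean binary_form) {
 try {
 List<PDict> result = new ArrayList<>();
-KeyStore ks = self.getCAKeyStore();
-Enumeration<String> aliases = ks.aliases();
-while (aliases.hasMoreElements()) {
-X509Certificate cert = (X509Certificate) ks.getCertificate(aliases.nextElement());
+for (X509Certificate cert : self.getCACerts()) {
 if (CertUtils.isCA(cert, cert.getKeyUsage())) {
 result.add(CertUtils.decodeCertificate(cert));
 }
 }
 return factory().createList(result.toArray(new Object[result.size()]));
-} catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException ex) {
+} catch (KeyStoreException | NoSuchAlgorithmException | IOException | CertificateParsingException ex) {
 throw PRaiseSSLErrorNode.raiseUncached(this, SSLErrorCode.ERROR_SSL, ex);
 }
 }
@@ -1014,16 +1001,13 @@ Object getCerts(PSSLContext self, @SuppressWarnings("unused") boolean binary_for
 Object getCertsBinary(PSSLContext self, @SuppressWarnings("unused") boolean binary_form) {
 try {
 List<PBytes> result = new ArrayList<>();
-KeyStore ks = self.getCAKeyStore();
-Enumeration<String> aliases = ks.aliases();
-while (aliases.hasMoreElements()) {
-X509Certificate cert = (X509Certificate) ks.getCertificate(aliases.nextElement());
+for (X509Certificate cert : self.getCACerts()) {
 if (CertUtils.isCA(cert, cert.getKeyUsage())) {
 result.add(factory().createBytes(cert.getEncoded()));
 }
 }
 return factory().createList(result.toArray(new Object[result.size()]));
-} catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException ex) {
+} catch (KeyStoreException | NoSuchAlgorithmException | CertificateEncodingException ex) {
 throw PRaiseSSLErrorNode.raiseUncached(this, SSLErrorCode.ERROR_SSL, ex);
 }
 }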
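Review bot: The `catch` clause belonging to the rewritten `storeStats` try body is outside this hunk, so it is not visible whether it was narrowed the way `getCerts` (`catch (KeyStoreException | NoSuchAlgorithmException | IOException | CertificateParsingException ex)`) and `getCertsBinary` (`CertificateEncodingException`) were; `getCACerts()` declares only `KeyStoreException` and `NoSuchAlgorithmException`, so a leftover `IOException | CertificateException` alternative would presumably no longer compile, while a broad `catch (Exception ...)` would also swallow the unchecked `ClassCastException` the cast inside `getCACerts()` can raise — worth confirming. A style point: the two new imports `java.security.cert.CertificateEncodingException` and `java.security.cert.CertificateParsingException` are appended after the `com.oracle.truffle.*` group rather than in the sorted `java.security.cert.*` run next to `CertificateException` at the top of the file, which the rest of the import list keeps alphabetical. Because these loops now also yield the JDK default trust store's roots when the context's default-store flag is set, a one-line comment above each `for (X509Certificate cert : self.getCACerts())` such as `// also yields the JDK default trust store roots when useDefaultTrustStore is set (see PSSLContext.getCACerts)` would make the behaviour change in get_ca_certs()/cert_store_stats() visible at the call sites.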
