Use UTF-8 for ALPN data, call updateSession()

It looks like UTF-8 is the desired encoding for ALPN data for compatibility with what the JCA and SunJSSE does: https://github.com/openjdk/jdk11u-dev/blob/master/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java#L100 Therefore we should make sure we encode our protocols the same way. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
dogtagpki · Oct 6, 2020 · 9d336c7 · 9d336c7
1 parent 6eaa12f
commit 9d336c7
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 20 deletions.
diff --git a/org/mozilla/jss/ssl/javax/JSSEngine.java b/org/mozilla/jss/ssl/javax/JSSEngine.java
@@ -1,5 +1,6 @@
 package org.mozilla.jss.ssl.javax;
 
+import java.nio.charset.StandardCharsets;
 import java.util.*;
 import java.util.concurrent.atomic.AtomicBoolean;
 import javax.net.ssl.*;
@@ -951,14 +952,14 @@ public String getHandshakeApplicationProtocol() {
     public byte[] getALPNWireData() {
         int length = 0;
         for (String protocol : alpn_protocols) {
-            length += 1 + protocol.getBytes().length;
+            length += 1 + protocol.getBytes(StandardCharsets.UTF_8).length;
         }
 
         byte[] result = new byte[length];
         int offset = 0;
 
         for (String protocol : alpn_protocols) {
-            byte[] p_bytes = protocol.getBytes();
+            byte[] p_bytes = protocol.getBytes(StandardCharsets.UTF_8);
             result[offset] = (byte) p_bytes.length;
             offset += 1;
             System.arraycopy(p_bytes, 0, result, offset, p_bytes.length);

diff --git a/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java b/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
@@ -1108,22 +1108,7 @@ private void updateHandshakeState() {
             handshake_state = SSLEngineResult.HandshakeStatus.FINISHED;
             unknown_state_count = 0;
 
-            // Only update peer certificate chain when we've finished
-            // handshaking.
-            try {
-                PK11Cert[] peer_chain = SSL.PeerCertificateChain(ssl_fd);
-                session.setPeerCertificates(peer_chain);
-            } catch (Exception e) {
-                String msg = "Unable to get peer's certificate chain: ";
-                msg += e.getMessage();
-
-                seen_exception = true;
-                ssl_exception = new SSLException(msg, e);
-            }
-
-            // Also update our session information here.
-            session.refreshData();
-
+            updateSession();
             return;
         }
 

diff --git a/org/mozilla/jss/ssl/javax/JSSParameters.java b/org/mozilla/jss/ssl/javax/JSSParameters.java
@@ -1,7 +1,8 @@
 package org.mozilla.jss.ssl.javax;
 
-import javax.net.ssl.*;
+import java.nio.charset.StandardCharsets;
 import java.util.*;
+import javax.net.ssl.*;
 
 import org.mozilla.jss.util.JDKCompat;
 import org.mozilla.jss.ssl.*;
@@ -206,7 +207,7 @@ public void setApplicationProtocols(String[] protocols) throws IllegalArgumentEx
 
         int index = 0;
         for (String protocol : protocols) {
-            if (protocol.length() > 255 || protocol.getBytes().length > 255) {
+            if (protocol.getBytes(StandardCharsets.UTF_8).length > 255) {
                 String msg = "Invalid application protocol " + protocol;
                 msg += ": standard allows up to 255 characters but was ";
                 msg += protocol.length();