Search in sources :

Example 66 with MemoryAddress

use of jdk.incubator.foreign.MemoryAddress in project openj9 by eclipse.

the class StructTests2 method test_add2DoubleStructs_returnStructPointer_2.

@Test
public void test_add2DoubleStructs_returnStructPointer_2() throws Throwable {
    GroupLayout structLayout = MemoryLayout.structLayout(JAVA_DOUBLE.withName("elem1"), JAVA_DOUBLE.withName("elem2"));
    VarHandle doubleHandle1 = structLayout.varHandle(PathElement.groupElement("elem1"));
    VarHandle doubleHandle2 = structLayout.varHandle(PathElement.groupElement("elem2"));
    FunctionDescriptor fd = FunctionDescriptor.of(ADDRESS, ADDRESS, structLayout);
    NativeSymbol functionSymbol = nativeLibLookup.lookup("add2DoubleStructs_returnStructPointer").get();
    MethodHandle mh = clinker.downcallHandle(fd);
    try (ResourceScope scope = ResourceScope.newConfinedScope()) {
        SegmentAllocator allocator = SegmentAllocator.nativeAllocator(scope);
        MemorySegment structSegmt1 = allocator.allocate(structLayout);
        doubleHandle1.set(structSegmt1, 11.222D);
        doubleHandle2.set(structSegmt1, 22.333D);
        MemorySegment structSegmt2 = allocator.allocate(structLayout);
        doubleHandle1.set(structSegmt2, 33.444D);
        doubleHandle2.set(structSegmt2, 44.555D);
        MemoryAddress resultAddr = (MemoryAddress) mh.invoke(functionSymbol, structSegmt1, structSegmt2);
        Assert.assertEquals(resultAddr.get(JAVA_DOUBLE, 0), 44.666D, 0.001D);
        Assert.assertEquals(resultAddr.get(JAVA_DOUBLE, 8), 66.888D, 0.001D);
    }
}
Also used : NativeSymbol(jdk.incubator.foreign.NativeSymbol) VarHandle(java.lang.invoke.VarHandle) ResourceScope(jdk.incubator.foreign.ResourceScope) SegmentAllocator(jdk.incubator.foreign.SegmentAllocator) GroupLayout(jdk.incubator.foreign.GroupLayout) FunctionDescriptor(jdk.incubator.foreign.FunctionDescriptor) MemoryAddress(jdk.incubator.foreign.MemoryAddress) MemorySegment(jdk.incubator.foreign.MemorySegment) MethodHandle(java.lang.invoke.MethodHandle) Test(org.testng.annotations.Test)

Example 67 with MemoryAddress

use of jdk.incubator.foreign.MemoryAddress in project tomcat by apache.

the class OpenSSLContext method addCertificate.

private void addCertificate(SSLHostConfigCertificate certificate) throws Exception {
    var allocator = SegmentAllocator.ofScope(state.contextScope);
    int index = getCertificateIndex(certificate);
    // Load Server key and certificate
    if (certificate.getCertificateFile() != null) {
        // Set certificate
        // SSLContext.setCertificate(state.ctx,
        // SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()),
        // SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()),
        // certificate.getCertificateKeyPassword(), getCertificateIndex(certificate));
        var certificateFileNative = CLinker.toCString(SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()), state.contextScope);
        var certificateKeyFileNative = (certificate.getCertificateKeyFile() == null) ? certificateFileNative : CLinker.toCString(SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()), state.contextScope);
        MemoryAddress bio;
        MemoryAddress cert = MemoryAddress.NULL;
        MemoryAddress key = MemoryAddress.NULL;
        if (certificate.getCertificateFile().endsWith(".pkcs12")) {
            // Load pkcs12
            bio = BIO_new(BIO_s_file());
            // (int)BIO_ctrl(b,BIO_C_SET_FILENAME, BIO_CLOSE|BIO_FP_READ,(char *)(name))
            if (BIO_ctrl(bio, BIO_C_SET_FILENAME(), BIO_CLOSE() | BIO_FP_READ(), certificateFileNative) <= 0) {
                BIO_free(bio);
                log.error(sm.getString("openssl.errorLoadingCertificate", "[0]:" + certificate.getCertificateFile()));
                return;
            }
            MemoryAddress p12 = d2i_PKCS12_bio(bio, MemoryAddress.NULL);
            BIO_free(bio);
            if (MemoryAddress.NULL.equals(p12)) {
                log.error(sm.getString("openssl.errorLoadingCertificate", "[1]:" + certificate.getCertificateFile()));
                return;
            }
            MemoryAddress passwordAddress = MemoryAddress.NULL;
            int passwordLength = 0;
            String callbackPassword = certificate.getCertificateKeyPassword();
            if (callbackPassword != null && callbackPassword.length() > 0) {
                MemorySegment password = CLinker.toCString(callbackPassword, state.contextScope);
                passwordAddress = password.address();
                passwordLength = (int) (password.byteSize() - 1);
            }
            if (PKCS12_verify_mac(p12, passwordAddress, passwordLength) <= 0) {
                // Bad password
                log.error(sm.getString("openssl.errorLoadingCertificate", "[2]:" + certificate.getCertificateFile()));
                PKCS12_free(p12);
                return;
            }
            MemorySegment certPointer = allocator.allocate(CLinker.C_POINTER);
            MemorySegment keyPointer = allocator.allocate(CLinker.C_POINTER);
            if (PKCS12_parse(p12, passwordAddress, keyPointer, certPointer, MemoryAddress.NULL) <= 0) {
                log.error(sm.getString("openssl.errorLoadingCertificate", "[3]:" + certificate.getCertificateFile()));
                PKCS12_free(p12);
                return;
            }
            PKCS12_free(p12);
            cert = MemoryAccess.getAddress(certPointer);
            key = MemoryAccess.getAddress(keyPointer);
        } else {
            // Load key
            bio = BIO_new(BIO_s_file());
            // (int)BIO_ctrl(b,BIO_C_SET_FILENAME, BIO_CLOSE|BIO_FP_READ,(char *)(name))
            if (BIO_ctrl(bio, BIO_C_SET_FILENAME(), BIO_CLOSE() | BIO_FP_READ(), certificateKeyFileNative) <= 0) {
                BIO_free(bio);
                log.error(sm.getString("openssl.errorLoadingCertificate", certificate.getCertificateKeyFile()));
                return;
            }
            key = MemoryAddress.NULL;
            for (int i = 0; i < 3; i++) {
                try {
                    callbackPasswordTheadLocal.set(certificate.getCertificateKeyPassword());
                    key = PEM_read_bio_PrivateKey(bio, MemoryAddress.NULL, openSSLCallbackPassword, MemoryAddress.NULL);
                } finally {
                    callbackPasswordTheadLocal.set(null);
                }
                if (!MemoryAddress.NULL.equals(key)) {
                    break;
                }
                BIO_ctrl(bio, BIO_CTRL_RESET(), 0, MemoryAddress.NULL);
            }
            BIO_free(bio);
            if (MemoryAddress.NULL.equals(key)) {
                if (!MemoryAddress.NULL.equals(OpenSSLLifecycleListener.enginePointer)) {
                    key = ENGINE_load_private_key(OpenSSLLifecycleListener.enginePointer, certificateKeyFileNative, MemoryAddress.NULL, MemoryAddress.NULL);
                }
            }
            if (MemoryAddress.NULL.equals(key)) {
                log.error(sm.getString("openssl.errorLoadingCertificate", certificate.getCertificateKeyFile()));
                return;
            }
            // Load certificate
            bio = BIO_new(BIO_s_file());
            if (BIO_ctrl(bio, BIO_C_SET_FILENAME(), BIO_CLOSE() | BIO_FP_READ(), certificateFileNative) <= 0) {
                BIO_free(bio);
                log.error(sm.getString("openssl.errorLoadingCertificate", certificate.getCertificateFile()));
                return;
            }
            try {
                callbackPasswordTheadLocal.set(certificate.getCertificateKeyPassword());
                cert = PEM_read_bio_X509_AUX(bio, MemoryAddress.NULL, openSSLCallbackPassword, MemoryAddress.NULL);
            } finally {
                callbackPasswordTheadLocal.set(null);
            }
            if (MemoryAddress.NULL.equals(cert) && /*int ERR_GET_REASON(unsigned long errcode) {
                         *    if (ERR_SYSTEM_ERROR(errcode))
                         *        return errcode & ERR_SYSTEM_MASK;
                         *    return errcode & ERR_REASON_MASK;
                         *}
                         *# define ERR_SYSTEM_ERROR(errcode)      (((errcode) & ERR_SYSTEM_FLAG) != 0)
                         *# define ERR_SYSTEM_FLAG                ((unsigned int)INT_MAX + 1)
                         *# define ERR_SYSTEM_MASK                ((unsigned int)INT_MAX)
                         *# define ERR_REASON_MASK                0X7FFFFF
                         */
            ((ERR_peek_last_error() & 0X7FFFFF) == PEM_R_NO_START_LINE())) {
                ERR_clear_error();
                BIO_ctrl(bio, BIO_CTRL_RESET(), 0, MemoryAddress.NULL);
                cert = d2i_X509_bio(bio, MemoryAddress.NULL);
            }
            BIO_free(bio);
            if (MemoryAddress.NULL.equals(cert)) {
                log.error(sm.getString("openssl.errorLoadingCertificate", certificate.getCertificateFile()));
                return;
            }
        }
        if (SSL_CTX_use_certificate(state.sslCtx, cert) <= 0) {
            logLastError(allocator, "openssl.errorLoadingCertificate");
            return;
        }
        if (SSL_CTX_use_PrivateKey(state.sslCtx, key) <= 0) {
            logLastError(allocator, "openssl.errorLoadingPrivateKey");
            return;
        }
        if (SSL_CTX_check_private_key(state.sslCtx) <= 0) {
            logLastError(allocator, "openssl.errorPrivateKeyCheck");
            return;
        }
        // Try to read DH parameters from the (first) SSLCertificateFile
        if (index == SSL_AIDX_RSA) {
            bio = BIO_new_file(certificateFileNative, CLinker.toCString("r", state.contextScope));
            var dh = PEM_read_bio_DHparams(bio, MemoryAddress.NULL, MemoryAddress.NULL, MemoryAddress.NULL);
            BIO_free(bio);
            // SSL_CTX_ctrl(sslCtx,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
            if (!MemoryAddress.NULL.equals(dh)) {
                SSL_CTX_ctrl(state.sslCtx, SSL_CTRL_SET_TMP_DH(), 0, dh);
                DH_free(dh);
            }
        }
        // Similarly, try to read the ECDH curve name from SSLCertificateFile...
        bio = BIO_new_file(certificateFileNative, CLinker.toCString("r", state.contextScope));
        var ecparams = PEM_read_bio_ECPKParameters(bio, MemoryAddress.NULL, MemoryAddress.NULL, MemoryAddress.NULL);
        BIO_free(bio);
        if (!MemoryAddress.NULL.equals(ecparams)) {
            int nid = EC_GROUP_get_curve_name(ecparams);
            var eckey = EC_KEY_new_by_curve_name(nid);
            // #  define SSL_CTX_set_tmp_ecdh(sslCtx,ecdh) \
            // SSL_CTX_ctrl(sslCtx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh))
            SSL_CTX_ctrl(state.sslCtx, SSL_CTRL_SET_TMP_ECDH(), 0, eckey);
            EC_KEY_free(eckey);
            EC_GROUP_free(ecparams);
        }
        // Set callback for DH parameters
        MemoryAddress openSSLCallbackTmpDH = CLinker.getInstance().upcallStub(openSSLCallbackTmpDHHandle, openSSLCallbackTmpDHFunctionDescriptor, state.contextScope);
        SSL_CTX_set_tmp_dh_callback(state.sslCtx, openSSLCallbackTmpDH);
        // Set certificate chain file
        if (certificate.getCertificateChainFile() != null) {
            var certificateChainFileNative = CLinker.toCString(SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), state.contextScope);
            // SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false);
            if (SSL_CTX_use_certificate_chain_file(state.sslCtx, certificateChainFileNative) <= 0) {
                log.error(sm.getString("openssl.errorLoadingCertificate", certificate.getCertificateChainFile()));
            }
        }
        // Set revocation
        // SSLContext.setCARevocation(state.ctx,
        // SSLHostConfig.adjustRelativePath(
        // sslHostConfig.getCertificateRevocationListFile()),
        // SSLHostConfig.adjustRelativePath(
        // sslHostConfig.getCertificateRevocationListPath()));
        MemoryAddress certificateStore = SSL_CTX_get_cert_store(state.sslCtx);
        if (sslHostConfig.getCertificateRevocationListFile() != null) {
            MemoryAddress x509Lookup = X509_STORE_add_lookup(certificateStore, X509_LOOKUP_file());
            var certificateRevocationListFileNative = CLinker.toCString(SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateRevocationListFile()), state.contextScope);
            // X509_LOOKUP_ctrl(lookup,X509_L_FILE_LOAD,file,type,NULL)
            if (X509_LOOKUP_ctrl(x509Lookup, X509_L_FILE_LOAD(), certificateRevocationListFileNative, X509_FILETYPE_PEM(), MemoryAddress.NULL) <= 0) {
                log.error(sm.getString("openssl.errorLoadingCertificateRevocationList", sslHostConfig.getCertificateRevocationListFile()));
            }
        }
        if (sslHostConfig.getCertificateRevocationListPath() != null) {
            MemoryAddress x509Lookup = X509_STORE_add_lookup(certificateStore, X509_LOOKUP_hash_dir());
            var certificateRevocationListPathNative = CLinker.toCString(SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateRevocationListPath()), state.contextScope);
            // X509_LOOKUP_ctrl(lookup,X509_L_ADD_DIR,path,type,NULL)
            if (X509_LOOKUP_ctrl(x509Lookup, X509_L_ADD_DIR(), certificateRevocationListPathNative, X509_FILETYPE_PEM(), MemoryAddress.NULL) <= 0) {
                log.error(sm.getString("openssl.errorLoadingCertificateRevocationList", sslHostConfig.getCertificateRevocationListPath()));
            }
        }
        X509_STORE_set_flags(certificateStore, X509_V_FLAG_CRL_CHECK() | X509_V_FLAG_CRL_CHECK_ALL());
    } else {
        String alias = certificate.getCertificateKeyAlias();
        X509KeyManager x509KeyManager = certificate.getCertificateKeyManager();
        if (alias == null) {
            alias = "tomcat";
        }
        X509Certificate[] chain = x509KeyManager.getCertificateChain(alias);
        if (chain == null) {
            alias = findAlias(x509KeyManager, certificate);
            chain = x509KeyManager.getCertificateChain(alias);
        }
        PrivateKey key = x509KeyManager.getPrivateKey(alias);
        StringBuilder sb = new StringBuilder(BEGIN_KEY);
        sb.append(Base64.getMimeEncoder(64, new byte[] { '\n' }).encodeToString(key.getEncoded()));
        sb.append(END_KEY);
        // SSLContext.setCertificateRaw(state.ctx, chain[0].getEncoded(),
        // sb.toString().getBytes(StandardCharsets.US_ASCII),
        // getCertificateIndex(certificate));
        var rawCertificate = allocator.allocateArray(CLinker.C_CHAR, chain[0].getEncoded());
        var rawCertificatePointer = allocator.allocate(CLinker.C_POINTER, rawCertificate);
        var rawKey = allocator.allocateArray(CLinker.C_CHAR, sb.toString().getBytes(StandardCharsets.US_ASCII));
        var x509cert = d2i_X509(MemoryAddress.NULL, rawCertificatePointer, rawCertificate.byteSize());
        if (MemoryAddress.NULL.equals(x509cert)) {
            logLastError(allocator, "openssl.errorLoadingCertificate");
            return;
        }
        var bio = BIO_new(BIO_s_mem());
        BIO_write(bio, rawKey.address(), (int) rawKey.byteSize());
        MemoryAddress privateKeyAddress = PEM_read_bio_PrivateKey(bio, MemoryAddress.NULL, MemoryAddress.NULL, MemoryAddress.NULL);
        BIO_free(bio);
        if (MemoryAddress.NULL.equals(privateKeyAddress)) {
            logLastError(allocator, "openssl.errorLoadingPrivateKey");
            return;
        }
        if (SSL_CTX_use_certificate(state.sslCtx, x509cert) <= 0) {
            logLastError(allocator, "openssl.errorLoadingCertificate");
            return;
        }
        if (SSL_CTX_use_PrivateKey(state.sslCtx, privateKeyAddress) <= 0) {
            logLastError(allocator, "openssl.errorLoadingPrivateKey");
            return;
        }
        if (SSL_CTX_check_private_key(state.sslCtx) <= 0) {
            logLastError(allocator, "openssl.errorPrivateKeyCheck");
            return;
        }
        // Set callback for DH parameters
        MemoryAddress openSSLCallbackTmpDH = CLinker.getInstance().upcallStub(openSSLCallbackTmpDHHandle, openSSLCallbackTmpDHFunctionDescriptor, state.contextScope);
        SSL_CTX_set_tmp_dh_callback(state.sslCtx, openSSLCallbackTmpDH);
        for (int i = 1; i < chain.length; i++) {
            // SSLContext.addChainCertificateRaw(state.ctx, chain[i].getEncoded());
            var rawCertificateChain = allocator.allocateArray(CLinker.C_CHAR, chain[i].getEncoded());
            var rawCertificateChainPointer = allocator.allocate(CLinker.C_POINTER, rawCertificateChain);
            var x509certChain = d2i_X509(MemoryAddress.NULL, rawCertificateChainPointer, rawCertificateChain.byteSize());
            if (MemoryAddress.NULL.equals(x509certChain)) {
                logLastError(allocator, "openssl.errorLoadingCertificate");
                return;
            }
            // # define SSL_CTX_add0_chain_cert(sslCtx,x509) SSL_CTX_ctrl(sslCtx,SSL_CTRL_CHAIN_CERT,0,(char *)(x509))
            if (SSL_CTX_ctrl(state.sslCtx, SSL_CTRL_CHAIN_CERT(), 0, x509certChain) <= 0) {
                logLastError(allocator, "openssl.errorAddingCertificate");
                return;
            }
        }
    }
}
Also used : PrivateKey(java.security.PrivateKey) X509KeyManager(javax.net.ssl.X509KeyManager) MemoryAddress(jdk.incubator.foreign.MemoryAddress) AbstractEndpoint(org.apache.tomcat.util.net.AbstractEndpoint) MemorySegment(jdk.incubator.foreign.MemorySegment) X509Certificate(java.security.cert.X509Certificate)

Example 68 with MemoryAddress

use of jdk.incubator.foreign.MemoryAddress in project tomcat by apache.

the class OpenSSLContext method init.

/**
 * Setup the SSL_CTX.
 *
 * @param kms Must contain a KeyManager of the type
 *            {@code OpenSSLKeyManager}
 * @param tms Must contain a TrustManager of the type
 *            {@code X509TrustManager}
 * @param sr Is not used for this implementation.
 */
@Override
public synchronized void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) {
    if (initialized) {
        log.warn(sm.getString("openssl.doubleInit"));
        return;
    }
    try {
        if (sslHostConfig.getInsecureRenegotiation()) {
            SSL_CTX_set_options(state.sslCtx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION());
        } else {
            SSL_CTX_clear_options(state.sslCtx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION());
        }
        // client's)
        if (sslHostConfig.getHonorCipherOrder()) {
            SSL_CTX_set_options(state.sslCtx, SSL_OP_CIPHER_SERVER_PREFERENCE());
        } else {
            SSL_CTX_clear_options(state.sslCtx, SSL_OP_CIPHER_SERVER_PREFERENCE());
        }
        // Disable compression if requested
        if (sslHostConfig.getDisableCompression()) {
            SSL_CTX_set_options(state.sslCtx, SSL_OP_NO_COMPRESSION());
        } else {
            SSL_CTX_clear_options(state.sslCtx, SSL_OP_NO_COMPRESSION());
        }
        // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy
        if (sslHostConfig.getDisableSessionTickets()) {
            SSL_CTX_set_options(state.sslCtx, SSL_OP_NO_TICKET());
        } else {
            SSL_CTX_clear_options(state.sslCtx, SSL_OP_NO_TICKET());
        }
        // List the ciphers that the client is permitted to negotiate
        if (SSL_CTX_set_cipher_list(state.sslCtx, CLinker.toCString(sslHostConfig.getCiphers(), state.contextScope)) <= 0) {
            log.warn(sm.getString("engine.failedCipherSuite", sslHostConfig.getCiphers()));
        }
        if (certificate.getCertificateFile() == null) {
            certificate.setCertificateKeyManager(OpenSSLUtil.chooseKeyManager(kms));
        }
        addCertificate(certificate);
        // Client certificate verification
        int value = 0;
        switch(sslHostConfig.getCertificateVerification()) {
            case NONE:
                value = SSL_VERIFY_NONE();
                break;
            case OPTIONAL:
                value = SSL_VERIFY_PEER();
                break;
            case OPTIONAL_NO_CA:
                value = OPTIONAL_NO_CA;
                break;
            case REQUIRED:
                value = SSL_VERIFY_FAIL_IF_NO_PEER_CERT();
                break;
        }
        // SSLContext.setVerify(state.ctx, value, sslHostConfig.getCertificateVerificationDepth());
        if (SSL_CTX_set_default_verify_paths(state.sslCtx) > 0) {
            var store = SSL_CTX_get_cert_store(state.sslCtx);
            X509_STORE_set_flags(store, 0);
        }
        // Set int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) callback
        MemoryAddress openSSLCallbackVerify = CLinker.getInstance().upcallStub(openSSLCallbackVerifyHandle, openSSLCallbackVerifyFunctionDescriptor, state.contextScope);
        // Leave this just in case but in Tomcat this is always set again by the engine
        SSL_CTX_set_verify(state.sslCtx, value, openSSLCallbackVerify);
        // Trust and certificate verification
        var allocator = SegmentAllocator.ofScope(state.contextScope);
        if (tms != null) {
            // Client certificate verification based on custom trust managers
            state.x509TrustManager = chooseTrustManager(tms);
            MemoryAddress openSSLCallbackCertVerify = CLinker.getInstance().upcallStub(openSSLCallbackCertVerifyHandle, openSSLCallbackCertVerifyFunctionDescriptor, state.contextScope);
            SSL_CTX_set_cert_verify_callback(state.sslCtx, openSSLCallbackCertVerify, state.sslCtx);
            // an acceptable certificate
            for (X509Certificate caCert : state.x509TrustManager.getAcceptedIssuers()) {
                // SSLContext.addClientCACertificateRaw(state.ctx, caCert.getEncoded());
                var rawCACertificate = allocator.allocateArray(CLinker.C_CHAR, caCert.getEncoded());
                var rawCACertificatePointer = allocator.allocate(CLinker.C_POINTER, rawCACertificate);
                var x509CACert = d2i_X509(MemoryAddress.NULL, rawCACertificatePointer, rawCACertificate.byteSize());
                if (MemoryAddress.NULL.equals(x509CACert)) {
                    logLastError(allocator, "openssl.errorLoadingCertificate");
                } else if (SSL_CTX_add_client_CA(state.sslCtx, x509CACert) <= 0) {
                    logLastError(allocator, "openssl.errorAddingCertificate");
                } else if (log.isDebugEnabled()) {
                    log.debug(sm.getString("openssl.addedClientCaCert", caCert.toString()));
                }
            }
        } else {
            // Client certificate verification based on trusted CA files and dirs
            // SSLContext.setCACertificate(state.ctx,
            // SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()),
            // SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
            MemorySegment caCertificateFileNative = sslHostConfig.getCaCertificateFile() != null ? CLinker.toCString(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()), state.contextScope) : null;
            MemorySegment caCertificatePathNative = sslHostConfig.getCaCertificatePath() != null ? CLinker.toCString(SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()), state.contextScope) : null;
            if (SSL_CTX_load_verify_locations(state.sslCtx, caCertificateFileNative == null ? MemoryAddress.NULL : caCertificateFileNative, caCertificatePathNative == null ? MemoryAddress.NULL : caCertificatePathNative) <= 0) {
                logLastError(allocator, "openssl.errorConfiguringLocations");
            } else {
                var caCerts = SSL_CTX_get_client_CA_list(state.sslCtx);
                if (MemoryAddress.NULL.equals(caCerts)) {
                    caCerts = SSL_load_client_CA_file(caCertificateFileNative);
                    if (!MemoryAddress.NULL.equals(caCerts)) {
                        SSL_CTX_set_client_CA_list(state.sslCtx, caCerts);
                    }
                } else {
                    if (SSL_add_file_cert_subjects_to_stack(caCerts, caCertificateFileNative) <= 0) {
                        caCerts = MemoryAddress.NULL;
                    }
                }
                if (MemoryAddress.NULL.equals(caCerts)) {
                    log.warn(sm.getString("openssl.noCACerts"));
                }
            }
        }
        if (state.negotiableProtocols != null && state.negotiableProtocols.size() > 0) {
            // int openSSLCallbackAlpnSelectProto(MemoryAddress ssl, MemoryAddress out, MemoryAddress outlen,
            // MemoryAddress in, int inlen, MemoryAddress arg
            MemoryAddress openSSLCallbackAlpnSelectProto = CLinker.getInstance().upcallStub(openSSLCallbackAlpnSelectProtoHandle, openSSLCallbackAlpnSelectProtoFunctionDescriptor, state.contextScope);
            SSL_CTX_set_alpn_select_cb(state.sslCtx, openSSLCallbackAlpnSelectProto, state.sslCtx);
        // Skip NPN (annoying and likely not useful anymore)
        // SSLContext.setNpnProtos(state.ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE);
        }
        // Apply OpenSSLConfCmd if used
        OpenSSLConf openSslConf = sslHostConfig.getOpenSslConf();
        if (openSslConf != null && !MemoryAddress.NULL.equals(state.confCtx)) {
            // Check OpenSSLConfCmd if used
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("openssl.checkConf"));
            }
            try {
                if (!checkConf(openSslConf)) {
                    log.error(sm.getString("openssl.errCheckConf"));
                    throw new Exception(sm.getString("openssl.errCheckConf"));
                }
            } catch (Exception e) {
                throw new Exception(sm.getString("openssl.errCheckConf"), e);
            }
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("openssl.applyConf"));
            }
            try {
                if (!applyConf(openSslConf)) {
                    log.error(sm.getString("openssl.errApplyConf"));
                    throw new SSLException(sm.getString("openssl.errApplyConf"));
                }
            } catch (Exception e) {
                throw new SSLException(sm.getString("openssl.errApplyConf"), e);
            }
            // Reconfigure the enabled protocols
            long opts = SSL_CTX_get_options(state.sslCtx);
            List<String> enabled = new ArrayList<>();
            // Seems like there is no way to explicitly disable SSLv2Hello
            // in OpenSSL so it is always enabled
            enabled.add(Constants.SSL_PROTO_SSLv2Hello);
            if ((opts & SSL_OP_NO_TLSv1()) == 0) {
                enabled.add(Constants.SSL_PROTO_TLSv1);
            }
            if ((opts & SSL_OP_NO_TLSv1_1()) == 0) {
                enabled.add(Constants.SSL_PROTO_TLSv1_1);
            }
            if ((opts & SSL_OP_NO_TLSv1_2()) == 0) {
                enabled.add(Constants.SSL_PROTO_TLSv1_2);
            }
            if ((opts & SSL_OP_NO_TLSv1_3()) == 0) {
                enabled.add(Constants.SSL_PROTO_TLSv1_3);
            }
            if ((opts & SSL_OP_NO_SSLv2()) == 0) {
                enabled.add(Constants.SSL_PROTO_SSLv2);
            }
            if ((opts & SSL_OP_NO_SSLv3()) == 0) {
                enabled.add(Constants.SSL_PROTO_SSLv3);
            }
            sslHostConfig.setEnabledProtocols(enabled.toArray(new String[0]));
            // Reconfigure the enabled ciphers
            sslHostConfig.setEnabledCiphers(getCiphers(state.sslCtx));
        }
        sessionContext = new OpenSSLSessionContext(this);
        // If client authentication is being used, OpenSSL requires that
        // this is set so always set it in case an app is configured to
        // require it
        sessionContext.setSessionIdContext(DEFAULT_SESSION_ID_CONTEXT);
        sslHostConfig.setOpenSslContext(state.sslCtx.toRawLongValue());
        initialized = true;
    } catch (Exception e) {
        log.warn(sm.getString("openssl.errorSSLCtxInit"), e);
        destroy();
    }
}
Also used : ArrayList(java.util.ArrayList) OpenSSLConf(org.apache.tomcat.util.net.openssl.OpenSSLConf) SSLException(javax.net.ssl.SSLException) AbstractEndpoint(org.apache.tomcat.util.net.AbstractEndpoint) X509Certificate(java.security.cert.X509Certificate) MemorySegment(jdk.incubator.foreign.MemorySegment) CertificateException(java.security.cert.CertificateException) SSLException(javax.net.ssl.SSLException) MemoryAddress(jdk.incubator.foreign.MemoryAddress)

Example 69 with MemoryAddress

use of jdk.incubator.foreign.MemoryAddress in project tomcat by apache.

the class OpenSSLContext method openSSLCallbackCertVerify.

public static int openSSLCallbackCertVerify(MemoryAddress x509_ctx, MemoryAddress param) {
    if (log.isDebugEnabled()) {
        log.debug("Certificate verification");
    }
    if (MemoryAddress.NULL.equals(param)) {
        return 0;
    }
    ContextState state = getState(param);
    if (state == null) {
        log.warn(sm.getString("context.noSSL", Long.valueOf(param.toRawLongValue())));
        return 0;
    }
    MemoryAddress ssl = X509_STORE_CTX_get_ex_data(x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
    MemoryAddress /*STACK_OF(X509)*/
    sk = X509_STORE_CTX_get0_untrusted(x509_ctx);
    int len = OPENSSL_sk_num(sk);
    byte[][] certificateChain = new byte[len][];
    try (var scope = ResourceScope.newConfinedScope()) {
        var allocator = SegmentAllocator.ofScope(scope);
        for (int i = 0; i < len; i++) {
            MemoryAddress /*(X509*)*/
            x509 = OPENSSL_sk_value(sk, i);
            MemorySegment bufPointer = allocator.allocate(CLinker.C_POINTER, MemoryAddress.NULL);
            int length = i2d_X509(x509, bufPointer);
            if (length < 0) {
                certificateChain[i] = new byte[0];
                continue;
            }
            MemoryAddress buf = MemoryAccess.getAddress(bufPointer);
            certificateChain[i] = buf.asSegment(length, scope).toByteArray();
            // OPENSSL_free macro
            CRYPTO_free(buf, MemoryAddress.NULL, 0);
        }
        MemoryAddress cipher = SSL_get_current_cipher(ssl);
        String authMethod = (MemoryAddress.NULL.equals(cipher)) ? "UNKNOWN" : getCipherAuthenticationMethod(SSL_CIPHER_get_auth_nid(cipher), SSL_CIPHER_get_kx_nid(cipher));
        X509Certificate[] peerCerts = certificates(certificateChain);
        try {
            state.x509TrustManager.checkClientTrusted(peerCerts, authMethod);
            return 1;
        } catch (Exception e) {
            log.debug(sm.getString("openssl.certificateVerificationFailed"), e);
        }
    }
    return 0;
}
Also used : MemoryAddress(jdk.incubator.foreign.MemoryAddress) AbstractEndpoint(org.apache.tomcat.util.net.AbstractEndpoint) MemorySegment(jdk.incubator.foreign.MemorySegment) X509Certificate(java.security.cert.X509Certificate) CertificateException(java.security.cert.CertificateException) SSLException(javax.net.ssl.SSLException)

Example 70 with MemoryAddress

use of jdk.incubator.foreign.MemoryAddress in project openj9 by eclipse.

the class StructTests method test_add2ShortStructs_returnStructPointer.

@Test
public void test_add2ShortStructs_returnStructPointer() throws Throwable {
    GroupLayout structLayout = MemoryLayout.ofStruct(C_SHORT.withName("elem1"), C_SHORT.withName("elem2"));
    VarHandle shortHandle1 = structLayout.varHandle(short.class, PathElement.groupElement("elem1"));
    VarHandle shortHandle2 = structLayout.varHandle(short.class, PathElement.groupElement("elem2"));
    MethodType mt = MethodType.methodType(MemoryAddress.class, MemoryAddress.class, MemorySegment.class);
    FunctionDescriptor fd = FunctionDescriptor.of(C_POINTER, C_POINTER, structLayout);
    Symbol functionSymbol = nativeLib.lookup("add2ShortStructs_returnStructPointer").get();
    MethodHandle mh = clinker.downcallHandle(functionSymbol, mt, fd);
    MemorySegment structSegmt1 = MemorySegment.allocateNative(structLayout);
    shortHandle1.set(structSegmt1, (short) 56);
    shortHandle2.set(structSegmt1, (short) 45);
    MemorySegment structSegmt2 = MemorySegment.allocateNative(structLayout);
    shortHandle1.set(structSegmt2, (short) 78);
    shortHandle2.set(structSegmt2, (short) 67);
    MemoryAddress resultAddr = (MemoryAddress) mh.invokeExact(structSegmt1.address(), structSegmt2);
    MemorySegment resultSegmt = resultAddr.asSegmentRestricted(structLayout.byteSize());
    Assert.assertEquals((short) shortHandle1.get(resultSegmt), (short) 134);
    Assert.assertEquals((short) shortHandle2.get(resultSegmt), (short) 112);
    structSegmt1.close();
    structSegmt2.close();
    resultSegmt.close();
}
Also used : MethodType(java.lang.invoke.MethodType) VarHandle(java.lang.invoke.VarHandle) Symbol(jdk.incubator.foreign.LibraryLookup.Symbol) GroupLayout(jdk.incubator.foreign.GroupLayout) FunctionDescriptor(jdk.incubator.foreign.FunctionDescriptor) MemoryAddress(jdk.incubator.foreign.MemoryAddress) MemorySegment(jdk.incubator.foreign.MemorySegment) MethodHandle(java.lang.invoke.MethodHandle) Test(org.testng.annotations.Test)

Aggregations

MemoryAddress (jdk.incubator.foreign.MemoryAddress)136 Test (org.testng.annotations.Test)131 MethodHandle (java.lang.invoke.MethodHandle)127 FunctionDescriptor (jdk.incubator.foreign.FunctionDescriptor)127 MemorySegment (jdk.incubator.foreign.MemorySegment)102 MethodType (java.lang.invoke.MethodType)93 GroupLayout (jdk.incubator.foreign.GroupLayout)80 VarHandle (java.lang.invoke.VarHandle)78 ResourceScope (jdk.incubator.foreign.ResourceScope)65 SegmentAllocator (jdk.incubator.foreign.SegmentAllocator)64 Addressable (jdk.incubator.foreign.Addressable)63 NativeSymbol (jdk.incubator.foreign.NativeSymbol)34 Symbol (jdk.incubator.foreign.LibraryLookup.Symbol)30 AbstractEndpoint (org.apache.tomcat.util.net.AbstractEndpoint)4 X509Certificate (java.security.cert.X509Certificate)3 CertificateException (java.security.cert.CertificateException)2 ArrayList (java.util.ArrayList)2 SSLException (javax.net.ssl.SSLException)2 PrivateKey (java.security.PrivateKey)1 X509KeyManager (javax.net.ssl.X509KeyManager)1