Fail to load keystore is alias is provided but does not exist

Fixes eclipse-vertx#3969 When a keystore alias is provided, we remove non matching aliases when loading the keystore. But then if the alias is wrong, no feedback is provided to the user (eventually the handshake fails of course). With this change, we fail early if the keystore alias does not exist. Signed-off-by: Thomas Segismont <[email protected]>
tsegismont · Jun 22, 2021 · 8c3e502 · 8c3e502
1 parent 137409b
commit 8c3e502
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 28 deletions.
diff --git a/src/main/java/io/vertx/core/net/impl/KeyStoreHelper.java b/src/main/java/io/vertx/core/net/impl/KeyStoreHelper.java
@@ -19,11 +19,7 @@
 
 import javax.naming.ldap.LdapName;
 import javax.naming.ldap.Rdn;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.*;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -35,22 +31,12 @@
 import java.security.cert.X509Certificate;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Base64;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
+import java.util.*;
 import java.util.function.BiFunction;
 import java.util.function.Supplier;
-import java.util.stream.Collectors;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 /**
@@ -222,6 +208,9 @@ public static KeyStore loadKeyStore(String type, String provider, String passwor
       ks.load(in, password != null ? password.toCharArray() : null);
     }
     if (alias != null) {
+      if (!ks.containsAlias(alias)) {
+        throw new IllegalArgumentException("alias does not exist in the keystore: " + alias);
+      }
       List<String> ksAliases = Collections.list(ks.aliases());
       for (String ksAlias : ksAliases) {
         if (!alias.equals(ksAlias)) {

diff --git a/src/test/java/io/vertx/core/net/NetTest.java b/src/test/java/io/vertx/core/net/NetTest.java
@@ -16,31 +16,33 @@
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.ChannelPipeline;
 import io.netty.channel.ConnectTimeoutException;
-import io.netty.handler.codec.http.*;
 import io.netty.handler.codec.http.HttpMethod;
 import io.netty.handler.codec.http.HttpVersion;
+import io.netty.handler.codec.http.*;
 import io.netty.util.internal.PlatformDependent;
 import io.vertx.core.*;
 import io.vertx.core.buffer.Buffer;
 import io.vertx.core.eventbus.Message;
 import io.vertx.core.eventbus.MessageConsumer;
 import io.vertx.core.http.*;
 import io.vertx.core.impl.ConcurrentHashSet;
-import io.vertx.core.net.impl.HAProxyMessageCompletionHandler;
-import io.vertx.core.net.impl.NetSocketInternal;
 import io.vertx.core.impl.VertxInternal;
-import io.vertx.core.json.JsonArray;
-import io.vertx.core.json.JsonObject;
 import io.vertx.core.impl.logging.Logger;
 import io.vertx.core.impl.logging.LoggerFactory;
+import io.vertx.core.json.JsonArray;
+import io.vertx.core.json.JsonObject;
+import io.vertx.core.net.impl.HAProxyMessageCompletionHandler;
 import io.vertx.core.net.impl.NetServerImpl;
+import io.vertx.core.net.impl.NetSocketInternal;
 import io.vertx.core.net.impl.VertxHandler;
 import io.vertx.core.streams.ReadStream;
-import io.vertx.test.core.*;
+import io.vertx.test.core.CheckingSender;
+import io.vertx.test.core.TestUtils;
+import io.vertx.test.core.VertxTestBase;
+import io.vertx.test.netty.TestLoggerFactory;
 import io.vertx.test.proxy.*;
 import io.vertx.test.tls.Cert;
 import io.vertx.test.tls.Trust;
-import io.vertx.test.netty.TestLoggerFactory;
 import org.junit.Assume;
 import org.junit.Rule;
 import org.junit.Test;
@@ -50,8 +52,10 @@
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.security.cert.X509Certificate;
-import java.io.*;
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.OutputStreamWriter;
 import java.net.InetSocketAddress;
 import java.nio.charset.StandardCharsets;
 import java.security.cert.Certificate;
@@ -64,6 +68,7 @@
 import java.util.function.Consumer;
 
 import static io.vertx.test.core.TestUtils.*;
+import static org.hamcrest.CoreMatchers.*;
 
 /**
  * @author <a href="http://tfox.org">Tim Fox</a>
@@ -1484,6 +1489,21 @@ public void testServerCertificateMultiple() throws Exception {
     assertEquals("precious", cnOf(test.clientPeerCert()));
   }
 
+  @Test
+  public void testServerCertificateMultipleWrongAlias() throws Exception {
+    TLSTest test = new TLSTest()
+      .serverCert(Cert.MULTIPLE_JKS_WRONG_ALIAS)
+      .clientTrustAll(true);
+    test.setupServer(true);
+    server.listen(test.bindAddress, onFailure(t -> {
+      assertThat(t, is(instanceOf(VertxException.class)));
+      assertThat(t.getCause(), is(instanceOf(IllegalArgumentException.class)));
+      assertThat(t.getCause().getMessage(), containsString("alias does not exist in the keystore"));
+      testComplete();
+    }));
+    await();
+  }
+
   void testTLS(Cert<?> clientCert, Trust<?> clientTrust,
                Cert<?> serverCert, Trust<?> serverTrust,
     boolean requireClientAuth, boolean clientTrustAll,
@@ -1614,7 +1634,7 @@ public Certificate clientPeerCert() {
       return clientPeerCert;
     }
 
-    void run(boolean shouldPass) {
+    void setupServer(boolean shouldPass) {
       server.close();
       NetServerOptions options = new NetServerOptions();
       if (!startTLS) {
@@ -1693,7 +1713,12 @@ void run(boolean shouldPass) {
           }
         });
       };
-      server.connectHandler(serverHandler).listen(bindAddress, onSuccess(ar -> {
+      server.connectHandler(serverHandler);
+    }
+
+    void run(boolean shouldPass) {
+      setupServer(shouldPass);
+      server.listen(bindAddress, onSuccess(ar -> {
         client.close();
         NetClientOptions clientOptions = new NetClientOptions();
         if (!startTLS) {

diff --git a/src/test/java/io/vertx/test/tls/Cert.java b/src/test/java/io/vertx/test/tls/Cert.java
@@ -49,5 +49,6 @@ public interface Cert<K extends KeyCertOptions> extends Supplier<K> {
       .addKeyPath("tls/host4-key.pem").addCertPath("tls/host4-cert.pem")
       .addKeyPath("tls/host5-key.pem").addCertPath("tls/host5-cert.pem");
   Cert<JksOptions> MULTIPLE_JKS = () -> new JksOptions().setPath("tls/multiple.jks").setPassword("wibble").setAlias("precious");
+  Cert<JksOptions> MULTIPLE_JKS_WRONG_ALIAS = () -> new JksOptions().setPath("tls/multiple.jks").setPassword("wibble").setAlias("preciouss");
 
 }