Merged branch 'jetty-12.0.x' into 'jetty-12.1.x'.

Signed-off-by: Simone Bordet <[email protected]>

jetty-core/jetty-alpn/jetty-alpn-conscrypt-server/src/test/java/org/eclipse/jetty/alpn/conscrypt/server/ConscryptHTTP2ServerTest.java

@@ -56,6 +56,7 @@ public class ConscryptHTTP2ServerTest
         Security.addProvider(new OpenSSLProvider());
     }
 
+    private final HttpConfiguration httpsConfig = new HttpConfiguration();
     private final Server server = new Server();
 
     private SslContextFactory.Server newServerSslContextFactory()
@@ -90,9 +91,7 @@ private void configureSslContextFactory(SslContextFactory sslContextFactory)
     @BeforeEach
     public void startServer() throws Exception
     {
-        HttpConfiguration httpsConfig = new HttpConfiguration();
         httpsConfig.setSecureScheme("https");
-
         httpsConfig.setSendXPoweredBy(true);
         httpsConfig.setSendServerVersion(true);
         httpsConfig.addCustomizer(new SecureRequestCustomizer());
@@ -140,4 +139,12 @@ public void testSimpleRequest() throws Exception
             assertEquals(200, contentResponse.getStatus());
         }
     }
+
+    @Test
+    public void testSNIRequired() throws Exception
+    {
+        // The KeyStore contains 1 certificate with two DNS names.
+        httpsConfig.getCustomizer(SecureRequestCustomizer.class).setSniRequired(true);
+        testSimpleRequest();
+    }
 }

jetty-core/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java

@@ -17,6 +17,9 @@
 import java.security.cert.X509Certificate;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
+import javax.net.ssl.ExtendedSSLSession;
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSession;
 
@@ -213,7 +216,7 @@ protected void checkSni(Request request, SSLSession session)
     {
         if (isSniRequired() || isSniHostCheck())
         {
-            String sniHost = (String)session.getValue(SslContextFactory.Server.SNI_HOST);
+            String sniHost = retrieveSni(request, session);
 
             X509 x509 = getX509(session);
             if (x509 == null)
@@ -230,6 +233,28 @@ protected void checkSni(Request request, SSLSession session)
         }
     }
 
+    protected String retrieveSni(Request request, SSLSession session)
+    {
+        // Quick retrieval of the SNI from a SSLSession attribute put by SniX509ExtendedKeyManager.
+        String sniHost = (String)session.getValue(SslContextFactory.Server.SNI_HOST);
+        if (sniHost != null)
+            return null;
+
+        // Some security providers (for example, Conscrypt) do not support
+        // SSLSession attributes, so perform a more expensive SNI retrieval.
+        if (session instanceof ExtendedSSLSession extended)
+        {
+            for (SNIServerName serverName : extended.getRequestedServerNames())
+            {
+                if (serverName instanceof SNIHostName hostName)
+                    return hostName.getAsciiName();
+            }
+        }
+
+        // Nothing more we can do.
+        return null;
+    }
+
     private X509 getX509(SSLSession session)
     {
         X509 x509 = (X509)session.getValue(X509_ATTRIBUTE);

jetty-core/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java

@@ -21,7 +21,6 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.LinkedHashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.function.UnaryOperator;
@@ -115,29 +114,32 @@ protected String chooseServerAlias(String keyType, Principal[] issuers, Collecti
             .forEach(alias -> aliasMap.put(getAliasMapper().apply(alias), alias));
 
         String host = null;
-        if (session instanceof ExtendedSSLSession)
+        if (session instanceof ExtendedSSLSession extended)
         {
-            List<SNIServerName> serverNames = ((ExtendedSSLSession)session).getRequestedServerNames();
-            if (serverNames != null)
+            for (SNIServerName serverName : extended.getRequestedServerNames())
             {
-                host = serverNames.stream()
-                    .findAny()
-                    .filter(SNIHostName.class::isInstance)
-                    .map(SNIHostName.class::cast)
-                    .map(SNIHostName::getAsciiName)
-                    .orElse(null);
+                if (serverName instanceof SNIHostName hostName)
+                {
+                    host = hostName.getAsciiName();
+                    break;
+                }
             }
         }
         if (host == null)
         {
             // Find our SNIMatcher.  There should only be one and it always matches (always returns true
             // from AliasSNIMatcher.matches), but it will capture the SNI Host if one was presented.
-            host = matchers == null ? null : matchers.stream()
-                .filter(SslContextFactory.AliasSNIMatcher.class::isInstance)
-                .map(SslContextFactory.AliasSNIMatcher.class::cast)
-                .findFirst()
-                .map(SslContextFactory.AliasSNIMatcher::getHost)
-                .orElse(null);
+            if (matchers != null)
+            {
+                for (SNIMatcher matcher : matchers)
+                {
+                    if (matcher instanceof SslContextFactory.AliasSNIMatcher aliasMatcher)
+                    {
+                        host = aliasMatcher.getHost();
+                        break;
+                    }
+                }
+            }
         }
         if (session != null && host != null)
             session.putValue(SslContextFactory.Server.SNI_HOST, host);