CORDA-2001 - SNI header for future inter-op (#3977)

2025-02-28 20:06:25 +00:00 · 2018-09-21 10:15:40 +01:00 · 2018-09-21 10:15:40 +01:00 · 2a522c9f05
commit 2a522c9f05
parent d19e953700
2 changed files with 19 additions and 1 deletions
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/AMQPClient.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/AMQPClient.kt
@ -107,7 +107,7 @@ class AMQPClient(val targets: List<NetworkHostAndPort>,

        override fun initChannel(ch: SocketChannel) {
            val pipeline = ch.pipeline()
-            val handler = createClientSslHelper(parent.currentTarget, keyManagerFactory, trustManagerFactory)
+            val handler = createClientSslHelper(parent.currentTarget, parent.allowedRemoteLegalNames, keyManagerFactory, trustManagerFactory)
            pipeline.addLast("sslHandler", handler)
            if (parent.trace) pipeline.addLast("logger", LoggingHandler(LogLevel.INFO))
            pipeline.addLast(AMQPChannelHandler(false,
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/SSLHelper.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/SSLHelper.kt
@ -1,14 +1,20 @@
 package net.corda.nodeapi.internal.protonwrapper.netty

 import io.netty.handler.ssl.SslHandler
+import net.corda.core.crypto.SecureHash
+import net.corda.core.identity.CordaX500Name
 import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.nodeapi.ArtemisTcpTransport
 import java.security.SecureRandom
 import javax.net.ssl.KeyManagerFactory
+import javax.net.ssl.SNIHostName
 import javax.net.ssl.SSLContext
 import javax.net.ssl.TrustManagerFactory

+private const val HOSTNAME_FORMAT = "%s.corda.net"
+
 internal fun createClientSslHelper(target: NetworkHostAndPort,
+                                   expectedRemoteLegalNames: Set<CordaX500Name>,
                                   keyManagerFactory: KeyManagerFactory,
                                   trustManagerFactory: TrustManagerFactory): SslHandler {
    val sslContext = SSLContext.getInstance("TLS")
@ -20,6 +26,11 @@ internal fun createClientSslHelper(target: NetworkHostAndPort,
    sslEngine.enabledProtocols = ArtemisTcpTransport.TLS_VERSIONS.toTypedArray()
    sslEngine.enabledCipherSuites = ArtemisTcpTransport.CIPHER_SUITES.toTypedArray()
    sslEngine.enableSessionCreation = true
+    if (expectedRemoteLegalNames.size == 1) {
+        val sslParameters = sslEngine.sslParameters
+        sslParameters.serverNames = listOf(SNIHostName(x500toHostName(expectedRemoteLegalNames.single())))
+        sslEngine.sslParameters = sslParameters
+    }
    return SslHandler(sslEngine)
 }

@ -36,4 +47,11 @@ internal fun createServerSslHelper(keyManagerFactory: KeyManagerFactory,
    sslEngine.enabledCipherSuites = ArtemisTcpTransport.CIPHER_SUITES.toTypedArray()
    sslEngine.enableSessionCreation = true
    return SslHandler(sslEngine)
+}
+
+internal fun x500toHostName(x500Name: CordaX500Name): String {
+    val secureHash = SecureHash.sha256(x500Name.toString())
+    // RFC 1035 specifies a limit 255 bytes for hostnames with each label being 63 bytes or less. Due to this, the string
+    // representation of the SHA256 hash is truncated to 32 characters.
+    return String.format(HOSTNAME_FORMAT, secureHash.toString().substring(0..32).toLowerCase())
 }