ENT-1565 Documentation and Bugfix for native SSL (#1432)

* Add documentation for the useOpenSsl flag * Use delegation for wrapping unchanged methods (removing actual and potential bugs) * Replace reflective shorthands with proper argument names in wrappers. * Mention default for useOpenSsl in documentation
2025-05-11 13:03:08 +00:00 · 2018-10-02 13:41:15 +01:00 · 2018-10-02 13:41:15 +01:00 · ce9538f917
commit ce9538f917
parent 7b230de4d2
4 changed files with 25 additions and 56 deletions
--- a/docs/source/corda-configuration-file.rst
+++ b/docs/source/corda-configuration-file.rst
@ -297,6 +297,9 @@ absolute path to the node's base directory.
                        .. _Dropwizard: https://metrics.dropwizard.io/3.2.3/manual/third-party.html
                        .. _Introduction to New Relic for Java: https://docs.newrelic.com/docs/agents/java-agent/getting-started/introduction-new-relic-java

+:useOpenSsl:    If set to true, the node will use a native SSL implementation for TLS rather than the JVM SSL. The native SSL library currently
+                shipped with Corda Enterprise is BoringSsl. The default is to use JVM SSL, i.e. the flag being set to ``false``.
+
 :enterpriseConfiguration: Allows fine-grained controls of various features only available in the enterprise version of Corda.

    :tuning: Performance tuning parameters for Corda Enterprise
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/AliasProvidingKeyMangerWrapper.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/AliasProvidingKeyMangerWrapper.kt
@ -2,8 +2,6 @@ package net.corda.nodeapi.internal.protonwrapper.netty

 import java.net.Socket
 import java.security.Principal
-import java.security.PrivateKey
-import java.security.cert.X509Certificate
 import javax.net.ssl.SSLEngine
 import javax.net.ssl.X509ExtendedKeyManager
 import javax.net.ssl.X509KeyManager
@ -13,31 +11,15 @@ interface AliasProvidingKeyMangerWrapper : X509KeyManager {
 }


-class AliasProvidingKeyMangerWrapperImpl(private val keyManager: X509KeyManager) : AliasProvidingKeyMangerWrapper {
+class AliasProvidingKeyMangerWrapperImpl(private val keyManager: X509KeyManager) : AliasProvidingKeyMangerWrapper, X509KeyManager by keyManager {
    override var lastAlias: String? = null

-    override fun getClientAliases(p0: String?, p1: Array<out Principal>?): Array<String> {
-        return keyManager.getClientAliases(p0, p1)
+    override fun chooseServerAlias(keyType: String?, issuers: Array<out Principal>?, socket: Socket?): String? {
+        return storeIfNotNull { keyManager.chooseServerAlias(keyType, issuers, socket) }
    }

-    override fun getServerAliases(p0: String?, p1: Array<out Principal>?): Array<String> {
-        return getServerAliases(p0, p1)
-    }
-
-    override fun chooseServerAlias(p0: String?, p1: Array<out Principal>?, p2: Socket?): String? {
-        return storeIfNotNull { keyManager.chooseServerAlias(p0, p1, p2) }
-    }
-
-    override fun getCertificateChain(p0: String?): Array<X509Certificate> {
-        return keyManager.getCertificateChain(p0)
-    }
-
-    override fun getPrivateKey(p0: String?): PrivateKey {
-        return keyManager.getPrivateKey(p0)
-    }
-
-    override fun chooseClientAlias(p0: Array<out String>?, p1: Array<out Principal>?, p2: Socket?): String? {
-        return storeIfNotNull { keyManager.chooseClientAlias(p0, p1, p2) }
+    override fun chooseClientAlias(keyType: Array<out String>?, issuers: Array<out Principal>?, socket: Socket?): String? {
+        return storeIfNotNull { keyManager.chooseClientAlias(keyType, issuers, socket) }
    }

    private fun storeIfNotNull(func: () -> String?): String? {
@ -49,39 +31,23 @@ class AliasProvidingKeyMangerWrapperImpl(private val keyManager: X509KeyManager)
    }
 }

-class AliasProvidingExtendedKeyMangerWrapper(private val keyManager: X509ExtendedKeyManager) : X509ExtendedKeyManager(), AliasProvidingKeyMangerWrapper {
+class AliasProvidingExtendedKeyMangerWrapper(private val keyManager: X509ExtendedKeyManager) : X509ExtendedKeyManager(), X509KeyManager by keyManager, AliasProvidingKeyMangerWrapper {
    override var lastAlias: String? = null

-    override fun getClientAliases(p0: String?, p1: Array<out Principal>?): Array<String> {
-        return keyManager.getClientAliases(p0, p1)
+    override fun chooseServerAlias(keyType: String?, issuers: Array<out Principal>?, socket: Socket?): String? {
+        return storeIfNotNull { keyManager.chooseServerAlias(keyType, issuers, socket) }
    }

-    override fun getServerAliases(p0: String?, p1: Array<out Principal>?): Array<String> {
-        return keyManager.getServerAliases(p0, p1)
+    override fun chooseClientAlias(keyType: Array<out String>?, issuers: Array<out Principal>?, socket: Socket?): String? {
+        return storeIfNotNull { keyManager.chooseClientAlias(keyType, issuers, socket) }
    }

-    override fun chooseServerAlias(p0: String?, p1: Array<out Principal>?, p2: Socket?): String? {
-        return storeIfNotNull { keyManager.chooseServerAlias(p0, p1, p2) }
+    override fun chooseEngineClientAlias(keyType: Array<out String>?, issuers: Array<out Principal>?, engine: SSLEngine?): String? {
+        return storeIfNotNull { keyManager.chooseEngineClientAlias(keyType, issuers, engine) }
    }

-    override fun getCertificateChain(p0: String?): Array<X509Certificate> {
-        return keyManager.getCertificateChain(p0)
-    }
-
-    override fun getPrivateKey(p0: String?): PrivateKey {
-        return keyManager.getPrivateKey(p0)
-    }
-
-    override fun chooseClientAlias(p0: Array<out String>?, p1: Array<out Principal>?, p2: Socket?): String? {
-        return storeIfNotNull { keyManager.chooseClientAlias(p0, p1, p2) }
-    }
-
-    override fun chooseEngineClientAlias(p0: Array<out String>?, p1: Array<out Principal>?, p2: SSLEngine?): String? {
-        return storeIfNotNull { keyManager.chooseEngineClientAlias(p0, p1, p2) }
-    }
-
-    override fun chooseEngineServerAlias(p0: String?, p1: Array<out Principal>?, p2: SSLEngine?): String? {
-        return storeIfNotNull { keyManager.chooseEngineServerAlias(p0, p1, p2) }
+    override fun chooseEngineServerAlias(keyType: String?, issuers: Array<out Principal>?, engine: SSLEngine?): String? {
+        return storeIfNotNull { keyManager.chooseEngineServerAlias(keyType, issuers, engine) }
    }

    private fun storeIfNotNull(func: () -> String?): String? {
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/CertHoldingKeyManagerFactoryWrapper.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/CertHoldingKeyManagerFactoryWrapper.kt
@ -6,16 +6,16 @@ import javax.net.ssl.*


 class CertHoldingKeyManagerFactorySpiWrapper(private val factorySpi: KeyManagerFactorySpi) : KeyManagerFactorySpi() {
-    override fun engineInit(p0: KeyStore?, p1: CharArray?) {
+    override fun engineInit(keyStore: KeyStore?, password: CharArray?) {
        val engineInitMethod = KeyManagerFactorySpi::class.java.getDeclaredMethod("engineInit", KeyStore::class.java, CharArray::class.java)
        engineInitMethod.isAccessible = true
-        engineInitMethod.invoke(factorySpi, p0, p1)
+        engineInitMethod.invoke(factorySpi, keyStore, password)
    }

-    override fun engineInit(p0: ManagerFactoryParameters?) {
+    override fun engineInit(spec: ManagerFactoryParameters?) {
        val engineInitMethod = KeyManagerFactorySpi::class.java.getDeclaredMethod("engineInit", ManagerFactoryParameters::class.java)
        engineInitMethod.isAccessible = true
-        engineInitMethod.invoke(factorySpi, p0)
+        engineInitMethod.invoke(factorySpi, spec)
    }

    private fun getKeyManagersImpl(): Array<KeyManager> {
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/TrustManagerFactoryWrapper.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/protonwrapper/netty/TrustManagerFactoryWrapper.kt
@ -12,16 +12,16 @@ class LoggingTrustManagerFactorySpiWrapper(private val factorySpi: TrustManagerF
        return if (factorySpi is LoggingTrustManagerFactorySpiWrapper) trustManagers else trustManagers.filterIsInstance(X509ExtendedTrustManager::class.java).map { LoggingTrustManagerWrapper(it) }.toTypedArray()
    }

-    override fun engineInit(p0: KeyStore?) {
+    override fun engineInit(ks: KeyStore?) {
        val engineInitMethod = TrustManagerFactorySpi::class.java.getDeclaredMethod("engineInit", KeyStore::class.java)
        engineInitMethod.isAccessible = true
-        engineInitMethod.invoke(factorySpi, p0)
+        engineInitMethod.invoke(factorySpi, ks)
    }

-    override fun engineInit(p0: ManagerFactoryParameters?) {
+    override fun engineInit(spec: ManagerFactoryParameters?) {
        val engineInitMethod = TrustManagerFactorySpi::class.java.getDeclaredMethod("engineInit", ManagerFactoryParameters::class.java)
        engineInitMethod.isAccessible = true
-        engineInitMethod.invoke(factorySpi, p0)
+        engineInitMethod.invoke(factorySpi, spec)
    }
 }