BoringSSLCertificateVerifyCallback Class — netty Architecture
Architecture documentation for the BoringSSLCertificateVerifyCallback class in BoringSSLCertificateVerifyCallback.java from the netty codebase.
Dependency Diagram
graph TD
    581c64f9_86e3_6d21_7ce3_ec0412545f34["BoringSSLCertificateVerifyCallback"]
    77ec2983_bf8c_210e_67d9_b547bbe46f4c["BoringSSLCertificateVerifyCallback.java"]
    581c64f9_86e3_6d21_7ce3_ec0412545f34 -->|defined in| 77ec2983_bf8c_210e_67d9_b547bbe46f4c
    87decf87_8961_8cac_bf3d_9bfb84d633d6["BoringSSLCertificateVerifyCallback()"]
    581c64f9_86e3_6d21_7ce3_ec0412545f34 -->|method| 87decf87_8961_8cac_bf3d_9bfb84d633d6
    6747e14f_2dd2_2bd1_22f3_cbc64acffb1d["verify()"]
    581c64f9_86e3_6d21_7ce3_ec0412545f34 -->|method| 6747e14f_2dd2_2bd1_22f3_cbc64acffb1d
    0d5e17f0_fb40_7067_6726_34868e4d0460["translateToError()"]
    581c64f9_86e3_6d21_7ce3_ec0412545f34 -->|method| 0d5e17f0_fb40_7067_6726_34868e4d0460
Source Code
codec-classes-quic/src/main/java/io/netty/handler/codec/quic/BoringSSLCertificateVerifyCallback.java lines 29–125
final class BoringSSLCertificateVerifyCallback {
    private static final boolean TRY_USING_EXTENDED_TRUST_MANAGER;
    static {
        boolean tryUsingExtendedTrustManager;
        try {
            Class.forName(X509ExtendedTrustManager.class.getName());
            tryUsingExtendedTrustManager = true;
        } catch (Throwable cause) {
            tryUsingExtendedTrustManager = false;
        }
        TRY_USING_EXTENDED_TRUST_MANAGER = tryUsingExtendedTrustManager;
    }

    private final QuicheQuicSslEngineMap engineMap;
    private final X509TrustManager manager;

    BoringSSLCertificateVerifyCallback(QuicheQuicSslEngineMap engineMap, @Nullable X509TrustManager manager) {
        this.engineMap = engineMap;
        this.manager = manager;
    }

    @SuppressWarnings("unused")
    int verify(long ssl, byte[][] x509, String authAlgorithm) {
        final QuicheQuicSslEngine engine = engineMap.get(ssl);
        if (engine == null) {
            // May be null if it was destroyed in the meantime.
            return BoringSSL.X509_V_ERR_UNSPECIFIED;
        }

        if (manager == null) {
            engineMap.remove(ssl);
            return BoringSSL.X509_V_ERR_UNSPECIFIED;
        }

        X509Certificate[] peerCerts = BoringSSL.certificates(x509);
        try {
            if (engine.getUseClientMode()) {
                if (TRY_USING_EXTENDED_TRUST_MANAGER && manager instanceof X509ExtendedTrustManager) {
                    ((X509ExtendedTrustManager) manager).checkServerTrusted(peerCerts, authAlgorithm, engine);
                } else {
                    manager.checkServerTrusted(peerCerts, authAlgorithm);
                }
            } else {
                if (TRY_USING_EXTENDED_TRUST_MANAGER && manager instanceof X509ExtendedTrustManager) {
                    ((X509ExtendedTrustManager) manager).checkClientTrusted(peerCerts, authAlgorithm, engine);
                } else {
                    manager.checkClientTrusted(peerCerts, authAlgorithm);
                }
            }
            return BoringSSL.X509_V_OK;
        } catch (Throwable cause) {
            engineMap.remove(ssl);
            // Try to extract the correct error code that should be used.
            if (cause instanceof OpenSslCertificateException) {
                // This will never return a negative error code as it's validated when constructing the
                // OpenSslCertificateException.
                return ((OpenSslCertificateException) cause).errorCode();
            }
            if (cause instanceof CertificateExpiredException) {
                return BoringSSL.X509_V_ERR_CERT_HAS_EXPIRED;
            }
            if (cause instanceof CertificateNotYetValidException) {
                return BoringSSL.X509_V_ERR_CERT_NOT_YET_VALID;
            }
            return translateToError(cause);
        }
    }

    private static int translateToError(Throwable cause) {
        if (cause instanceof CertificateRevokedException) {
            return BoringSSL.X509_V_ERR_CERT_REVOKED;
        }

        // The X509TrustManagerImpl uses a Validator which wraps a CertPathValidatorException into
        // a CertificateException. So we need to handle the wrapped CertPathValidatorException to be
        // able to send the correct alert.
        Throwable wrapped = cause.getCause();
        while (wrapped != null) {
            if (wrapped instanceof CertPathValidatorException) {
                CertPathValidatorException ex = (CertPathValidatorException) wrapped;
Frequently Asked Questions
What is the BoringSSLCertificateVerifyCallback class?
BoringSSLCertificateVerifyCallback is a class in the netty codebase, defined in codec-classes-quic/src/main/java/io/netty/handler/codec/quic/BoringSSLCertificateVerifyCallback.java.
Where is BoringSSLCertificateVerifyCallback defined?
BoringSSLCertificateVerifyCallback is defined in codec-classes-quic/src/main/java/io/netty/handler/codec/quic/BoringSSLCertificateVerifyCallback.java at line 29.