From 19414f5329516b61e0264da87d4ed7a36be02a89 Mon Sep 17 00:00:00 2001 From: Patrick Peer Date: Wed, 25 Jan 2023 15:45:03 +0100 Subject: [PATCH] Preserving order of enabled cipher suites and enabled protocols --- .../engine/ssl/DefaultSslContextFactory.java | 166 +++++++----------- 1 file changed, 65 insertions(+), 101 deletions(-) diff --git a/modules/org.restlet/src/main/java/org/restlet/engine/ssl/DefaultSslContextFactory.java b/modules/org.restlet/src/main/java/org/restlet/engine/ssl/DefaultSslContextFactory.java index 0430abcce6..1cb92b8a4b 100644 --- a/modules/org.restlet/src/main/java/org/restlet/engine/ssl/DefaultSslContextFactory.java +++ b/modules/org.restlet/src/main/java/org/restlet/engine/ssl/DefaultSslContextFactory.java @@ -29,6 +29,7 @@ import java.security.SecureRandom; import java.util.Arrays; import java.util.HashSet; +import java.util.LinkedHashSet; import java.util.Set; import javax.net.ssl.SSLContext; @@ -503,25 +504,15 @@ public String getSecureRandomAlgorithm() { * The initial cipher suites to restrict. * @return The selected cipher suites. */ - public String[] getSelectedCipherSuites(String[] supportedCipherSuites) { - Set resultSet = new HashSet(); - - if (supportedCipherSuites != null) { - for (String supportedCipherSuite : supportedCipherSuites) { - if (((getEnabledCipherSuites() == null) || Arrays.asList( - getEnabledCipherSuites()) - .contains(supportedCipherSuite)) - && ((getDisabledCipherSuites() == null) || !Arrays - .asList(getDisabledCipherSuites()).contains( - supportedCipherSuite))) { - resultSet.add(supportedCipherSuite); - } - } - } - - String[] result = new String[resultSet.size()]; - return resultSet.toArray(result); - } + public String[] getSelectedCipherSuites(String[] supportedCipherSuites) { + if (supportedCipherSuites != null) { + String[] enabledSuites = getEnabledCipherSuites(); + String[] disabledSuites = getDisabledCipherSuites(); + return selectStrings(new HashSet<>(Arrays.asList(supportedCipherSuites)), enabledSuites, disabledSuites); + } else { + return new String[0]; + } + } /** * Returns the selected SSL protocols. The selection is the subset of @@ -533,22 +524,34 @@ public String[] getSelectedCipherSuites(String[] supportedCipherSuites) { * @return The selected SSL protocols. */ public String[] getSelectedSslProtocols(String[] supportedProtocols) { - Set resultSet = new HashSet(); - - if (supportedProtocols != null) { - for (String supportedProtocol : supportedProtocols) { - if (((getEnabledProtocols() == null) || Arrays.asList( - getEnabledProtocols()).contains(supportedProtocol)) - && ((getDisabledProtocols() == null) || !Arrays.asList( - getDisabledProtocols()).contains( - supportedProtocol))) { - resultSet.add(supportedProtocol); - } - } - } + if (supportedProtocols != null) { + String[] enabledProtocols = getEnabledProtocols(); + String[] disabledProtocols = getDisabledProtocols(); + return selectStrings(new HashSet<>(Arrays.asList(supportedProtocols)), enabledProtocols, disabledProtocols); + } else { + return new String[0]; + } + } + + private String[] selectStrings(Set supportedStrings, String[] whitelist, String[] blacklist) { + Set selectedStrings = new LinkedHashSet(); + + if (whitelist != null) { + for (String whitelistedString : whitelist) { + if (supportedStrings.contains(whitelistedString)) { + selectedStrings.add(whitelistedString); + } + } + } else { + // no whitelist was set => select all supported suites + selectedStrings.addAll(supportedStrings); + } - String[] result = new String[resultSet.size()]; - return resultSet.toArray(result); + if (blacklist != null) { + selectedStrings.removeAll(Arrays.asList(blacklist)); + } + + return selectedStrings.toArray(new String[selectedStrings.size()]); } /** @@ -607,84 +610,34 @@ public String getTrustStoreType() { */ @Override public void init(Series helperParameters) { - // Parses and set the disabled cipher suites - String[] disabledCipherSuitesArray = helperParameters - .getValuesArray("disabledCipherSuites"); - Set disabledCipherSuites = new HashSet(); - - for (String disabledCipherSuiteSeries : disabledCipherSuitesArray) { - for (String disabledCipherSuite : disabledCipherSuiteSeries - .split(" ")) { - disabledCipherSuites.add(disabledCipherSuite); - } - } - - if (disabledCipherSuites.size() > 0) { - disabledCipherSuitesArray = new String[disabledCipherSuites.size()]; - disabledCipherSuites.toArray(disabledCipherSuitesArray); - setDisabledCipherSuites(disabledCipherSuitesArray); + String[] disabledCipherSuites = splitAndRemoveDuplicates(helperParameters.getValuesArray("disabledCipherSuites"), " "); + if (disabledCipherSuites.length > 0) { + setDisabledCipherSuites(disabledCipherSuites); } else { setDisabledCipherSuites(null); } - // Parses and set the disabled protocols - String[] disabledProtocolsArray = helperParameters - .getValuesArray("disabledProtocols"); - Set disabledProtocols = new HashSet(); - - for (String disabledProtocolsSeries : disabledProtocolsArray) { - for (String disabledProtocol : disabledProtocolsSeries.split(" ")) { - disabledProtocols.add(disabledProtocol); - } - } - - if (disabledProtocols.size() > 0) { - disabledProtocolsArray = new String[disabledProtocols.size()]; - disabledProtocols.toArray(disabledProtocolsArray); - setDisabledProtocols(disabledProtocolsArray); + String[] disabledProtocols = splitAndRemoveDuplicates(helperParameters.getValuesArray("disabledProtocols"), " "); + if (disabledProtocols.length > 0) { + setDisabledProtocols(disabledProtocols); } else { - setDisabledProtocols(null); - } - - // Parses and set the enabled cipher suites - String[] enabledCipherSuitesArray = helperParameters - .getValuesArray("enabledCipherSuites"); - Set enabledCipherSuites = new HashSet(); - - for (String enabledCipherSuiteSeries : enabledCipherSuitesArray) { - for (String enabledCipherSuite : enabledCipherSuiteSeries - .split(" ")) { - enabledCipherSuites.add(enabledCipherSuite); - } + setDisabledProtocols(null); } - if (enabledCipherSuites.size() > 0) { - enabledCipherSuitesArray = new String[enabledCipherSuites.size()]; - enabledCipherSuites.toArray(enabledCipherSuitesArray); - setEnabledCipherSuites(enabledCipherSuitesArray); + String[] enabledCipherSuites = splitAndRemoveDuplicates(helperParameters.getValuesArray("enabledCipherSuites"), " "); + if (enabledCipherSuites.length > 0) { + setEnabledCipherSuites(enabledCipherSuites); } else { - setEnabledCipherSuites(null); + setEnabledCipherSuites(null); } - - // Parses and set the enabled protocols - String[] enabledProtocolsArray = helperParameters - .getValuesArray("enabledProtocols"); - Set enabledProtocols = new HashSet(); - - for (String enabledProtocolSeries : enabledProtocolsArray) { - for (String enabledProtocol : enabledProtocolSeries.split(" ")) { - enabledProtocols.add(enabledProtocol); - } - } - - if (enabledProtocols.size() > 0) { - enabledProtocolsArray = new String[enabledProtocols.size()]; - enabledProtocols.toArray(enabledProtocolsArray); - setEnabledProtocols(enabledProtocolsArray); + + String[] enabledProtocols = splitAndRemoveDuplicates(helperParameters.getValuesArray("enabledProtocols"), " "); + if (enabledCipherSuites.length > 0) { + setEnabledProtocols(enabledProtocols); } else { - setEnabledProtocols(null); + setEnabledProtocols(null); } - + setKeyManagerAlgorithm(helperParameters.getFirstValue( "keyManagerAlgorithm", true, System.getProperty( "ssl.KeyManagerFactory.algorithm", "SunX509"))); @@ -720,6 +673,17 @@ public void init(Series helperParameters) { .getFirstValue("wantClientAuthentication", true, "false"))); } + private String[] splitAndRemoveDuplicates(String[] strings, String delimiter) { + Set set = new LinkedHashSet(); + for (String string : strings) { + for (String token : string.split(delimiter)) { + set.add(token); + } + } + return set.toArray(String[]::new); + } + + /** * Indicates if we require client certificate authentication. *