From 0d91f33b799de1c16d9a048bb3a274b82a2ddc39 Mon Sep 17 00:00:00 2001
From: Greg Wilkins <gregw@webtide.com>
Date: Wed, 24 Mar 2021 05:17:40 +0800
Subject: [PATCH] Fix #6076 Protect from null local certificates (#6078)

Fix #6076 Protect from null local certificates
cache resulting X509 in session

Signed-off-by: Greg Wilkins <gregw@webtide.com>
---
 .../jetty/server/SecureRequestCustomizer.java | 30 ++++++++++---------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java b/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java
index c16069868b46..a66bc23e46ba 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java
@@ -13,6 +13,7 @@
 
 package org.eclipse.jetty.server;
 
+import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.HashSet;
 import java.util.Set;
@@ -52,6 +53,7 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer
     public static final String JAVAX_SERVLET_REQUEST_CIPHER_SUITE = "javax.servlet.request.cipher_suite";
     public static final String JAVAX_SERVLET_REQUEST_KEY_SIZE = "javax.servlet.request.key_size";
     public static final String JAVAX_SERVLET_REQUEST_SSL_SESSION_ID = "javax.servlet.request.ssl_session_id";
+    public static final String X509_CERT = "org.eclipse.jetty.server.x509_cert";
 
     private String sslSessionAttribute = "org.eclipse.jetty.servlet.request.ssl_session";
 
@@ -244,24 +246,24 @@ protected void customize(SSLEngine sslEngine, Request request)
         if (isSniRequired() || isSniHostCheck())
         {
             String sniHost = (String)sslSession.getValue(SslContextFactory.Server.SNI_HOST);
-            X509 cert = new X509(null, (X509Certificate)sslSession.getLocalCertificates()[0]);
-            String serverName = request.getServerName();
-            if (LOG.isDebugEnabled())
-                LOG.debug("Host={}, SNI={}, SNI Certificate={}", serverName, sniHost, cert);
-
-            if (isSniRequired())
+            X509 x509 = (X509)sslSession.getValue(X509_CERT);
+            if (x509 == null)
             {
-                if (sniHost == null)
-                    throw new BadMessageException(400, "Invalid SNI");
-                if (!cert.matches(sniHost))
+                Certificate[] certificates = sslSession.getLocalCertificates();
+                if (certificates == null || certificates.length == 0 || !(certificates[0] instanceof X509Certificate))
                     throw new BadMessageException(400, "Invalid SNI");
+                x509 = new X509(null, (X509Certificate)certificates[0]);
+                sslSession.putValue(X509_CERT, x509);
             }
+            String serverName = request.getServerName();
+            if (LOG.isDebugEnabled())
+                LOG.debug("Host={}, SNI={}, SNI Certificate={}", serverName, sniHost, x509);
 
-            if (isSniHostCheck())
-            {
-                if (!cert.matches(serverName))
-                    throw new BadMessageException(400, "Invalid SNI");
-            }
+            if (isSniRequired() && (sniHost == null || !x509.matches(sniHost)))
+                throw new BadMessageException(400, "Invalid SNI");
+
+            if (isSniHostCheck() && !x509.matches(serverName))
+                throw new BadMessageException(400, "Invalid SNI");
         }
 
         request.setAttributes(new SslAttributes(request, sslSession));