BouncyCastleAlpnSslUtils needs to use the correct SSLEngine class as … (#15630)

normanmaurer · web-flow · commit bbacc6b687a7 · 2025-09-08T10:44:15.000+02:00
…otherwise it will fail to init static fields. Motivation: We recently did some changes related to how BouncyCastle is loaded and while doing so introduce a regression which would cause NPE's later on once BouncyCastle was detected and used and we tried to apply ALPN later on. This regression was introduced by #15533 The problem was that we used the wrong class to try to obtain the Method instances via reflection. This failed as the class itself is package-private and so did not allow to access the methods. To fix this we need to ensure we use the public interface that is used by BouncyCastle and not the implemention class itself. Beside this we also should be more defensive and only try to use ALPN via BouncyCastle if we can obtain the Methods in the first place. Modifications: - Fix refelective access - Add more guards - Add unit test Result: Fixes #15627
diff --git a/handler/src/main/java/io/netty/handler/ssl/BouncyCastleAlpnSslUtils.java b/handler/src/main/java/io/netty/handler/ssl/BouncyCastleAlpnSslUtils.java
@@ -26,6 +26,7 @@
 import java.lang.reflect.Proxy;
 import java.security.AccessController;
 import java.security.PrivilegedExceptionAction;
+import java.security.SecureRandom;
 import java.util.List;
 import java.util.function.BiFunction;
 import javax.net.ssl.SSLContext;
@@ -43,6 +44,7 @@ final class BouncyCastleAlpnSslUtils {
     private static final Method GET_HANDSHAKE_APPLICATION_PROTOCOL_SELECTOR;
     private static final Class<?> BC_APPLICATION_PROTOCOL_SELECTOR;
     private static final Method BC_APPLICATION_PROTOCOL_SELECTOR_SELECT;
+    private static final boolean SUPPORTED;
 
     static {
         Method setApplicationProtocols;
@@ -52,18 +54,26 @@ final class BouncyCastleAlpnSslUtils {
         Method getHandshakeApplicationProtocolSelector;
         Method bcApplicationProtocolSelectorSelect;
         Class<?> bcApplicationProtocolSelector;
+        boolean supported;
 
         try {
             if (!BouncyCastleUtil.isBcTlsAvailable()) {
                 throw new IllegalStateException(BouncyCastleUtil.unavailabilityCauseBcTls());
             }
-            SSLContext context = getSSLContext(BouncyCastleUtil.getBcProviderJsse());
+            SSLContext context = getSSLContext(BouncyCastleUtil.getBcProviderJsse(), new SecureRandom());
             SSLEngine engine = context.createSSLEngine();
-            final Class<? extends SSLEngine> engineClass = engine.getClass();
+            Class<? extends SSLEngine> engineClass = engine.getClass();
+            // We need to use the class returned by BounceCastleUtil below to access the methods as the engine
+            // returned by createSSLEngine might be package-private and so would not allow us to access the methods
+            // even thought the interface itself that it implements is public and so the methods are public.
+            // See https://github.com/netty/netty/issues/15627
+            final Class<? extends SSLEngine> bcEngineClass = BouncyCastleUtil.getBcSSLEngineClass();
+            if (bcEngineClass == null || !bcEngineClass.isAssignableFrom(engineClass)) {
+                throw new IllegalStateException("Unexpected engine class: " + engineClass);
+            }
 
             final SSLParameters bcSslParameters = engine.getSSLParameters();
             final Class<?> bCSslParametersClass = bcSslParameters.getClass();
-
             setApplicationProtocols = AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
                 @Override
                 public Method run() throws Exception {
@@ -75,15 +85,15 @@ public Method run() throws Exception {
             getApplicationProtocol = AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
                 @Override
                 public Method run() throws Exception {
-                    return engineClass.getMethod("getApplicationProtocol");
+                    return bcEngineClass.getMethod("getApplicationProtocol");
                 }
             });
             getApplicationProtocol.invoke(engine);
 
             getHandshakeApplicationProtocol = AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
                 @Override
                 public Method run() throws Exception {
-                    return engineClass.getMethod("getHandshakeApplicationProtocol");
+                    return bcEngineClass.getMethod("getHandshakeApplicationProtocol");
                 }
             });
             getHandshakeApplicationProtocol.invoke(engine);
@@ -104,7 +114,7 @@ public Method run() throws Exception {
                     AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
                         @Override
                         public Method run() throws Exception {
-                            return engineClass.getMethod("setBCHandshakeApplicationProtocolSelector",
+                            return bcEngineClass.getMethod("setBCHandshakeApplicationProtocolSelector",
                                     testBCApplicationProtocolSelector);
                         }
                     });
@@ -113,10 +123,11 @@ public Method run() throws Exception {
                     AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
                         @Override
                         public Method run() throws Exception {
-                            return engineClass.getMethod("getBCHandshakeApplicationProtocolSelector");
+                            return bcEngineClass.getMethod("getBCHandshakeApplicationProtocolSelector");
                         }
                     });
             getHandshakeApplicationProtocolSelector.invoke(engine);
+            supported = true;
         } catch (Throwable t) {
             logger.error("Unable to initialize BouncyCastleAlpnSslUtils.", t);
             setApplicationProtocols = null;
@@ -126,6 +137,7 @@ public Method run() throws Exception {
             getHandshakeApplicationProtocolSelector = null;
             bcApplicationProtocolSelectorSelect = null;
             bcApplicationProtocolSelector = null;
+            supported = false;
         }
         SET_APPLICATION_PROTOCOLS = setApplicationProtocols;
         GET_APPLICATION_PROTOCOL = getApplicationProtocol;
@@ -134,6 +146,7 @@ public Method run() throws Exception {
         GET_HANDSHAKE_APPLICATION_PROTOCOL_SELECTOR = getHandshakeApplicationProtocolSelector;
         BC_APPLICATION_PROTOCOL_SELECTOR_SELECT = bcApplicationProtocolSelectorSelect;
         BC_APPLICATION_PROTOCOL_SELECTOR = bcApplicationProtocolSelector;
+        SUPPORTED = supported;
     }
 
     private BouncyCastleAlpnSslUtils() {
@@ -222,4 +235,8 @@ static BiFunction<SSLEngine, List<String>, String> getHandshakeApplicationProtoc
             throw new IllegalStateException(ex);
         }
     }
+
+    static boolean isAlpnSupported() {
+        return SUPPORTED;
+    }
 }
diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java b/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java
@@ -29,7 +29,7 @@
 public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicationProtocolNegotiator {
     private static final boolean AVAILABLE = Conscrypt.isAvailable() ||
                                              JdkAlpnSslUtils.supportsAlpn() ||
-                                             BouncyCastleUtil.isBcTlsAvailable();
+            (BouncyCastleUtil.isBcTlsAvailable() && BouncyCastleAlpnSslUtils.isAlpnSupported());
 
     private static final SslEngineWrapperFactory ALPN_WRAPPER = AVAILABLE ? new AlpnWrapper() : new FailureWrapper();
 
@@ -132,7 +132,7 @@ public SSLEngine wrapSslEngine(SSLEngine engine, ByteBufAllocator alloc,
                 return isServer ? ConscryptAlpnSslEngine.newServerEngine(engine, alloc, applicationNegotiator)
                         : ConscryptAlpnSslEngine.newClientEngine(engine, alloc, applicationNegotiator);
             }
-            if (BouncyCastleUtil.isBcJsseInUse(engine)) {
+            if (BouncyCastleUtil.isBcJsseInUse(engine) && BouncyCastleAlpnSslUtils.isAlpnSupported()) {
                 return new BouncyCastleAlpnSslEngine(engine, applicationNegotiator, isServer);
             }
             // ALPN support was recently backported to Java8 as
diff --git a/handler/src/main/java/io/netty/handler/ssl/SslUtils.java b/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
@@ -34,6 +34,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Provider;
+import java.security.SecureRandom;
 import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -272,13 +273,18 @@ private static SSLContext newInitContext(Provider provider)
 
     static SSLContext getSSLContext(Provider provider)
             throws NoSuchAlgorithmException, KeyManagementException, NoSuchProviderException {
+        return getSSLContext(provider, null);
+    }
+
+    static SSLContext getSSLContext(Provider provider, SecureRandom secureRandom)
+            throws NoSuchAlgorithmException, KeyManagementException, NoSuchProviderException {
         final SSLContext context;
         if (provider == null) {
             context = SSLContext.getInstance(getTlsVersion());
         } else {
             context = SSLContext.getInstance(getTlsVersion(), provider);
         }
-        context.init(null, new TrustManager[0], null);
+        context.init(null, new TrustManager[0], secureRandom);
         return context;
     }
 
diff --git a/handler/src/main/java/io/netty/handler/ssl/util/BouncyCastleUtil.java b/handler/src/main/java/io/netty/handler/ssl/util/BouncyCastleUtil.java
@@ -132,6 +132,17 @@ public static Provider getBcProviderJsse() {
         return provider;
     }
 
+    /**
+     * Returns the public {@link SSLEngine} sub-class that is used by bouncy-castle or {@code null} if
+     * it can't be loaded.
+     *
+     * @return engine class.
+     */
+    public static Class<? extends SSLEngine> getBcSSLEngineClass() {
+        ensureLoaded();
+        return bcSSLEngineClass;
+    }
+
     /**
      * Reset the loaded providers. Useful for testing, to redo the loading under different conditions.
      */
diff --git a/handler/src/test/java/io/netty/handler/ssl/BouncyCastleEngineAlpnTest.java b/handler/src/test/java/io/netty/handler/ssl/BouncyCastleEngineAlpnTest.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright 2025 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.ssl;
+
+import io.netty.handler.ssl.util.BouncyCastleUtil;
+import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
+import org.junit.jupiter.api.Test;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import java.security.Provider;
+import java.security.SecureRandom;
+import java.util.List;
+import java.util.function.BiFunction;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class BouncyCastleEngineAlpnTest {
+
+    @Test
+    public void testBouncyCastleSSLEngineSupportsAlpn() throws Exception {
+        Provider bouncyCastleProvider = new BouncyCastleJsseProvider();
+        SSLContext context = SslUtils.getSSLContext(bouncyCastleProvider, new SecureRandom());
+        SSLEngine engine = context.createSSLEngine();
+        assertTrue(BouncyCastleUtil.isBcJsseInUse(engine));
+        assertTrue(BouncyCastleAlpnSslUtils.isAlpnSupported());
+
+        BouncyCastleAlpnSslEngine alpnSslEngine = new BouncyCastleAlpnSslEngine(
+                engine, new JdkAlpnApplicationProtocolNegotiator("fake"), true);
+
+        // Call methods to ensure these not throw.
+        alpnSslEngine.setHandshakeApplicationProtocolSelector(new BiFunction<SSLEngine, List<String>, String>() {
+            @Override
+            public String apply(SSLEngine sslEngine, List<String> strings) {
+                return "fake";
+            }
+        });
+        // Check that none of the methods will throw.
+        alpnSslEngine.getHandshakeApplicationProtocolSelector();
+        alpnSslEngine.setNegotiatedApplicationProtocol("fake");
+        alpnSslEngine.getNegotiatedApplicationProtocol();
+    }
+}
