GP-1 Corrected OpenTrustManager.getAcceptedIssuers return value

Ghidra/Features/GhidraServer/src/main/java/ghidra/server/security/PKIAuthenticationModule.java

@@ -4,9 +4,9 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -51,7 +51,7 @@ public class PKIAuthenticationModule implements AuthenticationModule {
 			throws IOException, CertificateException {
 		this.anonymousAllowed = anonymousAllowed;
 		authorities = ApplicationKeyManagerUtils.getTrustedIssuers();
-		if (authorities == null) {
+		if (authorities == null || authorities.length == 0) {
 			throw new IOException("trusted PKI Certificate Authorities have not been configured");
 		}
 	}
@@ -73,8 +73,8 @@ public class PKIAuthenticationModule implements AuthenticationModule {
 			byte[] token = TokenGenerator.getNewToken(TOKEN_SIZE);
 			boolean usingSelfSignedCert =
 				ApplicationKeyManagerFactory.usingGeneratedSelfSignedCertificate();
-			SignedToken signedToken = ApplicationKeyManagerUtils.getSignedToken(
-				usingSelfSignedCert ? null : authorities, token);
+			SignedToken signedToken = ApplicationKeyManagerUtils
+					.getSignedToken(usingSelfSignedCert ? null : authorities, token);
 			sigCb = new SignatureCallback(authorities, token, signedToken.signature);
 		}
 		catch (Throwable t) {
@@ -107,9 +107,9 @@ public class PKIAuthenticationModule implements AuthenticationModule {
 
 		SignatureCallback sigCb = null;
 		if (callbacks != null) {
-			for (int i = 0; i < callbacks.length; i++) {
-				if (callbacks[i] instanceof SignatureCallback) {
-					sigCb = (SignatureCallback) callbacks[i];
+			for (Callback callback : callbacks) {
+				if (callback instanceof SignatureCallback) {
+					sigCb = (SignatureCallback) callback;
 					break;
 				}
 			}

Ghidra/Framework/Generic/src/main/java/ghidra/net/ApplicationKeyManagerUtils.java

@@ -4,9 +4,9 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -88,7 +88,8 @@ public class ApplicationKeyManagerUtils {
 	/**
 	 * Sign the supplied token byte array using an installed certificate from
 	 * one of the specified authorities
-	 * @param authorities trusted certificate authorities
+	 * @param authorities trusted certificate authorities used to constrain client certificate
+	 *   (may be null or empty array if CA constraint does not matter).
 	 * @param token token byte array
 	 * @return signed token object
 	 * @throws NoSuchAlgorithmException algorithym associated within signing certificate not found
@@ -108,8 +109,8 @@ public class ApplicationKeyManagerUtils {
 					continue;
 				}
 				X509KeyManager x509KeyManager = (X509KeyManager) keyManager;
-				String alias = x509KeyManager.chooseClientAlias(new String[] { RSA_TYPE },
-					authorities, null);
+				String alias =
+					x509KeyManager.chooseClientAlias(new String[] { RSA_TYPE }, authorities, null);
 				if (alias != null) {
 					privateKey = x509KeyManager.getPrivateKey(alias);
 					certificateChain = x509KeyManager.getCertificateChain(alias);
@@ -155,9 +156,9 @@ public class ApplicationKeyManagerUtils {
 	}
 
 	/**
-	 * Verify that the specified sigBytes reflect my signature of the specified
-	 * token.
-	 * @param authorities trusted certificate authorities
+	 * Verify that the specified sigBytes reflect my signature of the specified token.
+	 * @param authorities trusted certificate authorities used to constrain client certificate
+	 *   (may be null or empty array if CA constraint does not matter).
 	 * @param token byte array token
 	 * @param signature token signature
 	 * @return true if signature is my signature
@@ -199,7 +200,7 @@ public class ApplicationKeyManagerUtils {
 			}
 			X509TrustManager x509TrustManager = (X509TrustManager) trustManager;
 			X509Certificate[] acceptedIssuers = x509TrustManager.getAcceptedIssuers();
-			if (acceptedIssuers != null) {
+			if (acceptedIssuers != null && acceptedIssuers.length != 0) {
 				openTrust = false;
 				for (X509Certificate trustedCert : acceptedIssuers) {
 					set.add(trustedCert.getSubjectX500Principal());
@@ -356,8 +357,7 @@ public class ApplicationKeyManagerUtils {
 						"Unsupported certificate type: " + caCert.getType());
 				}
 				X509Certificate caX509Cert = (X509Certificate) caCert;
-				caX500Name =
-					new X500Name(caX509Cert.getSubjectX500Principal().getName());
+				caX500Name = new X500Name(caX509Cert.getSubjectX500Principal().getName());
 				keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment);
 				issuerKey = caEntry.getPrivateKey();
 			}

Ghidra/Framework/Generic/src/main/java/ghidra/net/ApplicationTrustManagerFactory.java

@@ -4,9 +4,9 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -235,7 +235,7 @@ public class ApplicationTrustManagerFactory {
 		 */
 		@Override
 		public X509Certificate[] getAcceptedIssuers() {
-			return null; // no CA's have been stipulated
+			return NO_CERTS; // no CA's have been stipulated
 		}
 
 	}