javax.net.ssl.SSLPeerUnverifiedException Java Examples

Example #1
Source File: SslUtil.java — from CapturePacket (MIT License)
/**
 * Looks up the upstream server's leaf certificate on an established session.
 * <p>
 * An unverified peer ({@link SSLPeerUnverifiedException}), an empty chain, or a leaf that is
 * not an X.509 certificate all yield {@code null} rather than an exception, so callers must
 * treat {@code null} as "identity not available", never as "verified".
 *
 * @param sslSession SSL session connected to the upstream server
 * @return the first certificate of the peer chain as an {@link X509Certificate}, or null
 */
public static X509Certificate getServerCertificate(SSLSession sslSession) {
    Certificate[] chain;
    try {
        chain = sslSession.getPeerCertificates();
    } catch (SSLPeerUnverifiedException unverified) {
        // The peer did not authenticate, or the suite carries no certificates.
        return null;
    }

    if (chain == null || chain.length == 0) {
        return null;
    }

    Certificate leaf = chain[0];
    // instanceof is false for a null element, so no separate null check is needed.
    return leaf instanceof X509Certificate ? (X509Certificate) leaf : null;
}
 
Example #2
Source File: MySqlHostVerifier.java — from r2dbc-mysql (Apache License 2.0)
/**
 * Verifies that {@code hostname} matches at least one DNS-type Subject Alternative Name.
 * <p>
 * Both sides are compared in their lower-cased (root locale) form, with {@code matchHost}
 * deciding the match. Hostnames that are empty, start with '.' or end with ".." are rejected
 * before any SAN is consulted.
 *
 * @param hostname host the client connected to
 * @param sans     Subject Alternative Names taken from the server certificate
 * @throws SSLPeerUnverifiedException if the hostname is malformed or no DNS SAN matches
 */
private static void matchDns(String hostname, List<San> sans) throws SSLPeerUnverifiedException {
    String normalized = hostname.toLowerCase(Locale.ROOT);
    boolean malformed = normalized.isEmpty()
        || normalized.charAt(0) == '.'
        || normalized.endsWith("..");

    if (malformed) {
        // Invalid hostname
        throw new SSLPeerUnverifiedException(String.format("Certificate for '%s' cannot match the Subject Alternative Names because it is invalid name", hostname));
    }

    for (San candidate : sans) {
        if (candidate.getType() != San.DNS) {
            continue;
        }
        String dnsName = candidate.getValue().toLowerCase(Locale.ROOT);
        if (!matchHost(normalized, dnsName)) {
            continue;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Certificate for '{}' matched by DNS name '{}' of the Subject Alternative Names", normalized, candidate.getValue());
        }
        return;
    }

    throw new SSLPeerUnverifiedException(String.format("Certificate for '%s' does not match any of the Subject Alternative Names: %s", hostname, sans));
}
 
Example #3
Source File: ValidatingDispatcher.java — from deprecated-security-ssl (Apache License 2.0)
/**
 * Rejects requests that carry a forged internal security header or that did not arrive over SSL.
 * <p>
 * Both failures are reported through {@code errorHandler} before the exception propagates.
 * A missing client certificate surfaces as an {@link SSLPeerUnverifiedException} from
 * {@code SSLRequestHelper.getSSLInfo} and is converted to an Elasticsearch exception.
 *
 * @param request the incoming REST request
 * @param channel the response channel; not used by this check
 */
protected void checkRequest(final RestRequest request, final RestChannel channel) {

    final boolean badHeader = SSLRequestHelper.containsBadHeader(threadContext, "_opendistro_security_ssl_");
    if (badHeader) {
        final ElasticsearchException badHeaderException = ExceptionUtils.createBadHeaderException();
        errorHandler.logError(badHeaderException, request, 1);
        throw badHeaderException;
    }

    try {
        final Object sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, request, null);
        if (sslInfo == null) {
            logger.error("Not an SSL request");
            throw new ElasticsearchSecurityException("Not an SSL request", RestStatus.INTERNAL_SERVER_ERROR);
        }
    } catch (SSLPeerUnverifiedException e) {
        logger.error("No client certificates found but such are needed (Security 8).");
        errorHandler.logError(e, request, 0);
        throw ExceptionsHelper.convertToElastic(e);
    }
}
 
Example #4
Source File: AbstractDelegateHttpsURLConnection.java — from jdk8u60 (GNU General Public License v2.0)
/**
 * Returns the server's certificate chain, or throws SSLPeerUnverifiedException
 * if the server did not authenticate.
 * <p>
 * A cached response is answered from {@link SecureCacheResponse#getServerCertificateChain()},
 * which may yield {@code null}; a live connection delegates to the underlying
 * {@code HttpsClient}. Asking before the connection is opened is a programming error.
 *
 * @return the server certificate chain, or null when a cached response recorded none
 * @throws SSLPeerUnverifiedException if the server did not authenticate
 * @throws IllegalStateException if the connection has not been opened yet
 */
public java.security.cert.Certificate[] getServerCertificates()
        throws SSLPeerUnverifiedException {
    if (cachedResponse != null) {
        SecureCacheResponse cached = (SecureCacheResponse) cachedResponse;
        List<java.security.cert.Certificate> chain = cached.getServerCertificateChain();
        return chain == null
                ? null
                : chain.toArray(new java.security.cert.Certificate[0]);
    }

    if (http == null) {
        throw new IllegalStateException("connection not yet open");
    }
    return ((HttpsClient) http).getServerCertificates();
}
 
Example #5
Source File: ChannelHandlerCallBack.java — from WeCross (Apache License 2.0)
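/**
 * Extracts the peer's public key from the TLS session of {@code ctx}'s channel and logs the
 * key and subject details at INFO.
 * <p>
 * The chain is read through the session's {@code getPeerCertificateChain()} (the legacy
 * {@code javax.security.cert} form) and the leaf, element 0, is used. A pipeline without an
 * {@code SslHandler} or a session with an empty chain is reported as an unverified peer
 * instead of surfacing as a {@code NullPointerException} or
 * {@code ArrayIndexOutOfBoundsException}.
 *
 * @param ctx the channel context whose pipeline holds the {@code SslHandler}
 * @return the public key of the peer's leaf certificate
 * @throws SSLPeerUnverifiedException if there is no SSL handler, or the peer presented no
 *         certificate
 */
private PublicKey fetchCertificate(ChannelHandlerContext ctx)
        throws SSLPeerUnverifiedException {
    SslHandler sslhandler = (SslHandler) ctx.channel().pipeline().get(SslHandler.class);
    if (sslhandler == null) {
        throw new SSLPeerUnverifiedException("no SslHandler in channel pipeline");
    }

    logger.info(String.valueOf(ctx.channel().pipeline().names()));

    X509Certificate[] chain = sslhandler.engine().getSession().getPeerCertificateChain();
    if (chain == null || chain.length == 0) {
        throw new SSLPeerUnverifiedException("peer presented no certificate");
    }
    X509Certificate cert = chain[0];
    PublicKey publicKey = cert.getPublicKey();
    Principal principal = cert.getSubjectDN();

    logger.info(
            " algorithm: {}, format: {}, class name: {}",
            publicKey.getAlgorithm(),
            publicKey.getFormat(),
            publicKey.getClass().getName());
    logger.info(
            " encoded: {}, hex encoded: {}",
            publicKey.getEncoded(),
            bytesToHex(publicKey.getEncoded()));
    logger.info(
            " principal name: {} ,principal class name: {}",
            principal.getName(),
            principal.getClass().getName());

    return publicKey;
}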
 
Example #6
Source File: SSLSessionImpl.java — from dragonwell8_jdk (GNU General Public License v2.0)
/**
 * Returns the identity of the peer which was established as part of
 * defining the session.
 * <p>
 * For the Kerberos key exchanges ({@code K_KRB5}, {@code K_KRB5_EXPORT}) the identity is the
 * stored {@code peerPrincipal}; for every other suite it is the X.500 subject of the first
 * certificate in {@code peerCerts}.
 *
 * @return the peer's principal: an X500Principal of the end-entity certificate for
 *         X509-based cipher suites, and a Principal for Kerberos cipher suites
 * @throws SSLPeerUnverifiedException if the peer's identity has not been verified
 */
@Override
public Principal getPeerPrincipal()
            throws SSLPeerUnverifiedException
{
    boolean kerberosSuite = cipherSuite.keyExchange == K_KRB5
            || cipherSuite.keyExchange == K_KRB5_EXPORT;

    if (kerberosSuite) {
        if (peerPrincipal != null) {
            // Eliminate dependency on KerberosPrincipal
            return peerPrincipal;
        }
        throw new SSLPeerUnverifiedException("peer not authenticated");
    }

    if (peerCerts != null) {
        return peerCerts[0].getSubjectX500Principal();
    }
    throw new SSLPeerUnverifiedException("peer not authenticated");
}
 
Example #7
Source File: MySqlHostVerifier.java — from r2dbc-mysql (Apache License 2.0)
/**
 * Checks {@code hostname} against the DNS entries of the certificate's Subject Alternative Names.
 * <p>
 * The hostname and each DNS SAN are lower-cased with the root locale and handed to
 * {@code matchHost}. An empty hostname, or one starting with '.' or ending with "..", is
 * refused outright.
 *
 * @param hostname host the client connected to
 * @param sans     Subject Alternative Names of the server certificate
 * @throws SSLPeerUnverifiedException if the hostname is malformed or matches no DNS SAN
 */
private static void matchDns(String hostname, List<San> sans) throws SSLPeerUnverifiedException {
    String lowerHost = hostname.toLowerCase(Locale.ROOT);

    boolean invalidName = lowerHost.isEmpty()
        || lowerHost.charAt(0) == '.'
        || lowerHost.endsWith("..");
    if (invalidName) {
        // Invalid hostname
        throw new SSLPeerUnverifiedException(String.format("Certificate for '%s' cannot match the Subject Alternative Names because it is invalid name", hostname));
    }

    for (San entry : sans) {
        boolean dnsMatch = entry.getType() == San.DNS
            && matchHost(lowerHost, entry.getValue().toLowerCase(Locale.ROOT));
        if (!dnsMatch) {
            continue;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Certificate for '{}' matched by DNS name '{}' of the Subject Alternative Names", lowerHost, entry.getValue());
        }
        return;
    }

    throw new SSLPeerUnverifiedException(String.format("Certificate for '%s' does not match any of the Subject Alternative Names: %s", hostname, sans));
}
 
Example #8
Source File: SSLSessionImpl.java — from dragonwell8_jdk (GNU General Public License v2.0)
/**
 * Return the cert chain presented by the peer in the java.security.cert format.
 * <p>
 * Note: This method can be used only when using certificate-based cipher suites; using it
 * with non-certificate-based cipher suites, such as Kerberos, will throw an
 * SSLPeerUnverifiedException.
 *
 * @return array of peer X.509 certs, with the peer's own cert first in the chain, and with
 *         the "root" CA last
 * @throws SSLPeerUnverifiedException for Kerberos suites, or if the peer did not authenticate
 */
@Override
public java.security.cert.Certificate[] getPeerCertificates()
        throws SSLPeerUnverifiedException {
    boolean kerberosSuite = cipherSuite.keyExchange == K_KRB5
            || cipherSuite.keyExchange == K_KRB5_EXPORT;
    if (kerberosSuite) {
        throw new SSLPeerUnverifiedException("no certificates expected"
                    + " for Kerberos cipher suites");
    }
    if (peerCerts == null) {
        throw new SSLPeerUnverifiedException("peer not authenticated");
    }
    // Hand out a copy of the array: the certificates themselves are immutable, but the
    // caller must not be able to replace entries in the session's record of the peer,
    // whether by accident or on purpose.
    java.security.cert.Certificate[] copy = peerCerts.clone();
    return copy;
}
 
Example #9
Source File: AbstractDelegateHttpsURLConnection.java — from openjsse (GNU General Public License v2.0)
/**
 * Returns the server's certificate chain, or throws SSLPeerUnverifiedException
 * if the server did not authenticate.
 * <p>
 * With a cached response the chain comes from the {@link SecureCacheResponse} and may be
 * {@code null}; otherwise it is read from the live {@code HttpsClient}.
 *
 * @return the server certificate chain, or null when a cached response recorded none
 * @throws SSLPeerUnverifiedException if the server did not authenticate
 * @throws IllegalStateException if the connection has not been opened yet
 */
public java.security.cert.Certificate[] getServerCertificates()
        throws SSLPeerUnverifiedException {
    if (cachedResponse != null) {
        List<java.security.cert.Certificate> chain =
                ((SecureCacheResponse) cachedResponse).getServerCertificateChain();
        if (chain != null) {
            return chain.toArray(new java.security.cert.Certificate[0]);
        }
        return null;
    }

    if (http == null) {
        throw new IllegalStateException("connection not yet open");
    }
    HttpsClient client = (HttpsClient) http;
    return client.getServerCertificates();
}
 
Example #10
Source File: ConnectionSSLSessionInfo.java — from quarkus-http (Apache License 2.0)
@Override
    public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException, RenegotiationRequiredException {
        // A failure recorded by an earlier call is rethrown without consulting the
        // session again.
        if (unverified != null) {
            throw unverified;
        }
        if (renegotiationRequiredException != null) {
            throw renegotiationRequiredException;
        }

        X509Certificate[] chain;
        try {
            chain = session.getPeerCertificateChain();
        } catch (SSLPeerUnverifiedException e) {
            // Remember the outcome so later callers fail fast with the shared instance.
            unverified = PEER_UNVERIFIED_EXCEPTION;
            throw unverified;
        }
        return chain;
    }
 
Example #11
Source File: ConnectionSSLSessionInfo.java — from quarkus-http (Apache License 2.0)
@Override
    public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException, RenegotiationRequiredException {
        // Earlier failures are sticky: rethrow them before touching the session.
        if (unverified != null) {
            throw unverified;
        }
        if (renegotiationRequiredException != null) {
            throw renegotiationRequiredException;
        }

        Certificate[] peerChain;
        try {
            peerChain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            // Record the failure so subsequent calls fail fast with the shared instance.
            unverified = PEER_UNVERIFIED_EXCEPTION;
            throw unverified;
        }
        return peerChain;
    }
 
Example #12
Source File: DatawaveAuthenticationMechanism.java — from datawave (Apache License 2.0)
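/**
 * Fetches the client's certificate chain from the SSL session, renegotiating once to request
 * a client certificate when the session has none.
 * <p>
 * Renegotiation is attempted only when {@code forceRenegotiation} is set and
 * {@code securityContext.isAuthenticationRequired()}; a failed renegotiation (including an
 * {@link SSLPeerUnverifiedException} from the second lookup, which is an {@code IOException})
 * is treated like a missing certificate.
 *
 * @param exchange        the current exchange, used to drive renegotiation
 * @param sslSession      SSL session information for the connection
 * @param securityContext security context that says whether authentication is required
 * @return the peer certificate chain as reported by the session
 * @throws SSLPeerUnverifiedException if no peer certificates could be obtained; the
 *         {@code RenegotiationRequiredException} (or the renegotiation failure) is attached
 *         as the cause so the reason is not lost
 */
private Certificate[] getPeerCertificates(HttpServerExchange exchange, SSLSessionInfo sslSession, SecurityContext securityContext)
                throws SSLPeerUnverifiedException {
    Throwable reason;
    try {
        return sslSession.getPeerCertificates();
    } catch (RenegotiationRequiredException e) {
        reason = e;
        // we only renegotiate if authentication is required
        if (forceRenegotiation && securityContext.isAuthenticationRequired()) {
            try {
                sslSession.renegotiate(exchange, SslClientAuthMode.REQUESTED);
                return sslSession.getPeerCertificates();
            } catch (IOException | RenegotiationRequiredException e1) {
                // Best effort: fall through and report the peer as unverified, keeping
                // both failures on the exception that is thrown below.
                e1.addSuppressed(e);
                reason = e1;
            }
        }
    }
    SSLPeerUnverifiedException unverified =
            new SSLPeerUnverifiedException("no peer certificates available from the SSL session");
    unverified.initCause(reason);
    throw unverified;
}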
 
Example #13
Source File: SSLSessionImpl.java — from TencentKona-8 (GNU General Public License v2.0)
/**
 * Returns the identity of the peer which was established as part of
 * defining the session.
 * <p>
 * Kerberos key exchanges ({@code K_KRB5}, {@code K_KRB5_EXPORT}) answer with the stored
 * {@code peerPrincipal}; certificate-based suites answer with the X.500 subject of the first
 * entry in {@code peerCerts}.
 *
 * @return the peer's principal: an X500Principal of the end-entity certificate for
 *         X509-based cipher suites, and a Principal for Kerberos cipher suites
 * @throws SSLPeerUnverifiedException if the peer's identity has not been verified
 */
@Override
public Principal getPeerPrincipal()
            throws SSLPeerUnverifiedException
{
    int keyExchange = cipherSuite.keyExchange;
    boolean usesKerberos = keyExchange == K_KRB5 || keyExchange == K_KRB5_EXPORT;

    if (usesKerberos) {
        if (peerPrincipal == null) {
            throw new SSLPeerUnverifiedException("peer not authenticated");
        }
        // Eliminate dependency on KerberosPrincipal
        return peerPrincipal;
    }

    if (peerCerts == null) {
        throw new SSLPeerUnverifiedException("peer not authenticated");
    }
    return peerCerts[0].getSubjectX500Principal();
}
 
Example #14
Source File: MtlsAuthenticationMechanism.java — from quarkus (Apache License 2.0)
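/**
 * Authenticates the request from the TLS client certificate, when one was presented.
 * <p>
 * Yields a null item (no identity, not a failure) for plain-HTTP requests, for sessions where
 * the peer did not authenticate, and for sessions whose chain is empty or whose leaf is not
 * an X.509 certificate; only a usable leaf certificate is handed to the identity providers.
 *
 * @param context                 the routing context of the current request
 * @param identityProviderManager the manager that resolves the certificate into an identity
 * @return the resolved identity, or a null item when no client certificate is available
 */
@Override
public Uni<SecurityIdentity> authenticate(RoutingContext context,
        IdentityProviderManager identityProviderManager) {
    HttpServerRequest request = context.request();

    if (!request.isSSL()) {
        return Uni.createFrom().nullItem();
    }

    Certificate[] chain;
    try {
        chain = request.sslSession().getPeerCertificates();
    } catch (SSLPeerUnverifiedException e) {
        return Uni.createFrom().nullItem();
    }

    // Guard against an empty chain or a non-X.509 leaf instead of failing with an
    // ArrayIndexOutOfBounds/ClassCastException; neither can authenticate the client.
    if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
        return Uni.createFrom().nullItem();
    }

    return identityProviderManager
            .authenticate(new CertificateAuthenticationRequest(
                    new CertificateCredential((X509Certificate) chain[0])));
}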
 
Example #15
Source File: OkHttpTlsUpgrader.java — from grpc-nebula-java (Apache License 2.0)
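/**
 * Upgrades given Socket to be a SSLSocket.
 * <p>
 * The wrapping socket is created with auto-close, so if protocol negotiation or hostname
 * verification fails the new {@link SSLSocket} is closed (taking the underlying socket with
 * it) before the failure propagates, instead of leaving a half-established connection whose
 * peer was never verified open for the caller.
 *
 * @param sslSocketFactory factory used to wrap {@code socket}
 * @param hostnameVerifier verifier for the peer's hostname; {@code OkHostnameVerifier.INSTANCE}
 *        is used when null
 * @param socket           the plain connected socket to upgrade
 * @param host             the host the socket is connected to
 * @param port             the port the socket is connected to
 * @param spec             the connection spec to apply to the new socket
 * @return the upgraded socket, after a successfully verified handshake
 * @throws IOException if an IO error was encountered during the upgrade handshake, including
 *         {@link SSLPeerUnverifiedException} when hostname verification fails
 * @throws RuntimeException if the upgrade negotiation failed
 */
public static SSLSocket upgrade(SSLSocketFactory sslSocketFactory,
    HostnameVerifier hostnameVerifier, Socket socket, String host, int port,
    ConnectionSpec spec) throws IOException {
  Preconditions.checkNotNull(sslSocketFactory, "sslSocketFactory");
  Preconditions.checkNotNull(socket, "socket");
  Preconditions.checkNotNull(spec, "spec");
  SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(
      socket, host, port, true /* auto close */);
  try {
    spec.apply(sslSocket, false);
    String negotiatedProtocol = OkHttpProtocolNegotiator.get().negotiate(
        sslSocket, host, spec.supportsTlsExtensions() ? TLS_PROTOCOLS : null);
    Preconditions.checkState(
        TLS_PROTOCOLS.contains(Protocol.get(negotiatedProtocol)),
        "Only " + TLS_PROTOCOLS + " are supported, but negotiated protocol is %s",
        negotiatedProtocol);

    if (hostnameVerifier == null) {
      hostnameVerifier = OkHostnameVerifier.INSTANCE;
    }
    if (!hostnameVerifier.verify(canonicalizeHost(host), sslSocket.getSession())) {
      throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
    }
    return sslSocket;
  } catch (IOException | RuntimeException e) {
    // Never hand a failed or unverified TLS socket back to anyone: close it and report
    // the original failure, keeping any close error as suppressed.
    try {
      sslSocket.close();
    } catch (IOException closeFailure) {
      e.addSuppressed(closeFailure);
    }
    throw e;
  }
}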
 
Example #16
Source File: AbstractInteropTest.java — from grpc-nebula-java (Apache License 2.0)
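/**
 * Helper for asserting TLS info in SSLSession {@link io.grpc.ServerCall#getAttributes()}.
 * <p>
 * Makes one unary call, then checks that the captured server-side session holds exactly one
 * peer certificate whose subject DN equals {@code tlsInfo}. The size assertion runs before the
 * chain is indexed so an empty chain reports as an assertion failure rather than an
 * {@code IndexOutOfBoundsException}.
 *
 * @param tlsInfo the expected {@code getSubjectDN().toString()} of the client certificate
 */
protected void assertX500SubjectDn(String tlsInfo) {
  TestServiceGrpc.TestServiceBlockingStub stub =
      blockingStub.withDeadlineAfter(5, TimeUnit.SECONDS);

  stub.unaryCall(SimpleRequest.getDefaultInstance());

  List<Certificate> certificates;
  SSLSession sslSession =
      serverCallCapture.get().getAttributes().get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
  try {
    certificates = Arrays.asList(sslSession.getPeerCertificates());
  } catch (SSLPeerUnverifiedException e) {
    // Should never happen: the interop server requires a verified client certificate here.
    throw new AssertionError(e);
  }

  assertEquals(1, certificates.size());
  X509Certificate x509cert = (X509Certificate) certificates.get(0);
  assertEquals(tlsInfo, x509cert.getSubjectDN().toString());
}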
 
Example #17
Source File: Http2OkHttpTest.java — from grpc-nebula-java (Apache License 2.0)
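/**
 * Verifies that a channel whose authority does not match the server certificate fails, and
 * that the root cause is an {@link SSLPeerUnverifiedException} — i.e. hostname verification,
 * not some other transport error, rejected the connection.
 * <p>
 * The channel is shut down in a {@code finally} block so a failing assertion does not leak it.
 *
 * @throws Exception if building the channel or the stub fails unexpectedly
 */
@Test
public void wrongHostNameFailHostnameVerification() throws Exception {
  ManagedChannel channel = createChannelBuilder()
      .overrideAuthority(GrpcUtil.authorityFromHostAndPort(
          BAD_HOSTNAME, getPort()))
      .build();
  try {
    TestServiceGrpc.TestServiceBlockingStub blockingStub =
        TestServiceGrpc.newBlockingStub(channel);

    Throwable actualThrown = null;
    try {
      blockingStub.emptyCall(Empty.getDefaultInstance());
    } catch (Throwable t) {
      actualThrown = t;
    }
    assertNotNull("The rpc should have been failed due to hostname verification", actualThrown);
    Throwable cause = Throwables.getRootCause(actualThrown);
    assertTrue(
        "Failed by unexpected exception: " + cause, cause instanceof SSLPeerUnverifiedException);
  } finally {
    channel.shutdown();
  }
}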
 
Example #18
Source File: AbstractDelegateHttpsURLConnection.java — from TencentKona-8 (GNU General Public License v2.0)
/**
 * Returns the server's certificate chain, or throws SSLPeerUnverifiedException
 * if the server did not authenticate.
 * <p>
 * Cached responses are served from the {@link SecureCacheResponse}'s recorded chain (which
 * may be absent, giving {@code null}); live connections ask the {@code HttpsClient}.
 *
 * @return the server certificate chain, or null when a cached response recorded none
 * @throws SSLPeerUnverifiedException if the server did not authenticate
 * @throws IllegalStateException if the connection has not been opened yet
 */
public java.security.cert.Certificate[] getServerCertificates()
        throws SSLPeerUnverifiedException {
    if (cachedResponse != null) {
        SecureCacheResponse secureResponse = (SecureCacheResponse) cachedResponse;
        List<java.security.cert.Certificate> recorded = secureResponse.getServerCertificateChain();
        if (recorded == null) {
            return null;
        }
        return recorded.toArray(new java.security.cert.Certificate[0]);
    }

    if (http == null) {
        throw new IllegalStateException("connection not yet open");
    }
    return ((HttpsClient) http).getServerCertificates();
}
 
Example #19
Source File: SSLSessionImpl.java — from jdk8u60 (GNU General Public License v2.0)
/**
 * Return the cert chain presented by the peer in the java.security.cert format.
 * <p>
 * Note: This method can be used only when using certificate-based cipher suites; using it
 * with non-certificate-based cipher suites, such as Kerberos, will throw an
 * SSLPeerUnverifiedException.
 *
 * @return array of peer X.509 certs, with the peer's own cert first in the chain, and with
 *         the "root" CA last
 * @throws SSLPeerUnverifiedException for Kerberos suites, or if the peer did not authenticate
 */
@Override
public java.security.cert.Certificate[] getPeerCertificates()
        throws SSLPeerUnverifiedException {
    int keyExchange = cipherSuite.keyExchange;
    if (keyExchange == K_KRB5 || keyExchange == K_KRB5_EXPORT) {
        throw new SSLPeerUnverifiedException("no certificates expected"
                    + " for Kerberos cipher suites");
    }
    if (peerCerts == null) {
        throw new SSLPeerUnverifiedException("peer not authenticated");
    }
    // The certificates are immutable, so only the array is copied: the caller gets its
    // own array and cannot alter the session's record of the peer identity.
    return peerCerts.clone();
}
 
Example #20
Source File: SSLSessionImpl.java — from TencentKona-8 (GNU General Public License v2.0)
/**
 * Return the cert chain presented by the peer.
 * <p>
 * Note: This method can be used only when using certificate-based cipher suites; using it
 * with non-certificate-based cipher suites, such as Kerberos, will throw an
 * SSLPeerUnverifiedException.
 *
 * @return array of peer X.509 certs, with the peer's own cert first in the chain, and with
 *         the "root" CA last
 * @throws SSLPeerUnverifiedException for Kerberos suites, or if the peer did not authenticate
 */
public X509Certificate[] getCertificateChain()
        throws SSLPeerUnverifiedException {
    boolean kerberosSuite = cipherSuite.keyExchange == K_KRB5
            || cipherSuite.keyExchange == K_KRB5_EXPORT;
    if (kerberosSuite) {
        throw new SSLPeerUnverifiedException("no certificates expected"
                    + " for Kerberos cipher suites");
    }
    if (peerCerts == null) {
        throw new SSLPeerUnverifiedException("peer not authenticated");
    }
    // Copy the array so the caller cannot change the session's record of the peer
    // identity, whether by accident or on purpose.
    X509Certificate[] copy = peerCerts.clone();
    return copy;
}
 
Example #21
Source File: MySqlHostVerifier.java — from r2dbc-mysql (Apache License 2.0)
/**
 * Verifies that {@code ip} equals one of the IP-type Subject Alternative Names exactly.
 * <p>
 * Unlike DNS matching, the comparison is case-sensitive and no normalization is applied.
 *
 * @param ip   the IPv4 address the client connected to
 * @param sans Subject Alternative Names taken from the server certificate
 * @throws SSLPeerUnverifiedException if no IP SAN equals {@code ip}
 */
private static void matchIpv4(String ip, List<San> sans) throws SSLPeerUnverifiedException {
    for (San candidate : sans) {
        boolean ipEntry = San.IP == candidate.getType();
        // IP must be case sensitive.
        if (!ipEntry || !ip.equals(candidate.getValue())) {
            continue;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Certificate for '{}' matched by IPv4 value '{}' of the Subject Alternative Names", ip, candidate.getValue());
        }
        return;
    }

    throw new SSLPeerUnverifiedException(String.format("Certificate for '%s' does not match any of the Subject Alternative Names: %s", ip, sans));
}
 
Example #22
Source File: OpenSSLEngine.java — from Tomcat8-Source-Read (MIT License)
/**
 * Returns the peer chain in the legacy {@code javax.security.cert} form, building it on first
 * use from the native chain and caching it in {@code x509PeerCerts}.
 * <p>
 * The native read happens under the engine lock and is refused while the engine is destroyed
 * or still in its initial handshake (per {@code SSL.isInInit}); the conversion loop runs
 * outside the lock.
 *
 * @return the cached or freshly converted peer certificate chain
 * @throws SSLPeerUnverifiedException if the engine is destroyed, still handshaking, or the
 *         native side reports no chain
 * @throws IllegalStateException if a native certificate cannot be parsed
 * @deprecated this is the legacy {@code javax.security.cert} API; prefer the
 *             {@code java.security.cert} chain
 */
@Deprecated
@Override
public javax.security.cert.X509Certificate[] getPeerCertificateChain()
        throws SSLPeerUnverifiedException {
    // these are lazy created to reduce memory overhead
    javax.security.cert.X509Certificate[] cached = x509PeerCerts;
    if (cached != null) {
        return cached;
    }

    byte[][] encodedChain;
    synchronized (OpenSSLEngine.this) {
        if (destroyed || SSL.isInInit(ssl) != 0) {
            throw new SSLPeerUnverifiedException(sm.getString("engine.unverifiedPeer"));
        }
        encodedChain = SSL.getPeerCertChain(ssl);
    }
    if (encodedChain == null) {
        throw new SSLPeerUnverifiedException(sm.getString("engine.unverifiedPeer"));
    }

    int count = encodedChain.length;
    javax.security.cert.X509Certificate[] converted =
            new javax.security.cert.X509Certificate[count];
    for (int index = 0; index < count; index++) {
        try {
            converted[index] = javax.security.cert.X509Certificate.getInstance(encodedChain[index]);
        } catch (javax.security.cert.CertificateException e) {
            throw new IllegalStateException(e);
        }
    }
    x509PeerCerts = converted;
    return converted;
}
 
Example #23
Source File: DatawaveAuthenticationMechanismTest.java — from datawave (Apache License 2.0)
/**
 * SSL request whose session has no peer certificate: {@code getPeerCertificates()} throws
 * {@link SSLPeerUnverifiedException}, and the subject/issuer DN request headers are expected
 * to supply the identity instead. The principal id handed to the identity manager is built
 * from the test user cert's normalized subject and issuer DNs, and the outcome must be
 * AUTHENTICATED without the proxied-entities header being set on the response.
 */
@Test
public void testSSLWithoutPeerCerts() throws Exception {
    httpRequestHeaders.add(SUBJECT_DN_HEADER, testUserCert.getSubjectDN().toString());
    httpRequestHeaders.add(ISSUER_DN_HEADER, testUserCert.getIssuerDN().toString());
    
    // Identity expected from the headers: normalized subject DN, then the normalized issuer DN in angle brackets.
    String expectedID = normalizeDN(testUserCert.getSubjectDN().getName()) + "<" + normalizeDN(testUserCert.getIssuerDN().getName()) + ">";
    
    // Session lookup chain exchange -> connection -> SSL session info; the session reports no client cert.
    expect(httpServerExchange.getConnection()).andReturn(serverConnection);
    expect(serverConnection.getSslSessionInfo()).andReturn(sslSessionInfo);
    expect(sslSessionInfo.getPeerCertificates()).andThrow(new SSLPeerUnverifiedException("no client cert"));
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders).times(2);
    expect(securityContext.getIdentityManager()).andReturn(identityManager);
    // Verification must be asked for exactly the header-derived id, with some Credential.
    expect(identityManager.verify(eq(expectedID), isA(Credential.class))).andReturn(account);
    securityContext.authenticationComplete(account, "DATAWAVE-AUTH", false);
    long requestStartTime = System.nanoTime();
    // Further header/start-time reads after authentication (presumably for logging/timing).
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders);
    expect(httpServerExchange.getRequestStartTime()).andReturn(requestStartTime);
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders);
    
    replayAll();
    
    AuthenticationMechanismOutcome outcome = datawaveAuthenticationMechanism.authenticate(httpServerExchange, securityContext);
    assertEquals(AuthenticationMechanismOutcome.AUTHENTICATED, outcome);
    assertFalse(httpResponseHeaders.contains(DatawaveAuthenticationMechanism.HEADER_PROXIED_ENTITIES_ACCEPTED));
    
    verifyAll();
}
 
Example #24
Source File: AbstractDelegateHttpsURLConnection.java — from dragonwell8_jdk (GNU General Public License v2.0)
/**
 * Returns the server's principal, or throws SSLPeerUnverifiedException
 * if the server did not authenticate.
 * <p>
 * A cached response answers from its {@link SecureCacheResponse}; a live connection asks the
 * underlying {@code HttpsClient}.
 *
 * @return the server's principal
 * @throws SSLPeerUnverifiedException if the server did not authenticate
 * @throws IllegalStateException if the connection has not been opened yet
 */
Principal getPeerPrincipal()
        throws SSLPeerUnverifiedException
{
    if (cachedResponse != null) {
        SecureCacheResponse cached = (SecureCacheResponse) cachedResponse;
        return cached.getPeerPrincipal();
    }

    if (http == null) {
        throw new IllegalStateException("connection not yet open");
    }
    HttpsClient client = (HttpsClient) http;
    return client.getPeerPrincipal();
}
 
Example #25
Source File: SslClientCertificateHandler.java — from hivemq-community-edition (Apache License 2.0)
/**
 * On a successful TLS handshake, stores the client's certificate chain on the channel as
 * {@code ChannelAttributes.AUTH_CERTIFICATE} and removes this handler from the pipeline.
 * <p>
 * Other events are passed on untouched. A failed handshake is only traced. A session without
 * a verified peer is delegated to {@code handleSslPeerUnverifiedException}; not finding an
 * {@code SslHandler} under {@code ChannelHandlerNames.SSL_HANDLER} disconnects the client.
 *
 * @param ctx the handler context
 * @param evt the user event, acted on only if it is an {@code SslHandshakeCompletionEvent}
 * @throws Exception propagated from the superclass handling of other events
 */
@Override
public void userEventTriggered(final ChannelHandlerContext ctx, final Object evt) throws Exception {

    if (!(evt instanceof SslHandshakeCompletionEvent)) {
        super.userEventTriggered(ctx, evt);
        return;
    }

    final SslHandshakeCompletionEvent completion = (SslHandshakeCompletionEvent) evt;
    if (!completion.isSuccess()) {
        log.trace("Handshake failed", completion.cause());
        return;
    }

    final Channel channel = ctx.channel();

    try {
        final SslHandler sslHandler = (SslHandler) channel.pipeline().get(ChannelHandlerNames.SSL_HANDLER);
        final SSLSession session = sslHandler.engine().getSession();
        final Certificate[] chain = session.getPeerCertificates();
        channel.attr(ChannelAttributes.AUTH_CERTIFICATE).set(new SslClientCertificateImpl(chain));

    } catch (final SSLPeerUnverifiedException e) {
        handleSslPeerUnverifiedException(channel, e);

    } catch (final ClassCastException e2) {
        eventLog.clientWasDisconnected(channel, "SSL handshake failed");
        channel.close();
        throw new RuntimeException("Not able to get SslHandler from pipeline", e2);
    }

    // Certificate captured; this handler has done its job for the connection.
    channel.pipeline().remove(this);

}
 
Example #26
Source File: SetupViewModel.java — from lttrs-android (Apache License 2.0)
/**
 * Tells whether {@code t} is one of the failures attributed to the endpoint (wrong or
 * unreachable server, bad session resource, or a TLS handshake/peer-verification failure)
 * rather than to the user's input.
 *
 * @param t the throwable to classify
 * @return true for the endpoint-related exception types listed in the body
 */
private static boolean isEndpointProblem(Throwable t) {
    if (t instanceof InvalidSessionResourceException || t instanceof EndpointNotFoundException) {
        return true;
    }
    if (t instanceof ConnectException || t instanceof SocketTimeoutException) {
        return true;
    }
    return t instanceof SSLHandshakeException || t instanceof SSLPeerUnverifiedException;
}
 
Example #27
Source File: MqttTransportHandler.java — from Groza (Apache License 2.0)
/**
 * Returns the client's leaf certificate from the current TLS session, or null.
 * <p>
 * Reads the chain through the session's {@code getPeerCertificateChain()} (legacy
 * {@code javax.security.cert} type). An unverified peer is logged at WARN and yields null, as
 * does an empty chain.
 *
 * @return the first certificate of the peer chain, or null if none is available
 */
private X509Certificate getX509Certificate() {
    X509Certificate[] chain;
    try {
        chain = sslHandler.engine().getSession().getPeerCertificateChain();
    } catch (SSLPeerUnverifiedException e) {
        log.warn(e.getMessage());
        return null;
    }
    return chain.length > 0 ? chain[0] : null;
}
 
Example #28
Source File: StartTlsResponseImpl.java — from openjdk-jdk8u (GNU General Public License v2.0)
/**
 * Returns the peer principal of {@code session}, tolerating JSSE providers that predate the
 * method.
 * <p>
 * An {@link AbstractMethodError} from {@code SSLSession.getPeerPrincipal()} (provider does
 * not implement it) is mapped to null; the principal is only needed for Kerberos.
 *
 * @param session the established TLS session
 * @return the peer principal, or null if the provider does not support the lookup
 * @throws SSLPeerUnverifiedException if the peer's identity has not been verified
 */
private static Principal getPeerPrincipal(SSLSession session)
        throws SSLPeerUnverifiedException {
    try {
        return session.getPeerPrincipal();
    } catch (AbstractMethodError unsupported) {
        // if the JSSE provider does not support it, return null, since
        // we need it only for Kerberos.
        return null;
    }
}
 
Example #29
Source File: ReferenceCountedOpenSslEngine.java — from netty-4.1.22 (Apache License 2.0)
/**
 * Returns the X.500 subject of the peer's leaf certificate.
 * <p>
 * Relies on {@code getPeerCertificates()} to reject a missing or empty chain, so the first
 * element is indexed without a further check here.
 *
 * @return the subject principal of the peer's leaf certificate
 * @throws SSLPeerUnverifiedException if the peer has not been verified
 */
@Override
public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
    Certificate[] chain = getPeerCertificates();
    java.security.cert.X509Certificate leaf = (java.security.cert.X509Certificate) chain[0];
    return leaf.getSubjectX500Principal();
}
 
Example #30
Source File: ReferenceCountedOpenSslEngine.java — from netty-4.1.22 (Apache License 2.0)
/**
 * Returns a copy of the peer's certificate chain.
 * <p>
 * The chain is read under the engine lock; a chain that {@code isEmpty} reports as an
 * unverified peer. A clone is returned so callers cannot alter the engine's record.
 *
 * @return a copy of the peer certificate chain
 * @throws SSLPeerUnverifiedException if the engine holds no peer certificates
 */
@Override
public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
    synchronized (ReferenceCountedOpenSslEngine.this) {
        if (!isEmpty(peerCerts)) {
            return peerCerts.clone();
        }
    }
    throw new SSLPeerUnverifiedException("peer not verified");
}