Deny HTTP/3 connection creation for clients missing cert when needClientAuth is true

jetty-core/jetty-http3/jetty-http3-tests/pom.xml

@@ -66,4 +66,25 @@
     </dependency>
   </dependencies>
 
+  <profiles>
+    <profile>
+      <id>enable-foreign</id>
+      <activation>
+        <jdk>[22,)</jdk>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <artifactId>maven-surefire-plugin</artifactId>
+            <configuration>
+              <argLine>@{argLine}
+                ${jetty.surefire.argLine}
+                --enable-native-access=ALL-UNNAMED</argLine>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
+
 </project>

jetty-core/jetty-http3/jetty-http3-tests/src/test/java/org/eclipse/jetty/http3/tests/ClientServerTest.java

@@ -38,6 +38,7 @@
 import org.eclipse.jetty.http3.server.AbstractHTTP3ServerConnectionFactory;
 import org.eclipse.jetty.http3.server.internal.HTTP3SessionServer;
 import org.eclipse.jetty.quic.client.ClientQuicSession;
+import org.eclipse.jetty.quic.common.QuicErrorCode;
 import org.eclipse.jetty.quic.common.QuicSession;
 import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
@@ -640,4 +641,24 @@ public void onResponse(Stream.Client stream, HeadersFrame frame)
 
         assertTrue(responseLatch.await(5, TimeUnit.SECONDS));
     }
+
+    @Test
+    public void testMissingNeededClientCertificateDeniesConnection() throws Exception
+    {
+        start(new Session.Server.Listener() {});
+        connector.getQuicConfiguration().getSslContextFactory().setNeedClientAuth(true);
+
+        CountDownLatch latch = new CountDownLatch(1);
+        newSession(new Session.Client.Listener()
+        {
+            @Override
+            public void onDisconnect(Session session, long error, String reason)
+            {
+                assertEquals(QuicErrorCode.CONNECTION_REFUSED.code(), error);
+                assertEquals("missing_client_cert", reason);
+                latch.countDown();
+            }
+        });
+        assertTrue(latch.await(5, TimeUnit.SECONDS));
+    }
 }

jetty-core/jetty-http3/jetty-http3-tests/src/test/java/org/eclipse/jetty/http3/tests/IdleTimeoutTest.java

@@ -109,7 +109,7 @@ protected ServerQuicConnection newConnection(EndPoint endpoint)
                     @Override
                     protected ServerQuicSession newQuicSession(SocketAddress remoteAddress, QuicheConnection quicheConnection)
                     {
-                        return new ServerQuicSession(getExecutor(), getScheduler(), getByteBufferPool(), quicheConnection, this, remoteAddress, getQuicServerConnector())
+                        return new ServerQuicSession(getExecutor(), getScheduler(), getByteBufferPool(), quicheConnection, this, remoteAddress, getQuicServerConnector(), getQuicConfiguration())
                         {
                             @Override
                             public int flush(long streamId, ByteBuffer buffer, boolean last) throws IOException

jetty-core/jetty-quic/jetty-quic-client/pom.xml

@@ -73,7 +73,7 @@
             <configuration>
               <argLine>@{argLine}
                 ${jetty.surefire.argLine}
-                --enable-native-access org.eclipse.jetty.quic.quiche.foreign</argLine>
+                --enable-native-access=ALL-UNNAMED</argLine>
             </configuration>
           </plugin>
         </plugins>

jetty-core/jetty-quic/jetty-quic-client/src/main/java/org/eclipse/jetty/quic/client/ClientQuicSession.java

@@ -74,6 +74,12 @@ protected ProtocolSession createProtocolSession()
         return new ClientProtocolSession(this);
     }
 
+    @Override
+    protected boolean validateNewlyEstablishedConnection()
+    {
+        return true;
+    }
+
     @Override
     public Connection newConnection(QuicStreamEndPoint endPoint)
     {

jetty-core/jetty-quic/jetty-quic-common/src/main/java/org/eclipse/jetty/quic/common/QuicSession.java

@@ -319,6 +319,9 @@ public Runnable process(SocketAddress remoteAddress, ByteBuffer cipherBufferIn)
             ProtocolSession protocol = protocolSession;
             if (protocol == null)
             {
+                if (!validateNewlyEstablishedConnection())
+                    return null;
+
                 protocolSession = protocol = createProtocolSession();
                 addManaged(protocol);
             }
@@ -343,6 +346,11 @@ protected Runnable pollTask()
 
     protected abstract ProtocolSession createProtocolSession();
 
+    /**
+     * @return true if the connection is valid, false otherwise.
+     */
+    protected abstract boolean validateNewlyEstablishedConnection();
+
     List<Long> getWritableStreamIds()
     {
         return quicheConnection.writableStreamIds();

jetty-core/jetty-quic/jetty-quic-quiche/jetty-quic-quiche-common/src/main/java/org/eclipse/jetty/quic/quiche/PemExporter.java

@@ -80,6 +80,9 @@ public static Path[] exportKeyPair(KeyStore keyStore, String alias, char[] keyPa
         try (OutputStream os = Files.newOutputStream(paths[1]))
         {
             Certificate[] certChain = keyStore.getCertificateChain(alias);
+            if (certChain == null)
+                throw new IllegalArgumentException("Alias does not exist in key store: " + alias);
+
             for (Certificate cert : certChain)
                 writeAsPEM(os, cert);
             Files.setPosixFilePermissions(paths[1], Set.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));

jetty-core/jetty-quic/jetty-quic-server/src/main/java/org/eclipse/jetty/quic/server/ServerQuicConnection.java

@@ -123,7 +123,7 @@ protected QuicSession createSession(SocketAddress remoteAddress, ByteBuffer ciph
 
     protected ServerQuicSession newQuicSession(SocketAddress remoteAddress, QuicheConnection quicheConnection)
     {
-        return new ServerQuicSession(getExecutor(), getScheduler(), getByteBufferPool(), quicheConnection, this, remoteAddress, getQuicServerConnector());
+        return new ServerQuicSession(getExecutor(), getScheduler(), getByteBufferPool(), quicheConnection, this, remoteAddress, getQuicServerConnector(), quicConfiguration);
     }
 
     @Override

jetty-core/jetty-quic/jetty-quic-server/src/main/java/org/eclipse/jetty/quic/server/ServerQuicSession.java

@@ -26,6 +26,7 @@
 import org.eclipse.jetty.io.RuntimeIOException;
 import org.eclipse.jetty.quic.common.ProtocolSession;
 import org.eclipse.jetty.quic.common.QuicConnection;
+import org.eclipse.jetty.quic.common.QuicErrorCode;
 import org.eclipse.jetty.quic.common.QuicSession;
 import org.eclipse.jetty.quic.common.QuicStreamEndPoint;
 import org.eclipse.jetty.quic.quiche.QuicheConnection;
@@ -44,12 +45,14 @@
 public class ServerQuicSession extends QuicSession implements CyclicTimeouts.Expirable
 {
     private final Connector connector;
+    private final ServerQuicConfiguration quicConfiguration;
     private long expireNanoTime = Long.MAX_VALUE;
 
-    public ServerQuicSession(Executor executor, Scheduler scheduler, ByteBufferPool bufferPool, QuicheConnection quicheConnection, QuicConnection connection, SocketAddress remoteAddress, Connector connector)
+    public ServerQuicSession(Executor executor, Scheduler scheduler, ByteBufferPool bufferPool, QuicheConnection quicheConnection, QuicConnection connection, SocketAddress remoteAddress, Connector connector, ServerQuicConfiguration quicConfiguration)
     {
         super(executor, scheduler, bufferPool, quicheConnection, connection, remoteAddress);
         this.connector = connector;
+        this.quicConfiguration = quicConfiguration;
     }
 
     @Override
@@ -67,6 +70,18 @@ protected ProtocolSession createProtocolSession()
         return new ServerProtocolSession(this);
     }
 
+    @Override
+    protected boolean validateNewlyEstablishedConnection()
+    {
+        if (quicConfiguration.getSslContextFactory().getNeedClientAuth() && getPeerCertificates() == null)
+        {
+            outwardClose(QuicErrorCode.CONNECTION_REFUSED.code(), "missing_client_cert");
+            flush();
+            return false;
+        }
+        return true;
+    }
+
     @Override
     public Connection newConnection(QuicStreamEndPoint endPoint)
     {