151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski/* 251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved. 351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * 551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * This code is free software; you can redistribute it and/or modify it 651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * under the terms of the GNU General Public License version 2 only, as 751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * published by the Free Software Foundation. Oracle designates this 851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * particular file as subject to the "Classpath" exception as provided 951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * by Oracle in the LICENSE file that accompanied this code. 1051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * 1151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * This code is distributed in the hope that it will be useful, but WITHOUT 1251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 1351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 1451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * version 2 for more details (a copy is included in the LICENSE file that 1551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * accompanied this code). 
1651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * 1751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * You should have received a copy of the GNU General Public License version 1851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * 2 along with this work; if not, write to the Free Software Foundation, 1951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * 2151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * or visit www.oracle.com if you need additional information or have any 2351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * questions. 2451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski */ 2551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 2651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebskipackage sun.security.ssl; 2751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 2851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebskiimport java.net.Socket; 2951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 3051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebskiimport java.io.*; 3151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebskiimport java.util.*; 3251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebskiimport java.security.*; 3351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebskiimport java.security.cert.*; 3451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebskiimport java.security.cert.Certificate; 3551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 3651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebskiimport javax.net.ssl.*; 3751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 3851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebskiimport 
sun.security.provider.certpath.AlgorithmChecker; 3951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 4051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebskipublic abstract class SSLContextImpl extends SSLContextSpi { 4151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 4251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private static final Debug debug = Debug.getInstance("ssl"); 4351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 4451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private final EphemeralKeyManager ephemeralKeyManager; 4551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private final SSLSessionContextImpl clientCache; 4651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private final SSLSessionContextImpl serverCache; 4751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 4851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private boolean isInitialized; 4951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 5051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private X509ExtendedKeyManager keyManager; 5151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private X509TrustManager trustManager; 5251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private SecureRandom secureRandom; 5351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 5451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // The default algrithm constraints 5551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private AlgorithmConstraints defaultAlgorithmConstraints = 5651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski new SSLAlgorithmConstraints(null); 5751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 5851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // supported and default protocols 5951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private ProtocolList defaultServerProtocolList; 6051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr 
Jastrzebski private ProtocolList defaultClientProtocolList; 6151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private ProtocolList supportedProtocolList; 6251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 6351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // supported and default cipher suites 6451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private CipherSuiteList defaultServerCipherSuiteList; 6551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private CipherSuiteList defaultClientCipherSuiteList; 6651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private CipherSuiteList supportedCipherSuiteList; 6751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 6851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski SSLContextImpl() { 6951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ephemeralKeyManager = new EphemeralKeyManager(); 7051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski clientCache = new SSLSessionContextImpl(); 7151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski serverCache = new SSLSessionContextImpl(); 7251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 7351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 7451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski protected void engineInit(KeyManager[] km, TrustManager[] tm, 7551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski SecureRandom sr) throws KeyManagementException { 7651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski isInitialized = false; 7751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski keyManager = chooseKeyManager(km); 7851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 7951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (tm == null) { 8051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski try { 8151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski TrustManagerFactory tmf = TrustManagerFactory.getInstance( 
8251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski TrustManagerFactory.getDefaultAlgorithm()); 8351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski tmf.init((KeyStore)null); 8451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski tm = tmf.getTrustManagers(); 8551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } catch (Exception e) { 8651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // eat 8751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 8851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 8951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski trustManager = chooseTrustManager(tm); 9051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 9151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (sr == null) { 9251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski secureRandom = JsseJce.getSecureRandom(); 9351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } else { 9451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (SunJSSE.isFIPS() && 9551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski (sr.getProvider() != SunJSSE.cryptoProvider)) { 9651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski throw new KeyManagementException 9751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ("FIPS mode: SecureRandom must be from provider " 9851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski + SunJSSE.cryptoProvider.getName()); 9951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 10051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski secureRandom = sr; 10151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 10251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 10351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski /* 10451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * The initial delay of seeding the random number generator 10551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * could be long enough to cause 
the initial handshake on our 10651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * first connection to timeout and fail. Make sure it is 10751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * primed and ready by getting some initial output from it. 10851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski */ 10951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (debug != null && Debug.isOn("sslctx")) { 11051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski System.out.println("trigger seeding of SecureRandom"); 11151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 11251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski secureRandom.nextInt(); 11351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (debug != null && Debug.isOn("sslctx")) { 11451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski System.out.println("done seeding SecureRandom"); 11551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 11651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski isInitialized = true; 11751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 11851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 11951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private X509TrustManager chooseTrustManager(TrustManager[] tm) 12051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski throws KeyManagementException { 12151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // We only use the first instance of X509TrustManager passed to us. 
12251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski for (int i = 0; tm != null && i < tm.length; i++) { 12351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (tm[i] instanceof X509TrustManager) { 12451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (SunJSSE.isFIPS() && 12551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski !(tm[i] instanceof X509TrustManagerImpl)) { 12651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski throw new KeyManagementException 12751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ("FIPS mode: only SunJSSE TrustManagers may be used"); 12851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 12951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 13051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (tm[i] instanceof X509ExtendedTrustManager) { 13151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return (X509TrustManager)tm[i]; 13251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } else { 13351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return new AbstractTrustManagerWrapper( 13451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski (X509TrustManager)tm[i]); 13551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 13651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 13751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 13851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 13951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // nothing found, return a dummy X509TrustManager. 
14051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return DummyX509TrustManager.INSTANCE; 14151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 14251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 14351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private X509ExtendedKeyManager chooseKeyManager(KeyManager[] kms) 14451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski throws KeyManagementException { 14551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski for (int i = 0; kms != null && i < kms.length; i++) { 14651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski KeyManager km = kms[i]; 14751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (!(km instanceof X509KeyManager)) { 14851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski continue; 14951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 15051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (SunJSSE.isFIPS()) { 15151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // In FIPS mode, require that one of SunJSSE's own keymanagers 15251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // is used. Otherwise, we cannot be sure that only keys from 15351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // the FIPS token are used. 15451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if ((km instanceof X509KeyManagerImpl) 15551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski || (km instanceof SunX509KeyManagerImpl)) { 15651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return (X509ExtendedKeyManager)km; 15751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } else { 15851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // throw exception, we don't want to silently use the 15951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // dummy keymanager without telling the user. 
16051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski throw new KeyManagementException 16151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ("FIPS mode: only SunJSSE KeyManagers may be used"); 16251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 16351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 16451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (km instanceof X509ExtendedKeyManager) { 16551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return (X509ExtendedKeyManager)km; 16651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 16751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (debug != null && Debug.isOn("sslctx")) { 16851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski System.out.println( 16951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski "X509KeyManager passed to " + 17051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski "SSLContext.init(): need an " + 17151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski "X509ExtendedKeyManager for SSLEngine use"); 17251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 17351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return new AbstractKeyManagerWrapper((X509KeyManager)km); 17451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 17551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 17651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // nothing found, return a dummy X509ExtendedKeyManager 17751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return DummyX509KeyManager.INSTANCE; 17851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 17951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 18051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski protected SSLSocketFactory engineGetSocketFactory() { 18151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (!isInitialized) { 18251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski throw new 
IllegalStateException( 18351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski "SSLContextImpl is not initialized"); 18451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 18551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return new SSLSocketFactoryImpl(this); 18651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 18751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 18851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski protected SSLServerSocketFactory engineGetServerSocketFactory() { 18951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (!isInitialized) { 19051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski throw new IllegalStateException("SSLContext is not initialized"); 19151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 19251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return new SSLServerSocketFactoryImpl(this); 19351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 19451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 19551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski protected SSLEngine engineCreateSSLEngine() { 19651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (!isInitialized) { 19751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski throw new IllegalStateException( 19851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski "SSLContextImpl is not initialized"); 19951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 20051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return new SSLEngineImpl(this); 20151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 20251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 20351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski protected SSLEngine engineCreateSSLEngine(String host, int port) { 20451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (!isInitialized) { 20551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski throw new 
IllegalStateException( 20651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski "SSLContextImpl is not initialized"); 20751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 20851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return new SSLEngineImpl(this, host, port); 20951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 21051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 21151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski protected SSLSessionContext engineGetClientSessionContext() { 21251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return clientCache; 21351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 21451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 21551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski protected SSLSessionContext engineGetServerSessionContext() { 21651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return serverCache; 21751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 21851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 21951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski SecureRandom getSecureRandom() { 22051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return secureRandom; 22151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 22251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 22351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski X509ExtendedKeyManager getX509KeyManager() { 22451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return keyManager; 22551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 22651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 22751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski X509TrustManager getX509TrustManager() { 22851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return trustManager; 22951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 23051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 
23151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski EphemeralKeyManager getEphemeralKeyManager() { 23251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return ephemeralKeyManager; 23351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 23451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 23551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski abstract SSLParameters getDefaultServerSSLParams(); 23651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski abstract SSLParameters getDefaultClientSSLParams(); 23751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski abstract SSLParameters getSupportedSSLParams(); 23851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 23951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // Get suported ProtoclList. 24051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolList getSuportedProtocolList() { 24151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (supportedProtocolList == null) { 24251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski supportedProtocolList = 24351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski new ProtocolList(getSupportedSSLParams().getProtocols()); 24451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 24551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 24651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return supportedProtocolList; 24751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 24851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 24951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // Get default ProtoclList. 
25051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolList getDefaultProtocolList(boolean roleIsServer) { 25151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (roleIsServer) { 25251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (defaultServerProtocolList == null) { 25351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski defaultServerProtocolList = new ProtocolList( 25451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski getDefaultServerSSLParams().getProtocols()); 25551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 25651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 25751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return defaultServerProtocolList; 25851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } else { 25951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (defaultClientProtocolList == null) { 26051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski defaultClientProtocolList = new ProtocolList( 26151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski getDefaultClientSSLParams().getProtocols()); 26251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 26351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 26451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return defaultClientProtocolList; 26551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 26651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 26751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 26851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // Get suported CipherSuiteList. 26951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski CipherSuiteList getSupportedCipherSuiteList() { 27051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // The maintenance of cipher suites needs to be synchronized. 
27151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski synchronized (this) { 27251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // Clear cache of available ciphersuites. 27351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski clearAvailableCache(); 27451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 27551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (supportedCipherSuiteList == null) { 27651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski supportedCipherSuiteList = getApplicableCipherSuiteList( 27751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski getSuportedProtocolList(), false); 27851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 27951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 28051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return supportedCipherSuiteList; 28151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 28251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 28351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 28451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // Get default CipherSuiteList. 28551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) { 28651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // The maintenance of cipher suites needs to be synchronized. 28751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski synchronized (this) { 28851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // Clear cache of available ciphersuites. 
28951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski clearAvailableCache(); 29051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 29151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (roleIsServer) { 29251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (defaultServerCipherSuiteList == null) { 29351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski defaultServerCipherSuiteList = getApplicableCipherSuiteList( 29451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski getDefaultProtocolList(true), true); 29551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 29651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 29751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return defaultServerCipherSuiteList; 29851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } else { 29951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (defaultClientCipherSuiteList == null) { 30051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski defaultClientCipherSuiteList = getApplicableCipherSuiteList( 30151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski getDefaultProtocolList(false), true); 30251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 30351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 30451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return defaultClientCipherSuiteList; 30551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 30651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 30751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 30851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 30951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski /** 31051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * Return whether a protocol list is the original default enabled 31151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * protocols. 
See: SSLSocket/SSLEngine.setEnabledProtocols() 31251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski */ 31351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski boolean isDefaultProtocolList(ProtocolList protocols) { 31451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return (protocols == defaultServerProtocolList) || 31551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski (protocols == defaultClientProtocolList); 31651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 31751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 31851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 31951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski /* 32051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * Return the list of all available CipherSuites with a priority of 32151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * minPriority or above. 32251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski */ 32351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private CipherSuiteList getApplicableCipherSuiteList( 32451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolList protocols, boolean onlyEnabled) { 32551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 32651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski int minPriority = CipherSuite.SUPPORTED_SUITES_PRIORITY; 32751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (onlyEnabled) { 32851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski minPriority = CipherSuite.DEFAULT_SUITES_PRIORITY; 32951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 33051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 33151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski Collection<CipherSuite> allowedCipherSuites = 33251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski CipherSuite.allowedCipherSuites(); 33351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 33451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr 
Jastrzebski TreeSet<CipherSuite> suites = new TreeSet<>(); 33551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (!(protocols.collection().isEmpty()) && 33651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski protocols.min.v != ProtocolVersion.NONE.v) { 33751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski for (CipherSuite suite : allowedCipherSuites) { 33851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (!suite.allowed || suite.priority < minPriority) { 33951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski continue; 34051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 34151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 34251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (suite.isAvailable() && 34351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski suite.obsoleted > protocols.min.v && 34451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski suite.supported <= protocols.max.v) { 34551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (defaultAlgorithmConstraints.permits( 34651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), 34751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski suite.name, null)) { 34851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski suites.add(suite); 34951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 35051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } else if (debug != null && 35151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski Debug.isOn("sslctx") && Debug.isOn("verbose")) { 35251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (suite.obsoleted <= protocols.min.v) { 35351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski System.out.println( 35451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski "Ignoring obsoleted cipher suite: " + suite); 35551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } else if (suite.supported > 
protocols.max.v) { 35651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski System.out.println( 35751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski "Ignoring unsupported cipher suite: " + suite); 35851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } else { 35951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski System.out.println( 36051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski "Ignoring unavailable cipher suite: " + suite); 36151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 36251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 36351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 36451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 36551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 36651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski return new CipherSuiteList(suites); 36751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 36851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 36951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski /** 37051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * Clear cache of available ciphersuites. If we support all ciphers 37151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * internally, there is no need to clear the cache and calling this 37251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * method has no effect. 37351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * 37451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * Note that every call to clearAvailableCache() and the maintenance of 37551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski * cipher suites need to be synchronized with this instance. 
     */
    private void clearAvailableCache() {
        // With every cipher implemented internally nothing is cached
        // dynamically, so there is nothing to drop.
        if (!CipherSuite.DYNAMIC_AVAILABILITY) {
            return;
        }
        // Drop the three cached suite lists and the per-cipher / EC
        // availability caches; they are rebuilt lazily on next use.
        supportedCipherSuiteList = null;
        defaultServerCipherSuiteList = null;
        defaultClientCipherSuiteList = null;
        CipherSuite.BulkCipher.clearAvailableCache();
        JsseJce.clearEcAvailable();
    }

    /*
     * The SSLContext implementation for TLS/SSL algorithm
     *
     * SSL/TLS protocols specify the forward compatibility and version
     * roll-back attack protections, however, a number of SSL/TLS server
     * vendors did not implement these aspects properly, and some current
     * SSL/TLS servers may refuse to talk to a TLS 1.1 or later client.
     *
     * Considering the above interoperability issues, SunJSSE does not
     * enable TLS 1.1 and TLS 1.2 for clients by default. Clients that must
     * not negotiate SSLv3 or TLS 1.0 (for example to avoid a protocol
     * downgrade) have to restrict the enabled protocols explicitly through
     * the setEnabledProtocols APIs.
     *
     * For SSL/TLS servers there are no such interoperability issues. In
     * SunJSSE every supported protocol, including TLS 1.1 and TLS 1.2, is
     * enabled for servers by default (the server defaults are the supported
     * parameter set, see the static initializers below).
     *
     * We may change the behavior when popular TLS/SSL vendors support TLS
     * forward compatibility properly.
     *
     * SSLv2Hello is no longer necessary. This interoperability option was
     * put in place in the late 90's when SSLv3/TLS1.0 were relatively new
     * and there were a fair number of SSLv2-only servers deployed. Because
     * of the security issues in SSLv2, it is rarely (if ever) used, as
     * deployments should now be using SSLv3 and TLSv1.
     *
     * Considering the issues of SSLv2Hello, we should not enable SSLv2Hello
     * by default. Applications can still opt in by enabling SSLv2Hello
     * through the setEnabledProtocols APIs.
     */

    /*
     * The conservative SSLContext implementation for the TLS, SSL, SSLv3 and
     * TLS10 algorithms.
     *
     * This is the superclass of DefaultSSLContext and TLS10Context.
     *
     * @see SSLContext
     */
    private static class ConservativeSSLContext extends SSLContextImpl {
        // Protocol parameter sets shared by every instance of this context.
        // Filled in once by the static initializer below. The getters hand
        // out these very objects, so callers are expected to treat them as
        // read-only (TODO confirm no caller mutates the returned instance).
        private static SSLParameters defaultServerSSLParams;
        private static SSLParameters defaultClientSSLParams;
        private static SSLParameters supportedSSLParams;

        static {
            if (SunJSSE.isFIPS()) {
                // FIPS mode: only TLS 1.0 through TLS 1.2 are supported;
                // SSLv2Hello and SSLv3 are never offered.
                supportedSSLParams = new SSLParameters();
                supportedSSLParams.setProtocols(new String[] {
                    ProtocolVersion.TLS10.name,
                    ProtocolVersion.TLS11.name,
                    ProtocolVersion.TLS12.name
                });

                // Servers enable everything that is supported.
                defaultServerSSLParams = supportedSSLParams;

                // Clients are held back to TLS 1.0 only (see the
                // interoperability discussion above).
                defaultClientSSLParams = new SSLParameters();
                defaultClientSSLParams.setProtocols(new String[] {
                    ProtocolVersion.TLS10.name
                });

            } else {
                // Non-FIPS mode additionally supports SSLv2Hello and SSLv3.
                supportedSSLParams = new SSLParameters();
                supportedSSLParams.setProtocols(new String[] {
                    ProtocolVersion.SSL20Hello.name,
                    ProtocolVersion.SSL30.name,
                    ProtocolVersion.TLS10.name,
                    ProtocolVersion.TLS11.name,
                    ProtocolVersion.TLS12.name
                });

                // Servers enable everything that is supported, which here
                // includes SSLv2Hello and SSLv3.
                defaultServerSSLParams = supportedSSLParams;

                // NOTE(review): the client default still offers SSLv3, a
                // protocol since deprecated by RFC 7568. Deployments that
                // must not negotiate it need to restrict the enabled
                // protocols via setEnabledProtocols, as described above.
                defaultClientSSLParams = new SSLParameters();
                defaultClientSSLParams.setProtocols(new String[] {
                    ProtocolVersion.SSL30.name,
                    ProtocolVersion.TLS10.name
                });
            }
        }

        /** Parameters (protocol list) applied to the server side by default. */
        SSLParameters getDefaultServerSSLParams() {
            return defaultServerSSLParams;
        }

        /** Parameters (protocol list) applied to the client side by default. */
        SSLParameters getDefaultClientSSLParams() {
            return defaultClientSSLParams;
        }

        /** Every protocol this context can be configured to use. */
        SSLParameters getSupportedSSLParams() {
            return supportedSSLParams;
        }
    }

    /*
     * The SSLContext implementation for default algorithm
     *
     * @see SSLContext
     */
    public static final class DefaultSSLContext extends ConservativeSSLContext {
        private static final String NONE = "NONE";
        private static final String P11KEYSTORE = "PKCS11";

        private static volatile SSLContextImpl defaultImpl;

        private static TrustManager[]
        defaultTrustManagers;
        private static KeyManager[] defaultKeyManagers;

        /**
         * Builds the default context: key managers derived from the
         * javax.net.ssl.keyStore* system properties and trust managers
         * derived from the cacerts trust store, then initializes the
         * superclass with them directly. A failure is reported under the
         * "defaultctx" debug flag and rethrown. The first instance that
         * completes construction becomes the shared default implementation.
         *
         * @throws Exception if loading the key or trust material or
         *         initializing the context fails
         */
        public DefaultSSLContext() throws Exception {
            try {
                // Call the superclass implementation directly: the
                // engineInit override below deliberately rejects callers.
                super.engineInit(getDefaultKeyManager(),
                    getDefaultTrustManager(), null);
            } catch (Exception e) {
                if (debug != null && Debug.isOn("defaultctx")) {
                    System.out.println("default context init failed: " + e);
                }
                throw e;
            }

            // Publish only the first instance; defaultImpl is volatile, so
            // readers that bypass getDefaultImpl()'s lock still see it.
            if (defaultImpl == null) {
                defaultImpl = this;
            }
        }

        /**
         * The default context is configured once from system properties
         * in the constructor and cannot be re-initialized by callers.
         *
         * @throws KeyManagementException always
         */
        protected void engineInit(KeyManager[] km, TrustManager[] tm,
                SecureRandom sr) throws KeyManagementException {
            throw new KeyManagementException
                ("Default SSLContext is initialized automatically");
        }

        /**
         * Returns the shared default context, constructing it on first use
         * (the constructor stores itself in defaultImpl). Synchronized so
         * that concurrent first callers do not each construct one here.
         *
         * @return the default SSLContextImpl
         * @throws Exception if constructing the default context fails
         */
        static synchronized SSLContextImpl getDefaultImpl() throws Exception {
            if (defaultImpl == null) {
                new DefaultSSLContext();
            }
            return defaultImpl;
        }

        /**
         * Lazily builds and caches the default trust managers: the cacerts
         * trust store resolved by TrustManagerFactoryImpl, fed to a factory
         * of the default TrustManagerFactory algorithm.
         *
         * @return the cached default trust managers
         * @throws Exception if the trust store or factory cannot be set up
         */
        private static synchronized TrustManager[] getDefaultTrustManager()
                throws Exception {
            if (defaultTrustManagers != null) {
                return defaultTrustManagers;
            }

            KeyStore ks =
                TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx");

            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            defaultTrustManagers = tmf.getTrustManagers();
            return defaultTrustManagers;
        }
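
        /**
         * Lazily builds and caches the default key managers from the
         * javax.net.ssl.keyStore, keyStoreType, keyStoreProvider and
         * keyStorePassword system properties (read under doPrivileged).
         *
         * Rules enforced here:
         *  - a PKCS11 key store type requires keyStore to be "NONE"
         *    (the token, not a file, holds the keys);
         *  - an empty or "NONE" keyStore loads the store without a file;
         *  - an empty keyStoreType skips key store creation and the factory
         *    is initialized with a null store;
         *  - for PKCS11 the key password is not handed to the factory.
         *
         * The key store file is now closed on every path: previously a
         * failing KeyStore.getInstance()/load() leaked the open stream.
         *
         * @return the cached default key managers
         * @throws IllegalArgumentException if keyStoreType is PKCS11 but
         *         keyStore is not "NONE"
         * @throws Exception if the key store file cannot be opened or the
         *         store / factory cannot be initialized
         */
        private static synchronized KeyManager[] getDefaultKeyManager()
                throws Exception {
            if (defaultKeyManagers != null) {
                return defaultKeyManagers;
            }

            final Map<String,String> props = new HashMap<>();
            AccessController.doPrivileged(
                new PrivilegedExceptionAction<Object>() {
                public Object run() throws Exception {
                    props.put("keyStore", System.getProperty(
                        "javax.net.ssl.keyStore", ""));
                    props.put("keyStoreType", System.getProperty(
                        "javax.net.ssl.keyStoreType",
                        KeyStore.getDefaultType()));
                    props.put("keyStoreProvider", System.getProperty(
                        "javax.net.ssl.keyStoreProvider", ""));
                    props.put("keyStorePasswd", System.getProperty(
                        "javax.net.ssl.keyStorePassword", ""));
                    return null;
                }
            });

            final String defaultKeyStore = props.get("keyStore");
            String defaultKeyStoreType = props.get("keyStoreType");
            String defaultKeyStoreProvider = props.get("keyStoreProvider");
            if (debug != null && Debug.isOn("defaultctx")) {
                // Path, type and provider only; the password is never logged.
                System.out.println("keyStore is : " + defaultKeyStore);
                System.out.println("keyStore type is : " +
                    defaultKeyStoreType);
                System.out.println("keyStore provider is : " +
                    defaultKeyStoreProvider);
            }

            if (P11KEYSTORE.equals(defaultKeyStoreType) &&
                    !NONE.equals(defaultKeyStore)) {
                throw new IllegalArgumentException("if keyStoreType is "
                    + P11KEYSTORE + ", then keyStore must be " + NONE);
            }

            FileInputStream fs = null;
            KeyStore ks = null;
            char[] passwd = null;
            try {
                if (defaultKeyStore.length() != 0 &&
                        !NONE.equals(defaultKeyStore)) {
                    fs = AccessController.doPrivileged(
                        new PrivilegedExceptionAction<FileInputStream>() {
                        public FileInputStream run() throws Exception {
                            return new FileInputStream(defaultKeyStore);
                        }
                    });
                }

                // The password arrives as a String system property and so
                // cannot be wiped from memory; only this char[] copy is ours.
                String defaultKeyStorePassword = props.get("keyStorePasswd");
                if (defaultKeyStorePassword.length() != 0) {
                    passwd = defaultKeyStorePassword.toCharArray();
                }

                /*
                 * Try to initialize key store.
                 */
                if ((defaultKeyStoreType.length()) != 0) {
                    if (debug != null && Debug.isOn("defaultctx")) {
                        System.out.println("init keystore");
                    }
                    if (defaultKeyStoreProvider.length() == 0) {
                        ks = KeyStore.getInstance(defaultKeyStoreType);
                    } else {
                        ks = KeyStore.getInstance(defaultKeyStoreType,
                            defaultKeyStoreProvider);
                    }

                    // if defaultKeyStore is NONE, fs will be null
                    ks.load(fs, passwd);
                }
            } finally {
                // Close on the failure path as well, not only after a
                // successful load.
                if (fs != null) {
                    fs.close();
                    fs = null;
                }
            }

            /*
             * Try to initialize key manager.
             */
            if (debug != null && Debug.isOn("defaultctx")) {
                System.out.println("init keymanager of type " +
                    KeyManagerFactory.getDefaultAlgorithm());
            }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());

            if (P11KEYSTORE.equals(defaultKeyStoreType)) {
                kmf.init(ks, null); // do not pass key passwd if using token
            } else {
                kmf.init(ks, passwd);
            }

            defaultKeyManagers = kmf.getKeyManagers();
            return defaultKeyManagers;
        }
    }

    /*
     * The SSLContext implementation for TLS, SSL, SSLv3 and TLS10 algorithm
     *
     * @see SSLContext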
     */
    public static final class TLS10Context extends ConservativeSSLContext {
        // use the default constructor and methods
    }

    /*
     * The SSLContext implementation for TLS11 algorithm
     *
     * @see SSLContext
     */
    public static final class TLS11Context extends SSLContextImpl {
        // Same layout as ConservativeSSLContext; the supported and server
        // sets are identical, only the client default additionally
        // enables TLS 1.1.
        private static SSLParameters defaultServerSSLParams;
        private static SSLParameters defaultClientSSLParams;
        private static SSLParameters supportedSSLParams;

        static {
            if (SunJSSE.isFIPS()) {
                // FIPS mode: TLS 1.0 through TLS 1.2 only.
                supportedSSLParams = new SSLParameters();
                supportedSSLParams.setProtocols(new String[] {
                    ProtocolVersion.TLS10.name,
                    ProtocolVersion.TLS11.name,
                    ProtocolVersion.TLS12.name
                });

                // Servers enable everything that is supported.
                defaultServerSSLParams = supportedSSLParams;

                // Clients: TLS 1.0 and TLS 1.1.
                defaultClientSSLParams = new SSLParameters();
                defaultClientSSLParams.setProtocols(new String[] {
                    ProtocolVersion.TLS10.name,
                    ProtocolVersion.TLS11.name
                });

            } else {
                // Non-FIPS mode additionally supports SSLv2Hello and SSLv3.
                supportedSSLParams = new SSLParameters();
                supportedSSLParams.setProtocols(new String[] {
                    ProtocolVersion.SSL20Hello.name,
                    ProtocolVersion.SSL30.name,
                    ProtocolVersion.TLS10.name,
                    ProtocolVersion.TLS11.name,
                    ProtocolVersion.TLS12.name
                });

                // Servers enable everything that is supported, which here
                // includes SSLv2Hello and SSLv3.
                defaultServerSSLParams = supportedSSLParams;

                // NOTE(review): the client default still offers SSLv3;
                // callers that must not negotiate it have to narrow the
                // list via setEnabledProtocols.
                defaultClientSSLParams = new SSLParameters();
                defaultClientSSLParams.setProtocols(new String[] {
                    ProtocolVersion.SSL30.name,
                    ProtocolVersion.TLS10.name,
                    ProtocolVersion.TLS11.name
                });
            }
        }

        /** Parameters (protocol list) applied to the server side by default. */
        SSLParameters getDefaultServerSSLParams() {
            return defaultServerSSLParams;
        }

        /** Parameters (protocol list) applied to the client side by default. */
        SSLParameters getDefaultClientSSLParams() {
            return defaultClientSSLParams;
        }

        /** Every protocol this context can be configured to use. */
        SSLParameters getSupportedSSLParams() {
            return supportedSSLParams;
        }
    }

    /*
     * The SSLContext implementation for TLS12 algorithm
     *
     * @see SSLContext
71351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski */ 71451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski public static final class TLS12Context extends SSLContextImpl { 71551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski // parameters 71651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private static SSLParameters defaultServerSSLParams; 71751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private static SSLParameters defaultClientSSLParams; 71851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski private static SSLParameters supportedSSLParams; 71951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 72051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski static { 72151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski if (SunJSSE.isFIPS()) { 72251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski supportedSSLParams = new SSLParameters(); 72351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski supportedSSLParams.setProtocols(new String[] { 72451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS10.name, 72551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS11.name, 72651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS12.name 72751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski }); 72851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 72951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski defaultServerSSLParams = supportedSSLParams; 73051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 73151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski defaultClientSSLParams = new SSLParameters(); 73251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski defaultClientSSLParams.setProtocols(new String[] { 73351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS10.name, 73451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS11.name, 
73551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS12.name 73651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski }); 73751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 73851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } else { 73951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski supportedSSLParams = new SSLParameters(); 74051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski supportedSSLParams.setProtocols(new String[] { 74151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.SSL20Hello.name, 74251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.SSL30.name, 74351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS10.name, 74451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS11.name, 74551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS12.name 74651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski }); 74751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 74851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski defaultServerSSLParams = supportedSSLParams; 74951b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 75051b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski defaultClientSSLParams = new SSLParameters(); 75151b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski defaultClientSSLParams.setProtocols(new String[] { 75251b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.SSL30.name, 75351b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS10.name, 75451b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS11.name, 75551b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski ProtocolVersion.TLS12.name 75651b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski }); 75751b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski } 75851b1b6997fd3f980076b8081f7f1165ccc2a4008Piotr Jastrzebski 
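        }

        SSLParameters getDefaultServerSSLParams() {
            return defaultServerSSLParams;
        }

        SSLParameters getDefaultClientSSLParams() {
            return defaultClientSSLParams;
        }

        SSLParameters getSupportedSSLParams() {
            return supportedSSLParams;
        }
    }
}


/*
 * Wraps a plain X509TrustManager so that it can be used where an
 * X509ExtendedTrustManager is required.
 *
 * The socket/engine-aware check methods first delegate the chain
 * validation to the wrapped manager and then perform the checks the
 * wrapped manager cannot do on its own because it has no access to the
 * handshake session: endpoint identification (when enabled in the
 * SSLParameters) and the negotiated algorithm constraints.
 */
final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
        implements X509TrustManager {

    // the delegated trust manager
    private final X509TrustManager tm;

    AbstractTrustManagerWrapper(X509TrustManager tm) {
        this.tm = tm;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        tm.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        tm.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return tm.getAcceptedIssuers();
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
            Socket socket) throws CertificateException {
        tm.checkClientTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, socket, true);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            Socket socket) throws CertificateException {
        tm.checkServerTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, socket, false);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        tm.checkClientTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, engine, true);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        tm.checkServerTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, engine, false);
    }

    /*
     * Additional checks for a socket-based handshake.
     *
     * Nothing is checked unless the socket is a connected SSLSocket; a
     * plain socket carries no handshake session. The isClient flag is
     * accepted for symmetry with the callers but is not consulted by any
     * of the checks below.
     *
     * @throws CertificateException if there is no handshake session, the
     *         peer identity does not match, or the chain violates the
     *         algorithm constraints
     */
    private void checkAdditionalTrust(X509Certificate[] chain, String authType,
            Socket socket, boolean isClient) throws CertificateException {
        if (socket == null || !socket.isConnected() ||
                !(socket instanceof SSLSocket)) {
            return;
        }

        SSLSocket sslSocket = (SSLSocket)socket;
        SSLSession session =
            requireHandshakeSession(sslSocket.getHandshakeSession());
        requireChain(chain);

        // check endpoint identity
        checkEndpointIdentity(chain, session,
            sslSocket.getSSLParameters().getEndpointIdentificationAlgorithm());

        // try the best to check the algorithm constraints
        AlgorithmConstraints constraints;
        if (hasNegotiatedSignatureAlgorithms(session)) {
            // NOTE(review): despite the historical name "peerSupportedSignAlgs"
            // this is the *local* list, as the accessor says - confirm that
            // the constraints are meant to be built from the local list.
            String[] localSupportedSignAlgs = ((ExtendedSSLSession)session)
                    .getLocalSupportedSignatureAlgorithms();
            constraints = new SSLAlgorithmConstraints(
                    sslSocket, localSupportedSignAlgs, true);
        } else {
            constraints = new SSLAlgorithmConstraints(sslSocket, true);
        }

        checkAlgorithmConstraints(chain, constraints);
    }

    /*
     * Additional checks for an engine-based handshake; mirrors the socket
     * variant above, with the constraints derived from the engine.
     *
     * @throws CertificateException if there is no handshake session, the
     *         peer identity does not match, or the chain violates the
     *         algorithm constraints
     */
    private void checkAdditionalTrust(X509Certificate[] chain, String authType,
            SSLEngine engine, boolean isClient) throws CertificateException {
        if (engine == null) {
            return;
        }

        SSLSession session =
            requireHandshakeSession(engine.getHandshakeSession());
        requireChain(chain);

        // check endpoint identity
        checkEndpointIdentity(chain, session,
            engine.getSSLParameters().getEndpointIdentificationAlgorithm());

        // try the best to check the algorithm constraints
        AlgorithmConstraints constraints;
        if (hasNegotiatedSignatureAlgorithms(session)) {
            // local list, not the peer's - see the note in the socket variant
            String[] localSupportedSignAlgs = ((ExtendedSSLSession)session)
                    .getLocalSupportedSignatureAlgorithms();
            constraints = new SSLAlgorithmConstraints(
                    engine, localSupportedSignAlgs, true);
        } else {
            constraints = new SSLAlgorithmConstraints(engine, true);
        }

        checkAlgorithmConstraints(chain, constraints);
    }

    // The handshake session carries the negotiated protocol and the peer
    // host; without it none of the additional checks can be made.
    private static SSLSession requireHandshakeSession(SSLSession session)
            throws CertificateException {
        if (session == null) {
            throw new CertificateException("No handshake session");
        }
        return session;
    }

    // The X509TrustManager contract demands a non-null, non-empty chain.
    // Fail with the contractual exception instead of an array index error
    // should the delegate have accepted such a chain.
    private static void requireChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException(
                "null or zero-length certificate chain");
        }
    }

    // Endpoint identification is only performed when the application
    // enabled it (non-empty algorithm name) in its SSLParameters; the
    // end-entity certificate is chain[0].
    private static void checkEndpointIdentity(X509Certificate[] chain,
            SSLSession session, String identityAlg)
            throws CertificateException {
        if (identityAlg != null && identityAlg.length() != 0) {
            String hostname = session.getPeerHost();
            X509TrustManagerImpl.checkIdentity(hostname, chain[0], identityAlg);
        }
    }

    // Signature algorithms are negotiated from TLS 1.2 on, and only an
    // ExtendedSSLSession exposes them; any other session falls back to
    // constraints derived from the socket/engine alone.
    private static boolean hasNegotiatedSignatureAlgorithms(
            SSLSession session) {
        ProtocolVersion protocolVersion =
            ProtocolVersion.valueOf(session.getProtocol());
        return protocolVersion.v >= ProtocolVersion.TLS12.v
                && session instanceof ExtendedSSLSession;
    }

    /*
     * Checks every certificate of the chain against the negotiated
     * algorithm constraints. A trailing certificate that the delegate
     * reports as an accepted issuer is a trust anchor and is skipped.
     *
     * @throws CertificateException (carrying the CertPathValidatorException
     *         as its cause) if any checked certificate violates the
     *         constraints
     */
    private void checkAlgorithmConstraints(X509Certificate[] chain,
            AlgorithmConstraints constraints) throws CertificateException {

        try {
            // Does the certificate chain end with a trusted certificate?
            int checkedLength = chain.length - 1;

            X509Certificate[] certs = tm.getAcceptedIssuers();
            if ((certs != null) && (certs.length > 0) &&
                    Arrays.asList(certs).contains(chain[checkedLength])) {
                checkedLength--;
            }

            // A forward checker, need to check from trust to target
            if (checkedLength >= 0) {
                AlgorithmChecker checker = new AlgorithmChecker(constraints);
                checker.init(false);
                for (int i = checkedLength; i >= 0; i--) {
                    // We don't care about the unresolved critical extensions.
                    checker.check(chain[i], Collections.<String>emptySet());
                }
            }
        } catch (CertPathValidatorException cpve) {
            // keep the cause: it names the offending certificate/algorithm
            throw new CertificateException(
                "Certificates does not conform to algorithm constraints",
                cpve);
        }
    }
}

// Dummy X509TrustManager implementation, rejects all peer certificates.
// Used if the application did not specify a proper X509TrustManager.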
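final class DummyX509TrustManager extends X509ExtendedTrustManager
        implements X509TrustManager {

    static final X509TrustManager INSTANCE = new DummyX509TrustManager();

    // Single message for every check method so the socket, engine and
    // plain variants all report the same (correctly spelled) reason.
    private static final String NO_TRUST_MANAGER =
        "No X509TrustManager implementation available";

    private DummyX509TrustManager() {
        // empty
    }

    /*
     * Rejects every client certificate chain. This manager stands in for
     * a missing X509TrustManager and never trusts any peer, so the
     * handshake fails regardless of the chain presented.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException(NO_TRUST_MANAGER);
    }

    /*
     * Rejects every server certificate chain; see checkClientTrusted.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException(NO_TRUST_MANAGER);
    }

    /*
     * Return an array of issuer certificates which are trusted
     * for authenticating peers - always empty for this implementation.
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
            Socket socket) throws CertificateException {
        throw new CertificateException(NO_TRUST_MANAGER);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            Socket socket) throws CertificateException {
        throw new CertificateException(NO_TRUST_MANAGER);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        throw new CertificateException(NO_TRUST_MANAGER);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        throw new CertificateException(NO_TRUST_MANAGER);
    }
}

/*
 * A wrapper class to turn a X509KeyManager into an X509ExtendedKeyManager.
 * Every X509KeyManager method is forwarded unchanged to the wrapped manager.
 */
final class AbstractKeyManagerWrapper extends X509ExtendedKeyManager {

    // the delegated key manager
    private final X509KeyManager km;

    AbstractKeyManagerWrapper(X509KeyManager km) {
        this.km = km;
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return km.getClientAliases(keyType, issuers);
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers,
            Socket socket) {
        return km.chooseClientAlias(keyType, issuers, socket);
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return km.getServerAliases(keyType, issuers);
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers,
            Socket socket) {
        return km.chooseServerAlias(keyType, issuers, socket);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return km.getCertificateChain(alias);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return km.getPrivateKey(alias);
    }

    // Inherit chooseEngineClientAlias() and chooseEngineServerAlias() from
    // X509ExtendedKeymanager. It defines them to return null;
}


// Dummy X509KeyManager implementation, never returns any certificates/keys.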
// Used if the application did not specify a proper X509KeyManager.
final class DummyX509KeyManager extends X509ExtendedKeyManager {

    static final X509ExtendedKeyManager INSTANCE = new DummyX509KeyManager();

    private DummyX509KeyManager() {
        // empty
    }

    /*
     * No client aliases: this manager holds no keys, so there is never
     * anything matching the requested key type or issuers.
     */
    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return null;
    }

    /*
     * No client alias can be chosen for a socket; null tells JSSE that
     * no client certificate will be sent.
     */
    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers,
            Socket socket) {
        return null;
    }

    /*
     * No client alias can be chosen for an engine; see chooseClientAlias.
     */
    @Override
    public String chooseEngineClientAlias(
            String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return null;
    }

    /*
     * No server aliases, for the same reason as getClientAliases.
     */
    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return null;
    }

    /*
     * No server alias can be chosen for a socket.
     */
    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers,
            Socket socket) {
        return null;
    }

    /*
     * No server alias can be chosen for an engine.
     */
    @Override
    public String chooseEngineServerAlias(
            String keyType, Principal[] issuers, SSLEngine engine) {
        return null;
    }

    /**
     * Returns the certificate chain associated with the given alias.
     *
     * @param alias the alias name
     *
     * @return always null; this manager has no certificates
     */
    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return null;
    }

    /**
     * Returns the key associated with the given alias.
     *
     * @param alias the alias name
     *
     * @return always null; this manager has no keys
     */
    @Override
    public PrivateKey getPrivateKey(String alias) {
        return null;
    }
}
