1b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin/* 2b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Copyright 2014 The Android Open Source Project 3b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 4b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Licensed under the Apache License, Version 2.0 (the "License"); 5b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * you may not use this file except in compliance with the License. 6b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * You may obtain a copy of the License at 7b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 8b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * http://www.apache.org/licenses/LICENSE-2.0 9b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 10b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Unless required by applicable law or agreed to in writing, software 11b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * distributed under the License is distributed on an "AS IS" BASIS, 12b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * See the License for the specific language governing permissions and 14b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * limitations under the License. 15b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 16b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 17b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubinpackage android.net; 18b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 19fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubinimport com.android.org.conscrypt.PSKKeyManager; 20b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubinimport java.net.Socket; 21b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubinimport javax.crypto.SecretKey; 22b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubinimport javax.net.ssl.SSLEngine; 23b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 24b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin/** 25b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Provider of key material for pre-shared key (PSK) key exchange used in TLS-PSK cipher suites. 26b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 27b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <h3>Overview of TLS-PSK</h3> 28b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 29b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p>TLS-PSK is a set of TLS/SSL cipher suites which rely on a symmetric pre-shared key (PSK) to 30b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * secure the TLS/SSL connection and mutually authenticate its peers. These cipher suites may be 31b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * a more natural fit compared to conventional public key based cipher suites in some scenarios 32b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * where communication between peers is bootstrapped via a separate step (for example, a pairing 33b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * step) and requires both peers to authenticate each other. In such scenarios a symmetric key (PSK) 34b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * can be exchanged during the bootstrapping step, removing the need to generate and exchange public 35b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * key pairs and X.509 certificates.</p> 36b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 37b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p>When a TLS-PSK cipher suite is used, both peers have to use the same key for the TLS/SSL 38b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * handshake to succeed. Thus, both peers are implicitly authenticated by a successful handshake. 39b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * This removes the need to use a {@code TrustManager} in conjunction with this {@code KeyManager}. 40b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * </p> 41b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 42b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <h3>Supporting multiple keys</h3> 43b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 44fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * <p>A peer may have multiple keys to choose from. To help choose the right key, during the 45fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * handshake the server can provide a <em>PSK identity hint</em> to the client, and the client can 46fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * provide a <em>PSK identity</em> to the server. The contents of these two pieces of information 47fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * are specific to application-level protocols.</p> 48b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 49b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p><em>NOTE: Both the PSK identity hint and the PSK identity are transmitted in cleartext. 50b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Moreover, these data are received and processed prior to peer having been authenticated. Thus, 51b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * they must not contain or leak key material or other sensitive information, and should be 52b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * treated (e.g., parsed) with caution, as untrusted data.</em></p> 53b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 54b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p>The high-level flow leading to peers choosing a key during TLS/SSL handshake is as follows: 55b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <ol> 56b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>Server receives a handshake request from client. 57b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>Server replies, optionally providing a PSK identity hint to client.</li> 58b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>Client chooses the key.</li> 59b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>Client provides a PSK identity of the chosen key to server.</li> 60b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>Server chooses the key.</li> 61b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * </ol></p> 62b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 63b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p>In the flow above, either peer can signal that they do not have a suitable key, in which case 64b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * the the handshake will be aborted immediately. This may enable a network attacker who does not 65b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * know the key to learn which PSK identity hints or PSK identities are supported. If this is a 66b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * concern then a randomly generated key should be used in the scenario where no key is available. 67b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * This will lead to the handshake aborting later, due to key mismatch -- same as in the scenario 68b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * where a key is available -- making it appear to the attacker that all PSK identity hints and PSK 69b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * identities are supported.</p> 70b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 71b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <h3>Maximum sizes</h3> 72b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 73b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <p>The maximum supported sizes are as follows: 74b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <ul> 75b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>256 bytes for keys (see {@link #MAX_KEY_LENGTH_BYTES}),</li> 76b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <li>128 bytes for PSK identity and PSK identity hint (in modified UTF-8 representation) (see 77b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * {@link #MAX_IDENTITY_LENGTH_BYTES} and {@link #MAX_IDENTITY_HINT_LENGTH_BYTES}).</li> 78b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * </ul></p> 79b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 80fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * <h3>Subclassing</h3> 81fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * Subclasses should normally provide their own implementation of {@code getKey} because the default 82fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * implementation returns no key, which aborts the handshake. 83fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * 848e93f0c3bc8497a7ca1ce97a3bd8948612d52c1eAlex Klyubin * <h3>Known issues</h3> 858e93f0c3bc8497a7ca1ce97a3bd8948612d52c1eAlex Klyubin * The implementation of {@code ECDHE_PSK} cipher suites in API Level 21 contains a bug which breaks 868e93f0c3bc8497a7ca1ce97a3bd8948612d52c1eAlex Klyubin * compatibility with other implementations. {@code ECDHE_PSK} cipher suites are enabled by default 878e93f0c3bc8497a7ca1ce97a3bd8948612d52c1eAlex Klyubin * on platforms with API Level 21 when an {@code SSLContext} is initialized with a 888e93f0c3bc8497a7ca1ce97a3bd8948612d52c1eAlex Klyubin * {@code PskKeyManager}. A workaround is to disable {@code ECDHE_PSK} cipher suites on platforms 898e93f0c3bc8497a7ca1ce97a3bd8948612d52c1eAlex Klyubin * with API Level 21. 908e93f0c3bc8497a7ca1ce97a3bd8948612d52c1eAlex Klyubin * 91b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <h3>Example</h3> 92b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * The following example illustrates how to create an {@code SSLContext} which enables the use of 93b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * TLS-PSK in {@code SSLSocket}, {@code SSLServerSocket} and {@code SSLEngine} instances obtained 94b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * from it. 95b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * <pre> {@code 96fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * PskKeyManager pskKeyManager = ...; 97b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 98b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * SSLContext sslContext = SSLContext.getInstance("TLS"); 99b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * sslContext.init( 10071fbb81b14958b80fe55738607740c6630e4e9daNeil Fuller * new KeyManager[] { pskKeyManager }, 101b56f21270af1d091fa7db988c57e2170bd53f683Alex Klyubin * new TrustManager[0], // No TrustManagers needed for TLS-PSK 102b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * null // Use the default source of entropy 103b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * ); 104b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 105b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * SSLSocket sslSocket = (SSLSocket) sslContext.getSocketFactory().createSocket(...); 106b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * }</pre> 107b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 108fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubinpublic abstract class PskKeyManager implements PSKKeyManager { 109b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin // IMPLEMENTATION DETAILS: This class exists only because the default implemenetation of the 110b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin // TLS/SSL JSSE provider (currently Conscrypt) cannot depend on Android framework classes. 111b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin // As a result, this framework class simply extends the PSKKeyManager interface from Conscrypt 112b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin // without adding any new methods or fields. Moreover, for technical reasons (Conscrypt classes 113b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin // are "hidden") this class replaces the Javadoc of Conscrypt's PSKKeyManager. 114b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 115b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 116b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Maximum supported length (in bytes) for PSK identity hint (in modified UTF-8 representation). 117b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 118fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin public static final int MAX_IDENTITY_HINT_LENGTH_BYTES = 119fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin PSKKeyManager.MAX_IDENTITY_HINT_LENGTH_BYTES; 120b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 121b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** Maximum supported length (in bytes) for PSK identity (in modified UTF-8 representation). */ 122fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin public static final int MAX_IDENTITY_LENGTH_BYTES = PSKKeyManager.MAX_IDENTITY_LENGTH_BYTES; 123b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 124b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** Maximum supported length (in bytes) for PSK. */ 125fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin public static final int MAX_KEY_LENGTH_BYTES = PSKKeyManager.MAX_KEY_LENGTH_BYTES; 126b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 127b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 128b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK identity hint to report to the client to help agree on the PSK for the provided 129b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * socket. 130b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 131fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * <p> 132fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * The default implementation returns {@code null}. 133fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * 134b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return PSK identity hint to be provided to the client or {@code null} to provide no hint. 135b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 136b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 137fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin public String chooseServerKeyIdentityHint(Socket socket) { 138fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin return null; 139fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin } 140b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 141b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 142b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK identity hint to report to the client to help agree on the PSK for the provided 143b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * engine. 144b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 145fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * <p> 146fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * The default implementation returns {@code null}. 147fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * 148b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return PSK identity hint to be provided to the client or {@code null} to provide no hint. 149b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 150b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 151fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin public String chooseServerKeyIdentityHint(SSLEngine engine) { 152fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin return null; 153fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin } 154b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 155b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 156b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK identity to report to the server to help agree on the PSK for the provided 157b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * socket. 158b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 159fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * <p> 160fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * The default implementation returns an empty string. 161fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * 162b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identityHint identity hint provided by the server or {@code null} if none provided. 163b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 164b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return PSK identity to provide to the server. {@code null} is permitted but will be 165b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * converted into an empty string. 166b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 167b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 168fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin public String chooseClientKeyIdentity(String identityHint, Socket socket) { 169fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin return ""; 170fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin } 171b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 172b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 173b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK identity to report to the server to help agree on the PSK for the provided 174b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * engine. 175b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 176fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * <p> 177fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * The default implementation returns an empty string. 178fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * 179b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identityHint identity hint provided by the server or {@code null} if none provided. 180b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 181b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return PSK identity to provide to the server. {@code null} is permitted but will be 182b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * converted into an empty string. 183b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 184b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 185fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin public String chooseClientKeyIdentity(String identityHint, SSLEngine engine) { 186fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin return ""; 187fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin } 188b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 189b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 190b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK to use for the provided socket. 191b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 192fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * <p> 193fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * The default implementation returns {@code null}. 194fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * 195b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identityHint identity hint provided by the server to help select the key or 196b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * {@code null} if none provided. 197b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identity identity provided by the client to help select the key. 198b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 199b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return key or {@code null} to signal to peer that no suitable key is available and to abort 200b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * the handshake. 201b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 202b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 203fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin public SecretKey getKey(String identityHint, String identity, Socket socket) { 204fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin return null; 205fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin } 206b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin 207b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin /** 208b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * Gets the PSK to use for the provided engine. 209b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 210fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * <p> 211fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * The default implementation returns {@code null}. 212fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin * 213b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identityHint identity hint provided by the server to help select the key or 214b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * {@code null} if none provided. 215b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @param identity identity provided by the client to help select the key. 216b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * 217b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * @return key or {@code null} to signal to peer that no suitable key is available and to abort 218b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin * the handshake. 219b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin */ 220b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin @Override 221fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin public SecretKey getKey(String identityHint, String identity, SSLEngine engine) { 222fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin return null; 223fcd8b20e09ca066da6d2564935d8dbfff2777547Alex Klyubin } 224b0d1d914073256db05aa33feb6b2d6018802635eAlex Klyubin} 225