Save This Page
Home » openjdk-7 » sun.security » ssl » [javadoc | source]
    1   /*
    2    * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
    3    * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
    4    *
    5    * This code is free software; you can redistribute it and/or modify it
    6    * under the terms of the GNU General Public License version 2 only, as
    7    * published by the Free Software Foundation.  Oracle designates this
    8    * particular file as subject to the "Classpath" exception as provided
    9    * by Oracle in the LICENSE file that accompanied this code.
   10    *
   11    * This code is distributed in the hope that it will be useful, but WITHOUT
   12    * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
   13    * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
   14    * version 2 for more details (a copy is included in the LICENSE file that
   15    * accompanied this code).
   16    *
   17    * You should have received a copy of the GNU General Public License version
   18    * 2 along with this work; if not, write to the Free Software Foundation,
   19    * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
   20    *
   21    * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
   22    * or visit www.oracle.com if you need additional information or have any
   23    * questions.
   24    */
   25   
   26   package sun.security.ssl;
   27   
   28   import java.net.Socket;
   29   
   30   import java.io;
   31   import java.util;
   32   import java.security;
   33   import java.security.cert;
   34   import java.security.cert.Certificate;
   35   
   36   import javax.net.ssl;
   37   
   38   import sun.security.provider.certpath.AlgorithmChecker;
   39   
   40   public abstract class SSLContextImpl extends SSLContextSpi {
   41   
   42       private static final Debug debug = Debug.getInstance("ssl");
   43   
   44       private final EphemeralKeyManager ephemeralKeyManager;
   45       private final SSLSessionContextImpl clientCache;
   46       private final SSLSessionContextImpl serverCache;
   47   
   48       private boolean isInitialized;
   49   
   50       private X509ExtendedKeyManager keyManager;
   51       private X509TrustManager trustManager;
   52       private SecureRandom secureRandom;
   53   
   54       // The default algrithm constraints
   55       private AlgorithmConstraints defaultAlgorithmConstraints =
   56                                    new SSLAlgorithmConstraints(null);
   57   
   58       // supported and default protocols
   59       private ProtocolList defaultServerProtocolList;
   60       private ProtocolList defaultClientProtocolList;
   61       private ProtocolList supportedProtocolList;
   62   
   63       // supported and default cipher suites
   64       private CipherSuiteList defaultServerCipherSuiteList;
   65       private CipherSuiteList defaultClientCipherSuiteList;
   66       private CipherSuiteList supportedCipherSuiteList;
   67   
   68       SSLContextImpl() {
   69           ephemeralKeyManager = new EphemeralKeyManager();
   70           clientCache = new SSLSessionContextImpl();
   71           serverCache = new SSLSessionContextImpl();
   72       }
   73   
   74       protected void engineInit(KeyManager[] km, TrustManager[] tm,
   75                                   SecureRandom sr) throws KeyManagementException {
   76           isInitialized = false;
   77           keyManager = chooseKeyManager(km);
   78   
   79           if (tm == null) {
   80               try {
   81                   TrustManagerFactory tmf = TrustManagerFactory.getInstance(
   82                           TrustManagerFactory.getDefaultAlgorithm());
   83                   tmf.init((KeyStore)null);
   84                   tm = tmf.getTrustManagers();
   85               } catch (Exception e) {
   86                   // eat
   87               }
   88           }
   89           trustManager = chooseTrustManager(tm);
   90   
   91           if (sr == null) {
   92               secureRandom = JsseJce.getSecureRandom();
   93           } else {
   94               if (SunJSSE.isFIPS() &&
   95                           (sr.getProvider() != SunJSSE.cryptoProvider)) {
   96                   throw new KeyManagementException
   97                       ("FIPS mode: SecureRandom must be from provider "
   98                       + SunJSSE.cryptoProvider.getName());
   99               }
  100               secureRandom = sr;
  101           }
  102   
  103           /*
  104            * The initial delay of seeding the random number generator
  105            * could be long enough to cause the initial handshake on our
  106            * first connection to timeout and fail. Make sure it is
  107            * primed and ready by getting some initial output from it.
  108            */
  109           if (debug != null && Debug.isOn("sslctx")) {
  110               System.out.println("trigger seeding of SecureRandom");
  111           }
  112           secureRandom.nextInt();
  113           if (debug != null && Debug.isOn("sslctx")) {
  114               System.out.println("done seeding SecureRandom");
  115           }
  116           isInitialized = true;
  117       }
  118   
  119       private X509TrustManager chooseTrustManager(TrustManager[] tm)
  120               throws KeyManagementException {
  121           // We only use the first instance of X509TrustManager passed to us.
  122           for (int i = 0; tm != null && i < tm.length; i++) {
  123               if (tm[i] instanceof X509TrustManager) {
  124                   if (SunJSSE.isFIPS() &&
  125                           !(tm[i] instanceof X509TrustManagerImpl)) {
  126                       throw new KeyManagementException
  127                           ("FIPS mode: only SunJSSE TrustManagers may be used");
  128                   }
  129   
  130                   if (tm[i] instanceof X509ExtendedTrustManager) {
  131                       return (X509TrustManager)tm[i];
  132                   } else {
  133                       return new AbstractTrustManagerWrapper(
  134                                           (X509TrustManager)tm[i]);
  135                   }
  136               }
  137           }
  138   
  139           // nothing found, return a dummy X509TrustManager.
  140           return DummyX509TrustManager.INSTANCE;
  141       }
  142   
  143       private X509ExtendedKeyManager chooseKeyManager(KeyManager[] kms)
  144               throws KeyManagementException {
  145           for (int i = 0; kms != null && i < kms.length; i++) {
  146               KeyManager km = kms[i];
  147               if (km instanceof X509KeyManager == false) {
  148                   continue;
  149               }
  150               if (SunJSSE.isFIPS()) {
  151                   // In FIPS mode, require that one of SunJSSE's own keymanagers
  152                   // is used. Otherwise, we cannot be sure that only keys from
  153                   // the FIPS token are used.
  154                   if ((km instanceof X509KeyManagerImpl)
  155                               || (km instanceof SunX509KeyManagerImpl)) {
  156                       return (X509ExtendedKeyManager)km;
  157                   } else {
  158                       // throw exception, we don't want to silently use the
  159                       // dummy keymanager without telling the user.
  160                       throw new KeyManagementException
  161                           ("FIPS mode: only SunJSSE KeyManagers may be used");
  162                   }
  163               }
  164               if (km instanceof X509ExtendedKeyManager) {
  165                   return (X509ExtendedKeyManager)km;
  166               }
  167               if (debug != null && Debug.isOn("sslctx")) {
  168                   System.out.println(
  169                       "X509KeyManager passed to " +
  170                       "SSLContext.init():  need an " +
  171                       "X509ExtendedKeyManager for SSLEngine use");
  172               }
  173               return new AbstractKeyManagerWrapper((X509KeyManager)km);
  174           }
  175   
  176           // nothing found, return a dummy X509ExtendedKeyManager
  177           return DummyX509KeyManager.INSTANCE;
  178       }
  179   
  180       protected SSLSocketFactory engineGetSocketFactory() {
  181           if (!isInitialized) {
  182               throw new IllegalStateException(
  183                   "SSLContextImpl is not initialized");
  184           }
  185          return new SSLSocketFactoryImpl(this);
  186       }
  187   
  188       protected SSLServerSocketFactory engineGetServerSocketFactory() {
  189           if (!isInitialized) {
  190               throw new IllegalStateException("SSLContext is not initialized");
  191           }
  192           return new SSLServerSocketFactoryImpl(this);
  193       }
  194   
  195       protected SSLEngine engineCreateSSLEngine() {
  196           if (!isInitialized) {
  197               throw new IllegalStateException(
  198                   "SSLContextImpl is not initialized");
  199           }
  200           return new SSLEngineImpl(this);
  201       }
  202   
  203       protected SSLEngine engineCreateSSLEngine(String host, int port) {
  204           if (!isInitialized) {
  205               throw new IllegalStateException(
  206                   "SSLContextImpl is not initialized");
  207           }
  208           return new SSLEngineImpl(this, host, port);
  209       }
  210   
  211       protected SSLSessionContext engineGetClientSessionContext() {
  212           return clientCache;
  213       }
  214   
  215       protected SSLSessionContext engineGetServerSessionContext() {
  216           return serverCache;
  217       }
  218   
  219       SecureRandom getSecureRandom() {
  220           return secureRandom;
  221       }
  222   
  223       X509ExtendedKeyManager getX509KeyManager() {
  224           return keyManager;
  225       }
  226   
  227       X509TrustManager getX509TrustManager() {
  228           return trustManager;
  229       }
  230   
  231       EphemeralKeyManager getEphemeralKeyManager() {
  232           return ephemeralKeyManager;
  233       }
  234   
  235       abstract SSLParameters getDefaultServerSSLParams();
  236       abstract SSLParameters getDefaultClientSSLParams();
  237       abstract SSLParameters getSupportedSSLParams();
  238   
  239       // Get suported ProtoclList.
  240       ProtocolList getSuportedProtocolList() {
  241           if (supportedProtocolList == null) {
  242               supportedProtocolList =
  243                   new ProtocolList(getSupportedSSLParams().getProtocols());
  244           }
  245   
  246           return supportedProtocolList;
  247       }
  248   
  249       // Get default ProtoclList.
  250       ProtocolList getDefaultProtocolList(boolean roleIsServer) {
  251           if (roleIsServer) {
  252               if (defaultServerProtocolList == null) {
  253                   defaultServerProtocolList = new ProtocolList(
  254                           getDefaultServerSSLParams().getProtocols());
  255               }
  256   
  257               return defaultServerProtocolList;
  258           } else {
  259               if (defaultClientProtocolList == null) {
  260                   defaultClientProtocolList = new ProtocolList(
  261                           getDefaultClientSSLParams().getProtocols());
  262               }
  263   
  264               return defaultClientProtocolList;
  265           }
  266       }
  267   
  268       // Get suported CipherSuiteList.
  269       CipherSuiteList getSuportedCipherSuiteList() {
  270           // Clear cache of available ciphersuites.
  271           clearAvailableCache();
  272   
  273           if (supportedCipherSuiteList == null) {
  274               supportedCipherSuiteList =
  275                   getApplicableCipherSuiteList(getSuportedProtocolList(), false);
  276           }
  277   
  278           return supportedCipherSuiteList;
  279       }
  280   
  281       // Get default CipherSuiteList.
  282       CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) {
  283           // Clear cache of available ciphersuites.
  284           clearAvailableCache();
  285   
  286           if (roleIsServer) {
  287               if (defaultServerCipherSuiteList == null) {
  288                   defaultServerCipherSuiteList = getApplicableCipherSuiteList(
  289                           getDefaultProtocolList(true), true);
  290               }
  291   
  292               return defaultServerCipherSuiteList;
  293           } else {
  294               if (defaultClientCipherSuiteList == null) {
  295                   defaultClientCipherSuiteList = getApplicableCipherSuiteList(
  296                           getDefaultProtocolList(false), true);
  297               }
  298   
  299               return defaultClientCipherSuiteList;
  300           }
  301       }
  302   
  303       /**
  304        * Return whether a protocol list is the original default enabled
  305        * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()
  306        */
  307       boolean isDefaultProtocolList(ProtocolList protocols) {
  308           return (protocols == defaultServerProtocolList) ||
  309                  (protocols == defaultClientProtocolList);
  310       }
  311   
  312   
  313       /*
  314        * Return the list of all available CipherSuites with a priority of
  315        * minPriority or above.
  316        */
  317       private CipherSuiteList getApplicableCipherSuiteList(
  318               ProtocolList protocols, boolean onlyEnabled) {
  319   
  320           int minPriority = CipherSuite.SUPPORTED_SUITES_PRIORITY;
  321           if (onlyEnabled) {
  322               minPriority = CipherSuite.DEFAULT_SUITES_PRIORITY;
  323           }
  324   
  325           Collection<CipherSuite> allowedCipherSuites =
  326                                       CipherSuite.allowedCipherSuites();
  327   
  328           ArrayList<CipherSuite> suites = new ArrayList<>();
  329           if (!(protocols.collection().isEmpty()) &&
  330                   protocols.min.v != ProtocolVersion.NONE.v) {
  331               for (CipherSuite suite : allowedCipherSuites) {
  332                   if (suite.allowed == false || suite.priority < minPriority) {
  333                       continue;
  334                   }
  335   
  336                   if (suite.isAvailable() &&
  337                           suite.obsoleted > protocols.min.v &&
  338                           suite.supported <= protocols.max.v) {
  339                       if (defaultAlgorithmConstraints.permits(
  340                               EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
  341                               suite.name, null)) {
  342                           suites.add(suite);
  343                       }
  344                   } else if (debug != null &&
  345                           Debug.isOn("sslctx") && Debug.isOn("verbose")) {
  346                       if (suite.obsoleted <= protocols.min.v) {
  347                           System.out.println(
  348                               "Ignoring obsoleted cipher suite: " + suite);
  349                       } else if (suite.supported > protocols.max.v) {
  350                           System.out.println(
  351                               "Ignoring unsupported cipher suite: " + suite);
  352                       } else {
  353                           System.out.println(
  354                               "Ignoring unavailable cipher suite: " + suite);
  355                       }
  356                   }
  357               }
  358           }
  359   
  360           return new CipherSuiteList(suites);
  361       }
  362   
  363       /**
  364        * Clear cache of available ciphersuites. If we support all ciphers
  365        * internally, there is no need to clear the cache and calling this
  366        * method has no effect.
  367        */
  368       synchronized void clearAvailableCache() {
  369           if (CipherSuite.DYNAMIC_AVAILABILITY) {
  370               supportedCipherSuiteList = null;
  371               defaultServerCipherSuiteList = null;
  372               defaultClientCipherSuiteList = null;
  373               CipherSuite.BulkCipher.clearAvailableCache();
  374               JsseJce.clearEcAvailable();
  375           }
  376       }
  377   
  378       /*
  379        * The SSLContext implementation for TLS/SSL algorithm
  380        *
  381        * SSL/TLS protocols specify the forward compatibility and version
  382        * roll-back attack protections, however, a number of SSL/TLS server
  383        * vendors did not implement these aspects properly, and some current
  384        * SSL/TLS servers may refuse to talk to a TLS 1.1 or later client.
  385        *
  386        * Considering above interoperability issues, SunJSSE will not set
  387        * TLS 1.1 and TLS 1.2 as the enabled protocols for client by default.
  388        *
  389        * For SSL/TLS servers, there is no such interoperability issues as
  390        * SSL/TLS clients. In SunJSSE, TLS 1.1 or later version will be the
  391        * enabled protocols for server by default.
  392        *
  393        * We may change the behavior when popular TLS/SSL vendors support TLS
  394        * forward compatibility properly.
  395        *
  396        * SSLv2Hello is no longer necessary.  This interoperability option was
  397        * put in place in the late 90's when SSLv3/TLS1.0 were relatively new
  398        * and there were a fair number of SSLv2-only servers deployed.  Because
  399        * of the security issues in SSLv2, it is rarely (if ever) used, as
  400        * deployments should now be using SSLv3 and TLSv1.
  401        *
  402        * Considering the issues of SSLv2Hello, we should not enable SSLv2Hello
  403        * by default. Applications still can use it by enabling SSLv2Hello with
  404        * the series of setEnabledProtocols APIs.
  405        */
  406   
  407       /*
  408        * The conservative SSLContext implementation for TLS, SSL, SSLv3 and
  409        * TLS10 algorithm.
  410        *
  411        * This is a super class of DefaultSSLContext and TLS10Context.
  412        *
  413        * @see SSLContext
  414        */
  415       private static class ConservativeSSLContext extends SSLContextImpl {
  416           // parameters
  417           private static SSLParameters defaultServerSSLParams;
  418           private static SSLParameters defaultClientSSLParams;
  419           private static SSLParameters supportedSSLParams;
  420   
  421           static {
  422               if (SunJSSE.isFIPS()) {
  423                   supportedSSLParams = new SSLParameters();
  424                   supportedSSLParams.setProtocols(new String[] {
  425                       ProtocolVersion.TLS10.name,
  426                       ProtocolVersion.TLS11.name,
  427                       ProtocolVersion.TLS12.name
  428                   });
  429   
  430                   defaultServerSSLParams = supportedSSLParams;
  431   
  432                   defaultClientSSLParams = new SSLParameters();
  433                   defaultClientSSLParams.setProtocols(new String[] {
  434                       ProtocolVersion.TLS10.name
  435                   });
  436   
  437               } else {
  438                   supportedSSLParams = new SSLParameters();
  439                   supportedSSLParams.setProtocols(new String[] {
  440                       ProtocolVersion.SSL20Hello.name,
  441                       ProtocolVersion.SSL30.name,
  442                       ProtocolVersion.TLS10.name,
  443                       ProtocolVersion.TLS11.name,
  444                       ProtocolVersion.TLS12.name
  445                   });
  446   
  447                   defaultServerSSLParams = supportedSSLParams;
  448   
  449                   defaultClientSSLParams = new SSLParameters();
  450                   defaultClientSSLParams.setProtocols(new String[] {
  451                       ProtocolVersion.SSL30.name,
  452                       ProtocolVersion.TLS10.name
  453                   });
  454               }
  455           }
  456   
  457           SSLParameters getDefaultServerSSLParams() {
  458               return defaultServerSSLParams;
  459           }
  460   
  461           SSLParameters getDefaultClientSSLParams() {
  462               return defaultClientSSLParams;
  463           }
  464   
  465           SSLParameters getSupportedSSLParams() {
  466               return supportedSSLParams;
  467           }
  468       }
  469   
  470       /*
  471        * The SSLContext implementation for default algorithm
  472        *
  473        * @see SSLContext
  474        */
  475       public static final class DefaultSSLContext extends ConservativeSSLContext {
  476           private static final String NONE = "NONE";
  477           private static final String P11KEYSTORE = "PKCS11";
  478   
  479           private static volatile SSLContextImpl defaultImpl;
  480   
  481           private static TrustManager[] defaultTrustManagers;
  482           private static KeyManager[] defaultKeyManagers;
  483   
  484           public DefaultSSLContext() throws Exception {
  485               try {
  486                   super.engineInit(getDefaultKeyManager(),
  487                           getDefaultTrustManager(), null);
  488               } catch (Exception e) {
  489                   if (debug != null && Debug.isOn("defaultctx")) {
  490                       System.out.println("default context init failed: " + e);
  491                   }
  492                   throw e;
  493               }
  494   
  495               if (defaultImpl == null) {
  496                   defaultImpl = this;
  497               }
  498           }
  499   
  500           protected void engineInit(KeyManager[] km, TrustManager[] tm,
  501               SecureRandom sr) throws KeyManagementException {
  502               throw new KeyManagementException
  503                   ("Default SSLContext is initialized automatically");
  504           }
  505   
  506           static synchronized SSLContextImpl getDefaultImpl() throws Exception {
  507               if (defaultImpl == null) {
  508                   new DefaultSSLContext();
  509               }
  510               return defaultImpl;
  511           }
  512   
  513           private static synchronized TrustManager[] getDefaultTrustManager()
  514                   throws Exception {
  515               if (defaultTrustManagers != null) {
  516                   return defaultTrustManagers;
  517               }
  518   
  519               KeyStore ks =
  520                   TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx");
  521   
  522               TrustManagerFactory tmf = TrustManagerFactory.getInstance(
  523                   TrustManagerFactory.getDefaultAlgorithm());
  524               tmf.init(ks);
  525               defaultTrustManagers = tmf.getTrustManagers();
  526               return defaultTrustManagers;
  527           }
  528   
  529           private static synchronized KeyManager[] getDefaultKeyManager()
  530                   throws Exception {
  531               if (defaultKeyManagers != null) {
  532                   return defaultKeyManagers;
  533               }
  534   
  535               final Map<String,String> props = new HashMap<>();
  536               AccessController.doPrivileged(
  537                           new PrivilegedExceptionAction<Object>() {
  538                   public Object run() throws Exception {
  539                       props.put("keyStore",  System.getProperty(
  540                                   "javax.net.ssl.keyStore", ""));
  541                       props.put("keyStoreType", System.getProperty(
  542                                   "javax.net.ssl.keyStoreType",
  543                                   KeyStore.getDefaultType()));
  544                       props.put("keyStoreProvider", System.getProperty(
  545                                   "javax.net.ssl.keyStoreProvider", ""));
  546                       props.put("keyStorePasswd", System.getProperty(
  547                                   "javax.net.ssl.keyStorePassword", ""));
  548                       return null;
  549                   }
  550               });
  551   
  552               final String defaultKeyStore = props.get("keyStore");
  553               String defaultKeyStoreType = props.get("keyStoreType");
  554               String defaultKeyStoreProvider = props.get("keyStoreProvider");
  555               if (debug != null && Debug.isOn("defaultctx")) {
  556                   System.out.println("keyStore is : " + defaultKeyStore);
  557                   System.out.println("keyStore type is : " +
  558                                           defaultKeyStoreType);
  559                   System.out.println("keyStore provider is : " +
  560                                           defaultKeyStoreProvider);
  561               }
  562   
  563               if (P11KEYSTORE.equals(defaultKeyStoreType) &&
  564                       !NONE.equals(defaultKeyStore)) {
  565                   throw new IllegalArgumentException("if keyStoreType is "
  566                       + P11KEYSTORE + ", then keyStore must be " + NONE);
  567               }
  568   
  569               FileInputStream fs = null;
  570               if (defaultKeyStore.length() != 0 && !NONE.equals(defaultKeyStore)) {
  571                   fs = AccessController.doPrivileged(
  572                           new PrivilegedExceptionAction<FileInputStream>() {
  573                       public FileInputStream run() throws Exception {
  574                           return new FileInputStream(defaultKeyStore);
  575                       }
  576                   });
  577               }
  578   
  579               String defaultKeyStorePassword = props.get("keyStorePasswd");
  580               char[] passwd = null;
  581               if (defaultKeyStorePassword.length() != 0) {
  582                   passwd = defaultKeyStorePassword.toCharArray();
  583               }
  584   
  585               /**
  586                * Try to initialize key store.
  587                */
  588               KeyStore ks = null;
  589               if ((defaultKeyStoreType.length()) != 0) {
  590                   if (debug != null && Debug.isOn("defaultctx")) {
  591                       System.out.println("init keystore");
  592                   }
  593                   if (defaultKeyStoreProvider.length() == 0) {
  594                       ks = KeyStore.getInstance(defaultKeyStoreType);
  595                   } else {
  596                       ks = KeyStore.getInstance(defaultKeyStoreType,
  597                                           defaultKeyStoreProvider);
  598                   }
  599   
  600                   // if defaultKeyStore is NONE, fs will be null
  601                   ks.load(fs, passwd);
  602               }
  603               if (fs != null) {
  604                   fs.close();
  605                   fs = null;
  606               }
  607   
  608               /*
  609                * Try to initialize key manager.
  610                */
  611               if (debug != null && Debug.isOn("defaultctx")) {
  612                   System.out.println("init keymanager of type " +
  613                       KeyManagerFactory.getDefaultAlgorithm());
  614               }
  615               KeyManagerFactory kmf = KeyManagerFactory.getInstance(
  616                   KeyManagerFactory.getDefaultAlgorithm());
  617   
  618               if (P11KEYSTORE.equals(defaultKeyStoreType)) {
  619                   kmf.init(ks, null); // do not pass key passwd if using token
  620               } else {
  621                   kmf.init(ks, passwd);
  622               }
  623   
  624               defaultKeyManagers = kmf.getKeyManagers();
  625               return defaultKeyManagers;
  626           }
  627       }
  628   
  629       /*
  630        * The SSLContext implementation for TLS, SSL, SSLv3 and TLS10 algorithm
  631        *
  632        * @see SSLContext
  633        */
  634       public static final class TLS10Context extends ConservativeSSLContext {
  635           // use the default constructor and methods
  636       }
  637   
  638       /*
  639        * The SSLContext implementation for TLS11 algorithm
  640        *
  641        * @see SSLContext
  642        */
  643       public static final class TLS11Context extends SSLContextImpl {
  644           // parameters
  645           private static SSLParameters defaultServerSSLParams;
  646           private static SSLParameters defaultClientSSLParams;
  647           private static SSLParameters supportedSSLParams;
  648   
  649           static {
  650               if (SunJSSE.isFIPS()) {
  651                   supportedSSLParams = new SSLParameters();
  652                   supportedSSLParams.setProtocols(new String[] {
  653                       ProtocolVersion.TLS10.name,
  654                       ProtocolVersion.TLS11.name,
  655                       ProtocolVersion.TLS12.name
  656                   });
  657   
  658                   defaultServerSSLParams = supportedSSLParams;
  659   
  660                   defaultClientSSLParams = new SSLParameters();
  661                   defaultClientSSLParams.setProtocols(new String[] {
  662                       ProtocolVersion.TLS10.name,
  663                       ProtocolVersion.TLS11.name
  664                   });
  665   
  666               } else {
  667                   supportedSSLParams = new SSLParameters();
  668                   supportedSSLParams.setProtocols(new String[] {
  669                       ProtocolVersion.SSL20Hello.name,
  670                       ProtocolVersion.SSL30.name,
  671                       ProtocolVersion.TLS10.name,
  672                       ProtocolVersion.TLS11.name,
  673                       ProtocolVersion.TLS12.name
  674                   });
  675   
  676                   defaultServerSSLParams = supportedSSLParams;
  677   
  678                   defaultClientSSLParams = new SSLParameters();
  679                   defaultClientSSLParams.setProtocols(new String[] {
  680                       ProtocolVersion.SSL30.name,
  681                       ProtocolVersion.TLS10.name,
  682                       ProtocolVersion.TLS11.name
  683                   });
  684               }
  685           }
  686   
  687           SSLParameters getDefaultServerSSLParams() {
  688               return defaultServerSSLParams;
  689           }
  690   
  691           SSLParameters getDefaultClientSSLParams() {
  692               return defaultClientSSLParams;
  693           }
  694   
  695           SSLParameters getSupportedSSLParams() {
  696               return supportedSSLParams;
  697           }
  698       }
  699   
  700       /*
  701        * The SSLContext implementation for TLS12 algorithm
  702        *
  703        * @see SSLContext
  704        */
  705       public static final class TLS12Context extends SSLContextImpl {
  706           // parameters
  707           private static SSLParameters defaultServerSSLParams;
  708           private static SSLParameters defaultClientSSLParams;
  709           private static SSLParameters supportedSSLParams;
  710   
  711           static {
  712               if (SunJSSE.isFIPS()) {
  713                   supportedSSLParams = new SSLParameters();
  714                   supportedSSLParams.setProtocols(new String[] {
  715                       ProtocolVersion.TLS10.name,
  716                       ProtocolVersion.TLS11.name,
  717                       ProtocolVersion.TLS12.name
  718                   });
  719   
  720                   defaultServerSSLParams = supportedSSLParams;
  721   
  722                   defaultClientSSLParams = new SSLParameters();
  723                   defaultClientSSLParams.setProtocols(new String[] {
  724                       ProtocolVersion.TLS10.name,
  725                       ProtocolVersion.TLS11.name,
  726                       ProtocolVersion.TLS12.name
  727                   });
  728   
  729               } else {
  730                   supportedSSLParams = new SSLParameters();
  731                   supportedSSLParams.setProtocols(new String[] {
  732                       ProtocolVersion.SSL20Hello.name,
  733                       ProtocolVersion.SSL30.name,
  734                       ProtocolVersion.TLS10.name,
  735                       ProtocolVersion.TLS11.name,
  736                       ProtocolVersion.TLS12.name
  737                   });
  738   
  739                   defaultServerSSLParams = supportedSSLParams;
  740   
  741                   defaultClientSSLParams = new SSLParameters();
  742                   defaultClientSSLParams.setProtocols(new String[] {
  743                       ProtocolVersion.SSL30.name,
  744                       ProtocolVersion.TLS10.name,
  745                       ProtocolVersion.TLS11.name,
  746                       ProtocolVersion.TLS12.name
  747                   });
  748               }
  749           }
  750   
  751           SSLParameters getDefaultServerSSLParams() {
  752               return defaultServerSSLParams;
  753           }
  754   
  755           SSLParameters getDefaultClientSSLParams() {
  756               return defaultClientSSLParams;
  757           }
  758   
  759           SSLParameters getSupportedSSLParams() {
  760               return supportedSSLParams;
  761           }
  762       }
  763   
  764   }
  765   
  766   
  767   final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
  768               implements X509TrustManager {
  769   
  770       private final X509TrustManager tm;
  771   
  772       AbstractTrustManagerWrapper(X509TrustManager tm) {
  773           this.tm = tm;
  774       }
  775   
  776       @Override
  777       public void checkClientTrusted(X509Certificate[] chain, String authType)
  778           throws CertificateException {
  779           tm.checkClientTrusted(chain, authType);
  780       }
  781   
  782       @Override
  783       public void checkServerTrusted(X509Certificate[] chain, String authType)
  784           throws CertificateException {
  785           tm.checkServerTrusted(chain, authType);
  786       }
  787   
  788       @Override
  789       public X509Certificate[] getAcceptedIssuers() {
  790           return tm.getAcceptedIssuers();
  791       }
  792   
  793       @Override
  794       public void checkClientTrusted(X509Certificate[] chain, String authType,
  795                   Socket socket) throws CertificateException {
  796           tm.checkClientTrusted(chain, authType);
  797           checkAdditionalTrust(chain, authType, socket, true);
  798       }
  799   
  800       @Override
  801       public void checkServerTrusted(X509Certificate[] chain, String authType,
  802               Socket socket) throws CertificateException {
  803           tm.checkServerTrusted(chain, authType);
  804           checkAdditionalTrust(chain, authType, socket, false);
  805       }
  806   
  807       @Override
  808       public void checkClientTrusted(X509Certificate[] chain, String authType,
  809               SSLEngine engine) throws CertificateException {
  810           tm.checkClientTrusted(chain, authType);
  811           checkAdditionalTrust(chain, authType, engine, true);
  812       }
  813   
  814       @Override
  815       public void checkServerTrusted(X509Certificate[] chain, String authType,
  816               SSLEngine engine) throws CertificateException {
  817           tm.checkServerTrusted(chain, authType);
  818           checkAdditionalTrust(chain, authType, engine, false);
  819       }
  820   
  821       private void checkAdditionalTrust(X509Certificate[] chain, String authType,
  822                   Socket socket, boolean isClient) throws CertificateException {
  823           if (socket != null && socket.isConnected() &&
  824                                       socket instanceof SSLSocket) {
  825   
  826               SSLSocket sslSocket = (SSLSocket)socket;
  827               SSLSession session = sslSocket.getHandshakeSession();
  828               if (session == null) {
  829                   throw new CertificateException("No handshake session");
  830               }
  831   
  832               // check endpoint identity
  833               String identityAlg = sslSocket.getSSLParameters().
  834                                           getEndpointIdentificationAlgorithm();
  835               if (identityAlg != null && identityAlg.length() != 0) {
  836                   String hostname = session.getPeerHost();
  837                   X509TrustManagerImpl.checkIdentity(
  838                                       hostname, chain[0], identityAlg);
  839               }
  840   
  841               // try the best to check the algorithm constraints
  842               ProtocolVersion protocolVersion =
  843                   ProtocolVersion.valueOf(session.getProtocol());
  844               AlgorithmConstraints constraints = null;
  845               if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
  846                   if (session instanceof ExtendedSSLSession) {
  847                       ExtendedSSLSession extSession =
  848                                       (ExtendedSSLSession)session;
  849                       String[] peerSupportedSignAlgs =
  850                               extSession.getLocalSupportedSignatureAlgorithms();
  851   
  852                       constraints = new SSLAlgorithmConstraints(
  853                                       sslSocket, peerSupportedSignAlgs, true);
  854                   } else {
  855                       constraints =
  856                               new SSLAlgorithmConstraints(sslSocket, true);
  857                   }
  858               } else {
  859                   constraints = new SSLAlgorithmConstraints(sslSocket, true);
  860               }
  861   
  862               AlgorithmChecker checker = new AlgorithmChecker(constraints);
  863               try {
  864                   checker.init(false);
  865   
  866                   // a forward checker, need to check from trust to target
  867                   for (int i = chain.length - 1; i >= 0; i--) {
  868                       Certificate cert = chain[i];
  869                       // We don't care about the unresolved critical extensions.
  870                       checker.check(cert, Collections.<String>emptySet());
  871                   }
  872               } catch (CertPathValidatorException cpve) {
  873                   throw new CertificateException(
  874                       "Certificates does not conform to algorithm constraints");
  875               }
  876           }
  877       }
  878   
  879       private void checkAdditionalTrust(X509Certificate[] chain, String authType,
  880               SSLEngine engine, boolean isClient) throws CertificateException {
  881           if (engine != null) {
  882               SSLSession session = engine.getHandshakeSession();
  883               if (session == null) {
  884                   throw new CertificateException("No handshake session");
  885               }
  886   
  887               // check endpoint identity
  888               String identityAlg = engine.getSSLParameters().
  889                                           getEndpointIdentificationAlgorithm();
  890               if (identityAlg != null && identityAlg.length() != 0) {
  891                   String hostname = session.getPeerHost();
  892                   X509TrustManagerImpl.checkIdentity(
  893                                       hostname, chain[0], identityAlg);
  894               }
  895   
  896               // try the best to check the algorithm constraints
  897               ProtocolVersion protocolVersion =
  898                   ProtocolVersion.valueOf(session.getProtocol());
  899               AlgorithmConstraints constraints = null;
  900               if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
  901                   if (session instanceof ExtendedSSLSession) {
  902                       ExtendedSSLSession extSession =
  903                                       (ExtendedSSLSession)session;
  904                       String[] peerSupportedSignAlgs =
  905                               extSession.getLocalSupportedSignatureAlgorithms();
  906   
  907                       constraints = new SSLAlgorithmConstraints(
  908                                       engine, peerSupportedSignAlgs, true);
  909                   } else {
  910                       constraints =
  911                               new SSLAlgorithmConstraints(engine, true);
  912                   }
  913               } else {
  914                   constraints = new SSLAlgorithmConstraints(engine, true);
  915               }
  916   
  917               AlgorithmChecker checker = new AlgorithmChecker(constraints);
  918               try {
  919                   checker.init(false);
  920   
  921                   // A forward checker, need to check from trust to target
  922                   for (int i = chain.length - 1; i >= 0; i--) {
  923                       Certificate cert = chain[i];
  924                       // We don't care about the unresolved critical extensions.
  925                       checker.check(cert, Collections.<String>emptySet());
  926                   }
  927               } catch (CertPathValidatorException cpve) {
  928                   throw new CertificateException(
  929                       "Certificates does not conform to algorithm constraints");
  930               }
  931           }
  932       }
  933   }
  934   
  935   // Dummy X509TrustManager implementation, rejects all peer certificates.
  936   // Used if the application did not specify a proper X509TrustManager.
  937   final class DummyX509TrustManager extends X509ExtendedTrustManager
  938               implements X509TrustManager {
  939   
  940       static final X509TrustManager INSTANCE = new DummyX509TrustManager();
  941   
  942       private DummyX509TrustManager() {
  943           // empty
  944       }
  945   
  946       /*
  947        * Given the partial or complete certificate chain
  948        * provided by the peer, build a certificate path
  949        * to a trusted root and return if it can be
  950        * validated and is trusted for client SSL authentication.
  951        * If not, it throws an exception.
  952        */
  953       @Override
  954       public void checkClientTrusted(X509Certificate[] chain, String authType)
  955           throws CertificateException {
  956           throw new CertificateException(
  957               "No X509TrustManager implementation avaiable");
  958       }
  959   
  960       /*
  961        * Given the partial or complete certificate chain
  962        * provided by the peer, build a certificate path
  963        * to a trusted root and return if it can be
  964        * validated and is trusted for server SSL authentication.
  965        * If not, it throws an exception.
  966        */
  967       @Override
  968       public void checkServerTrusted(X509Certificate[] chain, String authType)
  969           throws CertificateException {
  970           throw new CertificateException(
  971               "No X509TrustManager implementation available");
  972       }
  973   
  974       /*
  975        * Return an array of issuer certificates which are trusted
  976        * for authenticating peers.
  977        */
  978       @Override
  979       public X509Certificate[] getAcceptedIssuers() {
  980           return new X509Certificate[0];
  981       }
  982   
  983       @Override
  984       public void checkClientTrusted(X509Certificate[] chain, String authType,
  985                   Socket socket) throws CertificateException {
  986           throw new CertificateException(
  987               "No X509TrustManager implementation available");
  988       }
  989   
  990       @Override
  991       public void checkServerTrusted(X509Certificate[] chain, String authType,
  992               Socket socket) throws CertificateException {
  993           throw new CertificateException(
  994               "No X509TrustManager implementation available");
  995       }
  996   
  997       @Override
  998       public void checkClientTrusted(X509Certificate[] chain, String authType,
  999               SSLEngine engine) throws CertificateException {
 1000           throw new CertificateException(
 1001               "No X509TrustManager implementation available");
 1002       }
 1003   
 1004       @Override
 1005       public void checkServerTrusted(X509Certificate[] chain, String authType,
 1006               SSLEngine engine) throws CertificateException {
 1007           throw new CertificateException(
 1008               "No X509TrustManager implementation available");
 1009       }
 1010   }
 1011   
 1012   /*
 1013    * A wrapper class to turn a X509KeyManager into an X509ExtendedKeyManager
 1014    */
 1015   final class AbstractKeyManagerWrapper extends X509ExtendedKeyManager {
 1016   
 1017       private final X509KeyManager km;
 1018   
 1019       AbstractKeyManagerWrapper(X509KeyManager km) {
 1020           this.km = km;
 1021       }
 1022   
 1023       public String[] getClientAliases(String keyType, Principal[] issuers) {
 1024           return km.getClientAliases(keyType, issuers);
 1025       }
 1026   
 1027       public String chooseClientAlias(String[] keyType, Principal[] issuers,
 1028               Socket socket) {
 1029           return km.chooseClientAlias(keyType, issuers, socket);
 1030       }
 1031   
 1032       public String[] getServerAliases(String keyType, Principal[] issuers) {
 1033           return km.getServerAliases(keyType, issuers);
 1034       }
 1035   
 1036       public String chooseServerAlias(String keyType, Principal[] issuers,
 1037               Socket socket) {
 1038           return km.chooseServerAlias(keyType, issuers, socket);
 1039       }
 1040   
 1041       public X509Certificate[] getCertificateChain(String alias) {
 1042           return km.getCertificateChain(alias);
 1043       }
 1044   
 1045       public PrivateKey getPrivateKey(String alias) {
 1046           return km.getPrivateKey(alias);
 1047       }
 1048   
 1049       // Inherit chooseEngineClientAlias() and chooseEngineServerAlias() from
 1050       // X509ExtendedKeymanager. It defines them to return null;
 1051   }
 1052   
 1053   
 1054   // Dummy X509KeyManager implementation, never returns any certificates/keys.
 1055   // Used if the application did not specify a proper X509TrustManager.
 1056   final class DummyX509KeyManager extends X509ExtendedKeyManager {
 1057   
 1058       static final X509ExtendedKeyManager INSTANCE = new DummyX509KeyManager();
 1059   
 1060       private DummyX509KeyManager() {
 1061           // empty
 1062       }
 1063   
 1064       /*
 1065        * Get the matching aliases for authenticating the client side of a secure
 1066        * socket given the public key type and the list of
 1067        * certificate issuer authorities recognized by the peer (if any).
 1068        */
 1069       public String[] getClientAliases(String keyType, Principal[] issuers) {
 1070           return null;
 1071       }
 1072   
 1073       /*
 1074        * Choose an alias to authenticate the client side of a secure
 1075        * socket given the public key type and the list of
 1076        * certificate issuer authorities recognized by the peer (if any).
 1077        */
 1078       public String chooseClientAlias(String[] keyTypes, Principal[] issuers,
 1079               Socket socket) {
 1080           return null;
 1081       }
 1082   
 1083       /*
 1084        * Choose an alias to authenticate the client side of an
 1085        * engine given the public key type and the list of
 1086        * certificate issuer authorities recognized by the peer (if any).
 1087        */
 1088       public String chooseEngineClientAlias(
 1089               String[] keyTypes, Principal[] issuers, SSLEngine engine) {
 1090           return null;
 1091       }
 1092   
 1093       /*
 1094        * Get the matching aliases for authenticating the server side of a secure
 1095        * socket given the public key type and the list of
 1096        * certificate issuer authorities recognized by the peer (if any).
 1097        */
 1098       public String[] getServerAliases(String keyType, Principal[] issuers) {
 1099           return null;
 1100       }
 1101   
 1102       /*
 1103        * Choose an alias to authenticate the server side of a secure
 1104        * socket given the public key type and the list of
 1105        * certificate issuer authorities recognized by the peer (if any).
 1106        */
 1107       public String chooseServerAlias(String keyType, Principal[] issuers,
 1108               Socket socket) {
 1109           return null;
 1110       }
 1111   
 1112       /*
 1113        * Choose an alias to authenticate the server side of an engine
 1114        * given the public key type and the list of
 1115        * certificate issuer authorities recognized by the peer (if any).
 1116        */
 1117       public String chooseEngineServerAlias(
 1118               String keyType, Principal[] issuers, SSLEngine engine) {
 1119           return null;
 1120       }
 1121   
 1122       /**
 1123        * Returns the certificate chain associated with the given alias.
 1124        *
 1125        * @param alias the alias name
 1126        *
 1127        * @return the certificate chain (ordered with the user's certificate first
 1128        * and the root certificate authority last)
 1129        */
 1130       public X509Certificate[] getCertificateChain(String alias) {
 1131           return null;
 1132       }
 1133   
 1134       /*
 1135        * Returns the key associated with the given alias, using the given
 1136        * password to recover it.
 1137        *
 1138        * @param alias the alias name
 1139        *
 1140        * @return the requested key
 1141        */
 1142       public PrivateKey getPrivateKey(String alias) {
 1143           return null;
 1144       }
 1145   }

Save This Page
Home » openjdk-7 » sun.security » ssl » [javadoc | source]