411 "Ignore unsupported cipher suite: " + suite);
412 }
413 }
414 }
415
416 return new ArrayList<>(suites);
417 }
418
419 /*
420 * Get the customized cipher suites specified by the given system property.
421 */
422 private static Collection<CipherSuite> getCustomizedCipherSuites(
423 String propertyName) {
424
425 String property = GetPropertyAction.privilegedGetProperty(propertyName);
426 if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
427 SSLLogger.fine(
428 "System property " + propertyName + " is set to '" +
429 property + "'");
430 }
431 if (property != null && property.length() != 0) {
432 // remove double quote marks from beginning/end of the property
433 if (property.length() > 1 && property.charAt(0) == '"' &&
434 property.charAt(property.length() - 1) == '"') {
435 property = property.substring(1, property.length() - 1);
436 }
437 }
438
439 if (property != null && property.length() != 0) {
440 String[] cipherSuiteNames = property.split(",");
441 Collection<CipherSuite> cipherSuites =
442 new ArrayList<>(cipherSuiteNames.length);
443 for (int i = 0; i < cipherSuiteNames.length; i++) {
444 cipherSuiteNames[i] = cipherSuiteNames[i].trim();
445 if (cipherSuiteNames[i].isEmpty()) {
446 continue;
447 }
448
449 CipherSuite suite;
450 try {
451 suite = CipherSuite.nameOf(cipherSuiteNames[i]);
452 } catch (IllegalArgumentException iae) {
453 if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
454 SSLLogger.fine(
455 "Unknown or unsupported cipher suite name: " +
456 cipherSuiteNames[i]);
457 }
458
459 continue;
820 new ArrayList<>();
821
822 // Don't want a java.lang.LinkageError for illegal system property.
823 //
824 // Please don't throw exception in this static block. Otherwise,
825 // java.lang.LinkageError may be thrown during the instantiation of
826 // the provider service. Instead, please handle the initialization
827 // exception in the caller's constructor.
828 static {
829 populate(JDK_TLS_CLIENT_PROTOCOLS, customizedClientProtocols);
830 populate(JDK_TLS_SERVER_PROTOCOLS, customizedServerProtocols);
831 }
832
833 private static void populate(String propname,
834 ArrayList<ProtocolVersion> arrayList) {
835 String property = GetPropertyAction.privilegedGetProperty(propname);
836 if (property == null) {
837 return;
838 }
839
840 if (property.length() != 0) {
841 // remove double quote marks from beginning/end of the property
842 if (property.length() > 1 && property.charAt(0) == '"' &&
843 property.charAt(property.length() - 1) == '"') {
844 property = property.substring(1, property.length() - 1);
845 }
846 }
847
848 if (property.length() != 0) {
849 String[] protocols = property.split(",");
850 for (int i = 0; i < protocols.length; i++) {
851 protocols[i] = protocols[i].trim();
852 // Is it a supported protocol name?
853 ProtocolVersion pv =
854 ProtocolVersion.nameOf(protocols[i]);
855 if (pv == null) {
856 reservedException = new IllegalArgumentException(
857 propname + ": " + protocols[i] +
858 " is not a supported SSL protocol name");
859 }
860
861 if (SunJSSE.isFIPS() &&
862 ((pv == ProtocolVersion.SSL30) ||
863 (pv == ProtocolVersion.SSL20Hello))) {
864 reservedException = new IllegalArgumentException(
865 propname + ": " + pv +
866 " is not FIPS compliant");
867
868 break;
1084 String defaultKeyStoreType = props.get("keyStoreType");
1085 String defaultKeyStoreProvider = props.get("keyStoreProvider");
1086 if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
1087 SSLLogger.fine("keyStore is : " + defaultKeyStore);
1088 SSLLogger.fine("keyStore type is : " +
1089 defaultKeyStoreType);
1090 SSLLogger.fine("keyStore provider is : " +
1091 defaultKeyStoreProvider);
1092 }
1093
1094 if (P11KEYSTORE.equals(defaultKeyStoreType) &&
1095 !NONE.equals(defaultKeyStore)) {
1096 throw new IllegalArgumentException("if keyStoreType is "
1097 + P11KEYSTORE + ", then keyStore must be " + NONE);
1098 }
1099
1100 FileInputStream fs = null;
1101 KeyStore ks = null;
1102 char[] passwd = null;
1103 try {
1104 if (defaultKeyStore.length() != 0 &&
1105 !NONE.equals(defaultKeyStore)) {
1106 fs = AccessController.doPrivileged(
1107 new PrivilegedExceptionAction<FileInputStream>() {
1108 @Override
1109 public FileInputStream run() throws Exception {
1110 return new FileInputStream(defaultKeyStore);
1111 }
1112 });
1113 }
1114
1115 String defaultKeyStorePassword = props.get("keyStorePasswd");
1116 if (defaultKeyStorePassword.length() != 0) {
1117 passwd = defaultKeyStorePassword.toCharArray();
1118 }
1119
1120 /**
1121 * Try to initialize key store.
1122 */
1123 if ((defaultKeyStoreType.length()) != 0) {
1124 if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
1125 SSLLogger.finest("init keystore");
1126 }
1127 if (defaultKeyStoreProvider.length() == 0) {
1128 ks = KeyStore.getInstance(defaultKeyStoreType);
1129 } else {
1130 ks = KeyStore.getInstance(defaultKeyStoreType,
1131 defaultKeyStoreProvider);
1132 }
1133
1134 // if defaultKeyStore is NONE, fs will be null
1135 ks.load(fs, passwd);
1136 }
1137 } finally {
1138 if (fs != null) {
1139 fs.close();
1140 fs = null;
1141 }
1142 }
1143
1144 /*
1145 * Try to initialize key manager.
1146 */
1147 if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
1521 public void checkServerTrusted(X509Certificate[] chain, String authType,
1522 SSLEngine engine) throws CertificateException {
1523 tm.checkServerTrusted(chain, authType);
1524 checkAdditionalTrust(chain, authType, engine, false);
1525 }
1526
1527 private void checkAdditionalTrust(X509Certificate[] chain, String authType,
1528 Socket socket, boolean isClient) throws CertificateException {
1529 if (socket != null && socket.isConnected() &&
1530 socket instanceof SSLSocket) {
1531
1532 SSLSocket sslSocket = (SSLSocket)socket;
1533 SSLSession session = sslSocket.getHandshakeSession();
1534 if (session == null) {
1535 throw new CertificateException("No handshake session");
1536 }
1537
1538 // check endpoint identity
1539 String identityAlg = sslSocket.getSSLParameters().
1540 getEndpointIdentificationAlgorithm();
1541 if (identityAlg != null && identityAlg.length() != 0) {
1542 String hostname = session.getPeerHost();
1543 X509TrustManagerImpl.checkIdentity(
1544 hostname, chain[0], identityAlg);
1545 }
1546
1547 // try the best to check the algorithm constraints
1548 AlgorithmConstraints constraints;
1549 if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
1550 if (session instanceof ExtendedSSLSession) {
1551 ExtendedSSLSession extSession =
1552 (ExtendedSSLSession)session;
1553 String[] peerSupportedSignAlgs =
1554 extSession.getLocalSupportedSignatureAlgorithms();
1555
1556 constraints = new SSLAlgorithmConstraints(
1557 sslSocket, peerSupportedSignAlgs, true);
1558 } else {
1559 constraints =
1560 new SSLAlgorithmConstraints(sslSocket, true);
1561 }
1562 } else {
1563 constraints = new SSLAlgorithmConstraints(sslSocket, true);
1564 }
1565
1566 checkAlgorithmConstraints(chain, constraints, isClient);
1567 }
1568 }
1569
1570 private void checkAdditionalTrust(X509Certificate[] chain, String authType,
1571 SSLEngine engine, boolean isClient) throws CertificateException {
1572 if (engine != null) {
1573 SSLSession session = engine.getHandshakeSession();
1574 if (session == null) {
1575 throw new CertificateException("No handshake session");
1576 }
1577
1578 // check endpoint identity
1579 String identityAlg = engine.getSSLParameters().
1580 getEndpointIdentificationAlgorithm();
1581 if (identityAlg != null && identityAlg.length() != 0) {
1582 String hostname = session.getPeerHost();
1583 X509TrustManagerImpl.checkIdentity(
1584 hostname, chain[0], identityAlg);
1585 }
1586
1587 // try the best to check the algorithm constraints
1588 AlgorithmConstraints constraints;
1589 if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
1590 if (session instanceof ExtendedSSLSession) {
1591 ExtendedSSLSession extSession =
1592 (ExtendedSSLSession)session;
1593 String[] peerSupportedSignAlgs =
1594 extSession.getLocalSupportedSignatureAlgorithms();
1595
1596 constraints = new SSLAlgorithmConstraints(
1597 engine, peerSupportedSignAlgs, true);
1598 } else {
1599 constraints =
1600 new SSLAlgorithmConstraints(engine, true);
1601 }
411 "Ignore unsupported cipher suite: " + suite);
412 }
413 }
414 }
415
416 return new ArrayList<>(suites);
417 }
418
419 /*
420 * Get the customized cipher suites specified by the given system property.
421 */
422 private static Collection<CipherSuite> getCustomizedCipherSuites(
423 String propertyName) {
424
425 String property = GetPropertyAction.privilegedGetProperty(propertyName);
426 if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
427 SSLLogger.fine(
428 "System property " + propertyName + " is set to '" +
429 property + "'");
430 }
431 if (property != null && !property.isEmpty()) {
432 // remove double quote marks from beginning/end of the property
433 if (property.length() > 1 && property.charAt(0) == '"' &&
434 property.charAt(property.length() - 1) == '"') {
435 property = property.substring(1, property.length() - 1);
436 }
437 }
438
439 if (property != null && !property.isEmpty()) {
440 String[] cipherSuiteNames = property.split(",");
441 Collection<CipherSuite> cipherSuites =
442 new ArrayList<>(cipherSuiteNames.length);
443 for (int i = 0; i < cipherSuiteNames.length; i++) {
444 cipherSuiteNames[i] = cipherSuiteNames[i].trim();
445 if (cipherSuiteNames[i].isEmpty()) {
446 continue;
447 }
448
449 CipherSuite suite;
450 try {
451 suite = CipherSuite.nameOf(cipherSuiteNames[i]);
452 } catch (IllegalArgumentException iae) {
453 if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
454 SSLLogger.fine(
455 "Unknown or unsupported cipher suite name: " +
456 cipherSuiteNames[i]);
457 }
458
459 continue;
820 new ArrayList<>();
821
822 // Don't want a java.lang.LinkageError for illegal system property.
823 //
824 // Please don't throw exception in this static block. Otherwise,
825 // java.lang.LinkageError may be thrown during the instantiation of
826 // the provider service. Instead, please handle the initialization
827 // exception in the caller's constructor.
828 static {
829 populate(JDK_TLS_CLIENT_PROTOCOLS, customizedClientProtocols);
830 populate(JDK_TLS_SERVER_PROTOCOLS, customizedServerProtocols);
831 }
832
833 private static void populate(String propname,
834 ArrayList<ProtocolVersion> arrayList) {
835 String property = GetPropertyAction.privilegedGetProperty(propname);
836 if (property == null) {
837 return;
838 }
839
840 if (!property.isEmpty()) {
841 // remove double quote marks from beginning/end of the property
842 if (property.length() > 1 && property.charAt(0) == '"' &&
843 property.charAt(property.length() - 1) == '"') {
844 property = property.substring(1, property.length() - 1);
845 }
846 }
847
848 if (!property.isEmpty()) {
849 String[] protocols = property.split(",");
850 for (int i = 0; i < protocols.length; i++) {
851 protocols[i] = protocols[i].trim();
852 // Is it a supported protocol name?
853 ProtocolVersion pv =
854 ProtocolVersion.nameOf(protocols[i]);
855 if (pv == null) {
856 reservedException = new IllegalArgumentException(
857 propname + ": " + protocols[i] +
858 " is not a supported SSL protocol name");
859 }
860
861 if (SunJSSE.isFIPS() &&
862 ((pv == ProtocolVersion.SSL30) ||
863 (pv == ProtocolVersion.SSL20Hello))) {
864 reservedException = new IllegalArgumentException(
865 propname + ": " + pv +
866 " is not FIPS compliant");
867
868 break;
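Review bot: The quote-stripping block rewritten at 840–846 (`if (!property.isEmpty()) { … property.substring(1, property.length() - 1) … }`) is byte-for-byte the same as the one rewritten at 431–437 in getCustomizedCipherSuites, and both are immediately followed by the same `!property.isEmpty()` re-check before `split(",")`. Since the commit is already touching every line of both copies, this is the moment to fold them into one private static helper (e.g. `stripQuotes(String)` returning the unquoted value, or an empty string when the input is blank) so the two property parsers cannot drift apart. The populate method's body continues past the end of the hunk, so I cannot see whether `arrayList` is filled after the loop.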
1084 String defaultKeyStoreType = props.get("keyStoreType");
1085 String defaultKeyStoreProvider = props.get("keyStoreProvider");
1086 if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
1087 SSLLogger.fine("keyStore is : " + defaultKeyStore);
1088 SSLLogger.fine("keyStore type is : " +
1089 defaultKeyStoreType);
1090 SSLLogger.fine("keyStore provider is : " +
1091 defaultKeyStoreProvider);
1092 }
1093
1094 if (P11KEYSTORE.equals(defaultKeyStoreType) &&
1095 !NONE.equals(defaultKeyStore)) {
1096 throw new IllegalArgumentException("if keyStoreType is "
1097 + P11KEYSTORE + ", then keyStore must be " + NONE);
1098 }
1099
1100 FileInputStream fs = null;
1101 KeyStore ks = null;
1102 char[] passwd = null;
1103 try {
1104 if (!defaultKeyStore.isEmpty() &&
1105 !NONE.equals(defaultKeyStore)) {
1106 fs = AccessController.doPrivileged(
1107 new PrivilegedExceptionAction<FileInputStream>() {
1108 @Override
1109 public FileInputStream run() throws Exception {
1110 return new FileInputStream(defaultKeyStore);
1111 }
1112 });
1113 }
1114
1115 String defaultKeyStorePassword = props.get("keyStorePasswd");
1116 if (!defaultKeyStorePassword.isEmpty()) {
1117 passwd = defaultKeyStorePassword.toCharArray();
1118 }
1119
1120 /**
1121 * Try to initialize key store.
1122 */
1123 if ((defaultKeyStoreType.length()) != 0) {
1124 if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
1125 SSLLogger.finest("init keystore");
1126 }
1127 if (defaultKeyStoreProvider.isEmpty()) {
1128 ks = KeyStore.getInstance(defaultKeyStoreType);
1129 } else {
1130 ks = KeyStore.getInstance(defaultKeyStoreType,
1131 defaultKeyStoreProvider);
1132 }
1133
1134 // if defaultKeyStore is NONE, fs will be null
1135 ks.load(fs, passwd);
1136 }
1137 } finally {
1138 if (fs != null) {
1139 fs.close();
1140 fs = null;
1141 }
1142 }
1143
1144 /*
1145 * Try to initialize key manager.
1146 */
1147 if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
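Review bot: Line 1123 still reads `if ((defaultKeyStoreType.length()) != 0) {` while the sibling checks on `defaultKeyStore` (1104), `defaultKeyStorePassword` (1116) and `defaultKeyStoreProvider` (1127) were all converted to `isEmpty()` in this hunk; the extra parentheses presumably kept it out of whatever search produced the change. For consistency it should become `if (!defaultKeyStoreType.isEmpty()) {`. Separately, `fs = null;` at 1140 assigns a local that is never read again after the `finally`; a `try (FileInputStream fs = …)` form would drop both that line and the manual `close()`, though that is a pre-existing shape rather than something this commit introduced. The enclosing method continues past the end of the hunk.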
1521 public void checkServerTrusted(X509Certificate[] chain, String authType,
1522 SSLEngine engine) throws CertificateException {
1523 tm.checkServerTrusted(chain, authType);
1524 checkAdditionalTrust(chain, authType, engine, false);
1525 }
1526
1527 private void checkAdditionalTrust(X509Certificate[] chain, String authType,
1528 Socket socket, boolean isClient) throws CertificateException {
1529 if (socket != null && socket.isConnected() &&
1530 socket instanceof SSLSocket) {
1531
1532 SSLSocket sslSocket = (SSLSocket)socket;
1533 SSLSession session = sslSocket.getHandshakeSession();
1534 if (session == null) {
1535 throw new CertificateException("No handshake session");
1536 }
1537
1538 // check endpoint identity
1539 String identityAlg = sslSocket.getSSLParameters().
1540 getEndpointIdentificationAlgorithm();
1541 if (identityAlg != null && !identityAlg.isEmpty()) {
1542 String hostname = session.getPeerHost();
1543 X509TrustManagerImpl.checkIdentity(
1544 hostname, chain[0], identityAlg);
1545 }
1546
1547 // try the best to check the algorithm constraints
1548 AlgorithmConstraints constraints;
1549 if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
1550 if (session instanceof ExtendedSSLSession) {
1551 ExtendedSSLSession extSession =
1552 (ExtendedSSLSession)session;
1553 String[] peerSupportedSignAlgs =
1554 extSession.getLocalSupportedSignatureAlgorithms();
1555
1556 constraints = new SSLAlgorithmConstraints(
1557 sslSocket, peerSupportedSignAlgs, true);
1558 } else {
1559 constraints =
1560 new SSLAlgorithmConstraints(sslSocket, true);
1561 }
1562 } else {
1563 constraints = new SSLAlgorithmConstraints(sslSocket, true);
1564 }
1565
1566 checkAlgorithmConstraints(chain, constraints, isClient);
1567 }
1568 }
1569
1570 private void checkAdditionalTrust(X509Certificate[] chain, String authType,
1571 SSLEngine engine, boolean isClient) throws CertificateException {
1572 if (engine != null) {
1573 SSLSession session = engine.getHandshakeSession();
1574 if (session == null) {
1575 throw new CertificateException("No handshake session");
1576 }
1577
1578 // check endpoint identity
1579 String identityAlg = engine.getSSLParameters().
1580 getEndpointIdentificationAlgorithm();
1581 if (identityAlg != null && !identityAlg.isEmpty()) {
1582 String hostname = session.getPeerHost();
1583 X509TrustManagerImpl.checkIdentity(
1584 hostname, chain[0], identityAlg);
1585 }
1586
1587 // try the best to check the algorithm constraints
1588 AlgorithmConstraints constraints;
1589 if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
1590 if (session instanceof ExtendedSSLSession) {
1591 ExtendedSSLSession extSession =
1592 (ExtendedSSLSession)session;
1593 String[] peerSupportedSignAlgs =
1594 extSession.getLocalSupportedSignatureAlgorithms();
1595
1596 constraints = new SSLAlgorithmConstraints(
1597 engine, peerSupportedSignAlgs, true);
1598 } else {
1599 constraints =
1600 new SSLAlgorithmConstraints(engine, true);
1601 }