< prev index next >

src/share/classes/sun/security/ssl/SSLContextImpl.java

Print this page
rev 11548 : 8133070: Hot lock on BulkCipher.isAvailable
Reviewed-by: mullan
Contributed-by: xuelei.fan@oracle.com, kungu.mjh@alibaba-inc.com

*** 1,7 **** /* ! * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this --- 1,7 ---- /* ! * Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this
*** 50,69 **** private X509ExtendedKeyManager keyManager; private X509TrustManager trustManager; private SecureRandom secureRandom; - // supported and default protocols - private ProtocolList defaultServerProtocolList; - private ProtocolList defaultClientProtocolList; - private ProtocolList supportedProtocolList; - - // supported and default cipher suites - private CipherSuiteList defaultServerCipherSuiteList; - private CipherSuiteList defaultClientCipherSuiteList; - private CipherSuiteList supportedCipherSuiteList; - SSLContextImpl() { ephemeralKeyManager = new EphemeralKeyManager(); clientCache = new SSLSessionContextImpl(); serverCache = new SSLSessionContextImpl(); } --- 50,59 ----
*** 189,215 **** if (!isInitialized) { throw new IllegalStateException("SSLContext is not initialized"); } return new SSLServerSocketFactoryImpl(this); } @Override protected SSLEngine engineCreateSSLEngine() { if (!isInitialized) { throw new IllegalStateException( "SSLContextImpl is not initialized"); } ! return new SSLEngineImpl(this); } @Override protected SSLEngine engineCreateSSLEngine(String host, int port) { if (!isInitialized) { throw new IllegalStateException( "SSLContextImpl is not initialized"); } ! return new SSLEngineImpl(this, host, port); } @Override protected SSLSessionContext engineGetClientSessionContext() { return clientCache; --- 179,207 ---- if (!isInitialized) { throw new IllegalStateException("SSLContext is not initialized"); } return new SSLServerSocketFactoryImpl(this); } + abstract SSLEngine createSSLEngineImpl(); + abstract SSLEngine createSSLEngineImpl(String host, int port); @Override protected SSLEngine engineCreateSSLEngine() { if (!isInitialized) { throw new IllegalStateException( "SSLContextImpl is not initialized"); } ! return createSSLEngineImpl(); } @Override protected SSLEngine engineCreateSSLEngine(String host, int port) { if (!isInitialized) { throw new IllegalStateException( "SSLContextImpl is not initialized"); } ! return createSSLEngineImpl(host, port); } @Override protected SSLSessionContext engineGetClientSessionContext() { return clientCache;
*** 234,332 **** EphemeralKeyManager getEphemeralKeyManager() { return ephemeralKeyManager; } - abstract SSLParameters getDefaultServerSSLParams(); - abstract SSLParameters getDefaultClientSSLParams(); - abstract SSLParameters getSupportedSSLParams(); // Get supported ProtocolList. ! ProtocolList getSuportedProtocolList() { ! if (supportedProtocolList == null) { ! supportedProtocolList = ! new ProtocolList(getSupportedSSLParams().getProtocols()); ! } ! return supportedProtocolList; ! } ! // Get default ProtocolList. ! ProtocolList getDefaultProtocolList(boolean roleIsServer) { ! if (roleIsServer) { ! if (defaultServerProtocolList == null) { ! defaultServerProtocolList = new ProtocolList( ! getDefaultServerSSLParams().getProtocols()); ! } ! ! return defaultServerProtocolList; ! } else { ! if (defaultClientProtocolList == null) { ! defaultClientProtocolList = new ProtocolList( ! getDefaultClientSSLParams().getProtocols()); ! } ! ! return defaultClientProtocolList; ! } ! } // Get supported CipherSuiteList. ! CipherSuiteList getSupportedCipherSuiteList() { ! // The maintenance of cipher suites needs to be synchronized. ! synchronized (this) { ! // Clear cache of available ciphersuites. ! clearAvailableCache(); ! if (supportedCipherSuiteList == null) { ! supportedCipherSuiteList = getApplicableCipherSuiteList( ! getSuportedProtocolList(), false); ! } ! return supportedCipherSuiteList; ! } } // Get default CipherSuiteList. CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) { ! // The maintenance of cipher suites needs to be synchronized. ! synchronized (this) { ! // Clear cache of available ciphersuites. ! clearAvailableCache(); ! ! if (roleIsServer) { ! if (defaultServerCipherSuiteList == null) { ! defaultServerCipherSuiteList = getApplicableCipherSuiteList( ! getDefaultProtocolList(true), true); ! } ! ! return defaultServerCipherSuiteList; ! } else { ! if (defaultClientCipherSuiteList == null) { ! defaultClientCipherSuiteList = getApplicableCipherSuiteList( ! getDefaultProtocolList(false), true); ! } ! ! return defaultClientCipherSuiteList; ! } ! } } /** * Return whether a protocol list is the original default enabled * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() */ boolean isDefaultProtocolList(ProtocolList protocols) { ! return (protocols == defaultServerProtocolList) || ! (protocols == defaultClientProtocolList); } /* * Return the list of all available CipherSuites with a priority of * minPriority or above. */ ! private CipherSuiteList getApplicableCipherSuiteList( ProtocolList protocols, boolean onlyEnabled) { int minPriority = CipherSuite.SUPPORTED_SUITES_PRIORITY; if (onlyEnabled) { minPriority = CipherSuite.DEFAULT_SUITES_PRIORITY; --- 226,289 ---- EphemeralKeyManager getEphemeralKeyManager() { return ephemeralKeyManager; } // Get supported ProtocolList. ! abstract ProtocolList getSuportedProtocolList(); ! // Get default ProtocolList for server mode. ! abstract ProtocolList getServerDefaultProtocolList(); ! // Get default ProtocolList for client mode. ! abstract ProtocolList getClientDefaultProtocolList(); // Get supported CipherSuiteList. ! abstract CipherSuiteList getSupportedCipherSuiteList(); ! // Get default CipherSuiteList for server mode. ! abstract CipherSuiteList getServerDefaultCipherSuiteList(); ! // Get default CipherSuiteList for client mode. ! abstract CipherSuiteList getClientDefaultCipherSuiteList(); ! ! // Get default ProtocolList. ! ProtocolList getDefaultProtocolList(boolean roleIsServer) { ! return roleIsServer ? getServerDefaultProtocolList() ! : getClientDefaultProtocolList(); } // Get default CipherSuiteList. CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) { ! return roleIsServer ? getServerDefaultCipherSuiteList() ! : getClientDefaultCipherSuiteList(); } /** * Return whether a protocol list is the original default enabled * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() */ boolean isDefaultProtocolList(ProtocolList protocols) { ! return (protocols == getServerDefaultProtocolList()) || ! (protocols == getClientDefaultProtocolList()); } + /** + * Return whether a protocol list is the original default enabled + * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() + */ + boolean isDefaultCipherSuiteList(CipherSuiteList cipherSuites) { + return (cipherSuites == getServerDefaultCipherSuiteList()) || + (cipherSuites == getClientDefaultCipherSuiteList()); + } /* * Return the list of all available CipherSuites with a priority of * minPriority or above. */ ! private static CipherSuiteList getApplicableCipherSuiteList( ProtocolList protocols, boolean onlyEnabled) { int minPriority = CipherSuite.SUPPORTED_SUITES_PRIORITY; if (onlyEnabled) { minPriority = CipherSuite.DEFAULT_SUITES_PRIORITY;
*** 368,395 **** } return new CipherSuiteList(suites); } ! /** ! * Clear cache of available ciphersuites. If we support all ciphers ! * internally, there is no need to clear the cache and calling this ! * method has no effect. ! * ! * Note that every call to clearAvailableCache() and the maintenance of ! * cipher suites need to be synchronized with this instance. ! */ ! private void clearAvailableCache() { ! if (CipherSuite.DYNAMIC_AVAILABILITY) { ! supportedCipherSuiteList = null; ! defaultServerCipherSuiteList = null; ! defaultClientCipherSuiteList = null; ! CipherSuite.BulkCipher.clearAvailableCache(); ! JsseJce.clearEcAvailable(); } } /* * The SSLContext implementation for TLS/SSL algorithm * * SSL/TLS protocols specify the forward compatibility and version * roll-back attack protections, however, a number of SSL/TLS server --- 325,350 ---- } return new CipherSuiteList(suites); } ! private static String[] getAvailableProtocols( ! ProtocolVersion[] protocolCandidates) { ! ! List<String> availableProtocols = Collections.<String>emptyList(); ! if (protocolCandidates != null && protocolCandidates.length != 0) { ! availableProtocols = new ArrayList<>(protocolCandidates.length); ! for (ProtocolVersion p : protocolCandidates) { ! if (ProtocolVersion.availableProtocols.contains(p)) { ! availableProtocols.add(p.name); ! } } } + return availableProtocols.toArray(new String[0]); + } + /* * The SSLContext implementation for TLS/SSL algorithm * * SSL/TLS protocols specify the forward compatibility and version * roll-back attack protections, however, a number of SSL/TLS server
*** 416,785 **** * by default. Applications still can use it by enabling SSLv2Hello with * the series of setEnabledProtocols APIs. */ /* ! * The base abstract SSLContext implementation. * * This abstract class encapsulates supported and the default server ! * SSL parameters. * * @see SSLContext */ ! private abstract static class AbstractSSLContext extends SSLContextImpl { ! // parameters ! private static final SSLParameters defaultServerSSLParams; ! private static final SSLParameters supportedSSLParams; ! static { ! // supported SSL parameters ! supportedSSLParams = new SSLParameters(); ! ! // candidates for available protocols ! ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { ! supportedSSLParams.setProtocols(new String[] { ProtocolVersion.TLS10.name, ProtocolVersion.TLS11.name, ProtocolVersion.TLS12.name }); ! candidates = new ProtocolVersion[] { ProtocolVersion.TLS10, ProtocolVersion.TLS11, ProtocolVersion.TLS12 ! }; } else { ! supportedSSLParams.setProtocols(new String[] { ProtocolVersion.SSL20Hello.name, ProtocolVersion.SSL30.name, ProtocolVersion.TLS10.name, ProtocolVersion.TLS11.name, ProtocolVersion.TLS12.name }); ! candidates = new ProtocolVersion[] { ProtocolVersion.SSL20Hello, ProtocolVersion.SSL30, ProtocolVersion.TLS10, ProtocolVersion.TLS11, ProtocolVersion.TLS12 ! }; } ! defaultServerSSLParams = new SSLParameters(); ! defaultServerSSLParams.setProtocols( ! getAvailableProtocols(candidates).toArray(new String[0])); } @Override ! SSLParameters getDefaultServerSSLParams() { ! return defaultServerSSLParams; } @Override ! SSLParameters getSupportedSSLParams() { ! return supportedSSLParams; } ! static List<String> getAvailableProtocols( ! ProtocolVersion[] protocolCandidates) { ! ! List<String> availableProtocols = Collections.<String>emptyList(); ! if (protocolCandidates != null && protocolCandidates.length != 0) { ! availableProtocols = new ArrayList<>(protocolCandidates.length); ! for (ProtocolVersion p : protocolCandidates) { ! if (ProtocolVersion.availableProtocols.contains(p)) { ! availableProtocols.add(p.name); } } } ! return availableProtocols; } } /* * The SSLContext implementation for SSLv3 and TLS10 algorithm * * @see SSLContext */ ! public static final class TLS10Context extends AbstractSSLContext { ! private static final SSLParameters defaultClientSSLParams; static { - // candidates for available protocols - ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { ! candidates = new ProtocolVersion[] { ProtocolVersion.TLS10 ! }; } else { ! candidates = new ProtocolVersion[] { ProtocolVersion.SSL30, ProtocolVersion.TLS10 ! }; } ! defaultClientSSLParams = new SSLParameters(); ! defaultClientSSLParams.setProtocols( ! getAvailableProtocols(candidates).toArray(new String[0])); } @Override ! SSLParameters getDefaultClientSSLParams() { ! return defaultClientSSLParams; } } /* * The SSLContext implementation for TLS11 algorithm * * @see SSLContext */ ! public static final class TLS11Context extends AbstractSSLContext { ! private static final SSLParameters defaultClientSSLParams; static { - // candidates for available protocols - ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { ! candidates = new ProtocolVersion[] { ProtocolVersion.TLS10, ProtocolVersion.TLS11 ! }; } else { ! candidates = new ProtocolVersion[] { ProtocolVersion.SSL30, ProtocolVersion.TLS10, ProtocolVersion.TLS11 ! }; } ! defaultClientSSLParams = new SSLParameters(); ! defaultClientSSLParams.setProtocols( ! getAvailableProtocols(candidates).toArray(new String[0])); } @Override ! SSLParameters getDefaultClientSSLParams() { ! return defaultClientSSLParams; } } /* * The SSLContext implementation for TLS12 algorithm * * @see SSLContext */ ! public static final class TLS12Context extends AbstractSSLContext { ! private static final SSLParameters defaultClientSSLParams; static { - // candidates for available protocols - ProtocolVersion[] candidates; if (SunJSSE.isFIPS()) { ! candidates = new ProtocolVersion[] { ProtocolVersion.TLS10, ProtocolVersion.TLS11, ProtocolVersion.TLS12 ! }; } else { ! candidates = new ProtocolVersion[] { ProtocolVersion.SSL30, ProtocolVersion.TLS10, ProtocolVersion.TLS11, ProtocolVersion.TLS12 ! }; } ! defaultClientSSLParams = new SSLParameters(); ! defaultClientSSLParams.setProtocols( ! getAvailableProtocols(candidates).toArray(new String[0])); } @Override ! SSLParameters getDefaultClientSSLParams() { ! return defaultClientSSLParams; } } /* ! * The SSLContext implementation for customized TLS protocols * * @see SSLContext */ ! private static class CustomizedSSLContext extends AbstractSSLContext { private static final String PROPERTY_NAME = "jdk.tls.client.protocols"; ! private static final SSLParameters defaultClientSSLParams; ! private static IllegalArgumentException reservedException = null; // Don't want a java.lang.LinkageError for illegal system property. // // Please don't throw exception in this static block. Otherwise, // java.lang.LinkageError may be thrown during the instantiation of ! // the provider service. Instead, let's handle the initialization ! // exception in constructor. static { - // candidates for available protocols - ProtocolVersion[] candidates; - String property = AccessController.doPrivileged( new GetPropertyAction(PROPERTY_NAME)); ! if (property == null || property.length() == 0) { ! // the default enabled client TLS protocols ! if (SunJSSE.isFIPS()) { ! candidates = new ProtocolVersion[] { ! ProtocolVersion.TLS10, ! ProtocolVersion.TLS11, ! ProtocolVersion.TLS12 ! }; ! } else { ! candidates = new ProtocolVersion[] { ! ProtocolVersion.SSL30, ! ProtocolVersion.TLS10, ! ProtocolVersion.TLS11, ! ProtocolVersion.TLS12 ! }; ! } ! } else { // remove double quote marks from beginning/end of the property if (property.length() > 1 && property.charAt(0) == '"' && property.charAt(property.length() - 1) == '"') { property = property.substring(1, property.length() - 1); } - - String[] protocols = null; - if (property != null && property.length() != 0) { - protocols = property.split(","); - } else { - reservedException = new IllegalArgumentException( - "No protocol specified in " + - PROPERTY_NAME + " system property"); - protocols = new String[0]; } ! candidates = new ProtocolVersion[protocols.length]; for (int i = 0; i < protocols.length; i++) { protocols[i] = protocols[i].trim(); // Is it a supported protocol name? try { ! candidates[i] = ProtocolVersion.valueOf(protocols[i]); ! } catch (IllegalArgumentException iae) { reservedException = new IllegalArgumentException( ! PROPERTY_NAME + ": " + protocols[i] + ! " is not a standard SSL/TLS protocol name", iae); break; } - } ! if ((reservedException == null) && SunJSSE.isFIPS()) { ! for (ProtocolVersion protocolVersion : candidates) { ! if (ProtocolVersion.SSL20Hello.v == protocolVersion.v || ! ProtocolVersion.SSL30.v == protocolVersion.v) { reservedException = new IllegalArgumentException( ! PROPERTY_NAME + ": " + protocolVersion + ! " is not FIPS compliant"); } } } } ! defaultClientSSLParams = new SSLParameters(); if (reservedException == null) { ! defaultClientSSLParams.setProtocols( ! getAvailableProtocols(candidates).toArray(new String[0])); } } ! protected CustomizedSSLContext() { if (reservedException != null) { throw reservedException; } } @Override ! SSLParameters getDefaultClientSSLParams() { ! return defaultClientSSLParams; } } /* * The SSLContext implementation for default "TLS" algorithm * * @see SSLContext */ ! public static final class TLSContext extends CustomizedSSLContext { // use the default constructor and methods } ! /* ! * The SSLContext implementation for default "Default" algorithm ! * ! * @see SSLContext ! */ ! public static final class DefaultSSLContext extends CustomizedSSLContext { private static final String NONE = "NONE"; private static final String P11KEYSTORE = "PKCS11"; ! private static volatile SSLContextImpl defaultImpl; ! private static TrustManager[] defaultTrustManagers; ! private static KeyManager[] defaultKeyManagers; ! public DefaultSSLContext() throws Exception { try { ! super.engineInit(getDefaultKeyManager(), ! getDefaultTrustManager(), null); } catch (Exception e) { ! if (debug != null && Debug.isOn("defaultctx")) { ! System.out.println("default context init failed: " + e); ! } ! throw e; ! } ! ! if (defaultImpl == null) { ! defaultImpl = this; ! } ! } ! ! @Override ! protected void engineInit(KeyManager[] km, TrustManager[] tm, ! SecureRandom sr) throws KeyManagementException { ! throw new KeyManagementException ! ("Default SSLContext is initialized automatically"); } ! static synchronized SSLContextImpl getDefaultImpl() throws Exception { ! if (defaultImpl == null) { ! new DefaultSSLContext(); } ! return defaultImpl; } - - private static synchronized TrustManager[] getDefaultTrustManager() - throws Exception { - if (defaultTrustManagers != null) { - return defaultTrustManagers; } KeyStore ks = TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx"); TrustManagerFactory tmf = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ks); ! defaultTrustManagers = tmf.getTrustManagers(); ! return defaultTrustManagers; } ! private static synchronized KeyManager[] getDefaultKeyManager() ! throws Exception { ! if (defaultKeyManagers != null) { ! return defaultKeyManagers; ! } final Map<String,String> props = new HashMap<>(); AccessController.doPrivileged( new PrivilegedExceptionAction<Object>() { @Override --- 371,783 ---- * by default. Applications still can use it by enabling SSLv2Hello with * the series of setEnabledProtocols APIs. */ /* ! * The base abstract SSLContext implementation for the Transport Layer ! * Security (TLS) protocols. * * This abstract class encapsulates supported and the default server ! * SSL/TLS parameters. * * @see SSLContext */ ! private abstract static class AbstractTLSContext extends SSLContextImpl { ! private static final ProtocolList supportedProtocolList; ! private static final ProtocolList serverDefaultProtocolList; ! private static final CipherSuiteList supportedCipherSuiteList; ! private static final CipherSuiteList serverDefaultCipherSuiteList; + static { if (SunJSSE.isFIPS()) { ! supportedProtocolList = new ProtocolList(new String[] { ProtocolVersion.TLS10.name, ProtocolVersion.TLS11.name, ProtocolVersion.TLS12.name }); ! serverDefaultProtocolList = new ProtocolList( ! getAvailableProtocols(new ProtocolVersion[] { ProtocolVersion.TLS10, ProtocolVersion.TLS11, ProtocolVersion.TLS12 ! })); } else { ! supportedProtocolList = new ProtocolList(new String[] { ProtocolVersion.SSL20Hello.name, ProtocolVersion.SSL30.name, ProtocolVersion.TLS10.name, ProtocolVersion.TLS11.name, ProtocolVersion.TLS12.name }); ! serverDefaultProtocolList = new ProtocolList( ! getAvailableProtocols(new ProtocolVersion[] { ProtocolVersion.SSL20Hello, ProtocolVersion.SSL30, ProtocolVersion.TLS10, ProtocolVersion.TLS11, ProtocolVersion.TLS12 ! })); } ! supportedCipherSuiteList = getApplicableCipherSuiteList( ! supportedProtocolList, false); // all supported ! serverDefaultCipherSuiteList = getApplicableCipherSuiteList( ! serverDefaultProtocolList, true); // enabled only } @Override ! ProtocolList getSuportedProtocolList() { ! return supportedProtocolList; } @Override ! CipherSuiteList getSupportedCipherSuiteList() { ! return supportedCipherSuiteList; } ! @Override ! ProtocolList getServerDefaultProtocolList() { ! return serverDefaultProtocolList; } + + @Override + CipherSuiteList getServerDefaultCipherSuiteList() { + return serverDefaultCipherSuiteList; } + + @Override + SSLEngine createSSLEngineImpl() { + return new SSLEngineImpl(this); } ! @Override ! SSLEngine createSSLEngineImpl(String host, int port) { ! return new SSLEngineImpl(this, host, port); } } /* * The SSLContext implementation for SSLv3 and TLS10 algorithm * * @see SSLContext */ ! public static final class TLS10Context extends AbstractTLSContext { ! private static final ProtocolList clientDefaultProtocolList; ! private static final CipherSuiteList clientDefaultCipherSuiteList; static { if (SunJSSE.isFIPS()) { ! clientDefaultProtocolList = new ProtocolList( ! getAvailableProtocols(new ProtocolVersion[] { ProtocolVersion.TLS10 ! })); } else { ! clientDefaultProtocolList = new ProtocolList( ! getAvailableProtocols(new ProtocolVersion[] { ProtocolVersion.SSL30, ProtocolVersion.TLS10 ! })); ! } ! ! clientDefaultCipherSuiteList = getApplicableCipherSuiteList( ! clientDefaultProtocolList, true); // enabled only } ! @Override ! ProtocolList getClientDefaultProtocolList() { ! return clientDefaultProtocolList; } @Override ! CipherSuiteList getClientDefaultCipherSuiteList() { ! return clientDefaultCipherSuiteList; } } /* * The SSLContext implementation for TLS11 algorithm * * @see SSLContext */ ! public static final class TLS11Context extends AbstractTLSContext { ! private static final ProtocolList clientDefaultProtocolList; ! private static final CipherSuiteList clientDefaultCipherSuiteList; static { if (SunJSSE.isFIPS()) { ! clientDefaultProtocolList = new ProtocolList( ! getAvailableProtocols(new ProtocolVersion[] { ProtocolVersion.TLS10, ProtocolVersion.TLS11 ! })); } else { ! clientDefaultProtocolList = new ProtocolList( ! getAvailableProtocols(new ProtocolVersion[] { ProtocolVersion.SSL30, ProtocolVersion.TLS10, ProtocolVersion.TLS11 ! })); } ! clientDefaultCipherSuiteList = getApplicableCipherSuiteList( ! clientDefaultProtocolList, true); // enabled only } @Override ! ProtocolList getClientDefaultProtocolList() { ! return clientDefaultProtocolList; ! } ! ! @Override ! CipherSuiteList getClientDefaultCipherSuiteList() { ! return clientDefaultCipherSuiteList; } } /* * The SSLContext implementation for TLS12 algorithm * * @see SSLContext */ ! public static final class TLS12Context extends AbstractTLSContext { ! private static final ProtocolList clientDefaultProtocolList; ! private static final CipherSuiteList clientDefaultCipherSuiteList; static { if (SunJSSE.isFIPS()) { ! clientDefaultProtocolList = new ProtocolList( ! getAvailableProtocols(new ProtocolVersion[] { ProtocolVersion.TLS10, ProtocolVersion.TLS11, ProtocolVersion.TLS12 ! })); } else { ! clientDefaultProtocolList = new ProtocolList( ! getAvailableProtocols(new ProtocolVersion[] { ProtocolVersion.SSL30, ProtocolVersion.TLS10, ProtocolVersion.TLS11, ProtocolVersion.TLS12 ! })); ! } ! ! clientDefaultCipherSuiteList = getApplicableCipherSuiteList( ! clientDefaultProtocolList, true); // enabled only } ! @Override ! ProtocolList getClientDefaultProtocolList() { ! return clientDefaultProtocolList; } @Override ! CipherSuiteList getClientDefaultCipherSuiteList() { ! return clientDefaultCipherSuiteList; } } /* ! * The interface for the customized SSL/(D)TLS SSLContext. * * @see SSLContext */ ! private static class CustomizedSSLProtocols { private static final String PROPERTY_NAME = "jdk.tls.client.protocols"; ! static IllegalArgumentException reservedException = null; ! static ArrayList<ProtocolVersion> ! customizedProtocols = new ArrayList<>(); // Don't want a java.lang.LinkageError for illegal system property. // // Please don't throw exception in this static block. Otherwise, // java.lang.LinkageError may be thrown during the instantiation of ! // the provider service. Instead, please handle the initialization ! // exception in the caller's constructor. static { String property = AccessController.doPrivileged( new GetPropertyAction(PROPERTY_NAME)); ! if (property != null && property.length() != 0) { // remove double quote marks from beginning/end of the property if (property.length() > 1 && property.charAt(0) == '"' && property.charAt(property.length() - 1) == '"') { property = property.substring(1, property.length() - 1); } } ! if (property != null && property.length() != 0) { ! String[] protocols = property.split(","); for (int i = 0; i < protocols.length; i++) { protocols[i] = protocols[i].trim(); // Is it a supported protocol name? try { ! ProtocolVersion pro = ! ProtocolVersion.valueOf(protocols[i]); ! ! if (SunJSSE.isFIPS() && ! ((pro.v == ProtocolVersion.SSL30.v) || ! (pro.v == ProtocolVersion.SSL20Hello.v))) { reservedException = new IllegalArgumentException( ! PROPERTY_NAME + ": " + pro + ! " is not FIPS compliant"); ! break; } ! // ignore duplicated protocols ! if (!customizedProtocols.contains(pro)) { ! customizedProtocols.add(pro); ! } ! } catch (IllegalArgumentException iae) { reservedException = new IllegalArgumentException( ! PROPERTY_NAME + ": " + protocols[i] + ! " is not a standard SSL protocol name", iae); ! } } } } } ! /* ! * The SSLContext implementation for customized TLS protocols ! * ! * @see SSLContext ! */ ! private static class CustomizedTLSContext extends AbstractTLSContext { ! ! private static final ProtocolList clientDefaultProtocolList; ! private static final CipherSuiteList clientDefaultCipherSuiteList; ! ! private static IllegalArgumentException reservedException = null; ! ! // Don't want a java.lang.LinkageError for illegal system property. ! // ! // Please don't throw exception in this static block. Otherwise, ! // java.lang.LinkageError may be thrown during the instantiation of ! // the provider service. Instead, let's handle the initialization ! // exception in constructor. ! static { ! reservedException = CustomizedSSLProtocols.reservedException; if (reservedException == null) { ! ArrayList<ProtocolVersion> ! customizedTLSProtocols = new ArrayList<>(); ! for (ProtocolVersion protocol : ! CustomizedSSLProtocols.customizedProtocols) { ! customizedTLSProtocols.add(protocol); ! } ! ! // candidates for available protocols ! ProtocolVersion[] candidates; ! if (customizedTLSProtocols.isEmpty()) { ! // Use the default enabled client protocols if no ! // customized TLS protocols. ! if (SunJSSE.isFIPS()) { ! candidates = new ProtocolVersion[] { ! ProtocolVersion.TLS10, ! ProtocolVersion.TLS11, ! ProtocolVersion.TLS12 ! }; ! } else { ! candidates = new ProtocolVersion[] { ! ProtocolVersion.SSL30, ! ProtocolVersion.TLS10, ! ProtocolVersion.TLS11, ! ProtocolVersion.TLS12 ! }; ! } ! } else { ! // Use the customized TLS protocols. ! candidates = ! new ProtocolVersion[customizedTLSProtocols.size()]; ! candidates = customizedTLSProtocols.toArray(candidates); ! } ! ! clientDefaultProtocolList = new ProtocolList( ! getAvailableProtocols(candidates)); ! clientDefaultCipherSuiteList = getApplicableCipherSuiteList( ! clientDefaultProtocolList, true); // enabled only ! } else { ! clientDefaultProtocolList = null; // unlikely to be used ! clientDefaultCipherSuiteList = null; // unlikely to be used } } ! protected CustomizedTLSContext() { if (reservedException != null) { throw reservedException; } } @Override ! ProtocolList getClientDefaultProtocolList() { ! return clientDefaultProtocolList; ! } ! ! @Override ! CipherSuiteList getClientDefaultCipherSuiteList() { ! return clientDefaultCipherSuiteList; } } /* * The SSLContext implementation for default "TLS" algorithm * * @see SSLContext */ ! public static final class TLSContext extends CustomizedTLSContext { // use the default constructor and methods } ! // lazy initialization holder class idiom for static default parameters ! // ! // See Effective Java Second Edition: Item 71. ! private static final class DefaultManagersHolder { private static final String NONE = "NONE"; private static final String P11KEYSTORE = "PKCS11"; ! private static final TrustManager[] trustManagers; ! private static final KeyManager[] keyManagers; ! static Exception reservedException = null; ! static { ! TrustManager[] tmMediator; try { ! tmMediator = getTrustManagers(); } catch (Exception e) { ! reservedException = e; ! tmMediator = new TrustManager[0]; } + trustManagers = tmMediator; ! if (reservedException == null) { ! KeyManager[] kmMediator; ! try { ! kmMediator = getKeyManagers(); ! } catch (Exception e) { ! reservedException = e; ! kmMediator = new KeyManager[0]; } ! keyManagers = kmMediator; ! } else { ! keyManagers = new KeyManager[0]; } } + private static TrustManager[] getTrustManagers() throws Exception { KeyStore ks = TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx"); TrustManagerFactory tmf = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ks); ! return tmf.getTrustManagers(); } ! private static KeyManager[] getKeyManagers() throws Exception { final Map<String,String> props = new HashMap<>(); AccessController.doPrivileged( new PrivilegedExceptionAction<Object>() { @Override
*** 872,886 **** kmf.init(ks, null); // do not pass key passwd if using token } else { kmf.init(ks, passwd); } ! defaultKeyManagers = kmf.getKeyManagers(); ! return defaultKeyManagers; } } } final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager implements X509TrustManager { --- 870,948 ---- kmf.init(ks, null); // do not pass key passwd if using token } else { kmf.init(ks, passwd); } ! return kmf.getKeyManagers(); ! } ! } ! ! // lazy initialization holder class idiom for static default parameters ! // ! // See Effective Java Second Edition: Item 71. ! private static final class DefaultSSLContextHolder { ! ! private static final SSLContextImpl sslContext; ! static Exception reservedException = null; ! ! static { ! SSLContextImpl mediator = null; ! if (DefaultManagersHolder.reservedException != null) { ! reservedException = DefaultManagersHolder.reservedException; ! } else { ! try { ! mediator = new DefaultSSLContext(); ! } catch (Exception e) { ! reservedException = e; ! } ! } ! ! sslContext = mediator; ! } ! } ! ! /* ! * The SSLContext implementation for default "Default" algorithm ! * ! * @see SSLContext ! */ ! public static final class DefaultSSLContext extends CustomizedTLSContext { ! ! // public constructor for SSLContext.getInstance("Default") ! public DefaultSSLContext() throws Exception { ! if (DefaultManagersHolder.reservedException != null) { ! throw DefaultManagersHolder.reservedException; ! } ! ! try { ! super.engineInit(DefaultManagersHolder.keyManagers, ! DefaultManagersHolder.trustManagers, null); ! } catch (Exception e) { ! if (debug != null && Debug.isOn("defaultctx")) { ! System.out.println("default context init failed: " + e); ! } ! throw e; ! } ! } ! ! @Override ! protected void engineInit(KeyManager[] km, TrustManager[] tm, ! SecureRandom sr) throws KeyManagementException { ! throw new KeyManagementException ! ("Default SSLContext is initialized automatically"); ! } ! ! static SSLContextImpl getDefaultImpl() throws Exception { ! if (DefaultSSLContextHolder.reservedException != null) { ! throw DefaultSSLContextHolder.reservedException; ! } ! ! return DefaultSSLContextHolder.sslContext; } } + } final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager implements X509TrustManager {
< prev index next >