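/*
 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.ssl;

import sun.security.action.GetPropertyAction;

import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.*;

/**
 * Models a service that provides support for a particular client key exchange
 * mode. Currently used to implement Kerberos-related cipher suites.
 *
 * @since 9
 */
public interface ClientKeyExchangeService {

    /**
     * Holder for the registry of installed providers, keyed by the key
     * exchange mode names each provider reports from {@link #supported()}.
     * The registry is built once, on first use of {@link #find}. As a member
     * type of an interface this class is implicitly public and static; the
     * map itself is private and only reachable through {@code find}.
     */
    static class Loader {
        private static final Map<String,ClientKeyExchangeService> providers;

        static {
            String path = GetPropertyAction.getProperty("java.home");
            // Limited-privilege doPrivileged: the lookup is granted only
            // recursive read access under java.home ("-" is the recursive
            // wildcard), so provider discovery works from any calling context
            // without asserting any other permission on behalf of the callers.
            // loadInstalled() consults installed (platform) providers only,
            // per the ServiceLoader contract, not the application class path.
            ServiceLoader<ClientKeyExchangeService> sc =
                AccessController.doPrivileged(
                    (PrivilegedAction<ServiceLoader<ClientKeyExchangeService>>)
                    () -> ServiceLoader.loadInstalled(ClientKeyExchangeService.class),
                    null,
                    new FilePermission(new File(path, "-").toString(), "read"));
            Map<String,ClientKeyExchangeService> found = new HashMap<>();
            // A ServiceConfigurationError raised while iterating aborts this
            // initializer; subsequent find() calls then fail with
            // NoClassDefFoundError instead of silently reporting "no provider".
            for (ClientKeyExchangeService cs : sc) {
                for (String ex : cs.supported()) {
                    // If two providers claim the same mode, the one iterated
                    // last wins; there is no detection of the duplicate.
                    found.put(ex, cs);
                }
            }
            // Published read-only: find() is the only consumer.
            providers = Collections.unmodifiableMap(found);
        }
    }

    /**
     * Looks up the installed provider for a key exchange mode.
     *
     * @param ex the key exchange mode name, as reported by a provider's
     *           {@link #supported()}
     * @return the provider registered for {@code ex}, or {@code null} if no
     *         installed provider supports it (also for a {@code null} mode)
     */
    public static ClientKeyExchangeService find(String ex) {
        return Loader.providers.get(ex);
    }

    /**
     * Returns the supported key exchange modes by this provider.
     * @return the supported key exchange modes
     */
    String[] supported();

    /**
     * Returns a generalized credential object on the server side. The server
     * side can use the info to determine if a cipher suite can be enabled.
     * @param acc the AccessControlContext of the SSL session
     * @return the credential object
     */
    Object getServiceCreds(AccessControlContext acc);

    /**
     * Returns the host name for a service principal. The info can be used in
     * SNI or a host name verifier.
     * @param principal the principal of a service
     * @return the string-formed host name
     */
    String getServiceHostName(Principal principal);

    /**
     * Returns whether the specified principal is related to the current
     * SSLSession. The info can be used to verify an SSL session resumption.
     * @param isClient if true called from client side, otherwise from server
     * @param acc the AccessControlContext of the SSL session
     * @param p the specified principal
     * @return true if related
     */
    boolean isRelated(boolean isClient, AccessControlContext acc, Principal p);

    /**
     * Creates the ClientKeyExchange object on the client side.
     * @param serverName the intended peer name
     * @param acc the AccessControlContext of the SSL session
     * @param protocolVersion the TLS protocol version
     * @param rand the SecureRandom that will be used to generate the premaster
     * @return the new Exchanger object
     * @throws IOException if there is an error
     */
    ClientKeyExchange createClientExchange(String serverName, AccessControlContext acc,
            ProtocolVersion protocolVersion, SecureRandom rand) throws IOException;

    /**
     * Creates the ClientKeyExchange on the server side.
     * @param protocolVersion the protocol version
     * @param clientVersion the input protocol version
     * @param rand a SecureRandom object used to generate the premaster
     *        (if the server has to create one)
     * @param encodedTicket the ticket from the client
     * @param encrypted the encrypted premaster secret from the client
     * @param acc the AccessControlContext of the SSL session
     * @param ServiceCreds the service side credentials object as retrieved from
     *        {@link #getServiceCreds}
     * @return the new Exchanger object
     * @throws IOException if there is an error
     */
    ClientKeyExchange createServerExchange(
            ProtocolVersion protocolVersion, ProtocolVersion clientVersion,
            SecureRandom rand, byte[] encodedTicket, byte[] encrypted,
            AccessControlContext acc, Object ServiceCreds) throws IOException;
}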