1 /*
2 * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.net.Socket;
29
30 import java.io.*;
31 import java.util.*;
32 import java.security.*;
33 import java.security.cert.*;
34 import java.security.cert.Certificate;
35
36 import javax.net.ssl.*;
37
38 import sun.security.provider.certpath.AlgorithmChecker;
39 import sun.security.action.GetPropertyAction;
40
41 public abstract class SSLContextImpl extends SSLContextSpi {
42
43 private static final Debug debug = Debug.getInstance("ssl");
44
45 private final EphemeralKeyManager ephemeralKeyManager;
46 private final SSLSessionContextImpl clientCache;
47 private final SSLSessionContextImpl serverCache;
48
49 private boolean isInitialized;
50
51 private X509ExtendedKeyManager keyManager;
52 private X509TrustManager trustManager;
53 private SecureRandom secureRandom;
54
55 // DTLS cookie exchange manager
56 private volatile HelloCookieManager helloCookieManager;
57
58 private final boolean clientEnableStapling = Debug.getBooleanProperty(
59 "jdk.tls.client.enableStatusRequestExtension", true);
60 private final boolean serverEnableStapling = Debug.getBooleanProperty(
61 "jdk.tls.server.enableStatusRequestExtension", false);
62 private volatile StatusResponseManager statusResponseManager;
63
64 SSLContextImpl() {
65 ephemeralKeyManager = new EphemeralKeyManager();
66 clientCache = new SSLSessionContextImpl();
67 serverCache = new SSLSessionContextImpl();
68 }
69
70 @Override
71 protected void engineInit(KeyManager[] km, TrustManager[] tm,
72 SecureRandom sr) throws KeyManagementException {
73 isInitialized = false;
74 keyManager = chooseKeyManager(km);
75
76 if (tm == null) {
77 try {
78 TrustManagerFactory tmf = TrustManagerFactory.getInstance(
79 TrustManagerFactory.getDefaultAlgorithm());
80 tmf.init((KeyStore)null);
81 tm = tmf.getTrustManagers();
82 } catch (Exception e) {
83 // eat
84 }
85 }
86 trustManager = chooseTrustManager(tm);
87
88 if (sr == null) {
89 secureRandom = JsseJce.getSecureRandom();
90 } else {
91 if (SunJSSE.isFIPS() &&
92 (sr.getProvider() != SunJSSE.cryptoProvider)) {
93 throw new KeyManagementException
94 ("FIPS mode: SecureRandom must be from provider "
95 + SunJSSE.cryptoProvider.getName());
96 }
97 secureRandom = sr;
98 }
99
100 /*
101 * The initial delay of seeding the random number generator
102 * could be long enough to cause the initial handshake on our
103 * first connection to timeout and fail. Make sure it is
104 * primed and ready by getting some initial output from it.
105 */
106 if (debug != null && Debug.isOn("sslctx")) {
107 System.out.println("trigger seeding of SecureRandom");
108 }
109 secureRandom.nextInt();
110 if (debug != null && Debug.isOn("sslctx")) {
111 System.out.println("done seeding SecureRandom");
112 }
113
114 isInitialized = true;
115 }
116
117 private X509TrustManager chooseTrustManager(TrustManager[] tm)
118 throws KeyManagementException {
119 // We only use the first instance of X509TrustManager passed to us.
120 for (int i = 0; tm != null && i < tm.length; i++) {
121 if (tm[i] instanceof X509TrustManager) {
122 if (SunJSSE.isFIPS() &&
123 !(tm[i] instanceof X509TrustManagerImpl)) {
124 throw new KeyManagementException
125 ("FIPS mode: only SunJSSE TrustManagers may be used");
126 }
127
128 if (tm[i] instanceof X509ExtendedTrustManager) {
129 return (X509TrustManager)tm[i];
130 } else {
131 return new AbstractTrustManagerWrapper(
132 (X509TrustManager)tm[i]);
133 }
134 }
135 }
136
137 // nothing found, return a dummy X509TrustManager.
138 return DummyX509TrustManager.INSTANCE;
139 }
140
141 private X509ExtendedKeyManager chooseKeyManager(KeyManager[] kms)
142 throws KeyManagementException {
143 for (int i = 0; kms != null && i < kms.length; i++) {
144 KeyManager km = kms[i];
145 if (!(km instanceof X509KeyManager)) {
146 continue;
147 }
148 if (SunJSSE.isFIPS()) {
149 // In FIPS mode, require that one of SunJSSE's own keymanagers
150 // is used. Otherwise, we cannot be sure that only keys from
151 // the FIPS token are used.
152 if ((km instanceof X509KeyManagerImpl)
153 || (km instanceof SunX509KeyManagerImpl)) {
154 return (X509ExtendedKeyManager)km;
155 } else {
156 // throw exception, we don't want to silently use the
157 // dummy keymanager without telling the user.
158 throw new KeyManagementException
159 ("FIPS mode: only SunJSSE KeyManagers may be used");
160 }
161 }
162 if (km instanceof X509ExtendedKeyManager) {
163 return (X509ExtendedKeyManager)km;
164 }
165 if (debug != null && Debug.isOn("sslctx")) {
166 System.out.println(
167 "X509KeyManager passed to " +
168 "SSLContext.init(): need an " +
169 "X509ExtendedKeyManager for SSLEngine use");
170 }
171 return new AbstractKeyManagerWrapper((X509KeyManager)km);
172 }
173
174 // nothing found, return a dummy X509ExtendedKeyManager
175 return DummyX509KeyManager.INSTANCE;
176 }
177
178 abstract SSLEngine createSSLEngineImpl();
179 abstract SSLEngine createSSLEngineImpl(String host, int port);
180
181 @Override
182 protected SSLEngine engineCreateSSLEngine() {
183 if (!isInitialized) {
184 throw new IllegalStateException("SSLContext is not initialized");
185 }
186 return createSSLEngineImpl();
187 }
188
189 @Override
190 protected SSLEngine engineCreateSSLEngine(String host, int port) {
191 if (!isInitialized) {
192 throw new IllegalStateException("SSLContext is not initialized");
193 }
194 return createSSLEngineImpl(host, port);
195 }
196
197 @Override
198 protected SSLSocketFactory engineGetSocketFactory() {
199 if (!isInitialized) {
200 throw new IllegalStateException("SSLContext is not initialized");
201 }
202 return new SSLSocketFactoryImpl(this);
203 }
204
205 @Override
206 protected SSLServerSocketFactory engineGetServerSocketFactory() {
207 if (!isInitialized) {
208 throw new IllegalStateException("SSLContext is not initialized");
209 }
210 return new SSLServerSocketFactoryImpl(this);
211 }
212
213 @Override
214 protected SSLSessionContext engineGetClientSessionContext() {
215 return clientCache;
216 }
217
218 @Override
219 protected SSLSessionContext engineGetServerSessionContext() {
220 return serverCache;
221 }
222
223 SecureRandom getSecureRandom() {
224 return secureRandom;
225 }
226
227 X509ExtendedKeyManager getX509KeyManager() {
228 return keyManager;
229 }
230
231 X509TrustManager getX509TrustManager() {
232 return trustManager;
233 }
234
235 EphemeralKeyManager getEphemeralKeyManager() {
236 return ephemeralKeyManager;
237 }
238
239 // Used for DTLS in server mode only, see ServerHandshaker.
240 HelloCookieManager getHelloCookieManager() {
241 if (!isInitialized) {
242 throw new IllegalStateException("SSLContext is not initialized");
243 }
244
245 if (helloCookieManager != null) {
246 return helloCookieManager;
247 }
248
249 synchronized (this) {
250 if (helloCookieManager == null) {
251 helloCookieManager = getHelloCookieManager(secureRandom);
252 }
253 }
254
255 return helloCookieManager;
256 }
257
258 HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) {
259 throw new UnsupportedOperationException(
260 "Cookie exchange applies to DTLS only");
261 }
262
263 StatusResponseManager getStatusResponseManager() {
264 if (serverEnableStapling && statusResponseManager == null) {
265 synchronized (this) {
266 if (statusResponseManager == null) {
267 if (debug != null && Debug.isOn("sslctx")) {
268 System.out.println(
269 "Initializing StatusResponseManager");
270 }
271 statusResponseManager = new StatusResponseManager();
272 }
273 }
274 }
275
276 return statusResponseManager;
277 }
278
279 // Get supported ProtocolList.
280 abstract ProtocolList getSuportedProtocolList();
281
282 // Get default ProtocolList for server mode.
283 abstract ProtocolList getServerDefaultProtocolList();
284
285 // Get default ProtocolList for client mode.
286 abstract ProtocolList getClientDefaultProtocolList();
287
288 // Get supported CipherSuiteList.
289 abstract CipherSuiteList getSupportedCipherSuiteList();
290
291 // Get default CipherSuiteList for server mode.
292 abstract CipherSuiteList getServerDefaultCipherSuiteList();
293
294 // Get default CipherSuiteList for client mode.
295 abstract CipherSuiteList getClientDefaultCipherSuiteList();
296
297 // Get default ProtocolList.
298 ProtocolList getDefaultProtocolList(boolean roleIsServer) {
299 return roleIsServer ? getServerDefaultProtocolList()
300 : getClientDefaultProtocolList();
301 }
302
303 // Get default CipherSuiteList.
304 CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) {
305 return roleIsServer ? getServerDefaultCipherSuiteList()
306 : getClientDefaultCipherSuiteList();
307 }
308
309 /**
310 * Return whether a protocol list is the original default enabled
311 * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols()
312 */
313 boolean isDefaultProtocolList(ProtocolList protocols) {
314 return (protocols == getServerDefaultProtocolList()) ||
315 (protocols == getClientDefaultProtocolList());
316 }
317
318 /**
319 * Return whether a protocol list is the original default enabled
320 * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols()
321 */
322 boolean isDefaultCipherSuiteList(CipherSuiteList cipherSuites) {
323 return (cipherSuites == getServerDefaultCipherSuiteList()) ||
324 (cipherSuites == getClientDefaultCipherSuiteList());
325 }
326
327 /**
328 * Return whether client or server side stapling has been enabled
329 * for this SSLContextImpl
330 * @param isClient true if the caller is operating in a client side role,
331 * false if acting as a server.
332 * @return true if stapling has been enabled for the specified role, false
333 * otherwise.
334 */
335 boolean isStaplingEnabled(boolean isClient) {
336 return isClient ? clientEnableStapling : serverEnableStapling;
337 }
338
339 /*
340 * Return the list of all available CipherSuites with a priority of
341 * minPriority or above.
342 */
343 private static CipherSuiteList getApplicableCipherSuiteList(
344 ProtocolList protocols, boolean onlyEnabled) {
345
346 int minPriority = CipherSuite.SUPPORTED_SUITES_PRIORITY;
347 if (onlyEnabled) {
348 minPriority = CipherSuite.DEFAULT_SUITES_PRIORITY;
349 }
350
351 Collection<CipherSuite> allowedCipherSuites =
352 CipherSuite.allowedCipherSuites();
353
354 TreeSet<CipherSuite> suites = new TreeSet<>();
355 if (!(protocols.collection().isEmpty()) &&
356 protocols.min.v != ProtocolVersion.NONE.v) {
357 for (CipherSuite suite : allowedCipherSuites) {
358 if (!suite.allowed || suite.priority < minPriority) {
359 continue;
360 }
361
362 if (suite.isAvailable() &&
363 !protocols.min.obsoletes(suite) &&
364 protocols.max.supports(suite)) {
365 if (SSLAlgorithmConstraints.DEFAULT.permits(
366 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
367 suite.name, null)) {
368 suites.add(suite);
369 }
370 } else if (debug != null &&
371 Debug.isOn("sslctx") && Debug.isOn("verbose")) {
372 if (protocols.min.obsoletes(suite)) {
373 System.out.println(
374 "Ignoring obsoleted cipher suite: " + suite);
375 } else if (!protocols.max.supports(suite)) {
376 System.out.println(
377 "Ignoring unsupported cipher suite: " + suite);
378 } else {
379 System.out.println(
380 "Ignoring unavailable cipher suite: " + suite);
381 }
382 }
383 }
384 }
385
386 return new CipherSuiteList(suites);
387 }
388
389 private static String[] getAvailableProtocols(
390 ProtocolVersion[] protocolCandidates) {
391
392 List<String> availableProtocols = Collections.<String>emptyList();
393 if (protocolCandidates != null && protocolCandidates.length != 0) {
394 availableProtocols = new ArrayList<>(protocolCandidates.length);
395 for (ProtocolVersion p : protocolCandidates) {
396 if (ProtocolVersion.availableProtocols.contains(p)) {
397 availableProtocols.add(p.name);
398 }
399 }
400 }
401
402 return availableProtocols.toArray(new String[0]);
403 }
404
405
406 /*
407 * The SSLContext implementation for SSL/(D)TLS algorithm
408 *
409 * SSL/TLS protocols specify the forward compatibility and version
410 * roll-back attack protections, however, a number of SSL/TLS server
411 * vendors did not implement these aspects properly, and some current
412 * SSL/TLS servers may refuse to talk to a TLS 1.1 or later client.
413 *
414 * Considering above interoperability issues, SunJSSE will not set
415 * TLS 1.1 and TLS 1.2 as the enabled protocols for client by default.
416 *
417 * For SSL/TLS servers, there is no such interoperability issues as
418 * SSL/TLS clients. In SunJSSE, TLS 1.1 or later version will be the
419 * enabled protocols for server by default.
420 *
421 * We may change the behavior when popular TLS/SSL vendors support TLS
422 * forward compatibility properly.
423 *
424 * SSLv2Hello is no longer necessary. This interoperability option was
425 * put in place in the late 90's when SSLv3/TLS1.0 were relatively new
426 * and there were a fair number of SSLv2-only servers deployed. Because
427 * of the security issues in SSLv2, it is rarely (if ever) used, as
428 * deployments should now be using SSLv3 and TLSv1.
429 *
430 * Considering the issues of SSLv2Hello, we should not enable SSLv2Hello
431 * by default. Applications still can use it by enabling SSLv2Hello with
432 * the series of setEnabledProtocols APIs.
433 */
434
435 /*
436 * The base abstract SSLContext implementation for the Transport Layer
437 * Security (TLS) protocols.
438 *
439 * This abstract class encapsulates supported and the default server
440 * SSL/TLS parameters.
441 *
442 * @see SSLContext
443 */
444 private abstract static class AbstractTLSContext extends SSLContextImpl {
445 private static final ProtocolList supportedProtocolList;
446 private static final ProtocolList serverDefaultProtocolList;
447
448 private static final CipherSuiteList supportedCipherSuiteList;
449 private static final CipherSuiteList serverDefaultCipherSuiteList;
450
451 static {
452 if (SunJSSE.isFIPS()) {
453 supportedProtocolList = new ProtocolList(new String[] {
454 ProtocolVersion.TLS10.name,
455 ProtocolVersion.TLS11.name,
456 ProtocolVersion.TLS12.name
457 });
458
459 serverDefaultProtocolList = new ProtocolList(
460 getAvailableProtocols(new ProtocolVersion[] {
461 ProtocolVersion.TLS10,
462 ProtocolVersion.TLS11,
463 ProtocolVersion.TLS12
464 }));
465 } else {
466 supportedProtocolList = new ProtocolList(new String[] {
467 ProtocolVersion.SSL20Hello.name,
468 ProtocolVersion.SSL30.name,
469 ProtocolVersion.TLS10.name,
470 ProtocolVersion.TLS11.name,
471 ProtocolVersion.TLS12.name
472 });
473
474 serverDefaultProtocolList = new ProtocolList(
475 getAvailableProtocols(new ProtocolVersion[] {
476 ProtocolVersion.SSL20Hello,
477 ProtocolVersion.SSL30,
478 ProtocolVersion.TLS10,
479 ProtocolVersion.TLS11,
480 ProtocolVersion.TLS12
481 }));
482 }
483
484 supportedCipherSuiteList = getApplicableCipherSuiteList(
485 supportedProtocolList, false); // all supported
486 serverDefaultCipherSuiteList = getApplicableCipherSuiteList(
487 serverDefaultProtocolList, true); // enabled only
488 }
489
490 @Override
491 ProtocolList getSuportedProtocolList() {
492 return supportedProtocolList;
493 }
494
495 @Override
496 CipherSuiteList getSupportedCipherSuiteList() {
497 return supportedCipherSuiteList;
498 }
499
500 @Override
501 ProtocolList getServerDefaultProtocolList() {
502 return serverDefaultProtocolList;
503 }
504
505 @Override
506 CipherSuiteList getServerDefaultCipherSuiteList() {
507 return serverDefaultCipherSuiteList;
508 }
509
510 @Override
511 SSLEngine createSSLEngineImpl() {
512 return new SSLEngineImpl(this, false);
513 }
514
515 @Override
516 SSLEngine createSSLEngineImpl(String host, int port) {
517 return new SSLEngineImpl(this, host, port, false);
518 }
519 }
520
521 /*
522 * The SSLContext implementation for SSLv3 and TLS10 algorithm
523 *
524 * @see SSLContext
525 */
526 public static final class TLS10Context extends AbstractTLSContext {
527 private static final ProtocolList clientDefaultProtocolList;
528 private static final CipherSuiteList clientDefaultCipherSuiteList;
529
530 static {
531 if (SunJSSE.isFIPS()) {
532 clientDefaultProtocolList = new ProtocolList(
533 getAvailableProtocols(new ProtocolVersion[] {
534 ProtocolVersion.TLS10
535 }));
536 } else {
537 clientDefaultProtocolList = new ProtocolList(
538 getAvailableProtocols(new ProtocolVersion[] {
539 ProtocolVersion.SSL30,
540 ProtocolVersion.TLS10
541 }));
542 }
543
544 clientDefaultCipherSuiteList = getApplicableCipherSuiteList(
545 clientDefaultProtocolList, true); // enabled only
546 }
547
548 @Override
549 ProtocolList getClientDefaultProtocolList() {
550 return clientDefaultProtocolList;
551 }
552
553 @Override
554 CipherSuiteList getClientDefaultCipherSuiteList() {
555 return clientDefaultCipherSuiteList;
556 }
557 }
558
559 /*
560 * The SSLContext implementation for TLS11 algorithm
561 *
562 * @see SSLContext
563 */
564 public static final class TLS11Context extends AbstractTLSContext {
565 private static final ProtocolList clientDefaultProtocolList;
566 private static final CipherSuiteList clientDefaultCipherSuiteList;
567
568 static {
569 if (SunJSSE.isFIPS()) {
570 clientDefaultProtocolList = new ProtocolList(
571 getAvailableProtocols(new ProtocolVersion[] {
572 ProtocolVersion.TLS10,
573 ProtocolVersion.TLS11
574 }));
575 } else {
576 clientDefaultProtocolList = new ProtocolList(
577 getAvailableProtocols(new ProtocolVersion[] {
578 ProtocolVersion.SSL30,
579 ProtocolVersion.TLS10,
580 ProtocolVersion.TLS11
581 }));
582 }
583
584 clientDefaultCipherSuiteList = getApplicableCipherSuiteList(
585 clientDefaultProtocolList, true); // enabled only
586 }
587
588 @Override
589 ProtocolList getClientDefaultProtocolList() {
590 return clientDefaultProtocolList;
591 }
592
593 @Override
594 CipherSuiteList getClientDefaultCipherSuiteList() {
595 return clientDefaultCipherSuiteList;
596 }
597 }
598
599 /*
600 * The SSLContext implementation for TLS12 algorithm
601 *
602 * @see SSLContext
603 */
604 public static final class TLS12Context extends AbstractTLSContext {
605 private static final ProtocolList clientDefaultProtocolList;
606 private static final CipherSuiteList clientDefaultCipherSuiteList;
607
608 static {
609 if (SunJSSE.isFIPS()) {
610 clientDefaultProtocolList = new ProtocolList(
611 getAvailableProtocols(new ProtocolVersion[] {
612 ProtocolVersion.TLS10,
613 ProtocolVersion.TLS11,
614 ProtocolVersion.TLS12
615 }));
616 } else {
617 clientDefaultProtocolList = new ProtocolList(
618 getAvailableProtocols(new ProtocolVersion[] {
619 ProtocolVersion.SSL30,
620 ProtocolVersion.TLS10,
621 ProtocolVersion.TLS11,
622 ProtocolVersion.TLS12
623 }));
624 }
625
626 clientDefaultCipherSuiteList = getApplicableCipherSuiteList(
627 clientDefaultProtocolList, true); // enabled only
628 }
629
630 @Override
631 ProtocolList getClientDefaultProtocolList() {
632 return clientDefaultProtocolList;
633 }
634
635 @Override
636 CipherSuiteList getClientDefaultCipherSuiteList() {
637 return clientDefaultCipherSuiteList;
638 }
639 }
640
641 /*
642 * The interface for the customized SSL/(D)TLS SSLContext.
643 *
644 * @see SSLContext
645 */
646 private static class CustomizedSSLProtocols {
647 private static final String PROPERTY_NAME = "jdk.tls.client.protocols";
648 static IllegalArgumentException reservedException = null;
649 static ArrayList<ProtocolVersion>
650 customizedProtocols = new ArrayList<>();
651
652 // Don't want a java.lang.LinkageError for illegal system property.
653 //
654 // Please don't throw exception in this static block. Otherwise,
655 // java.lang.LinkageError may be thrown during the instantiation of
656 // the provider service. Instead, please handle the initialization
657 // exception in the caller's constructor.
658 static {
659 String property = AccessController.doPrivileged(
660 new GetPropertyAction(PROPERTY_NAME));
661 if (property != null && property.length() != 0) {
662 // remove double quote marks from beginning/end of the property
663 if (property.length() > 1 && property.charAt(0) == '"' &&
664 property.charAt(property.length() - 1) == '"') {
665 property = property.substring(1, property.length() - 1);
666 }
667 }
668
669 if (property != null && property.length() != 0) {
670 String[] protocols = property.split(",");
671 for (int i = 0; i < protocols.length; i++) {
672 protocols[i] = protocols[i].trim();
673 // Is it a supported protocol name?
674 try {
675 ProtocolVersion pro =
676 ProtocolVersion.valueOf(protocols[i]);
677
678 if (SunJSSE.isFIPS() &&
679 ((pro.v == ProtocolVersion.SSL30.v) ||
680 (pro.v == ProtocolVersion.SSL20Hello.v))) {
681 reservedException = new IllegalArgumentException(
682 PROPERTY_NAME + ": " + pro +
683 " is not FIPS compliant");
684
685 break;
686 }
687
688 // ignore duplicated protocols
689 if (!customizedProtocols.contains(pro)) {
690 customizedProtocols.add(pro);
691 }
692 } catch (IllegalArgumentException iae) {
693 reservedException = new IllegalArgumentException(
694 PROPERTY_NAME + ": " + protocols[i] +
695 " is not a standard SSL protocol name", iae);
696 }
697 }
698 }
699 }
700 }
701
702 /*
703 * The SSLContext implementation for customized TLS protocols
704 *
705 * @see SSLContext
706 */
707 private static class CustomizedTLSContext extends AbstractTLSContext {
708
709 private static final ProtocolList clientDefaultProtocolList;
710 private static final CipherSuiteList clientDefaultCipherSuiteList;
711
712 private static IllegalArgumentException reservedException = null;
713
714 // Don't want a java.lang.LinkageError for illegal system property.
715 //
716 // Please don't throw exception in this static block. Otherwise,
717 // java.lang.LinkageError may be thrown during the instantiation of
718 // the provider service. Instead, let's handle the initialization
719 // exception in constructor.
720 static {
721 reservedException = CustomizedSSLProtocols.reservedException;
722 if (reservedException == null) {
723 ArrayList<ProtocolVersion>
724 customizedTLSProtocols = new ArrayList<>();
725 for (ProtocolVersion protocol :
726 CustomizedSSLProtocols.customizedProtocols) {
727 if (!protocol.isDTLSProtocol()) {
728 customizedTLSProtocols.add(protocol);
729 }
730 }
731
732 // candidates for available protocols
733 ProtocolVersion[] candidates;
734 if (customizedTLSProtocols.isEmpty()) {
735 // Use the default enabled client protocols if no
736 // customized TLS protocols.
737 if (SunJSSE.isFIPS()) {
738 candidates = new ProtocolVersion[] {
739 ProtocolVersion.TLS10,
740 ProtocolVersion.TLS11,
741 ProtocolVersion.TLS12
742 };
743 } else {
744 candidates = new ProtocolVersion[] {
745 ProtocolVersion.SSL30,
746 ProtocolVersion.TLS10,
747 ProtocolVersion.TLS11,
748 ProtocolVersion.TLS12
749 };
750 }
751 } else {
752 // Use the customized TLS protocols.
753 candidates =
754 new ProtocolVersion[customizedTLSProtocols.size()];
755 candidates = customizedTLSProtocols.toArray(candidates);
756 }
757
758 clientDefaultProtocolList = new ProtocolList(
759 getAvailableProtocols(candidates));
760 clientDefaultCipherSuiteList = getApplicableCipherSuiteList(
761 clientDefaultProtocolList, true); // enabled only
762 } else {
763 clientDefaultProtocolList = null; // unlikely to be used
764 clientDefaultCipherSuiteList = null; // unlikely to be used
765 }
766 }
767
768 protected CustomizedTLSContext() {
769 if (reservedException != null) {
770 throw reservedException;
771 }
772 }
773
774 @Override
775 ProtocolList getClientDefaultProtocolList() {
776 return clientDefaultProtocolList;
777 }
778
779 @Override
780 CipherSuiteList getClientDefaultCipherSuiteList() {
781 return clientDefaultCipherSuiteList;
782 }
783 }
784
785 /*
786 * The SSLContext implementation for default "TLS" algorithm
787 *
788 * @see SSLContext
789 */
790 public static final class TLSContext extends CustomizedTLSContext {
791 // use the default constructor and methods
792 }
793
794 // lazy initialization holder class idiom for static default parameters
795 //
796 // See Effective Java Second Edition: Item 71.
797 private static final class DefaultManagersHolder {
798 private static final String NONE = "NONE";
799 private static final String P11KEYSTORE = "PKCS11";
800
801 private static final TrustManager[] trustManagers;
802 private static final KeyManager[] keyManagers;
803
804 static Exception reservedException = null;
805
806 static {
807 TrustManager[] tmMediator;
808 try {
809 tmMediator = getTrustManagers();
810 } catch (Exception e) {
811 reservedException = e;
812 tmMediator = new TrustManager[0];
813 }
814 trustManagers = tmMediator;
815
816 if (reservedException == null) {
817 KeyManager[] kmMediator;
818 try {
819 kmMediator = getKeyManagers();
820 } catch (Exception e) {
821 reservedException = e;
822 kmMediator = new KeyManager[0];
823 }
824 keyManagers = kmMediator;
825 } else {
826 keyManagers = new KeyManager[0];
827 }
828 }
829
830 private static TrustManager[] getTrustManagers() throws Exception {
831 KeyStore ks =
832 TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx");
833
834 TrustManagerFactory tmf = TrustManagerFactory.getInstance(
835 TrustManagerFactory.getDefaultAlgorithm());
836 tmf.init(ks);
837 return tmf.getTrustManagers();
838 }
839
840 private static KeyManager[] getKeyManagers() throws Exception {
841
842 final Map<String,String> props = new HashMap<>();
843 AccessController.doPrivileged(
844 new PrivilegedExceptionAction<Object>() {
845 @Override
846 public Object run() throws Exception {
847 props.put("keyStore", System.getProperty(
848 "javax.net.ssl.keyStore", ""));
849 props.put("keyStoreType", System.getProperty(
850 "javax.net.ssl.keyStoreType",
851 KeyStore.getDefaultType()));
852 props.put("keyStoreProvider", System.getProperty(
853 "javax.net.ssl.keyStoreProvider", ""));
854 props.put("keyStorePasswd", System.getProperty(
855 "javax.net.ssl.keyStorePassword", ""));
856 return null;
857 }
858 });
859
860 final String defaultKeyStore = props.get("keyStore");
861 String defaultKeyStoreType = props.get("keyStoreType");
862 String defaultKeyStoreProvider = props.get("keyStoreProvider");
863 if (debug != null && Debug.isOn("defaultctx")) {
864 System.out.println("keyStore is : " + defaultKeyStore);
865 System.out.println("keyStore type is : " +
866 defaultKeyStoreType);
867 System.out.println("keyStore provider is : " +
868 defaultKeyStoreProvider);
869 }
870
871 if (P11KEYSTORE.equals(defaultKeyStoreType) &&
872 !NONE.equals(defaultKeyStore)) {
873 throw new IllegalArgumentException("if keyStoreType is "
874 + P11KEYSTORE + ", then keyStore must be " + NONE);
875 }
876
877 FileInputStream fs = null;
878 KeyStore ks = null;
879 char[] passwd = null;
880 try {
881 if (defaultKeyStore.length() != 0 &&
882 !NONE.equals(defaultKeyStore)) {
883 fs = AccessController.doPrivileged(
884 new PrivilegedExceptionAction<FileInputStream>() {
885 @Override
886 public FileInputStream run() throws Exception {
887 return new FileInputStream(defaultKeyStore);
888 }
889 });
890 }
891
892 String defaultKeyStorePassword = props.get("keyStorePasswd");
893 if (defaultKeyStorePassword.length() != 0) {
894 passwd = defaultKeyStorePassword.toCharArray();
895 }
896
897 /**
898 * Try to initialize key store.
899 */
900 if ((defaultKeyStoreType.length()) != 0) {
901 if (debug != null && Debug.isOn("defaultctx")) {
902 System.out.println("init keystore");
903 }
904 if (defaultKeyStoreProvider.length() == 0) {
905 ks = KeyStore.getInstance(defaultKeyStoreType);
906 } else {
907 ks = KeyStore.getInstance(defaultKeyStoreType,
908 defaultKeyStoreProvider);
909 }
910
911 // if defaultKeyStore is NONE, fs will be null
912 ks.load(fs, passwd);
913 }
914 } finally {
915 if (fs != null) {
916 fs.close();
917 fs = null;
918 }
919 }
920
921 /*
922 * Try to initialize key manager.
923 */
924 if (debug != null && Debug.isOn("defaultctx")) {
925 System.out.println("init keymanager of type " +
926 KeyManagerFactory.getDefaultAlgorithm());
927 }
928 KeyManagerFactory kmf = KeyManagerFactory.getInstance(
929 KeyManagerFactory.getDefaultAlgorithm());
930
931 if (P11KEYSTORE.equals(defaultKeyStoreType)) {
932 kmf.init(ks, null); // do not pass key passwd if using token
933 } else {
934 kmf.init(ks, passwd);
935 }
936
937 return kmf.getKeyManagers();
938 }
939 }
940
941 // lazy initialization holder class idiom for static default parameters
942 //
943 // See Effective Java Second Edition: Item 71.
944 private static final class DefaultSSLContextHolder {
945
946 private static final SSLContextImpl sslContext;
947 static Exception reservedException = null;
948
949 static {
950 SSLContextImpl mediator = null;
951 if (DefaultManagersHolder.reservedException != null) {
952 reservedException = DefaultManagersHolder.reservedException;
953 } else {
954 try {
955 mediator = new DefaultSSLContext();
956 } catch (Exception e) {
957 reservedException = e;
958 }
959 }
960
961 sslContext = mediator;
962 }
963 }
964
965 /*
966 * The SSLContext implementation for default "Default" algorithm
967 *
968 * @see SSLContext
969 */
970 public static final class DefaultSSLContext extends CustomizedTLSContext {
971
972 // public constructor for SSLContext.getInstance("Default")
973 public DefaultSSLContext() throws Exception {
974 if (DefaultManagersHolder.reservedException != null) {
975 throw DefaultManagersHolder.reservedException;
976 }
977
978 try {
979 super.engineInit(DefaultManagersHolder.keyManagers,
980 DefaultManagersHolder.trustManagers, null);
981 } catch (Exception e) {
982 if (debug != null && Debug.isOn("defaultctx")) {
983 System.out.println("default context init failed: " + e);
984 }
985 throw e;
986 }
987 }
988
989 @Override
990 protected void engineInit(KeyManager[] km, TrustManager[] tm,
991 SecureRandom sr) throws KeyManagementException {
992 throw new KeyManagementException
993 ("Default SSLContext is initialized automatically");
994 }
995
996 static SSLContextImpl getDefaultImpl() throws Exception {
997 if (DefaultSSLContextHolder.reservedException != null) {
998 throw DefaultSSLContextHolder.reservedException;
999 }
1000
1001 return DefaultSSLContextHolder.sslContext;
1002 }
1003 }
1004
1005 /*
1006 * The base abstract SSLContext implementation for the Datagram Transport
1007 * Layer Security (DTLS) protocols.
1008 *
1009 * This abstract class encapsulates supported and the default server DTLS
1010 * parameters.
1011 *
1012 * @see SSLContext
1013 */
1014 private abstract static class AbstractDTLSContext extends SSLContextImpl {
1015 private static final ProtocolList supportedProtocolList;
1016 private static final ProtocolList serverDefaultProtocolList;
1017
1018 private static final CipherSuiteList supportedCipherSuiteList;
1019 private static final CipherSuiteList serverDefaultCipherSuiteList;
1020
1021 static {
1022 // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode.
1023 supportedProtocolList = new ProtocolList(new String[] {
1024 ProtocolVersion.DTLS10.name,
1025 ProtocolVersion.DTLS12.name
1026 });
1027
1028 // available protocols for server mode
1029 serverDefaultProtocolList = new ProtocolList(
1030 getAvailableProtocols(new ProtocolVersion[] {
1031 ProtocolVersion.DTLS10,
1032 ProtocolVersion.DTLS12
1033 }));
1034
1035 supportedCipherSuiteList = getApplicableCipherSuiteList(
1036 supportedProtocolList, false); // all supported
1037 serverDefaultCipherSuiteList = getApplicableCipherSuiteList(
1038 serverDefaultProtocolList, true); // enabled only
1039 }
1040
1041 @Override
1042 ProtocolList getSuportedProtocolList() {
1043 return supportedProtocolList;
1044 }
1045
1046 @Override
1047 CipherSuiteList getSupportedCipherSuiteList() {
1048 return supportedCipherSuiteList;
1049 }
1050
1051 @Override
1052 ProtocolList getServerDefaultProtocolList() {
1053 return serverDefaultProtocolList;
1054 }
1055
1056 @Override
1057 CipherSuiteList getServerDefaultCipherSuiteList() {
1058 return serverDefaultCipherSuiteList;
1059 }
1060
1061 @Override
1062 SSLEngine createSSLEngineImpl() {
1063 return new SSLEngineImpl(this, true);
1064 }
1065
1066 @Override
1067 SSLEngine createSSLEngineImpl(String host, int port) {
1068 return new SSLEngineImpl(this, host, port, true);
1069 }
1070
1071 @Override
1072 HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) {
1073 return new HelloCookieManager(secureRandom);
1074 }
1075 }
1076
1077 /*
1078 * The SSLContext implementation for DTLSv1.0 algorithm.
1079 *
1080 * @see SSLContext
1081 */
1082 public static final class DTLS10Context extends AbstractDTLSContext {
1083 private static final ProtocolList clientDefaultProtocolList;
1084 private static final CipherSuiteList clientDefaultCipherSuiteList;
1085
1086 static {
1087 // available protocols for client mode
1088 clientDefaultProtocolList = new ProtocolList(
1089 getAvailableProtocols(new ProtocolVersion[] {
1090 ProtocolVersion.DTLS10
1091 }));
1092
1093 clientDefaultCipherSuiteList = getApplicableCipherSuiteList(
1094 clientDefaultProtocolList, true); // enabled only
1095 }
1096
1097 @Override
1098 ProtocolList getClientDefaultProtocolList() {
1099 return clientDefaultProtocolList;
1100 }
1101
1102 @Override
1103 CipherSuiteList getClientDefaultCipherSuiteList() {
1104 return clientDefaultCipherSuiteList;
1105 }
1106 }
1107
1108 /*
1109 * The SSLContext implementation for DTLSv1.2 algorithm.
1110 *
1111 * @see SSLContext
1112 */
1113 public static final class DTLS12Context extends AbstractDTLSContext {
1114 private static final ProtocolList clientDefaultProtocolList;
1115 private static final CipherSuiteList clientDefaultCipherSuiteList;
1116
1117 static {
1118 // available protocols for client mode
1119 clientDefaultProtocolList = new ProtocolList(
1120 getAvailableProtocols(new ProtocolVersion[] {
1121 ProtocolVersion.DTLS10,
1122 ProtocolVersion.DTLS12
1123 }));
1124
1125 clientDefaultCipherSuiteList = getApplicableCipherSuiteList(
1126 clientDefaultProtocolList, true); // enabled only
1127 }
1128
1129 @Override
1130 ProtocolList getClientDefaultProtocolList() {
1131 return clientDefaultProtocolList;
1132 }
1133
1134 @Override
1135 CipherSuiteList getClientDefaultCipherSuiteList() {
1136 return clientDefaultCipherSuiteList;
1137 }
1138 }
1139
1140 /*
1141 * The SSLContext implementation for customized TLS protocols
1142 *
1143 * @see SSLContext
1144 */
1145 private static class CustomizedDTLSContext extends AbstractDTLSContext {
1146 private static final ProtocolList clientDefaultProtocolList;
1147 private static final CipherSuiteList clientDefaultCipherSuiteList;
1148
1149 private static IllegalArgumentException reservedException = null;
1150
1151 // Don't want a java.lang.LinkageError for illegal system property.
1152 //
1153 // Please don't throw exception in this static block. Otherwise,
1154 // java.lang.LinkageError may be thrown during the instantiation of
1155 // the provider service. Instead, let's handle the initialization
1156 // exception in constructor.
1157 static {
1158 reservedException = CustomizedSSLProtocols.reservedException;
1159 if (reservedException == null) {
1160 ArrayList<ProtocolVersion>
1161 customizedDTLSProtocols = new ArrayList<>();
1162 for (ProtocolVersion protocol :
1163 CustomizedSSLProtocols.customizedProtocols) {
1164 if (protocol.isDTLSProtocol()) {
1165 customizedDTLSProtocols.add(protocol);
1166 }
1167 }
1168
1169 // candidates for available protocols
1170 ProtocolVersion[] candidates;
1171 if (customizedDTLSProtocols.isEmpty()) {
1172 // Use the default enabled client protocols if no
1173 // customized TLS protocols.
1174 //
1175 // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode.
1176 candidates = new ProtocolVersion[] {
1177 ProtocolVersion.DTLS10,
1178 ProtocolVersion.DTLS12
1179 };
1180
1181 } else {
1182 // Use the customized TLS protocols.
1183 candidates =
1184 new ProtocolVersion[customizedDTLSProtocols.size()];
1185 candidates = customizedDTLSProtocols.toArray(candidates);
1186 }
1187
1188 clientDefaultProtocolList = new ProtocolList(
1189 getAvailableProtocols(candidates));
1190 clientDefaultCipherSuiteList = getApplicableCipherSuiteList(
1191 clientDefaultProtocolList, true); // enabled only
1192 } else {
1193 clientDefaultProtocolList = null; // unlikely to be used
1194 clientDefaultCipherSuiteList = null; // unlikely to be used
1195 }
1196 }
1197
1198 protected CustomizedDTLSContext() {
1199 if (reservedException != null) {
1200 throw reservedException;
1201 }
1202 }
1203
1204 @Override
1205 ProtocolList getClientDefaultProtocolList() {
1206 return clientDefaultProtocolList;
1207 }
1208
1209 @Override
1210 CipherSuiteList getClientDefaultCipherSuiteList() {
1211 return clientDefaultCipherSuiteList;
1212 }
1213 }
1214
1215 /*
1216 * The SSLContext implementation for default "DTLS" algorithm
1217 *
1218 * @see SSLContext
1219 */
1220 public static final class DTLSContext extends CustomizedDTLSContext {
1221 // use the default constructor and methods
1222 }
1223
1224 }
1225
1226
1227 final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
1228 implements X509TrustManager {
1229
1230 // the delegated trust manager
1231 private final X509TrustManager tm;
1232
1233 AbstractTrustManagerWrapper(X509TrustManager tm) {
1234 this.tm = tm;
1235 }
1236
1237 @Override
1238 public void checkClientTrusted(X509Certificate[] chain, String authType)
1239 throws CertificateException {
1240 tm.checkClientTrusted(chain, authType);
1241 }
1242
1243 @Override
1244 public void checkServerTrusted(X509Certificate[] chain, String authType)
1245 throws CertificateException {
1246 tm.checkServerTrusted(chain, authType);
1247 }
1248
1249 @Override
1250 public X509Certificate[] getAcceptedIssuers() {
1251 return tm.getAcceptedIssuers();
1252 }
1253
1254 @Override
1255 public void checkClientTrusted(X509Certificate[] chain, String authType,
1256 Socket socket) throws CertificateException {
1257 tm.checkClientTrusted(chain, authType);
1258 checkAdditionalTrust(chain, authType, socket, true);
1259 }
1260
1261 @Override
1262 public void checkServerTrusted(X509Certificate[] chain, String authType,
1263 Socket socket) throws CertificateException {
1264 tm.checkServerTrusted(chain, authType);
1265 checkAdditionalTrust(chain, authType, socket, false);
1266 }
1267
1268 @Override
1269 public void checkClientTrusted(X509Certificate[] chain, String authType,
1270 SSLEngine engine) throws CertificateException {
1271 tm.checkClientTrusted(chain, authType);
1272 checkAdditionalTrust(chain, authType, engine, true);
1273 }
1274
1275 @Override
1276 public void checkServerTrusted(X509Certificate[] chain, String authType,
1277 SSLEngine engine) throws CertificateException {
1278 tm.checkServerTrusted(chain, authType);
1279 checkAdditionalTrust(chain, authType, engine, false);
1280 }
1281
1282 private void checkAdditionalTrust(X509Certificate[] chain, String authType,
1283 Socket socket, boolean isClient) throws CertificateException {
1284 if (socket != null && socket.isConnected() &&
1285 socket instanceof SSLSocket) {
1286
1287 SSLSocket sslSocket = (SSLSocket)socket;
1288 SSLSession session = sslSocket.getHandshakeSession();
1289 if (session == null) {
1290 throw new CertificateException("No handshake session");
1291 }
1292
1293 // check endpoint identity
1294 String identityAlg = sslSocket.getSSLParameters().
1295 getEndpointIdentificationAlgorithm();
1296 if (identityAlg != null && identityAlg.length() != 0) {
1297 String hostname = session.getPeerHost();
1298 X509TrustManagerImpl.checkIdentity(
1299 hostname, chain[0], identityAlg);
1300 }
1301
1302 // try the best to check the algorithm constraints
1303 ProtocolVersion protocolVersion =
1304 ProtocolVersion.valueOf(session.getProtocol());
1305 AlgorithmConstraints constraints = null;
1306 if (protocolVersion.useTLS12PlusSpec()) {
1307 if (session instanceof ExtendedSSLSession) {
1308 ExtendedSSLSession extSession =
1309 (ExtendedSSLSession)session;
1310 String[] peerSupportedSignAlgs =
1311 extSession.getLocalSupportedSignatureAlgorithms();
1312
1313 constraints = new SSLAlgorithmConstraints(
1314 sslSocket, peerSupportedSignAlgs, true);
1315 } else {
1316 constraints =
1317 new SSLAlgorithmConstraints(sslSocket, true);
1318 }
1319 } else {
1320 constraints = new SSLAlgorithmConstraints(sslSocket, true);
1321 }
1322
1323 checkAlgorithmConstraints(chain, constraints);
1324 }
1325 }
1326
1327 private void checkAdditionalTrust(X509Certificate[] chain, String authType,
1328 SSLEngine engine, boolean isClient) throws CertificateException {
1329 if (engine != null) {
1330 SSLSession session = engine.getHandshakeSession();
1331 if (session == null) {
1332 throw new CertificateException("No handshake session");
1333 }
1334
1335 // check endpoint identity
1336 String identityAlg = engine.getSSLParameters().
1337 getEndpointIdentificationAlgorithm();
1338 if (identityAlg != null && identityAlg.length() != 0) {
1339 String hostname = session.getPeerHost();
1340 X509TrustManagerImpl.checkIdentity(
1341 hostname, chain[0], identityAlg);
1342 }
1343
1344 // try the best to check the algorithm constraints
1345 ProtocolVersion protocolVersion =
1346 ProtocolVersion.valueOf(session.getProtocol());
1347 AlgorithmConstraints constraints = null;
1348 if (protocolVersion.useTLS12PlusSpec()) {
1349 if (session instanceof ExtendedSSLSession) {
1350 ExtendedSSLSession extSession =
1351 (ExtendedSSLSession)session;
1352 String[] peerSupportedSignAlgs =
1353 extSession.getLocalSupportedSignatureAlgorithms();
1354
1355 constraints = new SSLAlgorithmConstraints(
1356 engine, peerSupportedSignAlgs, true);
1357 } else {
1358 constraints =
1359 new SSLAlgorithmConstraints(engine, true);
1360 }
1361 } else {
1362 constraints = new SSLAlgorithmConstraints(engine, true);
1363 }
1364
1365 checkAlgorithmConstraints(chain, constraints);
1366 }
1367 }
1368
1369 private void checkAlgorithmConstraints(X509Certificate[] chain,
1370 AlgorithmConstraints constraints) throws CertificateException {
1371
1372 try {
1373 // Does the certificate chain end with a trusted certificate?
1374 int checkedLength = chain.length - 1;
1375
1376 Collection<X509Certificate> trustedCerts = new HashSet<>();
1377 X509Certificate[] certs = tm.getAcceptedIssuers();
1378 if ((certs != null) && (certs.length > 0)){
1379 Collections.addAll(trustedCerts, certs);
1380 }
1381
1382 if (trustedCerts.contains(chain[checkedLength])) {
1383 checkedLength--;
1384 }
1385
1386 // A forward checker, need to check from trust to target
1387 if (checkedLength >= 0) {
1388 AlgorithmChecker checker = new AlgorithmChecker(constraints);
1389 checker.init(false);
1390 for (int i = checkedLength; i >= 0; i--) {
1391 Certificate cert = chain[i];
1392 // We don't care about the unresolved critical extensions.
1393 checker.check(cert, Collections.<String>emptySet());
1394 }
1395 }
1396 } catch (CertPathValidatorException cpve) {
1397 throw new CertificateException(
1398 "Certificates does not conform to algorithm constraints");
1399 }
1400 }
1401 }
1402
1403 // Dummy X509TrustManager implementation, rejects all peer certificates.
1404 // Used if the application did not specify a proper X509TrustManager.
1405 final class DummyX509TrustManager extends X509ExtendedTrustManager
1406 implements X509TrustManager {
1407
1408 static final X509TrustManager INSTANCE = new DummyX509TrustManager();
1409
1410 private DummyX509TrustManager() {
1411 // empty
1412 }
1413
1414 /*
1415 * Given the partial or complete certificate chain
1416 * provided by the peer, build a certificate path
1417 * to a trusted root and return if it can be
1418 * validated and is trusted for client SSL authentication.
1419 * If not, it throws an exception.
1420 */
1421 @Override
1422 public void checkClientTrusted(X509Certificate[] chain, String authType)
1423 throws CertificateException {
1424 throw new CertificateException(
1425 "No X509TrustManager implementation avaiable");
1426 }
1427
1428 /*
1429 * Given the partial or complete certificate chain
1430 * provided by the peer, build a certificate path
1431 * to a trusted root and return if it can be
1432 * validated and is trusted for server SSL authentication.
1433 * If not, it throws an exception.
1434 */
1435 @Override
1436 public void checkServerTrusted(X509Certificate[] chain, String authType)
1437 throws CertificateException {
1438 throw new CertificateException(
1439 "No X509TrustManager implementation available");
1440 }
1441
1442 /*
1443 * Return an array of issuer certificates which are trusted
1444 * for authenticating peers.
1445 */
1446 @Override
1447 public X509Certificate[] getAcceptedIssuers() {
1448 return new X509Certificate[0];
1449 }
1450
1451 @Override
1452 public void checkClientTrusted(X509Certificate[] chain, String authType,
1453 Socket socket) throws CertificateException {
1454 throw new CertificateException(
1455 "No X509TrustManager implementation available");
1456 }
1457
1458 @Override
1459 public void checkServerTrusted(X509Certificate[] chain, String authType,
1460 Socket socket) throws CertificateException {
1461 throw new CertificateException(
1462 "No X509TrustManager implementation available");
1463 }
1464
1465 @Override
1466 public void checkClientTrusted(X509Certificate[] chain, String authType,
1467 SSLEngine engine) throws CertificateException {
1468 throw new CertificateException(
1469 "No X509TrustManager implementation available");
1470 }
1471
1472 @Override
1473 public void checkServerTrusted(X509Certificate[] chain, String authType,
1474 SSLEngine engine) throws CertificateException {
1475 throw new CertificateException(
1476 "No X509TrustManager implementation available");
1477 }
1478 }
1479
1480 /*
1481 * A wrapper class to turn a X509KeyManager into an X509ExtendedKeyManager
1482 */
1483 final class AbstractKeyManagerWrapper extends X509ExtendedKeyManager {
1484
1485 private final X509KeyManager km;
1486
1487 AbstractKeyManagerWrapper(X509KeyManager km) {
1488 this.km = km;
1489 }
1490
1491 @Override
1492 public String[] getClientAliases(String keyType, Principal[] issuers) {
1493 return km.getClientAliases(keyType, issuers);
1494 }
1495
1496 @Override
1497 public String chooseClientAlias(String[] keyType, Principal[] issuers,
1498 Socket socket) {
1499 return km.chooseClientAlias(keyType, issuers, socket);
1500 }
1501
1502 @Override
1503 public String[] getServerAliases(String keyType, Principal[] issuers) {
1504 return km.getServerAliases(keyType, issuers);
1505 }
1506
1507 @Override
1508 public String chooseServerAlias(String keyType, Principal[] issuers,
1509 Socket socket) {
1510 return km.chooseServerAlias(keyType, issuers, socket);
1511 }
1512
1513 @Override
1514 public X509Certificate[] getCertificateChain(String alias) {
1515 return km.getCertificateChain(alias);
1516 }
1517
1518 @Override
1519 public PrivateKey getPrivateKey(String alias) {
1520 return km.getPrivateKey(alias);
1521 }
1522
1523 // Inherit chooseEngineClientAlias() and chooseEngineServerAlias() from
1524 // X509ExtendedKeymanager. It defines them to return null;
1525 }
1526
1527
1528 // Dummy X509KeyManager implementation, never returns any certificates/keys.
1529 // Used if the application did not specify a proper X509TrustManager.
1530 final class DummyX509KeyManager extends X509ExtendedKeyManager {
1531
1532 static final X509ExtendedKeyManager INSTANCE = new DummyX509KeyManager();
1533
1534 private DummyX509KeyManager() {
1535 // empty
1536 }
1537
1538 /*
1539 * Get the matching aliases for authenticating the client side of a secure
1540 * socket given the public key type and the list of
1541 * certificate issuer authorities recognized by the peer (if any).
1542 */
1543 @Override
1544 public String[] getClientAliases(String keyType, Principal[] issuers) {
1545 return null;
1546 }
1547
1548 /*
1549 * Choose an alias to authenticate the client side of a secure
1550 * socket given the public key type and the list of
1551 * certificate issuer authorities recognized by the peer (if any).
1552 */
1553 @Override
1554 public String chooseClientAlias(String[] keyTypes, Principal[] issuers,
1555 Socket socket) {
1556 return null;
1557 }
1558
1559 /*
1560 * Choose an alias to authenticate the client side of an
1561 * engine given the public key type and the list of
1562 * certificate issuer authorities recognized by the peer (if any).
1563 */
1564 @Override
1565 public String chooseEngineClientAlias(
1566 String[] keyTypes, Principal[] issuers, SSLEngine engine) {
1567 return null;
1568 }
1569
1570 /*
1571 * Get the matching aliases for authenticating the server side of a secure
1572 * socket given the public key type and the list of
1573 * certificate issuer authorities recognized by the peer (if any).
1574 */
1575 @Override
1576 public String[] getServerAliases(String keyType, Principal[] issuers) {
1577 return null;
1578 }
1579
1580 /*
1581 * Choose an alias to authenticate the server side of a secure
1582 * socket given the public key type and the list of
1583 * certificate issuer authorities recognized by the peer (if any).
1584 */
1585 @Override
1586 public String chooseServerAlias(String keyType, Principal[] issuers,
1587 Socket socket) {
1588 return null;
1589 }
1590
1591 /*
1592 * Choose an alias to authenticate the server side of an engine
1593 * given the public key type and the list of
1594 * certificate issuer authorities recognized by the peer (if any).
1595 */
1596 @Override
1597 public String chooseEngineServerAlias(
1598 String keyType, Principal[] issuers, SSLEngine engine) {
1599 return null;
1600 }
1601
1602 /**
1603 * Returns the certificate chain associated with the given alias.
1604 *
1605 * @param alias the alias name
1606 *
1607 * @return the certificate chain (ordered with the user's certificate first
1608 * and the root certificate authority last)
1609 */
1610 @Override
1611 public X509Certificate[] getCertificateChain(String alias) {
1612 return null;
1613 }
1614
1615 /*
1616 * Returns the key associated with the given alias, using the given
1617 * password to recover it.
1618 *
1619 * @param alias the alias name
1620 *
1621 * @return the requested key
1622 */
1623 @Override
1624 public PrivateKey getPrivateKey(String alias) {
1625 return null;
1626 }
1627 }