1 /*
2 * Copyright (c) 2003, 2008, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package javax.rmi.ssl;
27
28 import java.io.IOException;
29 import java.net.InetAddress;
30 import java.net.ServerSocket;
31 import java.net.Socket;
32 import java.net.UnknownHostException;
33 import java.rmi.server.RMIServerSocketFactory;
34 import java.util.Arrays;
35 import java.util.List;
36 import javax.net.ssl.SSLContext;
37 import javax.net.ssl.SSLServerSocketFactory;
38 import javax.net.ssl.SSLSocket;
39 import javax.net.ssl.SSLSocketFactory;
40
41 /**
42 * <p>An <code>SslRMIServerSocketFactory</code> instance is used by the RMI
43 * runtime in order to obtain server sockets for RMI calls via SSL.</p>
44 *
45 * <p>This class implements <code>RMIServerSocketFactory</code> over
46 * the Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
47 * protocols.</p>
48 *
49 * <p>This class creates SSL sockets using the default
50 * <code>SSLSocketFactory</code> (see {@link
51 * SSLSocketFactory#getDefault}) or the default
52 * <code>SSLServerSocketFactory</code> (see {@link
53 * SSLServerSocketFactory#getDefault}) unless the
54 * constructor taking an <code>SSLContext</code> is
55 * used in which case the SSL sockets are created using
56 * the <code>SSLSocketFactory</code> returned by
57 * {@link SSLContext#getSocketFactory} or the
58 * <code>SSLServerSocketFactory</code> returned by
59 * {@link SSLContext#getServerSocketFactory}.
60 *
61 * When an <code>SSLContext</code> is not supplied all the instances of this
62 * class share the same keystore, and the same truststore (when client
63 * authentication is required by the server). This behavior can be modified
64 * by supplying an already initialized <code>SSLContext</code> instance.
65 *
66 * @see javax.net.ssl.SSLSocketFactory
67 * @see javax.net.ssl.SSLServerSocketFactory
68 * @see javax.rmi.ssl.SslRMIClientSocketFactory
69 * @since 1.5
70 */
71 public class SslRMIServerSocketFactory implements RMIServerSocketFactory {
72
73 /**
74 * <p>Creates a new <code>SslRMIServerSocketFactory</code> with
75 * the default SSL socket configuration.</p>
76 *
77 * <p>SSL connections accepted by server sockets created by this
78 * factory have the default cipher suites and protocol versions
79 * enabled and do not require client authentication.</p>
80 */
81 public SslRMIServerSocketFactory() {
82 this(null, null, false);
83 }
84
85 /**
86 * <p>Creates a new <code>SslRMIServerSocketFactory</code> with
87 * the specified SSL socket configuration.</p>
88 *
89 * @param enabledCipherSuites names of all the cipher suites to
90 * enable on SSL connections accepted by server sockets created by
91 * this factory, or <code>null</code> to use the cipher suites
92 * that are enabled by default
93 *
94 * @param enabledProtocols names of all the protocol versions to
95 * enable on SSL connections accepted by server sockets created by
96 * this factory, or <code>null</code> to use the protocol versions
97 * that are enabled by default
98 *
99 * @param needClientAuth <code>true</code> to require client
100 * authentication on SSL connections accepted by server sockets
101 * created by this factory; <code>false</code> to not require
102 * client authentication
103 *
104 * @exception IllegalArgumentException when one or more of the cipher
105 * suites named by the <code>enabledCipherSuites</code> parameter is
106 * not supported, when one or more of the protocols named by the
107 * <code>enabledProtocols</code> parameter is not supported or when
108 * a problem is encountered while trying to check if the supplied
109 * cipher suites and protocols to be enabled are supported.
110 *
111 * @see SSLSocket#setEnabledCipherSuites
112 * @see SSLSocket#setEnabledProtocols
113 * @see SSLSocket#setNeedClientAuth
114 */
115 public SslRMIServerSocketFactory(
116 String[] enabledCipherSuites,
117 String[] enabledProtocols,
118 boolean needClientAuth)
119 throws IllegalArgumentException {
120 this(null, enabledCipherSuites, enabledProtocols, needClientAuth, null);
121 }
122
123 /**
124 * <p>Creates a new <code>SslRMIServerSocketFactory</code> with
125 * the specified SSL socket configuration.</p>
126 *
127 * @param enabledCipherSuites names of all the cipher suites to
128 * enable on SSL connections accepted by server sockets created by
129 * this factory, or <code>null</code> to use the cipher suites
130 * that are enabled by default
131 *
132 * @param enabledProtocols names of all the protocol versions to
133 * enable on SSL connections accepted by server sockets created by
134 * this factory, or <code>null</code> to use the protocol versions
135 * that are enabled by default
136 *
137 * @param needClientAuth <code>true</code> to require client
138 * authentication on SSL connections accepted by server sockets
139 * created by this factory; <code>false</code> to not require
140 * client authentication
141 *
142 * @param bindAddress the address to which to bind the
143 * server socket to, or <code>null</code> to bind to the wildcard
144 * address.
145 *
146 * @exception IllegalArgumentException when one or more of the cipher
147 * suites named by the <code>enabledCipherSuites</code> parameter is
148 * not supported, when one or more of the protocols named by the
149 * <code>enabledProtocols</code> parameter is not supported or when
150 * a problem is encountered while trying to check if the supplied
151 * cipher suites and protocols to be enabled are supported.
152 *
153 * @see SSLSocket#setEnabledCipherSuites
154 * @see SSLSocket#setEnabledProtocols
155 * @see SSLSocket#setNeedClientAuth
156 */
157 public SslRMIServerSocketFactory(
158 String[] enabledCipherSuites,
159 String[] enabledProtocols,
160 boolean needClientAuth,
161 String bindAddress)
162 throws IllegalArgumentException {
163 this(null, enabledCipherSuites, enabledProtocols, needClientAuth, bindAddress);
164 }
165
166 /**
167 * <p>Creates a new <code>SslRMIServerSocketFactory</code> with the
168 * specified <code>SSLContext</code> and SSL socket configuration.</p>
169 *
170 * @param context the SSL context to be used for creating SSL sockets.
171 * If <code>context</code> is null the default <code>SSLSocketFactory</code>
172 * or the default <code>SSLServerSocketFactory</code> will be used to
173 * create SSL sockets. Otherwise, the socket factory returned by
174 * <code>SSLContext.getSocketFactory()</code> or
175 * <code>SSLContext.getServerSocketFactory()</code> will be used instead.
176 *
177 * @param enabledCipherSuites names of all the cipher suites to
178 * enable on SSL connections accepted by server sockets created by
179 * this factory, or <code>null</code> to use the cipher suites
180 * that are enabled by default
181 *
182 * @param enabledProtocols names of all the protocol versions to
183 * enable on SSL connections accepted by server sockets created by
184 * this factory, or <code>null</code> to use the protocol versions
185 * that are enabled by default
186 *
187 * @param needClientAuth <code>true</code> to require client
188 * authentication on SSL connections accepted by server sockets
189 * created by this factory; <code>false</code> to not require
190 * client authentication
191 *
192 * @exception IllegalArgumentException when one or more of the cipher
193 * suites named by the <code>enabledCipherSuites</code> parameter is
194 * not supported, when one or more of the protocols named by the
195 * <code>enabledProtocols</code> parameter is not supported or when
196 * a problem is encountered while trying to check if the supplied
197 * cipher suites and protocols to be enabled are supported.
198 *
199 * @see SSLSocket#setEnabledCipherSuites
200 * @see SSLSocket#setEnabledProtocols
201 * @see SSLSocket#setNeedClientAuth
202 * @since 1.7
203 */
204 public SslRMIServerSocketFactory(
205 SSLContext context,
206 String[] enabledCipherSuites,
207 String[] enabledProtocols,
208 boolean needClientAuth)
209 throws IllegalArgumentException {
210 this(null, enabledCipherSuites, enabledProtocols, needClientAuth, null);
211 }
212
213 /**
214 * <p>Creates a new <code>SslRMIServerSocketFactory</code> with the
215 * specified <code>SSLContext</code> and SSL socket configuration.</p>
216 *
217 * @param context the SSL context to be used for creating SSL sockets.
218 * If <code>context</code> is null the default <code>SSLSocketFactory</code>
219 * or the default <code>SSLServerSocketFactory</code> will be used to
220 * create SSL sockets. Otherwise, the socket factory returned by
221 * <code>SSLContext.getSocketFactory()</code> or
222 * <code>SSLContext.getServerSocketFactory()</code> will be used instead.
223 *
224 * @param enabledCipherSuites names of all the cipher suites to
225 * enable on SSL connections accepted by server sockets created by
226 * this factory, or <code>null</code> to use the cipher suites
227 * that are enabled by default
228 *
229 * @param enabledProtocols names of all the protocol versions to
230 * enable on SSL connections accepted by server sockets created by
231 * this factory, or <code>null</code> to use the protocol versions
232 * that are enabled by default
233 *
234 * @param needClientAuth <code>true</code> to require client
235 * authentication on SSL connections accepted by server sockets
236 * created by this factory; <code>false</code> to not require
237 * client authentication
238 *
239 * @param bindAddress the address to which to bind the
240 * server socket to, or <code>null</code> to bind to the wildcard
241 * address.
242 *
243 * @exception IllegalArgumentException when one or more of the cipher
244 * suites named by the <code>enabledCipherSuites</code> parameter is
245 * not supported, when one or more of the protocols named by the
246 * <code>enabledProtocols</code> parameter is not supported or when
247 * a problem is encountered while trying to check if the supplied
248 * cipher suites and protocols to be enabled are supported.
249 *
250 * @see SSLSocket#setEnabledCipherSuites
251 * @see SSLSocket#setEnabledProtocols
252 * @see SSLSocket#setNeedClientAuth
253 */
254 public SslRMIServerSocketFactory(
255 SSLContext context,
256 String[] enabledCipherSuites,
257 String[] enabledProtocols,
258 boolean needClientAuth,
259 String bindAddress)
260 throws IllegalArgumentException {
261 // Initialize the configuration parameters.
262 //
263 this.enabledCipherSuites = enabledCipherSuites == null ?
264 null : enabledCipherSuites.clone();
265 this.enabledProtocols = enabledProtocols == null ?
266 null : enabledProtocols.clone();
267 this.needClientAuth = needClientAuth;
268
269 // Force the initialization of the default at construction time,
270 // rather than delaying it to the first time createServerSocket()
271 // is called.
272 //
273 this.context = context;
274 final SSLSocketFactory sslSocketFactory =
275 context == null ?
276 getDefaultSSLSocketFactory() : context.getSocketFactory();
277 SSLSocket sslSocket = null;
278 if (this.enabledCipherSuites != null || this.enabledProtocols != null) {
279 try {
280 sslSocket = (SSLSocket) sslSocketFactory.createSocket();
281 } catch (Exception e) {
282 final String msg = "Unable to check if the cipher suites " +
283 "and protocols to enable are supported";
284 throw (IllegalArgumentException)
285 new IllegalArgumentException(msg).initCause(e);
286 }
287 }
288
289 // Check if all the cipher suites and protocol versions to enable
290 // are supported by the underlying SSL/TLS implementation and if
291 // true create lists from arrays.
292 //
293 if (this.enabledCipherSuites != null) {
294 sslSocket.setEnabledCipherSuites(this.enabledCipherSuites);
295 enabledCipherSuitesList = Arrays.asList(this.enabledCipherSuites);
296 }
297 if (this.enabledProtocols != null) {
298 sslSocket.setEnabledProtocols(this.enabledProtocols);
299 enabledProtocolsList = Arrays.asList(this.enabledProtocols);
300 }
301 this.bindAddress = bindAddress;
302 }
303
304 /**
305 * <p>Returns the names of the cipher suites enabled on SSL
306 * connections accepted by server sockets created by this factory,
307 * or <code>null</code> if this factory uses the cipher suites
308 * that are enabled by default.</p>
309 *
310 * @return an array of cipher suites enabled, or <code>null</code>
311 *
312 * @see SSLSocket#setEnabledCipherSuites
313 */
314 public final String[] getEnabledCipherSuites() {
315 return enabledCipherSuites == null ?
316 null : enabledCipherSuites.clone();
317 }
318
319 /**
320 * <p>Returns the names of the protocol versions enabled on SSL
321 * connections accepted by server sockets created by this factory,
322 * or <code>null</code> if this factory uses the protocol versions
323 * that are enabled by default.</p>
324 *
325 * @return an array of protocol versions enabled, or
326 * <code>null</code>
327 *
328 * @see SSLSocket#setEnabledProtocols
329 */
330 public final String[] getEnabledProtocols() {
331 return enabledProtocols == null ?
332 null : enabledProtocols.clone();
333 }
334
335 /**
336 * <p>Returns <code>true</code> if client authentication is
337 * required on SSL connections accepted by server sockets created
338 * by this factory.</p>
339 *
340 * @return <code>true</code> if client authentication is required
341 *
342 * @see SSLSocket#setNeedClientAuth
343 */
344 public final boolean getNeedClientAuth() {
345 return needClientAuth;
346 }
347
348 /**
349 * <p>Creates a server socket that accepts SSL connections
350 * configured according to this factory's SSL socket configuration
351 * parameters.</p>
352 */
353 public ServerSocket createServerSocket(int port) throws IOException {
354 if (this.bindAddress == null) {
355 return new SslServerSocket(port);
356 } else {
357 try {
358 InetAddress addr = InetAddress.getByName(bindAddress);
359 return new SslServerSocket(port, 0, addr);
360 } catch (UnknownHostException e) {
361 return new SslServerSocket(port);
362 }
363 }
364 }
365
366 /**
367 * <p>Indicates whether some other object is "equal to" this one.</p>
368 *
369 * <p>Two <code>SslRMIServerSocketFactory</code> objects are equal
370 * if they have been constructed with the same SSL context and
371 * SSL socket configuration parameters.</p>
372 *
373 * <p>A subclass should override this method (as well as
374 * {@link #hashCode()}) if it adds instance state that affects
375 * equality.</p>
376 */
377 public boolean equals(Object obj) {
378 if (obj == null) return false;
379 if (obj == this) return true;
380 if (!(obj instanceof SslRMIServerSocketFactory))
381 return false;
382 SslRMIServerSocketFactory that = (SslRMIServerSocketFactory) obj;
383 return (getClass().equals(that.getClass()) && checkParameters(that));
384 }
385
386 private boolean checkParameters(SslRMIServerSocketFactory that) {
387 // SSL context
388 //
389 if (context == null ? that.context != null : !context.equals(that.context))
390 return false;
391
392 // needClientAuth flag
393 //
394 if (needClientAuth != that.needClientAuth)
395 return false;
396
397 // enabledCipherSuites
398 //
399 if ((enabledCipherSuites == null && that.enabledCipherSuites != null) ||
400 (enabledCipherSuites != null && that.enabledCipherSuites == null))
401 return false;
402 if (enabledCipherSuites != null && that.enabledCipherSuites != null) {
403 List<String> thatEnabledCipherSuitesList =
404 Arrays.asList(that.enabledCipherSuites);
405 if (!enabledCipherSuitesList.equals(thatEnabledCipherSuitesList))
406 return false;
407 }
408
409 // enabledProtocols
410 //
411 if ((enabledProtocols == null && that.enabledProtocols != null) ||
412 (enabledProtocols != null && that.enabledProtocols == null))
413 return false;
414 if (enabledProtocols != null && that.enabledProtocols != null) {
415 List<String> thatEnabledProtocolsList =
416 Arrays.asList(that.enabledProtocols);
417 if (!enabledProtocolsList.equals(thatEnabledProtocolsList))
418 return false;
419 }
420
421 return true;
422 }
423
424 /**
425 * <p>Returns a hash code value for this
426 * <code>SslRMIServerSocketFactory</code>.</p>
427 *
428 * @return a hash code value for this
429 * <code>SslRMIServerSocketFactory</code>.
430 */
431 public int hashCode() {
432 return getClass().hashCode() +
433 (context == null ? 0 : context.hashCode()) +
434 (needClientAuth ? Boolean.TRUE.hashCode() : Boolean.FALSE.hashCode()) +
435 (enabledCipherSuites == null ? 0 : enabledCipherSuitesList.hashCode()) +
436 (enabledProtocols == null ? 0 : enabledProtocolsList.hashCode());
437 }
438
439 // We use a static field because:
440 //
441 // SSLSocketFactory.getDefault() always returns the same object
442 // (at least on Sun's implementation), and we want to make sure
443 // that the Javadoc & the implementation stay in sync.
444 //
445 // If someone needs to have different SslRMIServerSocketFactory
446 // factories with different underlying SSLSocketFactory objects
447 // using different keystores and truststores, he/she can always
448 // use the constructor that takes an SSLContext as input.
449 //
450 private static SSLSocketFactory defaultSSLSocketFactory = null;
451
452 private static synchronized SSLSocketFactory getDefaultSSLSocketFactory() {
453 if (defaultSSLSocketFactory == null)
454 defaultSSLSocketFactory =
455 (SSLSocketFactory) SSLSocketFactory.getDefault();
456 return defaultSSLSocketFactory;
457 }
458
459 private final String[] enabledCipherSuites;
460 private final String[] enabledProtocols;
461 private final boolean needClientAuth;
462 private List<String> enabledCipherSuitesList;
463 private List<String> enabledProtocolsList;
464 private SSLContext context;
465 private final String bindAddress;
466
467 private class SslServerSocket extends ServerSocket {
468
469 private SslServerSocket(int port) throws IOException {
470 super(port);
471 }
472
473 private SslServerSocket(int port, int backlog, InetAddress bindAddr) throws IOException {
474 super(port, backlog, bindAddr);
475 }
476
477 @Override
478 public Socket accept() throws IOException {
479 final SSLSocketFactory sslSocketFactory =
480 context == null ?
481 getDefaultSSLSocketFactory() : context.getSocketFactory();
482 Socket socket = super.accept();
483 SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(
484 socket, socket.getInetAddress().getHostName(),
485 socket.getPort(), true);
486 sslSocket.setUseClientMode(false);
487 if (enabledCipherSuites != null) {
488 sslSocket.setEnabledCipherSuites(enabledCipherSuites);
489 }
490 if (enabledProtocols != null) {
491 sslSocket.setEnabledProtocols(enabledProtocols);
492 }
493 sslSocket.setNeedClientAuth(needClientAuth);
494 return sslSocket;
495 }
496 }
497 }