1 /* 2 * Copyright (c) 2003, 2008, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package javax.rmi.ssl; 27 28 import java.io.IOException; 29 import java.net.InetAddress; 30 import java.net.ServerSocket; 31 import java.net.Socket; 32 import java.net.UnknownHostException; 33 import java.rmi.server.RMIServerSocketFactory; 34 import java.util.Arrays; 35 import java.util.List; 36 import javax.net.ssl.SSLContext; 37 import javax.net.ssl.SSLServerSocketFactory; 38 import javax.net.ssl.SSLSocket; 39 import javax.net.ssl.SSLSocketFactory; 40 41 /** 42 * <p>An <code>SslRMIServerSocketFactory</code> instance is used by the RMI 43 * runtime in order to obtain server sockets for RMI calls via SSL.</p> 44 * 45 * <p>This class implements <code>RMIServerSocketFactory</code> over 46 * the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) 47 * protocols.</p> 48 * 49 * <p>This class creates SSL sockets using the default 50 * <code>SSLSocketFactory</code> (see {@link 51 * SSLSocketFactory#getDefault}) or the default 52 * <code>SSLServerSocketFactory</code> (see {@link 53 * SSLServerSocketFactory#getDefault}) unless the 54 * constructor taking an <code>SSLContext</code> is 55 * used in which case the SSL sockets are created using 56 * the <code>SSLSocketFactory</code> returned by 57 * {@link SSLContext#getSocketFactory} or the 58 * <code>SSLServerSocketFactory</code> returned by 59 * {@link SSLContext#getServerSocketFactory}. 60 * 61 * When an <code>SSLContext</code> is not supplied all the instances of this 62 * class share the same keystore, and the same truststore (when client 63 * authentication is required by the server). This behavior can be modified 64 * by supplying an already initialized <code>SSLContext</code> instance. 65 * 66 * @see javax.net.ssl.SSLSocketFactory 67 * @see javax.net.ssl.SSLServerSocketFactory 68 * @see javax.rmi.ssl.SslRMIClientSocketFactory 69 * @since 1.5 70 */ 71 public class SslRMIServerSocketFactory implements RMIServerSocketFactory { 72 73 /** 74 * <p>Creates a new <code>SslRMIServerSocketFactory</code> with 75 * the default SSL socket configuration.</p> 76 * 77 * <p>SSL connections accepted by server sockets created by this 78 * factory have the default cipher suites and protocol versions 79 * enabled and do not require client authentication.</p> 80 */ 81 public SslRMIServerSocketFactory() { 82 this(null, null, false); 83 } 84 85 /** 86 * <p>Creates a new <code>SslRMIServerSocketFactory</code> with 87 * the specified SSL socket configuration.</p> 88 * 89 * @param enabledCipherSuites names of all the cipher suites to 90 * enable on SSL connections accepted by server sockets created by 91 * this factory, or <code>null</code> to use the cipher suites 92 * that are enabled by default 93 * 94 * @param enabledProtocols names of all the protocol versions to 95 * enable on SSL connections accepted by server sockets created by 96 * this factory, or <code>null</code> to use the protocol versions 97 * that are enabled by default 98 * 99 * @param needClientAuth <code>true</code> to require client 100 * authentication on SSL connections accepted by server sockets 101 * created by this factory; <code>false</code> to not require 102 * client authentication 103 * 104 * @exception IllegalArgumentException when one or more of the cipher 105 * suites named by the <code>enabledCipherSuites</code> parameter is 106 * not supported, when one or more of the protocols named by the 107 * <code>enabledProtocols</code> parameter is not supported or when 108 * a problem is encountered while trying to check if the supplied 109 * cipher suites and protocols to be enabled are supported. 110 * 111 * @see SSLSocket#setEnabledCipherSuites 112 * @see SSLSocket#setEnabledProtocols 113 * @see SSLSocket#setNeedClientAuth 114 */ 115 public SslRMIServerSocketFactory( 116 String[] enabledCipherSuites, 117 String[] enabledProtocols, 118 boolean needClientAuth) 119 throws IllegalArgumentException { 120 this(null, enabledCipherSuites, enabledProtocols, needClientAuth, null); 121 } 122 123 /** 124 * <p>Creates a new <code>SslRMIServerSocketFactory</code> with 125 * the specified SSL socket configuration.</p> 126 * 127 * @param enabledCipherSuites names of all the cipher suites to 128 * enable on SSL connections accepted by server sockets created by 129 * this factory, or <code>null</code> to use the cipher suites 130 * that are enabled by default 131 * 132 * @param enabledProtocols names of all the protocol versions to 133 * enable on SSL connections accepted by server sockets created by 134 * this factory, or <code>null</code> to use the protocol versions 135 * that are enabled by default 136 * 137 * @param needClientAuth <code>true</code> to require client 138 * authentication on SSL connections accepted by server sockets 139 * created by this factory; <code>false</code> to not require 140 * client authentication 141 * 142 * @param bindAddress the address to which to bind the 143 * server socket to, or <code>null</code> to bind to the wildcard 144 * address. 145 * 146 * @exception IllegalArgumentException when one or more of the cipher 147 * suites named by the <code>enabledCipherSuites</code> parameter is 148 * not supported, when one or more of the protocols named by the 149 * <code>enabledProtocols</code> parameter is not supported or when 150 * a problem is encountered while trying to check if the supplied 151 * cipher suites and protocols to be enabled are supported. 152 * 153 * @see SSLSocket#setEnabledCipherSuites 154 * @see SSLSocket#setEnabledProtocols 155 * @see SSLSocket#setNeedClientAuth 156 */ 157 public SslRMIServerSocketFactory( 158 String[] enabledCipherSuites, 159 String[] enabledProtocols, 160 boolean needClientAuth, 161 String bindAddress) 162 throws IllegalArgumentException { 163 this(null, enabledCipherSuites, enabledProtocols, needClientAuth, bindAddress); 164 } 165 166 /** 167 * <p>Creates a new <code>SslRMIServerSocketFactory</code> with the 168 * specified <code>SSLContext</code> and SSL socket configuration.</p> 169 * 170 * @param context the SSL context to be used for creating SSL sockets. 171 * If <code>context</code> is null the default <code>SSLSocketFactory</code> 172 * or the default <code>SSLServerSocketFactory</code> will be used to 173 * create SSL sockets. Otherwise, the socket factory returned by 174 * <code>SSLContext.getSocketFactory()</code> or 175 * <code>SSLContext.getServerSocketFactory()</code> will be used instead. 176 * 177 * @param enabledCipherSuites names of all the cipher suites to 178 * enable on SSL connections accepted by server sockets created by 179 * this factory, or <code>null</code> to use the cipher suites 180 * that are enabled by default 181 * 182 * @param enabledProtocols names of all the protocol versions to 183 * enable on SSL connections accepted by server sockets created by 184 * this factory, or <code>null</code> to use the protocol versions 185 * that are enabled by default 186 * 187 * @param needClientAuth <code>true</code> to require client 188 * authentication on SSL connections accepted by server sockets 189 * created by this factory; <code>false</code> to not require 190 * client authentication 191 * 192 * @exception IllegalArgumentException when one or more of the cipher 193 * suites named by the <code>enabledCipherSuites</code> parameter is 194 * not supported, when one or more of the protocols named by the 195 * <code>enabledProtocols</code> parameter is not supported or when 196 * a problem is encountered while trying to check if the supplied 197 * cipher suites and protocols to be enabled are supported. 198 * 199 * @see SSLSocket#setEnabledCipherSuites 200 * @see SSLSocket#setEnabledProtocols 201 * @see SSLSocket#setNeedClientAuth 202 * @since 1.7 203 */ 204 public SslRMIServerSocketFactory( 205 SSLContext context, 206 String[] enabledCipherSuites, 207 String[] enabledProtocols, 208 boolean needClientAuth) 209 throws IllegalArgumentException { 210 this(null, enabledCipherSuites, enabledProtocols, needClientAuth, null); 211 } 212 213 /** 214 * <p>Creates a new <code>SslRMIServerSocketFactory</code> with the 215 * specified <code>SSLContext</code> and SSL socket configuration.</p> 216 * 217 * @param context the SSL context to be used for creating SSL sockets. 218 * If <code>context</code> is null the default <code>SSLSocketFactory</code> 219 * or the default <code>SSLServerSocketFactory</code> will be used to 220 * create SSL sockets. Otherwise, the socket factory returned by 221 * <code>SSLContext.getSocketFactory()</code> or 222 * <code>SSLContext.getServerSocketFactory()</code> will be used instead. 223 * 224 * @param enabledCipherSuites names of all the cipher suites to 225 * enable on SSL connections accepted by server sockets created by 226 * this factory, or <code>null</code> to use the cipher suites 227 * that are enabled by default 228 * 229 * @param enabledProtocols names of all the protocol versions to 230 * enable on SSL connections accepted by server sockets created by 231 * this factory, or <code>null</code> to use the protocol versions 232 * that are enabled by default 233 * 234 * @param needClientAuth <code>true</code> to require client 235 * authentication on SSL connections accepted by server sockets 236 * created by this factory; <code>false</code> to not require 237 * client authentication 238 * 239 * @param bindAddress the address to which to bind the 240 * server socket to, or <code>null</code> to bind to the wildcard 241 * address. 242 * 243 * @exception IllegalArgumentException when one or more of the cipher 244 * suites named by the <code>enabledCipherSuites</code> parameter is 245 * not supported, when one or more of the protocols named by the 246 * <code>enabledProtocols</code> parameter is not supported or when 247 * a problem is encountered while trying to check if the supplied 248 * cipher suites and protocols to be enabled are supported. 249 * 250 * @see SSLSocket#setEnabledCipherSuites 251 * @see SSLSocket#setEnabledProtocols 252 * @see SSLSocket#setNeedClientAuth 253 */ 254 public SslRMIServerSocketFactory( 255 SSLContext context, 256 String[] enabledCipherSuites, 257 String[] enabledProtocols, 258 boolean needClientAuth, 259 String bindAddress) 260 throws IllegalArgumentException { 261 // Initialize the configuration parameters. 262 // 263 this.enabledCipherSuites = enabledCipherSuites == null ? 264 null : enabledCipherSuites.clone(); 265 this.enabledProtocols = enabledProtocols == null ? 266 null : enabledProtocols.clone(); 267 this.needClientAuth = needClientAuth; 268 269 // Force the initialization of the default at construction time, 270 // rather than delaying it to the first time createServerSocket() 271 // is called. 272 // 273 this.context = context; 274 final SSLSocketFactory sslSocketFactory = 275 context == null ? 276 getDefaultSSLSocketFactory() : context.getSocketFactory(); 277 SSLSocket sslSocket = null; 278 if (this.enabledCipherSuites != null || this.enabledProtocols != null) { 279 try { 280 sslSocket = (SSLSocket) sslSocketFactory.createSocket(); 281 } catch (Exception e) { 282 final String msg = "Unable to check if the cipher suites " + 283 "and protocols to enable are supported"; 284 throw (IllegalArgumentException) 285 new IllegalArgumentException(msg).initCause(e); 286 } 287 } 288 289 // Check if all the cipher suites and protocol versions to enable 290 // are supported by the underlying SSL/TLS implementation and if 291 // true create lists from arrays. 292 // 293 if (this.enabledCipherSuites != null) { 294 sslSocket.setEnabledCipherSuites(this.enabledCipherSuites); 295 enabledCipherSuitesList = Arrays.asList(this.enabledCipherSuites); 296 } 297 if (this.enabledProtocols != null) { 298 sslSocket.setEnabledProtocols(this.enabledProtocols); 299 enabledProtocolsList = Arrays.asList(this.enabledProtocols); 300 } 301 this.bindAddress = bindAddress; 302 } 303 304 /** 305 * <p>Returns the names of the cipher suites enabled on SSL 306 * connections accepted by server sockets created by this factory, 307 * or <code>null</code> if this factory uses the cipher suites 308 * that are enabled by default.</p> 309 * 310 * @return an array of cipher suites enabled, or <code>null</code> 311 * 312 * @see SSLSocket#setEnabledCipherSuites 313 */ 314 public final String[] getEnabledCipherSuites() { 315 return enabledCipherSuites == null ? 316 null : enabledCipherSuites.clone(); 317 } 318 319 /** 320 * <p>Returns the names of the protocol versions enabled on SSL 321 * connections accepted by server sockets created by this factory, 322 * or <code>null</code> if this factory uses the protocol versions 323 * that are enabled by default.</p> 324 * 325 * @return an array of protocol versions enabled, or 326 * <code>null</code> 327 * 328 * @see SSLSocket#setEnabledProtocols 329 */ 330 public final String[] getEnabledProtocols() { 331 return enabledProtocols == null ? 332 null : enabledProtocols.clone(); 333 } 334 335 /** 336 * <p>Returns <code>true</code> if client authentication is 337 * required on SSL connections accepted by server sockets created 338 * by this factory.</p> 339 * 340 * @return <code>true</code> if client authentication is required 341 * 342 * @see SSLSocket#setNeedClientAuth 343 */ 344 public final boolean getNeedClientAuth() { 345 return needClientAuth; 346 } 347 348 /** 349 * <p>Creates a server socket that accepts SSL connections 350 * configured according to this factory's SSL socket configuration 351 * parameters.</p> 352 */ 353 public ServerSocket createServerSocket(int port) throws IOException { 354 if (this.bindAddress == null) { 355 return new SslServerSocket(port); 356 } else { 357 try { 358 InetAddress addr = InetAddress.getByName(bindAddress); 359 return new SslServerSocket(port, 0, addr); 360 } catch (UnknownHostException e) { 361 return new SslServerSocket(port); 362 } 363 } 364 } 365 366 /** 367 * <p>Indicates whether some other object is "equal to" this one.</p> 368 * 369 * <p>Two <code>SslRMIServerSocketFactory</code> objects are equal 370 * if they have been constructed with the same SSL context and 371 * SSL socket configuration parameters.</p> 372 * 373 * <p>A subclass should override this method (as well as 374 * {@link #hashCode()}) if it adds instance state that affects 375 * equality.</p> 376 */ 377 public boolean equals(Object obj) { 378 if (obj == null) return false; 379 if (obj == this) return true; 380 if (!(obj instanceof SslRMIServerSocketFactory)) 381 return false; 382 SslRMIServerSocketFactory that = (SslRMIServerSocketFactory) obj; 383 return (getClass().equals(that.getClass()) && checkParameters(that)); 384 } 385 386 private boolean checkParameters(SslRMIServerSocketFactory that) { 387 // SSL context 388 // 389 if (context == null ? that.context != null : !context.equals(that.context)) 390 return false; 391 392 // needClientAuth flag 393 // 394 if (needClientAuth != that.needClientAuth) 395 return false; 396 397 // enabledCipherSuites 398 // 399 if ((enabledCipherSuites == null && that.enabledCipherSuites != null) || 400 (enabledCipherSuites != null && that.enabledCipherSuites == null)) 401 return false; 402 if (enabledCipherSuites != null && that.enabledCipherSuites != null) { 403 List<String> thatEnabledCipherSuitesList = 404 Arrays.asList(that.enabledCipherSuites); 405 if (!enabledCipherSuitesList.equals(thatEnabledCipherSuitesList)) 406 return false; 407 } 408 409 // enabledProtocols 410 // 411 if ((enabledProtocols == null && that.enabledProtocols != null) || 412 (enabledProtocols != null && that.enabledProtocols == null)) 413 return false; 414 if (enabledProtocols != null && that.enabledProtocols != null) { 415 List<String> thatEnabledProtocolsList = 416 Arrays.asList(that.enabledProtocols); 417 if (!enabledProtocolsList.equals(thatEnabledProtocolsList)) 418 return false; 419 } 420 421 return true; 422 } 423 424 /** 425 * <p>Returns a hash code value for this 426 * <code>SslRMIServerSocketFactory</code>.</p> 427 * 428 * @return a hash code value for this 429 * <code>SslRMIServerSocketFactory</code>. 430 */ 431 public int hashCode() { 432 return getClass().hashCode() + 433 (context == null ? 0 : context.hashCode()) + 434 (needClientAuth ? Boolean.TRUE.hashCode() : Boolean.FALSE.hashCode()) + 435 (enabledCipherSuites == null ? 0 : enabledCipherSuitesList.hashCode()) + 436 (enabledProtocols == null ? 0 : enabledProtocolsList.hashCode()); 437 } 438 439 // We use a static field because: 440 // 441 // SSLSocketFactory.getDefault() always returns the same object 442 // (at least on Sun's implementation), and we want to make sure 443 // that the Javadoc & the implementation stay in sync. 444 // 445 // If someone needs to have different SslRMIServerSocketFactory 446 // factories with different underlying SSLSocketFactory objects 447 // using different keystores and truststores, he/she can always 448 // use the constructor that takes an SSLContext as input. 449 // 450 private static SSLSocketFactory defaultSSLSocketFactory = null; 451 452 private static synchronized SSLSocketFactory getDefaultSSLSocketFactory() { 453 if (defaultSSLSocketFactory == null) 454 defaultSSLSocketFactory = 455 (SSLSocketFactory) SSLSocketFactory.getDefault(); 456 return defaultSSLSocketFactory; 457 } 458 459 private final String[] enabledCipherSuites; 460 private final String[] enabledProtocols; 461 private final boolean needClientAuth; 462 private List<String> enabledCipherSuitesList; 463 private List<String> enabledProtocolsList; 464 private SSLContext context; 465 private final String bindAddress; 466 467 private class SslServerSocket extends ServerSocket { 468 469 private SslServerSocket(int port) throws IOException { 470 super(port); 471 } 472 473 private SslServerSocket(int port, int backlog, InetAddress bindAddr) throws IOException { 474 super(port, backlog, bindAddr); 475 } 476 477 @Override 478 public Socket accept() throws IOException { 479 final SSLSocketFactory sslSocketFactory = 480 context == null ? 481 getDefaultSSLSocketFactory() : context.getSocketFactory(); 482 Socket socket = super.accept(); 483 SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket( 484 socket, socket.getInetAddress().getHostName(), 485 socket.getPort(), true); 486 sslSocket.setUseClientMode(false); 487 if (enabledCipherSuites != null) { 488 sslSocket.setEnabledCipherSuites(enabledCipherSuites); 489 } 490 if (enabledProtocols != null) { 491 sslSocket.setEnabledProtocols(enabledProtocols); 492 } 493 sslSocket.setNeedClientAuth(needClientAuth); 494 return sslSocket; 495 } 496 } 497 }