35 import java.util.Arrays;
36 import java.util.Collection;
37 import java.util.Collections;
38 import java.util.HashMap;
39 import java.util.List;
40 import java.util.function.BiFunction;
41 import javax.net.ssl.HandshakeCompletedListener;
42 import javax.net.ssl.SNIMatcher;
43 import javax.net.ssl.SNIServerName;
44 import javax.net.ssl.SSLEngine;
45 import javax.net.ssl.SSLParameters;
46 import javax.net.ssl.SSLSocket;
47 import sun.security.ssl.SSLExtension.ClientExtensions;
48 import sun.security.ssl.SSLExtension.ServerExtensions;
49
50 /**
51 * SSL/(D)TLS configuration.
52 */
53 final class SSLConfiguration implements Cloneable {
54 // configurations with SSLParameters
55 AlgorithmConstraints algorithmConstraints;
56 List<ProtocolVersion> enabledProtocols;
57 List<CipherSuite> enabledCipherSuites;
58 ClientAuthType clientAuthType;
59 String identificationProtocol;
60 List<SNIServerName> serverNames;
61 Collection<SNIMatcher> sniMatchers;
62 String[] applicationProtocols;
63 boolean preferLocalCipherSuites;
64 boolean enableRetransmissions;
65 int maximumPacketSize;
66
67 // the maximum protocol version of enabled protocols
68 ProtocolVersion maximumProtocolVersion;
69
70 // Configurations per SSLSocket or SSLEngine instance.
71 boolean isClientMode;
72 boolean enableSessionCreation;
73
74 // the application layer protocol negotiation configuration
75 BiFunction<SSLSocket, List<String>, String> socketAPSelector;
100 static final boolean acknowledgeCloseNotify = Utilities.getBooleanProperty(
101 "jdk.tls.acknowledgeCloseNotify", false);
102
103 // Is the extended_master_secret extension supported?
104 static {
105 boolean supportExtendedMasterSecret = Utilities.getBooleanProperty(
106 "jdk.tls.useExtendedMasterSecret", true);
107 if (supportExtendedMasterSecret) {
108 try {
109 JsseJce.getKeyGenerator("SunTlsExtendedMasterSecret");
110 } catch (NoSuchAlgorithmException nae) {
111 supportExtendedMasterSecret = false;
112 }
113 }
114 useExtendedMasterSecret = supportExtendedMasterSecret;
115 }
116
117 SSLConfiguration(SSLContextImpl sslContext, boolean isClientMode) {
118
119 // Configurations with SSLParameters, default values.
120 this.algorithmConstraints = SSLAlgorithmConstraints.DEFAULT;
121 this.enabledProtocols =
122 sslContext.getDefaultProtocolVersions(!isClientMode);
123 this.enabledCipherSuites =
124 sslContext.getDefaultCipherSuites(!isClientMode);
125 this.clientAuthType = ClientAuthType.CLIENT_AUTH_NONE;
126
127 this.identificationProtocol = null;
128 this.serverNames = Collections.<SNIServerName>emptyList();
129 this.sniMatchers = Collections.<SNIMatcher>emptyList();
130 this.preferLocalCipherSuites = false;
131
132 this.applicationProtocols = new String[0];
133 this.enableRetransmissions = sslContext.isDTLS();
134 this.maximumPacketSize = 0; // please reset it explicitly later
135
136 this.maximumProtocolVersion = ProtocolVersion.NONE;
137 for (ProtocolVersion pv : enabledProtocols) {
138 if (pv.compareTo(maximumProtocolVersion) > 0) {
139 this.maximumProtocolVersion = pv;
140 }
141 }
142
143 // Configurations per SSLSocket or SSLEngine instance.
144 this.isClientMode = isClientMode;
145 this.enableSessionCreation = true;
146 this.socketAPSelector = null;
147 this.engineAPSelector = null;
148
149 this.handshakeListeners = null;
150 this.noSniExtension = false;
151 this.noSniMatcher = false;
152 }
153
154 SSLParameters getSSLParameters() {
155 SSLParameters params = new SSLParameters();
156
157 params.setAlgorithmConstraints(this.algorithmConstraints);
158 params.setProtocols(ProtocolVersion.toStringArray(enabledProtocols));
159 params.setCipherSuites(CipherSuite.namesOf(enabledCipherSuites));
160 switch (this.clientAuthType) {
161 case CLIENT_AUTH_REQUIRED:
162 params.setNeedClientAuth(true);
163 break;
164 case CLIENT_AUTH_REQUESTED:
165 params.setWantClientAuth(true);
166 break;
167 default:
168 params.setWantClientAuth(false);
169 }
170 params.setEndpointIdentificationAlgorithm(this.identificationProtocol);
171
172 if (serverNames.isEmpty() && !noSniExtension) {
173 // 'null' indicates none has been set
174 params.setServerNames(null);
175 } else {
176 params.setServerNames(this.serverNames);
177 }
178
179 if (sniMatchers.isEmpty() && !noSniMatcher) {
180 // 'null' indicates none has been set
181 params.setSNIMatchers(null);
182 } else {
183 params.setSNIMatchers(this.sniMatchers);
184 }
185
186 params.setApplicationProtocols(this.applicationProtocols);
187 params.setUseCipherSuitesOrder(this.preferLocalCipherSuites);
188 params.setEnableRetransmissions(this.enableRetransmissions);
189 params.setMaximumPacketSize(this.maximumPacketSize);
190
191 return params;
192 }
193
194 void setSSLParameters(SSLParameters params) {
195 AlgorithmConstraints ac = params.getAlgorithmConstraints();
196 if (ac != null) {
197 this.algorithmConstraints = ac;
198 } // otherwise, use the default value
199
200 String[] sa = params.getCipherSuites();
201 if (sa != null) {
202 this.enabledCipherSuites = CipherSuite.validValuesOf(sa);
203 } // otherwise, use the default values
204
205 sa = params.getProtocols();
206 if (sa != null) {
207 this.enabledProtocols = ProtocolVersion.namesOf(sa);
208
209 this.maximumProtocolVersion = ProtocolVersion.NONE;
210 for (ProtocolVersion pv : enabledProtocols) {
211 if (pv.compareTo(maximumProtocolVersion) > 0) {
212 this.maximumProtocolVersion = pv;
213 }
214 }
215 } // otherwise, use the default values
216
217 if (params.getNeedClientAuth()) {
|
35 import java.util.Arrays;
36 import java.util.Collection;
37 import java.util.Collections;
38 import java.util.HashMap;
39 import java.util.List;
40 import java.util.function.BiFunction;
41 import javax.net.ssl.HandshakeCompletedListener;
42 import javax.net.ssl.SNIMatcher;
43 import javax.net.ssl.SNIServerName;
44 import javax.net.ssl.SSLEngine;
45 import javax.net.ssl.SSLParameters;
46 import javax.net.ssl.SSLSocket;
47 import sun.security.ssl.SSLExtension.ClientExtensions;
48 import sun.security.ssl.SSLExtension.ServerExtensions;
49
50 /**
51 * SSL/(D)TLS configuration.
52 */
53 final class SSLConfiguration implements Cloneable {
54 // configurations with SSLParameters
55 AlgorithmConstraints userSpecifiedAlgorithmConstraints;
56 List<ProtocolVersion> enabledProtocols;
57 List<CipherSuite> enabledCipherSuites;
58 ClientAuthType clientAuthType;
59 String identificationProtocol;
60 List<SNIServerName> serverNames;
61 Collection<SNIMatcher> sniMatchers;
62 String[] applicationProtocols;
63 boolean preferLocalCipherSuites;
64 boolean enableRetransmissions;
65 int maximumPacketSize;
66
67 // the maximum protocol version of enabled protocols
68 ProtocolVersion maximumProtocolVersion;
69
70 // Configurations per SSLSocket or SSLEngine instance.
71 boolean isClientMode;
72 boolean enableSessionCreation;
73
74 // the application layer protocol negotiation configuration
75 BiFunction<SSLSocket, List<String>, String> socketAPSelector;
100 static final boolean acknowledgeCloseNotify = Utilities.getBooleanProperty(
101 "jdk.tls.acknowledgeCloseNotify", false);
102
103 // Is the extended_master_secret extension supported?
104 static {
105 boolean supportExtendedMasterSecret = Utilities.getBooleanProperty(
106 "jdk.tls.useExtendedMasterSecret", true);
107 if (supportExtendedMasterSecret) {
108 try {
109 JsseJce.getKeyGenerator("SunTlsExtendedMasterSecret");
110 } catch (NoSuchAlgorithmException nae) {
111 supportExtendedMasterSecret = false;
112 }
113 }
114 useExtendedMasterSecret = supportExtendedMasterSecret;
115 }
116
117 SSLConfiguration(SSLContextImpl sslContext, boolean isClientMode) {
118
119 // Configurations with SSLParameters, default values.
120 this.userSpecifiedAlgorithmConstraints =
121 SSLAlgorithmConstraints.DEFAULT;
122 this.enabledProtocols =
123 sslContext.getDefaultProtocolVersions(!isClientMode);
124 this.enabledCipherSuites =
125 sslContext.getDefaultCipherSuites(!isClientMode);
126 this.clientAuthType = ClientAuthType.CLIENT_AUTH_NONE;
127
128 this.identificationProtocol = null;
129 this.serverNames = Collections.<SNIServerName>emptyList();
130 this.sniMatchers = Collections.<SNIMatcher>emptyList();
131 this.preferLocalCipherSuites = false;
132
133 this.applicationProtocols = new String[0];
134 this.enableRetransmissions = sslContext.isDTLS();
135 this.maximumPacketSize = 0; // please reset it explicitly later
136
137 this.maximumProtocolVersion = ProtocolVersion.NONE;
138 for (ProtocolVersion pv : enabledProtocols) {
139 if (pv.compareTo(maximumProtocolVersion) > 0) {
140 this.maximumProtocolVersion = pv;
141 }
142 }
143
144 // Configurations per SSLSocket or SSLEngine instance.
145 this.isClientMode = isClientMode;
146 this.enableSessionCreation = true;
147 this.socketAPSelector = null;
148 this.engineAPSelector = null;
149
150 this.handshakeListeners = null;
151 this.noSniExtension = false;
152 this.noSniMatcher = false;
153 }
154
155 SSLParameters getSSLParameters() {
156 SSLParameters params = new SSLParameters();
157
158 params.setAlgorithmConstraints(this.userSpecifiedAlgorithmConstraints);
159 params.setProtocols(ProtocolVersion.toStringArray(enabledProtocols));
160 params.setCipherSuites(CipherSuite.namesOf(enabledCipherSuites));
161 switch (this.clientAuthType) {
162 case CLIENT_AUTH_REQUIRED:
163 params.setNeedClientAuth(true);
164 break;
165 case CLIENT_AUTH_REQUESTED:
166 params.setWantClientAuth(true);
167 break;
168 default:
169 params.setWantClientAuth(false);
170 }
171 params.setEndpointIdentificationAlgorithm(this.identificationProtocol);
172
173 if (serverNames.isEmpty() && !noSniExtension) {
174 // 'null' indicates none has been set
175 params.setServerNames(null);
176 } else {
177 params.setServerNames(this.serverNames);
178 }
179
180 if (sniMatchers.isEmpty() && !noSniMatcher) {
181 // 'null' indicates none has been set
182 params.setSNIMatchers(null);
183 } else {
184 params.setSNIMatchers(this.sniMatchers);
185 }
186
187 params.setApplicationProtocols(this.applicationProtocols);
188 params.setUseCipherSuitesOrder(this.preferLocalCipherSuites);
189 params.setEnableRetransmissions(this.enableRetransmissions);
190 params.setMaximumPacketSize(this.maximumPacketSize);
191
192 return params;
193 }
194
195 void setSSLParameters(SSLParameters params) {
196 AlgorithmConstraints ac = params.getAlgorithmConstraints();
197 if (ac != null) {
198 this.userSpecifiedAlgorithmConstraints = ac;
199 } // otherwise, use the default value
200
201 String[] sa = params.getCipherSuites();
202 if (sa != null) {
203 this.enabledCipherSuites = CipherSuite.validValuesOf(sa);
204 } // otherwise, use the default values
205
206 sa = params.getProtocols();
207 if (sa != null) {
208 this.enabledProtocols = ProtocolVersion.namesOf(sa);
209
210 this.maximumProtocolVersion = ProtocolVersion.NONE;
211 for (ProtocolVersion pv : enabledProtocols) {
212 if (pv.compareTo(maximumProtocolVersion) > 0) {
213 this.maximumProtocolVersion = pv;
214 }
215 }
216 } // otherwise, use the default values
217
218 if (params.getNeedClientAuth()) {
|