1 /*
2 * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 /*
27 * NOTE: this file was copied from javax.net.ssl.SSLSecurity,
28 * but was heavily modified to allow com.sun.* users to
29 * access providers written using the javax.sun.* APIs.
30 */
31
32 package com.sun.net.ssl;
33
34 import java.util.*;
35 import java.io.*;
36 import java.security.*;
37 import java.security.Provider.Service;
38 import java.net.Socket;
39
40 import sun.security.jca.*;
41
42 /**
43 * This class instantiates implementations of JSSE engine classes from
44 * providers registered with the java.security.Security object.
45 *
46 * @author Jan Luehe
47 * @author Jeff Nisewanger
48 * @author Brad Wetmore
49 */
50
51 final class SSLSecurity {
52
53 /*
54 * Don't let anyone instantiate this.
55 */
56 private SSLSecurity() {
57 }
58
59
60 // ProviderList.getService() is not accessible now, implement our own loop
61 private static Service getService(String type, String alg) {
62 ProviderList list = Providers.getProviderList();
63 for (Provider p : list.providers()) {
64 Service s = p.getService(type, alg);
65 if (s != null) {
66 return s;
67 }
68 }
69 return null;
70 }
71
72 /**
73 * The body of the driver for the getImpl method.
74 */
75 private static Object[] getImpl1(String algName, String engineType,
76 Service service) throws NoSuchAlgorithmException
77 {
78 Provider provider = service.getProvider();
79 String className = service.getClassName();
80 Class<?> implClass;
81 try {
82 ClassLoader cl = provider.getClass().getClassLoader();
83 if (cl == null) {
84 // system class
85 implClass = Class.forName(className);
86 } else {
87 implClass = cl.loadClass(className);
88 }
89 } catch (ClassNotFoundException e) {
90 throw new NoSuchAlgorithmException("Class " + className +
91 " configured for " +
92 engineType +
93 " not found: " +
94 e.getMessage());
95 } catch (SecurityException e) {
96 throw new NoSuchAlgorithmException("Class " + className +
97 " configured for " +
98 engineType +
99 " cannot be accessed: " +
100 e.getMessage());
101 }
102
103 /*
104 * JSSE 1.0, 1.0.1, and 1.0.2 used the com.sun.net.ssl API as the
105 * API was being developed. As JSSE was folded into the main
106 * release, it was decided to promote the com.sun.net.ssl API to
107 * be javax.net.ssl. It is desired to keep binary compatibility
108 * with vendors of JSSE implementation written using the
109 * com.sun.net.sll API, so we do this magic to handle everything.
110 *
111 * API used Implementation used Supported?
112 * ======== =================== ==========
113 * com.sun javax Yes
114 * com.sun com.sun Yes
115 * javax javax Yes
116 * javax com.sun Not Currently
117 *
118 * Make sure the implementation class is a subclass of the
119 * corresponding engine class.
120 *
121 * In wrapping these classes, there's no way to know how to
122 * wrap all possible classes that extend the TrustManager/KeyManager.
123 * We only wrap the x509 variants.
124 */
125
126 try { // catch instantiation errors
127
128 /*
129 * (The following Class.forName()s should alway work, because
130 * this class and all the SPI classes in javax.crypto are
131 * loaded by the same class loader.) That is, unless they
132 * give us a SPI class that doesn't exist, say SSLFoo,
133 * or someone has removed classes from the java.base module.
134 */
135
136 Class<?> typeClassJavax;
137 Class<?> typeClassCom;
138 Object obj = null;
139
140 /*
141 * Odds are more likely that we have a javax variant, try this
142 * first.
143 */
144 if (((typeClassJavax = Class.forName("javax.net.ssl." +
145 engineType + "Spi")) != null) &&
146 (checkSuperclass(implClass, typeClassJavax))) {
147
148 if (engineType.equals("SSLContext")) {
149 obj = new SSLContextSpiWrapper(algName, provider);
150 } else if (engineType.equals("TrustManagerFactory")) {
151 obj = new TrustManagerFactorySpiWrapper(algName, provider);
152 } else if (engineType.equals("KeyManagerFactory")) {
153 obj = new KeyManagerFactorySpiWrapper(algName, provider);
154 } else {
155 /*
156 * We should throw an error if we get
157 * something totally unexpected. Don't ever
158 * expect to see this one...
159 */
160 throw new IllegalStateException(
161 "Class " + implClass.getName() +
162 " unknown engineType wrapper:" + engineType);
163 }
164
165 } else if (((typeClassCom = Class.forName("com.sun.net.ssl." +
166 engineType + "Spi")) != null) &&
167 (checkSuperclass(implClass, typeClassCom))) {
168 obj = service.newInstance(null);
169 }
170
171 if (obj != null) {
172 return new Object[] { obj, provider };
173 } else {
174 throw new NoSuchAlgorithmException(
175 "Couldn't locate correct object or wrapper: " +
176 engineType + " " + algName);
177 }
178
179 } catch (ClassNotFoundException e) {
180 IllegalStateException exc = new IllegalStateException(
181 "Engine Class Not Found for " + engineType);
182 exc.initCause(e);
183 throw exc;
184 }
185 }
186
187 /**
188 * Returns an array of objects: the first object in the array is
189 * an instance of an implementation of the requested algorithm
190 * and type, and the second object in the array identifies the provider
191 * of that implementation.
192 * The <code>provName</code> argument can be null, in which case all
193 * configured providers will be searched in order of preference.
194 */
195 static Object[] getImpl(String algName, String engineType, String provName)
196 throws NoSuchAlgorithmException, NoSuchProviderException
197 {
198 Service service;
199 if (provName != null) {
200 ProviderList list = Providers.getProviderList();
201 Provider prov = list.getProvider(provName);
202 if (prov == null) {
203 throw new NoSuchProviderException("No such provider: " +
204 provName);
205 }
206 service = prov.getService(engineType, algName);
207 } else {
208 service = getService(engineType, algName);
209 }
210 if (service == null) {
211 throw new NoSuchAlgorithmException("Algorithm " + algName
212 + " not available");
213 }
214 return getImpl1(algName, engineType, service);
215 }
216
217
218 /**
219 * Returns an array of objects: the first object in the array is
220 * an instance of an implementation of the requested algorithm
221 * and type, and the second object in the array identifies the provider
222 * of that implementation.
223 * The <code>prov</code> argument can be null, in which case all
224 * configured providers will be searched in order of preference.
225 */
226 static Object[] getImpl(String algName, String engineType, Provider prov)
227 throws NoSuchAlgorithmException
228 {
229 Service service = prov.getService(engineType, algName);
230 if (service == null) {
231 throw new NoSuchAlgorithmException("No such algorithm: " +
232 algName);
233 }
234 return getImpl1(algName, engineType, service);
235 }
236
237 /*
238 * Checks whether one class is the superclass of another
239 */
240 private static boolean checkSuperclass(Class<?> subclass, Class<?> superclass) {
241 if ((subclass == null) || (superclass == null))
242 return false;
243
244 while (!subclass.equals(superclass)) {
245 subclass = subclass.getSuperclass();
246 if (subclass == null) {
247 return false;
248 }
249 }
250 return true;
251 }
252
253 /*
254 * Return at most the first "resize" elements of an array.
255 *
256 * Didn't want to use java.util.Arrays, as PJava may not have it.
257 */
258 static Object[] truncateArray(Object[] oldArray, Object[] newArray) {
259
260 for (int i = 0; i < newArray.length; i++) {
261 newArray[i] = oldArray[i];
262 }
263
264 return newArray;
265 }
266
267 }
268
269
270 /*
271 * =================================================================
272 * The remainder of this file is for the wrapper and wrapper-support
273 * classes. When SSLSecurity finds something which extends the
274 * javax.net.ssl.*Spi, we need to go grab a real instance of the
275 * thing that the Spi supports, and wrap into a com.sun.net.ssl.*Spi
276 * object. This also mean that anything going down into the SPI
277 * needs to be wrapped, as well as anything coming back up.
278 */
279 @SuppressWarnings("deprecation")
280 final class SSLContextSpiWrapper extends SSLContextSpi {
281
282 private javax.net.ssl.SSLContext theSSLContext;
283
284 SSLContextSpiWrapper(String algName, Provider prov) throws
285 NoSuchAlgorithmException {
286 theSSLContext = javax.net.ssl.SSLContext.getInstance(algName, prov);
287 }
288
289 @SuppressWarnings("deprecation")
290 protected void engineInit(KeyManager[] kma, TrustManager[] tma,
291 SecureRandom sr) throws KeyManagementException {
292
293 // Keep track of the actual number of array elements copied
294 int dst;
295 int src;
296 javax.net.ssl.KeyManager[] kmaw;
297 javax.net.ssl.TrustManager[] tmaw;
298
299 // Convert com.sun.net.ssl.kma to a javax.net.ssl.kma
300 // wrapper if need be.
301 if (kma != null) {
302 kmaw = new javax.net.ssl.KeyManager[kma.length];
303 for (src = 0, dst = 0; src < kma.length; ) {
304 /*
305 * These key managers may implement both javax
306 * and com.sun interfaces, so if they do
307 * javax, there's no need to wrap them.
308 */
309 if (!(kma[src] instanceof javax.net.ssl.KeyManager)) {
310 /*
311 * Do we know how to convert them? If not, oh well...
312 * We'll have to drop them on the floor in this
313 * case, cause we don't know how to handle them.
314 * This will be pretty rare, but put here for
315 * completeness.
316 */
317 if (kma[src] instanceof X509KeyManager) {
318 kmaw[dst] = (javax.net.ssl.KeyManager)
319 new X509KeyManagerJavaxWrapper(
320 (X509KeyManager)kma[src]);
321 dst++;
322 }
323 } else {
324 // We can convert directly, since they implement.
325 kmaw[dst] = (javax.net.ssl.KeyManager)kma[src];
326 dst++;
327 }
328 src++;
329 }
330
331 /*
332 * If dst != src, there were more items in the original array
333 * than in the new array. Compress the new elements to avoid
334 * any problems down the road.
335 */
336 if (dst != src) {
337 kmaw = (javax.net.ssl.KeyManager [])
338 SSLSecurity.truncateArray(kmaw,
339 new javax.net.ssl.KeyManager [dst]);
340 }
341 } else {
342 kmaw = null;
343 }
344
345 // Now do the same thing with the TrustManagers.
346 if (tma != null) {
347 tmaw = new javax.net.ssl.TrustManager[tma.length];
348
349 for (src = 0, dst = 0; src < tma.length; ) {
350 /*
351 * These key managers may implement both...see above...
352 */
353 if (!(tma[src] instanceof javax.net.ssl.TrustManager)) {
354 // Do we know how to convert them?
355 if (tma[src] instanceof X509TrustManager) {
356 tmaw[dst] = (javax.net.ssl.TrustManager)
357 new X509TrustManagerJavaxWrapper(
358 (X509TrustManager)tma[src]);
359 dst++;
360 }
361 } else {
362 tmaw[dst] = (javax.net.ssl.TrustManager)tma[src];
363 dst++;
364 }
365 src++;
366 }
367
368 if (dst != src) {
369 tmaw = (javax.net.ssl.TrustManager [])
370 SSLSecurity.truncateArray(tmaw,
371 new javax.net.ssl.TrustManager [dst]);
372 }
373 } else {
374 tmaw = null;
375 }
376
377 theSSLContext.init(kmaw, tmaw, sr);
378 }
379
380 protected javax.net.ssl.SSLSocketFactory
381 engineGetSocketFactory() {
382 return theSSLContext.getSocketFactory();
383 }
384
385 protected javax.net.ssl.SSLServerSocketFactory
386 engineGetServerSocketFactory() {
387 return theSSLContext.getServerSocketFactory();
388 }
389
390 }
391
392 @SuppressWarnings("deprecation")
393 final class TrustManagerFactorySpiWrapper extends TrustManagerFactorySpi {
394
395 private javax.net.ssl.TrustManagerFactory theTrustManagerFactory;
396
397 TrustManagerFactorySpiWrapper(String algName, Provider prov) throws
398 NoSuchAlgorithmException {
399 theTrustManagerFactory =
400 javax.net.ssl.TrustManagerFactory.getInstance(algName, prov);
401 }
402
403 protected void engineInit(KeyStore ks) throws KeyStoreException {
404 theTrustManagerFactory.init(ks);
405 }
406
407 protected TrustManager[] engineGetTrustManagers() {
408
409 int dst;
410 int src;
411
412 javax.net.ssl.TrustManager[] tma =
413 theTrustManagerFactory.getTrustManagers();
414
415 TrustManager[] tmaw = new TrustManager[tma.length];
416
417 for (src = 0, dst = 0; src < tma.length; ) {
418 if (!(tma[src] instanceof com.sun.net.ssl.TrustManager)) {
419 // We only know how to wrap X509TrustManagers, as
420 // TrustManagers don't have any methods to wrap.
421 if (tma[src] instanceof javax.net.ssl.X509TrustManager) {
422 tmaw[dst] = (TrustManager)
423 new X509TrustManagerComSunWrapper(
424 (javax.net.ssl.X509TrustManager)tma[src]);
425 dst++;
426 }
427 } else {
428 tmaw[dst] = (TrustManager)tma[src];
429 dst++;
430 }
431 src++;
432 }
433
434 if (dst != src) {
435 tmaw = (TrustManager [])
436 SSLSecurity.truncateArray(tmaw, new TrustManager [dst]);
437 }
438
439 return tmaw;
440 }
441
442 }
443
444 @SuppressWarnings("deprecation")
445 final class KeyManagerFactorySpiWrapper extends KeyManagerFactorySpi {
446
447 private javax.net.ssl.KeyManagerFactory theKeyManagerFactory;
448
449 KeyManagerFactorySpiWrapper(String algName, Provider prov) throws
450 NoSuchAlgorithmException {
451 theKeyManagerFactory =
452 javax.net.ssl.KeyManagerFactory.getInstance(algName, prov);
453 }
454
455 protected void engineInit(KeyStore ks, char[] password)
456 throws KeyStoreException, NoSuchAlgorithmException,
457 UnrecoverableKeyException {
458 theKeyManagerFactory.init(ks, password);
459 }
460
461 protected KeyManager[] engineGetKeyManagers() {
462
463 int dst;
464 int src;
465
466 javax.net.ssl.KeyManager[] kma =
467 theKeyManagerFactory.getKeyManagers();
468
469 KeyManager[] kmaw = new KeyManager[kma.length];
470
471 for (src = 0, dst = 0; src < kma.length; ) {
472 if (!(kma[src] instanceof com.sun.net.ssl.KeyManager)) {
473 // We only know how to wrap X509KeyManagers, as
474 // KeyManagers don't have any methods to wrap.
475 if (kma[src] instanceof javax.net.ssl.X509KeyManager) {
476 kmaw[dst] = (KeyManager)
477 new X509KeyManagerComSunWrapper(
478 (javax.net.ssl.X509KeyManager)kma[src]);
479 dst++;
480 }
481 } else {
482 kmaw[dst] = (KeyManager)kma[src];
483 dst++;
484 }
485 src++;
486 }
487
488 if (dst != src) {
489 kmaw = (KeyManager [])
490 SSLSecurity.truncateArray(kmaw, new KeyManager [dst]);
491 }
492
493 return kmaw;
494 }
495
496 }
497
498 // =================================
499
500 @SuppressWarnings("deprecation")
501 final class X509KeyManagerJavaxWrapper implements
502 javax.net.ssl.X509KeyManager {
503
504 private X509KeyManager theX509KeyManager;
505
506 X509KeyManagerJavaxWrapper(X509KeyManager obj) {
507 theX509KeyManager = obj;
508 }
509
510 public String[] getClientAliases(String keyType, Principal[] issuers) {
511 return theX509KeyManager.getClientAliases(keyType, issuers);
512 }
513
514 public String chooseClientAlias(String[] keyTypes, Principal[] issuers,
515 Socket socket) {
516 String retval;
517
518 if (keyTypes == null) {
519 return null;
520 }
521
522 /*
523 * Scan the list, look for something we can pass back.
524 */
525 for (int i = 0; i < keyTypes.length; i++) {
526 if ((retval = theX509KeyManager.chooseClientAlias(keyTypes[i],
527 issuers)) != null)
528 return retval;
529 }
530 return null;
531
532 }
533
534 /*
535 * JSSE 1.0.x was only socket based, but it's possible someone might
536 * want to install a really old provider. We should at least
537 * try to be nice.
538 */
539 public String chooseEngineClientAlias(
540 String[] keyTypes, Principal[] issuers,
541 javax.net.ssl.SSLEngine engine) {
542 String retval;
543
544 if (keyTypes == null) {
545 return null;
546 }
547
548 /*
549 * Scan the list, look for something we can pass back.
550 */
551 for (int i = 0; i < keyTypes.length; i++) {
552 if ((retval = theX509KeyManager.chooseClientAlias(keyTypes[i],
553 issuers)) != null)
554 return retval;
555 }
556
557 return null;
558 }
559
560 public String[] getServerAliases(String keyType, Principal[] issuers) {
561 return theX509KeyManager.getServerAliases(keyType, issuers);
562 }
563
564 public String chooseServerAlias(String keyType, Principal[] issuers,
565 Socket socket) {
566
567 if (keyType == null) {
568 return null;
569 }
570 return theX509KeyManager.chooseServerAlias(keyType, issuers);
571 }
572
573 /*
574 * JSSE 1.0.x was only socket based, but it's possible someone might
575 * want to install a really old provider. We should at least
576 * try to be nice.
577 */
578 public String chooseEngineServerAlias(
579 String keyType, Principal[] issuers,
580 javax.net.ssl.SSLEngine engine) {
581
582 if (keyType == null) {
583 return null;
584 }
585 return theX509KeyManager.chooseServerAlias(keyType, issuers);
586 }
587
588 public java.security.cert.X509Certificate[]
589 getCertificateChain(String alias) {
590 return theX509KeyManager.getCertificateChain(alias);
591 }
592
593 public PrivateKey getPrivateKey(String alias) {
594 return theX509KeyManager.getPrivateKey(alias);
595 }
596 }
597
598 @SuppressWarnings("deprecation")
599 final class X509TrustManagerJavaxWrapper implements
600 javax.net.ssl.X509TrustManager {
601
602 private X509TrustManager theX509TrustManager;
603
604 X509TrustManagerJavaxWrapper(X509TrustManager obj) {
605 theX509TrustManager = obj;
606 }
607
608 public void checkClientTrusted(
609 java.security.cert.X509Certificate[] chain, String authType)
610 throws java.security.cert.CertificateException {
611 if (!theX509TrustManager.isClientTrusted(chain)) {
612 throw new java.security.cert.CertificateException(
613 "Untrusted Client Certificate Chain");
614 }
615 }
616
617 public void checkServerTrusted(
618 java.security.cert.X509Certificate[] chain, String authType)
619 throws java.security.cert.CertificateException {
620 if (!theX509TrustManager.isServerTrusted(chain)) {
621 throw new java.security.cert.CertificateException(
622 "Untrusted Server Certificate Chain");
623 }
624 }
625
626 public java.security.cert.X509Certificate[] getAcceptedIssuers() {
627 return theX509TrustManager.getAcceptedIssuers();
628 }
629 }
630
631 @SuppressWarnings("deprecation")
632 final class X509KeyManagerComSunWrapper implements X509KeyManager {
633
634 private javax.net.ssl.X509KeyManager theX509KeyManager;
635
636 X509KeyManagerComSunWrapper(javax.net.ssl.X509KeyManager obj) {
637 theX509KeyManager = obj;
638 }
639
640 public String[] getClientAliases(String keyType, Principal[] issuers) {
641 return theX509KeyManager.getClientAliases(keyType, issuers);
642 }
643
644 public String chooseClientAlias(String keyType, Principal[] issuers) {
645 String [] keyTypes = new String [] { keyType };
646 return theX509KeyManager.chooseClientAlias(keyTypes, issuers, null);
647 }
648
649 public String[] getServerAliases(String keyType, Principal[] issuers) {
650 return theX509KeyManager.getServerAliases(keyType, issuers);
651 }
652
653 public String chooseServerAlias(String keyType, Principal[] issuers) {
654 return theX509KeyManager.chooseServerAlias(keyType, issuers, null);
655 }
656
657 public java.security.cert.X509Certificate[]
658 getCertificateChain(String alias) {
659 return theX509KeyManager.getCertificateChain(alias);
660 }
661
662 public PrivateKey getPrivateKey(String alias) {
663 return theX509KeyManager.getPrivateKey(alias);
664 }
665 }
666
667 @SuppressWarnings("deprecation")
668 final class X509TrustManagerComSunWrapper implements X509TrustManager {
669
670 private javax.net.ssl.X509TrustManager theX509TrustManager;
671
672 X509TrustManagerComSunWrapper(javax.net.ssl.X509TrustManager obj) {
673 theX509TrustManager = obj;
674 }
675
676 public boolean isClientTrusted(
677 java.security.cert.X509Certificate[] chain) {
678 try {
679 theX509TrustManager.checkClientTrusted(chain, "UNKNOWN");
680 return true;
681 } catch (java.security.cert.CertificateException e) {
682 return false;
683 }
684 }
685
686 public boolean isServerTrusted(
687 java.security.cert.X509Certificate[] chain) {
688 try {
689 theX509TrustManager.checkServerTrusted(chain, "UNKNOWN");
690 return true;
691 } catch (java.security.cert.CertificateException e) {
692 return false;
693 }
694 }
695
696 public java.security.cert.X509Certificate[] getAcceptedIssuers() {
697 return theX509TrustManager.getAcceptedIssuers();
698 }
699 }