1 /*
   2  * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.ssl;
  27 
  28 import sun.security.action.GetPropertyAction;
  29 
  30 import java.io.File;
  31 import java.io.FilePermission;
  32 import java.io.IOException;
  33 import java.security.AccessControlContext;
  34 import java.security.AccessController;
  35 import java.security.Principal;
  36 import java.security.PrivilegedAction;
  37 import java.security.SecureRandom;
  38 import java.util.*;
  39 
  40 /**
  41  * Models a service that provides support for a particular client key exchange
  42  * mode. Currently used to implement Kerberos-related cipher suites.
  43  *
  44  * @since 1.9
  45  */
  46 public interface ClientKeyExchangeService {
  47 
  48     static class Loader {
  49         private static final Map<String,ClientKeyExchangeService>
  50                 providers = new HashMap<>();
  51 
  52         static {
  53             final String key = "java.home";
  54             String path = AccessController.doPrivileged(
  55                     new GetPropertyAction(key), null,
  56                     new PropertyPermission(key, "read"));
  57             ServiceLoader<ClientKeyExchangeService> sc =
  58                     AccessController.doPrivileged(
  59                             (PrivilegedAction<ServiceLoader<ClientKeyExchangeService>>)
  60                                     () -> ServiceLoader.loadInstalled(ClientKeyExchangeService.class),
  61                             null,
  62                             new FilePermission(new File(path, "-").toString(), "read"));
  63             Iterator<ClientKeyExchangeService> iter = sc.iterator();
  64             while (iter.hasNext()) {
  65                 ClientKeyExchangeService cs = iter.next();
  66                 for (String ex: cs.supported()) {
  67                     providers.put(ex, cs);
  68                 }
  69             }
  70         }
  71 
  72     }
  73 
  74     public static ClientKeyExchangeService find(String ex) {
  75         return Loader.providers.get(ex);
  76     }
  77 
  78 
  79     /**
  80      * Returns the supported key exchange modes by this provider.
  81      * @return the supported key exchange modes
  82      */
  83     String[] supported();
  84 
  85     /**
  86      * Returns a generalized credential object on the server side. The server
  87      * side can use the info to determine if a cipher suite can be enabled.
  88      * @param acc the AccessControlContext of the SSL session
  89      * @return the credential object
  90      */
  91     Object getServiceCreds(AccessControlContext acc);
  92 
  93     /**
  94      * Returns the host name for a service principal. The info can be used in
  95      * SNI or host name verifier.
  96      * @param principal the principal of a service
  97      * @return the string formed host name
  98      */
  99     String getServiceHostName(Principal principal);
 100 
 101     /**
 102      * Returns whether the specified principal is related to the current
 103      * SSLSession. The info can be used to verify a SSL resume.
 104      * @param isClient if true called from client side, otherwise from server
 105      * @param acc the AccessControlContext of the SSL session
 106      * @param p the specified principal
 107      * @return true if related
 108      */
 109     boolean isRelated(boolean isClient, AccessControlContext acc, Principal p);
 110 
 111     /**
 112      * Creates the ClientKeyExchange object on the client side.
 113      * @param serverName the intented peer name
 114      * @param acc the AccessControlContext of the SSL session
 115      * @param protocolVersion the TLS protocol version
 116      * @param rand the SecureRandom that will used to generate the premaster
 117      * @return the new Exchanger object
 118      * @throws IOException if there is an error
 119      */
 120     ClientKeyExchange createClientExchange(String serverName, AccessControlContext acc,
 121             ProtocolVersion protocolVersion, SecureRandom rand) throws IOException;
 122 
 123     /**
 124      * Create the ClientKeyExchange on the server side.
 125      * @param protocolVersion the protocol version
 126      * @param clientVersion the input protocol version
 127      * @param rand a SecureRandom object used to generate premaster
 128      *             (if the server has to create one)
 129      * @param encodedTicket the ticket from client
 130      * @param encrypted the encrypted premaster secret from client
 131      * @param acc the AccessControlContext of the SSL session
 132      * @param ServiceCreds the service side credentials object as retrived from
 133      *                     {@link #getServiceCreds}
 134      * @return the new Exchanger object
 135      * @throws IOException if there is an error
 136      */
 137     ClientKeyExchange createServerExchange(
 138             ProtocolVersion protocolVersion, ProtocolVersion clientVersion,
 139             SecureRandom rand, byte[] encodedTicket, byte[] encrypted,
 140             AccessControlContext acc, Object ServiceCreds) throws IOException;
 141 }