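/*
 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.ssl;

import sun.security.action.GetPropertyAction;

import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.*;

/**
 * Models a service that provides support for a particular client key exchange
 * mode. Currently used to implement Kerberos-related cipher suites.
 * <p>
 * Implementations are discovered with {@link ServiceLoader#loadInstalled},
 * so only providers installed with the runtime are consulted, not providers
 * on the application class path. The discovery runs once, when {@link Loader}
 * is initialized (i.e. on the first call to {@link #find}), with asserted
 * privileges limited to reading the {@code java.home} property and the files
 * below that directory.
 *
 * @since 1.9
 */
public interface ClientKeyExchangeService {

    /**
     * Internal registry of installed services, keyed by each key exchange
     * mode name the service reports through {@link #supported()}. Kept in a
     * nested class so the service lookup is deferred until {@link #find} is
     * first used rather than running when the interface itself is loaded.
     */
    class Loader {
        // Populated exactly once by the static initializer and published as
        // a read-only view; class initialization guarantees safe visibility.
        private static final Map<String,ClientKeyExchangeService> providers;

        static {
            final String key = "java.home";
            // Limited-privilege form: assert only the property-read permission.
            String path = AccessController.doPrivileged(
                    new GetPropertyAction(key), null,
                    new PropertyPermission(key, "read"));
            // "<java.home>/-" grants recursive read access below java.home,
            // which is what the loader needs to find installed provider files.
            ServiceLoader<ClientKeyExchangeService> sc =
                    AccessController.doPrivileged(
                            (PrivilegedAction<ServiceLoader<ClientKeyExchangeService>>)
                            () -> ServiceLoader.loadInstalled(
                                    ClientKeyExchangeService.class),
                            null,
                            new FilePermission(
                                    new File(path, "-").toString(), "read"));

            Map<String,ClientKeyExchangeService> found = new HashMap<>();
            for (ClientKeyExchangeService cs : sc) {
                String[] modes = cs.supported();
                if (modes == null) {
                    // A misbehaving provider must not abort class initialization,
                    // which would otherwise break every later find() call.
                    continue;
                }
                for (String ex : modes) {
                    // A later provider replaces an earlier one for the same mode.
                    found.put(ex, cs);
                }
            }
            providers = Collections.unmodifiableMap(found);
        }
    }

    /**
     * Looks up the installed service supporting the given key exchange mode.
     * @param ex the key exchange mode name, as reported by {@link #supported()}
     * @return the matching service, or {@code null} if no installed service
     *         supports the mode
     */
    static ClientKeyExchangeService find(String ex) {
        return Loader.providers.get(ex);
    }

    /**
     * Returns the key exchange modes supported by this provider.
     * @return the supported key exchange modes
     */
    String[] supported();

    /**
     * Returns a generalized credential object on the server side. The server
     * side can use the info to determine if a cipher suite can be enabled.
     * @param acc the AccessControlContext of the SSL session
     * @return the credential object
     */
    Object getServiceCreds(AccessControlContext acc);

    /**
     * Returns the host name for a service principal. The info can be used in
     * SNI or in a host name verifier.
     * @param principal the principal of a service
     * @return the host name as a string
     */
    String getServiceHostName(Principal principal);

    /**
     * Returns whether the specified principal is related to the current
     * SSLSession. The info can be used to verify an SSL session resumption.
     * @param isClient if true called from client side, otherwise from server
     * @param acc the AccessControlContext of the SSL session
     * @param p the specified principal
     * @return true if related
     */
    boolean isRelated(boolean isClient, AccessControlContext acc, Principal p);

    /**
     * Creates the ClientKeyExchange object on the client side.
     * @param serverName the intended peer name
     * @param acc the AccessControlContext of the SSL session
     * @param protocolVersion the TLS protocol version
     * @param rand the SecureRandom that will be used to generate the premaster
     * @return the new Exchanger object
     * @throws IOException if there is an error
     */
    ClientKeyExchange createClientExchange(String serverName,
            AccessControlContext acc, ProtocolVersion protocolVersion,
            SecureRandom rand) throws IOException;

    /**
     * Creates the ClientKeyExchange on the server side.
     * @param protocolVersion the protocol version
     * @param clientVersion the input protocol version
     * @param rand a SecureRandom object used to generate the premaster
     *        (if the server has to create one)
     * @param encodedTicket the ticket from the client
     * @param encrypted the encrypted premaster secret from the client
     * @param acc the AccessControlContext of the SSL session
     * @param serviceCreds the service side credentials object as retrieved from
     *        {@link #getServiceCreds}
     * @return the new Exchanger object
     * @throws IOException if there is an error
     */
    ClientKeyExchange createServerExchange(
            ProtocolVersion protocolVersion, ProtocolVersion clientVersion,
            SecureRandom rand, byte[] encodedTicket, byte[] encrypted,
            AccessControlContext acc, Object serviceCreds) throws IOException;
}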