
src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java

rev 52979 : 8215281: Use String.isEmpty() when applicable in java.base
Reviewed-by: TBD


 419                             "Ignore unsupported cipher suite: " + suite);
 420                 }
 421             }
 422         }
 423 
 424         return new ArrayList<>(suites);
 425     }
 426 
 427     /*
 428      * Get the customized cipher suites specified by the given system property.
 429      */
 430     private static Collection<CipherSuite> getCustomizedCipherSuites(
 431             String propertyName) {
 432 
 433         String property = GetPropertyAction.privilegedGetProperty(propertyName);
 434         if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
 435             SSLLogger.fine(
 436                     "System property " + propertyName + " is set to '" +
 437                     property + "'");
 438         }
 439         if (property != null && property.length() != 0) {
 440             // remove double quote marks from beginning/end of the property
 441             if (property.length() > 1 && property.charAt(0) == '"' &&
 442                     property.charAt(property.length() - 1) == '"') {
 443                 property = property.substring(1, property.length() - 1);
 444             }
 445         }
 446 
 447         if (property != null && property.length() != 0) {
 448             String[] cipherSuiteNames = property.split(",");
 449             Collection<CipherSuite> cipherSuites =
 450                         new ArrayList<>(cipherSuiteNames.length);
 451             for (int i = 0; i < cipherSuiteNames.length; i++) {
 452                 cipherSuiteNames[i] = cipherSuiteNames[i].trim();
 453                 if (cipherSuiteNames[i].isEmpty()) {
 454                     continue;
 455                 }
 456 
 457                 CipherSuite suite;
 458                 try {
 459                     suite = CipherSuite.nameOf(cipherSuiteNames[i]);
 460                 } catch (IllegalArgumentException iae) {
 461                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
 462                         SSLLogger.fine(
 463                                 "Unknown or unsupported cipher suite name: " +
 464                                 cipherSuiteNames[i]);
 465                     }
 466 
 467                     continue;


 828                 new ArrayList<>();
 829 
 830         // Don't want a java.lang.LinkageError for illegal system property.
 831         //
 832         // Please don't throw exception in this static block.  Otherwise,
 833         // java.lang.LinkageError may be thrown during the instantiation of
 834         // the provider service. Instead, please handle the initialization
 835         // exception in the caller's constructor.
 836         static {
 837             populate(JDK_TLS_CLIENT_PROTOCOLS, customizedClientProtocols);
 838             populate(JDK_TLS_SERVER_PROTOCOLS, customizedServerProtocols);
 839         }
 840 
 841         private static void populate(String propname,
 842                 ArrayList<ProtocolVersion> arrayList) {
 843             String property = GetPropertyAction.privilegedGetProperty(propname);
 844             if (property == null) {
 845                 return;
 846             }
 847 
 848             if (property.length() != 0) {
 849                 // remove double quote marks from beginning/end of the property
 850                 if (property.length() > 1 && property.charAt(0) == '"' &&
 851                         property.charAt(property.length() - 1) == '"') {
 852                     property = property.substring(1, property.length() - 1);
 853                 }
 854             }
 855 
 856             if (property.length() != 0) {
 857                 String[] protocols = property.split(",");
 858                 for (int i = 0; i < protocols.length; i++) {
 859                     protocols[i] = protocols[i].trim();
 860                     // Is it a supported protocol name?
 861                     ProtocolVersion pv =
 862                             ProtocolVersion.nameOf(protocols[i]);
 863                     if (pv == null) {
 864                         reservedException = new IllegalArgumentException(
 865                             propname + ": " + protocols[i] +
 866                             " is not a supported SSL protocol name");
 867                     }
 868 
 869                     if (SunJSSE.isFIPS() &&
 870                             ((pv == ProtocolVersion.SSL30) ||
 871                              (pv == ProtocolVersion.SSL20Hello))) {
 872                         reservedException = new IllegalArgumentException(
 873                                 propname + ": " + pv +
 874                                 " is not FIPS compliant");
 875 
 876                         break;


1092             String defaultKeyStoreType = props.get("keyStoreType");
1093             String defaultKeyStoreProvider = props.get("keyStoreProvider");
1094             if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
1095                 SSLLogger.fine("keyStore is : " + defaultKeyStore);
1096                 SSLLogger.fine("keyStore type is : " +
1097                                         defaultKeyStoreType);
1098                 SSLLogger.fine("keyStore provider is : " +
1099                                         defaultKeyStoreProvider);
1100             }
1101 
1102             if (P11KEYSTORE.equals(defaultKeyStoreType) &&
1103                     !NONE.equals(defaultKeyStore)) {
1104                 throw new IllegalArgumentException("if keyStoreType is "
1105                     + P11KEYSTORE + ", then keyStore must be " + NONE);
1106             }
1107 
1108             FileInputStream fs = null;
1109             KeyStore ks = null;
1110             char[] passwd = null;
1111             try {
1112                 if (defaultKeyStore.length() != 0 &&
1113                         !NONE.equals(defaultKeyStore)) {
1114                     fs = AccessController.doPrivileged(
1115                             new PrivilegedExceptionAction<FileInputStream>() {
1116                         @Override
1117                         public FileInputStream run() throws Exception {
1118                             return new FileInputStream(defaultKeyStore);
1119                         }
1120                     });
1121                 }
1122 
1123                 String defaultKeyStorePassword = props.get("keyStorePasswd");
1124                 if (defaultKeyStorePassword.length() != 0) {
1125                     passwd = defaultKeyStorePassword.toCharArray();
1126                 }
1127 
1128                 /**
1129                  * Try to initialize key store.
1130                  */
1131                 if ((defaultKeyStoreType.length()) != 0) {
1132                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
1133                         SSLLogger.finest("init keystore");
1134                     }
1135                     if (defaultKeyStoreProvider.length() == 0) {
1136                         ks = KeyStore.getInstance(defaultKeyStoreType);
1137                     } else {
1138                         ks = KeyStore.getInstance(defaultKeyStoreType,
1139                                             defaultKeyStoreProvider);
1140                     }
1141 
1142                     // if defaultKeyStore is NONE, fs will be null
1143                     ks.load(fs, passwd);
1144                 }
1145             } finally {
1146                 if (fs != null) {
1147                     fs.close();
1148                     fs = null;
1149                 }
1150             }
1151 
1152             /*
1153              * Try to initialize key manager.
1154              */
1155             if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {


1544     public void checkServerTrusted(X509Certificate[] chain, String authType,
1545             SSLEngine engine) throws CertificateException {
1546         tm.checkServerTrusted(chain, authType);
1547         checkAdditionalTrust(chain, authType, engine, false);
1548     }
1549 
1550     private void checkAdditionalTrust(X509Certificate[] chain, String authType,
1551                 Socket socket, boolean isClient) throws CertificateException {
1552         if (socket != null && socket.isConnected() &&
1553                                     socket instanceof SSLSocket) {
1554 
1555             SSLSocket sslSocket = (SSLSocket)socket;
1556             SSLSession session = sslSocket.getHandshakeSession();
1557             if (session == null) {
1558                 throw new CertificateException("No handshake session");
1559             }
1560 
1561             // check endpoint identity
1562             String identityAlg = sslSocket.getSSLParameters().
1563                                         getEndpointIdentificationAlgorithm();
1564             if (identityAlg != null && identityAlg.length() != 0) {
1565                 String hostname = session.getPeerHost();
1566                 X509TrustManagerImpl.checkIdentity(
1567                                     hostname, chain[0], identityAlg);
1568             }
1569 
1570             // try the best to check the algorithm constraints
1571             AlgorithmConstraints constraints;
1572             if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
1573                 if (session instanceof ExtendedSSLSession) {
1574                     ExtendedSSLSession extSession =
1575                                     (ExtendedSSLSession)session;
1576                     String[] peerSupportedSignAlgs =
1577                             extSession.getLocalSupportedSignatureAlgorithms();
1578 
1579                     constraints = new SSLAlgorithmConstraints(
1580                                     sslSocket, peerSupportedSignAlgs, true);
1581                 } else {
1582                     constraints =
1583                             new SSLAlgorithmConstraints(sslSocket, true);
1584                 }
1585             } else {
1586                 constraints = new SSLAlgorithmConstraints(sslSocket, true);
1587             }
1588 
1589             checkAlgorithmConstraints(chain, constraints, isClient);
1590         }
1591     }
1592 
1593     private void checkAdditionalTrust(X509Certificate[] chain, String authType,
1594             SSLEngine engine, boolean isClient) throws CertificateException {
1595         if (engine != null) {
1596             SSLSession session = engine.getHandshakeSession();
1597             if (session == null) {
1598                 throw new CertificateException("No handshake session");
1599             }
1600 
1601             // check endpoint identity
1602             String identityAlg = engine.getSSLParameters().
1603                                         getEndpointIdentificationAlgorithm();
1604             if (identityAlg != null && identityAlg.length() != 0) {
1605                 String hostname = session.getPeerHost();
1606                 X509TrustManagerImpl.checkIdentity(
1607                                     hostname, chain[0], identityAlg);
1608             }
1609 
1610             // try the best to check the algorithm constraints
1611             AlgorithmConstraints constraints;
1612             if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
1613                 if (session instanceof ExtendedSSLSession) {
1614                     ExtendedSSLSession extSession =
1615                                     (ExtendedSSLSession)session;
1616                     String[] peerSupportedSignAlgs =
1617                             extSession.getLocalSupportedSignatureAlgorithms();
1618 
1619                     constraints = new SSLAlgorithmConstraints(
1620                                     engine, peerSupportedSignAlgs, true);
1621                 } else {
1622                     constraints =
1623                             new SSLAlgorithmConstraints(engine, true);
1624                 }




 419                             "Ignore unsupported cipher suite: " + suite);
 420                 }
 421             }
 422         }
 423 
 424         return new ArrayList<>(suites);
 425     }
 426 
 427     /*
 428      * Get the customized cipher suites specified by the given system property.
 429      */
 430     private static Collection<CipherSuite> getCustomizedCipherSuites(
 431             String propertyName) {
 432 
 433         String property = GetPropertyAction.privilegedGetProperty(propertyName);
 434         if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
 435             SSLLogger.fine(
 436                     "System property " + propertyName + " is set to '" +
 437                     property + "'");
 438         }
 439         if (property != null && !property.isEmpty()) {
 440             // remove double quote marks from beginning/end of the property
 441             if (property.length() > 1 && property.charAt(0) == '"' &&
 442                     property.charAt(property.length() - 1) == '"') {
 443                 property = property.substring(1, property.length() - 1);
 444             }
 445         }
 446 
 447         if (property != null && !property.isEmpty()) {
 448             String[] cipherSuiteNames = property.split(",");
 449             Collection<CipherSuite> cipherSuites =
 450                         new ArrayList<>(cipherSuiteNames.length);
 451             for (int i = 0; i < cipherSuiteNames.length; i++) {
 452                 cipherSuiteNames[i] = cipherSuiteNames[i].trim();
 453                 if (cipherSuiteNames[i].isEmpty()) {
 454                     continue;
 455                 }
 456 
 457                 CipherSuite suite;
 458                 try {
 459                     suite = CipherSuite.nameOf(cipherSuiteNames[i]);
 460                 } catch (IllegalArgumentException iae) {
 461                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
 462                         SSLLogger.fine(
 463                                 "Unknown or unsupported cipher suite name: " +
 464                                 cipherSuiteNames[i]);
 465                     }
 466 
 467                     continue;


 828                 new ArrayList<>();
 829 
 830         // Don't want a java.lang.LinkageError for illegal system property.
 831         //
 832         // Please don't throw exception in this static block.  Otherwise,
 833         // java.lang.LinkageError may be thrown during the instantiation of
 834         // the provider service. Instead, please handle the initialization
 835         // exception in the caller's constructor.
 836         static {
 837             populate(JDK_TLS_CLIENT_PROTOCOLS, customizedClientProtocols);
 838             populate(JDK_TLS_SERVER_PROTOCOLS, customizedServerProtocols);
 839         }
 840 
 841         private static void populate(String propname,
 842                 ArrayList<ProtocolVersion> arrayList) {
 843             String property = GetPropertyAction.privilegedGetProperty(propname);
 844             if (property == null) {
 845                 return;
 846             }
 847 
 848             if (!property.isEmpty()) {
 849                 // remove double quote marks from beginning/end of the property
 850                 if (property.length() > 1 && property.charAt(0) == '"' &&
 851                         property.charAt(property.length() - 1) == '"') {
 852                     property = property.substring(1, property.length() - 1);
 853                 }
 854             }
 855 
 856             if (!property.isEmpty()) {
 857                 String[] protocols = property.split(",");
 858                 for (int i = 0; i < protocols.length; i++) {
 859                     protocols[i] = protocols[i].trim();
 860                     // Is it a supported protocol name?
 861                     ProtocolVersion pv =
 862                             ProtocolVersion.nameOf(protocols[i]);
 863                     if (pv == null) {
 864                         reservedException = new IllegalArgumentException(
 865                             propname + ": " + protocols[i] +
 866                             " is not a supported SSL protocol name");
 867                     }
 868 
 869                     if (SunJSSE.isFIPS() &&
 870                             ((pv == ProtocolVersion.SSL30) ||
 871                              (pv == ProtocolVersion.SSL20Hello))) {
 872                         reservedException = new IllegalArgumentException(
 873                                 propname + ": " + pv +
 874                                 " is not FIPS compliant");
 875 
 876                         break;


1092             String defaultKeyStoreType = props.get("keyStoreType");
1093             String defaultKeyStoreProvider = props.get("keyStoreProvider");
1094             if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
1095                 SSLLogger.fine("keyStore is : " + defaultKeyStore);
1096                 SSLLogger.fine("keyStore type is : " +
1097                                         defaultKeyStoreType);
1098                 SSLLogger.fine("keyStore provider is : " +
1099                                         defaultKeyStoreProvider);
1100             }
1101 
1102             if (P11KEYSTORE.equals(defaultKeyStoreType) &&
1103                     !NONE.equals(defaultKeyStore)) {
1104                 throw new IllegalArgumentException("if keyStoreType is "
1105                     + P11KEYSTORE + ", then keyStore must be " + NONE);
1106             }
1107 
1108             FileInputStream fs = null;
1109             KeyStore ks = null;
1110             char[] passwd = null;
1111             try {
1112                 if (!defaultKeyStore.isEmpty() &&
1113                         !NONE.equals(defaultKeyStore)) {
1114                     fs = AccessController.doPrivileged(
1115                             new PrivilegedExceptionAction<FileInputStream>() {
1116                         @Override
1117                         public FileInputStream run() throws Exception {
1118                             return new FileInputStream(defaultKeyStore);
1119                         }
1120                     });
1121                 }
1122 
1123                 String defaultKeyStorePassword = props.get("keyStorePasswd");
1124                 if (!defaultKeyStorePassword.isEmpty()) {
1125                     passwd = defaultKeyStorePassword.toCharArray();
1126                 }
1127 
1128                 /**
1129                  * Try to initialize key store.
1130                  */
1131                 if ((defaultKeyStoreType.length()) != 0) {
1132                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
1133                         SSLLogger.finest("init keystore");
1134                     }
1135                     if (defaultKeyStoreProvider.isEmpty()) {
1136                         ks = KeyStore.getInstance(defaultKeyStoreType);
1137                     } else {
1138                         ks = KeyStore.getInstance(defaultKeyStoreType,
1139                                             defaultKeyStoreProvider);
1140                     }
1141 
1142                     // if defaultKeyStore is NONE, fs will be null
1143                     ks.load(fs, passwd);
1144                 }
1145             } finally {
1146                 if (fs != null) {
1147                     fs.close();
1148                     fs = null;
1149                 }
1150             }
1151 
1152             /*
1153              * Try to initialize key manager.
1154              */
1155             if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {


1544     public void checkServerTrusted(X509Certificate[] chain, String authType,
1545             SSLEngine engine) throws CertificateException {
1546         tm.checkServerTrusted(chain, authType);
1547         checkAdditionalTrust(chain, authType, engine, false);
1548     }
1549 
1550     private void checkAdditionalTrust(X509Certificate[] chain, String authType,
1551                 Socket socket, boolean isClient) throws CertificateException {
1552         if (socket != null && socket.isConnected() &&
1553                                     socket instanceof SSLSocket) {
1554 
1555             SSLSocket sslSocket = (SSLSocket)socket;
1556             SSLSession session = sslSocket.getHandshakeSession();
1557             if (session == null) {
1558                 throw new CertificateException("No handshake session");
1559             }
1560 
1561             // check endpoint identity
1562             String identityAlg = sslSocket.getSSLParameters().
1563                                         getEndpointIdentificationAlgorithm();
1564             if (identityAlg != null && !identityAlg.isEmpty()) {
1565                 String hostname = session.getPeerHost();
1566                 X509TrustManagerImpl.checkIdentity(
1567                                     hostname, chain[0], identityAlg);
1568             }
1569 
1570             // try the best to check the algorithm constraints
1571             AlgorithmConstraints constraints;
1572             if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
1573                 if (session instanceof ExtendedSSLSession) {
1574                     ExtendedSSLSession extSession =
1575                                     (ExtendedSSLSession)session;
1576                     String[] peerSupportedSignAlgs =
1577                             extSession.getLocalSupportedSignatureAlgorithms();
1578 
1579                     constraints = new SSLAlgorithmConstraints(
1580                                     sslSocket, peerSupportedSignAlgs, true);
1581                 } else {
1582                     constraints =
1583                             new SSLAlgorithmConstraints(sslSocket, true);
1584                 }
1585             } else {
1586                 constraints = new SSLAlgorithmConstraints(sslSocket, true);
1587             }
1588 
1589             checkAlgorithmConstraints(chain, constraints, isClient);
1590         }
1591     }
1592 
1593     private void checkAdditionalTrust(X509Certificate[] chain, String authType,
1594             SSLEngine engine, boolean isClient) throws CertificateException {
1595         if (engine != null) {
1596             SSLSession session = engine.getHandshakeSession();
1597             if (session == null) {
1598                 throw new CertificateException("No handshake session");
1599             }
1600 
1601             // check endpoint identity
1602             String identityAlg = engine.getSSLParameters().
1603                                         getEndpointIdentificationAlgorithm();
1604             if (identityAlg != null && !identityAlg.isEmpty()) {
1605                 String hostname = session.getPeerHost();
1606                 X509TrustManagerImpl.checkIdentity(
1607                                     hostname, chain[0], identityAlg);
1608             }
1609 
1610             // try the best to check the algorithm constraints
1611             AlgorithmConstraints constraints;
1612             if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
1613                 if (session instanceof ExtendedSSLSession) {
1614                     ExtendedSSLSession extSession =
1615                                     (ExtendedSSLSession)session;
1616                     String[] peerSupportedSignAlgs =
1617                             extSession.getLocalSupportedSignatureAlgorithms();
1618 
1619                     constraints = new SSLAlgorithmConstraints(
1620                                     engine, peerSupportedSignAlgs, true);
1621                 } else {
1622                     constraints =
1623                             new SSLAlgorithmConstraints(engine, true);
1624                 }

