/*

 * Copyright (c) 2003, 2008, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package javax.rmi.ssl;

import java.io.IOException;

import java.net.ServerSocket;

import java.net.Socket;

import java.rmi.server.RMIServerSocketFactory;

import java.util.Arrays;

import java.util.List;

import javax.net.ssl.SSLContext;

import javax.net.ssl.SSLServerSocketFactory;

import javax.net.ssl.SSLSocket;

import javax.net.ssl.SSLSocketFactory;

/**

 * <p>An <code>SslRMIServerSocketFactory</code> instance is used by the RMI

 * runtime in order to obtain server sockets for RMI calls via SSL.</p>

 *

 * <p>This class implements <code>RMIServerSocketFactory</code> over

 * the Secure Sockets Layer (SSL) or Transport Layer Security (TLS)

 * protocols.</p>

 *

 * <p>This class creates SSL sockets using the default

 * <code>SSLSocketFactory</code> (see {@link

 * SSLSocketFactory#getDefault}) or the default

 * <code>SSLServerSocketFactory</code> (see {@link

 * SSLServerSocketFactory#getDefault}) unless the

 * constructor taking an <code>SSLContext</code> is

 * used in which case the SSL sockets are created using

 * the <code>SSLSocketFactory</code> returned by

 * {@link SSLContext#getSocketFactory} or the

 * <code>SSLServerSocketFactory</code> returned by

 * {@link SSLContext#getServerSocketFactory}.

 *

 * When an <code>SSLContext</code> is not supplied all the instances of this

 * class share the same keystore, and the same truststore (when client

 * authentication is required by the server). This behavior can be modified

 * by supplying an already initialized <code>SSLContext</code> instance.

 *

 * @see javax.net.ssl.SSLSocketFactory

 * @see javax.net.ssl.SSLServerSocketFactory

 * @see javax.rmi.ssl.SslRMIClientSocketFactory

 * @since 1.5

 */

public class SslRMIServerSocketFactory implements RMIServerSocketFactory {

    /**

     * <p>Creates a new <code>SslRMIServerSocketFactory</code> with

     * the default SSL socket configuration.</p>

     *

     * <p>SSL connections accepted by server sockets created by this

     * factory have the default cipher suites and protocol versions

     * enabled and do not require client authentication.</p>

     */

    public SslRMIServerSocketFactory() {

        this(null, null, false);

    }

    /**

     * <p>Creates a new <code>SslRMIServerSocketFactory</code> with

     * the specified SSL socket configuration.</p>

     *

     * @param enabledCipherSuites names of all the cipher suites to

     * enable on SSL connections accepted by server sockets created by

     * this factory, or <code>null</code> to use the cipher suites

     * that are enabled by default

     *

     * @param enabledProtocols names of all the protocol versions to

     * enable on SSL connections accepted by server sockets created by

     * this factory, or <code>null</code> to use the protocol versions

     * that are enabled by default

     *

     * @param needClientAuth <code>true</code> to require client

     * authentication on SSL connections accepted by server sockets

     * created by this factory; <code>false</code> to not require

     * client authentication

     *

     * @exception IllegalArgumentException when one or more of the cipher

     * suites named by the <code>enabledCipherSuites</code> parameter is

     * not supported, when one or more of the protocols named by the

     * <code>enabledProtocols</code> parameter is not supported or when

     * a problem is encountered while trying to check if the supplied

     * cipher suites and protocols to be enabled are supported.

     *

     * @see SSLSocket#setEnabledCipherSuites

     * @see SSLSocket#setEnabledProtocols

     * @see SSLSocket#setNeedClientAuth

     */

    public SslRMIServerSocketFactory(

            String[] enabledCipherSuites,

            String[] enabledProtocols,

            boolean needClientAuth)

            throws IllegalArgumentException {

        this(null, enabledCipherSuites, enabledProtocols, needClientAuth);

    }

    /**

     * <p>Creates a new <code>SslRMIServerSocketFactory</code> with the

     * specified <code>SSLContext</code> and SSL socket configuration.</p>

     *

     * @param context the SSL context to be used for creating SSL sockets.

     * If <code>context</code> is null the default <code>SSLSocketFactory</code>

     * or the default <code>SSLServerSocketFactory</code> will be used to

     * create SSL sockets. Otherwise, the socket factory returned by

     * <code>SSLContext.getSocketFactory()</code> or

     * <code>SSLContext.getServerSocketFactory()</code> will be used instead.

     *

     * @param enabledCipherSuites names of all the cipher suites to

     * enable on SSL connections accepted by server sockets created by

     * this factory, or <code>null</code> to use the cipher suites

     * that are enabled by default

     *

     * @param enabledProtocols names of all the protocol versions to

     * enable on SSL connections accepted by server sockets created by

     * this factory, or <code>null</code> to use the protocol versions

     * that are enabled by default

     *

     * @param needClientAuth <code>true</code> to require client

     * authentication on SSL connections accepted by server sockets

     * created by this factory; <code>false</code> to not require

     * client authentication

     *

     * @exception IllegalArgumentException when one or more of the cipher

     * suites named by the <code>enabledCipherSuites</code> parameter is

     * not supported, when one or more of the protocols named by the

     * <code>enabledProtocols</code> parameter is not supported or when

     * a problem is encountered while trying to check if the supplied

     * cipher suites and protocols to be enabled are supported.

     *

     * @see SSLSocket#setEnabledCipherSuites

     * @see SSLSocket#setEnabledProtocols

     * @see SSLSocket#setNeedClientAuth

     * @since 1.7

     */

    public SslRMIServerSocketFactory(

            SSLContext context,

            String[] enabledCipherSuites,

            String[] enabledProtocols,

            boolean needClientAuth)

            throws IllegalArgumentException {

        // Initialize the configuration parameters.

        //

        this.enabledCipherSuites = enabledCipherSuites == null ?

            null : enabledCipherSuites.clone();

        this.enabledProtocols = enabledProtocols == null ?

            null : enabledProtocols.clone();

        this.needClientAuth = needClientAuth;

        // Force the initialization of the default at construction time,

        // rather than delaying it to the first time createServerSocket()

        // is called.

        //

        this.context = context;

        final SSLSocketFactory sslSocketFactory =

                context == null ?

                    getDefaultSSLSocketFactory() : context.getSocketFactory();

        SSLSocket sslSocket = null;

        if (this.enabledCipherSuites != null || this.enabledProtocols != null) {

            try {

                sslSocket = (SSLSocket) sslSocketFactory.createSocket();

            } catch (Exception e) {

                final String msg = "Unable to check if the cipher suites " +

                        "and protocols to enable are supported";

                throw (IllegalArgumentException)

                new IllegalArgumentException(msg).initCause(e);

            }

        }

        // Check if all the cipher suites and protocol versions to enable

        // are supported by the underlying SSL/TLS implementation and if

        // true create lists from arrays.

        //

        if (this.enabledCipherSuites != null) {

            sslSocket.setEnabledCipherSuites(this.enabledCipherSuites);

            enabledCipherSuitesList = Arrays.asList(this.enabledCipherSuites);

        }

        if (this.enabledProtocols != null) {

            sslSocket.setEnabledProtocols(this.enabledProtocols);

            enabledProtocolsList = Arrays.asList(this.enabledProtocols);

        }

    }

    /**

     * <p>Returns the names of the cipher suites enabled on SSL

     * connections accepted by server sockets created by this factory,

     * or <code>null</code> if this factory uses the cipher suites

     * that are enabled by default.</p>

     *

     * @return an array of cipher suites enabled, or <code>null</code>

     *

     * @see SSLSocket#setEnabledCipherSuites

     */

    public final String[] getEnabledCipherSuites() {

        return enabledCipherSuites == null ?

            null : enabledCipherSuites.clone();

    }

    /**

     * <p>Returns the names of the protocol versions enabled on SSL

     * connections accepted by server sockets created by this factory,

     * or <code>null</code> if this factory uses the protocol versions

     * that are enabled by default.</p>

     *

     * @return an array of protocol versions enabled, or

     * <code>null</code>

     *

     * @see SSLSocket#setEnabledProtocols

     */

    public final String[] getEnabledProtocols() {

        return enabledProtocols == null ?

            null : enabledProtocols.clone();

    }

    /**

     * <p>Returns <code>true</code> if client authentication is

     * required on SSL connections accepted by server sockets created

     * by this factory.</p>

     *

     * @return <code>true</code> if client authentication is required

     *

     * @see SSLSocket#setNeedClientAuth

     */

    public final boolean getNeedClientAuth() {

        return needClientAuth;

    }

    /**

     * <p>Creates a server socket that accepts SSL connections

     * configured according to this factory's SSL socket configuration

     * parameters.</p>

     */

    public ServerSocket createServerSocket(int port) throws IOException {

        final SSLSocketFactory sslSocketFactory =

                context == null ?

                    getDefaultSSLSocketFactory() : context.getSocketFactory();

        return new ServerSocket(port) {

            public Socket accept() throws IOException {

                Socket socket = super.accept();

                SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(

                        socket, socket.getInetAddress().getHostName(),

                        socket.getPort(), true);

                sslSocket.setUseClientMode(false);

                if (enabledCipherSuites != null) {

                    sslSocket.setEnabledCipherSuites(enabledCipherSuites);

                }

                if (enabledProtocols != null) {

                    sslSocket.setEnabledProtocols(enabledProtocols);

                }

                sslSocket.setNeedClientAuth(needClientAuth);

                return sslSocket;

            }

        };

    }

    /**

     * <p>Indicates whether some other object is "equal to" this one.</p>

     *

     * <p>Two <code>SslRMIServerSocketFactory</code> objects are equal

     * if they have been constructed with the same SSL context and

     * SSL socket configuration parameters.</p>

     *

     * <p>A subclass should override this method (as well as

     * {@link #hashCode()}) if it adds instance state that affects

     * equality.</p>

     */

    public boolean equals(Object obj) {

        if (obj == null) return false;

        if (obj == this) return true;

        if (!(obj instanceof SslRMIServerSocketFactory))

            return false;

        SslRMIServerSocketFactory that = (SslRMIServerSocketFactory) obj;

        return (getClass().equals(that.getClass()) && checkParameters(that));

    }

    private boolean checkParameters(SslRMIServerSocketFactory that) {

        // SSL context

        //

        if (context == null ? that.context != null : !context.equals(that.context))

            return false;

        // needClientAuth flag

        //

        if (needClientAuth != that.needClientAuth)

            return false;

        // enabledCipherSuites

        //

        if ((enabledCipherSuites == null && that.enabledCipherSuites != null) ||

                (enabledCipherSuites != null && that.enabledCipherSuites == null))

            return false;

        if (enabledCipherSuites != null && that.enabledCipherSuites != null) {

            List<String> thatEnabledCipherSuitesList =

                    Arrays.asList(that.enabledCipherSuites);

            if (!enabledCipherSuitesList.equals(thatEnabledCipherSuitesList))

                return false;

        }

        // enabledProtocols

        //

        if ((enabledProtocols == null && that.enabledProtocols != null) ||

                (enabledProtocols != null && that.enabledProtocols == null))

            return false;

        if (enabledProtocols != null && that.enabledProtocols != null) {

            List<String> thatEnabledProtocolsList =

                    Arrays.asList(that.enabledProtocols);

            if (!enabledProtocolsList.equals(thatEnabledProtocolsList))

                return false;

        }

        return true;

    }

    /**

     * <p>Returns a hash code value for this

     * <code>SslRMIServerSocketFactory</code>.</p>

     *

     * @return a hash code value for this

     * <code>SslRMIServerSocketFactory</code>.

     */

    public int hashCode() {

        return getClass().hashCode() +

                (context == null ? 0 : context.hashCode()) +

                (needClientAuth ? Boolean.TRUE.hashCode() : Boolean.FALSE.hashCode()) +

                (enabledCipherSuites == null ? 0 : enabledCipherSuitesList.hashCode()) +

                (enabledProtocols == null ? 0 : enabledProtocolsList.hashCode());

    }

    // We use a static field because:

    //

    //    SSLSocketFactory.getDefault() always returns the same object

    //    (at least on Sun's implementation), and we want to make sure

    //    that the Javadoc & the implementation stay in sync.

    //

    // If someone needs to have different SslRMIServerSocketFactory

    // factories with different underlying SSLSocketFactory objects

    // using different keystores and truststores, he/she can always

    // use the constructor that takes an SSLContext as input.

    //

    private static SSLSocketFactory defaultSSLSocketFactory = null;

    private static synchronized SSLSocketFactory getDefaultSSLSocketFactory() {

        if (defaultSSLSocketFactory == null)

            defaultSSLSocketFactory =

                    (SSLSocketFactory) SSLSocketFactory.getDefault();

        return defaultSSLSocketFactory;

    }

    private final String[] enabledCipherSuites;

    private final String[] enabledProtocols;

    private final boolean needClientAuth;

    private List<String> enabledCipherSuitesList;

    private List<String> enabledProtocolsList;

    private SSLContext context;

}