src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
author wetmore
Fri, 11 May 2018 15:53:12 -0700
branchJDK-8145252-TLS13-branch
changeset 56542 56aaa6cb3693
parent 47216 71c04702a3d5
child 56611 f8f7e604e1f8
permissions -rw-r--r--
Initial TLSv1.3 Implementation
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
     1
/*
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
     2
 * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
     3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
90ce3da70b43 Initial load
duke
parents:
diff changeset
     4
 *
90ce3da70b43 Initial load
duke
parents:
diff changeset
     5
 * This code is free software; you can redistribute it and/or modify it
90ce3da70b43 Initial load
duke
parents:
diff changeset
     6
 * under the terms of the GNU General Public License version 2 only, as
5506
202f599c92aa 6943119: Rebrand source copyright notices
ohair
parents: 2
diff changeset
     7
 * published by the Free Software Foundation.  Oracle designates this
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
     8
 * particular file as subject to the "Classpath" exception as provided
5506
202f599c92aa 6943119: Rebrand source copyright notices
ohair
parents: 2
diff changeset
     9
 * by Oracle in the LICENSE file that accompanied this code.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    10
 *
90ce3da70b43 Initial load
duke
parents:
diff changeset
    11
 * This code is distributed in the hope that it will be useful, but WITHOUT
90ce3da70b43 Initial load
duke
parents:
diff changeset
    12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
90ce3da70b43 Initial load
duke
parents:
diff changeset
    13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
90ce3da70b43 Initial load
duke
parents:
diff changeset
    14
 * version 2 for more details (a copy is included in the LICENSE file that
90ce3da70b43 Initial load
duke
parents:
diff changeset
    15
 * accompanied this code).
90ce3da70b43 Initial load
duke
parents:
diff changeset
    16
 *
90ce3da70b43 Initial load
duke
parents:
diff changeset
    17
 * You should have received a copy of the GNU General Public License version
90ce3da70b43 Initial load
duke
parents:
diff changeset
    18
 * 2 along with this work; if not, write to the Free Software Foundation,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    20
 *
5506
202f599c92aa 6943119: Rebrand source copyright notices
ohair
parents: 2
diff changeset
    21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
202f599c92aa 6943119: Rebrand source copyright notices
ohair
parents: 2
diff changeset
    22
 * or visit www.oracle.com if you need additional information or have any
202f599c92aa 6943119: Rebrand source copyright notices
ohair
parents: 2
diff changeset
    23
 * questions.
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    24
 */
90ce3da70b43 Initial load
duke
parents:
diff changeset
    25
90ce3da70b43 Initial load
duke
parents:
diff changeset
    26
package sun.security.ssl;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    27
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    28
import java.io.*;
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    29
import java.net.Socket;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    30
import java.security.*;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    31
import java.security.cert.*;
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    32
import java.util.*;
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    33
import javax.net.ssl.*;
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    34
import sun.security.action.GetPropertyAction;
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
    35
import sun.security.provider.certpath.AlgorithmChecker;
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43009
diff changeset
    36
import sun.security.validator.Validator;
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
    37
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    38
/**
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    39
 * Implementation of an SSLContext.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    40
 *
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    41
 * Instances of this class are immutable after the context is initialized.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    42
 */
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    43
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    44
public abstract class SSLContextImpl extends SSLContextSpi {
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    45
90ce3da70b43 Initial load
duke
parents:
diff changeset
    46
    private final EphemeralKeyManager ephemeralKeyManager;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    47
    private final SSLSessionContextImpl clientCache;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    48
    private final SSLSessionContextImpl serverCache;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    49
90ce3da70b43 Initial load
duke
parents:
diff changeset
    50
    private boolean isInitialized;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    51
90ce3da70b43 Initial load
duke
parents:
diff changeset
    52
    private X509ExtendedKeyManager keyManager;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    53
    private X509TrustManager trustManager;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    54
    private SecureRandom secureRandom;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    55
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
    56
    // DTLS cookie exchange manager
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
    57
    private volatile HelloCookieManager helloCookieManager;
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
    58
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    59
    private final boolean clientEnableStapling = Utilities.getBooleanProperty(
36132
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
    60
            "jdk.tls.client.enableStatusRequestExtension", true);
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    61
    private final boolean serverEnableStapling = Utilities.getBooleanProperty(
36132
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
    62
            "jdk.tls.server.enableStatusRequestExtension", false);
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    63
    private static final Collection<CipherSuite> clientCustomizedCipherSuites =
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
    64
            getCustomizedCipherSuites("jdk.tls.client.cipherSuites");
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
    65
    private static final Collection<CipherSuite> serverCustomizedCipherSuites =
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
    66
            getCustomizedCipherSuites("jdk.tls.server.cipherSuites");
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
    67
36132
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
    68
    private volatile StatusResponseManager statusResponseManager;
32032
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents: 30904
diff changeset
    69
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
    70
    SSLContextImpl() {
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
    71
        ephemeralKeyManager = new EphemeralKeyManager();
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
    72
        clientCache = new SSLSessionContextImpl();
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
    73
        serverCache = new SSLSessionContextImpl();
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    74
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
    75
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
    76
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    77
    protected void engineInit(KeyManager[] km, TrustManager[] tm,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    78
                                SecureRandom sr) throws KeyManagementException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
    79
        isInitialized = false;
90ce3da70b43 Initial load
duke
parents:
diff changeset
    80
        keyManager = chooseKeyManager(km);
90ce3da70b43 Initial load
duke
parents:
diff changeset
    81
90ce3da70b43 Initial load
duke
parents:
diff changeset
    82
        if (tm == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
    83
            try {
90ce3da70b43 Initial load
duke
parents:
diff changeset
    84
                TrustManagerFactory tmf = TrustManagerFactory.getInstance(
90ce3da70b43 Initial load
duke
parents:
diff changeset
    85
                        TrustManagerFactory.getDefaultAlgorithm());
90ce3da70b43 Initial load
duke
parents:
diff changeset
    86
                tmf.init((KeyStore)null);
90ce3da70b43 Initial load
duke
parents:
diff changeset
    87
                tm = tmf.getTrustManagers();
90ce3da70b43 Initial load
duke
parents:
diff changeset
    88
            } catch (Exception e) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
    89
                // eat
90ce3da70b43 Initial load
duke
parents:
diff changeset
    90
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
    91
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
    92
        trustManager = chooseTrustManager(tm);
90ce3da70b43 Initial load
duke
parents:
diff changeset
    93
90ce3da70b43 Initial load
duke
parents:
diff changeset
    94
        if (sr == null) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
    95
            secureRandom = JsseJce.getSecureRandom();
90ce3da70b43 Initial load
duke
parents:
diff changeset
    96
        } else {
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
    97
            if (SunJSSE.isFIPS() &&
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
    98
                        (sr.getProvider() != SunJSSE.cryptoProvider)) {
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    99
                throw new KeyManagementException
90ce3da70b43 Initial load
duke
parents:
diff changeset
   100
                    ("FIPS mode: SecureRandom must be from provider "
90ce3da70b43 Initial load
duke
parents:
diff changeset
   101
                    + SunJSSE.cryptoProvider.getName());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   102
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   103
            secureRandom = sr;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   104
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   105
90ce3da70b43 Initial load
duke
parents:
diff changeset
   106
        /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
   107
         * The initial delay of seeding the random number generator
90ce3da70b43 Initial load
duke
parents:
diff changeset
   108
         * could be long enough to cause the initial handshake on our
90ce3da70b43 Initial load
duke
parents:
diff changeset
   109
         * first connection to timeout and fail. Make sure it is
90ce3da70b43 Initial load
duke
parents:
diff changeset
   110
         * primed and ready by getting some initial output from it.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   111
         */
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   112
        if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   113
            SSLLogger.finest("trigger seeding of SecureRandom");
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   114
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   115
        secureRandom.nextInt();
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   116
        if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   117
            SSLLogger.finest("done seeding of SecureRandom");
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   118
        }
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   119
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   120
        isInitialized = true;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   121
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   122
90ce3da70b43 Initial load
duke
parents:
diff changeset
   123
    private X509TrustManager chooseTrustManager(TrustManager[] tm)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   124
            throws KeyManagementException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   125
        // We only use the first instance of X509TrustManager passed to us.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   126
        for (int i = 0; tm != null && i < tm.length; i++) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   127
            if (tm[i] instanceof X509TrustManager) {
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   128
                if (SunJSSE.isFIPS() &&
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   129
                        !(tm[i] instanceof X509TrustManagerImpl)) {
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   130
                    throw new KeyManagementException
90ce3da70b43 Initial load
duke
parents:
diff changeset
   131
                        ("FIPS mode: only SunJSSE TrustManagers may be used");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   132
                }
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   133
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   134
                if (tm[i] instanceof X509ExtendedTrustManager) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   135
                    return (X509TrustManager)tm[i];
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   136
                } else {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   137
                    return new AbstractTrustManagerWrapper(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   138
                                        (X509TrustManager)tm[i]);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   139
                }
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   140
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   141
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   142
90ce3da70b43 Initial load
duke
parents:
diff changeset
   143
        // nothing found, return a dummy X509TrustManager.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   144
        return DummyX509TrustManager.INSTANCE;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   145
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   146
90ce3da70b43 Initial load
duke
parents:
diff changeset
   147
    private X509ExtendedKeyManager chooseKeyManager(KeyManager[] kms)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   148
            throws KeyManagementException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   149
        for (int i = 0; kms != null && i < kms.length; i++) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   150
            KeyManager km = kms[i];
12874
14df9c7c18e1 7174244: NPE in Krb5ProxyImpl.getServerKeys()
xuelei
parents: 12677
diff changeset
   151
            if (!(km instanceof X509KeyManager)) {
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   152
                continue;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   153
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   154
            if (SunJSSE.isFIPS()) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   155
                // In FIPS mode, require that one of SunJSSE's own keymanagers
90ce3da70b43 Initial load
duke
parents:
diff changeset
   156
                // is used. Otherwise, we cannot be sure that only keys from
90ce3da70b43 Initial load
duke
parents:
diff changeset
   157
                // the FIPS token are used.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   158
                if ((km instanceof X509KeyManagerImpl)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   159
                            || (km instanceof SunX509KeyManagerImpl)) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   160
                    return (X509ExtendedKeyManager)km;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   161
                } else {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   162
                    // throw exception, we don't want to silently use the
90ce3da70b43 Initial load
duke
parents:
diff changeset
   163
                    // dummy keymanager without telling the user.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   164
                    throw new KeyManagementException
90ce3da70b43 Initial load
duke
parents:
diff changeset
   165
                        ("FIPS mode: only SunJSSE KeyManagers may be used");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   166
                }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   167
            }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   168
            if (km instanceof X509ExtendedKeyManager) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   169
                return (X509ExtendedKeyManager)km;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   170
            }
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   171
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   172
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   173
                SSLLogger.warning(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   174
                    "X509KeyManager passed to SSLContext.init():  need an " +
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   175
                    "X509ExtendedKeyManager for SSLEngine use");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   176
            }
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   177
            return new AbstractKeyManagerWrapper((X509KeyManager)km);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   178
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   179
90ce3da70b43 Initial load
duke
parents:
diff changeset
   180
        // nothing found, return a dummy X509ExtendedKeyManager
90ce3da70b43 Initial load
duke
parents:
diff changeset
   181
        return DummyX509KeyManager.INSTANCE;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   182
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   183
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   184
    abstract SSLEngine createSSLEngineImpl();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   185
    abstract SSLEngine createSSLEngineImpl(String host, int port);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   186
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   187
    @Override
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   188
    protected SSLEngine engineCreateSSLEngine() {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   189
        if (!isInitialized) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   190
            throw new IllegalStateException("SSLContext is not initialized");
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   191
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   192
        return createSSLEngineImpl();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   193
    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   194
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   195
    @Override
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   196
    protected SSLEngine engineCreateSSLEngine(String host, int port) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   197
        if (!isInitialized) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   198
            throw new IllegalStateException("SSLContext is not initialized");
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   199
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   200
        return createSSLEngineImpl(host, port);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   201
    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   202
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
   203
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   204
    protected SSLSocketFactory engineGetSocketFactory() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   205
        if (!isInitialized) {
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   206
            throw new IllegalStateException("SSLContext is not initialized");
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   207
        }
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   208
       return new SSLSocketFactoryImpl(this);
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   209
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   210
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
   211
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   212
    protected SSLServerSocketFactory engineGetServerSocketFactory() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   213
        if (!isInitialized) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   214
            throw new IllegalStateException("SSLContext is not initialized");
90ce3da70b43 Initial load
duke
parents:
diff changeset
   215
        }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   216
        return new SSLServerSocketFactoryImpl(this);
90ce3da70b43 Initial load
duke
parents:
diff changeset
   217
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   218
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
   219
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   220
    protected SSLSessionContext engineGetClientSessionContext() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   221
        return clientCache;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   222
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   223
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
   224
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   225
    protected SSLSessionContext engineGetServerSessionContext() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   226
        return serverCache;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   227
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   228
90ce3da70b43 Initial load
duke
parents:
diff changeset
   229
    SecureRandom getSecureRandom() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   230
        return secureRandom;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   231
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   232
90ce3da70b43 Initial load
duke
parents:
diff changeset
   233
    X509ExtendedKeyManager getX509KeyManager() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   234
        return keyManager;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   235
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   236
90ce3da70b43 Initial load
duke
parents:
diff changeset
   237
    X509TrustManager getX509TrustManager() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   238
        return trustManager;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   239
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   240
90ce3da70b43 Initial load
duke
parents:
diff changeset
   241
    EphemeralKeyManager getEphemeralKeyManager() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   242
        return ephemeralKeyManager;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   243
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   244
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   245
    // Used for DTLS in server mode only.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   246
    HelloCookieManager getHelloCookieManager(ProtocolVersion protocolVersion) {
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   247
        if (helloCookieManager != null) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   248
            return helloCookieManager.valueOf(protocolVersion);
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   249
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   250
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   251
        synchronized (this) {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   252
            if (helloCookieManager == null) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   253
                helloCookieManager = new HelloCookieManager(secureRandom);
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   254
            }
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   255
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   256
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   257
        return helloCookieManager.valueOf(protocolVersion);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   258
    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   259
32032
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents: 30904
diff changeset
   260
    StatusResponseManager getStatusResponseManager() {
36132
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   261
        if (serverEnableStapling && statusResponseManager == null) {
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   262
            synchronized (this) {
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   263
                if (statusResponseManager == null) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   264
                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   265
                        SSLLogger.finest(
36132
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   266
                                "Initializing StatusResponseManager");
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   267
                    }
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   268
                    statusResponseManager = new StatusResponseManager();
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   269
                }
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   270
            }
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   271
        }
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   272
32032
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents: 30904
diff changeset
   273
        return statusResponseManager;
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents: 30904
diff changeset
   274
    }
22badc53802f 8046321: OCSP Stapling for TLS
jnimeh
parents: 30904
diff changeset
   275
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   276
    // Get supported protocols.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   277
    abstract List<ProtocolVersion> getSuportedProtocolVersions();
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   278
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   279
    // Get default protocols for server mode.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   280
    abstract List<ProtocolVersion> getServerDefaultProtocolVersions();
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   281
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   282
    // Get default protocols for client mode.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   283
    abstract List<ProtocolVersion> getClientDefaultProtocolVersions();
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   284
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   285
    // Get supported CipherSuite list.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   286
    abstract List<CipherSuite> getSupportedCipherSuites();
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   287
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   288
    // Get default CipherSuite list for server mode.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   289
    abstract List<CipherSuite> getServerDefaultCipherSuites();
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   290
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   291
    // Get default CipherSuite list for client mode.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   292
    abstract List<CipherSuite> getClientDefaultCipherSuites();
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   293
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   294
    // Is the context for DTLS protocols?
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   295
    abstract boolean isDTLS();
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   296
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   297
    // Get default protocols.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   298
    List<ProtocolVersion> getDefaultProtocolVersions(boolean roleIsServer) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   299
        return roleIsServer ? getServerDefaultProtocolVersions()
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   300
                            : getClientDefaultProtocolVersions();
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   301
    }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   302
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   303
    // Get default CipherSuite list.
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   304
    List<CipherSuite> getDefaultCipherSuites(boolean roleIsServer) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   305
        return roleIsServer ? getServerDefaultCipherSuites()
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   306
                            : getClientDefaultCipherSuites();
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   307
    }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   308
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   309
    /**
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   310
     * Return whether a protocol list is the original default enabled
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   311
     * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   312
     */
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   313
    boolean isDefaultProtocolVesions(List<ProtocolVersion> protocols) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   314
        return (protocols == getServerDefaultProtocolVersions()) ||
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   315
               (protocols == getClientDefaultProtocolVersions());
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   316
    }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   317
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   318
    /**
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   319
     * Return whether a protocol list is the original default enabled
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   320
     * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   321
     */
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   322
    boolean isDefaultCipherSuiteList(List<CipherSuite> cipherSuites) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   323
        return (cipherSuites == getServerDefaultCipherSuites()) ||
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   324
               (cipherSuites == getClientDefaultCipherSuites());
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   325
    }
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   326
36132
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   327
    /**
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   328
     * Return whether client or server side stapling has been enabled
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   329
     * for this SSLContextImpl
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   330
     * @param isClient true if the caller is operating in a client side role,
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   331
     * false if acting as a server.
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   332
     * @return true if stapling has been enabled for the specified role, false
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   333
     * otherwise.
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   334
     */
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   335
    boolean isStaplingEnabled(boolean isClient) {
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   336
        return isClient ? clientEnableStapling : serverEnableStapling;
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   337
    }
c99a60377145 8145854: SSLContextImpl.statusResponseManager should be generated if required
jnimeh
parents: 34826
diff changeset
   338
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   339
    /*
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   340
     * Return the list of all available CipherSuites that are supported
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   341
     * using currently installed providers.
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   342
     */
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   343
    private static List<CipherSuite> getApplicableSupportedCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   344
            List<ProtocolVersion> protocols) {
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   345
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   346
        return getApplicableCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   347
                CipherSuite.allowedCipherSuites(), protocols);
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   348
    }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   349
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   350
    /*
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   351
     * Return the list of all available CipherSuites that are default enabled
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   352
     * in client or server side.
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   353
     */
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   354
    private static List<CipherSuite> getApplicableEnabledCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   355
            List<ProtocolVersion> protocols, boolean isClient) {
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   356
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   357
        if (isClient) {
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   358
            if (!clientCustomizedCipherSuites.isEmpty()) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   359
                return getApplicableCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   360
                        clientCustomizedCipherSuites, protocols);
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   361
            }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   362
        } else {
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   363
            if (!serverCustomizedCipherSuites.isEmpty()) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   364
                return getApplicableCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   365
                        serverCustomizedCipherSuites, protocols);
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   366
            }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   367
        }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   368
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   369
        return getApplicableCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   370
                CipherSuite.defaultCipherSuites(), protocols);
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   371
    }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   372
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   373
    /*
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   374
     * Return the list of available CipherSuites which are applicable to
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   375
     * the specified protocols.
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   376
     */
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   377
    private static List<CipherSuite> getApplicableCipherSuites(
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   378
            Collection<CipherSuite> allowedCipherSuites,
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   379
            List<ProtocolVersion> protocols) {
12874
14df9c7c18e1 7174244: NPE in Krb5ProxyImpl.getServerKeys()
xuelei
parents: 12677
diff changeset
   380
        TreeSet<CipherSuite> suites = new TreeSet<>();
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   381
        if (protocols != null && (!protocols.isEmpty())) {
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   382
            for (CipherSuite suite : allowedCipherSuites) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   383
                if (!suite.isAvailable()) {
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   384
                    continue;
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   385
                }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   386
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   387
                boolean isSupported = false;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   388
                for (ProtocolVersion protocol : protocols) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   389
                    if (!suite.supports(protocol)) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   390
                        continue;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   391
                    }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   392
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   393
                    if (SSLAlgorithmConstraints.DEFAULT.permits(
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   394
                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   395
                            suite.name, null)) {
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   396
                        suites.add(suite);
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   397
                        isSupported = true;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   398
                    } else if (SSLLogger.isOn &&
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   399
                            SSLLogger.isOn("ssl,sslctx,verbose")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   400
                        SSLLogger.fine(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   401
                                "Ignore disabled cipher suite: " + suite.name);
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   402
                    }
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   403
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   404
                    break;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   405
                }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   406
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   407
                if (!isSupported && SSLLogger.isOn &&
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   408
                        SSLLogger.isOn("ssl,sslctx,verbose")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   409
                    SSLLogger.finest(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   410
                            "Ignore unsupported cipher suite: " + suite);
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   411
                }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   412
            }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   413
        }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   414
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   415
        return Arrays.asList(suites.toArray(new CipherSuite[0]));
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   416
    }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   417
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   418
    /*
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   419
     * Get the customized cipher suites specified by the given system property.
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   420
     */
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   421
    private static Collection<CipherSuite> getCustomizedCipherSuites(
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   422
            String propertyName) {
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   423
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   424
        String property = GetPropertyAction.privilegedGetProperty(propertyName);
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   425
        if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   426
            SSLLogger.fine(
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   427
                    "System property " + propertyName + " is set to '" +
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   428
                    property + "'");
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   429
        }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   430
        if (property != null && property.length() != 0) {
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   431
            // remove double quote marks from beginning/end of the property
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   432
            if (property.length() > 1 && property.charAt(0) == '"' &&
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   433
                    property.charAt(property.length() - 1) == '"') {
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   434
                property = property.substring(1, property.length() - 1);
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   435
            }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   436
        }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   437
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   438
        if (property != null && property.length() != 0) {
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   439
            String[] cipherSuiteNames = property.split(",");
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   440
            Collection<CipherSuite> cipherSuites =
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   441
                        new ArrayList<>(cipherSuiteNames.length);
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   442
            for (int i = 0; i < cipherSuiteNames.length; i++) {
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   443
                cipherSuiteNames[i] = cipherSuiteNames[i].trim();
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   444
                if (cipherSuiteNames[i].isEmpty()) {
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   445
                    continue;
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   446
                }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   447
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   448
                CipherSuite suite;
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   449
                try {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   450
                    suite = CipherSuite.nameOf(cipherSuiteNames[i]);
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   451
                } catch (IllegalArgumentException iae) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   452
                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   453
                        SSLLogger.fine(
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   454
                                "Unknown or unsupported cipher suite name: " +
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   455
                                cipherSuiteNames[i]);
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   456
                    }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   457
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   458
                    continue;
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   459
                }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   460
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   461
                if (suite != null && suite.isAvailable()) {
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   462
                    cipherSuites.add(suite);
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   463
                } else {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   464
                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   465
                        SSLLogger.fine(
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   466
                                "The current installed providers do not " +
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   467
                                "support cipher suite: " + cipherSuiteNames[i]);
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   468
                    }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   469
                }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   470
            }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   471
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   472
            return cipherSuites;
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   473
        }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   474
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   475
        return Collections.emptyList();
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   476
    }
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   477
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   478
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   479
    private static List<ProtocolVersion> getAvailableProtocols(
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   480
            ProtocolVersion[] protocolCandidates) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   481
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   482
        List<ProtocolVersion> availableProtocols =
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   483
                Collections.<ProtocolVersion>emptyList();
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   484
        if (protocolCandidates !=  null && protocolCandidates.length != 0) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   485
            availableProtocols = new ArrayList<>(protocolCandidates.length);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   486
            for (ProtocolVersion p : protocolCandidates) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   487
                if (p.isAvailable) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   488
                    availableProtocols.add(p);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   489
                }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   490
            }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   491
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   492
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   493
        return availableProtocols;
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   494
    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   495
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   496
    /*
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   497
     * The SSLContext implementation for SSL/(D)TLS algorithm
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   498
     *
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   499
     * SSL/TLS protocols specify the forward compatibility and version
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   500
     * roll-back attack protections, however, a number of SSL/TLS server
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   501
     * vendors did not implement these aspects properly, and some current
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   502
     * SSL/TLS servers may refuse to talk to a TLS 1.1 or later client.
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   503
     *
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   504
     * Considering above interoperability issues, SunJSSE will not set
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   505
     * TLS 1.1 and TLS 1.2 as the enabled protocols for client by default.
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   506
     *
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   507
     * For SSL/TLS servers, there is no such interoperability issues as
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   508
     * SSL/TLS clients. In SunJSSE, TLS 1.1 or later version will be the
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   509
     * enabled protocols for server by default.
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   510
     *
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   511
     * We may change the behavior when popular TLS/SSL vendors support TLS
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   512
     * forward compatibility properly.
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   513
     *
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   514
     * SSLv2Hello is no longer necessary.  This interoperability option was
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   515
     * put in place in the late 90's when SSLv3/TLS1.0 were relatively new
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   516
     * and there were a fair number of SSLv2-only servers deployed.  Because
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   517
     * of the security issues in SSLv2, it is rarely (if ever) used, as
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   518
     * deployments should now be using SSLv3 and TLSv1.
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   519
     *
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   520
     * Considering the issues of SSLv2Hello, we should not enable SSLv2Hello
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   521
     * by default. Applications still can use it by enabling SSLv2Hello with
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   522
     * the series of setEnabledProtocols APIs.
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   523
     */
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   524
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   525
    /*
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   526
     * The base abstract SSLContext implementation for the Transport Layer
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   527
     * Security (TLS) protocols.
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   528
     *
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   529
     * This abstract class encapsulates supported and the default server
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   530
     * SSL/TLS parameters.
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   531
     *
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   532
     * @see SSLContext
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   533
     */
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   534
    private abstract static class AbstractTLSContext extends SSLContextImpl {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   535
        private static final List<ProtocolVersion> supportedProtocols;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   536
        private static final List<ProtocolVersion> serverDefaultProtocols;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   537
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   538
        private static final List<CipherSuite> supportedCipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   539
        private static final List<CipherSuite> serverDefaultCipherSuites;
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   540
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   541
        static {
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   542
            if (SunJSSE.isFIPS()) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   543
                supportedProtocols = Arrays.asList(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   544
                    ProtocolVersion.TLS13,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   545
                    ProtocolVersion.TLS12,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   546
                    ProtocolVersion.TLS11,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   547
                    ProtocolVersion.TLS10
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   548
                );
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   549
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   550
                serverDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   551
                        new ProtocolVersion[] {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   552
                    ProtocolVersion.TLS13,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   553
                    ProtocolVersion.TLS12,
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   554
                    ProtocolVersion.TLS11,
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   555
                    ProtocolVersion.TLS10
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   556
                });
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   557
            } else {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   558
                supportedProtocols = Arrays.asList(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   559
                    ProtocolVersion.TLS13,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   560
                    ProtocolVersion.TLS12,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   561
                    ProtocolVersion.TLS11,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   562
                    ProtocolVersion.TLS10,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   563
                    ProtocolVersion.SSL30,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   564
                    ProtocolVersion.SSL20Hello
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   565
                );
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   566
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   567
                serverDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   568
                        new ProtocolVersion[] {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   569
                    ProtocolVersion.TLS13,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   570
                    ProtocolVersion.TLS12,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   571
                    ProtocolVersion.TLS11,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   572
                    ProtocolVersion.TLS10,
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   573
                    ProtocolVersion.SSL30,
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   574
                    ProtocolVersion.SSL20Hello
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   575
                });
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   576
            }
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   577
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   578
            supportedCipherSuites = getApplicableSupportedCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   579
                    supportedProtocols);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   580
            serverDefaultCipherSuites = getApplicableEnabledCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   581
                    serverDefaultProtocols, false);
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   582
        }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   583
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
   584
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   585
        List<ProtocolVersion> getSuportedProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   586
            return supportedProtocols;
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   587
        }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   588
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
   589
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   590
        List<CipherSuite> getSupportedCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   591
            return supportedCipherSuites;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   592
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   593
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   594
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   595
        List<ProtocolVersion> getServerDefaultProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   596
            return serverDefaultProtocols;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   597
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   598
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   599
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   600
        List<CipherSuite> getServerDefaultCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   601
            return serverDefaultCipherSuites;
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   602
        }
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   603
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   604
        @Override
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   605
        SSLEngine createSSLEngineImpl() {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   606
            return new SSLEngineImpl(this);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   607
        }
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   608
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   609
        @Override
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   610
        SSLEngine createSSLEngineImpl(String host, int port) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   611
            return new SSLEngineImpl(this, host, port);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   612
        }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   613
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   614
        @Override
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   615
        boolean isDTLS() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   616
            return false;
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   617
        }
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   618
    }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   619
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   620
    /*
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   621
     * The SSLContext implementation for SSLv3 and TLS10 algorithm
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   622
     *
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   623
     * @see SSLContext
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   624
     */
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   625
    public static final class TLS10Context extends AbstractTLSContext {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   626
        private static final List<ProtocolVersion> clientDefaultProtocols;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   627
        private static final List<CipherSuite> clientDefaultCipherSuites;
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   628
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   629
        static {
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   630
            if (SunJSSE.isFIPS()) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   631
                clientDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   632
                        new ProtocolVersion[] {
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   633
                    ProtocolVersion.TLS10
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   634
                });
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   635
            } else {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   636
                clientDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   637
                        new ProtocolVersion[] {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   638
                    ProtocolVersion.TLS10,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   639
                    ProtocolVersion.SSL30
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   640
                });
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   641
            }
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   642
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   643
            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   644
                    clientDefaultProtocols, true);
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   645
        }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   646
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   647
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   648
        List<ProtocolVersion> getClientDefaultProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   649
            return clientDefaultProtocols;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   650
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   651
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   652
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   653
        List<CipherSuite> getClientDefaultCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   654
            return clientDefaultCipherSuites;
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   655
        }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   656
    }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   657
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   658
    /*
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   659
     * The SSLContext implementation for TLS11 algorithm
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   660
     *
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   661
     * @see SSLContext
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   662
     */
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   663
    public static final class TLS11Context extends AbstractTLSContext {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   664
        private static final List<ProtocolVersion> clientDefaultProtocols;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   665
        private static final List<CipherSuite> clientDefaultCipherSuites;
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   666
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   667
        static {
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   668
            if (SunJSSE.isFIPS()) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   669
                clientDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   670
                        new ProtocolVersion[] {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   671
                    ProtocolVersion.TLS11,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   672
                    ProtocolVersion.TLS10
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   673
                });
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   674
            } else {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   675
                clientDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   676
                        new ProtocolVersion[] {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   677
                    ProtocolVersion.TLS11,
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   678
                    ProtocolVersion.TLS10,
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   679
                    ProtocolVersion.SSL30
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   680
                });
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   681
            }
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   682
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   683
            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   684
                    clientDefaultProtocols, true);
40275
6a37d5a9619d 8162362: Introduce system property to control enabled ciphersuites
xuelei
parents: 37781
diff changeset
   685
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   686
        }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   687
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   688
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   689
        List<ProtocolVersion> getClientDefaultProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   690
            return clientDefaultProtocols;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   691
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   692
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   693
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   694
        List<CipherSuite> getClientDefaultCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   695
            return clientDefaultCipherSuites;
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   696
        }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   697
    }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   698
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   699
    /*
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   700
     * The SSLContext implementation for TLS12 algorithm
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   701
     *
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   702
     * @see SSLContext
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   703
     */
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   704
    public static final class TLS12Context extends AbstractTLSContext {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   705
        private static final List<ProtocolVersion> clientDefaultProtocols;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   706
        private static final List<CipherSuite> clientDefaultCipherSuites;
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   707
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   708
        static {
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   709
            if (SunJSSE.isFIPS()) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   710
                clientDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   711
                        new ProtocolVersion[] {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   712
                    ProtocolVersion.TLS12,
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   713
                    ProtocolVersion.TLS11,
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   714
                    ProtocolVersion.TLS10
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   715
                });
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   716
            } else {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   717
                clientDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   718
                        new ProtocolVersion[] {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   719
                    ProtocolVersion.TLS12,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   720
                    ProtocolVersion.TLS11,
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   721
                    ProtocolVersion.TLS10,
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   722
                    ProtocolVersion.SSL30
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   723
                });
28555
c7bf34f7b215 8061210: Issues in TLS
xuelei
parents: 25859
diff changeset
   724
            }
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   725
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   726
            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   727
                    clientDefaultProtocols, true);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   728
        }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   729
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   730
        @Override
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   731
        List<ProtocolVersion> getClientDefaultProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   732
            return clientDefaultProtocols;
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   733
        }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   734
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   735
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   736
        List<CipherSuite> getClientDefaultCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   737
            return clientDefaultCipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   738
        }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   739
    }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   740
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   741
    /*
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   742
     * The SSLContext implementation for TLS1.3 algorithm
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   743
     *
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   744
     * @see SSLContext
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   745
     */
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   746
    public static final class TLS13Context extends AbstractTLSContext {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   747
        private static final List<ProtocolVersion> clientDefaultProtocols;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   748
        private static final List<CipherSuite> clientDefaultCipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   749
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   750
        static {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   751
            if (SunJSSE.isFIPS()) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   752
                clientDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   753
                        new ProtocolVersion[] {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   754
                    ProtocolVersion.TLS13,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   755
                    ProtocolVersion.TLS12,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   756
                    ProtocolVersion.TLS11,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   757
                    ProtocolVersion.TLS10
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   758
                });
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   759
            } else {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   760
                clientDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   761
                        new ProtocolVersion[] {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   762
                    ProtocolVersion.TLS13,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   763
                    ProtocolVersion.TLS12,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   764
                    ProtocolVersion.TLS11,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   765
                    ProtocolVersion.TLS10,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   766
                    ProtocolVersion.SSL30
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   767
                });
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   768
            }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   769
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   770
            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   771
                    clientDefaultProtocols, true);
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   772
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   773
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   774
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   775
        List<ProtocolVersion> getClientDefaultProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   776
            return clientDefaultProtocols;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   777
        }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   778
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   779
        @Override
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   780
        List<CipherSuite> getClientDefaultCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   781
            return clientDefaultCipherSuites;
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   782
        }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   783
    }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   784
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   785
    /*
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   786
     * The interface for the customized SSL/(D)TLS SSLContext.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   787
     *
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   788
     * @see SSLContext
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   789
     */
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   790
    private static class CustomizedSSLProtocols {
32649
2ee9017c7597 8136583: Core libraries should use blessed modifier order
martin
parents: 32032
diff changeset
   791
        private static final String PROPERTY_NAME = "jdk.tls.client.protocols";
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   792
        static IllegalArgumentException reservedException = null;
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   793
        static final ArrayList<ProtocolVersion>
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   794
                                customizedProtocols = new ArrayList<>();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   795
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   796
        // Don't want a java.lang.LinkageError for illegal system property.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   797
        //
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   798
        // Please don't throw exception in this static block.  Otherwise,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   799
        // java.lang.LinkageError may be thrown during the instantiation of
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   800
        // the provider service. Instead, please handle the initialization
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   801
        // exception in the caller's constructor.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   802
        static {
37781
71ed5645f17c 8155775: Re-examine naming of privileged methods to access System properties
redestad
parents: 37593
diff changeset
   803
            String property = GetPropertyAction
71ed5645f17c 8155775: Re-examine naming of privileged methods to access System properties
redestad
parents: 37593
diff changeset
   804
                    .privilegedGetProperty(PROPERTY_NAME);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   805
            if (property != null && property.length() != 0) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   806
                // remove double quote marks from beginning/end of the property
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   807
                if (property.length() > 1 && property.charAt(0) == '"' &&
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   808
                        property.charAt(property.length() - 1) == '"') {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   809
                    property = property.substring(1, property.length() - 1);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   810
                }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   811
            }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   812
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   813
            if (property != null && property.length() != 0) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   814
                String[] protocols = property.split(",");
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   815
                for (int i = 0; i < protocols.length; i++) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   816
                    protocols[i] = protocols[i].trim();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   817
                    // Is it a supported protocol name?
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   818
                    ProtocolVersion pv =
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   819
                            ProtocolVersion.nameOf(protocols[i]);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   820
                    if (pv == null) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   821
                        reservedException = new IllegalArgumentException(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   822
                            PROPERTY_NAME + ": " + protocols[i] +
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   823
                            " is not a supported SSL protocol name");
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   824
                    }
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   825
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   826
                    if (SunJSSE.isFIPS() &&
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   827
                            ((pv == ProtocolVersion.SSL30) ||
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   828
                             (pv == ProtocolVersion.SSL20Hello))) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   829
                        reservedException = new IllegalArgumentException(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   830
                                PROPERTY_NAME + ": " + pv +
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   831
                                " is not FIPS compliant");
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   832
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   833
                        break;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   834
                    }
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   835
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   836
                    // ignore duplicated protocols
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   837
                    if (!customizedProtocols.contains(pv)) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   838
                        customizedProtocols.add(pv);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   839
                    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   840
                }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   841
            }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   842
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   843
    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   844
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   845
    /*
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   846
     * The SSLContext implementation for customized TLS protocols
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   847
     *
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   848
     * @see SSLContext
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   849
     */
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   850
    private static class CustomizedTLSContext extends AbstractTLSContext {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   851
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   852
        private static final List<ProtocolVersion> clientDefaultProtocols;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   853
        private static final List<CipherSuite> clientDefaultCipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   854
        private static final IllegalArgumentException reservedException;
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   855
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   856
        // Don't want a java.lang.LinkageError for illegal system property.
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   857
        //
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   858
        // Please don't throw exception in this static block.  Otherwise,
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   859
        // java.lang.LinkageError may be thrown during the instantiation of
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   860
        // the provider service. Instead, let's handle the initialization
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   861
        // exception in constructor.
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   862
        static {
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   863
            reservedException = CustomizedSSLProtocols.reservedException;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   864
            if (reservedException == null) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   865
                ArrayList<ProtocolVersion>
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   866
                        customizedTLSProtocols = new ArrayList<>();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   867
                for (ProtocolVersion protocol :
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   868
                        CustomizedSSLProtocols.customizedProtocols) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   869
                    if (!protocol.isDTLS) {
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   870
                        customizedTLSProtocols.add(protocol);
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   871
                    }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   872
                }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   873
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   874
                // candidates for available protocols
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   875
                ProtocolVersion[] candidates;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   876
                if (customizedTLSProtocols.isEmpty()) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   877
                    // Use the default enabled client protocols if no
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   878
                    // customized TLS protocols.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   879
                    if (SunJSSE.isFIPS()) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   880
                        candidates = new ProtocolVersion[] {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   881
                            ProtocolVersion.TLS13,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   882
                            ProtocolVersion.TLS12,
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   883
                            ProtocolVersion.TLS11,
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   884
                            ProtocolVersion.TLS10
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   885
                        };
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   886
                    } else {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   887
                        candidates = new ProtocolVersion[] {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   888
                            ProtocolVersion.TLS13,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   889
                            ProtocolVersion.TLS12,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   890
                            ProtocolVersion.TLS11,
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   891
                            ProtocolVersion.TLS10,
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   892
                            ProtocolVersion.SSL30
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   893
                        };
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   894
                    }
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   895
                } else {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   896
                    // Use the customized TLS protocols.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   897
                    candidates =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   898
                            new ProtocolVersion[customizedTLSProtocols.size()];
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   899
                    candidates = customizedTLSProtocols.toArray(candidates);
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   900
                }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   901
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   902
                clientDefaultProtocols = getAvailableProtocols(candidates);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   903
                clientDefaultCipherSuites =
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   904
                        getApplicableEnabledCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   905
                                clientDefaultProtocols, true);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   906
            } else {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   907
                clientDefaultProtocols = null;       // unlikely to be used
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   908
                clientDefaultCipherSuites = null;    // unlikely to be used
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   909
            }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   910
        }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   911
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   912
        protected CustomizedTLSContext() {
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   913
            if (reservedException != null) {
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   914
                throw reservedException;
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   915
            }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   916
        }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   917
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   918
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   919
        List<ProtocolVersion> getClientDefaultProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   920
            return clientDefaultProtocols;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   921
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   922
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   923
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   924
        List<CipherSuite> getClientDefaultCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   925
            return clientDefaultCipherSuites;
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   926
        }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   927
    }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   928
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   929
    /*
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   930
     * The SSLContext implementation for default "TLS" algorithm
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   931
     *
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   932
     * @see SSLContext
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   933
     */
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
   934
    public static final class TLSContext extends CustomizedTLSContext {
22068
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   935
        // use the default constructor and methods
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   936
    }
95a7a3cd72a0 7093640: Enable client-side TLS 1.2 by default
xuelei
parents: 21278
diff changeset
   937
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   938
    // lazy initialization holder class idiom for static default parameters
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   939
    //
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   940
    // See Effective Java Second Edition: Item 71.
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   941
    private static final class DefaultManagersHolder {
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   942
        private static final String NONE = "NONE";
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   943
        private static final String P11KEYSTORE = "PKCS11";
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   944
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   945
        private static final TrustManager[] trustManagers;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   946
        private static final KeyManager[] keyManagers;
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   947
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   948
        private static final Exception reservedException;
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   949
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   950
        static {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   951
            Exception reserved = null;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   952
            TrustManager[] tmMediator;
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   953
            try {
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   954
                tmMediator = getTrustManagers();
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   955
            } catch (Exception e) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   956
                reserved = e;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   957
                tmMediator = new TrustManager[0];
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   958
            }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   959
            trustManagers = tmMediator;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   960
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   961
            if (reserved == null) {
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   962
                KeyManager[] kmMediator;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   963
                try {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   964
                    kmMediator = getKeyManagers();
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   965
                } catch (Exception e) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   966
                    reserved = e;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   967
                    kmMediator = new KeyManager[0];
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   968
                }
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   969
                keyManagers = kmMediator;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   970
            } else {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   971
                keyManagers = new KeyManager[0];
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   972
            }
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   973
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
   974
            reservedException = reserved;
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   975
        }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   976
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   977
        private static TrustManager[] getTrustManagers() throws Exception {
43009
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   978
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   979
                    TrustManagerFactory.getDefaultAlgorithm());
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   980
            if ("SunJSSE".equals(tmf.getProvider().getName())) {
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   981
                // The implementation will load the default KeyStore
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   982
                // automatically.  Cached trust materials may be used
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   983
                // for performance improvement.
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   984
                tmf.init((KeyStore)null);
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   985
            } else {
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   986
                // Use the explicitly specified KeyStore for third party's
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   987
                // TrustManagerFactory implementation.
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   988
                KeyStore ks = TrustStoreManager.getTrustedKeyStore();
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   989
                tmf.init(ks);
5af9f7aa93e5 8129988: JSSE should create a single instance of the cacerts KeyStore
xuelei
parents: 42221
diff changeset
   990
            }
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   991
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   992
            return tmf.getTrustManagers();
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   993
        }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   994
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
   995
        private static KeyManager[] getKeyManagers() throws Exception {
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   996
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   997
            final Map<String,String> props = new HashMap<>();
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   998
            AccessController.doPrivileged(
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
   999
                        new PrivilegedExceptionAction<Object>() {
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1000
                @Override
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1001
                public Object run() throws Exception {
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1002
                    props.put("keyStore",  System.getProperty(
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1003
                                "javax.net.ssl.keyStore", ""));
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1004
                    props.put("keyStoreType", System.getProperty(
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1005
                                "javax.net.ssl.keyStoreType",
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1006
                                KeyStore.getDefaultType()));
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1007
                    props.put("keyStoreProvider", System.getProperty(
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1008
                                "javax.net.ssl.keyStoreProvider", ""));
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1009
                    props.put("keyStorePasswd", System.getProperty(
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1010
                                "javax.net.ssl.keyStorePassword", ""));
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1011
                    return null;
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1012
                }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1013
            });
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1014
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1015
            final String defaultKeyStore = props.get("keyStore");
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1016
            String defaultKeyStoreType = props.get("keyStoreType");
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1017
            String defaultKeyStoreProvider = props.get("keyStoreProvider");
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1018
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1019
                SSLLogger.fine("keyStore is : " + defaultKeyStore);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1020
                SSLLogger.fine("keyStore type is : " +
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1021
                                        defaultKeyStoreType);
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1022
                SSLLogger.fine("keyStore provider is : " +
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1023
                                        defaultKeyStoreProvider);
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1024
            }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1025
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1026
            if (P11KEYSTORE.equals(defaultKeyStoreType) &&
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1027
                    !NONE.equals(defaultKeyStore)) {
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1028
                throw new IllegalArgumentException("if keyStoreType is "
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1029
                    + P11KEYSTORE + ", then keyStore must be " + NONE);
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1030
            }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1031
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1032
            FileInputStream fs = null;
10125
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1033
            KeyStore ks = null;
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1034
            char[] passwd = null;
10125
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1035
            try {
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1036
                if (defaultKeyStore.length() != 0 &&
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1037
                        !NONE.equals(defaultKeyStore)) {
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1038
                    fs = AccessController.doPrivileged(
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1039
                            new PrivilegedExceptionAction<FileInputStream>() {
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1040
                        @Override
10125
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1041
                        public FileInputStream run() throws Exception {
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1042
                            return new FileInputStream(defaultKeyStore);
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1043
                        }
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1044
                    });
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1045
                }
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1046
10125
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1047
                String defaultKeyStorePassword = props.get("keyStorePasswd");
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1048
                if (defaultKeyStorePassword.length() != 0) {
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1049
                    passwd = defaultKeyStorePassword.toCharArray();
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1050
                }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1051
10125
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1052
                /**
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1053
                 * Try to initialize key store.
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1054
                 */
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1055
                if ((defaultKeyStoreType.length()) != 0) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1056
                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1057
                        SSLLogger.finest("init keystore");
10125
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1058
                    }
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1059
                    if (defaultKeyStoreProvider.length() == 0) {
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1060
                        ks = KeyStore.getInstance(defaultKeyStoreType);
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1061
                    } else {
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1062
                        ks = KeyStore.getInstance(defaultKeyStoreType,
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1063
                                            defaultKeyStoreProvider);
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1064
                    }
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1065
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1066
                    // if defaultKeyStore is NONE, fs will be null
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1067
                    ks.load(fs, passwd);
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1068
                }
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1069
            } finally {
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1070
                if (fs != null) {
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1071
                    fs.close();
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1072
                    fs = null;
c70d99150c40 7059709: close the IO in a final block
xuelei
parents: 9246
diff changeset
  1073
                }
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1074
            }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1075
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1076
            /*
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1077
             * Try to initialize key manager.
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1078
             */
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1079
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1080
                SSLLogger.fine("init keymanager of type " +
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1081
                    KeyManagerFactory.getDefaultAlgorithm());
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1082
            }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1083
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1084
                KeyManagerFactory.getDefaultAlgorithm());
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1085
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1086
            if (P11KEYSTORE.equals(defaultKeyStoreType)) {
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1087
                kmf.init(ks, null); // do not pass key passwd if using token
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1088
            } else {
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1089
                kmf.init(ks, passwd);
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1090
            }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1091
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1092
            return kmf.getKeyManagers();
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1093
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1094
    }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1095
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1096
    // lazy initialization holder class idiom for static default parameters
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1097
    //
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1098
    // See Effective Java Second Edition: Item 71.
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1099
    private static final class DefaultSSLContextHolder {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1100
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1101
        private static final SSLContextImpl sslContext;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1102
        static Exception reservedException = null;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1103
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1104
        static {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1105
            SSLContextImpl mediator = null;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1106
            if (DefaultManagersHolder.reservedException != null) {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1107
                reservedException = DefaultManagersHolder.reservedException;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1108
            } else {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1109
                try {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1110
                    mediator = new DefaultSSLContext();
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1111
                } catch (Exception e) {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1112
                    reservedException = e;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1113
                }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1114
            }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1115
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1116
            sslContext = mediator;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1117
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1118
    }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1119
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1120
    /*
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1121
     * The SSLContext implementation for default "Default" algorithm
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1122
     *
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1123
     * @see SSLContext
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1124
     */
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1125
    public static final class DefaultSSLContext extends CustomizedTLSContext {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1126
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1127
        // public constructor for SSLContext.getInstance("Default")
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1128
        public DefaultSSLContext() throws Exception {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1129
            if (DefaultManagersHolder.reservedException != null) {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1130
                throw DefaultManagersHolder.reservedException;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1131
            }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1132
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1133
            try {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1134
                super.engineInit(DefaultManagersHolder.keyManagers,
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1135
                        DefaultManagersHolder.trustManagers, null);
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1136
            } catch (Exception e) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1137
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1138
                    SSLLogger.fine("default context init failed: ", e);
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1139
                }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1140
                throw e;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1141
            }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1142
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1143
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1144
        @Override
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1145
        protected void engineInit(KeyManager[] km, TrustManager[] tm,
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1146
            SecureRandom sr) throws KeyManagementException {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1147
            throw new KeyManagementException
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1148
                ("Default SSLContext is initialized automatically");
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1149
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1150
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1151
        static SSLContextImpl getDefaultImpl() throws Exception {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1152
            if (DefaultSSLContextHolder.reservedException != null) {
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1153
                throw DefaultSSLContextHolder.reservedException;
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1154
            }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1155
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1156
            return DefaultSSLContextHolder.sslContext;
9246
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1157
        }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1158
    }
c459f79af46b 6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled
xuelei
parents: 7043
diff changeset
  1159
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1160
    /*
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1161
     * The base abstract SSLContext implementation for the Datagram Transport
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1162
     * Layer Security (DTLS) protocols.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1163
     *
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1164
     * This abstract class encapsulates supported and the default server DTLS
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1165
     * parameters.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1166
     *
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1167
     * @see SSLContext
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1168
     */
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1169
    private abstract static class AbstractDTLSContext extends SSLContextImpl {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1170
        private static final List<ProtocolVersion> supportedProtocols;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1171
        private static final List<ProtocolVersion> serverDefaultProtocols;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1172
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1173
        private static final List<CipherSuite> supportedCipherSuites;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1174
        private static final List<CipherSuite> serverDefaultCipherSuites;
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1175
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1176
        static {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1177
            // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode.
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1178
            supportedProtocols = Arrays.asList(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1179
                ProtocolVersion.DTLS12,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1180
                ProtocolVersion.DTLS10
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1181
            );
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1182
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1183
            // available protocols for server mode
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1184
            serverDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1185
                    new ProtocolVersion[] {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1186
                ProtocolVersion.DTLS12,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1187
                ProtocolVersion.DTLS10
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1188
            });
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1189
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1190
            supportedCipherSuites = getApplicableSupportedCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1191
                    supportedProtocols);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1192
            serverDefaultCipherSuites = getApplicableEnabledCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1193
                    serverDefaultProtocols, false);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1194
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1195
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1196
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1197
        List<ProtocolVersion> getSuportedProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1198
            return supportedProtocols;
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1199
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1200
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1201
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1202
        List<CipherSuite> getSupportedCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1203
            return supportedCipherSuites;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1204
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1205
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1206
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1207
        List<ProtocolVersion> getServerDefaultProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1208
            return serverDefaultProtocols;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1209
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1210
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1211
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1212
        List<CipherSuite> getServerDefaultCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1213
            return serverDefaultCipherSuites;
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1214
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1215
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1216
        @Override
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1217
        SSLEngine createSSLEngineImpl() {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1218
            return new SSLEngineImpl(this);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1219
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1220
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1221
        @Override
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1222
        SSLEngine createSSLEngineImpl(String host, int port) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1223
            return new SSLEngineImpl(this, host, port);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1224
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1225
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1226
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1227
        boolean isDTLS() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1228
            return true;
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1229
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1230
    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1231
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1232
    /*
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1233
     * The SSLContext implementation for DTLSv1.0 algorithm.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1234
     *
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1235
     * @see SSLContext
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1236
     */
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1237
    public static final class DTLS10Context extends AbstractDTLSContext {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1238
        private static final List<ProtocolVersion> clientDefaultProtocols;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1239
        private static final List<CipherSuite> clientDefaultCipherSuites;
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1240
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1241
        static {
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1242
            // available protocols for client mode
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1243
            clientDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1244
                    new ProtocolVersion[] {
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1245
                ProtocolVersion.DTLS10
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1246
            });
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1247
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1248
            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1249
                    clientDefaultProtocols, true);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1250
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1251
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1252
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1253
        List<ProtocolVersion> getClientDefaultProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1254
            return clientDefaultProtocols;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1255
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1256
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1257
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1258
        List<CipherSuite> getClientDefaultCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1259
            return clientDefaultCipherSuites;
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1260
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1261
    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1262
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1263
    /*
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1264
     * The SSLContext implementation for DTLSv1.2 algorithm.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1265
     *
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1266
     * @see SSLContext
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1267
     */
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1268
    public static final class DTLS12Context extends AbstractDTLSContext {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1269
        private static final List<ProtocolVersion> clientDefaultProtocols;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1270
        private static final List<CipherSuite> clientDefaultCipherSuites;
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1271
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1272
        static {
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1273
            // available protocols for client mode
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1274
            clientDefaultProtocols = getAvailableProtocols(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1275
                    new ProtocolVersion[] {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1276
                ProtocolVersion.DTLS12,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1277
                ProtocolVersion.DTLS10
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1278
            });
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1279
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1280
            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1281
                    clientDefaultProtocols, true);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1282
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1283
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1284
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1285
        List<ProtocolVersion> getClientDefaultProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1286
            return clientDefaultProtocols;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1287
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1288
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1289
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1290
        List<CipherSuite> getClientDefaultCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1291
            return clientDefaultCipherSuites;
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1292
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1293
    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1294
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1295
    /*
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1296
     * The SSLContext implementation for customized TLS protocols
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1297
     *
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1298
     * @see SSLContext
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1299
     */
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1300
    private static class CustomizedDTLSContext extends AbstractDTLSContext {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1301
        private static final List<ProtocolVersion> clientDefaultProtocols;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1302
        private static final List<CipherSuite> clientDefaultCipherSuites;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1303
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1304
        private static IllegalArgumentException reservedException = null;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1305
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1306
        // Don't want a java.lang.LinkageError for illegal system property.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1307
        //
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1308
        // Please don't throw exception in this static block.  Otherwise,
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1309
        // java.lang.LinkageError may be thrown during the instantiation of
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1310
        // the provider service. Instead, let's handle the initialization
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1311
        // exception in constructor.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1312
        static {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1313
            reservedException = CustomizedSSLProtocols.reservedException;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1314
            if (reservedException == null) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1315
                ArrayList<ProtocolVersion>
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1316
                        customizedDTLSProtocols = new ArrayList<>();
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1317
                for (ProtocolVersion protocol :
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1318
                        CustomizedSSLProtocols.customizedProtocols) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1319
                    if (protocol.isDTLS) {
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1320
                        customizedDTLSProtocols.add(protocol);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1321
                    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1322
                }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1323
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1324
                // candidates for available protocols
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1325
                ProtocolVersion[] candidates;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1326
                if (customizedDTLSProtocols.isEmpty()) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1327
                    // Use the default enabled client protocols if no
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1328
                    // customized TLS protocols.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1329
                    //
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1330
                    // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1331
                    candidates = new ProtocolVersion[] {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1332
                        ProtocolVersion.DTLS12,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1333
                        ProtocolVersion.DTLS10
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1334
                    };
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1335
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1336
                } else {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1337
                    // Use the customized TLS protocols.
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1338
                    candidates =
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1339
                            new ProtocolVersion[customizedDTLSProtocols.size()];
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1340
                    candidates = customizedDTLSProtocols.toArray(candidates);
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1341
                }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1342
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1343
                clientDefaultProtocols = getAvailableProtocols(candidates);
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1344
                clientDefaultCipherSuites =
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1345
                        getApplicableEnabledCipherSuites(
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1346
                                clientDefaultProtocols, true);
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1347
            } else {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1348
                clientDefaultProtocols = null;       // unlikely to be used
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1349
                clientDefaultCipherSuites = null;    // unlikely to be used
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1350
            }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1351
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1352
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1353
        protected CustomizedDTLSContext() {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1354
            if (reservedException != null) {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1355
                throw reservedException;
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1356
            }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1357
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1358
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1359
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1360
        List<ProtocolVersion> getClientDefaultProtocolVersions() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1361
            return clientDefaultProtocols;
34826
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1362
        }
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1363
4bbdce2630f8 8133070: Hot lock on BulkCipher.isAvailable
xuelei
parents: 32649
diff changeset
  1364
        @Override
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1365
        List<CipherSuite> getClientDefaultCipherSuites() {
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1366
            return clientDefaultCipherSuites;
30904
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1367
        }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1368
    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1369
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1370
    /*
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1371
     * The SSLContext implementation for default "DTLS" algorithm
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1372
     *
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1373
     * @see SSLContext
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1374
     */
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1375
    public static final class DTLSContext extends CustomizedDTLSContext {
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1376
        // use the default constructor and methods
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1377
    }
ec0224270f90 8043758: Datagram Transport Layer Security (DTLS)
xuelei
parents: 28555
diff changeset
  1378
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1379
}
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1380
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1381
final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1382
            implements X509TrustManager {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1383
11037
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1384
    // the delegated trust manager
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1385
    private final X509TrustManager tm;
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1386
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1387
    AbstractTrustManagerWrapper(X509TrustManager tm) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1388
        this.tm = tm;
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1389
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1390
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1391
    @Override
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1392
    public void checkClientTrusted(X509Certificate[] chain, String authType)
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1393
        throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1394
        tm.checkClientTrusted(chain, authType);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1395
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1396
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1397
    @Override
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1398
    public void checkServerTrusted(X509Certificate[] chain, String authType)
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1399
        throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1400
        tm.checkServerTrusted(chain, authType);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1401
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1402
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1403
    @Override
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1404
    public X509Certificate[] getAcceptedIssuers() {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1405
        return tm.getAcceptedIssuers();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1406
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1407
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1408
    @Override
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1409
    public void checkClientTrusted(X509Certificate[] chain, String authType,
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1410
                Socket socket) throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1411
        tm.checkClientTrusted(chain, authType);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1412
        checkAdditionalTrust(chain, authType, socket, true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1413
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1414
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1415
    @Override
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1416
    public void checkServerTrusted(X509Certificate[] chain, String authType,
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1417
            Socket socket) throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1418
        tm.checkServerTrusted(chain, authType);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1419
        checkAdditionalTrust(chain, authType, socket, false);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1420
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1421
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1422
    @Override
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1423
    public void checkClientTrusted(X509Certificate[] chain, String authType,
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1424
            SSLEngine engine) throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1425
        tm.checkClientTrusted(chain, authType);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1426
        checkAdditionalTrust(chain, authType, engine, true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1427
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1428
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1429
    @Override
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1430
    public void checkServerTrusted(X509Certificate[] chain, String authType,
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1431
            SSLEngine engine) throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1432
        tm.checkServerTrusted(chain, authType);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1433
        checkAdditionalTrust(chain, authType, engine, false);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1434
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1435
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1436
    private void checkAdditionalTrust(X509Certificate[] chain, String authType,
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1437
                Socket socket, boolean isClient) throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1438
        if (socket != null && socket.isConnected() &&
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1439
                                    socket instanceof SSLSocket) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1440
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1441
            SSLSocket sslSocket = (SSLSocket)socket;
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1442
            SSLSession session = sslSocket.getHandshakeSession();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1443
            if (session == null) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1444
                throw new CertificateException("No handshake session");
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1445
            }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1446
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1447
            // check endpoint identity
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1448
            String identityAlg = sslSocket.getSSLParameters().
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1449
                                        getEndpointIdentificationAlgorithm();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1450
            if (identityAlg != null && identityAlg.length() != 0) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1451
                String hostname = session.getPeerHost();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1452
                X509TrustManagerImpl.checkIdentity(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1453
                                    hostname, chain[0], identityAlg);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1454
            }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1455
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1456
            // try the best to check the algorithm constraints
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1457
            AlgorithmConstraints constraints;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1458
            if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1459
                if (session instanceof ExtendedSSLSession) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1460
                    ExtendedSSLSession extSession =
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1461
                                    (ExtendedSSLSession)session;
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1462
                    String[] peerSupportedSignAlgs =
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1463
                            extSession.getLocalSupportedSignatureAlgorithms();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1464
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1465
                    constraints = new SSLAlgorithmConstraints(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1466
                                    sslSocket, peerSupportedSignAlgs, true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1467
                } else {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1468
                    constraints =
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1469
                            new SSLAlgorithmConstraints(sslSocket, true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1470
                }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1471
            } else {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1472
                constraints = new SSLAlgorithmConstraints(sslSocket, true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1473
            }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1474
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43009
diff changeset
  1475
            checkAlgorithmConstraints(chain, constraints, isClient);
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1476
        }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1477
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1478
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1479
    private void checkAdditionalTrust(X509Certificate[] chain, String authType,
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1480
            SSLEngine engine, boolean isClient) throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1481
        if (engine != null) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1482
            SSLSession session = engine.getHandshakeSession();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1483
            if (session == null) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1484
                throw new CertificateException("No handshake session");
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1485
            }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1486
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1487
            // check endpoint identity
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1488
            String identityAlg = engine.getSSLParameters().
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1489
                                        getEndpointIdentificationAlgorithm();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1490
            if (identityAlg != null && identityAlg.length() != 0) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1491
                String hostname = session.getPeerHost();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1492
                X509TrustManagerImpl.checkIdentity(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1493
                                    hostname, chain[0], identityAlg);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1494
            }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1495
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1496
            // try the best to check the algorithm constraints
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1497
            AlgorithmConstraints constraints;
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1498
            if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1499
                if (session instanceof ExtendedSSLSession) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1500
                    ExtendedSSLSession extSession =
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1501
                                    (ExtendedSSLSession)session;
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1502
                    String[] peerSupportedSignAlgs =
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1503
                            extSession.getLocalSupportedSignatureAlgorithms();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1504
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1505
                    constraints = new SSLAlgorithmConstraints(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1506
                                    engine, peerSupportedSignAlgs, true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1507
                } else {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1508
                    constraints =
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1509
                            new SSLAlgorithmConstraints(engine, true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1510
                }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1511
            } else {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1512
                constraints = new SSLAlgorithmConstraints(engine, true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1513
            }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1514
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43009
diff changeset
  1515
            checkAlgorithmConstraints(chain, constraints, isClient);
11037
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1516
        }
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1517
    }
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1518
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1519
    private void checkAlgorithmConstraints(X509Certificate[] chain,
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1520
            AlgorithmConstraints constraints,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1521
            boolean isClient) throws CertificateException {
11037
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1522
        try {
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1523
            // Does the certificate chain end with a trusted certificate?
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1524
            int checkedLength = chain.length - 1;
12302
0c8557ba0b8f 7142172: Custom TrustManagers that return null for getAcceptedIssuers will NPE
wetmore
parents: 11037
diff changeset
  1525
0c8557ba0b8f 7142172: Custom TrustManagers that return null for getAcceptedIssuers will NPE
wetmore
parents: 11037
diff changeset
  1526
            Collection<X509Certificate> trustedCerts = new HashSet<>();
0c8557ba0b8f 7142172: Custom TrustManagers that return null for getAcceptedIssuers will NPE
wetmore
parents: 11037
diff changeset
  1527
            X509Certificate[] certs = tm.getAcceptedIssuers();
0c8557ba0b8f 7142172: Custom TrustManagers that return null for getAcceptedIssuers will NPE
wetmore
parents: 11037
diff changeset
  1528
            if ((certs != null) && (certs.length > 0)){
0c8557ba0b8f 7142172: Custom TrustManagers that return null for getAcceptedIssuers will NPE
wetmore
parents: 11037
diff changeset
  1529
                Collections.addAll(trustedCerts, certs);
0c8557ba0b8f 7142172: Custom TrustManagers that return null for getAcceptedIssuers will NPE
wetmore
parents: 11037
diff changeset
  1530
            }
0c8557ba0b8f 7142172: Custom TrustManagers that return null for getAcceptedIssuers will NPE
wetmore
parents: 11037
diff changeset
  1531
11037
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1532
            if (trustedCerts.contains(chain[checkedLength])) {
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1533
                    checkedLength--;
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1534
            }
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1535
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1536
            // A forward checker, need to check from trust to target
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1537
            if (checkedLength >= 0) {
43701
fe8c324ba97c 8160655: Fix denyAfter and usage types for security properties
ascarpino
parents: 43009
diff changeset
  1538
                AlgorithmChecker checker =
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1539
                    new AlgorithmChecker(constraints, null,
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1540
                            (isClient ? Validator.VAR_TLS_CLIENT :
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1541
                                        Validator.VAR_TLS_SERVER));
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1542
                checker.init(false);
11037
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1543
                for (int i = checkedLength; i >= 0; i--) {
56542
56aaa6cb3693 Initial TLSv1.3 Implementation
wetmore
parents: 47216
diff changeset
  1544
                    X509Certificate cert = chain[i];
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1545
                    // We don't care about the unresolved critical extensions.
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1546
                    checker.check(cert, Collections.<String>emptySet());
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1547
                }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1548
            }
11037
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1549
        } catch (CertPathValidatorException cpve) {
03c29eb4afa0 7113275: compatibility issue with MD2 trust anchor and old X509TrustManager
xuelei
parents: 10125
diff changeset
  1550
            throw new CertificateException(
40700
b75806acf716 8164846: CertificateException missing cause of underlying exception
coffeys
parents: 40275
diff changeset
  1551
                "Certificates do not conform to algorithm constraints", cpve);
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1552
        }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1553
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1554
}
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1555
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1556
// Dummy X509TrustManager implementation, rejects all peer certificates.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1557
// Used if the application did not specify a proper X509TrustManager.
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1558
final class DummyX509TrustManager extends X509ExtendedTrustManager
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1559
            implements X509TrustManager {
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1560
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1561
    static final X509TrustManager INSTANCE = new DummyX509TrustManager();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1562
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1563
    private DummyX509TrustManager() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1564
        // empty
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1565
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1566
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1567
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1568
     * Given the partial or complete certificate chain
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1569
     * provided by the peer, build a certificate path
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1570
     * to a trusted root and return if it can be
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1571
     * validated and is trusted for client SSL authentication.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1572
     * If not, it throws an exception.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1573
     */
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1574
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1575
    public void checkClientTrusted(X509Certificate[] chain, String authType)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1576
        throws CertificateException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1577
        throw new CertificateException(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1578
            "No X509TrustManager implementation avaiable");
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1579
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1580
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1581
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1582
     * Given the partial or complete certificate chain
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1583
     * provided by the peer, build a certificate path
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1584
     * to a trusted root and return if it can be
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1585
     * validated and is trusted for server SSL authentication.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1586
     * If not, it throws an exception.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1587
     */
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1588
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1589
    public void checkServerTrusted(X509Certificate[] chain, String authType)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1590
        throws CertificateException {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1591
        throw new CertificateException(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1592
            "No X509TrustManager implementation available");
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1593
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1594
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1595
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1596
     * Return an array of issuer certificates which are trusted
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1597
     * for authenticating peers.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1598
     */
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1599
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1600
    public X509Certificate[] getAcceptedIssuers() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1601
        return new X509Certificate[0];
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1602
    }
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1603
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1604
    @Override
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1605
    public void checkClientTrusted(X509Certificate[] chain, String authType,
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1606
                Socket socket) throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1607
        throw new CertificateException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1608
            "No X509TrustManager implementation available");
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1609
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1610
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1611
    @Override
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1612
    public void checkServerTrusted(X509Certificate[] chain, String authType,
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1613
            Socket socket) throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1614
        throw new CertificateException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1615
            "No X509TrustManager implementation available");
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1616
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1617
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1618
    @Override
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1619
    public void checkClientTrusted(X509Certificate[] chain, String authType,
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1620
            SSLEngine engine) throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1621
        throw new CertificateException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1622
            "No X509TrustManager implementation available");
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1623
    }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1624
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1625
    @Override
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1626
    public void checkServerTrusted(X509Certificate[] chain, String authType,
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1627
            SSLEngine engine) throws CertificateException {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1628
        throw new CertificateException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1629
            "No X509TrustManager implementation available");
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1630
    }
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1631
}
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1632
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1633
/*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1634
 * A wrapper class to turn a X509KeyManager into an X509ExtendedKeyManager
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1635
 */
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1636
final class AbstractKeyManagerWrapper extends X509ExtendedKeyManager {
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1637
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1638
    private final X509KeyManager km;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1639
7043
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
  1640
    AbstractKeyManagerWrapper(X509KeyManager km) {
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1641
        this.km = km;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1642
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1643
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1644
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1645
    public String[] getClientAliases(String keyType, Principal[] issuers) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1646
        return km.getClientAliases(keyType, issuers);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1647
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1648
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1649
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1650
    public String chooseClientAlias(String[] keyType, Principal[] issuers,
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1651
            Socket socket) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1652
        return km.chooseClientAlias(keyType, issuers, socket);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1653
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1654
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1655
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1656
    public String[] getServerAliases(String keyType, Principal[] issuers) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1657
        return km.getServerAliases(keyType, issuers);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1658
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1659
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1660
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1661
    public String chooseServerAlias(String keyType, Principal[] issuers,
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1662
            Socket socket) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1663
        return km.chooseServerAlias(keyType, issuers, socket);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1664
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1665
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1666
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1667
    public X509Certificate[] getCertificateChain(String alias) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1668
        return km.getCertificateChain(alias);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1669
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1670
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1671
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1672
    public PrivateKey getPrivateKey(String alias) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1673
        return km.getPrivateKey(alias);
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1674
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1675
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1676
    // Inherit chooseEngineClientAlias() and chooseEngineServerAlias() from
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1677
    // X509ExtendedKeymanager. It defines them to return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1678
}
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1679
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1680
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1681
// Dummy X509KeyManager implementation, never returns any certificates/keys.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1682
// Used if the application did not specify a proper X509TrustManager.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1683
final class DummyX509KeyManager extends X509ExtendedKeyManager {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1684
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1685
    static final X509ExtendedKeyManager INSTANCE = new DummyX509KeyManager();
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1686
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1687
    private DummyX509KeyManager() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1688
        // empty
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1689
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1690
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1691
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1692
     * Get the matching aliases for authenticating the client side of a secure
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1693
     * socket given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1694
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1695
     */
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1696
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1697
    public String[] getClientAliases(String keyType, Principal[] issuers) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1698
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1699
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1700
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1701
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1702
     * Choose an alias to authenticate the client side of a secure
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1703
     * socket given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1704
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1705
     */
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1706
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1707
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers,
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1708
            Socket socket) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1709
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1710
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1711
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1712
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1713
     * Choose an alias to authenticate the client side of an
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1714
     * engine given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1715
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1716
     */
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1717
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1718
    public String chooseEngineClientAlias(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1719
            String[] keyTypes, Principal[] issuers, SSLEngine engine) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1720
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1721
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1722
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1723
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1724
     * Get the matching aliases for authenticating the server side of a secure
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1725
     * socket given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1726
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1727
     */
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1728
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1729
    public String[] getServerAliases(String keyType, Principal[] issuers) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1730
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1731
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1732
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1733
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1734
     * Choose an alias to authenticate the server side of a secure
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1735
     * socket given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1736
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1737
     */
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1738
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1739
    public String chooseServerAlias(String keyType, Principal[] issuers,
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1740
            Socket socket) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1741
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1742
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1743
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1744
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1745
     * Choose an alias to authenticate the server side of an engine
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1746
     * given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1747
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1748
     */
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1749
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1750
    public String chooseEngineServerAlias(
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1751
            String keyType, Principal[] issuers, SSLEngine engine) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1752
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1753
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1754
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1755
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1756
     * Returns the certificate chain associated with the given alias.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1757
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1758
     * @param alias the alias name
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1759
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1760
     * @return the certificate chain (ordered with the user's certificate first
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1761
     * and the root certificate authority last)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1762
     */
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1763
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1764
    public X509Certificate[] getCertificateChain(String alias) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1765
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1766
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1767
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1768
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1769
     * Returns the key associated with the given alias, using the given
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1770
     * password to recover it.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1771
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1772
     * @param alias the alias name
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1773
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1774
     * @return the requested key
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1775
     */
14664
e71aa0962e70 8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents: 13815
diff changeset
  1776
    @Override
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1777
    public PrivateKey getPrivateKey(String alias) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1778
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1779
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1780
}