jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
author xuelei
Mon, 01 Nov 2010 22:02:35 -0700
changeset 7043 5e2d1edeb2c7
parent 5506 202f599c92aa
child 9246 c459f79af46b
permissions -rw-r--r--
6916074: Add support for TLS 1.2 6985179: To support Server Name Indication extension for JSSE client Summary: Introduces the algorithm constraints to support signature and hash algorithm selection. Includes contributions from wetmore and weijung. Reviewed-by: wetmore, weijun
/*
 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package sun.security.ssl;
import java.net.Socket;
import java.util.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import javax.net.ssl.*;
import sun.security.provider.certpath.AlgorithmChecker;
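public class SSLContextImpl extends SSLContextSpi {

    private static final Debug debug = Debug.getInstance("ssl");

    // Shared with any context created through the copy constructor.
    private final EphemeralKeyManager ephemeralKeyManager;
    private final SSLSessionContextImpl clientCache;
    private final SSLSessionContextImpl serverCache;

    // Cleared at the start of engineInit() and set only after every step
    // of it has completed; the factory and engine getters refuse to work
    // while it is false.
    private boolean isInitialized;

    // Chosen by engineInit(); all three are assigned before isInitialized
    // becomes true.
    private X509ExtendedKeyManager keyManager;
    private X509TrustManager trustManager;
    private SecureRandom secureRandom;

    /**
     * Creates a context with its own ephemeral key manager and fresh
     * client and server session caches.
     */
    public SSLContextImpl() {
        this(null);
    }

    /**
     * Creates a context that shares the ephemeral key manager and the
     * session caches of {@code other}, or fresh ones when {@code other}
     * is {@code null}. Key manager, trust manager and SecureRandom are
     * not copied; they are chosen by {@link #engineInit}.
     *
     * @param other the context whose caches are shared, or {@code null}
     */
    SSLContextImpl(SSLContextImpl other) {
        if (other == null) {
            ephemeralKeyManager = new EphemeralKeyManager();
            clientCache = new SSLSessionContextImpl();
            serverCache = new SSLSessionContextImpl();
        } else {
            ephemeralKeyManager = other.ephemeralKeyManager;
            clientCache = other.clientCache;
            serverCache = other.serverCache;
        }
    }

    /**
     * Initializes this context with a key manager, a trust manager and a
     * source of randomness. See {@link #chooseKeyManager} and
     * {@link #chooseTrustManager} for how each array is reduced to a
     * single manager.
     *
     * @param km  candidate key managers, may be {@code null}
     * @param tm  candidate trust managers; when {@code null} the default
     *            TrustManagerFactory is consulted, and if that fails as
     *            well the dummy trust manager is installed
     * @param sr  SecureRandom to use, or {@code null} for
     *            {@code JsseJce.getSecureRandom()}
     * @throws KeyManagementException in FIPS mode when the key manager,
     *            the trust manager or the SecureRandom provider is not
     *            SunJSSE's own
     */
    @Override
    protected void engineInit(KeyManager[] km, TrustManager[] tm,
                                SecureRandom sr) throws KeyManagementException {
        isInitialized = false;
        keyManager = chooseKeyManager(km);

        if (tm == null) {
            try {
                TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                        TrustManagerFactory.getDefaultAlgorithm());
                tmf.init((KeyStore)null);
                tm = tmf.getTrustManagers();
            } catch (Exception e) {
                // Best effort: tm stays null and chooseTrustManager() then
                // falls back to DummyX509TrustManager.INSTANCE. Keep
                // initialization going, but leave a trace of the cause so
                // the fallback is not completely silent.
                if (debug != null && Debug.isOn("sslctx")) {
                    System.out.println(
                        "default TrustManagerFactory unavailable: " + e);
                }
            }
        }
        trustManager = chooseTrustManager(tm);

        if (sr == null) {
            secureRandom = JsseJce.getSecureRandom();
        } else {
            // In FIPS mode the RNG has to come from the FIPS provider
            // itself; the identity comparison of Provider objects is
            // intended.
            if (SunJSSE.isFIPS() &&
                        (sr.getProvider() != SunJSSE.cryptoProvider)) {
                throw new KeyManagementException
                    ("FIPS mode: SecureRandom must be from provider "
                    + SunJSSE.cryptoProvider.getName());
            }
            secureRandom = sr;
        }

        /*
         * The initial delay of seeding the random number generator
         * could be long enough to cause the initial handshake on our
         * first connection to timeout and fail. Make sure it is
         * primed and ready by getting some initial output from it.
         */
        if (debug != null && Debug.isOn("sslctx")) {
            System.out.println("trigger seeding of SecureRandom");
        }
        secureRandom.nextInt();
        if (debug != null && Debug.isOn("sslctx")) {
            System.out.println("done seeding SecureRandom");
        }
        isInitialized = true;
    }

    /**
     * Picks the trust manager for this context: the first
     * {@code X509TrustManager} in {@code tm}. An
     * {@code X509ExtendedTrustManager} is returned as-is; any other
     * X509TrustManager is wrapped in an {@link AbstractTrustManagerWrapper},
     * which adds the socket/engine-aware endpoint-identity and
     * algorithm-constraint checks on top of the plain chain check. When
     * {@code tm} is {@code null} or holds no X509TrustManager, the dummy
     * trust manager is returned rather than failing (its behaviour is not
     * visible here; presumably it rejects every chain — confirm in
     * DummyX509TrustManager).
     *
     * @param tm candidate trust managers, may be {@code null}
     * @throws KeyManagementException in FIPS mode when the selected trust
     *         manager is not SunJSSE's own X509TrustManagerImpl
     */
    private X509TrustManager chooseTrustManager(TrustManager[] tm)
            throws KeyManagementException {
        // We only use the first instance of X509TrustManager passed to us.
        for (int i = 0; tm != null && i < tm.length; i++) {
            if (tm[i] instanceof X509TrustManager) {
                if (SunJSSE.isFIPS() &&
                        !(tm[i] instanceof X509TrustManagerImpl)) {
                    throw new KeyManagementException
                        ("FIPS mode: only SunJSSE TrustManagers may be used");
                }

                if (tm[i] instanceof X509ExtendedTrustManager) {
                    return (X509TrustManager)tm[i];
                } else {
                    return new AbstractTrustManagerWrapper(
                                        (X509TrustManager)tm[i]);
                }
            }
        }

        // nothing found, return a dummy X509TrustManager.
        return DummyX509TrustManager.INSTANCE;
    }

    /**
     * Picks the key manager for this context: the first
     * {@code X509KeyManager} in {@code kms}. An
     * {@code X509ExtendedKeyManager} is returned as-is; any other
     * X509KeyManager is wrapped in an AbstractKeyManagerWrapper, since the
     * SSLEngine code paths need the extended interface. When {@code kms}
     * is {@code null} or holds no X509KeyManager, the dummy key manager
     * is returned.
     *
     * @param kms candidate key managers, may be {@code null}
     * @throws KeyManagementException in FIPS mode when the selected key
     *         manager is not one of SunJSSE's own implementations
     */
    private X509ExtendedKeyManager chooseKeyManager(KeyManager[] kms)
            throws KeyManagementException {
        for (int i = 0; kms != null && i < kms.length; i++) {
            KeyManager km = kms[i];
            if (!(km instanceof X509KeyManager)) {
                continue;
            }
            if (SunJSSE.isFIPS()) {
                // In FIPS mode, require that one of SunJSSE's own keymanagers
                // is used. Otherwise, we cannot be sure that only keys from
                // the FIPS token are used.
                if ((km instanceof X509KeyManagerImpl)
                            || (km instanceof SunX509KeyManagerImpl)) {
                    return (X509ExtendedKeyManager)km;
                } else {
                    // throw exception, we don't want to silently use the
                    // dummy keymanager without telling the user.
                    throw new KeyManagementException
                        ("FIPS mode: only SunJSSE KeyManagers may be used");
                }
            }
            if (km instanceof X509ExtendedKeyManager) {
                return (X509ExtendedKeyManager)km;
            }
            if (debug != null && Debug.isOn("sslctx")) {
                System.out.println(
                    "X509KeyManager passed to " +
                    "SSLContext.init():  need an " +
                    "X509ExtendedKeyManager for SSLEngine use");
            }
            return new AbstractKeyManagerWrapper((X509KeyManager)km);
        }

        // nothing found, return a dummy X509ExtendedKeyManager
        return DummyX509KeyManager.INSTANCE;
    }

    /**
     * @return a socket factory bound to this context
     * @throws IllegalStateException if {@link #engineInit} has not completed
     */
    @Override
    protected SSLSocketFactory engineGetSocketFactory() {
        if (!isInitialized) {
            throw new IllegalStateException(
                "SSLContextImpl is not initialized");
        }
        return new SSLSocketFactoryImpl(this);
    }

    /**
     * @return a server socket factory bound to this context
     * @throws IllegalStateException if {@link #engineInit} has not completed
     */
    @Override
    protected SSLServerSocketFactory engineGetServerSocketFactory() {
        if (!isInitialized) {
            throw new IllegalStateException("SSLContext is not initialized");
        }
        return new SSLServerSocketFactoryImpl(this);
    }

    /**
     * @return an engine bound to this context with no peer host/port hint
     * @throws IllegalStateException if {@link #engineInit} has not completed
     */
    @Override
    protected SSLEngine engineCreateSSLEngine() {
        if (!isInitialized) {
            throw new IllegalStateException(
                "SSLContextImpl is not initialized");
        }
        return new SSLEngineImpl(this);
    }

    /**
     * @param host peer host hint handed to the engine
     * @param port peer port hint handed to the engine
     * @return an engine bound to this context
     * @throws IllegalStateException if {@link #engineInit} has not completed
     */
    @Override
    protected SSLEngine engineCreateSSLEngine(String host, int port) {
        if (!isInitialized) {
            throw new IllegalStateException(
                "SSLContextImpl is not initialized");
        }
        return new SSLEngineImpl(this, host, port);
    }

    /** @return the client-side session cache (usable before init). */
    @Override
    protected SSLSessionContext engineGetClientSessionContext() {
        return clientCache;
    }

    /** @return the server-side session cache (usable before init). */
    @Override
    protected SSLSessionContext engineGetServerSessionContext() {
        return serverCache;
    }

    /** @return the SecureRandom chosen by {@link #engineInit}. */
    SecureRandom getSecureRandom() {
        return secureRandom;
    }

    /** @return the key manager chosen by {@link #engineInit}. */
    X509ExtendedKeyManager getX509KeyManager() {
        return keyManager;
    }

    /** @return the trust manager chosen by {@link #engineInit}. */
    X509TrustManager getX509TrustManager() {
        return trustManager;
    }

    /** @return the ephemeral key manager shared by this context family. */
    EphemeralKeyManager getEphemeralKeyManager() {
        return ephemeralKeyManager;
    }

}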
final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
            implements X509TrustManager {
    private final X509TrustManager tm;
    /**
     * Wraps a plain {@code X509TrustManager} so it can be used where an
     * {@code X509ExtendedTrustManager} is required; every chain check is
     * delegated to {@code tm}, and the socket/engine variants add the
     * endpoint-identity and algorithm-constraint checks on top.
     *
     * @param tm the trust manager all checks are delegated to
     */
    AbstractTrustManagerWrapper(X509TrustManager tm) {
        this.tm = tm;
    }
    /**
     * Plain chain check: forwards to the wrapped trust manager only. No
     * endpoint identification or algorithm-constraint check happens on this
     * path, because without a socket or engine there is no handshake
     * session to take the peer host and protocol version from.
     *
     * @throws CertificateException if the wrapped trust manager rejects
     *         the chain
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        final X509TrustManager delegate = tm;
        delegate.checkClientTrusted(chain, authType);
    }
    /**
     * Plain chain check: forwards to the wrapped trust manager only. No
     * endpoint identification or algorithm-constraint check happens on this
     * path, because without a socket or engine there is no handshake
     * session to take the peer host and protocol version from.
     *
     * @throws CertificateException if the wrapped trust manager rejects
     *         the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        final X509TrustManager delegate = tm;
        delegate.checkServerTrusted(chain, authType);
    }
    /**
     * Returns whatever the wrapped trust manager reports as its accepted
     * issuers; the array is passed through unchanged.
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        final X509TrustManager delegate = tm;
        final X509Certificate[] issuers = delegate.getAcceptedIssuers();
        return issuers;
    }
    /**
     * Chain check for a socket-based handshake: the wrapped trust manager
     * validates the chain first, then {@code checkAdditionalTrust} uses the
     * socket's handshake session for the endpoint-identity and
     * algorithm-constraint checks, with the isClient flag set to
     * {@code true}.
     *
     * @throws CertificateException if either stage rejects the chain
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
                Socket socket) throws CertificateException {
        final X509TrustManager delegate = tm;
        delegate.checkClientTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, socket, true);
    }
    /**
     * Chain check for a socket-based handshake: the wrapped trust manager
     * validates the chain first, then {@code checkAdditionalTrust} uses the
     * socket's handshake session for the endpoint-identity and
     * algorithm-constraint checks, with the isClient flag set to
     * {@code false}.
     *
     * @throws CertificateException if either stage rejects the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            Socket socket) throws CertificateException {
        final X509TrustManager delegate = tm;
        delegate.checkServerTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, socket, false);
    }
    /**
     * Chain check for an SSLEngine-based handshake: the wrapped trust
     * manager validates the chain first, then {@code checkAdditionalTrust}
     * runs the engine-aware endpoint-identity and algorithm-constraint
     * checks, with the isClient flag set to {@code true}.
     *
     * @throws CertificateException if either stage rejects the chain
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        final X509TrustManager delegate = tm;
        delegate.checkClientTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, engine, true);
    }
    /**
     * Chain check for an SSLEngine-based handshake: the wrapped trust
     * manager validates the chain first, then {@code checkAdditionalTrust}
     * runs the engine-aware endpoint-identity and algorithm-constraint
     * checks, with the isClient flag set to {@code false}.
     *
     * @throws CertificateException if either stage rejects the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        final X509TrustManager delegate = tm;
        delegate.checkServerTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, engine, false);
    }
    private void checkAdditionalTrust(X509Certificate[] chain, String authType,
                Socket socket, boolean isClient) throws CertificateException {
        if (socket != null && socket.isConnected() &&
                                    socket instanceof SSLSocket) {
            SSLSocket sslSocket = (SSLSocket)socket;
            SSLSession session = sslSocket.getHandshakeSession();
            if (session == null) {
                throw new CertificateException("No handshake session");
            }
            // check endpoint identity
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   299
            String identityAlg = sslSocket.getSSLParameters().
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   300
                                        getEndpointIdentificationAlgorithm();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   301
            if (identityAlg != null && identityAlg.length() != 0) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   302
                String hostname = session.getPeerHost();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   303
                X509TrustManagerImpl.checkIdentity(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   304
                                    hostname, chain[0], identityAlg);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   305
            }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   306
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   307
            // try the best to check the algorithm constraints
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   308
            ProtocolVersion protocolVersion =
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   309
                ProtocolVersion.valueOf(session.getProtocol());
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   310
            AlgorithmConstraints constraints = null;
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   311
            if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   312
                if (session instanceof ExtendedSSLSession) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   313
                    ExtendedSSLSession extSession =
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   314
                                    (ExtendedSSLSession)session;
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   315
                    String[] peerSupportedSignAlgs =
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   316
                            extSession.getLocalSupportedSignatureAlgorithms();
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   317
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   318
                    constraints = new SSLAlgorithmConstraints(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   319
                                    sslSocket, peerSupportedSignAlgs, true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   320
                } else {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   321
                    constraints =
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   322
                            new SSLAlgorithmConstraints(sslSocket, true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   323
                }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   324
            } else {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   325
                constraints = new SSLAlgorithmConstraints(sslSocket, true);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   326
            }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   327
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   328
            AlgorithmChecker checker = new AlgorithmChecker(constraints);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   329
            try {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   330
                checker.init(false);
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   331
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   332
                // a forward checker, need to check from trust to target
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   333
                for (int i = chain.length - 1; i >= 0; i--) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   334
                    Certificate cert = chain[i];
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   335
                    // We don't care about the unresolved critical extensions.
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   336
                    checker.check(cert, Collections.<String>emptySet());
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   337
                }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   338
            } catch (CertPathValidatorException cpve) {
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   339
                throw new CertificateException(
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   340
                    "Certificates does not conform to algorithm constraints");
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   341
            }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   342
        }
5e2d1edeb2c7 6916074: Add support for TLS 1.2
xuelei
parents: 5506
diff changeset
   343
    }
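    /*
     * Engine-side twin of checkAdditionalTrust(..., Socket, ...): the same
     * endpoint identification and algorithm constraint checks, driven by
     * an SSLEngine's handshake session instead of a socket's.
     *
     * A null engine returns without any additional check, on the
     * assumption that the wrapped trust manager has already validated
     * the chain.
     *
     * @param chain     the peer's certificate chain, end entity first;
     *                  chain[0] is used for the identity check and is
     *                  assumed non-empty (the wrapped trust manager is
     *                  expected to reject an empty chain before we get here)
     * @param authType  the key exchange algorithm; not used by this method
     * @param engine    the engine the handshake runs on, may be null
     * @param isClient  whether this side is the client; currently unused
     *                  NOTE(review): the peer-host identity check below runs
     *                  the same way for both sides — confirm that is intended
     *                  for client certificates (isClient == false)
     * @throws CertificateException if there is no handshake session yet, if
     *         the endpoint identity does not match, or if the chain does not
     *         conform to the algorithm constraints
     */
    private void checkAdditionalTrust(X509Certificate[] chain, String authType,
            SSLEngine engine, boolean isClient) throws CertificateException {
        if (engine == null) {
            return;
        }

        SSLSession session = engine.getHandshakeSession();
        if (session == null) {
            throw new CertificateException("No handshake session");
        }

        // check endpoint identity, only when the application opted in by
        // setting an endpoint identification algorithm on the parameters
        String identityAlg = engine.getSSLParameters().
                                    getEndpointIdentificationAlgorithm();
        if (identityAlg != null && identityAlg.length() != 0) {
            String hostname = session.getPeerHost();
            X509TrustManagerImpl.checkIdentity(
                                hostname, chain[0], identityAlg);
        }

        // try the best to check the algorithm constraints
        ProtocolVersion protocolVersion =
            ProtocolVersion.valueOf(session.getProtocol());
        AlgorithmConstraints constraints;
        if (protocolVersion.v >= ProtocolVersion.TLS12.v &&
                session instanceof ExtendedSSLSession) {
            // TLS 1.2 negotiates signature algorithms; fold the locally
            // supported ones into the constraints (the getter returns the
            // local list, hence the variable name)
            ExtendedSSLSession extSession = (ExtendedSSLSession)session;
            String[] localSupportedSignAlgs =
                    extSession.getLocalSupportedSignatureAlgorithms();
            constraints = new SSLAlgorithmConstraints(
                                engine, localSupportedSignAlgs, true);
        } else {
            constraints = new SSLAlgorithmConstraints(engine, true);
        }

        AlgorithmChecker checker = new AlgorithmChecker(constraints);
        try {
            checker.init(false);

            // A forward checker, need to check from trust to target
            for (int i = chain.length - 1; i >= 0; i--) {
                Certificate cert = chain[i];
                // We don't care about the unresolved critical extensions.
                checker.check(cert, Collections.<String>emptySet());
            }
        } catch (CertPathValidatorException cpve) {
            // keep the validator's reason as the cause so the rejected
            // algorithm/certificate stays diagnosable from the exception
            throw new CertificateException(
                "Certificates does not conform to algorithm constraints",
                cpve);
        }
    }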
}
// Dummy X509TrustManager implementation, rejects all peer certificates.
// Used if the application did not specify a proper X509TrustManager.
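final class DummyX509TrustManager extends X509ExtendedTrustManager
            implements X509TrustManager {

    // the class carries no state, so a single shared instance is enough
    static final X509TrustManager INSTANCE = new DummyX509TrustManager();

    // one message for every rejection, so callers see the same text
    // regardless of which overload the SSL layer happened to invoke
    private static final String NO_TRUST_MANAGER =
            "No X509TrustManager implementation available";

    private DummyX509TrustManager() {
        // singleton, see INSTANCE
    }

    /*
     * Build the exception every check* method throws. Kept in one place so
     * the fail-closed behaviour cannot drift between the overloads.
     */
    private static CertificateException rejection() {
        return new CertificateException(NO_TRUST_MANAGER);
    }

    /*
     * Given the partial or complete certificate chain
     * provided by the peer, build a certificate path
     * to a trusted root and return if it can be
     * validated and is trusted for client SSL authentication.
     * If not, it throws an exception.
     *
     * This implementation trusts nothing and always throws.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        throw rejection();
    }

    /*
     * Given the partial or complete certificate chain
     * provided by the peer, build a certificate path
     * to a trusted root and return if it can be
     * validated and is trusted for server SSL authentication.
     * If not, it throws an exception.
     *
     * This implementation trusts nothing and always throws.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        throw rejection();
    }

    /*
     * Return an array of issuer certificates which are trusted
     * for authenticating peers. Always empty here: no issuer is trusted.
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    // socket-aware variant; the socket is ignored, rejection is unconditional
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
                Socket socket) throws CertificateException {
        throw rejection();
    }

    // socket-aware variant; the socket is ignored, rejection is unconditional
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            Socket socket) throws CertificateException {
        throw rejection();
    }

    // engine-aware variant; the engine is ignored, rejection is unconditional
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        throw rejection();
    }

    // engine-aware variant; the engine is ignored, rejection is unconditional
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        throw rejection();
    }
}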
/*
 * A wrapper class to turn an X509KeyManager into an X509ExtendedKeyManager
 */
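final class AbstractKeyManagerWrapper extends X509ExtendedKeyManager {

    // the key manager every X509KeyManager call is forwarded to
    private final X509KeyManager km;

    /*
     * Wraps {@code km}. The reference is stored as given; a null key
     * manager is not rejected here and fails at the first forwarded call.
     */
    AbstractKeyManagerWrapper(X509KeyManager km) {
        this.km = km;
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return km.getClientAliases(keyType, issuers);
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers,
            Socket socket) {
        return km.chooseClientAlias(keyType, issuers, socket);
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return km.getServerAliases(keyType, issuers);
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers,
            Socket socket) {
        return km.chooseServerAlias(keyType, issuers, socket);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return km.getCertificateChain(alias);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return km.getPrivateKey(alias);
    }

    // Inherit chooseEngineClientAlias() and chooseEngineServerAlias() from
    // X509ExtendedKeyManager. It defines them to return null, i.e. the
    // wrapped manager is never consulted for SSLEngine-based handshakes.
}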
// Dummy X509KeyManager implementation, never returns any certificates/keys.
// Used if the application did not specify a proper X509TrustManager.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   522
final class DummyX509KeyManager extends X509ExtendedKeyManager {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   523
90ce3da70b43 Initial load
duke
parents:
diff changeset
   524
    static final X509ExtendedKeyManager INSTANCE = new DummyX509KeyManager();
90ce3da70b43 Initial load
duke
parents:
diff changeset
   525
90ce3da70b43 Initial load
duke
parents:
diff changeset
   526
    private DummyX509KeyManager() {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   527
        // empty
90ce3da70b43 Initial load
duke
parents:
diff changeset
   528
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   529
90ce3da70b43 Initial load
duke
parents:
diff changeset
   530
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
   531
     * Get the matching aliases for authenticating the client side of a secure
90ce3da70b43 Initial load
duke
parents:
diff changeset
   532
     * socket given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
   533
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   534
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   535
    public String[] getClientAliases(String keyType, Principal[] issuers) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   536
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   537
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   538
90ce3da70b43 Initial load
duke
parents:
diff changeset
   539
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
   540
     * Choose an alias to authenticate the client side of a secure
90ce3da70b43 Initial load
duke
parents:
diff changeset
   541
     * socket given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
   542
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   543
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   544
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   545
            Socket socket) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   546
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   547
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   548
90ce3da70b43 Initial load
duke
parents:
diff changeset
   549
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
   550
     * Choose an alias to authenticate the client side of an
90ce3da70b43 Initial load
duke
parents:
diff changeset
   551
     * engine given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
   552
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   553
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   554
    public String chooseEngineClientAlias(
90ce3da70b43 Initial load
duke
parents:
diff changeset
   555
            String[] keyTypes, Principal[] issuers, SSLEngine engine) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   556
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   557
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   558
90ce3da70b43 Initial load
duke
parents:
diff changeset
   559
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
   560
     * Get the matching aliases for authenticating the server side of a secure
90ce3da70b43 Initial load
duke
parents:
diff changeset
   561
     * socket given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
   562
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   563
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   564
    public String[] getServerAliases(String keyType, Principal[] issuers) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   565
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   566
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   567
90ce3da70b43 Initial load
duke
parents:
diff changeset
   568
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
   569
     * Choose an alias to authenticate the server side of a secure
90ce3da70b43 Initial load
duke
parents:
diff changeset
   570
     * socket given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
   571
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   572
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   573
    public String chooseServerAlias(String keyType, Principal[] issuers,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   574
            Socket socket) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   575
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   576
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   577
90ce3da70b43 Initial load
duke
parents:
diff changeset
   578
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
   579
     * Choose an alias to authenticate the server side of an engine
90ce3da70b43 Initial load
duke
parents:
diff changeset
   580
     * given the public key type and the list of
90ce3da70b43 Initial load
duke
parents:
diff changeset
   581
     * certificate issuer authorities recognized by the peer (if any).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   582
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   583
    public String chooseEngineServerAlias(
90ce3da70b43 Initial load
duke
parents:
diff changeset
   584
            String keyType, Principal[] issuers, SSLEngine engine) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   585
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   586
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   587
90ce3da70b43 Initial load
duke
parents:
diff changeset
   588
    /**
90ce3da70b43 Initial load
duke
parents:
diff changeset
   589
     * Returns the certificate chain associated with the given alias.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   590
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   591
     * @param alias the alias name
90ce3da70b43 Initial load
duke
parents:
diff changeset
   592
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   593
     * @return the certificate chain (ordered with the user's certificate first
90ce3da70b43 Initial load
duke
parents:
diff changeset
   594
     * and the root certificate authority last)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   595
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   596
    public X509Certificate[] getCertificateChain(String alias) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   597
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   598
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   599
90ce3da70b43 Initial load
duke
parents:
diff changeset
   600
    /*
90ce3da70b43 Initial load
duke
parents:
diff changeset
   601
     * Returns the key associated with the given alias, using the given
90ce3da70b43 Initial load
duke
parents:
diff changeset
   602
     * password to recover it.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   603
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   604
     * @param alias the alias name
90ce3da70b43 Initial load
duke
parents:
diff changeset
   605
     *
90ce3da70b43 Initial load
duke
parents:
diff changeset
   606
     * @return the requested key
90ce3da70b43 Initial load
duke
parents:
diff changeset
   607
     */
90ce3da70b43 Initial load
duke
parents:
diff changeset
   608
    public PrivateKey getPrivateKey(String alias) {
90ce3da70b43 Initial load
duke
parents:
diff changeset
   609
        return null;
90ce3da70b43 Initial load
duke
parents:
diff changeset
   610
    }
90ce3da70b43 Initial load
duke
parents:
diff changeset
   611
}