/*

 * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.ssl;

import java.net.Socket;

import java.io.*;

import java.util.*;

import java.security.*;

import java.security.cert.*;

import java.security.cert.Certificate;

import javax.net.ssl.*;

import sun.security.provider.certpath.AlgorithmChecker;

import sun.security.action.GetPropertyAction;

import sun.security.validator.Validator;

public abstract class SSLContextImpl extends SSLContextSpi {

    private static final Debug debug = Debug.getInstance("ssl");

    private final EphemeralKeyManager ephemeralKeyManager;

    private final SSLSessionContextImpl clientCache;

    private final SSLSessionContextImpl serverCache;

    private boolean isInitialized;

    private X509ExtendedKeyManager keyManager;

    private X509TrustManager trustManager;

    private SecureRandom secureRandom;

    // DTLS cookie exchange manager

    private volatile HelloCookieManager helloCookieManager;

    private final boolean clientEnableStapling = Debug.getBooleanProperty(

            "jdk.tls.client.enableStatusRequestExtension", true);

    private final boolean serverEnableStapling = Debug.getBooleanProperty(

            "jdk.tls.server.enableStatusRequestExtension", false);

    private final static Collection<CipherSuite> clientCustomizedCipherSuites =

            getCustomizedCipherSuites("jdk.tls.client.cipherSuites");

    private final static Collection<CipherSuite> serverCustomizedCipherSuites =

            getCustomizedCipherSuites("jdk.tls.server.cipherSuites");

    private volatile StatusResponseManager statusResponseManager;

    SSLContextImpl() {

        ephemeralKeyManager = new EphemeralKeyManager();

        clientCache = new SSLSessionContextImpl();

        serverCache = new SSLSessionContextImpl();

    }

    @Override

    protected void engineInit(KeyManager[] km, TrustManager[] tm,

                                SecureRandom sr) throws KeyManagementException {

        isInitialized = false;

        keyManager = chooseKeyManager(km);

        if (tm == null) {

            try {

                TrustManagerFactory tmf = TrustManagerFactory.getInstance(

                        TrustManagerFactory.getDefaultAlgorithm());

                tmf.init((KeyStore)null);

                tm = tmf.getTrustManagers();

            } catch (Exception e) {

                // eat

            }

        }

        trustManager = chooseTrustManager(tm);

        if (sr == null) {

            secureRandom = JsseJce.getSecureRandom();

        } else {

            if (SunJSSE.isFIPS() &&

                        (sr.getProvider() != SunJSSE.cryptoProvider)) {

                throw new KeyManagementException

                    ("FIPS mode: SecureRandom must be from provider "

                    + SunJSSE.cryptoProvider.getName());

            }

            secureRandom = sr;

        }

        /*

         * The initial delay of seeding the random number generator

         * could be long enough to cause the initial handshake on our

         * first connection to timeout and fail. Make sure it is

         * primed and ready by getting some initial output from it.

         */

        if (debug != null && Debug.isOn("sslctx")) {

            System.out.println("trigger seeding of SecureRandom");

        }

        secureRandom.nextInt();

        if (debug != null && Debug.isOn("sslctx")) {

            System.out.println("done seeding SecureRandom");

        }

        isInitialized = true;

    }

    private X509TrustManager chooseTrustManager(TrustManager[] tm)

            throws KeyManagementException {

        // We only use the first instance of X509TrustManager passed to us.

        for (int i = 0; tm != null && i < tm.length; i++) {

            if (tm[i] instanceof X509TrustManager) {

                if (SunJSSE.isFIPS() &&

                        !(tm[i] instanceof X509TrustManagerImpl)) {

                    throw new KeyManagementException

                        ("FIPS mode: only SunJSSE TrustManagers may be used");

                }

                if (tm[i] instanceof X509ExtendedTrustManager) {

                    return (X509TrustManager)tm[i];

                } else {

                    return new AbstractTrustManagerWrapper(

                                        (X509TrustManager)tm[i]);

                }

            }

        }

        // nothing found, return a dummy X509TrustManager.

        return DummyX509TrustManager.INSTANCE;

    }

    private X509ExtendedKeyManager chooseKeyManager(KeyManager[] kms)

            throws KeyManagementException {

        for (int i = 0; kms != null && i < kms.length; i++) {

            KeyManager km = kms[i];

            if (!(km instanceof X509KeyManager)) {

                continue;

            }

            if (SunJSSE.isFIPS()) {

                // In FIPS mode, require that one of SunJSSE's own keymanagers

                // is used. Otherwise, we cannot be sure that only keys from

                // the FIPS token are used.

                if ((km instanceof X509KeyManagerImpl)

                            || (km instanceof SunX509KeyManagerImpl)) {

                    return (X509ExtendedKeyManager)km;

                } else {

                    // throw exception, we don't want to silently use the

                    // dummy keymanager without telling the user.

                    throw new KeyManagementException

                        ("FIPS mode: only SunJSSE KeyManagers may be used");

                }

            }

            if (km instanceof X509ExtendedKeyManager) {

                return (X509ExtendedKeyManager)km;

            }

            if (debug != null && Debug.isOn("sslctx")) {

                System.out.println(

                    "X509KeyManager passed to " +

                    "SSLContext.init():  need an " +

                    "X509ExtendedKeyManager for SSLEngine use");

            }

            return new AbstractKeyManagerWrapper((X509KeyManager)km);

        }

        // nothing found, return a dummy X509ExtendedKeyManager

        return DummyX509KeyManager.INSTANCE;

    }

    abstract SSLEngine createSSLEngineImpl();

    abstract SSLEngine createSSLEngineImpl(String host, int port);

    @Override

    protected SSLEngine engineCreateSSLEngine() {

        if (!isInitialized) {

            throw new IllegalStateException("SSLContext is not initialized");

        }

        return createSSLEngineImpl();

    }

    @Override

    protected SSLEngine engineCreateSSLEngine(String host, int port) {

        if (!isInitialized) {

            throw new IllegalStateException("SSLContext is not initialized");

        }

        return createSSLEngineImpl(host, port);

    }

    @Override

    protected SSLSocketFactory engineGetSocketFactory() {

        if (!isInitialized) {

            throw new IllegalStateException("SSLContext is not initialized");

        }

       return new SSLSocketFactoryImpl(this);

    }

    @Override

    protected SSLServerSocketFactory engineGetServerSocketFactory() {

        if (!isInitialized) {

            throw new IllegalStateException("SSLContext is not initialized");

        }

        return new SSLServerSocketFactoryImpl(this);

    }

    @Override

    protected SSLSessionContext engineGetClientSessionContext() {

        return clientCache;

    }

    @Override

    protected SSLSessionContext engineGetServerSessionContext() {

        return serverCache;

    }

    SecureRandom getSecureRandom() {

        return secureRandom;

    }

    X509ExtendedKeyManager getX509KeyManager() {

        return keyManager;

    }

    X509TrustManager getX509TrustManager() {

        return trustManager;

    }

    EphemeralKeyManager getEphemeralKeyManager() {

        return ephemeralKeyManager;

    }

    // Used for DTLS in server mode only, see ServerHandshaker.

    HelloCookieManager getHelloCookieManager() {

        if (!isInitialized) {

            throw new IllegalStateException("SSLContext is not initialized");

        }

        if (helloCookieManager != null) {

            return helloCookieManager;

        }

        synchronized (this) {

            if (helloCookieManager == null) {

                helloCookieManager = getHelloCookieManager(secureRandom);

            }

        }

        return helloCookieManager;

    }

    HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) {

        throw new UnsupportedOperationException(

                "Cookie exchange applies to DTLS only");

    }

    StatusResponseManager getStatusResponseManager() {

        if (serverEnableStapling && statusResponseManager == null) {

            synchronized (this) {

                if (statusResponseManager == null) {

                    if (debug != null && Debug.isOn("sslctx")) {

                        System.out.println(

                                "Initializing StatusResponseManager");

                    }

                    statusResponseManager = new StatusResponseManager();

                }

            }

        }

        return statusResponseManager;

    }

    // Get supported ProtocolList.

    abstract ProtocolList getSuportedProtocolList();

    // Get default ProtocolList for server mode.

    abstract ProtocolList getServerDefaultProtocolList();

    // Get default ProtocolList for client mode.

    abstract ProtocolList getClientDefaultProtocolList();

    // Get supported CipherSuiteList.

    abstract CipherSuiteList getSupportedCipherSuiteList();

    // Get default CipherSuiteList for server mode.

    abstract CipherSuiteList getServerDefaultCipherSuiteList();

    // Get default CipherSuiteList for client mode.

    abstract CipherSuiteList getClientDefaultCipherSuiteList();

    // Get default ProtocolList.

    ProtocolList getDefaultProtocolList(boolean roleIsServer) {

        return roleIsServer ? getServerDefaultProtocolList()

                            : getClientDefaultProtocolList();

    }

    // Get default CipherSuiteList.

    CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) {

        return roleIsServer ? getServerDefaultCipherSuiteList()

                            : getClientDefaultCipherSuiteList();

    }

    /**

     * Return whether a protocol list is the original default enabled

     * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()

     */

    boolean isDefaultProtocolList(ProtocolList protocols) {

        return (protocols == getServerDefaultProtocolList()) ||

               (protocols == getClientDefaultProtocolList());

    }

    /**

     * Return whether a protocol list is the original default enabled

     * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()

     */

    boolean isDefaultCipherSuiteList(CipherSuiteList cipherSuites) {

        return (cipherSuites == getServerDefaultCipherSuiteList()) ||

               (cipherSuites == getClientDefaultCipherSuiteList());

    }

    /**

     * Return whether client or server side stapling has been enabled

     * for this SSLContextImpl

     * @param isClient true if the caller is operating in a client side role,

     * false if acting as a server.

     * @return true if stapling has been enabled for the specified role, false

     * otherwise.

     */

    boolean isStaplingEnabled(boolean isClient) {

        return isClient ? clientEnableStapling : serverEnableStapling;

    }

    /*

     * Return the list of all available CipherSuites that are supported

     * using currently installed providers.

     */

    private static CipherSuiteList getApplicableSupportedCipherSuiteList(

            ProtocolList protocols) {

        return getApplicableCipherSuiteList(

                CipherSuite.allowedCipherSuites(),

                protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY);

    }

    /*

     * Return the list of all available CipherSuites that are default enabled

     * in client or server side.

     */

    private static CipherSuiteList getApplicableEnabledCipherSuiteList(

            ProtocolList protocols, boolean isClient) {

        if (isClient) {

            if (!clientCustomizedCipherSuites.isEmpty()) {

                return getApplicableCipherSuiteList(

                        clientCustomizedCipherSuites,

                        protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY);

            }

        } else {

            if (!serverCustomizedCipherSuites.isEmpty()) {

                return getApplicableCipherSuiteList(

                        serverCustomizedCipherSuites,

                        protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY);

            }

        }

        return getApplicableCipherSuiteList(

                CipherSuite.allowedCipherSuites(),

                protocols, CipherSuite.DEFAULT_SUITES_PRIORITY);

    }

    /*

     * Return the list of available CipherSuites which are applicable to

     * the specified protocols.

     */

    private static CipherSuiteList getApplicableCipherSuiteList(

            Collection<CipherSuite> allowedCipherSuites,

            ProtocolList protocols, int minPriority) {

        TreeSet<CipherSuite> suites = new TreeSet<>();

        if (!(protocols.collection().isEmpty()) &&

                protocols.min.v != ProtocolVersion.NONE.v) {

            for (CipherSuite suite : allowedCipherSuites) {

                if (!suite.allowed || suite.priority < minPriority) {

                    continue;

                }

                if (suite.isAvailable() &&

                        !protocols.min.obsoletes(suite) &&

                        protocols.max.supports(suite)) {

                    if (SSLAlgorithmConstraints.DEFAULT.permits(

                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),

                            suite.name, null)) {

                        suites.add(suite);

                    } else {

                        if (debug != null && Debug.isOn("sslctx") &&

                                Debug.isOn("verbose")) {

                            System.out.println(

                                    "Ignoring disabled cipher suite: " +

                                            suite.name);

                        }

                    }

                } else if (debug != null &&

                        Debug.isOn("sslctx") && Debug.isOn("verbose")) {

                    if (protocols.min.obsoletes(suite)) {

                        System.out.println(

                            "Ignoring obsoleted cipher suite: " + suite);

                    } else if (!protocols.max.supports(suite)) {

                        System.out.println(

                            "Ignoring unsupported cipher suite: " + suite);

                    } else {

                        System.out.println(

                            "Ignoring unavailable cipher suite: " + suite);

                    }

                }

            }

        }

        return new CipherSuiteList(suites);

    }

    /*

     * Get the customized cipher suites specified by the given system property.

     */

    private static Collection<CipherSuite> getCustomizedCipherSuites(

            String propertyName) {

        String property = GetPropertyAction.privilegedGetProperty(propertyName);

        if (debug != null && Debug.isOn("sslctx")) {

            System.out.println(

                    "System property " + propertyName + " is set to '" +

                    property + "'");

        }

        if (property != null && property.length() != 0) {

            // remove double quote marks from beginning/end of the property

            if (property.length() > 1 && property.charAt(0) == '"' &&

                    property.charAt(property.length() - 1) == '"') {

                property = property.substring(1, property.length() - 1);

            }

        }

        if (property != null && property.length() != 0) {

            String[] cipherSuiteNames = property.split(",");

            Collection<CipherSuite> cipherSuites =

                        new ArrayList<>(cipherSuiteNames.length);

            for (int i = 0; i < cipherSuiteNames.length; i++) {

                cipherSuiteNames[i] = cipherSuiteNames[i].trim();

                if (cipherSuiteNames[i].isEmpty()) {

                    continue;

                }

                CipherSuite suite;

                try {

                    suite = CipherSuite.valueOf(cipherSuiteNames[i]);

                } catch (IllegalArgumentException iae) {

                    if (debug != null && Debug.isOn("sslctx")) {

                        System.out.println(

                                "Unknown or unsupported cipher suite name: " +

                                cipherSuiteNames[i]);

                    }

                    continue;

                }

                if (suite.isAvailable()) {

                    cipherSuites.add(suite);

                } else {

                    if (debug != null && Debug.isOn("sslctx")) {

                        System.out.println(

                                "The current installed providers do not " +

                                "support cipher suite: " + cipherSuiteNames[i]);

                    }

                }

            }

            return cipherSuites;

        }

        return Collections.emptyList();

    }

    private static String[] getAvailableProtocols(

            ProtocolVersion[] protocolCandidates) {

        List<String> availableProtocols = Collections.<String>emptyList();

        if (protocolCandidates !=  null && protocolCandidates.length != 0) {