src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
branchJDK-8145252-TLS13-branch
changeset 56542 56aaa6cb3693
child 56702 75527e40bdfd
equal deleted inserted replaced
56541:92cbbfc996f3 56542:56aaa6cb3693
       
     1 /*
       
     2  * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
       
     3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
       
     4  *
       
     5  * This code is free software; you can redistribute it and/or modify it
       
     6  * under the terms of the GNU General Public License version 2 only, as
       
     7  * published by the Free Software Foundation.  Oracle designates this
       
     8  * particular file as subject to the "Classpath" exception as provided
       
     9  * by Oracle in the LICENSE file that accompanied this code.
       
    10  *
       
    11  * This code is distributed in the hope that it will be useful, but WITHOUT
       
    12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
       
    13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
       
    14  * version 2 for more details (a copy is included in the LICENSE file that
       
    15  * accompanied this code).
       
    16  *
       
    17  * You should have received a copy of the GNU General Public License version
       
    18  * 2 along with this work; if not, write to the Free Software Foundation,
       
    19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
       
    20  *
       
    21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
       
    22  * or visit www.oracle.com if you need additional information or have any
       
    23  * questions.
       
    24  */
       
    25 
       
    26 package sun.security.ssl;
       
    27 
       
    28 import java.security.AccessControlContext;
       
    29 import java.security.AccessController;
       
    30 import java.security.AlgorithmConstraints;
       
    31 import java.security.NoSuchAlgorithmException;
       
    32 import java.security.PrivilegedActionException;
       
    33 import java.security.PrivilegedExceptionAction;
       
    34 import java.util.ArrayList;
       
    35 import java.util.Collection;
       
    36 import java.util.Collections;
       
    37 import java.util.HashMap;
       
    38 import java.util.List;
       
    39 import java.util.function.BiFunction;
       
    40 import javax.crypto.KeyGenerator;
       
    41 import javax.net.ssl.HandshakeCompletedListener;
       
    42 import javax.net.ssl.SNIMatcher;
       
    43 import javax.net.ssl.SNIServerName;
       
    44 import javax.net.ssl.SSLEngine;
       
    45 import javax.net.ssl.SSLParameters;
       
    46 import javax.net.ssl.SSLSocket;
       
    47 import sun.security.ssl.SSLExtension.ClientExtensions;
       
    48 import sun.security.ssl.SSLExtension.ServerExtensions;
       
    49 
       
    50 /**
       
    51  * SSL/(D)TLS configuration.
       
    52  */
       
    53 class SSLConfiguration implements Cloneable {
       
    54     // configurations with SSLParameters
       
    55     AlgorithmConstraints        algorithmConstraints;
       
    56     List<ProtocolVersion>       enabledProtocols;
       
    57     List<CipherSuite>           enabledCipherSuites;
       
    58     ClientAuthType              clientAuthType;
       
    59     String                      identificationProtocol;
       
    60     List<SNIServerName>         serverNames;
       
    61     Collection<SNIMatcher>      sniMatchers;
       
    62     String[]                    applicationProtocols;
       
    63     boolean                     preferLocalCipherSuites;
       
    64     boolean                     enableRetransmissions;
       
    65     int                         maximumPacketSize;
       
    66 
       
    67     // the maximum protocol version of enabled protocols
       
    68     ProtocolVersion             maximumProtocolVersion;
       
    69 
       
    70     // Configurations per SSLSocket or SSLEngine instance.
       
    71     boolean                     isClientMode;
       
    72     boolean                     enableSessionCreation;
       
    73 
       
    74     // the application layer protocol negotiation configuration
       
    75     BiFunction<SSLSocket, List<String>, String> socketAPSelector;
       
    76     BiFunction<SSLEngine, List<String>, String> engineAPSelector;
       
    77 
       
    78     HashMap<HandshakeCompletedListener, AccessControlContext>
       
    79                                 handshakeListeners;
       
    80 
       
    81     boolean                     noSniExtension;
       
    82     boolean                     noSniMatcher;
       
    83 
       
    84     // To switch off the extended_master_secret extension.
       
    85     static final boolean useExtendedMasterSecret;
       
    86 
       
    87     // Allow session resumption without Extended Master Secret extension.
       
    88     static final boolean allowLegacyResumption =
       
    89         Utilities.getBooleanProperty("jdk.tls.allowLegacyResumption", true);
       
    90 
       
    91     // Allow full handshake without Extended Master Secret extension.
       
    92     static final boolean allowLegacyMasterSecret =
       
    93         Utilities.getBooleanProperty("jdk.tls.allowLegacyMasterSecret", true);
       
    94 
       
    95     // Allow full handshake without Extended Master Secret extension.
       
    96     static final boolean useCompatibilityMode = Utilities.getBooleanProperty(
       
    97             "jdk.tls.client.useCompatibilityMode", true);
       
    98 
       
    99 // TODO: Please remove after TLS 1.3 draft interop testing
       
   100 // delete me
       
   101 static int tls13VN = 0x0304;
       
   102 
       
   103     // Is the extended_master_secret extension supported?
       
   104     static {
       
   105         boolean supportExtendedMasterSecret = true;
       
   106         try {
       
   107             KeyGenerator kg =
       
   108                 JsseJce.getKeyGenerator("SunTlsExtendedMasterSecret");
       
   109         } catch (NoSuchAlgorithmException nae) {
       
   110             supportExtendedMasterSecret = false;
       
   111         }
       
   112 
       
   113         if (supportExtendedMasterSecret) {
       
   114             useExtendedMasterSecret = Utilities.getBooleanProperty(
       
   115                     "jdk.tls.useExtendedMasterSecret", true);
       
   116         } else {
       
   117             useExtendedMasterSecret = false;
       
   118         }
       
   119 
       
   120 // delete me
       
   121 try {
       
   122     tls13VN =
       
   123         AccessController.doPrivileged(
       
   124             new PrivilegedExceptionAction<Integer>() {
       
   125                 @Override
       
   126                 public Integer run() throws Exception {
       
   127                     return Integer.parseInt(
       
   128                         System.getProperty("jdk.tls13.version", "0304"), 16);
       
   129                 }
       
   130             });
       
   131 } catch (PrivilegedActionException ex) {
       
   132     // blank
       
   133 }
       
   134     }
       
   135 
       
   136     SSLConfiguration(SSLContextImpl sslContext, boolean isClientMode) {
       
   137 
       
   138         // Configurations with SSLParameters, default values.
       
   139         this.algorithmConstraints = SSLAlgorithmConstraints.DEFAULT;
       
   140         this.enabledProtocols =
       
   141                 sslContext.getDefaultProtocolVersions(!isClientMode);
       
   142         this.enabledCipherSuites =
       
   143                 sslContext.getDefaultCipherSuites(!isClientMode);
       
   144         this.clientAuthType = ClientAuthType.CLIENT_AUTH_NONE;
       
   145 
       
   146         this.identificationProtocol = null;
       
   147         this.serverNames = Collections.<SNIServerName>emptyList();
       
   148         this.sniMatchers = Collections.<SNIMatcher>emptyList();
       
   149         this.preferLocalCipherSuites = false;
       
   150 
       
   151         this.applicationProtocols = new String[0];
       
   152         this.enableRetransmissions = sslContext.isDTLS();
       
   153         this.maximumPacketSize = 0;         // please reset it explicitly later
       
   154 
       
   155         this.maximumProtocolVersion = ProtocolVersion.NONE;
       
   156         for (ProtocolVersion pv : enabledProtocols) {
       
   157             if (pv.compareTo(maximumProtocolVersion) > 0) {
       
   158                 this.maximumProtocolVersion = pv;
       
   159             }
       
   160         }
       
   161 
       
   162         // Configurations per SSLSocket or SSLEngine instance.
       
   163         this.isClientMode = isClientMode;
       
   164         this.enableSessionCreation = true;
       
   165         this.socketAPSelector = null;
       
   166         this.engineAPSelector = null;
       
   167 
       
   168         this.handshakeListeners = null;
       
   169         this.noSniExtension = false;
       
   170         this.noSniMatcher = false;
       
   171     }
       
   172 
       
   173     SSLParameters getSSLParameters() {
       
   174         SSLParameters params = new SSLParameters();
       
   175 
       
   176         params.setAlgorithmConstraints(this.algorithmConstraints);
       
   177         params.setProtocols(ProtocolVersion.toStringArray(enabledProtocols));
       
   178         params.setCipherSuites(CipherSuite.namesOf(enabledCipherSuites));
       
   179         switch (this.clientAuthType) {
       
   180             case CLIENT_AUTH_REQUIRED:
       
   181                 params.setNeedClientAuth(true);
       
   182                 break;
       
   183             case CLIENT_AUTH_REQUESTED:
       
   184                 params.setWantClientAuth(true);
       
   185                 break;
       
   186             default:
       
   187                 params.setWantClientAuth(false);
       
   188         }
       
   189         params.setEndpointIdentificationAlgorithm(this.identificationProtocol);
       
   190 
       
   191         if (serverNames.isEmpty() && !noSniExtension) {
       
   192             // 'null' indicates none has been set
       
   193             params.setServerNames(null);
       
   194         } else {
       
   195             params.setServerNames(this.serverNames);
       
   196         }
       
   197 
       
   198         if (sniMatchers.isEmpty() && !noSniMatcher) {
       
   199             // 'null' indicates none has been set
       
   200             params.setSNIMatchers(null);
       
   201         } else {
       
   202             params.setSNIMatchers(this.sniMatchers);
       
   203         }
       
   204 
       
   205         params.setApplicationProtocols(this.applicationProtocols);
       
   206         params.setUseCipherSuitesOrder(this.preferLocalCipherSuites);
       
   207         params.setEnableRetransmissions(this.enableRetransmissions);
       
   208         params.setMaximumPacketSize(this.maximumPacketSize);
       
   209 
       
   210         return params;
       
   211     }
       
   212 
       
   213     void setSSLParameters(SSLParameters params) {
       
   214         AlgorithmConstraints ac = params.getAlgorithmConstraints();
       
   215         if (ac != null) {
       
   216             this.algorithmConstraints = ac;
       
   217         }   // otherwise, use the default value
       
   218 
       
   219         String[] sa = params.getCipherSuites();
       
   220         if (sa != null) {
       
   221             this.enabledCipherSuites = CipherSuite.validValuesOf(sa);
       
   222         }   // otherwise, use the default values
       
   223 
       
   224         sa = params.getProtocols();
       
   225         if (sa != null) {
       
   226             this.enabledProtocols = ProtocolVersion.namesOf(sa);
       
   227 
       
   228             this.maximumProtocolVersion = ProtocolVersion.NONE;
       
   229             for (ProtocolVersion pv : enabledProtocols) {
       
   230                 if (pv.compareTo(maximumProtocolVersion) > 0) {
       
   231                     this.maximumProtocolVersion = pv;
       
   232                 }
       
   233             }
       
   234         }   // otherwise, use the default values
       
   235 
       
   236         if (params.getNeedClientAuth()) {
       
   237             this.clientAuthType = ClientAuthType.CLIENT_AUTH_REQUIRED;
       
   238         } else if (params.getWantClientAuth()) {
       
   239             this.clientAuthType = ClientAuthType.CLIENT_AUTH_REQUESTED;
       
   240         } else {
       
   241             this.clientAuthType = ClientAuthType.CLIENT_AUTH_NONE;
       
   242         }
       
   243 
       
   244         String s = params.getEndpointIdentificationAlgorithm();
       
   245         if (s != null) {
       
   246             this.identificationProtocol = s;
       
   247         }   // otherwise, use the default value
       
   248 
       
   249         List<SNIServerName> sniNames = params.getServerNames();
       
   250         if (sniNames != null) {
       
   251             this.noSniExtension = sniNames.isEmpty();
       
   252             this.serverNames = sniNames;
       
   253         }   // null if none has been set
       
   254 
       
   255         Collection<SNIMatcher> matchers = params.getSNIMatchers();
       
   256         if (matchers != null) {
       
   257             this.noSniMatcher = matchers.isEmpty();
       
   258             this.sniMatchers = matchers;
       
   259         }   // null if none has been set
       
   260 
       
   261         sa = params.getApplicationProtocols();
       
   262         if (sa != null) {
       
   263             this.applicationProtocols = sa;
       
   264         }   // otherwise, use the default values
       
   265 
       
   266         this.preferLocalCipherSuites = params.getUseCipherSuitesOrder();
       
   267         this.enableRetransmissions = params.getEnableRetransmissions();
       
   268         this.maximumPacketSize = params.getMaximumPacketSize();
       
   269     }
       
   270 
       
   271     // SSLSocket only
       
   272     void addHandshakeCompletedListener(
       
   273             HandshakeCompletedListener listener) {
       
   274 
       
   275         if (handshakeListeners == null) {
       
   276             handshakeListeners = new HashMap<>(4);
       
   277         }
       
   278 
       
   279         handshakeListeners.put(listener, AccessController.getContext());
       
   280     }
       
   281 
       
   282     // SSLSocket only
       
   283     void removeHandshakeCompletedListener(
       
   284             HandshakeCompletedListener listener) {
       
   285 
       
   286         if (handshakeListeners == null) {
       
   287             throw new IllegalArgumentException("no listeners");
       
   288         }
       
   289 
       
   290         if (handshakeListeners.remove(listener) == null) {
       
   291             throw new IllegalArgumentException("listener not registered");
       
   292         }
       
   293 
       
   294         if (handshakeListeners.isEmpty()) {
       
   295             handshakeListeners = null;
       
   296         }
       
   297     }
       
   298 
       
   299     /**
       
   300      * Return true if the extension is available.
       
   301      */
       
   302     boolean isAvailable(SSLExtension extension) {
       
   303         for (ProtocolVersion protocolVersion : enabledProtocols) {
       
   304             if (extension.isAvailable(protocolVersion)) {
       
   305                 if (isClientMode ?
       
   306                         ClientExtensions.defaults.contains(extension) :
       
   307                         ServerExtensions.defaults.contains(extension)) {
       
   308                     return true;
       
   309                 }
       
   310             }
       
   311         }
       
   312 
       
   313         return false;
       
   314     }
       
   315 
       
   316     /**
       
   317      * Return true if the extension is available for the specific protocol.
       
   318      */
       
   319     boolean isAvailable(SSLExtension extension,
       
   320             ProtocolVersion protocolVersion) {
       
   321         return extension.isAvailable(protocolVersion) &&
       
   322                 (isClientMode ? ClientExtensions.defaults.contains(extension) :
       
   323                                 ServerExtensions.defaults.contains(extension));
       
   324     }
       
   325 
       
   326     /**
       
   327      * Get the enabled extensions for the specific handshake message.
       
   328      *
       
   329      * Used to consume handshake extensions.
       
   330      */
       
   331     SSLExtension[] getEnabledExtensions(SSLHandshake handshakeType) {
       
   332         List<SSLExtension> extensions = new ArrayList<>();
       
   333         for (SSLExtension extension : SSLExtension.values()) {
       
   334             if (extension.handshakeType == handshakeType) {
       
   335                 if (isAvailable(extension)) {
       
   336                     extensions.add(extension);
       
   337                 }
       
   338             }
       
   339         }
       
   340 
       
   341         return extensions.toArray(new SSLExtension[0]);
       
   342     }
       
   343 
       
   344     /**
       
   345      * Get the enabled extensions for the specific handshake message
       
   346      * and the specific protocol version.
       
   347      *
       
   348      * Used to produce handshake extensions after handshake protocol
       
   349      * version negotiation.
       
   350      */
       
   351     SSLExtension[] getEnabledExtensions(
       
   352             SSLHandshake handshakeType, ProtocolVersion protocolVersion) {
       
   353         List<SSLExtension> extensions = new ArrayList<>();
       
   354         for (SSLExtension extension : SSLExtension.values()) {
       
   355             if (extension.handshakeType == handshakeType) {
       
   356                 if (isAvailable(extension) &&
       
   357                         extension.isAvailable(protocolVersion)) {
       
   358                     extensions.add(extension);
       
   359                 }
       
   360             }
       
   361         }
       
   362 
       
   363         return extensions.toArray(new SSLExtension[0]);
       
   364     }
       
   365 
       
   366     /**
       
   367      * Get the enabled extensions for the specific handshake message
       
   368      * and the specific protocol versions.
       
   369      *
       
   370      * Used to produce ClientHello extensions before handshake protocol
       
   371      * version negotiation.
       
   372      */
       
   373     SSLExtension[] getEnabledExtensions(
       
   374             SSLHandshake handshakeType, List<ProtocolVersion> activeProtocols) {
       
   375         List<SSLExtension> extensions = new ArrayList<>();
       
   376         for (SSLExtension extension : SSLExtension.values()) {
       
   377             if (extension.handshakeType == handshakeType) {
       
   378                 if (!isAvailable(extension)) {
       
   379                     continue;
       
   380                 }
       
   381 
       
   382                 for (ProtocolVersion protocolVersion : activeProtocols) {
       
   383                     if (extension.isAvailable(protocolVersion)) {
       
   384                         extensions.add(extension);
       
   385                         break;
       
   386                     }
       
   387                 }
       
   388             }
       
   389         }
       
   390 
       
   391         return extensions.toArray(new SSLExtension[0]);
       
   392     }
       
   393 
       
   394     @Override
       
   395     @SuppressWarnings({"unchecked", "CloneDeclaresCloneNotSupported"})
       
   396     public Object clone() {
       
   397         // Note that only references to the configurations are copied.
       
   398         try {
       
   399             SSLConfiguration config = (SSLConfiguration)super.clone();
       
   400             if (handshakeListeners != null) {
       
   401                 config.handshakeListeners =
       
   402                     (HashMap<HandshakeCompletedListener, AccessControlContext>)
       
   403                             handshakeListeners.clone();
       
   404             }
       
   405 
       
   406             return config;
       
   407         } catch (CloneNotSupportedException cnse) {
       
   408             // unlikely
       
   409         }
       
   410 
       
   411         return null;    // unlikely
       
   412     }
       
   413 }