240 |
240 |
241 EphemeralKeyManager getEphemeralKeyManager() { |
241 EphemeralKeyManager getEphemeralKeyManager() { |
242 return ephemeralKeyManager; |
242 return ephemeralKeyManager; |
243 } |
243 } |
244 |
244 |
245 // Used for DTLS in server mode only, see ServerHandshaker. |
245 // Used for DTLS in server mode only. |
246 HelloCookieManager getHelloCookieManager() { |
246 HelloCookieManager getHelloCookieManager(ProtocolVersion protocolVersion) { |
247 if (!isInitialized) { |
|
248 throw new IllegalStateException("SSLContext is not initialized"); |
|
249 } |
|
250 |
|
251 if (helloCookieManager != null) { |
247 if (helloCookieManager != null) { |
252 return helloCookieManager; |
248 return helloCookieManager.valueOf(protocolVersion); |
253 } |
249 } |
254 |
250 |
255 synchronized (this) { |
251 synchronized (this) { |
256 if (helloCookieManager == null) { |
252 if (helloCookieManager == null) { |
257 helloCookieManager = getHelloCookieManager(secureRandom); |
253 helloCookieManager = new HelloCookieManager(secureRandom); |
258 } |
254 } |
259 } |
255 } |
260 |
256 |
261 return helloCookieManager; |
257 return helloCookieManager.valueOf(protocolVersion); |
262 } |
|
263 |
|
264 HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) { |
|
265 throw new UnsupportedOperationException( |
|
266 "Cookie exchange applies to DTLS only"); |
|
267 } |
258 } |
268 |
259 |
269 StatusResponseManager getStatusResponseManager() { |
260 StatusResponseManager getStatusResponseManager() { |
270 if (serverEnableStapling && statusResponseManager == null) { |
261 if (serverEnableStapling && statusResponseManager == null) { |
271 synchronized (this) { |
262 synchronized (this) { |
272 if (statusResponseManager == null) { |
263 if (statusResponseManager == null) { |
273 if (debug != null && Debug.isOn("sslctx")) { |
264 if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) { |
274 System.out.println( |
265 SSLLogger.finest( |
275 "Initializing StatusResponseManager"); |
266 "Initializing StatusResponseManager"); |
276 } |
267 } |
277 statusResponseManager = new StatusResponseManager(); |
268 statusResponseManager = new StatusResponseManager(); |
278 } |
269 } |
279 } |
270 } |
280 } |
271 } |
281 |
272 |
282 return statusResponseManager; |
273 return statusResponseManager; |
283 } |
274 } |
284 |
275 |
285 // Get supported ProtocolList. |
276 // Get supported protocols. |
286 abstract ProtocolList getSuportedProtocolList(); |
277 abstract List<ProtocolVersion> getSuportedProtocolVersions(); |
287 |
278 |
288 // Get default ProtocolList for server mode. |
279 // Get default protocols for server mode. |
289 abstract ProtocolList getServerDefaultProtocolList(); |
280 abstract List<ProtocolVersion> getServerDefaultProtocolVersions(); |
290 |
281 |
291 // Get default ProtocolList for client mode. |
282 // Get default protocols for client mode. |
292 abstract ProtocolList getClientDefaultProtocolList(); |
283 abstract List<ProtocolVersion> getClientDefaultProtocolVersions(); |
293 |
284 |
294 // Get supported CipherSuiteList. |
285 // Get supported CipherSuite list. |
295 abstract CipherSuiteList getSupportedCipherSuiteList(); |
286 abstract List<CipherSuite> getSupportedCipherSuites(); |
296 |
287 |
297 // Get default CipherSuiteList for server mode. |
288 // Get default CipherSuite list for server mode. |
298 abstract CipherSuiteList getServerDefaultCipherSuiteList(); |
289 abstract List<CipherSuite> getServerDefaultCipherSuites(); |
299 |
290 |
300 // Get default CipherSuiteList for client mode. |
291 // Get default CipherSuite list for client mode. |
301 abstract CipherSuiteList getClientDefaultCipherSuiteList(); |
292 abstract List<CipherSuite> getClientDefaultCipherSuites(); |
302 |
293 |
303 // Get default ProtocolList. |
294 // Is the context for DTLS protocols? |
304 ProtocolList getDefaultProtocolList(boolean roleIsServer) { |
295 abstract boolean isDTLS(); |
305 return roleIsServer ? getServerDefaultProtocolList() |
296 |
306 : getClientDefaultProtocolList(); |
297 // Get default protocols. |
307 } |
298 List<ProtocolVersion> getDefaultProtocolVersions(boolean roleIsServer) { |
308 |
299 return roleIsServer ? getServerDefaultProtocolVersions() |
309 // Get default CipherSuiteList. |
300 : getClientDefaultProtocolVersions(); |
310 CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) { |
301 } |
311 return roleIsServer ? getServerDefaultCipherSuiteList() |
302 |
312 : getClientDefaultCipherSuiteList(); |
303 // Get default CipherSuite list. |
|
304 List<CipherSuite> getDefaultCipherSuites(boolean roleIsServer) { |
|
305 return roleIsServer ? getServerDefaultCipherSuites() |
|
306 : getClientDefaultCipherSuites(); |
313 } |
307 } |
314 |
308 |
315 /** |
309 /** |
316 * Return whether a protocol list is the original default enabled |
310 * Return whether a protocol list is the original default enabled |
317 * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() |
311 * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() |
318 */ |
312 */ |
319 boolean isDefaultProtocolList(ProtocolList protocols) { |
313 boolean isDefaultProtocolVesions(List<ProtocolVersion> protocols) { |
320 return (protocols == getServerDefaultProtocolList()) || |
314 return (protocols == getServerDefaultProtocolVersions()) || |
321 (protocols == getClientDefaultProtocolList()); |
315 (protocols == getClientDefaultProtocolVersions()); |
322 } |
316 } |
323 |
317 |
324 /** |
318 /** |
325 * Return whether a protocol list is the original default enabled |
319 * Return whether a protocol list is the original default enabled |
326 * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() |
320 * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() |
327 */ |
321 */ |
328 boolean isDefaultCipherSuiteList(CipherSuiteList cipherSuites) { |
322 boolean isDefaultCipherSuiteList(List<CipherSuite> cipherSuites) { |
329 return (cipherSuites == getServerDefaultCipherSuiteList()) || |
323 return (cipherSuites == getServerDefaultCipherSuites()) || |
330 (cipherSuites == getClientDefaultCipherSuiteList()); |
324 (cipherSuites == getClientDefaultCipherSuites()); |
331 } |
325 } |
332 |
326 |
333 /** |
327 /** |
334 * Return whether client or server side stapling has been enabled |
328 * Return whether client or server side stapling has been enabled |
335 * for this SSLContextImpl |
329 * for this SSLContextImpl |
340 */ |
334 */ |
341 boolean isStaplingEnabled(boolean isClient) { |
335 boolean isStaplingEnabled(boolean isClient) { |
342 return isClient ? clientEnableStapling : serverEnableStapling; |
336 return isClient ? clientEnableStapling : serverEnableStapling; |
343 } |
337 } |
344 |
338 |
345 |
|
346 /* |
339 /* |
347 * Return the list of all available CipherSuites that are supported |
340 * Return the list of all available CipherSuites that are supported |
348 * using currently installed providers. |
341 * using currently installed providers. |
349 */ |
342 */ |
350 private static CipherSuiteList getApplicableSupportedCipherSuiteList( |
343 private static List<CipherSuite> getApplicableSupportedCipherSuites( |
351 ProtocolList protocols) { |
344 List<ProtocolVersion> protocols) { |
352 |
345 |
353 return getApplicableCipherSuiteList( |
346 return getApplicableCipherSuites( |
354 CipherSuite.allowedCipherSuites(), |
347 CipherSuite.allowedCipherSuites(), protocols); |
355 protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY); |
|
356 } |
348 } |
357 |
349 |
358 /* |
350 /* |
359 * Return the list of all available CipherSuites that are default enabled |
351 * Return the list of all available CipherSuites that are default enabled |
360 * in client or server side. |
352 * in client or server side. |
361 */ |
353 */ |
362 private static CipherSuiteList getApplicableEnabledCipherSuiteList( |
354 private static List<CipherSuite> getApplicableEnabledCipherSuites( |
363 ProtocolList protocols, boolean isClient) { |
355 List<ProtocolVersion> protocols, boolean isClient) { |
364 |
356 |
365 if (isClient) { |
357 if (isClient) { |
366 if (!clientCustomizedCipherSuites.isEmpty()) { |
358 if (!clientCustomizedCipherSuites.isEmpty()) { |
367 return getApplicableCipherSuiteList( |
359 return getApplicableCipherSuites( |
368 clientCustomizedCipherSuites, |
360 clientCustomizedCipherSuites, protocols); |
369 protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY); |
|
370 } |
361 } |
371 } else { |
362 } else { |
372 if (!serverCustomizedCipherSuites.isEmpty()) { |
363 if (!serverCustomizedCipherSuites.isEmpty()) { |
373 return getApplicableCipherSuiteList( |
364 return getApplicableCipherSuites( |
374 serverCustomizedCipherSuites, |
365 serverCustomizedCipherSuites, protocols); |
375 protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY); |
366 } |
376 } |
367 } |
377 } |
368 |
378 |
369 return getApplicableCipherSuites( |
379 return getApplicableCipherSuiteList( |
370 CipherSuite.defaultCipherSuites(), protocols); |
380 CipherSuite.allowedCipherSuites(), |
|
381 protocols, CipherSuite.DEFAULT_SUITES_PRIORITY); |
|
382 } |
371 } |
383 |
372 |
384 /* |
373 /* |
385 * Return the list of available CipherSuites which are applicable to |
374 * Return the list of available CipherSuites which are applicable to |
386 * the specified protocols. |
375 * the specified protocols. |
387 */ |
376 */ |
388 private static CipherSuiteList getApplicableCipherSuiteList( |
377 private static List<CipherSuite> getApplicableCipherSuites( |
389 Collection<CipherSuite> allowedCipherSuites, |
378 Collection<CipherSuite> allowedCipherSuites, |
390 ProtocolList protocols, int minPriority) { |
379 List<ProtocolVersion> protocols) { |
391 |
|
392 TreeSet<CipherSuite> suites = new TreeSet<>(); |
380 TreeSet<CipherSuite> suites = new TreeSet<>(); |
393 if (!(protocols.collection().isEmpty()) && |
381 if (protocols != null && (!protocols.isEmpty())) { |
394 protocols.min.v != ProtocolVersion.NONE.v) { |
|
395 for (CipherSuite suite : allowedCipherSuites) { |
382 for (CipherSuite suite : allowedCipherSuites) { |
396 if (!suite.allowed || suite.priority < minPriority) { |
383 if (!suite.isAvailable()) { |
397 continue; |
384 continue; |
398 } |
385 } |
399 |
386 |
400 if (suite.isAvailable() && |
387 boolean isSupported = false; |
401 !protocols.min.obsoletes(suite) && |
388 for (ProtocolVersion protocol : protocols) { |
402 protocols.max.supports(suite)) { |
389 if (!suite.supports(protocol)) { |
|
390 continue; |
|
391 } |
|
392 |
403 if (SSLAlgorithmConstraints.DEFAULT.permits( |
393 if (SSLAlgorithmConstraints.DEFAULT.permits( |
404 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), |
394 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), |
405 suite.name, null)) { |
395 suite.name, null)) { |
406 suites.add(suite); |
396 suites.add(suite); |
407 } else { |
397 isSupported = true; |
408 if (debug != null && Debug.isOn("sslctx") && |
398 } else if (SSLLogger.isOn && |
409 Debug.isOn("verbose")) { |
399 SSLLogger.isOn("ssl,sslctx,verbose")) { |
410 System.out.println( |
400 SSLLogger.fine( |
411 "Ignoring disabled cipher suite: " + |
401 "Ignore disabled cipher suite: " + suite.name); |
412 suite.name); |
|
413 } |
|
414 } |
402 } |
415 } else if (debug != null && |
403 |
416 Debug.isOn("sslctx") && Debug.isOn("verbose")) { |
404 break; |
417 if (protocols.min.obsoletes(suite)) { |
405 } |
418 System.out.println( |
406 |
419 "Ignoring obsoleted cipher suite: " + suite); |
407 if (!isSupported && SSLLogger.isOn && |
420 } else if (!protocols.max.supports(suite)) { |
408 SSLLogger.isOn("ssl,sslctx,verbose")) { |
421 System.out.println( |
409 SSLLogger.finest( |
422 "Ignoring unsupported cipher suite: " + suite); |
410 "Ignore unsupported cipher suite: " + suite); |
423 } else { |
411 } |
424 System.out.println( |
412 } |
425 "Ignoring unavailable cipher suite: " + suite); |
413 } |
426 } |
414 |
427 } |
415 return Arrays.asList(suites.toArray(new CipherSuite[0])); |
428 } |
|
429 } |
|
430 |
|
431 return new CipherSuiteList(suites); |
|
432 } |
416 } |
433 |
417 |
434 /* |
418 /* |
435 * Get the customized cipher suites specified by the given system property. |
419 * Get the customized cipher suites specified by the given system property. |
436 */ |
420 */ |
437 private static Collection<CipherSuite> getCustomizedCipherSuites( |
421 private static Collection<CipherSuite> getCustomizedCipherSuites( |
438 String propertyName) { |
422 String propertyName) { |
439 |
423 |
440 String property = GetPropertyAction.privilegedGetProperty(propertyName); |
424 String property = GetPropertyAction.privilegedGetProperty(propertyName); |
441 if (debug != null && Debug.isOn("sslctx")) { |
425 if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) { |
442 System.out.println( |
426 SSLLogger.fine( |
443 "System property " + propertyName + " is set to '" + |
427 "System property " + propertyName + " is set to '" + |
444 property + "'"); |
428 property + "'"); |
445 } |
429 } |
446 if (property != null && property.length() != 0) { |
430 if (property != null && property.length() != 0) { |
447 // remove double quote marks from beginning/end of the property |
431 // remove double quote marks from beginning/end of the property |
546 * SSL/TLS parameters. |
530 * SSL/TLS parameters. |
547 * |
531 * |
548 * @see SSLContext |
532 * @see SSLContext |
549 */ |
533 */ |
550 private abstract static class AbstractTLSContext extends SSLContextImpl { |
534 private abstract static class AbstractTLSContext extends SSLContextImpl { |
551 private static final ProtocolList supportedProtocolList; |
535 private static final List<ProtocolVersion> supportedProtocols; |
552 private static final ProtocolList serverDefaultProtocolList; |
536 private static final List<ProtocolVersion> serverDefaultProtocols; |
553 |
537 |
554 private static final CipherSuiteList supportedCipherSuiteList; |
538 private static final List<CipherSuite> supportedCipherSuites; |
555 private static final CipherSuiteList serverDefaultCipherSuiteList; |
539 private static final List<CipherSuite> serverDefaultCipherSuites; |
556 |
540 |
557 static { |
541 static { |
558 if (SunJSSE.isFIPS()) { |
542 if (SunJSSE.isFIPS()) { |
559 supportedProtocolList = new ProtocolList(new String[] { |
543 supportedProtocols = Arrays.asList( |
560 ProtocolVersion.TLS10.name, |
544 ProtocolVersion.TLS13, |
561 ProtocolVersion.TLS11.name, |
545 ProtocolVersion.TLS12, |
562 ProtocolVersion.TLS12.name |
546 ProtocolVersion.TLS11, |
|
547 ProtocolVersion.TLS10 |
|
548 ); |
|
549 |
|
550 serverDefaultProtocols = getAvailableProtocols( |
|
551 new ProtocolVersion[] { |
|
552 ProtocolVersion.TLS13, |
|
553 ProtocolVersion.TLS12, |
|
554 ProtocolVersion.TLS11, |
|
555 ProtocolVersion.TLS10 |
563 }); |
556 }); |
564 |
557 } else { |
565 serverDefaultProtocolList = new ProtocolList( |
558 supportedProtocols = Arrays.asList( |
566 getAvailableProtocols(new ProtocolVersion[] { |
559 ProtocolVersion.TLS13, |
|
560 ProtocolVersion.TLS12, |
|
561 ProtocolVersion.TLS11, |
567 ProtocolVersion.TLS10, |
562 ProtocolVersion.TLS10, |
|
563 ProtocolVersion.SSL30, |
|
564 ProtocolVersion.SSL20Hello |
|
565 ); |
|
566 |
|
567 serverDefaultProtocols = getAvailableProtocols( |
|
568 new ProtocolVersion[] { |
|
569 ProtocolVersion.TLS13, |
|
570 ProtocolVersion.TLS12, |
568 ProtocolVersion.TLS11, |
571 ProtocolVersion.TLS11, |
569 ProtocolVersion.TLS12 |
572 ProtocolVersion.TLS10, |
570 })); |
573 ProtocolVersion.SSL30, |
571 } else { |
574 ProtocolVersion.SSL20Hello |
572 supportedProtocolList = new ProtocolList(new String[] { |
|
573 ProtocolVersion.SSL20Hello.name, |
|
574 ProtocolVersion.SSL30.name, |
|
575 ProtocolVersion.TLS10.name, |
|
576 ProtocolVersion.TLS11.name, |
|
577 ProtocolVersion.TLS12.name |
|
578 }); |
575 }); |
579 |
576 } |
580 serverDefaultProtocolList = new ProtocolList( |
577 |
581 getAvailableProtocols(new ProtocolVersion[] { |
578 supportedCipherSuites = getApplicableSupportedCipherSuites( |
582 ProtocolVersion.SSL20Hello, |
579 supportedProtocols); |
583 ProtocolVersion.SSL30, |
580 serverDefaultCipherSuites = getApplicableEnabledCipherSuites( |
584 ProtocolVersion.TLS10, |
581 serverDefaultProtocols, false); |
585 ProtocolVersion.TLS11, |
582 } |
586 ProtocolVersion.TLS12 |
583 |
587 })); |
584 @Override |
588 } |
585 List<ProtocolVersion> getSuportedProtocolVersions() { |
589 |
586 return supportedProtocols; |
590 supportedCipherSuiteList = getApplicableSupportedCipherSuiteList( |
587 } |
591 supportedProtocolList); |
588 |
592 serverDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
589 @Override |
593 serverDefaultProtocolList, false); |
590 List<CipherSuite> getSupportedCipherSuites() { |
594 } |
591 return supportedCipherSuites; |
595 |
592 } |
596 @Override |
593 |
597 ProtocolList getSuportedProtocolList() { |
594 @Override |
598 return supportedProtocolList; |
595 List<ProtocolVersion> getServerDefaultProtocolVersions() { |
599 } |
596 return serverDefaultProtocols; |
600 |
597 } |
601 @Override |
598 |
602 CipherSuiteList getSupportedCipherSuiteList() { |
599 @Override |
603 return supportedCipherSuiteList; |
600 List<CipherSuite> getServerDefaultCipherSuites() { |
604 } |
601 return serverDefaultCipherSuites; |
605 |
|
606 @Override |
|
607 ProtocolList getServerDefaultProtocolList() { |
|
608 return serverDefaultProtocolList; |
|
609 } |
|
610 |
|
611 @Override |
|
612 CipherSuiteList getServerDefaultCipherSuiteList() { |
|
613 return serverDefaultCipherSuiteList; |
|
614 } |
602 } |
615 |
603 |
616 @Override |
604 @Override |
617 SSLEngine createSSLEngineImpl() { |
605 SSLEngine createSSLEngineImpl() { |
618 return new SSLEngineImpl(this, false); |
606 return new SSLEngineImpl(this); |
619 } |
607 } |
620 |
608 |
621 @Override |
609 @Override |
622 SSLEngine createSSLEngineImpl(String host, int port) { |
610 SSLEngine createSSLEngineImpl(String host, int port) { |
623 return new SSLEngineImpl(this, host, port, false); |
611 return new SSLEngineImpl(this, host, port); |
|
612 } |
|
613 |
|
614 @Override |
|
615 boolean isDTLS() { |
|
616 return false; |
624 } |
617 } |
625 } |
618 } |
626 |
619 |
627 /* |
620 /* |
628 * The SSLContext implementation for SSLv3 and TLS10 algorithm |
621 * The SSLContext implementation for SSLv3 and TLS10 algorithm |
629 * |
622 * |
630 * @see SSLContext |
623 * @see SSLContext |
631 */ |
624 */ |
632 public static final class TLS10Context extends AbstractTLSContext { |
625 public static final class TLS10Context extends AbstractTLSContext { |
633 private static final ProtocolList clientDefaultProtocolList; |
626 private static final List<ProtocolVersion> clientDefaultProtocols; |
634 private static final CipherSuiteList clientDefaultCipherSuiteList; |
627 private static final List<CipherSuite> clientDefaultCipherSuites; |
635 |
628 |
636 static { |
629 static { |
637 if (SunJSSE.isFIPS()) { |
630 if (SunJSSE.isFIPS()) { |
638 clientDefaultProtocolList = new ProtocolList( |
631 clientDefaultProtocols = getAvailableProtocols( |
639 getAvailableProtocols(new ProtocolVersion[] { |
632 new ProtocolVersion[] { |
640 ProtocolVersion.TLS10 |
633 ProtocolVersion.TLS10 |
641 })); |
634 }); |
642 } else { |
635 } else { |
643 clientDefaultProtocolList = new ProtocolList( |
636 clientDefaultProtocols = getAvailableProtocols( |
644 getAvailableProtocols(new ProtocolVersion[] { |
637 new ProtocolVersion[] { |
645 ProtocolVersion.SSL30, |
638 ProtocolVersion.TLS10, |
646 ProtocolVersion.TLS10 |
639 ProtocolVersion.SSL30 |
647 })); |
640 }); |
648 } |
641 } |
649 |
642 |
650 clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
643 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
651 clientDefaultProtocolList, true); |
644 clientDefaultProtocols, true); |
652 } |
645 } |
653 |
646 |
654 @Override |
647 @Override |
655 ProtocolList getClientDefaultProtocolList() { |
648 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
656 return clientDefaultProtocolList; |
649 return clientDefaultProtocols; |
657 } |
650 } |
658 |
651 |
659 @Override |
652 @Override |
660 CipherSuiteList getClientDefaultCipherSuiteList() { |
653 List<CipherSuite> getClientDefaultCipherSuites() { |
661 return clientDefaultCipherSuiteList; |
654 return clientDefaultCipherSuites; |
662 } |
655 } |
663 } |
656 } |
664 |
657 |
665 /* |
658 /* |
666 * The SSLContext implementation for TLS11 algorithm |
659 * The SSLContext implementation for TLS11 algorithm |
667 * |
660 * |
668 * @see SSLContext |
661 * @see SSLContext |
669 */ |
662 */ |
670 public static final class TLS11Context extends AbstractTLSContext { |
663 public static final class TLS11Context extends AbstractTLSContext { |
671 private static final ProtocolList clientDefaultProtocolList; |
664 private static final List<ProtocolVersion> clientDefaultProtocols; |
672 private static final CipherSuiteList clientDefaultCipherSuiteList; |
665 private static final List<CipherSuite> clientDefaultCipherSuites; |
673 |
666 |
674 static { |
667 static { |
675 if (SunJSSE.isFIPS()) { |
668 if (SunJSSE.isFIPS()) { |
676 clientDefaultProtocolList = new ProtocolList( |
669 clientDefaultProtocols = getAvailableProtocols( |
677 getAvailableProtocols(new ProtocolVersion[] { |
670 new ProtocolVersion[] { |
|
671 ProtocolVersion.TLS11, |
|
672 ProtocolVersion.TLS10 |
|
673 }); |
|
674 } else { |
|
675 clientDefaultProtocols = getAvailableProtocols( |
|
676 new ProtocolVersion[] { |
|
677 ProtocolVersion.TLS11, |
678 ProtocolVersion.TLS10, |
678 ProtocolVersion.TLS10, |
679 ProtocolVersion.TLS11 |
679 ProtocolVersion.SSL30 |
680 })); |
680 }); |
681 } else { |
681 } |
682 clientDefaultProtocolList = new ProtocolList( |
682 |
683 getAvailableProtocols(new ProtocolVersion[] { |
683 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
684 ProtocolVersion.SSL30, |
684 clientDefaultProtocols, true); |
685 ProtocolVersion.TLS10, |
685 |
686 ProtocolVersion.TLS11 |
686 } |
687 })); |
687 |
688 } |
688 @Override |
689 |
689 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
690 clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
690 return clientDefaultProtocols; |
691 clientDefaultProtocolList, true); |
691 } |
692 |
692 |
693 } |
693 @Override |
694 |
694 List<CipherSuite> getClientDefaultCipherSuites() { |
695 @Override |
695 return clientDefaultCipherSuites; |
696 ProtocolList getClientDefaultProtocolList() { |
|
697 return clientDefaultProtocolList; |
|
698 } |
|
699 |
|
700 @Override |
|
701 CipherSuiteList getClientDefaultCipherSuiteList() { |
|
702 return clientDefaultCipherSuiteList; |
|
703 } |
696 } |
704 } |
697 } |
705 |
698 |
706 /* |
699 /* |
707 * The SSLContext implementation for TLS12 algorithm |
700 * The SSLContext implementation for TLS12 algorithm |
708 * |
701 * |
709 * @see SSLContext |
702 * @see SSLContext |
710 */ |
703 */ |
711 public static final class TLS12Context extends AbstractTLSContext { |
704 public static final class TLS12Context extends AbstractTLSContext { |
712 private static final ProtocolList clientDefaultProtocolList; |
705 private static final List<ProtocolVersion> clientDefaultProtocols; |
713 private static final CipherSuiteList clientDefaultCipherSuiteList; |
706 private static final List<CipherSuite> clientDefaultCipherSuites; |
714 |
707 |
715 static { |
708 static { |
716 if (SunJSSE.isFIPS()) { |
709 if (SunJSSE.isFIPS()) { |
717 clientDefaultProtocolList = new ProtocolList( |
710 clientDefaultProtocols = getAvailableProtocols( |
718 getAvailableProtocols(new ProtocolVersion[] { |
711 new ProtocolVersion[] { |
|
712 ProtocolVersion.TLS12, |
|
713 ProtocolVersion.TLS11, |
|
714 ProtocolVersion.TLS10 |
|
715 }); |
|
716 } else { |
|
717 clientDefaultProtocols = getAvailableProtocols( |
|
718 new ProtocolVersion[] { |
|
719 ProtocolVersion.TLS12, |
|
720 ProtocolVersion.TLS11, |
719 ProtocolVersion.TLS10, |
721 ProtocolVersion.TLS10, |
|
722 ProtocolVersion.SSL30 |
|
723 }); |
|
724 } |
|
725 |
|
726 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
|
727 clientDefaultProtocols, true); |
|
728 } |
|
729 |
|
730 @Override |
|
731 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
|
732 return clientDefaultProtocols; |
|
733 } |
|
734 |
|
735 @Override |
|
736 List<CipherSuite> getClientDefaultCipherSuites() { |
|
737 return clientDefaultCipherSuites; |
|
738 } |
|
739 } |
|
740 |
|
741 /* |
|
742 * The SSLContext implementation for TLS1.3 algorithm |
|
743 * |
|
744 * @see SSLContext |
|
745 */ |
|
746 public static final class TLS13Context extends AbstractTLSContext { |
|
747 private static final List<ProtocolVersion> clientDefaultProtocols; |
|
748 private static final List<CipherSuite> clientDefaultCipherSuites; |
|
749 |
|
750 static { |
|
751 if (SunJSSE.isFIPS()) { |
|
752 clientDefaultProtocols = getAvailableProtocols( |
|
753 new ProtocolVersion[] { |
|
754 ProtocolVersion.TLS13, |
|
755 ProtocolVersion.TLS12, |
720 ProtocolVersion.TLS11, |
756 ProtocolVersion.TLS11, |
721 ProtocolVersion.TLS12 |
757 ProtocolVersion.TLS10 |
722 })); |
758 }); |
723 } else { |
759 } else { |
724 clientDefaultProtocolList = new ProtocolList( |
760 clientDefaultProtocols = getAvailableProtocols( |
725 getAvailableProtocols(new ProtocolVersion[] { |
761 new ProtocolVersion[] { |
726 ProtocolVersion.SSL30, |
762 ProtocolVersion.TLS13, |
|
763 ProtocolVersion.TLS12, |
|
764 ProtocolVersion.TLS11, |
727 ProtocolVersion.TLS10, |
765 ProtocolVersion.TLS10, |
728 ProtocolVersion.TLS11, |
766 ProtocolVersion.SSL30 |
729 ProtocolVersion.TLS12 |
767 }); |
730 })); |
768 } |
731 } |
769 |
732 |
770 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
733 clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
771 clientDefaultProtocols, true); |
734 clientDefaultProtocolList, true); |
772 } |
735 } |
773 |
736 |
774 @Override |
737 @Override |
775 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
738 ProtocolList getClientDefaultProtocolList() { |
776 return clientDefaultProtocols; |
739 return clientDefaultProtocolList; |
777 } |
740 } |
778 |
741 |
779 @Override |
742 @Override |
780 List<CipherSuite> getClientDefaultCipherSuites() { |
743 CipherSuiteList getClientDefaultCipherSuiteList() { |
781 return clientDefaultCipherSuites; |
744 return clientDefaultCipherSuiteList; |
|
745 } |
782 } |
746 } |
783 } |
747 |
784 |
748 /* |
785 /* |
749 * The interface for the customized SSL/(D)TLS SSLContext. |
786 * The interface for the customized SSL/(D)TLS SSLContext. |
841 if (customizedTLSProtocols.isEmpty()) { |
876 if (customizedTLSProtocols.isEmpty()) { |
842 // Use the default enabled client protocols if no |
877 // Use the default enabled client protocols if no |
843 // customized TLS protocols. |
878 // customized TLS protocols. |
844 if (SunJSSE.isFIPS()) { |
879 if (SunJSSE.isFIPS()) { |
845 candidates = new ProtocolVersion[] { |
880 candidates = new ProtocolVersion[] { |
846 ProtocolVersion.TLS10, |
881 ProtocolVersion.TLS13, |
|
882 ProtocolVersion.TLS12, |
847 ProtocolVersion.TLS11, |
883 ProtocolVersion.TLS11, |
848 ProtocolVersion.TLS12 |
884 ProtocolVersion.TLS10 |
849 }; |
885 }; |
850 } else { |
886 } else { |
851 candidates = new ProtocolVersion[] { |
887 candidates = new ProtocolVersion[] { |
852 ProtocolVersion.SSL30, |
888 ProtocolVersion.TLS13, |
|
889 ProtocolVersion.TLS12, |
|
890 ProtocolVersion.TLS11, |
853 ProtocolVersion.TLS10, |
891 ProtocolVersion.TLS10, |
854 ProtocolVersion.TLS11, |
892 ProtocolVersion.SSL30 |
855 ProtocolVersion.TLS12 |
|
856 }; |
893 }; |
857 } |
894 } |
858 } else { |
895 } else { |
859 // Use the customized TLS protocols. |
896 // Use the customized TLS protocols. |
860 candidates = |
897 candidates = |
861 new ProtocolVersion[customizedTLSProtocols.size()]; |
898 new ProtocolVersion[customizedTLSProtocols.size()]; |
862 candidates = customizedTLSProtocols.toArray(candidates); |
899 candidates = customizedTLSProtocols.toArray(candidates); |
863 } |
900 } |
864 |
901 |
865 clientDefaultProtocolList = new ProtocolList( |
902 clientDefaultProtocols = getAvailableProtocols(candidates); |
866 getAvailableProtocols(candidates)); |
903 clientDefaultCipherSuites = |
867 clientDefaultCipherSuiteList = |
904 getApplicableEnabledCipherSuites( |
868 getApplicableEnabledCipherSuiteList( |
905 clientDefaultProtocols, true); |
869 clientDefaultProtocolList, true); |
|
870 } else { |
906 } else { |
871 clientDefaultProtocolList = null; // unlikely to be used |
907 clientDefaultProtocols = null; // unlikely to be used |
872 clientDefaultCipherSuiteList = null; // unlikely to be used |
908 clientDefaultCipherSuites = null; // unlikely to be used |
873 } |
909 } |
874 } |
910 } |
875 |
911 |
876 protected CustomizedTLSContext() { |
912 protected CustomizedTLSContext() { |
877 if (reservedException != null) { |
913 if (reservedException != null) { |
878 throw reservedException; |
914 throw reservedException; |
879 } |
915 } |
880 } |
916 } |
881 |
917 |
882 @Override |
918 @Override |
883 ProtocolList getClientDefaultProtocolList() { |
919 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
884 return clientDefaultProtocolList; |
920 return clientDefaultProtocols; |
885 } |
921 } |
886 |
922 |
887 @Override |
923 @Override |
888 CipherSuiteList getClientDefaultCipherSuiteList() { |
924 List<CipherSuite> getClientDefaultCipherSuites() { |
889 return clientDefaultCipherSuiteList; |
925 return clientDefaultCipherSuites; |
890 } |
926 } |
891 } |
927 } |
892 |
928 |
893 /* |
929 /* |
894 * The SSLContext implementation for default "TLS" algorithm |
930 * The SSLContext implementation for default "TLS" algorithm |
1126 * parameters. |
1165 * parameters. |
1127 * |
1166 * |
1128 * @see SSLContext |
1167 * @see SSLContext |
1129 */ |
1168 */ |
1130 private abstract static class AbstractDTLSContext extends SSLContextImpl { |
1169 private abstract static class AbstractDTLSContext extends SSLContextImpl { |
1131 private static final ProtocolList supportedProtocolList; |
1170 private static final List<ProtocolVersion> supportedProtocols; |
1132 private static final ProtocolList serverDefaultProtocolList; |
1171 private static final List<ProtocolVersion> serverDefaultProtocols; |
1133 |
1172 |
1134 private static final CipherSuiteList supportedCipherSuiteList; |
1173 private static final List<CipherSuite> supportedCipherSuites; |
1135 private static final CipherSuiteList serverDefaultCipherSuiteList; |
1174 private static final List<CipherSuite> serverDefaultCipherSuites; |
1136 |
1175 |
1137 static { |
1176 static { |
1138 // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode. |
1177 // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode. |
1139 supportedProtocolList = new ProtocolList(new String[] { |
1178 supportedProtocols = Arrays.asList( |
1140 ProtocolVersion.DTLS10.name, |
1179 ProtocolVersion.DTLS12, |
1141 ProtocolVersion.DTLS12.name |
1180 ProtocolVersion.DTLS10 |
|
1181 ); |
|
1182 |
|
1183 // available protocols for server mode |
|
1184 serverDefaultProtocols = getAvailableProtocols( |
|
1185 new ProtocolVersion[] { |
|
1186 ProtocolVersion.DTLS12, |
|
1187 ProtocolVersion.DTLS10 |
1142 }); |
1188 }); |
1143 |
1189 |
1144 // available protocols for server mode |
1190 supportedCipherSuites = getApplicableSupportedCipherSuites( |
1145 serverDefaultProtocolList = new ProtocolList( |
1191 supportedProtocols); |
1146 getAvailableProtocols(new ProtocolVersion[] { |
1192 serverDefaultCipherSuites = getApplicableEnabledCipherSuites( |
1147 ProtocolVersion.DTLS10, |
1193 serverDefaultProtocols, false); |
1148 ProtocolVersion.DTLS12 |
1194 } |
1149 })); |
1195 |
1150 |
1196 @Override |
1151 supportedCipherSuiteList = getApplicableSupportedCipherSuiteList( |
1197 List<ProtocolVersion> getSuportedProtocolVersions() { |
1152 supportedProtocolList); |
1198 return supportedProtocols; |
1153 serverDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
1199 } |
1154 serverDefaultProtocolList, false); |
1200 |
1155 } |
1201 @Override |
1156 |
1202 List<CipherSuite> getSupportedCipherSuites() { |
1157 @Override |
1203 return supportedCipherSuites; |
1158 ProtocolList getSuportedProtocolList() { |
1204 } |
1159 return supportedProtocolList; |
1205 |
1160 } |
1206 @Override |
1161 |
1207 List<ProtocolVersion> getServerDefaultProtocolVersions() { |
1162 @Override |
1208 return serverDefaultProtocols; |
1163 CipherSuiteList getSupportedCipherSuiteList() { |
1209 } |
1164 return supportedCipherSuiteList; |
1210 |
1165 } |
1211 @Override |
1166 |
1212 List<CipherSuite> getServerDefaultCipherSuites() { |
1167 @Override |
1213 return serverDefaultCipherSuites; |
1168 ProtocolList getServerDefaultProtocolList() { |
|
1169 return serverDefaultProtocolList; |
|
1170 } |
|
1171 |
|
1172 @Override |
|
1173 CipherSuiteList getServerDefaultCipherSuiteList() { |
|
1174 return serverDefaultCipherSuiteList; |
|
1175 } |
1214 } |
1176 |
1215 |
1177 @Override |
1216 @Override |
1178 SSLEngine createSSLEngineImpl() { |
1217 SSLEngine createSSLEngineImpl() { |
1179 return new SSLEngineImpl(this, true); |
1218 return new SSLEngineImpl(this); |
1180 } |
1219 } |
1181 |
1220 |
1182 @Override |
1221 @Override |
1183 SSLEngine createSSLEngineImpl(String host, int port) { |
1222 SSLEngine createSSLEngineImpl(String host, int port) { |
1184 return new SSLEngineImpl(this, host, port, true); |
1223 return new SSLEngineImpl(this, host, port); |
1185 } |
1224 } |
1186 |
1225 |
1187 @Override |
1226 @Override |
1188 HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) { |
1227 boolean isDTLS() { |
1189 return new HelloCookieManager(secureRandom); |
1228 return true; |
1190 } |
1229 } |
1191 } |
1230 } |
1192 |
1231 |
1193 /* |
1232 /* |
1194 * The SSLContext implementation for DTLSv1.0 algorithm. |
1233 * The SSLContext implementation for DTLSv1.0 algorithm. |
1195 * |
1234 * |
1196 * @see SSLContext |
1235 * @see SSLContext |
1197 */ |
1236 */ |
1198 public static final class DTLS10Context extends AbstractDTLSContext { |
1237 public static final class DTLS10Context extends AbstractDTLSContext { |
1199 private static final ProtocolList clientDefaultProtocolList; |
1238 private static final List<ProtocolVersion> clientDefaultProtocols; |
1200 private static final CipherSuiteList clientDefaultCipherSuiteList; |
1239 private static final List<CipherSuite> clientDefaultCipherSuites; |
1201 |
1240 |
1202 static { |
1241 static { |
1203 // available protocols for client mode |
1242 // available protocols for client mode |
1204 clientDefaultProtocolList = new ProtocolList( |
1243 clientDefaultProtocols = getAvailableProtocols( |
1205 getAvailableProtocols(new ProtocolVersion[] { |
1244 new ProtocolVersion[] { |
1206 ProtocolVersion.DTLS10 |
1245 ProtocolVersion.DTLS10 |
1207 })); |
1246 }); |
1208 |
1247 |
1209 clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
1248 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
1210 clientDefaultProtocolList, true); |
1249 clientDefaultProtocols, true); |
1211 } |
1250 } |
1212 |
1251 |
1213 @Override |
1252 @Override |
1214 ProtocolList getClientDefaultProtocolList() { |
1253 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
1215 return clientDefaultProtocolList; |
1254 return clientDefaultProtocols; |
1216 } |
1255 } |
1217 |
1256 |
1218 @Override |
1257 @Override |
1219 CipherSuiteList getClientDefaultCipherSuiteList() { |
1258 List<CipherSuite> getClientDefaultCipherSuites() { |
1220 return clientDefaultCipherSuiteList; |
1259 return clientDefaultCipherSuites; |
1221 } |
1260 } |
1222 } |
1261 } |
1223 |
1262 |
1224 /* |
1263 /* |
1225 * The SSLContext implementation for DTLSv1.2 algorithm. |
1264 * The SSLContext implementation for DTLSv1.2 algorithm. |
1226 * |
1265 * |
1227 * @see SSLContext |
1266 * @see SSLContext |
1228 */ |
1267 */ |
1229 public static final class DTLS12Context extends AbstractDTLSContext { |
1268 public static final class DTLS12Context extends AbstractDTLSContext { |
1230 private static final ProtocolList clientDefaultProtocolList; |
1269 private static final List<ProtocolVersion> clientDefaultProtocols; |
1231 private static final CipherSuiteList clientDefaultCipherSuiteList; |
1270 private static final List<CipherSuite> clientDefaultCipherSuites; |
1232 |
1271 |
1233 static { |
1272 static { |
1234 // available protocols for client mode |
1273 // available protocols for client mode |
1235 clientDefaultProtocolList = new ProtocolList( |
1274 clientDefaultProtocols = getAvailableProtocols( |
1236 getAvailableProtocols(new ProtocolVersion[] { |
1275 new ProtocolVersion[] { |
1237 ProtocolVersion.DTLS10, |
1276 ProtocolVersion.DTLS12, |
1238 ProtocolVersion.DTLS12 |
1277 ProtocolVersion.DTLS10 |
1239 })); |
1278 }); |
1240 |
1279 |
1241 clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
1280 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
1242 clientDefaultProtocolList, true); |
1281 clientDefaultProtocols, true); |
1243 } |
1282 } |
1244 |
1283 |
1245 @Override |
1284 @Override |
1246 ProtocolList getClientDefaultProtocolList() { |
1285 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
1247 return clientDefaultProtocolList; |
1286 return clientDefaultProtocols; |
1248 } |
1287 } |
1249 |
1288 |
1250 @Override |
1289 @Override |
1251 CipherSuiteList getClientDefaultCipherSuiteList() { |
1290 List<CipherSuite> getClientDefaultCipherSuites() { |
1252 return clientDefaultCipherSuiteList; |
1291 return clientDefaultCipherSuites; |
1253 } |
1292 } |
1254 } |
1293 } |
1255 |
1294 |
1256 /* |
1295 /* |
1257 * The SSLContext implementation for customized TLS protocols |
1296 * The SSLContext implementation for customized TLS protocols |
1258 * |
1297 * |
1259 * @see SSLContext |
1298 * @see SSLContext |
1260 */ |
1299 */ |
1261 private static class CustomizedDTLSContext extends AbstractDTLSContext { |
1300 private static class CustomizedDTLSContext extends AbstractDTLSContext { |
1262 private static final ProtocolList clientDefaultProtocolList; |
1301 private static final List<ProtocolVersion> clientDefaultProtocols; |
1263 private static final CipherSuiteList clientDefaultCipherSuiteList; |
1302 private static final List<CipherSuite> clientDefaultCipherSuites; |
1264 |
1303 |
1265 private static IllegalArgumentException reservedException = null; |
1304 private static IllegalArgumentException reservedException = null; |
1266 |
1305 |
1267 // Don't want a java.lang.LinkageError for illegal system property. |
1306 // Don't want a java.lang.LinkageError for illegal system property. |
1268 // |
1307 // |