jdk-sandbox: comparison src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java

equal deleted inserted replaced

-:356eaea05bf0
+:68fa3d4026ea
 /*
-* Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * questions.
 */
 package sun.security.ssl;
+import java.io.*;
 import java.net.Socket;
-import java.io.*;
-import java.util.*;
 import java.security.*;
 import java.security.cert.*;
-import java.security.cert.Certificate;
+import java.util.*;
 import javax.net.ssl.*;
+import sun.security.action.GetPropertyAction;
 import sun.security.provider.certpath.AlgorithmChecker;
-import sun.security.action.GetPropertyAction;
 import sun.security.validator.Validator;
+/**
+* Implementation of an SSLContext.
+*
+* Implementation note: Instances of this class and the child classes are
+* immutable, except that the context initialization (SSLContext.init()) may
+* reset the key, trust managers and source of secure random.
+*/
 public abstract class SSLContextImpl extends SSLContextSpi {
-private static final Debug debug = Debug.getInstance("ssl");
 private final EphemeralKeyManager ephemeralKeyManager;
 private final SSLSessionContextImpl clientCache;
 private final SSLSessionContextImpl serverCache;
 private X509ExtendedKeyManager keyManager;
 private X509TrustManager trustManager;
 private SecureRandom secureRandom;
 // DTLS cookie exchange manager
-private volatile HelloCookieManager helloCookieManager;
+private volatile HelloCookieManager.Builder helloCookieManagerBuilder;
-private final boolean clientEnableStapling = Debug.getBooleanProperty(
+private final boolean clientEnableStapling = Utilities.getBooleanProperty(
 "jdk.tls.client.enableStatusRequestExtension", true);
-private final boolean serverEnableStapling = Debug.getBooleanProperty(
+private final boolean serverEnableStapling = Utilities.getBooleanProperty(
 "jdk.tls.server.enableStatusRequestExtension", false);
-private final static Collection<CipherSuite> clientCustomizedCipherSuites =
+private static final Collection<CipherSuite> clientCustomizedCipherSuites =
 getCustomizedCipherSuites("jdk.tls.client.cipherSuites");
-private final static Collection<CipherSuite> serverCustomizedCipherSuites =
+private static final Collection<CipherSuite> serverCustomizedCipherSuites =
 getCustomizedCipherSuites("jdk.tls.server.cipherSuites");
 private volatile StatusResponseManager statusResponseManager;
 SSLContextImpl() {
 * The initial delay of seeding the random number generator
 * could be long enough to cause the initial handshake on our
 * first connection to timeout and fail. Make sure it is
 * primed and ready by getting some initial output from it.
 */
-if (debug != null && Debug.isOn("sslctx")) {
+if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
-System.out.println("trigger seeding of SecureRandom");
+SSLLogger.finest("trigger seeding of SecureRandom");
 }
 secureRandom.nextInt();
-if (debug != null && Debug.isOn("sslctx")) {
+if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
-System.out.println("done seeding SecureRandom");
+SSLLogger.finest("done seeding of SecureRandom");
 }
 isInitialized = true;
 }
 }
 }
 if (km instanceof X509ExtendedKeyManager) {
 return (X509ExtendedKeyManager)km;
 }
-if (debug != null && Debug.isOn("sslctx")) {
-System.out.println(
+if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
-"X509KeyManager passed to " +
+SSLLogger.warning(
-"SSLContext.init():  need an " +
+"X509KeyManager passed to SSLContext.init():  need an " +
 "X509ExtendedKeyManager for SSLEngine use");
 }
 return new AbstractKeyManagerWrapper((X509KeyManager)km);
 }
 EphemeralKeyManager getEphemeralKeyManager() {
 return ephemeralKeyManager;
 }
-// Used for DTLS in server mode only, see ServerHandshaker.
+// Used for DTLS in server mode only.
-HelloCookieManager getHelloCookieManager() {
+HelloCookieManager getHelloCookieManager(ProtocolVersion protocolVersion) {
-if (!isInitialized) {
+if (helloCookieManagerBuilder == null) {
-throw new IllegalStateException("SSLContext is not initialized");
+synchronized (this) {
-}
+if (helloCookieManagerBuilder == null) {
+helloCookieManagerBuilder =
-if (helloCookieManager != null) {
+new HelloCookieManager.Builder(secureRandom);
-return helloCookieManager;
+}
 }
+}
-synchronized (this) {
-if (helloCookieManager == null) {
+return helloCookieManagerBuilder.valueOf(protocolVersion);
-helloCookieManager = getHelloCookieManager(secureRandom);
-}
-}
-return helloCookieManager;
-}
-HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) {
-throw new UnsupportedOperationException(
-"Cookie exchange applies to DTLS only");
 }
 StatusResponseManager getStatusResponseManager() {
 if (serverEnableStapling && statusResponseManager == null) {
 synchronized (this) {
 if (statusResponseManager == null) {
-if (debug != null && Debug.isOn("sslctx")) {
+if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
-System.out.println(
+SSLLogger.finest(
 "Initializing StatusResponseManager");
 }
 statusResponseManager = new StatusResponseManager();
 }
 }
 }
 return statusResponseManager;
 }
-// Get supported ProtocolList.
+// Get supported protocols.
-abstract ProtocolList getSuportedProtocolList();
+abstract List<ProtocolVersion> getSupportedProtocolVersions();
-// Get default ProtocolList for server mode.
+// Get default protocols for server mode.
-abstract ProtocolList getServerDefaultProtocolList();
+abstract List<ProtocolVersion> getServerDefaultProtocolVersions();
-// Get default ProtocolList for client mode.
+// Get default protocols for client mode.
-abstract ProtocolList getClientDefaultProtocolList();
+abstract List<ProtocolVersion> getClientDefaultProtocolVersions();
-// Get supported CipherSuiteList.
+// Get supported CipherSuite list.
-abstract CipherSuiteList getSupportedCipherSuiteList();
+abstract List<CipherSuite> getSupportedCipherSuites();
-// Get default CipherSuiteList for server mode.
+// Get default CipherSuite list for server mode.
-abstract CipherSuiteList getServerDefaultCipherSuiteList();
+abstract List<CipherSuite> getServerDefaultCipherSuites();
-// Get default CipherSuiteList for client mode.
+// Get default CipherSuite list for client mode.
-abstract CipherSuiteList getClientDefaultCipherSuiteList();
+abstract List<CipherSuite> getClientDefaultCipherSuites();
-// Get default ProtocolList.
+// Is the context for DTLS protocols?
-ProtocolList getDefaultProtocolList(boolean roleIsServer) {
+abstract boolean isDTLS();
-return roleIsServer ? getServerDefaultProtocolList()
-: getClientDefaultProtocolList();
+// Get default protocols.
-}
+List<ProtocolVersion> getDefaultProtocolVersions(boolean roleIsServer) {
+return roleIsServer ? getServerDefaultProtocolVersions()
-// Get default CipherSuiteList.
+: getClientDefaultProtocolVersions();
-CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) {
+}
-return roleIsServer ? getServerDefaultCipherSuiteList()
-: getClientDefaultCipherSuiteList();
+// Get default CipherSuite list.
+List<CipherSuite> getDefaultCipherSuites(boolean roleIsServer) {
+return roleIsServer ? getServerDefaultCipherSuites()
+: getClientDefaultCipherSuites();
 }
 /**
 * Return whether a protocol list is the original default enabled
 * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()
 */
-boolean isDefaultProtocolList(ProtocolList protocols) {
+boolean isDefaultProtocolVesions(List<ProtocolVersion> protocols) {
-return (protocols == getServerDefaultProtocolList()) ||
+return (protocols == getServerDefaultProtocolVersions()) ||
-(protocols == getClientDefaultProtocolList());
+(protocols == getClientDefaultProtocolVersions());
 }
 /**
 * Return whether a protocol list is the original default enabled
 * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()
 */
-boolean isDefaultCipherSuiteList(CipherSuiteList cipherSuites) {
+boolean isDefaultCipherSuiteList(List<CipherSuite> cipherSuites) {
-return (cipherSuites == getServerDefaultCipherSuiteList()) ||
+return (cipherSuites == getServerDefaultCipherSuites()) ||
-(cipherSuites == getClientDefaultCipherSuiteList());
+(cipherSuites == getClientDefaultCipherSuites());
 }
 /**
 * Return whether client or server side stapling has been enabled
 * for this SSLContextImpl
 */
 boolean isStaplingEnabled(boolean isClient) {
 return isClient ? clientEnableStapling : serverEnableStapling;
 }
 /*
 * Return the list of all available CipherSuites that are supported
 * using currently installed providers.
 */
-private static CipherSuiteList getApplicableSupportedCipherSuiteList(
+private static List<CipherSuite> getApplicableSupportedCipherSuites(
-ProtocolList protocols) {
+List<ProtocolVersion> protocols) {
-return getApplicableCipherSuiteList(
+return getApplicableCipherSuites(
-CipherSuite.allowedCipherSuites(),
+CipherSuite.allowedCipherSuites(), protocols);
-protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY);
 }
 /*
 * Return the list of all available CipherSuites that are default enabled
 * in client or server side.
 */
-private static CipherSuiteList getApplicableEnabledCipherSuiteList(
+private static List<CipherSuite> getApplicableEnabledCipherSuites(
-ProtocolList protocols, boolean isClient) {
+List<ProtocolVersion> protocols, boolean isClient) {
 if (isClient) {
 if (!clientCustomizedCipherSuites.isEmpty()) {
-return getApplicableCipherSuiteList(
+return getApplicableCipherSuites(
-clientCustomizedCipherSuites,
+clientCustomizedCipherSuites, protocols);
-protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY);
 }
 } else {
 if (!serverCustomizedCipherSuites.isEmpty()) {
-return getApplicableCipherSuiteList(
+return getApplicableCipherSuites(
-serverCustomizedCipherSuites,
+serverCustomizedCipherSuites, protocols);
-protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY);
+}
 }
-}
+return getApplicableCipherSuites(
-return getApplicableCipherSuiteList(
+CipherSuite.defaultCipherSuites(), protocols);
-CipherSuite.allowedCipherSuites(),
-protocols, CipherSuite.DEFAULT_SUITES_PRIORITY);
 }
 /*
 * Return the list of available CipherSuites which are applicable to
 * the specified protocols.
 */
-private static CipherSuiteList getApplicableCipherSuiteList(
+private static List<CipherSuite> getApplicableCipherSuites(
 Collection<CipherSuite> allowedCipherSuites,
-ProtocolList protocols, int minPriority) {
+List<ProtocolVersion> protocols) {
 TreeSet<CipherSuite> suites = new TreeSet<>();
-if (!(protocols.collection().isEmpty()) &&
+if (protocols != null && (!protocols.isEmpty())) {
-protocols.min.v != ProtocolVersion.NONE.v) {
 for (CipherSuite suite : allowedCipherSuites) {
-if (!suite.allowed || suite.priority < minPriority) {
+if (!suite.isAvailable()) {
 continue;
 }
-if (suite.isAvailable() &&
+boolean isSupported = false;
-!protocols.min.obsoletes(suite) &&
+for (ProtocolVersion protocol : protocols) {
-protocols.max.supports(suite)) {
+if (!suite.supports(protocol)) {
+continue;
+}
 if (SSLAlgorithmConstraints.DEFAULT.permits(
 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
 suite.name, null)) {
 suites.add(suite);
-} else {
+isSupported = true;
-if (debug != null && Debug.isOn("sslctx") &&
+} else if (SSLLogger.isOn &&
-Debug.isOn("verbose")) {
+SSLLogger.isOn("ssl,sslctx,verbose")) {
-System.out.println(
+SSLLogger.fine(
-"Ignoring disabled cipher suite: " +
+"Ignore disabled cipher suite: " + suite.name);
-suite.name);
-}
 }
-} else if (debug != null &&
-Debug.isOn("sslctx") && Debug.isOn("verbose")) {
+break;
-if (protocols.min.obsoletes(suite)) {
+}
-System.out.println(
-"Ignoring obsoleted cipher suite: " + suite);
+if (!isSupported && SSLLogger.isOn &&
-} else if (!protocols.max.supports(suite)) {
+SSLLogger.isOn("ssl,sslctx,verbose")) {
-System.out.println(
+SSLLogger.finest(
-"Ignoring unsupported cipher suite: " + suite);
+"Ignore unsupported cipher suite: " + suite);
-} else {
+}
-System.out.println(
+}
-"Ignoring unavailable cipher suite: " + suite);
+}
-}
-}
+return new ArrayList<>(suites);
-}
-}
-return new CipherSuiteList(suites);
 }
 /*
 * Get the customized cipher suites specified by the given system property.
 */
 private static Collection<CipherSuite> getCustomizedCipherSuites(
 String propertyName) {
 String property = GetPropertyAction.privilegedGetProperty(propertyName);
-if (debug != null && Debug.isOn("sslctx")) {
+if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
-System.out.println(
+SSLLogger.fine(
 "System property " + propertyName + " is set to '" +
 property + "'");
 }
 if (property != null && property.length() != 0) {
 // remove double quote marks from beginning/end of the property
 continue;
 }
 CipherSuite suite;
 try {
-suite = CipherSuite.valueOf(cipherSuiteNames[i]);
+suite = CipherSuite.nameOf(cipherSuiteNames[i]);
 } catch (IllegalArgumentException iae) {
-if (debug != null && Debug.isOn("sslctx")) {
+if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
-System.out.println(
+SSLLogger.fine(
 "Unknown or unsupported cipher suite name: " +
 cipherSuiteNames[i]);
 }
 continue;
 }
-if (suite.isAvailable()) {
+if (suite != null && suite.isAvailable()) {
 cipherSuites.add(suite);
 } else {
-if (debug != null && Debug.isOn("sslctx")) {
+if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
-System.out.println(
+SSLLogger.fine(
 "The current installed providers do not " +
 "support cipher suite: " + cipherSuiteNames[i]);
 }
 }
 }
 return Collections.emptyList();
 }
-private static String[] getAvailableProtocols(
+private static List<ProtocolVersion> getAvailableProtocols(
 ProtocolVersion[] protocolCandidates) {
-List<String> availableProtocols = Collections.<String>emptyList();
+List<ProtocolVersion> availableProtocols =
-if (protocolCandidates !=  null && protocolCandidates.length != 0) {
+Collections.<ProtocolVersion>emptyList();
+if (protocolCandidates != null && protocolCandidates.length != 0) {
 availableProtocols = new ArrayList<>(protocolCandidates.length);
 for (ProtocolVersion p : protocolCandidates) {
-if (ProtocolVersion.availableProtocols.contains(p)) {
+if (p.isAvailable) {
-availableProtocols.add(p.name);
+availableProtocols.add(p);
 }
 }
 }
-return availableProtocols.toArray(new String[0]);
+return availableProtocols;
 }
 /*
 * The SSLContext implementation for SSL/(D)TLS algorithm
 *
 * SSL/TLS protocols specify the forward compatibility and version
 * SSL/TLS parameters.
 *
 * @see SSLContext
 */
 private abstract static class AbstractTLSContext extends SSLContextImpl {
-private static final ProtocolList supportedProtocolList;
+private static final List<ProtocolVersion> supportedProtocols;
-private static final ProtocolList serverDefaultProtocolList;
+private static final List<ProtocolVersion> serverDefaultProtocols;
-private static final CipherSuiteList supportedCipherSuiteList;
+private static final List<CipherSuite> supportedCipherSuites;
-private static final CipherSuiteList serverDefaultCipherSuiteList;
+private static final List<CipherSuite> serverDefaultCipherSuites;
 static {
 if (SunJSSE.isFIPS()) {
-supportedProtocolList = new ProtocolList(new String[] {
+supportedProtocols = Arrays.asList(
-ProtocolVersion.TLS10.name,
+ProtocolVersion.TLS13,
-ProtocolVersion.TLS11.name,
+ProtocolVersion.TLS12,
-ProtocolVersion.TLS12.name
+ProtocolVersion.TLS11,
+ProtocolVersion.TLS10
+);
+serverDefaultProtocols = getAvailableProtocols(
+new ProtocolVersion[] {
+ProtocolVersion.TLS13,
+ProtocolVersion.TLS12,
+ProtocolVersion.TLS11,
+ProtocolVersion.TLS10
 });
+} else {
-serverDefaultProtocolList = new ProtocolList(
+supportedProtocols = Arrays.asList(
-getAvailableProtocols(new ProtocolVersion[] {
+ProtocolVersion.TLS13,
+ProtocolVersion.TLS12,
+ProtocolVersion.TLS11,
 ProtocolVersion.TLS10,
+ProtocolVersion.SSL30,
+ProtocolVersion.SSL20Hello
+);
+serverDefaultProtocols = getAvailableProtocols(
+new ProtocolVersion[] {
+ProtocolVersion.TLS13,
+ProtocolVersion.TLS12,
 ProtocolVersion.TLS11,
-ProtocolVersion.TLS12
+ProtocolVersion.TLS10,
-}));
+ProtocolVersion.SSL30,
+ProtocolVersion.SSL20Hello
+});
+}
+supportedCipherSuites = getApplicableSupportedCipherSuites(
+supportedProtocols);
+serverDefaultCipherSuites = getApplicableEnabledCipherSuites(
+serverDefaultProtocols, false);
+}
+@Override
+List<ProtocolVersion> getSupportedProtocolVersions() {
+return supportedProtocols;
+}
+@Override
+List<CipherSuite> getSupportedCipherSuites() {
+return supportedCipherSuites;
+}
+@Override
+List<ProtocolVersion> getServerDefaultProtocolVersions() {
+return serverDefaultProtocols;
+}
+@Override
+List<CipherSuite> getServerDefaultCipherSuites() {
+return serverDefaultCipherSuites;
+}
+@Override
+SSLEngine createSSLEngineImpl() {
+return new SSLEngineImpl(this);
+}
+@Override
+SSLEngine createSSLEngineImpl(String host, int port) {
+return new SSLEngineImpl(this, host, port);
+}
+@Override
+boolean isDTLS() {
+return false;
+}
+static ProtocolVersion[] getSupportedProtocols() {
+if (SunJSSE.isFIPS()) {
+return new ProtocolVersion[] {
+ProtocolVersion.TLS13,
+ProtocolVersion.TLS12,
+ProtocolVersion.TLS11,
+ProtocolVersion.TLS10
+};
 } else {
-supportedProtocolList = new ProtocolList(new String[] {
+return new ProtocolVersion[]{
-ProtocolVersion.SSL20Hello.name,
+ProtocolVersion.TLS13,
-ProtocolVersion.SSL30.name,
+ProtocolVersion.TLS12,
-ProtocolVersion.TLS10.name,
+ProtocolVersion.TLS11,
-ProtocolVersion.TLS11.name,
+ProtocolVersion.TLS10,
-ProtocolVersion.TLS12.name
+ProtocolVersion.SSL30,
-});
+ProtocolVersion.SSL20Hello
+};
-serverDefaultProtocolList = new ProtocolList(
+}
-getAvailableProtocols(new ProtocolVersion[] {
-ProtocolVersion.SSL20Hello,
-ProtocolVersion.SSL30,
-ProtocolVersion.TLS10,
-ProtocolVersion.TLS11,
-ProtocolVersion.TLS12
-}));
-}
-supportedCipherSuiteList = getApplicableSupportedCipherSuiteList(
-supportedProtocolList);
-serverDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
-serverDefaultProtocolList, false);
-}
-@Override
-ProtocolList getSuportedProtocolList() {
-return supportedProtocolList;
-}
-@Override
-CipherSuiteList getSupportedCipherSuiteList() {
-return supportedCipherSuiteList;
-}
-@Override
-ProtocolList getServerDefaultProtocolList() {
-return serverDefaultProtocolList;
-}
-@Override
-CipherSuiteList getServerDefaultCipherSuiteList() {
-return serverDefaultCipherSuiteList;
-}
-@Override
-SSLEngine createSSLEngineImpl() {
-return new SSLEngineImpl(this, false);
-}
-@Override
-SSLEngine createSSLEngineImpl(String host, int port) {
-return new SSLEngineImpl(this, host, port, false);
 }
 }
 /*
 * The SSLContext implementation for SSLv3 and TLS10 algorithm
 *
 * @see SSLContext
 */
 public static final class TLS10Context extends AbstractTLSContext {
-private static final ProtocolList clientDefaultProtocolList;
+private static final List<ProtocolVersion> clientDefaultProtocols;
-private static final CipherSuiteList clientDefaultCipherSuiteList;
+private static final List<CipherSuite> clientDefaultCipherSuites;
 static {
 if (SunJSSE.isFIPS()) {
-clientDefaultProtocolList = new ProtocolList(
+clientDefaultProtocols = getAvailableProtocols(
-getAvailableProtocols(new ProtocolVersion[] {
+new ProtocolVersion[] {
 ProtocolVersion.TLS10
-}));
+});
 } else {
-clientDefaultProtocolList = new ProtocolList(
+clientDefaultProtocols = getAvailableProtocols(
-getAvailableProtocols(new ProtocolVersion[] {
+new ProtocolVersion[] {
-ProtocolVersion.SSL30,
+ProtocolVersion.TLS10,
-ProtocolVersion.TLS10
+ProtocolVersion.SSL30
-}));
+});
 }
-clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
+clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
-clientDefaultProtocolList, true);
+clientDefaultProtocols, true);
 }
 @Override
-ProtocolList getClientDefaultProtocolList() {
+List<ProtocolVersion> getClientDefaultProtocolVersions() {
-return clientDefaultProtocolList;
+return clientDefaultProtocols;
 }
 @Override
-CipherSuiteList getClientDefaultCipherSuiteList() {
+List<CipherSuite> getClientDefaultCipherSuites() {
-return clientDefaultCipherSuiteList;
+return clientDefaultCipherSuites;
 }
 }
 /*
 * The SSLContext implementation for TLS11 algorithm
 *
 * @see SSLContext
 */
 public static final class TLS11Context extends AbstractTLSContext {
-private static final ProtocolList clientDefaultProtocolList;
+private static final List<ProtocolVersion> clientDefaultProtocols;
-private static final CipherSuiteList clientDefaultCipherSuiteList;
+private static final List<CipherSuite> clientDefaultCipherSuites;
 static {
 if (SunJSSE.isFIPS()) {
-clientDefaultProtocolList = new ProtocolList(
+clientDefaultProtocols = getAvailableProtocols(
-getAvailableProtocols(new ProtocolVersion[] {
+new ProtocolVersion[] {
+ProtocolVersion.TLS11,
+ProtocolVersion.TLS10
+});
+} else {
+clientDefaultProtocols = getAvailableProtocols(
+new ProtocolVersion[] {
+ProtocolVersion.TLS11,
 ProtocolVersion.TLS10,
-ProtocolVersion.TLS11
+ProtocolVersion.SSL30
-}));
+});
-} else {
+}
-clientDefaultProtocolList = new ProtocolList(
-getAvailableProtocols(new ProtocolVersion[] {
+clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
-ProtocolVersion.SSL30,
+clientDefaultProtocols, true);
-ProtocolVersion.TLS10,
-ProtocolVersion.TLS11
+}
-}));
-}
+@Override
+List<ProtocolVersion> getClientDefaultProtocolVersions() {
-clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
+return clientDefaultProtocols;
-clientDefaultProtocolList, true);
+}
-}
+@Override
+List<CipherSuite> getClientDefaultCipherSuites() {
-@Override
+return clientDefaultCipherSuites;
-ProtocolList getClientDefaultProtocolList() {
-return clientDefaultProtocolList;
-}
-@Override
-CipherSuiteList getClientDefaultCipherSuiteList() {
-return clientDefaultCipherSuiteList;
 }
 }
 /*
 * The SSLContext implementation for TLS12 algorithm
 *
 * @see SSLContext
 */
 public static final class TLS12Context extends AbstractTLSContext {
-private static final ProtocolList clientDefaultProtocolList;
+private static final List<ProtocolVersion> clientDefaultProtocols;
-private static final CipherSuiteList clientDefaultCipherSuiteList;
+private static final List<CipherSuite> clientDefaultCipherSuites;
 static {
 if (SunJSSE.isFIPS()) {
-clientDefaultProtocolList = new ProtocolList(
+clientDefaultProtocols = getAvailableProtocols(
-getAvailableProtocols(new ProtocolVersion[] {
+new ProtocolVersion[] {
+ProtocolVersion.TLS12,
+ProtocolVersion.TLS11,
+ProtocolVersion.TLS10
+});
+} else {
+clientDefaultProtocols = getAvailableProtocols(
+new ProtocolVersion[] {
+ProtocolVersion.TLS12,
+ProtocolVersion.TLS11,
 ProtocolVersion.TLS10,
+ProtocolVersion.SSL30
+});
+}
+clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
+clientDefaultProtocols, true);
+}
+@Override
+List<ProtocolVersion> getClientDefaultProtocolVersions() {
+return clientDefaultProtocols;
+}
+@Override
+List<CipherSuite> getClientDefaultCipherSuites() {
+return clientDefaultCipherSuites;
+}
+}
+/*
+* The SSLContext implementation for TLS1.3 algorithm
+*
+* @see SSLContext
+*/
+public static final class TLS13Context extends AbstractTLSContext {
+private static final List<ProtocolVersion> clientDefaultProtocols;
+private static final List<CipherSuite> clientDefaultCipherSuites;
+static {
+if (SunJSSE.isFIPS()) {
+clientDefaultProtocols = getAvailableProtocols(
+new ProtocolVersion[] {
+ProtocolVersion.TLS13,
+ProtocolVersion.TLS12,
 ProtocolVersion.TLS11,
-ProtocolVersion.TLS12
+ProtocolVersion.TLS10
-}));
+});
 } else {
-clientDefaultProtocolList = new ProtocolList(
+clientDefaultProtocols = getAvailableProtocols(
-getAvailableProtocols(new ProtocolVersion[] {
+new ProtocolVersion[] {
-ProtocolVersion.SSL30,
+ProtocolVersion.TLS13,
+ProtocolVersion.TLS12,
+ProtocolVersion.TLS11,
 ProtocolVersion.TLS10,
-ProtocolVersion.TLS11,
+ProtocolVersion.SSL30
-ProtocolVersion.TLS12
+});
-}));
+}
-}
+clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
-clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
+clientDefaultProtocols, true);
-clientDefaultProtocolList, true);
+}
-}
+@Override
-@Override
+List<ProtocolVersion> getClientDefaultProtocolVersions() {
-ProtocolList getClientDefaultProtocolList() {
+return clientDefaultProtocols;
-return clientDefaultProtocolList;
+}
-}
+@Override
-@Override
+List<CipherSuite> getClientDefaultCipherSuites() {
-CipherSuiteList getClientDefaultCipherSuiteList() {
+return clientDefaultCipherSuites;
-return clientDefaultCipherSuiteList;
 }
 }
 /*
 * The interface for the customized SSL/(D)TLS SSLContext.
 *
 * @see SSLContext
 */
 private static class CustomizedSSLProtocols {
-private static final String PROPERTY_NAME = "jdk.tls.client.protocols";
+private static final String JDK_TLS_CLIENT_PROTOCOLS =
+"jdk.tls.client.protocols";
+private static final String JDK_TLS_SERVER_PROTOCOLS =
+"jdk.tls.server.protocols";
 static IllegalArgumentException reservedException = null;
-static ArrayList<ProtocolVersion>
+static final ArrayList<ProtocolVersion> customizedClientProtocols =
-customizedProtocols = new ArrayList<>();
+new ArrayList<>();
+static final ArrayList<ProtocolVersion> customizedServerProtocols =
+new ArrayList<>();
 // Don't want a java.lang.LinkageError for illegal system property.
 //
 // Please don't throw exception in this static block.  Otherwise,
 // java.lang.LinkageError may be thrown during the instantiation of
 // the provider service. Instead, please handle the initialization
 // exception in the caller's constructor.
 static {
-String property = GetPropertyAction
+populate(JDK_TLS_CLIENT_PROTOCOLS, customizedClientProtocols);
-.privilegedGetProperty(PROPERTY_NAME);
+populate(JDK_TLS_SERVER_PROTOCOLS, customizedServerProtocols);
-if (property != null && property.length() != 0) {
+}
+private static void populate(String propname,
+ArrayList<ProtocolVersion> arrayList) {
+String property = GetPropertyAction.privilegedGetProperty(propname);
+if (property == null) {
+return;
+}
+if (property.length() != 0) {
 // remove double quote marks from beginning/end of the property
 if (property.length() > 1 && property.charAt(0) == '"' &&
 property.charAt(property.length() - 1) == '"') {
 property = property.substring(1, property.length() - 1);
 }
 }
-if (property != null && property.length() != 0) {
+if (property.length() != 0) {
 String[] protocols = property.split(",");
 for (int i = 0; i < protocols.length; i++) {
 protocols[i] = protocols[i].trim();
 // Is it a supported protocol name?
-try {
+ProtocolVersion pv =
-ProtocolVersion pro =
+ProtocolVersion.nameOf(protocols[i]);
-ProtocolVersion.valueOf(protocols[i]);
+if (pv == null) {
-if (SunJSSE.isFIPS() &&
-((pro.v == ProtocolVersion.SSL30.v) ||
-(pro.v == ProtocolVersion.SSL20Hello.v))) {
-reservedException = new IllegalArgumentException(
-PROPERTY_NAME + ": " + pro +
-" is not FIPS compliant");
-break;
-}
-// ignore duplicated protocols
-if (!customizedProtocols.contains(pro)) {
-customizedProtocols.add(pro);
-}
-} catch (IllegalArgumentException iae) {
 reservedException = new IllegalArgumentException(
-PROPERTY_NAME + ": " + protocols[i] +
+propname + ": " + protocols[i] +
-" is not a standard SSL protocol name", iae);
+" is not a supported SSL protocol name");
 }
+if (SunJSSE.isFIPS() &&
+((pv == ProtocolVersion.SSL30) ||
+(pv == ProtocolVersion.SSL20Hello))) {
+reservedException = new IllegalArgumentException(
+propname + ": " + pv +
+" is not FIPS compliant");
+break;
+}
+// ignore duplicated protocols
+if (!arrayList.contains(pv)) {
+arrayList.add(pv);
+}
 }
 }
 }
 }
 *
 * @see SSLContext
 */
 private static class CustomizedTLSContext extends AbstractTLSContext {
-private static final ProtocolList clientDefaultProtocolList;
+private static final List<ProtocolVersion> clientDefaultProtocols;
-private static final CipherSuiteList clientDefaultCipherSuiteList;
+private static final List<ProtocolVersion> serverDefaultProtocols;
+private static final List<CipherSuite> clientDefaultCipherSuites;
-private static IllegalArgumentException reservedException = null;
+private static final List<CipherSuite> serverDefaultCipherSuites;
+private static final IllegalArgumentException reservedException;
 // Don't want a java.lang.LinkageError for illegal system property.
 //
 // Please don't throw exception in this static block.  Otherwise,
 // java.lang.LinkageError may be thrown during the instantiation of
 // the provider service. Instead, let's handle the initialization
 // exception in constructor.
 static {
 reservedException = CustomizedSSLProtocols.reservedException;
 if (reservedException == null) {
-ArrayList<ProtocolVersion>
+clientDefaultProtocols = customizedProtocols(true,
-customizedTLSProtocols = new ArrayList<>();
+CustomizedSSLProtocols.customizedClientProtocols);
-for (ProtocolVersion protocol :
+serverDefaultProtocols = customizedProtocols(false,
-CustomizedSSLProtocols.customizedProtocols) {
+CustomizedSSLProtocols.customizedServerProtocols);
-if (!protocol.isDTLSProtocol()) {
-customizedTLSProtocols.add(protocol);
+clientDefaultCipherSuites =
-}
+getApplicableEnabledCipherSuites(
-}
+clientDefaultProtocols, true);
+serverDefaultCipherSuites =
-// candidates for available protocols
+getApplicableEnabledCipherSuites(
-ProtocolVersion[] candidates;
+serverDefaultProtocols, false);
-if (customizedTLSProtocols.isEmpty()) {
-// Use the default enabled client protocols if no
+} else {
-// customized TLS protocols.
+// unlikely to be used
-if (SunJSSE.isFIPS()) {
+clientDefaultProtocols = null;
-candidates = new ProtocolVersion[] {
+serverDefaultProtocols = null;
-ProtocolVersion.TLS10,
+clientDefaultCipherSuites = null;
-ProtocolVersion.TLS11,
+serverDefaultCipherSuites = null;
-ProtocolVersion.TLS12
+}
-};
+}
-} else {
-candidates = new ProtocolVersion[] {
+private static List<ProtocolVersion> customizedProtocols(
-ProtocolVersion.SSL30,
+boolean client, List<ProtocolVersion> customized) {
-ProtocolVersion.TLS10,
+List<ProtocolVersion> refactored = new ArrayList<>();
-ProtocolVersion.TLS11,
+for (ProtocolVersion pv : customized) {
-ProtocolVersion.TLS12
+if (!pv.isDTLS) {
-};
+refactored.add(pv);
 }
+}
+// Use the default enabled protocols if no customization
+ProtocolVersion[] candidates;
+if (refactored.isEmpty()) {
+if (client) {
+candidates = getProtocols();
 } else {
-// Use the customized TLS protocols.
+candidates = getSupportedProtocols();
-candidates =
+}
-new ProtocolVersion[customizedTLSProtocols.size()];
-candidates = customizedTLSProtocols.toArray(candidates);
-}
-clientDefaultProtocolList = new ProtocolList(
-getAvailableProtocols(candidates));
-clientDefaultCipherSuiteList =
-getApplicableEnabledCipherSuiteList(
-clientDefaultProtocolList, true);
 } else {
-clientDefaultProtocolList = null;       // unlikely to be used
+// Use the customized TLS protocols.
-clientDefaultCipherSuiteList = null;    // unlikely to be used
+candidates =
+refactored.toArray(new ProtocolVersion[refactored.size()]);
+}
+return getAvailableProtocols(candidates);
+}
+static ProtocolVersion[] getProtocols() {
+if (SunJSSE.isFIPS()) {
+return new ProtocolVersion[]{
+ProtocolVersion.TLS13,
+ProtocolVersion.TLS12,
+ProtocolVersion.TLS11,
+ProtocolVersion.TLS10
+};
+} else {
+return new ProtocolVersion[]{
+ProtocolVersion.TLS13,
+ProtocolVersion.TLS12,
+ProtocolVersion.TLS11,
+ProtocolVersion.TLS10,
+ProtocolVersion.SSL30
+};
 }
 }
 protected CustomizedTLSContext() {
 if (reservedException != null) {
 throw reservedException;
 }
 }
 @Override
-ProtocolList getClientDefaultProtocolList() {
+List<ProtocolVersion> getClientDefaultProtocolVersions() {
-return clientDefaultProtocolList;
+return clientDefaultProtocols;
 }
 @Override
-CipherSuiteList getClientDefaultCipherSuiteList() {
+List<ProtocolVersion> getServerDefaultProtocolVersions() {
-return clientDefaultCipherSuiteList;
+return serverDefaultProtocols;
 }
+@Override
+List<CipherSuite> getClientDefaultCipherSuites() {
+return clientDefaultCipherSuites;
+}
+@Override
+List<CipherSuite> getServerDefaultCipherSuites() {
+return serverDefaultCipherSuites;
+}
 }
 /*
 * The SSLContext implementation for default "TLS" algorithm
 *
 private static final String P11KEYSTORE = "PKCS11";
 private static final TrustManager[] trustManagers;
 private static final KeyManager[] keyManagers;
-static Exception reservedException = null;
+private static final Exception reservedException;
 static {
+Exception reserved = null;
 TrustManager[] tmMediator;
 try {
 tmMediator = getTrustManagers();
 } catch (Exception e) {
-reservedException = e;
+reserved = e;
 tmMediator = new TrustManager[0];
 }
 trustManagers = tmMediator;
-if (reservedException == null) {
+if (reserved == null) {
 KeyManager[] kmMediator;
 try {
 kmMediator = getKeyManagers();
 } catch (Exception e) {
-reservedException = e;
+reserved = e;
 kmMediator = new KeyManager[0];
 }
 keyManagers = kmMediator;
 } else {
 keyManagers = new KeyManager[0];
 }
+reservedException = reserved;
 }
 private static TrustManager[] getTrustManagers() throws Exception {
 TrustManagerFactory tmf = TrustManagerFactory.getInstance(
 TrustManagerFactory.getDefaultAlgorithm());
 });
 final String defaultKeyStore = props.get("keyStore");
 String defaultKeyStoreType = props.get("keyStoreType");
 String defaultKeyStoreProvider = props.get("keyStoreProvider");
-if (debug != null && Debug.isOn("defaultctx")) {
+if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
-System.out.println("keyStore is : " + defaultKeyStore);
+SSLLogger.fine("keyStore is : " + defaultKeyStore);
-System.out.println("keyStore type is : " +
+SSLLogger.fine("keyStore type is : " +
 defaultKeyStoreType);
-System.out.println("keyStore provider is : " +
+SSLLogger.fine("keyStore provider is : " +
 defaultKeyStoreProvider);
 }
 if (P11KEYSTORE.equals(defaultKeyStoreType) &&
 !NONE.equals(defaultKeyStore)) {
 /**
 * Try to initialize key store.
 */
 if ((defaultKeyStoreType.length()) != 0) {
-if (debug != null && Debug.isOn("defaultctx")) {
+if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
-System.out.println("init keystore");
+SSLLogger.finest("init keystore");
 }
 if (defaultKeyStoreProvider.length() == 0) {
 ks = KeyStore.getInstance(defaultKeyStoreType);
 } else {
 ks = KeyStore.getInstance(defaultKeyStoreType,
 }
 /*
 * Try to initialize key manager.
 */
-if (debug != null && Debug.isOn("defaultctx")) {
+if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
-System.out.println("init keymanager of type " +
+SSLLogger.fine("init keymanager of type " +
 KeyManagerFactory.getDefaultAlgorithm());
 }
 KeyManagerFactory kmf = KeyManagerFactory.getInstance(
 KeyManagerFactory.getDefaultAlgorithm());
 try {
 super.engineInit(DefaultManagersHolder.keyManagers,
 DefaultManagersHolder.trustManagers, null);
 } catch (Exception e) {
-if (debug != null && Debug.isOn("defaultctx")) {
+if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
-System.out.println("default context init failed: " + e);
+SSLLogger.fine("default context init failed: ", e);
 }
 throw e;
 }
 }
 * parameters.
 *
 * @see SSLContext
 */
 private abstract static class AbstractDTLSContext extends SSLContextImpl {
-private static final ProtocolList supportedProtocolList;
+private static final List<ProtocolVersion> supportedProtocols;
-private static final ProtocolList serverDefaultProtocolList;
+private static final List<ProtocolVersion> serverDefaultProtocols;
-private static final CipherSuiteList supportedCipherSuiteList;
+private static final List<CipherSuite> supportedCipherSuites;
-private static final CipherSuiteList serverDefaultCipherSuiteList;
+private static final List<CipherSuite> serverDefaultCipherSuites;
 static {
 // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode.
-supportedProtocolList = new ProtocolList(new String[] {
+supportedProtocols = Arrays.asList(
-ProtocolVersion.DTLS10.name,
+ProtocolVersion.DTLS12,
-ProtocolVersion.DTLS12.name
+ProtocolVersion.DTLS10
+);
+// available protocols for server mode
+serverDefaultProtocols = getAvailableProtocols(
+new ProtocolVersion[] {
+ProtocolVersion.DTLS12,
+ProtocolVersion.DTLS10
 });
-// available protocols for server mode
+supportedCipherSuites = getApplicableSupportedCipherSuites(
-serverDefaultProtocolList = new ProtocolList(
+supportedProtocols);
-getAvailableProtocols(new ProtocolVersion[] {
+serverDefaultCipherSuites = getApplicableEnabledCipherSuites(
-ProtocolVersion.DTLS10,
+serverDefaultProtocols, false);
-ProtocolVersion.DTLS12
+}
-}));
+@Override
-supportedCipherSuiteList = getApplicableSupportedCipherSuiteList(
+List<ProtocolVersion> getSupportedProtocolVersions() {
-supportedProtocolList);
+return supportedProtocols;
-serverDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
+}
-serverDefaultProtocolList, false);
-}
+@Override
+List<CipherSuite> getSupportedCipherSuites() {
-@Override
+return supportedCipherSuites;
-ProtocolList getSuportedProtocolList() {
+}
-return supportedProtocolList;
-}
+@Override
+List<ProtocolVersion> getServerDefaultProtocolVersions() {
-@Override
+return serverDefaultProtocols;
-CipherSuiteList getSupportedCipherSuiteList() {
+}
-return supportedCipherSuiteList;
-}
+@Override
+List<CipherSuite> getServerDefaultCipherSuites() {
-@Override
+return serverDefaultCipherSuites;
-ProtocolList getServerDefaultProtocolList() {
-return serverDefaultProtocolList;
-}
-@Override
-CipherSuiteList getServerDefaultCipherSuiteList() {
-return serverDefaultCipherSuiteList;
 }
 @Override
 SSLEngine createSSLEngineImpl() {
-return new SSLEngineImpl(this, true);
+return new SSLEngineImpl(this);
 }
 @Override
 SSLEngine createSSLEngineImpl(String host, int port) {
-return new SSLEngineImpl(this, host, port, true);
+return new SSLEngineImpl(this, host, port);
 }
 @Override
-HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) {
+boolean isDTLS() {
-return new HelloCookieManager(secureRandom);
+return true;
 }
 }
 /*
 * The SSLContext implementation for DTLSv1.0 algorithm.
 *
 * @see SSLContext
 */
 public static final class DTLS10Context extends AbstractDTLSContext {
-private static final ProtocolList clientDefaultProtocolList;
+private static final List<ProtocolVersion> clientDefaultProtocols;
-private static final CipherSuiteList clientDefaultCipherSuiteList;
+private static final List<CipherSuite> clientDefaultCipherSuites;
 static {
 // available protocols for client mode
-clientDefaultProtocolList = new ProtocolList(
+clientDefaultProtocols = getAvailableProtocols(
-getAvailableProtocols(new ProtocolVersion[] {
+new ProtocolVersion[] {
 ProtocolVersion.DTLS10
-}));
+});
-clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
+clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
-clientDefaultProtocolList, true);
+clientDefaultProtocols, true);
 }
 @Override
-ProtocolList getClientDefaultProtocolList() {
+List<ProtocolVersion> getClientDefaultProtocolVersions() {
-return clientDefaultProtocolList;
+return clientDefaultProtocols;
 }
 @Override
-CipherSuiteList getClientDefaultCipherSuiteList() {
+List<CipherSuite> getClientDefaultCipherSuites() {
-return clientDefaultCipherSuiteList;
+return clientDefaultCipherSuites;
 }
 }
 /*
 * The SSLContext implementation for DTLSv1.2 algorithm.
 *
 * @see SSLContext
 */
 public static final class DTLS12Context extends AbstractDTLSContext {
-private static final ProtocolList clientDefaultProtocolList;
+private static final List<ProtocolVersion> clientDefaultProtocols;
-private static final CipherSuiteList clientDefaultCipherSuiteList;
+private static final List<CipherSuite> clientDefaultCipherSuites;
 static {
 // available protocols for client mode
-clientDefaultProtocolList = new ProtocolList(
+clientDefaultProtocols = getAvailableProtocols(
-getAvailableProtocols(new ProtocolVersion[] {
+new ProtocolVersion[] {
-ProtocolVersion.DTLS10,
+ProtocolVersion.DTLS12,
-ProtocolVersion.DTLS12
+ProtocolVersion.DTLS10
-}));
+});
-clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
+clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
-clientDefaultProtocolList, true);
+clientDefaultProtocols, true);
 }
 @Override
-ProtocolList getClientDefaultProtocolList() {
+List<ProtocolVersion> getClientDefaultProtocolVersions() {
-return clientDefaultProtocolList;
+return clientDefaultProtocols;
 }
 @Override
-CipherSuiteList getClientDefaultCipherSuiteList() {
+List<CipherSuite> getClientDefaultCipherSuites() {
-return clientDefaultCipherSuiteList;
+return clientDefaultCipherSuites;
 }
 }
 /*
 * The SSLContext implementation for customized TLS protocols
 *
 * @see SSLContext
 */
 private static class CustomizedDTLSContext extends AbstractDTLSContext {
-private static final ProtocolList clientDefaultProtocolList;
+private static final List<ProtocolVersion> clientDefaultProtocols;
-private static final CipherSuiteList clientDefaultCipherSuiteList;
+private static final List<ProtocolVersion> serverDefaultProtocols;
+private static final List<CipherSuite> clientDefaultCipherSuites;
+private static final List<CipherSuite> serverDefaultCipherSuites;
 private static IllegalArgumentException reservedException = null;
 // Don't want a java.lang.LinkageError for illegal system property.
 //
 // the provider service. Instead, let's handle the initialization
 // exception in constructor.
 static {
 reservedException = CustomizedSSLProtocols.reservedException;
 if (reservedException == null) {
-ArrayList<ProtocolVersion>
+clientDefaultProtocols = customizedProtocols(true,
-customizedDTLSProtocols = new ArrayList<>();
+CustomizedSSLProtocols.customizedClientProtocols);
-for (ProtocolVersion protocol :
+serverDefaultProtocols = customizedProtocols(false,
-CustomizedSSLProtocols.customizedProtocols) {
+CustomizedSSLProtocols.customizedServerProtocols);
-if (protocol.isDTLSProtocol()) {
-customizedDTLSProtocols.add(protocol);
+clientDefaultCipherSuites =
-}
+getApplicableEnabledCipherSuites(
-}
+clientDefaultProtocols, true);
+serverDefaultCipherSuites =
-// candidates for available protocols
+getApplicableEnabledCipherSuites(
-ProtocolVersion[] candidates;
+serverDefaultProtocols, false);
-if (customizedDTLSProtocols.isEmpty()) {
-// Use the default enabled client protocols if no
-// customized TLS protocols.
-//
-// Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode.
-candidates = new ProtocolVersion[] {
-ProtocolVersion.DTLS10,
-ProtocolVersion.DTLS12
-};
-} else {
-// Use the customized TLS protocols.
-candidates =
-new ProtocolVersion[customizedDTLSProtocols.size()];
-candidates = customizedDTLSProtocols.toArray(candidates);
-}
-clientDefaultProtocolList = new ProtocolList(
-getAvailableProtocols(candidates));
-clientDefaultCipherSuiteList =
-getApplicableEnabledCipherSuiteList(
-clientDefaultProtocolList, true);
 } else {
-clientDefaultProtocolList = null;       // unlikely to be used
+// unlikely to be used
-clientDefaultCipherSuiteList = null;    // unlikely to be used
+clientDefaultProtocols = null;
-}
+serverDefaultProtocols = null;
+clientDefaultCipherSuites = null;
+serverDefaultCipherSuites = null;
+}
+}
+private static List<ProtocolVersion> customizedProtocols(boolean client,
+List<ProtocolVersion> customized) {
+List<ProtocolVersion> refactored = new ArrayList<>();
+for (ProtocolVersion pv : customized) {
+if (pv.isDTLS) {
+refactored.add(pv);
+}
+}
+ProtocolVersion[] candidates;
+// Use the default enabled protocols if no customization
+if (refactored.isEmpty()) {
+candidates = new ProtocolVersion[]{
+ProtocolVersion.DTLS12,
+ProtocolVersion.DTLS10
+};
+if (!client)
+return Arrays.asList(candidates);
+} else {
+// Use the customized TLS protocols.
+candidates =
+new ProtocolVersion[customized.size()];
+candidates = customized.toArray(candidates);
+}
+return getAvailableProtocols(candidates);
 }
 protected CustomizedDTLSContext() {
 if (reservedException != null) {
 throw reservedException;
 }
 }
 @Override
-ProtocolList getClientDefaultProtocolList() {
+List<ProtocolVersion> getClientDefaultProtocolVersions() {
-return clientDefaultProtocolList;
+return clientDefaultProtocols;
 }
 @Override
-CipherSuiteList getClientDefaultCipherSuiteList() {
+List<ProtocolVersion> getServerDefaultProtocolVersions() {
-return clientDefaultCipherSuiteList;
+return serverDefaultProtocols;
+}
+@Override
+List<CipherSuite> getClientDefaultCipherSuites() {
+return clientDefaultCipherSuites;
+}
+@Override
+List<CipherSuite> getServerDefaultCipherSuites() {
+return serverDefaultCipherSuites;
 }
 }
 /*
 * The SSLContext implementation for default "DTLS" algorithm
 public static final class DTLSContext extends CustomizedDTLSContext {
 // use the default constructor and methods
 }
 }
 final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
 implements X509TrustManager {
 // the delegated trust manager
 X509TrustManagerImpl.checkIdentity(
 hostname, chain[0], identityAlg);
 }
 // try the best to check the algorithm constraints
-ProtocolVersion protocolVersion =
+AlgorithmConstraints constraints;
-ProtocolVersion.valueOf(session.getProtocol());
+if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
-AlgorithmConstraints constraints = null;
-if (protocolVersion.useTLS12PlusSpec()) {
 if (session instanceof ExtendedSSLSession) {
 ExtendedSSLSession extSession =
 (ExtendedSSLSession)session;
 String[] peerSupportedSignAlgs =
 extSession.getLocalSupportedSignatureAlgorithms();
 X509TrustManagerImpl.checkIdentity(
 hostname, chain[0], identityAlg);
 }
 // try the best to check the algorithm constraints
-ProtocolVersion protocolVersion =
+AlgorithmConstraints constraints;
-ProtocolVersion.valueOf(session.getProtocol());
+if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
-AlgorithmConstraints constraints = null;
-if (protocolVersion.useTLS12PlusSpec()) {
 if (session instanceof ExtendedSSLSession) {
 ExtendedSSLSession extSession =
 (ExtendedSSLSession)session;
 String[] peerSupportedSignAlgs =
 extSession.getLocalSupportedSignatureAlgorithms();
 checkAlgorithmConstraints(chain, constraints, isClient);
 }
 }
 private void checkAlgorithmConstraints(X509Certificate[] chain,
-AlgorithmConstraints constraints, boolean isClient) throws CertificateException {
+AlgorithmConstraints constraints,
+boolean isClient) throws CertificateException {
 try {
 // Does the certificate chain end with a trusted certificate?
 int checkedLength = chain.length - 1;
 Collection<X509Certificate> trustedCerts = new HashSet<>();
 }
 // A forward checker, need to check from trust to target
 if (checkedLength >= 0) {
 AlgorithmChecker checker =
 new AlgorithmChecker(constraints, null,
-(isClient ? Validator.VAR_TLS_CLIENT : Validator.VAR_TLS_SERVER));
+(isClient ? Validator.VAR_TLS_CLIENT :
+Validator.VAR_TLS_SERVER));
 checker.init(false);
 for (int i = checkedLength; i >= 0; i--) {
-Certificate cert = chain[i];
+X509Certificate cert = chain[i];
 // We don't care about the unresolved critical extensions.
 checker.check(cert, Collections.<String>emptySet());
 }
 }
 } catch (CertPathValidatorException cpve) {

changeset 50768	68fa3d4026ea
parent 47216	71c04702a3d5
child 51771	1f805481d8de