240 |
242 |
241 EphemeralKeyManager getEphemeralKeyManager() { |
243 EphemeralKeyManager getEphemeralKeyManager() { |
242 return ephemeralKeyManager; |
244 return ephemeralKeyManager; |
243 } |
245 } |
244 |
246 |
245 // Used for DTLS in server mode only, see ServerHandshaker. |
247 // Used for DTLS in server mode only. |
246 HelloCookieManager getHelloCookieManager() { |
248 HelloCookieManager getHelloCookieManager(ProtocolVersion protocolVersion) { |
247 if (!isInitialized) { |
249 if (helloCookieManagerBuilder == null) { |
248 throw new IllegalStateException("SSLContext is not initialized"); |
250 synchronized (this) { |
249 } |
251 if (helloCookieManagerBuilder == null) { |
250 |
252 helloCookieManagerBuilder = |
251 if (helloCookieManager != null) { |
253 new HelloCookieManager.Builder(secureRandom); |
252 return helloCookieManager; |
254 } |
253 } |
255 } |
254 |
256 } |
255 synchronized (this) { |
257 |
256 if (helloCookieManager == null) { |
258 return helloCookieManagerBuilder.valueOf(protocolVersion); |
257 helloCookieManager = getHelloCookieManager(secureRandom); |
|
258 } |
|
259 } |
|
260 |
|
261 return helloCookieManager; |
|
262 } |
|
263 |
|
264 HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) { |
|
265 throw new UnsupportedOperationException( |
|
266 "Cookie exchange applies to DTLS only"); |
|
267 } |
259 } |
268 |
260 |
269 StatusResponseManager getStatusResponseManager() { |
261 StatusResponseManager getStatusResponseManager() { |
270 if (serverEnableStapling && statusResponseManager == null) { |
262 if (serverEnableStapling && statusResponseManager == null) { |
271 synchronized (this) { |
263 synchronized (this) { |
272 if (statusResponseManager == null) { |
264 if (statusResponseManager == null) { |
273 if (debug != null && Debug.isOn("sslctx")) { |
265 if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) { |
274 System.out.println( |
266 SSLLogger.finest( |
275 "Initializing StatusResponseManager"); |
267 "Initializing StatusResponseManager"); |
276 } |
268 } |
277 statusResponseManager = new StatusResponseManager(); |
269 statusResponseManager = new StatusResponseManager(); |
278 } |
270 } |
279 } |
271 } |
280 } |
272 } |
281 |
273 |
282 return statusResponseManager; |
274 return statusResponseManager; |
283 } |
275 } |
284 |
276 |
285 // Get supported ProtocolList. |
277 // Get supported protocols. |
286 abstract ProtocolList getSuportedProtocolList(); |
278 abstract List<ProtocolVersion> getSupportedProtocolVersions(); |
287 |
279 |
288 // Get default ProtocolList for server mode. |
280 // Get default protocols for server mode. |
289 abstract ProtocolList getServerDefaultProtocolList(); |
281 abstract List<ProtocolVersion> getServerDefaultProtocolVersions(); |
290 |
282 |
291 // Get default ProtocolList for client mode. |
283 // Get default protocols for client mode. |
292 abstract ProtocolList getClientDefaultProtocolList(); |
284 abstract List<ProtocolVersion> getClientDefaultProtocolVersions(); |
293 |
285 |
294 // Get supported CipherSuiteList. |
286 // Get supported CipherSuite list. |
295 abstract CipherSuiteList getSupportedCipherSuiteList(); |
287 abstract List<CipherSuite> getSupportedCipherSuites(); |
296 |
288 |
297 // Get default CipherSuiteList for server mode. |
289 // Get default CipherSuite list for server mode. |
298 abstract CipherSuiteList getServerDefaultCipherSuiteList(); |
290 abstract List<CipherSuite> getServerDefaultCipherSuites(); |
299 |
291 |
300 // Get default CipherSuiteList for client mode. |
292 // Get default CipherSuite list for client mode. |
301 abstract CipherSuiteList getClientDefaultCipherSuiteList(); |
293 abstract List<CipherSuite> getClientDefaultCipherSuites(); |
302 |
294 |
303 // Get default ProtocolList. |
295 // Is the context for DTLS protocols? |
304 ProtocolList getDefaultProtocolList(boolean roleIsServer) { |
296 abstract boolean isDTLS(); |
305 return roleIsServer ? getServerDefaultProtocolList() |
297 |
306 : getClientDefaultProtocolList(); |
298 // Get default protocols. |
307 } |
299 List<ProtocolVersion> getDefaultProtocolVersions(boolean roleIsServer) { |
308 |
300 return roleIsServer ? getServerDefaultProtocolVersions() |
309 // Get default CipherSuiteList. |
301 : getClientDefaultProtocolVersions(); |
310 CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) { |
302 } |
311 return roleIsServer ? getServerDefaultCipherSuiteList() |
303 |
312 : getClientDefaultCipherSuiteList(); |
304 // Get default CipherSuite list. |
|
305 List<CipherSuite> getDefaultCipherSuites(boolean roleIsServer) { |
|
306 return roleIsServer ? getServerDefaultCipherSuites() |
|
307 : getClientDefaultCipherSuites(); |
313 } |
308 } |
314 |
309 |
315 /** |
310 /** |
316 * Return whether a protocol list is the original default enabled |
311 * Return whether a protocol list is the original default enabled |
317 * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() |
312 * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() |
318 */ |
313 */ |
319 boolean isDefaultProtocolList(ProtocolList protocols) { |
314 boolean isDefaultProtocolVesions(List<ProtocolVersion> protocols) { |
320 return (protocols == getServerDefaultProtocolList()) || |
315 return (protocols == getServerDefaultProtocolVersions()) || |
321 (protocols == getClientDefaultProtocolList()); |
316 (protocols == getClientDefaultProtocolVersions()); |
322 } |
317 } |
323 |
318 |
324 /** |
319 /** |
325 * Return whether a protocol list is the original default enabled |
320 * Return whether a protocol list is the original default enabled |
326 * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() |
321 * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols() |
327 */ |
322 */ |
328 boolean isDefaultCipherSuiteList(CipherSuiteList cipherSuites) { |
323 boolean isDefaultCipherSuiteList(List<CipherSuite> cipherSuites) { |
329 return (cipherSuites == getServerDefaultCipherSuiteList()) || |
324 return (cipherSuites == getServerDefaultCipherSuites()) || |
330 (cipherSuites == getClientDefaultCipherSuiteList()); |
325 (cipherSuites == getClientDefaultCipherSuites()); |
331 } |
326 } |
332 |
327 |
333 /** |
328 /** |
334 * Return whether client or server side stapling has been enabled |
329 * Return whether client or server side stapling has been enabled |
335 * for this SSLContextImpl |
330 * for this SSLContextImpl |
340 */ |
335 */ |
341 boolean isStaplingEnabled(boolean isClient) { |
336 boolean isStaplingEnabled(boolean isClient) { |
342 return isClient ? clientEnableStapling : serverEnableStapling; |
337 return isClient ? clientEnableStapling : serverEnableStapling; |
343 } |
338 } |
344 |
339 |
345 |
|
346 /* |
340 /* |
347 * Return the list of all available CipherSuites that are supported |
341 * Return the list of all available CipherSuites that are supported |
348 * using currently installed providers. |
342 * using currently installed providers. |
349 */ |
343 */ |
350 private static CipherSuiteList getApplicableSupportedCipherSuiteList( |
344 private static List<CipherSuite> getApplicableSupportedCipherSuites( |
351 ProtocolList protocols) { |
345 List<ProtocolVersion> protocols) { |
352 |
346 |
353 return getApplicableCipherSuiteList( |
347 return getApplicableCipherSuites( |
354 CipherSuite.allowedCipherSuites(), |
348 CipherSuite.allowedCipherSuites(), protocols); |
355 protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY); |
|
356 } |
349 } |
357 |
350 |
358 /* |
351 /* |
359 * Return the list of all available CipherSuites that are default enabled |
352 * Return the list of all available CipherSuites that are default enabled |
360 * in client or server side. |
353 * in client or server side. |
361 */ |
354 */ |
362 private static CipherSuiteList getApplicableEnabledCipherSuiteList( |
355 private static List<CipherSuite> getApplicableEnabledCipherSuites( |
363 ProtocolList protocols, boolean isClient) { |
356 List<ProtocolVersion> protocols, boolean isClient) { |
364 |
357 |
365 if (isClient) { |
358 if (isClient) { |
366 if (!clientCustomizedCipherSuites.isEmpty()) { |
359 if (!clientCustomizedCipherSuites.isEmpty()) { |
367 return getApplicableCipherSuiteList( |
360 return getApplicableCipherSuites( |
368 clientCustomizedCipherSuites, |
361 clientCustomizedCipherSuites, protocols); |
369 protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY); |
|
370 } |
362 } |
371 } else { |
363 } else { |
372 if (!serverCustomizedCipherSuites.isEmpty()) { |
364 if (!serverCustomizedCipherSuites.isEmpty()) { |
373 return getApplicableCipherSuiteList( |
365 return getApplicableCipherSuites( |
374 serverCustomizedCipherSuites, |
366 serverCustomizedCipherSuites, protocols); |
375 protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY); |
367 } |
376 } |
368 } |
377 } |
369 |
378 |
370 return getApplicableCipherSuites( |
379 return getApplicableCipherSuiteList( |
371 CipherSuite.defaultCipherSuites(), protocols); |
380 CipherSuite.allowedCipherSuites(), |
|
381 protocols, CipherSuite.DEFAULT_SUITES_PRIORITY); |
|
382 } |
372 } |
383 |
373 |
384 /* |
374 /* |
385 * Return the list of available CipherSuites which are applicable to |
375 * Return the list of available CipherSuites which are applicable to |
386 * the specified protocols. |
376 * the specified protocols. |
387 */ |
377 */ |
388 private static CipherSuiteList getApplicableCipherSuiteList( |
378 private static List<CipherSuite> getApplicableCipherSuites( |
389 Collection<CipherSuite> allowedCipherSuites, |
379 Collection<CipherSuite> allowedCipherSuites, |
390 ProtocolList protocols, int minPriority) { |
380 List<ProtocolVersion> protocols) { |
391 |
|
392 TreeSet<CipherSuite> suites = new TreeSet<>(); |
381 TreeSet<CipherSuite> suites = new TreeSet<>(); |
393 if (!(protocols.collection().isEmpty()) && |
382 if (protocols != null && (!protocols.isEmpty())) { |
394 protocols.min.v != ProtocolVersion.NONE.v) { |
|
395 for (CipherSuite suite : allowedCipherSuites) { |
383 for (CipherSuite suite : allowedCipherSuites) { |
396 if (!suite.allowed || suite.priority < minPriority) { |
384 if (!suite.isAvailable()) { |
397 continue; |
385 continue; |
398 } |
386 } |
399 |
387 |
400 if (suite.isAvailable() && |
388 boolean isSupported = false; |
401 !protocols.min.obsoletes(suite) && |
389 for (ProtocolVersion protocol : protocols) { |
402 protocols.max.supports(suite)) { |
390 if (!suite.supports(protocol)) { |
|
391 continue; |
|
392 } |
|
393 |
403 if (SSLAlgorithmConstraints.DEFAULT.permits( |
394 if (SSLAlgorithmConstraints.DEFAULT.permits( |
404 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), |
395 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), |
405 suite.name, null)) { |
396 suite.name, null)) { |
406 suites.add(suite); |
397 suites.add(suite); |
407 } else { |
398 isSupported = true; |
408 if (debug != null && Debug.isOn("sslctx") && |
399 } else if (SSLLogger.isOn && |
409 Debug.isOn("verbose")) { |
400 SSLLogger.isOn("ssl,sslctx,verbose")) { |
410 System.out.println( |
401 SSLLogger.fine( |
411 "Ignoring disabled cipher suite: " + |
402 "Ignore disabled cipher suite: " + suite.name); |
412 suite.name); |
|
413 } |
|
414 } |
403 } |
415 } else if (debug != null && |
404 |
416 Debug.isOn("sslctx") && Debug.isOn("verbose")) { |
405 break; |
417 if (protocols.min.obsoletes(suite)) { |
406 } |
418 System.out.println( |
407 |
419 "Ignoring obsoleted cipher suite: " + suite); |
408 if (!isSupported && SSLLogger.isOn && |
420 } else if (!protocols.max.supports(suite)) { |
409 SSLLogger.isOn("ssl,sslctx,verbose")) { |
421 System.out.println( |
410 SSLLogger.finest( |
422 "Ignoring unsupported cipher suite: " + suite); |
411 "Ignore unsupported cipher suite: " + suite); |
423 } else { |
412 } |
424 System.out.println( |
413 } |
425 "Ignoring unavailable cipher suite: " + suite); |
414 } |
426 } |
415 |
427 } |
416 return new ArrayList<>(suites); |
428 } |
|
429 } |
|
430 |
|
431 return new CipherSuiteList(suites); |
|
432 } |
417 } |
433 |
418 |
434 /* |
419 /* |
435 * Get the customized cipher suites specified by the given system property. |
420 * Get the customized cipher suites specified by the given system property. |
436 */ |
421 */ |
437 private static Collection<CipherSuite> getCustomizedCipherSuites( |
422 private static Collection<CipherSuite> getCustomizedCipherSuites( |
438 String propertyName) { |
423 String propertyName) { |
439 |
424 |
440 String property = GetPropertyAction.privilegedGetProperty(propertyName); |
425 String property = GetPropertyAction.privilegedGetProperty(propertyName); |
441 if (debug != null && Debug.isOn("sslctx")) { |
426 if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) { |
442 System.out.println( |
427 SSLLogger.fine( |
443 "System property " + propertyName + " is set to '" + |
428 "System property " + propertyName + " is set to '" + |
444 property + "'"); |
429 property + "'"); |
445 } |
430 } |
446 if (property != null && property.length() != 0) { |
431 if (property != null && property.length() != 0) { |
447 // remove double quote marks from beginning/end of the property |
432 // remove double quote marks from beginning/end of the property |
546 * SSL/TLS parameters. |
531 * SSL/TLS parameters. |
547 * |
532 * |
548 * @see SSLContext |
533 * @see SSLContext |
549 */ |
534 */ |
550 private abstract static class AbstractTLSContext extends SSLContextImpl { |
535 private abstract static class AbstractTLSContext extends SSLContextImpl { |
551 private static final ProtocolList supportedProtocolList; |
536 private static final List<ProtocolVersion> supportedProtocols; |
552 private static final ProtocolList serverDefaultProtocolList; |
537 private static final List<ProtocolVersion> serverDefaultProtocols; |
553 |
538 |
554 private static final CipherSuiteList supportedCipherSuiteList; |
539 private static final List<CipherSuite> supportedCipherSuites; |
555 private static final CipherSuiteList serverDefaultCipherSuiteList; |
540 private static final List<CipherSuite> serverDefaultCipherSuites; |
556 |
541 |
557 static { |
542 static { |
558 if (SunJSSE.isFIPS()) { |
543 if (SunJSSE.isFIPS()) { |
559 supportedProtocolList = new ProtocolList(new String[] { |
544 supportedProtocols = Arrays.asList( |
560 ProtocolVersion.TLS10.name, |
545 ProtocolVersion.TLS13, |
561 ProtocolVersion.TLS11.name, |
546 ProtocolVersion.TLS12, |
562 ProtocolVersion.TLS12.name |
547 ProtocolVersion.TLS11, |
|
548 ProtocolVersion.TLS10 |
|
549 ); |
|
550 |
|
551 serverDefaultProtocols = getAvailableProtocols( |
|
552 new ProtocolVersion[] { |
|
553 ProtocolVersion.TLS13, |
|
554 ProtocolVersion.TLS12, |
|
555 ProtocolVersion.TLS11, |
|
556 ProtocolVersion.TLS10 |
563 }); |
557 }); |
564 |
558 } else { |
565 serverDefaultProtocolList = new ProtocolList( |
559 supportedProtocols = Arrays.asList( |
566 getAvailableProtocols(new ProtocolVersion[] { |
560 ProtocolVersion.TLS13, |
|
561 ProtocolVersion.TLS12, |
|
562 ProtocolVersion.TLS11, |
567 ProtocolVersion.TLS10, |
563 ProtocolVersion.TLS10, |
|
564 ProtocolVersion.SSL30, |
|
565 ProtocolVersion.SSL20Hello |
|
566 ); |
|
567 |
|
568 serverDefaultProtocols = getAvailableProtocols( |
|
569 new ProtocolVersion[] { |
|
570 ProtocolVersion.TLS13, |
|
571 ProtocolVersion.TLS12, |
568 ProtocolVersion.TLS11, |
572 ProtocolVersion.TLS11, |
569 ProtocolVersion.TLS12 |
573 ProtocolVersion.TLS10, |
570 })); |
574 ProtocolVersion.SSL30, |
|
575 ProtocolVersion.SSL20Hello |
|
576 }); |
|
577 } |
|
578 |
|
579 supportedCipherSuites = getApplicableSupportedCipherSuites( |
|
580 supportedProtocols); |
|
581 serverDefaultCipherSuites = getApplicableEnabledCipherSuites( |
|
582 serverDefaultProtocols, false); |
|
583 } |
|
584 |
|
585 @Override |
|
586 List<ProtocolVersion> getSupportedProtocolVersions() { |
|
587 return supportedProtocols; |
|
588 } |
|
589 |
|
590 @Override |
|
591 List<CipherSuite> getSupportedCipherSuites() { |
|
592 return supportedCipherSuites; |
|
593 } |
|
594 |
|
595 @Override |
|
596 List<ProtocolVersion> getServerDefaultProtocolVersions() { |
|
597 return serverDefaultProtocols; |
|
598 } |
|
599 |
|
600 @Override |
|
601 List<CipherSuite> getServerDefaultCipherSuites() { |
|
602 return serverDefaultCipherSuites; |
|
603 } |
|
604 |
|
605 @Override |
|
606 SSLEngine createSSLEngineImpl() { |
|
607 return new SSLEngineImpl(this); |
|
608 } |
|
609 |
|
610 @Override |
|
611 SSLEngine createSSLEngineImpl(String host, int port) { |
|
612 return new SSLEngineImpl(this, host, port); |
|
613 } |
|
614 |
|
615 @Override |
|
616 boolean isDTLS() { |
|
617 return false; |
|
618 } |
|
619 |
|
620 static ProtocolVersion[] getSupportedProtocols() { |
|
621 if (SunJSSE.isFIPS()) { |
|
622 return new ProtocolVersion[] { |
|
623 ProtocolVersion.TLS13, |
|
624 ProtocolVersion.TLS12, |
|
625 ProtocolVersion.TLS11, |
|
626 ProtocolVersion.TLS10 |
|
627 }; |
571 } else { |
628 } else { |
572 supportedProtocolList = new ProtocolList(new String[] { |
629 return new ProtocolVersion[]{ |
573 ProtocolVersion.SSL20Hello.name, |
630 ProtocolVersion.TLS13, |
574 ProtocolVersion.SSL30.name, |
631 ProtocolVersion.TLS12, |
575 ProtocolVersion.TLS10.name, |
632 ProtocolVersion.TLS11, |
576 ProtocolVersion.TLS11.name, |
633 ProtocolVersion.TLS10, |
577 ProtocolVersion.TLS12.name |
634 ProtocolVersion.SSL30, |
578 }); |
635 ProtocolVersion.SSL20Hello |
579 |
636 }; |
580 serverDefaultProtocolList = new ProtocolList( |
637 } |
581 getAvailableProtocols(new ProtocolVersion[] { |
|
582 ProtocolVersion.SSL20Hello, |
|
583 ProtocolVersion.SSL30, |
|
584 ProtocolVersion.TLS10, |
|
585 ProtocolVersion.TLS11, |
|
586 ProtocolVersion.TLS12 |
|
587 })); |
|
588 } |
|
589 |
|
590 supportedCipherSuiteList = getApplicableSupportedCipherSuiteList( |
|
591 supportedProtocolList); |
|
592 serverDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
|
593 serverDefaultProtocolList, false); |
|
594 } |
|
595 |
|
596 @Override |
|
597 ProtocolList getSuportedProtocolList() { |
|
598 return supportedProtocolList; |
|
599 } |
|
600 |
|
601 @Override |
|
602 CipherSuiteList getSupportedCipherSuiteList() { |
|
603 return supportedCipherSuiteList; |
|
604 } |
|
605 |
|
606 @Override |
|
607 ProtocolList getServerDefaultProtocolList() { |
|
608 return serverDefaultProtocolList; |
|
609 } |
|
610 |
|
611 @Override |
|
612 CipherSuiteList getServerDefaultCipherSuiteList() { |
|
613 return serverDefaultCipherSuiteList; |
|
614 } |
|
615 |
|
616 @Override |
|
617 SSLEngine createSSLEngineImpl() { |
|
618 return new SSLEngineImpl(this, false); |
|
619 } |
|
620 |
|
621 @Override |
|
622 SSLEngine createSSLEngineImpl(String host, int port) { |
|
623 return new SSLEngineImpl(this, host, port, false); |
|
624 } |
638 } |
625 } |
639 } |
626 |
640 |
627 /* |
641 /* |
628 * The SSLContext implementation for SSLv3 and TLS10 algorithm |
642 * The SSLContext implementation for SSLv3 and TLS10 algorithm |
629 * |
643 * |
630 * @see SSLContext |
644 * @see SSLContext |
631 */ |
645 */ |
632 public static final class TLS10Context extends AbstractTLSContext { |
646 public static final class TLS10Context extends AbstractTLSContext { |
633 private static final ProtocolList clientDefaultProtocolList; |
647 private static final List<ProtocolVersion> clientDefaultProtocols; |
634 private static final CipherSuiteList clientDefaultCipherSuiteList; |
648 private static final List<CipherSuite> clientDefaultCipherSuites; |
635 |
649 |
636 static { |
650 static { |
637 if (SunJSSE.isFIPS()) { |
651 if (SunJSSE.isFIPS()) { |
638 clientDefaultProtocolList = new ProtocolList( |
652 clientDefaultProtocols = getAvailableProtocols( |
639 getAvailableProtocols(new ProtocolVersion[] { |
653 new ProtocolVersion[] { |
640 ProtocolVersion.TLS10 |
654 ProtocolVersion.TLS10 |
641 })); |
655 }); |
642 } else { |
656 } else { |
643 clientDefaultProtocolList = new ProtocolList( |
657 clientDefaultProtocols = getAvailableProtocols( |
644 getAvailableProtocols(new ProtocolVersion[] { |
658 new ProtocolVersion[] { |
645 ProtocolVersion.SSL30, |
659 ProtocolVersion.TLS10, |
646 ProtocolVersion.TLS10 |
660 ProtocolVersion.SSL30 |
647 })); |
661 }); |
648 } |
662 } |
649 |
663 |
650 clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
664 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
651 clientDefaultProtocolList, true); |
665 clientDefaultProtocols, true); |
652 } |
666 } |
653 |
667 |
654 @Override |
668 @Override |
655 ProtocolList getClientDefaultProtocolList() { |
669 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
656 return clientDefaultProtocolList; |
670 return clientDefaultProtocols; |
657 } |
671 } |
658 |
672 |
659 @Override |
673 @Override |
660 CipherSuiteList getClientDefaultCipherSuiteList() { |
674 List<CipherSuite> getClientDefaultCipherSuites() { |
661 return clientDefaultCipherSuiteList; |
675 return clientDefaultCipherSuites; |
662 } |
676 } |
663 } |
677 } |
664 |
678 |
665 /* |
679 /* |
666 * The SSLContext implementation for TLS11 algorithm |
680 * The SSLContext implementation for TLS11 algorithm |
667 * |
681 * |
668 * @see SSLContext |
682 * @see SSLContext |
669 */ |
683 */ |
670 public static final class TLS11Context extends AbstractTLSContext { |
684 public static final class TLS11Context extends AbstractTLSContext { |
671 private static final ProtocolList clientDefaultProtocolList; |
685 private static final List<ProtocolVersion> clientDefaultProtocols; |
672 private static final CipherSuiteList clientDefaultCipherSuiteList; |
686 private static final List<CipherSuite> clientDefaultCipherSuites; |
673 |
687 |
674 static { |
688 static { |
675 if (SunJSSE.isFIPS()) { |
689 if (SunJSSE.isFIPS()) { |
676 clientDefaultProtocolList = new ProtocolList( |
690 clientDefaultProtocols = getAvailableProtocols( |
677 getAvailableProtocols(new ProtocolVersion[] { |
691 new ProtocolVersion[] { |
|
692 ProtocolVersion.TLS11, |
|
693 ProtocolVersion.TLS10 |
|
694 }); |
|
695 } else { |
|
696 clientDefaultProtocols = getAvailableProtocols( |
|
697 new ProtocolVersion[] { |
|
698 ProtocolVersion.TLS11, |
678 ProtocolVersion.TLS10, |
699 ProtocolVersion.TLS10, |
679 ProtocolVersion.TLS11 |
700 ProtocolVersion.SSL30 |
680 })); |
701 }); |
681 } else { |
702 } |
682 clientDefaultProtocolList = new ProtocolList( |
703 |
683 getAvailableProtocols(new ProtocolVersion[] { |
704 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
684 ProtocolVersion.SSL30, |
705 clientDefaultProtocols, true); |
685 ProtocolVersion.TLS10, |
706 |
686 ProtocolVersion.TLS11 |
707 } |
687 })); |
708 |
688 } |
709 @Override |
689 |
710 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
690 clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
711 return clientDefaultProtocols; |
691 clientDefaultProtocolList, true); |
712 } |
692 |
713 |
693 } |
714 @Override |
694 |
715 List<CipherSuite> getClientDefaultCipherSuites() { |
695 @Override |
716 return clientDefaultCipherSuites; |
696 ProtocolList getClientDefaultProtocolList() { |
|
697 return clientDefaultProtocolList; |
|
698 } |
|
699 |
|
700 @Override |
|
701 CipherSuiteList getClientDefaultCipherSuiteList() { |
|
702 return clientDefaultCipherSuiteList; |
|
703 } |
717 } |
704 } |
718 } |
705 |
719 |
706 /* |
720 /* |
707 * The SSLContext implementation for TLS12 algorithm |
721 * The SSLContext implementation for TLS12 algorithm |
708 * |
722 * |
709 * @see SSLContext |
723 * @see SSLContext |
710 */ |
724 */ |
711 public static final class TLS12Context extends AbstractTLSContext { |
725 public static final class TLS12Context extends AbstractTLSContext { |
712 private static final ProtocolList clientDefaultProtocolList; |
726 private static final List<ProtocolVersion> clientDefaultProtocols; |
713 private static final CipherSuiteList clientDefaultCipherSuiteList; |
727 private static final List<CipherSuite> clientDefaultCipherSuites; |
714 |
728 |
715 static { |
729 static { |
716 if (SunJSSE.isFIPS()) { |
730 if (SunJSSE.isFIPS()) { |
717 clientDefaultProtocolList = new ProtocolList( |
731 clientDefaultProtocols = getAvailableProtocols( |
718 getAvailableProtocols(new ProtocolVersion[] { |
732 new ProtocolVersion[] { |
|
733 ProtocolVersion.TLS12, |
|
734 ProtocolVersion.TLS11, |
|
735 ProtocolVersion.TLS10 |
|
736 }); |
|
737 } else { |
|
738 clientDefaultProtocols = getAvailableProtocols( |
|
739 new ProtocolVersion[] { |
|
740 ProtocolVersion.TLS12, |
|
741 ProtocolVersion.TLS11, |
719 ProtocolVersion.TLS10, |
742 ProtocolVersion.TLS10, |
|
743 ProtocolVersion.SSL30 |
|
744 }); |
|
745 } |
|
746 |
|
747 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
|
748 clientDefaultProtocols, true); |
|
749 } |
|
750 |
|
751 @Override |
|
752 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
|
753 return clientDefaultProtocols; |
|
754 } |
|
755 |
|
756 @Override |
|
757 List<CipherSuite> getClientDefaultCipherSuites() { |
|
758 return clientDefaultCipherSuites; |
|
759 } |
|
760 } |
|
761 |
|
762 /* |
|
763 * The SSLContext implementation for TLS1.3 algorithm |
|
764 * |
|
765 * @see SSLContext |
|
766 */ |
|
767 public static final class TLS13Context extends AbstractTLSContext { |
|
768 private static final List<ProtocolVersion> clientDefaultProtocols; |
|
769 private static final List<CipherSuite> clientDefaultCipherSuites; |
|
770 |
|
771 static { |
|
772 if (SunJSSE.isFIPS()) { |
|
773 clientDefaultProtocols = getAvailableProtocols( |
|
774 new ProtocolVersion[] { |
|
775 ProtocolVersion.TLS13, |
|
776 ProtocolVersion.TLS12, |
720 ProtocolVersion.TLS11, |
777 ProtocolVersion.TLS11, |
721 ProtocolVersion.TLS12 |
778 ProtocolVersion.TLS10 |
722 })); |
779 }); |
723 } else { |
780 } else { |
724 clientDefaultProtocolList = new ProtocolList( |
781 clientDefaultProtocols = getAvailableProtocols( |
725 getAvailableProtocols(new ProtocolVersion[] { |
782 new ProtocolVersion[] { |
726 ProtocolVersion.SSL30, |
783 ProtocolVersion.TLS13, |
|
784 ProtocolVersion.TLS12, |
|
785 ProtocolVersion.TLS11, |
727 ProtocolVersion.TLS10, |
786 ProtocolVersion.TLS10, |
728 ProtocolVersion.TLS11, |
787 ProtocolVersion.SSL30 |
729 ProtocolVersion.TLS12 |
788 }); |
730 })); |
789 } |
731 } |
790 |
732 |
791 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
733 clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
792 clientDefaultProtocols, true); |
734 clientDefaultProtocolList, true); |
793 } |
735 } |
794 |
736 |
795 @Override |
737 @Override |
796 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
738 ProtocolList getClientDefaultProtocolList() { |
797 return clientDefaultProtocols; |
739 return clientDefaultProtocolList; |
798 } |
740 } |
799 |
741 |
800 @Override |
742 @Override |
801 List<CipherSuite> getClientDefaultCipherSuites() { |
743 CipherSuiteList getClientDefaultCipherSuiteList() { |
802 return clientDefaultCipherSuites; |
744 return clientDefaultCipherSuiteList; |
|
745 } |
803 } |
746 } |
804 } |
747 |
805 |
748 /* |
806 /* |
749 * The interface for the customized SSL/(D)TLS SSLContext. |
807 * The interface for the customized SSL/(D)TLS SSLContext. |
750 * |
808 * |
751 * @see SSLContext |
809 * @see SSLContext |
752 */ |
810 */ |
753 private static class CustomizedSSLProtocols { |
811 private static class CustomizedSSLProtocols { |
754 private static final String PROPERTY_NAME = "jdk.tls.client.protocols"; |
812 private static final String JDK_TLS_CLIENT_PROTOCOLS = |
|
813 "jdk.tls.client.protocols"; |
|
814 private static final String JDK_TLS_SERVER_PROTOCOLS = |
|
815 "jdk.tls.server.protocols"; |
755 static IllegalArgumentException reservedException = null; |
816 static IllegalArgumentException reservedException = null; |
756 static ArrayList<ProtocolVersion> |
817 static final ArrayList<ProtocolVersion> customizedClientProtocols = |
757 customizedProtocols = new ArrayList<>(); |
818 new ArrayList<>(); |
|
819 static final ArrayList<ProtocolVersion> customizedServerProtocols = |
|
820 new ArrayList<>(); |
758 |
821 |
759 // Don't want a java.lang.LinkageError for illegal system property. |
822 // Don't want a java.lang.LinkageError for illegal system property. |
760 // |
823 // |
761 // Please don't throw exception in this static block. Otherwise, |
824 // Please don't throw exception in this static block. Otherwise, |
762 // java.lang.LinkageError may be thrown during the instantiation of |
825 // java.lang.LinkageError may be thrown during the instantiation of |
763 // the provider service. Instead, please handle the initialization |
826 // the provider service. Instead, please handle the initialization |
764 // exception in the caller's constructor. |
827 // exception in the caller's constructor. |
765 static { |
828 static { |
766 String property = GetPropertyAction |
829 populate(JDK_TLS_CLIENT_PROTOCOLS, customizedClientProtocols); |
767 .privilegedGetProperty(PROPERTY_NAME); |
830 populate(JDK_TLS_SERVER_PROTOCOLS, customizedServerProtocols); |
768 if (property != null && property.length() != 0) { |
831 } |
|
832 |
|
833 private static void populate(String propname, |
|
834 ArrayList<ProtocolVersion> arrayList) { |
|
835 String property = GetPropertyAction.privilegedGetProperty(propname); |
|
836 if (property == null) { |
|
837 return; |
|
838 } |
|
839 |
|
840 if (property.length() != 0) { |
769 // remove double quote marks from beginning/end of the property |
841 // remove double quote marks from beginning/end of the property |
770 if (property.length() > 1 && property.charAt(0) == '"' && |
842 if (property.length() > 1 && property.charAt(0) == '"' && |
771 property.charAt(property.length() - 1) == '"') { |
843 property.charAt(property.length() - 1) == '"') { |
772 property = property.substring(1, property.length() - 1); |
844 property = property.substring(1, property.length() - 1); |
773 } |
845 } |
774 } |
846 } |
775 |
847 |
776 if (property != null && property.length() != 0) { |
848 if (property.length() != 0) { |
777 String[] protocols = property.split(","); |
849 String[] protocols = property.split(","); |
778 for (int i = 0; i < protocols.length; i++) { |
850 for (int i = 0; i < protocols.length; i++) { |
779 protocols[i] = protocols[i].trim(); |
851 protocols[i] = protocols[i].trim(); |
780 // Is it a supported protocol name? |
852 // Is it a supported protocol name? |
781 try { |
853 ProtocolVersion pv = |
782 ProtocolVersion pro = |
854 ProtocolVersion.nameOf(protocols[i]); |
783 ProtocolVersion.valueOf(protocols[i]); |
855 if (pv == null) { |
784 |
|
785 if (SunJSSE.isFIPS() && |
|
786 ((pro.v == ProtocolVersion.SSL30.v) || |
|
787 (pro.v == ProtocolVersion.SSL20Hello.v))) { |
|
788 reservedException = new IllegalArgumentException( |
|
789 PROPERTY_NAME + ": " + pro + |
|
790 " is not FIPS compliant"); |
|
791 |
|
792 break; |
|
793 } |
|
794 |
|
795 // ignore duplicated protocols |
|
796 if (!customizedProtocols.contains(pro)) { |
|
797 customizedProtocols.add(pro); |
|
798 } |
|
799 } catch (IllegalArgumentException iae) { |
|
800 reservedException = new IllegalArgumentException( |
856 reservedException = new IllegalArgumentException( |
801 PROPERTY_NAME + ": " + protocols[i] + |
857 propname + ": " + protocols[i] + |
802 " is not a standard SSL protocol name", iae); |
858 " is not a supported SSL protocol name"); |
803 } |
859 } |
|
860 |
|
861 if (SunJSSE.isFIPS() && |
|
862 ((pv == ProtocolVersion.SSL30) || |
|
863 (pv == ProtocolVersion.SSL20Hello))) { |
|
864 reservedException = new IllegalArgumentException( |
|
865 propname + ": " + pv + |
|
866 " is not FIPS compliant"); |
|
867 |
|
868 break; |
|
869 } |
|
870 |
|
871 // ignore duplicated protocols |
|
872 if (!arrayList.contains(pv)) { |
|
873 arrayList.add(pv); |
|
874 } |
804 } |
875 } |
805 } |
876 } |
806 } |
877 } |
807 } |
878 } |
808 |
879 |
811 * |
882 * |
812 * @see SSLContext |
883 * @see SSLContext |
813 */ |
884 */ |
814 private static class CustomizedTLSContext extends AbstractTLSContext { |
885 private static class CustomizedTLSContext extends AbstractTLSContext { |
815 |
886 |
816 private static final ProtocolList clientDefaultProtocolList; |
887 private static final List<ProtocolVersion> clientDefaultProtocols; |
817 private static final CipherSuiteList clientDefaultCipherSuiteList; |
888 private static final List<ProtocolVersion> serverDefaultProtocols; |
818 |
889 private static final List<CipherSuite> clientDefaultCipherSuites; |
819 private static IllegalArgumentException reservedException = null; |
890 private static final List<CipherSuite> serverDefaultCipherSuites; |
|
891 private static final IllegalArgumentException reservedException; |
820 |
892 |
821 // Don't want a java.lang.LinkageError for illegal system property. |
893 // Don't want a java.lang.LinkageError for illegal system property. |
822 // |
894 // |
823 // Please don't throw exception in this static block. Otherwise, |
895 // Please don't throw exception in this static block. Otherwise, |
824 // java.lang.LinkageError may be thrown during the instantiation of |
896 // java.lang.LinkageError may be thrown during the instantiation of |
825 // the provider service. Instead, let's handle the initialization |
897 // the provider service. Instead, let's handle the initialization |
826 // exception in constructor. |
898 // exception in constructor. |
827 static { |
899 static { |
828 reservedException = CustomizedSSLProtocols.reservedException; |
900 reservedException = CustomizedSSLProtocols.reservedException; |
829 if (reservedException == null) { |
901 if (reservedException == null) { |
830 ArrayList<ProtocolVersion> |
902 clientDefaultProtocols = customizedProtocols(true, |
831 customizedTLSProtocols = new ArrayList<>(); |
903 CustomizedSSLProtocols.customizedClientProtocols); |
832 for (ProtocolVersion protocol : |
904 serverDefaultProtocols = customizedProtocols(false, |
833 CustomizedSSLProtocols.customizedProtocols) { |
905 CustomizedSSLProtocols.customizedServerProtocols); |
834 if (!protocol.isDTLSProtocol()) { |
906 |
835 customizedTLSProtocols.add(protocol); |
907 clientDefaultCipherSuites = |
836 } |
908 getApplicableEnabledCipherSuites( |
837 } |
909 clientDefaultProtocols, true); |
838 |
910 serverDefaultCipherSuites = |
839 // candidates for available protocols |
911 getApplicableEnabledCipherSuites( |
840 ProtocolVersion[] candidates; |
912 serverDefaultProtocols, false); |
841 if (customizedTLSProtocols.isEmpty()) { |
913 |
842 // Use the default enabled client protocols if no |
914 } else { |
843 // customized TLS protocols. |
915 // unlikely to be used |
844 if (SunJSSE.isFIPS()) { |
916 clientDefaultProtocols = null; |
845 candidates = new ProtocolVersion[] { |
917 serverDefaultProtocols = null; |
846 ProtocolVersion.TLS10, |
918 clientDefaultCipherSuites = null; |
847 ProtocolVersion.TLS11, |
919 serverDefaultCipherSuites = null; |
848 ProtocolVersion.TLS12 |
920 } |
849 }; |
921 } |
850 } else { |
922 |
851 candidates = new ProtocolVersion[] { |
923 private static List<ProtocolVersion> customizedProtocols( |
852 ProtocolVersion.SSL30, |
924 boolean client, List<ProtocolVersion> customized) { |
853 ProtocolVersion.TLS10, |
925 List<ProtocolVersion> refactored = new ArrayList<>(); |
854 ProtocolVersion.TLS11, |
926 for (ProtocolVersion pv : customized) { |
855 ProtocolVersion.TLS12 |
927 if (!pv.isDTLS) { |
856 }; |
928 refactored.add(pv); |
857 } |
929 } |
|
930 } |
|
931 |
|
932 // Use the default enabled protocols if no customization |
|
933 ProtocolVersion[] candidates; |
|
934 if (refactored.isEmpty()) { |
|
935 if (client) { |
|
936 candidates = getProtocols(); |
858 } else { |
937 } else { |
859 // Use the customized TLS protocols. |
938 candidates = getSupportedProtocols(); |
860 candidates = |
939 } |
861 new ProtocolVersion[customizedTLSProtocols.size()]; |
|
862 candidates = customizedTLSProtocols.toArray(candidates); |
|
863 } |
|
864 |
|
865 clientDefaultProtocolList = new ProtocolList( |
|
866 getAvailableProtocols(candidates)); |
|
867 clientDefaultCipherSuiteList = |
|
868 getApplicableEnabledCipherSuiteList( |
|
869 clientDefaultProtocolList, true); |
|
870 } else { |
940 } else { |
871 clientDefaultProtocolList = null; // unlikely to be used |
941 // Use the customized TLS protocols. |
872 clientDefaultCipherSuiteList = null; // unlikely to be used |
942 candidates = |
|
943 refactored.toArray(new ProtocolVersion[refactored.size()]); |
|
944 } |
|
945 |
|
946 return getAvailableProtocols(candidates); |
|
947 } |
|
948 |
|
949 static ProtocolVersion[] getProtocols() { |
|
950 if (SunJSSE.isFIPS()) { |
|
951 return new ProtocolVersion[]{ |
|
952 ProtocolVersion.TLS13, |
|
953 ProtocolVersion.TLS12, |
|
954 ProtocolVersion.TLS11, |
|
955 ProtocolVersion.TLS10 |
|
956 }; |
|
957 } else { |
|
958 return new ProtocolVersion[]{ |
|
959 ProtocolVersion.TLS13, |
|
960 ProtocolVersion.TLS12, |
|
961 ProtocolVersion.TLS11, |
|
962 ProtocolVersion.TLS10, |
|
963 ProtocolVersion.SSL30 |
|
964 }; |
873 } |
965 } |
874 } |
966 } |
875 |
967 |
876 protected CustomizedTLSContext() { |
968 protected CustomizedTLSContext() { |
877 if (reservedException != null) { |
969 if (reservedException != null) { |
878 throw reservedException; |
970 throw reservedException; |
879 } |
971 } |
880 } |
972 } |
881 |
973 |
882 @Override |
974 @Override |
883 ProtocolList getClientDefaultProtocolList() { |
975 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
884 return clientDefaultProtocolList; |
976 return clientDefaultProtocols; |
885 } |
977 } |
886 |
978 |
887 @Override |
979 @Override |
888 CipherSuiteList getClientDefaultCipherSuiteList() { |
980 List<ProtocolVersion> getServerDefaultProtocolVersions() { |
889 return clientDefaultCipherSuiteList; |
981 return serverDefaultProtocols; |
890 } |
982 } |
|
983 |
|
984 @Override |
|
985 List<CipherSuite> getClientDefaultCipherSuites() { |
|
986 return clientDefaultCipherSuites; |
|
987 } |
|
988 |
|
989 @Override |
|
990 List<CipherSuite> getServerDefaultCipherSuites() { |
|
991 return serverDefaultCipherSuites; |
|
992 } |
|
993 |
|
994 |
891 } |
995 } |
892 |
996 |
893 /* |
997 /* |
894 * The SSLContext implementation for default "TLS" algorithm |
998 * The SSLContext implementation for default "TLS" algorithm |
895 * |
999 * |
1126 * parameters. |
1233 * parameters. |
1127 * |
1234 * |
1128 * @see SSLContext |
1235 * @see SSLContext |
1129 */ |
1236 */ |
1130 private abstract static class AbstractDTLSContext extends SSLContextImpl { |
1237 private abstract static class AbstractDTLSContext extends SSLContextImpl { |
1131 private static final ProtocolList supportedProtocolList; |
1238 private static final List<ProtocolVersion> supportedProtocols; |
1132 private static final ProtocolList serverDefaultProtocolList; |
1239 private static final List<ProtocolVersion> serverDefaultProtocols; |
1133 |
1240 |
1134 private static final CipherSuiteList supportedCipherSuiteList; |
1241 private static final List<CipherSuite> supportedCipherSuites; |
1135 private static final CipherSuiteList serverDefaultCipherSuiteList; |
1242 private static final List<CipherSuite> serverDefaultCipherSuites; |
1136 |
1243 |
1137 static { |
1244 static { |
1138 // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode. |
1245 // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode. |
1139 supportedProtocolList = new ProtocolList(new String[] { |
1246 supportedProtocols = Arrays.asList( |
1140 ProtocolVersion.DTLS10.name, |
1247 ProtocolVersion.DTLS12, |
1141 ProtocolVersion.DTLS12.name |
1248 ProtocolVersion.DTLS10 |
|
1249 ); |
|
1250 |
|
1251 // available protocols for server mode |
|
1252 serverDefaultProtocols = getAvailableProtocols( |
|
1253 new ProtocolVersion[] { |
|
1254 ProtocolVersion.DTLS12, |
|
1255 ProtocolVersion.DTLS10 |
1142 }); |
1256 }); |
1143 |
1257 |
1144 // available protocols for server mode |
1258 supportedCipherSuites = getApplicableSupportedCipherSuites( |
1145 serverDefaultProtocolList = new ProtocolList( |
1259 supportedProtocols); |
1146 getAvailableProtocols(new ProtocolVersion[] { |
1260 serverDefaultCipherSuites = getApplicableEnabledCipherSuites( |
1147 ProtocolVersion.DTLS10, |
1261 serverDefaultProtocols, false); |
1148 ProtocolVersion.DTLS12 |
1262 } |
1149 })); |
1263 |
1150 |
1264 @Override |
1151 supportedCipherSuiteList = getApplicableSupportedCipherSuiteList( |
1265 List<ProtocolVersion> getSupportedProtocolVersions() { |
1152 supportedProtocolList); |
1266 return supportedProtocols; |
1153 serverDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
1267 } |
1154 serverDefaultProtocolList, false); |
1268 |
1155 } |
1269 @Override |
1156 |
1270 List<CipherSuite> getSupportedCipherSuites() { |
1157 @Override |
1271 return supportedCipherSuites; |
1158 ProtocolList getSuportedProtocolList() { |
1272 } |
1159 return supportedProtocolList; |
1273 |
1160 } |
1274 @Override |
1161 |
1275 List<ProtocolVersion> getServerDefaultProtocolVersions() { |
1162 @Override |
1276 return serverDefaultProtocols; |
1163 CipherSuiteList getSupportedCipherSuiteList() { |
1277 } |
1164 return supportedCipherSuiteList; |
1278 |
1165 } |
1279 @Override |
1166 |
1280 List<CipherSuite> getServerDefaultCipherSuites() { |
1167 @Override |
1281 return serverDefaultCipherSuites; |
1168 ProtocolList getServerDefaultProtocolList() { |
|
1169 return serverDefaultProtocolList; |
|
1170 } |
|
1171 |
|
1172 @Override |
|
1173 CipherSuiteList getServerDefaultCipherSuiteList() { |
|
1174 return serverDefaultCipherSuiteList; |
|
1175 } |
1282 } |
1176 |
1283 |
1177 @Override |
1284 @Override |
1178 SSLEngine createSSLEngineImpl() { |
1285 SSLEngine createSSLEngineImpl() { |
1179 return new SSLEngineImpl(this, true); |
1286 return new SSLEngineImpl(this); |
1180 } |
1287 } |
1181 |
1288 |
1182 @Override |
1289 @Override |
1183 SSLEngine createSSLEngineImpl(String host, int port) { |
1290 SSLEngine createSSLEngineImpl(String host, int port) { |
1184 return new SSLEngineImpl(this, host, port, true); |
1291 return new SSLEngineImpl(this, host, port); |
1185 } |
1292 } |
1186 |
1293 |
1187 @Override |
1294 @Override |
1188 HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) { |
1295 boolean isDTLS() { |
1189 return new HelloCookieManager(secureRandom); |
1296 return true; |
1190 } |
1297 } |
1191 } |
1298 } |
1192 |
1299 |
1193 /* |
1300 /* |
1194 * The SSLContext implementation for DTLSv1.0 algorithm. |
1301 * The SSLContext implementation for DTLSv1.0 algorithm. |
1195 * |
1302 * |
1196 * @see SSLContext |
1303 * @see SSLContext |
1197 */ |
1304 */ |
1198 public static final class DTLS10Context extends AbstractDTLSContext { |
1305 public static final class DTLS10Context extends AbstractDTLSContext { |
1199 private static final ProtocolList clientDefaultProtocolList; |
1306 private static final List<ProtocolVersion> clientDefaultProtocols; |
1200 private static final CipherSuiteList clientDefaultCipherSuiteList; |
1307 private static final List<CipherSuite> clientDefaultCipherSuites; |
1201 |
1308 |
1202 static { |
1309 static { |
1203 // available protocols for client mode |
1310 // available protocols for client mode |
1204 clientDefaultProtocolList = new ProtocolList( |
1311 clientDefaultProtocols = getAvailableProtocols( |
1205 getAvailableProtocols(new ProtocolVersion[] { |
1312 new ProtocolVersion[] { |
1206 ProtocolVersion.DTLS10 |
1313 ProtocolVersion.DTLS10 |
1207 })); |
1314 }); |
1208 |
1315 |
1209 clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
1316 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
1210 clientDefaultProtocolList, true); |
1317 clientDefaultProtocols, true); |
1211 } |
1318 } |
1212 |
1319 |
1213 @Override |
1320 @Override |
1214 ProtocolList getClientDefaultProtocolList() { |
1321 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
1215 return clientDefaultProtocolList; |
1322 return clientDefaultProtocols; |
1216 } |
1323 } |
1217 |
1324 |
1218 @Override |
1325 @Override |
1219 CipherSuiteList getClientDefaultCipherSuiteList() { |
1326 List<CipherSuite> getClientDefaultCipherSuites() { |
1220 return clientDefaultCipherSuiteList; |
1327 return clientDefaultCipherSuites; |
1221 } |
1328 } |
1222 } |
1329 } |
1223 |
1330 |
1224 /* |
1331 /* |
1225 * The SSLContext implementation for DTLSv1.2 algorithm. |
1332 * The SSLContext implementation for DTLSv1.2 algorithm. |
1226 * |
1333 * |
1227 * @see SSLContext |
1334 * @see SSLContext |
1228 */ |
1335 */ |
1229 public static final class DTLS12Context extends AbstractDTLSContext { |
1336 public static final class DTLS12Context extends AbstractDTLSContext { |
1230 private static final ProtocolList clientDefaultProtocolList; |
1337 private static final List<ProtocolVersion> clientDefaultProtocols; |
1231 private static final CipherSuiteList clientDefaultCipherSuiteList; |
1338 private static final List<CipherSuite> clientDefaultCipherSuites; |
1232 |
1339 |
1233 static { |
1340 static { |
1234 // available protocols for client mode |
1341 // available protocols for client mode |
1235 clientDefaultProtocolList = new ProtocolList( |
1342 clientDefaultProtocols = getAvailableProtocols( |
1236 getAvailableProtocols(new ProtocolVersion[] { |
1343 new ProtocolVersion[] { |
1237 ProtocolVersion.DTLS10, |
1344 ProtocolVersion.DTLS12, |
1238 ProtocolVersion.DTLS12 |
1345 ProtocolVersion.DTLS10 |
1239 })); |
1346 }); |
1240 |
1347 |
1241 clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList( |
1348 clientDefaultCipherSuites = getApplicableEnabledCipherSuites( |
1242 clientDefaultProtocolList, true); |
1349 clientDefaultProtocols, true); |
1243 } |
1350 } |
1244 |
1351 |
1245 @Override |
1352 @Override |
1246 ProtocolList getClientDefaultProtocolList() { |
1353 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
1247 return clientDefaultProtocolList; |
1354 return clientDefaultProtocols; |
1248 } |
1355 } |
1249 |
1356 |
1250 @Override |
1357 @Override |
1251 CipherSuiteList getClientDefaultCipherSuiteList() { |
1358 List<CipherSuite> getClientDefaultCipherSuites() { |
1252 return clientDefaultCipherSuiteList; |
1359 return clientDefaultCipherSuites; |
1253 } |
1360 } |
1254 } |
1361 } |
1255 |
1362 |
1256 /* |
1363 /* |
1257 * The SSLContext implementation for customized TLS protocols |
1364 * The SSLContext implementation for customized TLS protocols |
1258 * |
1365 * |
1259 * @see SSLContext |
1366 * @see SSLContext |
1260 */ |
1367 */ |
1261 private static class CustomizedDTLSContext extends AbstractDTLSContext { |
1368 private static class CustomizedDTLSContext extends AbstractDTLSContext { |
1262 private static final ProtocolList clientDefaultProtocolList; |
1369 private static final List<ProtocolVersion> clientDefaultProtocols; |
1263 private static final CipherSuiteList clientDefaultCipherSuiteList; |
1370 private static final List<ProtocolVersion> serverDefaultProtocols; |
|
1371 private static final List<CipherSuite> clientDefaultCipherSuites; |
|
1372 private static final List<CipherSuite> serverDefaultCipherSuites; |
1264 |
1373 |
1265 private static IllegalArgumentException reservedException = null; |
1374 private static IllegalArgumentException reservedException = null; |
1266 |
1375 |
1267 // Don't want a java.lang.LinkageError for illegal system property. |
1376 // Don't want a java.lang.LinkageError for illegal system property. |
1268 // |
1377 // |
1271 // the provider service. Instead, let's handle the initialization |
1380 // the provider service. Instead, let's handle the initialization |
1272 // exception in constructor. |
1381 // exception in constructor. |
1273 static { |
1382 static { |
1274 reservedException = CustomizedSSLProtocols.reservedException; |
1383 reservedException = CustomizedSSLProtocols.reservedException; |
1275 if (reservedException == null) { |
1384 if (reservedException == null) { |
1276 ArrayList<ProtocolVersion> |
1385 clientDefaultProtocols = customizedProtocols(true, |
1277 customizedDTLSProtocols = new ArrayList<>(); |
1386 CustomizedSSLProtocols.customizedClientProtocols); |
1278 for (ProtocolVersion protocol : |
1387 serverDefaultProtocols = customizedProtocols(false, |
1279 CustomizedSSLProtocols.customizedProtocols) { |
1388 CustomizedSSLProtocols.customizedServerProtocols); |
1280 if (protocol.isDTLSProtocol()) { |
1389 |
1281 customizedDTLSProtocols.add(protocol); |
1390 clientDefaultCipherSuites = |
1282 } |
1391 getApplicableEnabledCipherSuites( |
1283 } |
1392 clientDefaultProtocols, true); |
1284 |
1393 serverDefaultCipherSuites = |
1285 // candidates for available protocols |
1394 getApplicableEnabledCipherSuites( |
1286 ProtocolVersion[] candidates; |
1395 serverDefaultProtocols, false); |
1287 if (customizedDTLSProtocols.isEmpty()) { |
1396 |
1288 // Use the default enabled client protocols if no |
|
1289 // customized TLS protocols. |
|
1290 // |
|
1291 // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode. |
|
1292 candidates = new ProtocolVersion[] { |
|
1293 ProtocolVersion.DTLS10, |
|
1294 ProtocolVersion.DTLS12 |
|
1295 }; |
|
1296 |
|
1297 } else { |
|
1298 // Use the customized TLS protocols. |
|
1299 candidates = |
|
1300 new ProtocolVersion[customizedDTLSProtocols.size()]; |
|
1301 candidates = customizedDTLSProtocols.toArray(candidates); |
|
1302 } |
|
1303 |
|
1304 clientDefaultProtocolList = new ProtocolList( |
|
1305 getAvailableProtocols(candidates)); |
|
1306 clientDefaultCipherSuiteList = |
|
1307 getApplicableEnabledCipherSuiteList( |
|
1308 clientDefaultProtocolList, true); |
|
1309 } else { |
1397 } else { |
1310 clientDefaultProtocolList = null; // unlikely to be used |
1398 // unlikely to be used |
1311 clientDefaultCipherSuiteList = null; // unlikely to be used |
1399 clientDefaultProtocols = null; |
1312 } |
1400 serverDefaultProtocols = null; |
|
1401 clientDefaultCipherSuites = null; |
|
1402 serverDefaultCipherSuites = null; |
|
1403 } |
|
1404 } |
|
1405 |
|
1406 private static List<ProtocolVersion> customizedProtocols(boolean client, |
|
1407 List<ProtocolVersion> customized) { |
|
1408 List<ProtocolVersion> refactored = new ArrayList<>(); |
|
1409 for (ProtocolVersion pv : customized) { |
|
1410 if (pv.isDTLS) { |
|
1411 refactored.add(pv); |
|
1412 } |
|
1413 } |
|
1414 |
|
1415 ProtocolVersion[] candidates; |
|
1416 // Use the default enabled protocols if no customization |
|
1417 if (refactored.isEmpty()) { |
|
1418 candidates = new ProtocolVersion[]{ |
|
1419 ProtocolVersion.DTLS12, |
|
1420 ProtocolVersion.DTLS10 |
|
1421 }; |
|
1422 if (!client) |
|
1423 return Arrays.asList(candidates); |
|
1424 } else { |
|
1425 // Use the customized TLS protocols. |
|
1426 candidates = |
|
1427 new ProtocolVersion[customized.size()]; |
|
1428 candidates = customized.toArray(candidates); |
|
1429 } |
|
1430 |
|
1431 return getAvailableProtocols(candidates); |
1313 } |
1432 } |
1314 |
1433 |
1315 protected CustomizedDTLSContext() { |
1434 protected CustomizedDTLSContext() { |
1316 if (reservedException != null) { |
1435 if (reservedException != null) { |
1317 throw reservedException; |
1436 throw reservedException; |
1318 } |
1437 } |
1319 } |
1438 } |
1320 |
1439 |
1321 @Override |
1440 @Override |
1322 ProtocolList getClientDefaultProtocolList() { |
1441 List<ProtocolVersion> getClientDefaultProtocolVersions() { |
1323 return clientDefaultProtocolList; |
1442 return clientDefaultProtocols; |
1324 } |
1443 } |
1325 |
1444 |
1326 @Override |
1445 @Override |
1327 CipherSuiteList getClientDefaultCipherSuiteList() { |
1446 List<ProtocolVersion> getServerDefaultProtocolVersions() { |
1328 return clientDefaultCipherSuiteList; |
1447 return serverDefaultProtocols; |
|
1448 } |
|
1449 |
|
1450 @Override |
|
1451 List<CipherSuite> getClientDefaultCipherSuites() { |
|
1452 return clientDefaultCipherSuites; |
|
1453 } |
|
1454 |
|
1455 @Override |
|
1456 List<CipherSuite> getServerDefaultCipherSuites() { |
|
1457 return serverDefaultCipherSuites; |
1329 } |
1458 } |
1330 } |
1459 } |
1331 |
1460 |
1332 /* |
1461 /* |
1333 * The SSLContext implementation for default "DTLS" algorithm |
1462 * The SSLContext implementation for default "DTLS" algorithm |