69 getCustomizedCipherSuites("jdk.tls.server.cipherSuites"); |
69 getCustomizedCipherSuites("jdk.tls.server.cipherSuites"); |
70 |
70 |
71 private volatile StatusResponseManager statusResponseManager; |
71 private volatile StatusResponseManager statusResponseManager; |
72 |
72 |
73 private final ReentrantLock contextLock = new ReentrantLock(); |
73 private final ReentrantLock contextLock = new ReentrantLock(); |
|
74 final HashMap<Integer, SessionTicketExtension.StatelessKey> keyHashMap = new HashMap<>(); |
|
75 |
74 |
76 |
75 SSLContextImpl() { |
77 SSLContextImpl() { |
76 ephemeralKeyManager = new EphemeralKeyManager(); |
78 ephemeralKeyManager = new EphemeralKeyManager(); |
77 clientCache = new SSLSessionContextImpl(); |
79 clientCache = new SSLSessionContextImpl(false); |
78 serverCache = new SSLSessionContextImpl(); |
80 serverCache = new SSLSessionContextImpl(true); |
79 } |
81 } |
80 |
82 |
81 @Override |
83 @Override |
82 protected void engineInit(KeyManager[] km, TrustManager[] tm, |
84 protected void engineInit(KeyManager[] km, TrustManager[] tm, |
83 SecureRandom sr) throws KeyManagementException { |
85 SecureRandom sr) throws KeyManagementException { |
1476 SSLEngine engine) throws CertificateException { |
1478 SSLEngine engine) throws CertificateException { |
1477 tm.checkServerTrusted(chain, authType); |
1479 tm.checkServerTrusted(chain, authType); |
1478 checkAdditionalTrust(chain, authType, engine, false); |
1480 checkAdditionalTrust(chain, authType, engine, false); |
1479 } |
1481 } |
1480 |
1482 |
1481 private void checkAdditionalTrust(X509Certificate[] chain, String authType, |
1483 private void checkAdditionalTrust(X509Certificate[] chain, |
1482 Socket socket, boolean isClient) throws CertificateException { |
1484 String authType, Socket socket, |
|
1485 boolean checkClientTrusted) throws CertificateException { |
1483 if (socket != null && socket.isConnected() && |
1486 if (socket != null && socket.isConnected() && |
1484 socket instanceof SSLSocket) { |
1487 socket instanceof SSLSocket) { |
1485 |
1488 |
1486 SSLSocket sslSocket = (SSLSocket)socket; |
1489 SSLSocket sslSocket = (SSLSocket)socket; |
1487 SSLSession session = sslSocket.getHandshakeSession(); |
1490 SSLSession session = sslSocket.getHandshakeSession(); |
1491 |
1494 |
1492 // check endpoint identity |
1495 // check endpoint identity |
1493 String identityAlg = sslSocket.getSSLParameters(). |
1496 String identityAlg = sslSocket.getSSLParameters(). |
1494 getEndpointIdentificationAlgorithm(); |
1497 getEndpointIdentificationAlgorithm(); |
1495 if (identityAlg != null && !identityAlg.isEmpty()) { |
1498 if (identityAlg != null && !identityAlg.isEmpty()) { |
1496 String hostname = session.getPeerHost(); |
1499 X509TrustManagerImpl.checkIdentity(session, chain, |
1497 X509TrustManagerImpl.checkIdentity( |
1500 identityAlg, checkClientTrusted); |
1498 hostname, chain[0], identityAlg); |
|
1499 } |
1501 } |
1500 |
1502 |
1501 // try the best to check the algorithm constraints |
1503 // try the best to check the algorithm constraints |
1502 AlgorithmConstraints constraints; |
1504 AlgorithmConstraints constraints; |
1503 if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) { |
1505 if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) { |
1515 } |
1517 } |
1516 } else { |
1518 } else { |
1517 constraints = new SSLAlgorithmConstraints(sslSocket, true); |
1519 constraints = new SSLAlgorithmConstraints(sslSocket, true); |
1518 } |
1520 } |
1519 |
1521 |
1520 checkAlgorithmConstraints(chain, constraints, isClient); |
1522 checkAlgorithmConstraints(chain, constraints, checkClientTrusted); |
1521 } |
1523 } |
1522 } |
1524 } |
1523 |
1525 |
1524 private void checkAdditionalTrust(X509Certificate[] chain, String authType, |
1526 private void checkAdditionalTrust(X509Certificate[] chain, |
1525 SSLEngine engine, boolean isClient) throws CertificateException { |
1527 String authType, SSLEngine engine, |
|
1528 boolean checkClientTrusted) throws CertificateException { |
1526 if (engine != null) { |
1529 if (engine != null) { |
1527 SSLSession session = engine.getHandshakeSession(); |
1530 SSLSession session = engine.getHandshakeSession(); |
1528 if (session == null) { |
1531 if (session == null) { |
1529 throw new CertificateException("No handshake session"); |
1532 throw new CertificateException("No handshake session"); |
1530 } |
1533 } |
1531 |
1534 |
1532 // check endpoint identity |
1535 // check endpoint identity |
1533 String identityAlg = engine.getSSLParameters(). |
1536 String identityAlg = engine.getSSLParameters(). |
1534 getEndpointIdentificationAlgorithm(); |
1537 getEndpointIdentificationAlgorithm(); |
1535 if (identityAlg != null && !identityAlg.isEmpty()) { |
1538 if (identityAlg != null && !identityAlg.isEmpty()) { |
1536 String hostname = session.getPeerHost(); |
1539 X509TrustManagerImpl.checkIdentity(session, chain, |
1537 X509TrustManagerImpl.checkIdentity( |
1540 identityAlg, checkClientTrusted); |
1538 hostname, chain[0], identityAlg); |
|
1539 } |
1541 } |
1540 |
1542 |
1541 // try the best to check the algorithm constraints |
1543 // try the best to check the algorithm constraints |
1542 AlgorithmConstraints constraints; |
1544 AlgorithmConstraints constraints; |
1543 if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) { |
1545 if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) { |
1555 } |
1557 } |
1556 } else { |
1558 } else { |
1557 constraints = new SSLAlgorithmConstraints(engine, true); |
1559 constraints = new SSLAlgorithmConstraints(engine, true); |
1558 } |
1560 } |
1559 |
1561 |
1560 checkAlgorithmConstraints(chain, constraints, isClient); |
1562 checkAlgorithmConstraints(chain, constraints, checkClientTrusted); |
1561 } |
1563 } |
1562 } |
1564 } |
1563 |
1565 |
1564 private void checkAlgorithmConstraints(X509Certificate[] chain, |
1566 private void checkAlgorithmConstraints(X509Certificate[] chain, |
1565 AlgorithmConstraints constraints, |
1567 AlgorithmConstraints constraints, |
1566 boolean isClient) throws CertificateException { |
1568 boolean checkClientTrusted) throws CertificateException { |
1567 try { |
1569 try { |
1568 // Does the certificate chain end with a trusted certificate? |
1570 // Does the certificate chain end with a trusted certificate? |
1569 int checkedLength = chain.length - 1; |
1571 int checkedLength = chain.length - 1; |
1570 |
1572 |
1571 Collection<X509Certificate> trustedCerts = new HashSet<>(); |
1573 Collection<X509Certificate> trustedCerts = new HashSet<>(); |
1580 |
1582 |
1581 // A forward checker, need to check from trust to target |
1583 // A forward checker, need to check from trust to target |
1582 if (checkedLength >= 0) { |
1584 if (checkedLength >= 0) { |
1583 AlgorithmChecker checker = |
1585 AlgorithmChecker checker = |
1584 new AlgorithmChecker(constraints, null, |
1586 new AlgorithmChecker(constraints, null, |
1585 (isClient ? Validator.VAR_TLS_CLIENT : |
1587 (checkClientTrusted ? Validator.VAR_TLS_CLIENT : |
1586 Validator.VAR_TLS_SERVER)); |
1588 Validator.VAR_TLS_SERVER)); |
1587 checker.init(false); |
1589 checker.init(false); |
1588 for (int i = checkedLength; i >= 0; i--) { |
1590 for (int i = checkedLength; i >= 0; i--) { |
1589 X509Certificate cert = chain[i]; |
1591 X509Certificate cert = chain[i]; |
1590 // We don't care about the unresolved critical extensions. |
1592 // We don't care about the unresolved critical extensions. |