24 */ |
24 */ |
25 |
25 |
26 package javax.net.ssl; |
26 package javax.net.ssl; |
27 |
27 |
28 import java.security.AlgorithmConstraints; |
28 import java.security.AlgorithmConstraints; |
|
29 import java.util.Map; |
|
30 import java.util.List; |
|
31 import java.util.HashSet; |
|
32 import java.util.HashMap; |
|
33 import java.util.ArrayList; |
|
34 import java.util.Collection; |
|
35 import java.util.Collections; |
|
36 import java.util.LinkedHashMap; |
|
37 import java.util.regex.Pattern; |
29 |
38 |
30 /** |
39 /** |
31 * Encapsulates parameters for an SSL/TLS connection. The parameters |
40 * Encapsulates parameters for an SSL/TLS connection. The parameters |
32 * are the list of ciphersuites to be accepted in an SSL/TLS handshake, |
41 * are the list of ciphersuites to be accepted in an SSL/TLS handshake, |
33 * the list of protocols to be allowed, the endpoint identification |
42 * the list of protocols to be allowed, the endpoint identification |
34 * algorithm during SSL/TLS handshaking, the algorithm constraints and |
43 * algorithm during SSL/TLS handshaking, the Server Name Indication (SNI), |
35 * whether SSL/TLS servers should request or require client authentication. |
44 * the algorithm constraints and whether SSL/TLS servers should request |
|
45 * or require client authentication. |
36 * <p> |
46 * <p> |
37 * SSLParameters can be created via the constructors in this class. |
47 * SSLParameters can be created via the constructors in this class. |
38 * Objects can also be obtained using the <code>getSSLParameters()</code> |
48 * Objects can also be obtained using the <code>getSSLParameters()</code> |
39 * methods in |
49 * methods in |
40 * {@link SSLSocket#getSSLParameters SSLSocket} and |
50 * {@link SSLSocket#getSSLParameters SSLSocket} and |
61 private String[] protocols; |
71 private String[] protocols; |
62 private boolean wantClientAuth; |
72 private boolean wantClientAuth; |
63 private boolean needClientAuth; |
73 private boolean needClientAuth; |
64 private String identificationAlgorithm; |
74 private String identificationAlgorithm; |
65 private AlgorithmConstraints algorithmConstraints; |
75 private AlgorithmConstraints algorithmConstraints; |
|
76 private Map<Integer, SNIServerName> sniNames = null; |
|
77 private Map<Integer, SNIMatcher> sniMatchers = null; |
66 |
78 |
67 /** |
79 /** |
68 * Constructs SSLParameters. |
80 * Constructs SSLParameters. |
69 * <p> |
81 * <p> |
70 * The cipherSuites and protocols values are set to <code>null</code>, |
82 * The values of cipherSuites, protocols, cryptographic algorithm |
|
83 * constraints, endpoint identification algorithm, server names and |
|
84 * server name matchers are set to <code>null</code>, |
71 * wantClientAuth and needClientAuth are set to <code>false</code>. |
85 * wantClientAuth and needClientAuth are set to <code>false</code>. |
72 */ |
86 */ |
73 public SSLParameters() { |
87 public SSLParameters() { |
74 // empty |
88 // empty |
75 } |
89 } |
252 */ |
266 */ |
253 public void setEndpointIdentificationAlgorithm(String algorithm) { |
267 public void setEndpointIdentificationAlgorithm(String algorithm) { |
254 this.identificationAlgorithm = algorithm; |
268 this.identificationAlgorithm = algorithm; |
255 } |
269 } |
256 |
270 |
|
271 /** |
|
272 * Sets the desired {@link SNIServerName}s of the Server Name |
|
273 * Indication (SNI) parameter. |
|
274 * <P> |
|
275 * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s |
|
276 * operating in client mode. |
|
277 * <P> |
|
278 * Note that the {@code serverNames} list is cloned |
|
279 * to protect against subsequent modification. |
|
280 * |
|
281 * @param serverNames |
|
282 * the list of desired {@link SNIServerName}s (or null) |
|
283 * |
|
284 * @throws NullPointerException if the {@code serverNames} |
|
285 * contains {@code null} element |
|
286 * @throws IllegalArgumentException if the {@code serverNames} |
|
287 * contains more than one name of the same name type |
|
288 * |
|
289 * @see SNIServerName |
|
290 * @see #getServerNames() |
|
291 * |
|
292 * @since 1.8 |
|
293 */ |
|
294 public void setServerNames(List<SNIServerName> serverNames) { |
|
295 if (serverNames != null) { |
|
296 if (!serverNames.isEmpty()) { |
|
297 sniNames = new LinkedHashMap<>(serverNames.size()); |
|
298 for (SNIServerName serverName : serverNames) { |
|
299 if (sniNames.put(serverName.getType(), |
|
300 serverName) != null) { |
|
301 throw new IllegalArgumentException( |
|
302 "Duplicated server name of type " + |
|
303 serverName.getType()); |
|
304 } |
|
305 } |
|
306 } else { |
|
307 sniNames = Collections.<Integer, SNIServerName>emptyMap(); |
|
308 } |
|
309 } else { |
|
310 sniNames = null; |
|
311 } |
|
312 } |
|
313 |
|
314 /** |
|
315 * Returns a {@link List} containing all {@link SNIServerName}s of the |
|
316 * Server Name Indication (SNI) parameter, or null if none has been set. |
|
317 * <P> |
|
318 * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s |
|
319 * operating in client mode. |
|
320 * <P> |
|
321 * For SSL/TLS connections, the underlying SSL/TLS provider |
|
322 * may specify a default value for a certain server name type. In |
|
323 * client mode, it is recommended that, by default, providers should |
|
324 * include the server name indication whenever the server can be located |
|
325 * by a supported server name type. |
|
326 * <P> |
|
327 * It is recommended that providers initialize default Server Name |
|
328 * Indications when creating {@code SSLSocket}/{@code SSLEngine}s. |
|
329 * In the following examples, the server name could be represented by an |
|
330 * instance of {@link SNIHostName} which has been initialized with the |
|
331 * hostname "www.example.com" and type |
|
332 * {@link StandardConstants#SNI_HOST_NAME}. |
|
333 * |
|
334 * <pre> |
|
335 * Socket socket = |
|
336 * sslSocketFactory.createSocket("www.example.com", 443); |
|
337 * </pre> |
|
338 * or |
|
339 * <pre> |
|
340 * SSLEngine engine = |
|
341 * sslContext.createSSLEngine("www.example.com", 443); |
|
342 * </pre> |
|
343 * <P> |
|
344 * |
|
345 * @return null or an immutable list of non-null {@link SNIServerName}s |
|
346 * |
|
347 * @see List |
|
348 * @see #setServerNames(List<SNIServerName>) |
|
349 * |
|
350 * @since 1.8 |
|
351 */ |
|
352 public List<SNIServerName> getServerNames() { |
|
353 if (sniNames != null) { |
|
354 if (!sniNames.isEmpty()) { |
|
355 return Collections.<SNIServerName>unmodifiableList( |
|
356 new ArrayList<>(sniNames.values())); |
|
357 } else { |
|
358 return Collections.<SNIServerName>emptyList(); |
|
359 } |
|
360 } |
|
361 |
|
362 return null; |
|
363 } |
|
364 |
|
365 /** |
|
366 * Sets the {@link SNIMatcher}s of the Server Name Indication (SNI) |
|
367 * parameter. |
|
368 * <P> |
|
369 * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s |
|
370 * operating in server mode. |
|
371 * <P> |
|
372 * Note that the {@code matchers} collection is cloned to protect |
|
373 * against subsequent modification. |
|
374 * |
|
375 * @param matchers |
|
376 * the collection of {@link SNIMatcher}s (or null) |
|
377 * |
|
378 * @throws NullPointerException if the {@code matchers} |
|
379 * contains {@code null} element |
|
380 * @throws IllegalArgumentException if the {@code matchers} |
|
381 * contains more than one name of the same name type |
|
382 * |
|
383 * @see Collection |
|
384 * @see SNIMatcher |
|
385 * @see #getSNIMatchers() |
|
386 * |
|
387 * @since 1.8 |
|
388 */ |
|
389 public void setSNIMatchers(Collection<SNIMatcher> matchers) { |
|
390 if (matchers != null) { |
|
391 if (!matchers.isEmpty()) { |
|
392 sniMatchers = new HashMap<>(matchers.size()); |
|
393 for (SNIMatcher matcher : matchers) { |
|
394 if (sniMatchers.put(matcher.getType(), |
|
395 matcher) != null) { |
|
396 throw new IllegalArgumentException( |
|
397 "Duplicated server name of type " + |
|
398 matcher.getType()); |
|
399 } |
|
400 } |
|
401 } else { |
|
402 sniMatchers = Collections.<Integer, SNIMatcher>emptyMap(); |
|
403 } |
|
404 } else { |
|
405 sniMatchers = null; |
|
406 } |
|
407 } |
|
408 |
|
409 /** |
|
410 * Returns a {@link Collection} containing all {@link SNIMatcher}s of the |
|
411 * Server Name Indication (SNI) parameter, or null if none has been set. |
|
412 * <P> |
|
413 * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s |
|
414 * operating in server mode. |
|
415 * <P> |
|
416 * For better interoperability, providers generally will not define |
|
417 * default matchers so that by default servers will ignore the SNI |
|
418 * extension and continue the handshake. |
|
419 * |
|
420 * @return null or an immutable collection of non-null {@link SNIMatcher}s |
|
421 * |
|
422 * @see SNIMatcher |
|
423 * @see #setSNIMatchers(Collection<SNIMatcher>) |
|
424 * |
|
425 * @since 1.8 |
|
426 */ |
|
427 public Collection<SNIMatcher> getSNIMatchers() { |
|
428 if (sniMatchers != null) { |
|
429 if (!sniMatchers.isEmpty()) { |
|
430 return Collections.<SNIMatcher>unmodifiableList( |
|
431 new ArrayList<>(sniMatchers.values())); |
|
432 } else { |
|
433 return Collections.<SNIMatcher>emptyList(); |
|
434 } |
|
435 } |
|
436 |
|
437 return null; |
|
438 } |
257 } |
439 } |
|
440 |