24 */ |
24 */ |
25 |
25 |
26 |
26 |
27 package sun.security.ssl; |
27 package sun.security.ssl; |
28 |
28 |
29 import java.io.*; |
|
30 import java.net.*; |
29 import java.net.*; |
31 import java.util.Enumeration; |
30 import java.util.Enumeration; |
32 import java.util.Hashtable; |
31 import java.util.Hashtable; |
33 import java.util.Vector; |
32 import java.util.Vector; |
34 import java.util.Arrays; |
|
35 import java.util.Collection; |
33 import java.util.Collection; |
36 import java.util.Collections; |
34 import java.util.Collections; |
37 import java.util.List; |
35 import java.util.List; |
38 import java.util.ArrayList; |
36 import java.util.ArrayList; |
39 |
37 |
43 import java.security.cert.X509Certificate; |
41 import java.security.cert.X509Certificate; |
44 import java.security.cert.CertificateEncodingException; |
42 import java.security.cert.CertificateEncodingException; |
45 |
43 |
46 import javax.crypto.SecretKey; |
44 import javax.crypto.SecretKey; |
47 |
45 |
48 import javax.net.ssl.SSLSession; |
|
49 import javax.net.ssl.SSLSessionContext; |
46 import javax.net.ssl.SSLSessionContext; |
50 import javax.net.ssl.SSLSessionBindingListener; |
47 import javax.net.ssl.SSLSessionBindingListener; |
51 import javax.net.ssl.SSLSessionBindingEvent; |
48 import javax.net.ssl.SSLSessionBindingEvent; |
52 import javax.net.ssl.SSLPeerUnverifiedException; |
49 import javax.net.ssl.SSLPeerUnverifiedException; |
53 import javax.net.ssl.SSLSession; |
|
54 import javax.net.ssl.SSLPermission; |
50 import javax.net.ssl.SSLPermission; |
55 import javax.net.ssl.SSLException; |
|
56 import javax.net.ssl.ExtendedSSLSession; |
51 import javax.net.ssl.ExtendedSSLSession; |
57 import javax.net.ssl.SNIServerName; |
52 import javax.net.ssl.SNIServerName; |
58 |
53 |
59 import javax.security.auth.x500.X500Principal; |
|
60 |
|
61 import static sun.security.ssl.CipherSuite.*; |
|
62 import static sun.security.ssl.CipherSuite.KeyExchange.*; |
54 import static sun.security.ssl.CipherSuite.KeyExchange.*; |
63 |
55 |
64 /** |
56 /** |
65 * Implements the SSL session interface, and exposes the session context |
57 * Implements the SSL session interface, and exposes the session context |
66 * which is maintained by SSL servers. |
58 * which is maintained by SSL servers. |
248 boolean isRejoinable() { |
240 boolean isRejoinable() { |
249 return sessionId != null && sessionId.length() != 0 && |
241 return sessionId != null && sessionId.length() != 0 && |
250 !invalidated && isLocalAuthenticationValid(); |
242 !invalidated && isLocalAuthenticationValid(); |
251 } |
243 } |
252 |
244 |
|
245 @Override |
253 public synchronized boolean isValid() { |
246 public synchronized boolean isValid() { |
254 return isRejoinable(); |
247 return isRejoinable(); |
255 } |
248 } |
256 |
249 |
257 /** |
250 /** |
275 |
268 |
276 /** |
269 /** |
277 * Returns the ID for this session. The ID is fixed for the |
270 * Returns the ID for this session. The ID is fixed for the |
278 * duration of the session; neither it, nor its value, changes. |
271 * duration of the session; neither it, nor its value, changes. |
279 */ |
272 */ |
|
273 @Override |
280 public byte[] getId() { |
274 public byte[] getId() { |
281 return sessionId.getId(); |
275 return sessionId.getId(); |
282 } |
276 } |
283 |
277 |
284 /** |
278 /** |
285 * For server sessions, this returns the set of sessions which |
279 * For server sessions, this returns the set of sessions which |
286 * are currently valid in this process. For client sessions, |
280 * are currently valid in this process. For client sessions, |
287 * this returns null. |
281 * this returns null. |
288 */ |
282 */ |
|
283 @Override |
289 public SSLSessionContext getSessionContext() { |
284 public SSLSessionContext getSessionContext() { |
290 /* |
285 /* |
291 * An interim security policy until we can do something |
286 * An interim security policy until we can do something |
292 * more specific in 1.2. Only allow trusted code (code which |
287 * more specific in 1.2. Only allow trusted code (code which |
293 * can set system properties) to get an |
288 * can set system properties) to get an |
355 } |
352 } |
356 |
353 |
357 /** |
354 /** |
358 * Returns the hashcode for this session |
355 * Returns the hashcode for this session |
359 */ |
356 */ |
|
357 @Override |
360 public int hashCode() { |
358 public int hashCode() { |
361 return sessionId.hashCode(); |
359 return sessionId.hashCode(); |
362 } |
360 } |
363 |
361 |
364 |
362 |
365 /** |
363 /** |
366 * Returns true if sessions have same ids, false otherwise. |
364 * Returns true if sessions have same ids, false otherwise. |
367 */ |
365 */ |
|
366 @Override |
368 public boolean equals(Object obj) { |
367 public boolean equals(Object obj) { |
369 |
368 |
370 if (obj == this) { |
369 if (obj == this) { |
371 return true; |
370 return true; |
372 } |
371 } |
389 * such as Kerberos, will throw an SSLPeerUnverifiedException. |
388 * such as Kerberos, will throw an SSLPeerUnverifiedException. |
390 * |
389 * |
391 * @return array of peer X.509 certs, with the peer's own cert |
390 * @return array of peer X.509 certs, with the peer's own cert |
392 * first in the chain, and with the "root" CA last. |
391 * first in the chain, and with the "root" CA last. |
393 */ |
392 */ |
|
393 @Override |
394 public java.security.cert.Certificate[] getPeerCertificates() |
394 public java.security.cert.Certificate[] getPeerCertificates() |
395 throws SSLPeerUnverifiedException { |
395 throws SSLPeerUnverifiedException { |
396 // |
396 // |
397 // clone to preserve integrity of session ... caller can't |
397 // clone to preserve integrity of session ... caller can't |
398 // change record of peer identity even by accident, much |
398 // change record of peer identity even by accident, much |
419 * cipher suites. |
419 * cipher suites. |
420 * |
420 * |
421 * @return array of peer X.509 certs, with the peer's own cert |
421 * @return array of peer X.509 certs, with the peer's own cert |
422 * first in the chain, and with the "root" CA last. |
422 * first in the chain, and with the "root" CA last. |
423 */ |
423 */ |
|
424 @Override |
424 public java.security.cert.Certificate[] getLocalCertificates() { |
425 public java.security.cert.Certificate[] getLocalCertificates() { |
425 // |
426 // |
426 // clone to preserve integrity of session ... caller can't |
427 // clone to preserve integrity of session ... caller can't |
427 // change record of peer identity even by accident, much |
428 // change record of peer identity even by accident, much |
428 // less do it intentionally. |
429 // less do it intentionally. |
438 * such as Kerberos, will throw an SSLPeerUnverifiedException. |
439 * such as Kerberos, will throw an SSLPeerUnverifiedException. |
439 * |
440 * |
440 * @return array of peer X.509 certs, with the peer's own cert |
441 * @return array of peer X.509 certs, with the peer's own cert |
441 * first in the chain, and with the "root" CA last. |
442 * first in the chain, and with the "root" CA last. |
442 */ |
443 */ |
|
444 @Override |
443 public javax.security.cert.X509Certificate[] getPeerCertificateChain() |
445 public javax.security.cert.X509Certificate[] getPeerCertificateChain() |
444 throws SSLPeerUnverifiedException { |
446 throws SSLPeerUnverifiedException { |
445 // |
447 // |
446 // clone to preserve integrity of session ... caller can't |
448 // clone to preserve integrity of session ... caller can't |
447 // change record of peer identity even by accident, much |
449 // change record of peer identity even by accident, much |
509 * Principal for Kerberos cipher suites. |
511 * Principal for Kerberos cipher suites. |
510 * |
512 * |
511 * @throws SSLPeerUnverifiedException if the peer's identity has not |
513 * @throws SSLPeerUnverifiedException if the peer's identity has not |
512 * been verified |
514 * been verified |
513 */ |
515 */ |
|
516 @Override |
514 public Principal getPeerPrincipal() |
517 public Principal getPeerPrincipal() |
515 throws SSLPeerUnverifiedException |
518 throws SSLPeerUnverifiedException |
516 { |
519 { |
517 if ((cipherSuite.keyExchange == K_KRB5) || |
520 if ((cipherSuite.keyExchange == K_KRB5) || |
518 (cipherSuite.keyExchange == K_KRB5_EXPORT)) { |
521 (cipherSuite.keyExchange == K_KRB5_EXPORT)) { |
535 * @return the principal sent to the peer. Returns an X500Principal |
538 * @return the principal sent to the peer. Returns an X500Principal |
536 * of the end-entity certificate for X509-based cipher suites, and |
539 * of the end-entity certificate for X509-based cipher suites, and |
537 * Principal for Kerberos cipher suites. If no principal was |
540 * Principal for Kerberos cipher suites. If no principal was |
538 * sent, then null is returned. |
541 * sent, then null is returned. |
539 */ |
542 */ |
|
543 @Override |
540 public Principal getLocalPrincipal() { |
544 public Principal getLocalPrincipal() { |
541 |
545 |
542 if ((cipherSuite.keyExchange == K_KRB5) || |
546 if ((cipherSuite.keyExchange == K_KRB5) || |
543 (cipherSuite.keyExchange == K_KRB5_EXPORT)) { |
547 (cipherSuite.keyExchange == K_KRB5_EXPORT)) { |
544 // Eliminate dependency on KerberosPrincipal |
548 // Eliminate dependency on KerberosPrincipal |
549 } |
553 } |
550 |
554 |
551 /** |
555 /** |
552 * Returns the time this session was created. |
556 * Returns the time this session was created. |
553 */ |
557 */ |
|
558 @Override |
554 public long getCreationTime() { |
559 public long getCreationTime() { |
555 return creationTime; |
560 return creationTime; |
556 } |
561 } |
557 |
562 |
558 /** |
563 /** |
559 * Returns the last time this session was used to initialize |
564 * Returns the last time this session was used to initialize |
560 * a connection. |
565 * a connection. |
561 */ |
566 */ |
|
567 @Override |
562 public long getLastAccessedTime() { |
568 public long getLastAccessedTime() { |
563 return (lastUsedTime != 0) ? lastUsedTime : creationTime; |
569 return (lastUsedTime != 0) ? lastUsedTime : creationTime; |
564 } |
570 } |
565 |
571 |
566 void setLastAccessedTime(long time) { |
572 void setLastAccessedTime(long time) { |
580 } catch (java.net.UnknownHostException e) { |
586 } catch (java.net.UnknownHostException e) { |
581 return null; |
587 return null; |
582 } |
588 } |
583 } |
589 } |
584 |
590 |
|
591 @Override |
585 public String getPeerHost() { |
592 public String getPeerHost() { |
586 return host; |
593 return host; |
587 } |
594 } |
588 |
595 |
589 /** |
596 /** |
590 * Need to provide the port info for caching sessions based on |
597 * Need to provide the port info for caching sessions based on |
591 * host and port. Accessed by SSLSessionContextImpl |
598 * host and port. Accessed by SSLSessionContextImpl |
592 */ |
599 */ |
|
600 @Override |
593 public int getPeerPort() { |
601 public int getPeerPort() { |
594 return port; |
602 return port; |
595 } |
603 } |
596 |
604 |
597 void setContext(SSLSessionContextImpl ctx) { |
605 void setContext(SSLSessionContextImpl ctx) { |
602 |
610 |
603 /** |
611 /** |
604 * Invalidate a session. Active connections may still exist, but |
612 * Invalidate a session. Active connections may still exist, but |
605 * no connections will be able to rejoin this session. |
613 * no connections will be able to rejoin this session. |
606 */ |
614 */ |
|
615 @Override |
607 synchronized public void invalidate() { |
616 synchronized public void invalidate() { |
608 // |
617 // |
609 // Can't invalidate the NULL session -- this would be |
618 // Can't invalidate the NULL session -- this would be |
610 // attempted when we get a handshaking error on a brand |
619 // attempted when we get a handshaking error on a brand |
611 // new connection, with no "real" session yet. |
620 // new connection, with no "real" session yet. |
632 |
641 |
633 /** |
642 /** |
634 * Assigns a session value. Session change events are given if |
643 * Assigns a session value. Session change events are given if |
635 * appropriate, to any original value as well as the new value. |
644 * appropriate, to any original value as well as the new value. |
636 */ |
645 */ |
|
646 @Override |
637 public void putValue(String key, Object value) { |
647 public void putValue(String key, Object value) { |
638 if ((key == null) || (value == null)) { |
648 if ((key == null) || (value == null)) { |
639 throw new IllegalArgumentException("arguments can not be null"); |
649 throw new IllegalArgumentException("arguments can not be null"); |
640 } |
650 } |
641 |
651 |
692 |
704 |
693 |
705 |
694 /** |
706 /** |
695 * Lists the names of the session values. |
707 * Lists the names of the session values. |
696 */ |
708 */ |
|
709 @Override |
697 public String[] getValueNames() { |
710 public String[] getValueNames() { |
698 Enumeration<SecureKey> e; |
711 Enumeration<SecureKey> e; |
699 Vector<Object> v = new Vector<>(); |
712 Vector<Object> v = new Vector<>(); |
700 SecureKey key; |
713 SecureKey key; |
701 Object securityCtx = SecureKey.getCurrentSecurityContext(); |
714 Object securityCtx = SecureKey.getCurrentSecurityContext(); |
739 |
752 |
740 /** |
753 /** |
741 * Gets the current size of the largest SSL/TLS packet that is expected |
754 * Gets the current size of the largest SSL/TLS packet that is expected |
742 * when using this session. |
755 * when using this session. |
743 */ |
756 */ |
|
757 @Override |
744 public synchronized int getPacketBufferSize() { |
758 public synchronized int getPacketBufferSize() { |
745 return acceptLargeFragments ? |
759 return acceptLargeFragments ? |
746 Record.maxLargeRecordSize : Record.maxRecordSize; |
760 Record.maxLargeRecordSize : Record.maxRecordSize; |
747 } |
761 } |
748 |
762 |
749 /** |
763 /** |
750 * Gets the current size of the largest application data that is |
764 * Gets the current size of the largest application data that is |
751 * expected when using this session. |
765 * expected when using this session. |
752 */ |
766 */ |
|
767 @Override |
753 public synchronized int getApplicationBufferSize() { |
768 public synchronized int getApplicationBufferSize() { |
754 return getPacketBufferSize() - Record.headerSize; |
769 return getPacketBufferSize() - Record.headerSize; |
755 } |
770 } |
756 |
771 |
757 /** |
772 /** |
793 |
808 |
794 return Collections.<SNIServerName>emptyList(); |
809 return Collections.<SNIServerName>emptyList(); |
795 } |
810 } |
796 |
811 |
797 /** Returns a string representation of this SSL session */ |
812 /** Returns a string representation of this SSL session */ |
|
813 @Override |
798 public String toString() { |
814 public String toString() { |
799 return "[Session-" + sessionCount |
815 return "[Session-" + sessionCount |
800 + ", " + getCipherSuite() |
816 + ", " + getCipherSuite() |
801 + "]"; |
817 + "]"; |
802 } |
818 } |
803 |
819 |
804 /** |
820 /** |
805 * When SSL sessions are finalized, all values bound to |
821 * When SSL sessions are finalized, all values bound to |
806 * them are removed. |
822 * them are removed. |
807 */ |
823 */ |
|
824 @Override |
808 public void finalize() { |
825 public void finalize() { |
809 String[] names = getValueNames(); |
826 String[] names = getValueNames(); |
810 for (int i = 0; i < names.length; i++) { |
827 for (int i = 0; i < names.length; i++) { |
811 removeValue(names[i]); |
828 removeValue(names[i]); |
812 } |
829 } |
845 |
862 |
846 Object getSecurityContext() { |
863 Object getSecurityContext() { |
847 return securityCtx; |
864 return securityCtx; |
848 } |
865 } |
849 |
866 |
|
867 @Override |
850 public int hashCode() { |
868 public int hashCode() { |
851 return appKey.hashCode() ^ securityCtx.hashCode(); |
869 return appKey.hashCode() ^ securityCtx.hashCode(); |
852 } |
870 } |
853 |
871 |
|
872 @Override |
854 public boolean equals(Object o) { |
873 public boolean equals(Object o) { |
855 return o instanceof SecureKey && ((SecureKey)o).appKey.equals(appKey) |
874 return o instanceof SecureKey && ((SecureKey)o).appKey.equals(appKey) |
856 && ((SecureKey)o).securityCtx.equals(securityCtx); |
875 && ((SecureKey)o).securityCtx.equals(securityCtx); |
857 } |
876 } |
858 } |
877 } |