Package org.conscrypt
Class SSLParametersImpl
- java.lang.Object
  - org.conscrypt.SSLParametersImpl
- All Implemented Interfaces: java.lang.Cloneable

final class SSLParametersImpl extends java.lang.Object implements java.lang.Cloneable
Instances of this class encapsulate all the information about enabled cipher suites and protocols, as well as the client/server mode of the SSL socket, whether it requires/wants client authentication, and whether new SSL sessions may be established by this socket.
-
-
Nested Class Summary
- (package private) static interface SSLParametersImpl.AliasChooser: For abstracting the X509KeyManager calls between X509KeyManager.chooseClientAlias(String[], java.security.Principal[], java.net.Socket) and X509ExtendedKeyManager.chooseEngineClientAlias(String[], java.security.Principal[], javax.net.ssl.SSLEngine).
- (package private) static interface SSLParametersImpl.PSKCallbacks: For abstracting the PSKKeyManager calls between those taking an SSLSocket and those taking an SSLEngine.
-
Field Summary
- private java.security.AlgorithmConstraints algorithmConstraints
- (package private) byte[] applicationProtocols
- (package private) ApplicationProtocolSelectorAdapter applicationProtocolSelector
- (package private) boolean channelIdEnabled: Whether the TLS Channel ID extension is enabled.
- private boolean client_mode
- private ClientSessionContext clientSessionContext
- private boolean ctVerificationEnabled
- private static SSLParametersImpl defaultParameters
- private static javax.net.ssl.X509KeyManager defaultX509KeyManager
- private static javax.net.ssl.X509TrustManager defaultX509TrustManager
- private static java.lang.String[] EMPTY_STRING_ARRAY
- private boolean enable_session_creation
- (package private) java.lang.String[] enabledCipherSuites
- (package private) java.lang.String[] enabledProtocols
- private java.lang.String endpointIdentificationAlgorithm
- (package private) boolean isEnabledProtocolsFiltered
- private boolean need_client_auth
- (package private) byte[] ocspResponse
- private PSKKeyManager pskKeyManager
- (package private) byte[] sctExtension
- private ServerSessionContext serverSessionContext
- private java.util.Collection<javax.net.ssl.SNIMatcher> sniMatchers
- private boolean useCipherSuitesOrder
- (package private) boolean useSessionTickets
- private java.lang.Boolean useSni
- private boolean want_client_auth
- private javax.net.ssl.X509KeyManager x509KeyManager
- private javax.net.ssl.X509TrustManager x509TrustManager
-
Constructor Summary
- (package private) SSLParametersImpl(javax.net.ssl.KeyManager[] kms, javax.net.ssl.TrustManager[] tms, java.security.SecureRandom sr, ClientSessionContext clientSessionContext, ServerSessionContext serverSessionContext, java.lang.String[] protocols): Initializes the parameters.
- private SSLParametersImpl(ClientSessionContext clientSessionContext, ServerSessionContext serverSessionContext, javax.net.ssl.X509KeyManager x509KeyManager, PSKKeyManager pskKeyManager, javax.net.ssl.X509TrustManager x509TrustManager, SSLParametersImpl sslParams)
-
Method Summary
- protected java.lang.Object clone(): Returns the clone of this object.
- (package private) SSLParametersImpl cloneWithTrustManager(javax.net.ssl.X509TrustManager newTrustManager)
- private static javax.net.ssl.X509KeyManager createDefaultX509KeyManager()
- private static javax.net.ssl.X509TrustManager createDefaultX509TrustManager()
- private static java.lang.String[] filterFromCipherSuites(java.lang.String[] cipherSuites, java.util.Set<java.lang.String> toRemove)
- private static java.lang.String[] filterFromProtocols(java.lang.String[] protocols, java.lang.String obsoleteProtocol): Filters obsoleteProtocol out of the list of protocols to help with app compatibility.
- private static PSKKeyManager findFirstPSKKeyManager(javax.net.ssl.KeyManager[] kms): Finds the first PSKKeyManager element in the provided array.
- private static javax.net.ssl.X509KeyManager findFirstX509KeyManager(javax.net.ssl.KeyManager[] kms): Finds the first X509KeyManager element in the provided array.
- private static javax.net.ssl.X509TrustManager findFirstX509TrustManager(javax.net.ssl.TrustManager[] tms): Finds the first X509TrustManager element in the provided array.
- (package private) java.security.AlgorithmConstraints getAlgorithmConstraints()
- (package private) java.lang.String[] getApplicationProtocols()
- (package private) ApplicationProtocolSelectorAdapter getApplicationProtocolSelector(): Returns the application protocol (ALPN) selector for this socket.
- (package private) ClientSessionContext getClientSessionContext()
- (package private) static SSLParametersImpl getDefault()
- private static java.lang.String[] getDefaultCipherSuites(boolean x509CipherSuitesNeeded, boolean pskCipherSuitesNeeded)
- private static javax.net.ssl.X509KeyManager getDefaultX509KeyManager()
- (package private) static javax.net.ssl.X509TrustManager getDefaultX509TrustManager(): Gets the default X.509 trust manager.
- (package private) java.lang.String[] getEnabledCipherSuites()
- (package private) java.lang.String[] getEnabledProtocols()
- (package private) boolean getEnableSessionCreation(): Returns whether the peer holding these parameters is allowed to create new SSL sessions.
- (package private) java.lang.String getEndpointIdentificationAlgorithm()
- (package private) boolean getNeedClientAuth(): Returns whether the peer holding these parameters is tuned to require client authentication.
- (package private) byte[] getOCSPResponse()
- (package private) PSKKeyManager getPSKKeyManager()
- (package private) AbstractSessionContext getSessionContext(): Returns the appropriate session context.
- (package private) java.util.Collection<javax.net.ssl.SNIMatcher> getSNIMatchers()
- (package private) boolean getUseCipherSuitesOrder()
- (package private) boolean getUseClientMode(): Returns whether the parameters are configured to work in client mode.
- (package private) boolean getUseSni(): Returns whether connections using this SSL connection should use the TLS extension Server Name Indication (SNI).
- (package private) boolean getWantClientAuth(): Returns whether the peer holding these parameters is tuned to request client authentication.
- (package private) javax.net.ssl.X509KeyManager getX509KeyManager()
- (package private) javax.net.ssl.X509TrustManager getX509TrustManager()
- (package private) boolean isCTVerificationEnabled(java.lang.String hostname): Checks if SCT verification is enforced for a given hostname.
- private boolean isSniEnabledByDefault(): Returns whether Server Name Indication (SNI) is enabled by default for sockets.
- (package private) void setAlgorithmConstraints(java.security.AlgorithmConstraints algorithmConstraints)
- (package private) void setApplicationProtocols(java.lang.String[] protocols): Sets the list of ALPN protocols.
- (package private) void setApplicationProtocolSelector(ApplicationProtocolSelectorAdapter applicationProtocolSelector): Used for server mode only.
- (package private) void setCTVerificationEnabled(boolean enabled): For testing only.
- (package private) void setEnabledCipherSuites(java.lang.String[] cipherSuites): Sets the enabled cipher suites after filtering through OpenSSL.
- (package private) void setEnabledProtocols(java.lang.String[] protocols): Sets the list of protocols available for use in the SSL connection.
- (package private) void setEnableSessionCreation(boolean flag): Allows/disallows the peer holding these parameters to create new SSL sessions.
- (package private) void setEndpointIdentificationAlgorithm(java.lang.String endpointIdentificationAlgorithm)
- (package private) void setNeedClientAuth(boolean need): Tunes the peer holding these parameters to require client authentication.
- (package private) void setOCSPResponse(byte[] response): For testing only.
- (package private) void setSCTExtension(byte[] extension): For testing only.
- (package private) void setSNIMatchers(java.util.Collection<javax.net.ssl.SNIMatcher> sniMatchers)
- (package private) void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
- (package private) void setUseClientMode(boolean mode): Tunes the peer holding these parameters to work in client mode.
- (package private) void setUseSessionTickets(boolean useSessionTickets)
- (package private) void setUseSni(boolean flag): Sets whether connections using this SSL connection should use the TLS extension Server Name Indication (SNI).
- (package private) void setWantClientAuth(boolean want): Tunes the peer holding these parameters to request client authentication.
-
-
-
Field Detail
-
defaultX509KeyManager
private static volatile javax.net.ssl.X509KeyManager defaultX509KeyManager
-
defaultX509TrustManager
private static volatile javax.net.ssl.X509TrustManager defaultX509TrustManager
-
defaultParameters
private static volatile SSLParametersImpl defaultParameters
-
clientSessionContext
private final ClientSessionContext clientSessionContext
-
serverSessionContext
private final ServerSessionContext serverSessionContext
-
x509KeyManager
private final javax.net.ssl.X509KeyManager x509KeyManager
-
pskKeyManager
private final PSKKeyManager pskKeyManager
-
x509TrustManager
private final javax.net.ssl.X509TrustManager x509TrustManager
-
enabledProtocols
java.lang.String[] enabledProtocols
-
isEnabledProtocolsFiltered
boolean isEnabledProtocolsFiltered
-
enabledCipherSuites
java.lang.String[] enabledCipherSuites
-
client_mode
private boolean client_mode
-
need_client_auth
private boolean need_client_auth
-
want_client_auth
private boolean want_client_auth
-
enable_session_creation
private boolean enable_session_creation
-
endpointIdentificationAlgorithm
private java.lang.String endpointIdentificationAlgorithm
-
useCipherSuitesOrder
private boolean useCipherSuitesOrder
-
sniMatchers
private java.util.Collection<javax.net.ssl.SNIMatcher> sniMatchers
-
algorithmConstraints
private java.security.AlgorithmConstraints algorithmConstraints
-
ctVerificationEnabled
private boolean ctVerificationEnabled
-
sctExtension
byte[] sctExtension
-
ocspResponse
byte[] ocspResponse
-
applicationProtocols
byte[] applicationProtocols
-
applicationProtocolSelector
ApplicationProtocolSelectorAdapter applicationProtocolSelector
-
useSessionTickets
boolean useSessionTickets
-
useSni
private java.lang.Boolean useSni
-
channelIdEnabled
boolean channelIdEnabled
Whether the TLS Channel ID extension is enabled. This field is server-side only.
-
EMPTY_STRING_ARRAY
private static final java.lang.String[] EMPTY_STRING_ARRAY
-
-
Constructor Detail
-
SSLParametersImpl
SSLParametersImpl(javax.net.ssl.KeyManager[] kms, javax.net.ssl.TrustManager[] tms, java.security.SecureRandom sr, ClientSessionContext clientSessionContext, ServerSessionContext serverSessionContext, java.lang.String[] protocols) throws java.security.KeyManagementException
Initializes the parameters. Naturally this constructor is used in the SSLContextImpl.engineInit method, which passes its parameters through directly. In other words, this constructor holds all the functionality provided by the SSLContext.init method. See SSLContext.init(KeyManager[], TrustManager[], SecureRandom) for more information.
- Throws:
java.security.KeyManagementException
-
SSLParametersImpl
private SSLParametersImpl(ClientSessionContext clientSessionContext, ServerSessionContext serverSessionContext, javax.net.ssl.X509KeyManager x509KeyManager, PSKKeyManager pskKeyManager, javax.net.ssl.X509TrustManager x509TrustManager, SSLParametersImpl sslParams)
-
-
Method Detail
-
getDefault
static SSLParametersImpl getDefault() throws java.security.KeyManagementException
- Throws:
java.security.KeyManagementException
-
getSessionContext
AbstractSessionContext getSessionContext()
Returns the appropriate session context.
-
getClientSessionContext
ClientSessionContext getClientSessionContext()
- Returns:
- client session context
-
getX509KeyManager
javax.net.ssl.X509KeyManager getX509KeyManager()
- Returns:
- X.509 key manager or null for none.
-
getPSKKeyManager
PSKKeyManager getPSKKeyManager()
- Returns:
- Pre-Shared Key (PSK) key manager or null for none.
-
getX509TrustManager
javax.net.ssl.X509TrustManager getX509TrustManager()
- Returns:
- X.509 trust manager or null for none.
-
getEnabledCipherSuites
java.lang.String[] getEnabledCipherSuites()
- Returns:
- the names of enabled cipher suites
-
setEnabledCipherSuites
void setEnabledCipherSuites(java.lang.String[] cipherSuites)
Sets the enabled cipher suites after filtering through OpenSSL.
-
getEnabledProtocols
java.lang.String[] getEnabledProtocols()
- Returns:
- the set of enabled protocols
-
setEnabledProtocols
void setEnabledProtocols(java.lang.String[] protocols)
Sets the list of protocols available for use in the SSL connection.
- Throws:
java.lang.IllegalArgumentException - if protocols == null
-
setApplicationProtocols
void setApplicationProtocols(java.lang.String[] protocols)
Sets the list of ALPN protocols.
- Parameters:
protocols - the list of ALPN protocols
-
getApplicationProtocols
java.lang.String[] getApplicationProtocols()
-
setApplicationProtocolSelector
void setApplicationProtocolSelector(ApplicationProtocolSelectorAdapter applicationProtocolSelector)
Used for server mode only. Sets or clears the application-provided ALPN protocol selector. If set, it overrides the protocol list provided by setApplicationProtocols(String[]).
-
getApplicationProtocolSelector
ApplicationProtocolSelectorAdapter getApplicationProtocolSelector()
Returns the application protocol (ALPN) selector for this socket.
-
setUseClientMode
void setUseClientMode(boolean mode)
Tunes the peer holding these parameters to work in client mode.
- Parameters:
mode - whether the peer is configured to work in client mode
-
getUseClientMode
boolean getUseClientMode()
Returns whether the parameters are configured to work in client mode.
-
setNeedClientAuth
void setNeedClientAuth(boolean need)
Tunes the peer holding these parameters to require client authentication.
-
getNeedClientAuth
boolean getNeedClientAuth()
Returns whether the peer holding these parameters is tuned to require client authentication.
-
setWantClientAuth
void setWantClientAuth(boolean want)
Tunes the peer holding these parameters to request client authentication.
-
getWantClientAuth
boolean getWantClientAuth()
Returns whether the peer holding these parameters is tuned to request client authentication.
-
setEnableSessionCreation
void setEnableSessionCreation(boolean flag)
Allows/disallows the peer holding these parameters to create new SSL sessions.
-
getEnableSessionCreation
boolean getEnableSessionCreation()
Returns whether the peer holding these parameters is allowed to create new SSL sessions.
-
setUseSessionTickets
void setUseSessionTickets(boolean useSessionTickets)
-
setUseSni
void setUseSni(boolean flag)
Sets whether connections using this SSL connection should use the TLS extension Server Name Indication (SNI).
-
getUseSni
boolean getUseSni()
Returns whether connections using this SSL connection should use the TLS extension Server Name Indication (SNI).
-
setCTVerificationEnabled
void setCTVerificationEnabled(boolean enabled)
For testing only.
-
setSCTExtension
void setSCTExtension(byte[] extension)
For testing only.
-
setOCSPResponse
void setOCSPResponse(byte[] response)
For testing only.
-
getOCSPResponse
byte[] getOCSPResponse()
-
filterFromProtocols
private static java.lang.String[] filterFromProtocols(java.lang.String[] protocols, java.lang.String obsoleteProtocol)
Filters obsoleteProtocol out of the list of protocols to help with app compatibility.
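The contract documented for setEnabledProtocols (null is rejected with IllegalArgumentException) and filterFromProtocols (an obsolete protocol is dropped from the requested list), written out as an added example. This is not Conscrypt's own implementation: the class name, the use of the field pair enabledProtocols/isEnabledProtocolsFiltered to record that filtering narrowed the request, and the choice of "SSLv3" as the obsolete protocol are assumptions made for this illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration (not Conscrypt's own code) of the documented contract of
// setEnabledProtocols/filterFromProtocols. The class name, the holder fields and the
// choice of "SSLv3" as the obsolete protocol are assumptions made for this example.
public final class ProtocolFilterExample {
    private static final String[] EMPTY_STRING_ARRAY = new String[0];

    // Mirrors the page's fields: the effective list plus a flag recording that filtering
    // removed something (assumed here to be what isEnabledProtocolsFiltered tracks).
    String[] enabledProtocols = EMPTY_STRING_ARRAY;
    boolean isEnabledProtocolsFiltered;

    /** Returns a new array with every occurrence of obsoleteProtocol removed; never null. */
    static String[] filterFromProtocols(String[] protocols, String obsoleteProtocol) {
        List<String> kept = new ArrayList<>(protocols.length);
        for (String p : protocols) {
            if (!obsoleteProtocol.equals(p)) {   // null elements are simply kept
                kept.add(p);
            }
        }
        return kept.toArray(EMPTY_STRING_ARRAY);
    }

    /** Rejects null as documented, then drops the obsolete protocol from the request. */
    void setEnabledProtocols(String[] protocols) {
        if (protocols == null) {
            throw new IllegalArgumentException("protocols == null");
        }
        String[] filtered = filterFromProtocols(protocols, "SSLv3");
        // Record whether the caller's request was narrowed, so that what the application
        // asked for and what will actually be negotiated can be told apart later.
        isEnabledProtocolsFiltered = filtered.length != protocols.length;
        enabledProtocols = filtered;   // a fresh array, so later edits by the caller cannot leak in
    }

    public static void main(String[] args) {
        ProtocolFilterExample params = new ProtocolFilterExample();
        // Constructed sample input: one obsolete entry mixed with current ones.
        params.setEnabledProtocols(new String[] {"SSLv3", "TLSv1.2", "TLSv1.3"});
        System.out.println(Arrays.toString(params.enabledProtocols)
                + " filtered=" + params.isEnabledProtocolsFiltered);
        try {
            params.setEnabledProtocols(null);
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

The point of keeping the filtered flag separate from the list is that a caller reading back the enabled protocols cannot otherwise tell whether an entry it asked for was silently dropped for compatibility.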
-
filterFromCipherSuites
private static java.lang.String[] filterFromCipherSuites(java.lang.String[] cipherSuites, java.util.Set<java.lang.String> toRemove)
-
isSniEnabledByDefault
private boolean isSniEnabledByDefault()
Returns whether Server Name Indication (SNI) is enabled by default for sockets. For more information on SNI, see RFC 6066 section 3.
-
clone
protected java.lang.Object clone()
Returns the clone of this object.
- Overrides:
clone in class java.lang.Object
- Returns:
- the clone.
-
cloneWithTrustManager
SSLParametersImpl cloneWithTrustManager(javax.net.ssl.X509TrustManager newTrustManager)
-
getDefaultX509KeyManager
private static javax.net.ssl.X509KeyManager getDefaultX509KeyManager() throws java.security.KeyManagementException
- Throws:
java.security.KeyManagementException
-
createDefaultX509KeyManager
private static javax.net.ssl.X509KeyManager createDefaultX509KeyManager() throws java.security.KeyManagementException
- Throws:
java.security.KeyManagementException
-
findFirstX509KeyManager
private static javax.net.ssl.X509KeyManager findFirstX509KeyManager(javax.net.ssl.KeyManager[] kms)
Finds the first X509KeyManager element in the provided array.
- Returns:
- the first X509KeyManager or null if not found.
-
findFirstPSKKeyManager
private static PSKKeyManager findFirstPSKKeyManager(javax.net.ssl.KeyManager[] kms)
Finds the first PSKKeyManager element in the provided array.
- Returns:
- the first PSKKeyManager or null if not found.
-
getDefaultX509TrustManager
static javax.net.ssl.X509TrustManager getDefaultX509TrustManager() throws java.security.KeyManagementException
Gets the default X.509 trust manager.
- Throws:
java.security.KeyManagementException
-
createDefaultX509TrustManager
private static javax.net.ssl.X509TrustManager createDefaultX509TrustManager() throws java.security.KeyManagementException
- Throws:
java.security.KeyManagementException
-
findFirstX509TrustManager
private static javax.net.ssl.X509TrustManager findFirstX509TrustManager(javax.net.ssl.TrustManager[] tms)
Finds the first X509TrustManager element in the provided array.
- Returns:
- the first X509ExtendedTrustManager or X509TrustManager, or null if not found.
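The "first matching element" rule shared by findFirstX509TrustManager and findFirstX509KeyManager, plus one way a default trust manager can be produced for getDefaultX509TrustManager/createDefaultX509TrustManager, as an added example that is not Conscrypt's own code. The page does not say how the defaults are created; building them from the JDK's TrustManagerFactory with a null KeyStore is an assumption of this example, as is the class name.

```java
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

// Added illustration (not Conscrypt's own code) of the documented "find first" lookups and of
// one assumed way to obtain a default trust manager. Class name and factory usage are assumptions.
public final class ManagerSelectionExample {

    /** First element that is an X509TrustManager (X509ExtendedTrustManager is a subtype), or null. */
    static X509TrustManager findFirstX509TrustManager(TrustManager[] tms) {
        if (tms == null) {
            return null;
        }
        for (TrustManager tm : tms) {
            // Only the first match is used; any later trust managers in the array are ignored,
            // so an application that passes several must put the one it intends first.
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        return null;
    }

    /** Same rule applied to key managers. */
    static X509KeyManager findFirstX509KeyManager(KeyManager[] kms) {
        if (kms == null) {
            return null;
        }
        for (KeyManager km : kms) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        return null;
    }

    /** Builds a trust manager over the platform's default trust anchors (assumed approach). */
    static X509TrustManager createDefaultX509TrustManager() throws KeyManagementException {
        TrustManager[] tms;
        try {
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);   // a null KeyStore selects the platform default trust store
            tms = tmf.getTrustManagers();
        } catch (NoSuchAlgorithmException | KeyStoreException e) {
            throw new KeyManagementException(e);
        }
        X509TrustManager tm = findFirstX509TrustManager(tms);
        if (tm == null) {
            // Fail closed: a context with no X.509 trust manager must not be treated as configured.
            throw new KeyManagementException("No X509TrustManager in default TrustManagerFactory");
        }
        return tm;
    }

    public static void main(String[] args) throws KeyManagementException {
        X509TrustManager tm = createDefaultX509TrustManager();
        System.out.println("default trust manager: " + tm.getClass().getName()
                + (tm instanceof X509ExtendedTrustManager ? " (extended)" : ""));
        // Constructed sample array: a non-X.509 TrustManager placed first is skipped over.
        TrustManager[] mixed = {new TrustManager() {}, tm};
        System.out.println("first X.509 manager selected: " + (findFirstX509TrustManager(mixed) == tm));
    }
}
```

Because X509ExtendedTrustManager extends X509TrustManager, a single instanceof check covers both cases the page lists for the return value; what matters operationally is that the lookup stops at the first match.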
-
getEndpointIdentificationAlgorithm
java.lang.String getEndpointIdentificationAlgorithm()
-
setEndpointIdentificationAlgorithm
void setEndpointIdentificationAlgorithm(java.lang.String endpointIdentificationAlgorithm)
-
getUseCipherSuitesOrder
boolean getUseCipherSuitesOrder()
-
getSNIMatchers
java.util.Collection<javax.net.ssl.SNIMatcher> getSNIMatchers()
-
setSNIMatchers
void setSNIMatchers(java.util.Collection<javax.net.ssl.SNIMatcher> sniMatchers)
-
getAlgorithmConstraints
java.security.AlgorithmConstraints getAlgorithmConstraints()
-
setAlgorithmConstraints
void setAlgorithmConstraints(java.security.AlgorithmConstraints algorithmConstraints)
-
setUseCipherSuitesOrder
void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
-
getDefaultCipherSuites
private static java.lang.String[] getDefaultCipherSuites(boolean x509CipherSuitesNeeded, boolean pskCipherSuitesNeeded)
-
isCTVerificationEnabled
boolean isCTVerificationEnabled(java.lang.String hostname)
Check if SCT verification is enforced for a given hostname.
-
-