Package org.conscrypt

Class ConscryptFileDescriptorSocket

    • Field Detail

      • state

        private int state
      • ssl

        private final NativeSsl ssl
        Wrapper around the underlying SSL object.
      • guard

        private final java.lang.Object guard
      • channelIdPrivateKey

        private OpenSSLKey channelIdPrivateKey
        Private key for the TLS Channel ID extension. This field is client-side only. Set during startHandshake.
      • closedSession

        private SessionSnapshot closedSession
        A snapshot of the active session when the engine was closed.
      • externalSession

        private final javax.net.ssl.SSLSession externalSession
        The session object exposed externally from this class.
      • writeTimeoutMilliseconds

        private int writeTimeoutMilliseconds
      • handshakeTimeoutMilliseconds

        private int handshakeTimeoutMilliseconds
    • Constructor Detail

      • ConscryptFileDescriptorSocket

        ConscryptFileDescriptorSocket​(SSLParametersImpl sslParameters)
                               throws java.io.IOException
        Throws:
        java.io.IOException
      • ConscryptFileDescriptorSocket

        ConscryptFileDescriptorSocket​(java.lang.String hostname,
                                      int port,
                                      SSLParametersImpl sslParameters)
                               throws java.io.IOException
        Throws:
        java.io.IOException
      • ConscryptFileDescriptorSocket

        ConscryptFileDescriptorSocket​(java.net.InetAddress address,
                                      int port,
                                      SSLParametersImpl sslParameters)
                               throws java.io.IOException
        Throws:
        java.io.IOException
      • ConscryptFileDescriptorSocket

        ConscryptFileDescriptorSocket​(java.lang.String hostname,
                                      int port,
                                      java.net.InetAddress clientAddress,
                                      int clientPort,
                                      SSLParametersImpl sslParameters)
                               throws java.io.IOException
        Throws:
        java.io.IOException
      • ConscryptFileDescriptorSocket

        ConscryptFileDescriptorSocket​(java.net.InetAddress address,
                                      int port,
                                      java.net.InetAddress clientAddress,
                                      int clientPort,
                                      SSLParametersImpl sslParameters)
                               throws java.io.IOException
        Throws:
        java.io.IOException
      • ConscryptFileDescriptorSocket

        ConscryptFileDescriptorSocket​(java.net.Socket socket,
                                      java.lang.String hostname,
                                      int port,
                                      boolean autoClose,
                                      SSLParametersImpl sslParameters)
                               throws java.io.IOException
        Throws:
        java.io.IOException
    • Method Detail

      • startHandshake

        public final void startHandshake()
                                  throws java.io.IOException
        Starts a TLS/SSL handshake on this connection using native methods from the OpenSSL library. It can negotiate new encryption keys, change cipher suites, or initiate a new session. The certificate chain is verified if the corresponding property in java.Security is set. All listeners are notified at the end of the TLS/SSL handshake.
        Specified by:
        startHandshake in class javax.net.ssl.SSLSocket
        Throws:
        java.io.IOException
      • clientCertificateRequested

        public final void clientCertificateRequested​(byte[] keyTypeBytes,
                                                     int[] signatureAlgs,
                                                     byte[][] asn1DerEncodedPrincipals)
                                              throws java.security.cert.CertificateEncodingException,
                                                     javax.net.ssl.SSLException
        Description copied from interface: NativeCrypto.SSLHandshakeCallbacks
        Called on an SSL client when the server requests (or requires) a certificate. The client can respond by using SSL_use_certificate and SSL_use_PrivateKey to set a certificate if it has an appropriate one available, similar to how the server provides its certificate.
        Specified by:
        clientCertificateRequested in interface NativeCrypto.SSLHandshakeCallbacks
        Parameters:
        keyTypeBytes - key types supported by the server, convertible to strings with #keyType
        asn1DerEncodedPrincipals - CAs known to the server
        Throws:
        java.security.cert.CertificateEncodingException
        javax.net.ssl.SSLException
      • clientPSKKeyRequested

        public final int clientPSKKeyRequested​(java.lang.String identityHint,
                                               byte[] identity,
                                               byte[] key)
        Description copied from interface: NativeCrypto.SSLHandshakeCallbacks
        Gets the key to be used in client mode for this connection in Pre-Shared Key (PSK) key exchange.
        Specified by:
        clientPSKKeyRequested in interface NativeCrypto.SSLHandshakeCallbacks
        Parameters:
        identityHint - PSK identity hint provided by the server or null if no hint provided.
        identity - buffer to be populated with PSK identity (NULL-terminated modified UTF-8) by this method. This identity will be provided to the server.
        key - buffer to be populated with key material by this method.
        Returns:
        number of bytes this method stored in the key buffer, or 0 if an error occurred, in which case the handshake will be aborted.
      • serverPSKKeyRequested

        public final int serverPSKKeyRequested​(java.lang.String identityHint,
                                               java.lang.String identity,
                                               byte[] key)
        Description copied from interface: NativeCrypto.SSLHandshakeCallbacks
        Gets the key to be used in server mode for this connection in Pre-Shared Key (PSK) key exchange.
        Specified by:
        serverPSKKeyRequested in interface NativeCrypto.SSLHandshakeCallbacks
        Parameters:
        identityHint - PSK identity hint provided by this server to the client or null if no hint was provided.
        identity - PSK identity provided by the client.
        key - buffer to be populated with key material by this method.
        Returns:
        number of bytes this method stored in the key buffer, or 0 if an error occurred, in which case the handshake will be aborted.
      • serverSessionRequested

        public final long serverSessionRequested​(byte[] id)
        Description copied from interface: NativeCrypto.SSLHandshakeCallbacks
        Called for servers where TLS < 1.3 (TLS 1.3 uses session tickets rather than application session caches).

        Looks up the session by ID in the application's session cache. If a valid session is returned, this callback is responsible for incrementing the reference count (and any required synchronization).

        Specified by:
        serverSessionRequested in interface NativeCrypto.SSLHandshakeCallbacks
        Parameters:
        id - the ID of the session to find.
        Returns:
        the cached session or 0 if no session was found matching the given ID.
      • serverCertificateRequested

        public final void serverCertificateRequested()
                                              throws java.io.IOException
        Description copied from interface: NativeCrypto.SSLHandshakeCallbacks
        Called when acting as a server during ClientHello processing before a decision to resume a session is made. This allows the selection of the correct server certificate based on things like Server Name Indication (SNI).
        Specified by:
        serverCertificateRequested in interface NativeCrypto.SSLHandshakeCallbacks
        Throws:
        java.io.IOException - if there was an error during certificate selection.
      • verifyCertificateChain

        public final void verifyCertificateChain​(byte[][] certChain,
                                                 java.lang.String authMethod)
                                          throws java.security.cert.CertificateException
        Description copied from interface: NativeCrypto.SSLHandshakeCallbacks
        Verify that the certificate chain is trusted.
        Specified by:
        verifyCertificateChain in interface NativeCrypto.SSLHandshakeCallbacks
        Parameters:
        certChain - chain of X.509 certificates in their encoded form
        authMethod - auth algorithm name
        Throws:
        java.security.cert.CertificateException - if the certificate is untrusted
      • assertReadableOrWriteableState

        private void assertReadableOrWriteableState()
      • waitForHandshake

        private void waitForHandshake()
                               throws java.io.IOException
        Throws:
        java.io.IOException
      • getSession

        public final javax.net.ssl.SSLSession getSession()
        Specified by:
        getSession in class javax.net.ssl.SSLSocket
      • provideAfterHandshakeSession

        private ConscryptSession provideAfterHandshakeSession()
      • getEnableSessionCreation

        public final boolean getEnableSessionCreation()
        Specified by:
        getEnableSessionCreation in class javax.net.ssl.SSLSocket
      • setEnableSessionCreation

        public final void setEnableSessionCreation​(boolean flag)
        Specified by:
        setEnableSessionCreation in class javax.net.ssl.SSLSocket
      • getSupportedCipherSuites

        public final java.lang.String[] getSupportedCipherSuites()
        Specified by:
        getSupportedCipherSuites in class javax.net.ssl.SSLSocket
      • getEnabledCipherSuites

        public final java.lang.String[] getEnabledCipherSuites()
        Specified by:
        getEnabledCipherSuites in class javax.net.ssl.SSLSocket
      • setEnabledCipherSuites

        public final void setEnabledCipherSuites​(java.lang.String[] suites)
        Specified by:
        setEnabledCipherSuites in class javax.net.ssl.SSLSocket
      • getSupportedProtocols

        public final java.lang.String[] getSupportedProtocols()
        Specified by:
        getSupportedProtocols in class javax.net.ssl.SSLSocket
      • getEnabledProtocols

        public final java.lang.String[] getEnabledProtocols()
        Specified by:
        getEnabledProtocols in class javax.net.ssl.SSLSocket
      • setEnabledProtocols

        public final void setEnabledProtocols​(java.lang.String[] protocols)
        Specified by:
        setEnabledProtocols in class javax.net.ssl.SSLSocket
      • setUseSessionTickets

        public final void setUseSessionTickets​(boolean useSessionTickets)
        This method enables session ticket support.
        Specified by:
        setUseSessionTickets in class OpenSSLSocketImpl
        Parameters:
        useSessionTickets - True to enable session tickets
      • setHostname

        public final void setHostname​(java.lang.String hostname)
        This method enables Server Name Indication. If the hostname is not a valid SNI hostname, the SNI extension will be omitted from the handshake.
        Overrides:
        setHostname in class OpenSSLSocketImpl
        Parameters:
        hostname - the desired SNI hostname, or null to disable
      • setChannelIdEnabled

        public final void setChannelIdEnabled​(boolean enabled)
        Enables/disables TLS Channel ID for this server socket.

        This method needs to be invoked before the handshake starts.

        Specified by:
        setChannelIdEnabled in class OpenSSLSocketImpl
        Throws:
        java.lang.IllegalStateException - if this is a client socket or if the handshake has already started.
      • getChannelId

        public final byte[] getChannelId()
                                  throws javax.net.ssl.SSLException
        Gets the TLS Channel ID for this server socket. Channel ID is only available once the handshake completes.
        Specified by:
        getChannelId in class OpenSSLSocketImpl
        Returns:
        channel ID or null if not available.
        Throws:
        java.lang.IllegalStateException - if this is a client socket or if the handshake has not yet completed.
        javax.net.ssl.SSLException - if channel ID is available but could not be obtained.
      • setChannelIdPrivateKey

        public final void setChannelIdPrivateKey​(java.security.PrivateKey privateKey)
        Sets the PrivateKey to be used for TLS Channel ID by this client socket.

        This method needs to be invoked before the handshake starts.

        Specified by:
        setChannelIdPrivateKey in class OpenSSLSocketImpl
        Parameters:
        privateKey - private key (enables TLS Channel ID) or null for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).
        Throws:
        java.lang.IllegalStateException - if this is a server socket or if the handshake has already started.
      • getTlsUnique

        byte[] getTlsUnique()
        Description copied from class: AbstractConscryptSocket
        Returns the tls-unique channel binding value for this connection, per RFC 5929. This will return null if there is no such value available, such as if the handshake has not yet completed or this connection is closed.
        Specified by:
        getTlsUnique in class AbstractConscryptSocket
      • exportKeyingMaterial

        byte[] exportKeyingMaterial​(java.lang.String label,
                                    byte[] context,
                                    int length)
                             throws javax.net.ssl.SSLException
        Description copied from class: AbstractConscryptSocket
        Exports a value derived from the TLS master secret as described in RFC 5705.
        Specified by:
        exportKeyingMaterial in class AbstractConscryptSocket
        Parameters:
        label - the label to use in calculating the exported value. This must be an ASCII-only string.
        context - the application-specific context value to use in calculating the exported value. This may be null to use no application context, which is treated differently than an empty byte array.
        length - the number of bytes of keying material to return.
        Returns:
        a value of the specified length, or null if the handshake has not yet completed or the connection has been closed.
        Throws:
        javax.net.ssl.SSLException - if the value could not be exported.
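        The two derivations behind getTlsUnique (RFC 5929) and exportKeyingMaterial (RFC 5705) above, worked through for TLS 1.2 as an added example. This is not Conscrypt code: Conscrypt obtains both values from its native SSL object, whereas the block below recomputes them from a master secret with the TLS 1.2 PRF (P_SHA256, RFC 5246) so the contract in the documentation can be checked offline. It shows why a null context and an empty context give different exporter output (the empty context is still encoded with its 2-byte length prefix) and why the label must be ASCII. The master secret, randoms and handshake transcript are constructed test values; the function names are this example's own. It covers TLS 1.2 only: TLS 1.3 defines its exporter over HKDF and has no tls-unique binding.

```python
"""Added example, not Conscrypt code: TLS 1.2 keying-material export
(RFC 5705) and Finished verify_data / tls-unique (RFC 5929) computed with
the TLS 1.2 PRF from RFC 5246. All inputs in the tests are constructed."""
import hashlib
import hmac


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function (RFC 5246 section 5).

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac_sha256(secret, a)
        out += hmac_sha256(secret, a + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def export_keying_material(master_secret: bytes, client_random: bytes,
                           server_random: bytes, label: str,
                           context, length: int) -> bytes:
    """RFC 5705 exporter for TLS 1.2.

    context=None means "no context" (seed is just the two randoms).
    Any bytes value, including b"", is appended with a 2-byte length
    prefix, so b"" and None deliberately yield different output, matching
    the exportKeyingMaterial contract quoted above.
    """
    if not label.isascii():
        raise ValueError("exporter label must be ASCII-only")
    seed = client_random + server_random
    if context is not None:
        if len(context) > 0xFFFF:
            raise ValueError("context longer than 65535 bytes")
        seed += len(context).to_bytes(2, "big") + context
    return tls12_prf(master_secret, label.encode("ascii"), seed, length)


def finished_verify_data(master_secret: bytes, handshake_messages: bytes,
                         client_side: bool = True) -> bytes:
    """verify_data of a TLS 1.2 Finished message (RFC 5246 section 7.4.9).

    tls-unique (RFC 5929) is the verify_data of the first Finished message
    on the connection, i.e. the client's Finished in a full handshake.
    """
    label = b"client finished" if client_side else b"server finished"
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return tls12_prf(master_secret, label, transcript_hash, 12)


if __name__ == "__main__":
    # Constructed values; a real master secret is 48 bytes of PRF output.
    ms = bytes(range(48))
    cr, sr = b"\x11" * 32, b"\x22" * 32
    no_ctx = export_keying_material(ms, cr, sr, "EXPORTER-demo", None, 32)
    empty_ctx = export_keying_material(ms, cr, sr, "EXPORTER-demo", b"", 32)
    print("null vs empty context differ:", no_ctx != empty_ctx)
    print("tls-unique:", finished_verify_data(ms, b"constructed transcript").hex())
```

Pass the same label, context and length on both peers and the two sides derive the same value, which is what makes the result usable as a channel binding for an application-layer authentication exchange; a mismatch in the null/empty context choice between peers silently produces different keys.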
      • getUseClientMode

        public final boolean getUseClientMode()
        Specified by:
        getUseClientMode in class javax.net.ssl.SSLSocket
      • setUseClientMode

        public final void setUseClientMode​(boolean mode)
        Specified by:
        setUseClientMode in class javax.net.ssl.SSLSocket
      • getWantClientAuth

        public final boolean getWantClientAuth()
        Specified by:
        getWantClientAuth in class javax.net.ssl.SSLSocket
      • getNeedClientAuth

        public final boolean getNeedClientAuth()
        Specified by:
        getNeedClientAuth in class javax.net.ssl.SSLSocket
      • setNeedClientAuth

        public final void setNeedClientAuth​(boolean need)
        Specified by:
        setNeedClientAuth in class javax.net.ssl.SSLSocket
      • setWantClientAuth

        public final void setWantClientAuth​(boolean want)
        Specified by:
        setWantClientAuth in class javax.net.ssl.SSLSocket
      • setSoWriteTimeout

        public final void setSoWriteTimeout​(int writeTimeoutMilliseconds)
                                     throws java.net.SocketException
        Note that write timeouts are not part of the javax.net.ssl.SSLSocket API.
        Overrides:
        setSoWriteTimeout in class OpenSSLSocketImpl
        Throws:
        java.net.SocketException
      • getSoWriteTimeout

        public final int getSoWriteTimeout()
                                    throws java.net.SocketException
        Note that write timeouts are not part of the javax.net.ssl.SSLSocket API.
        Overrides:
        getSoWriteTimeout in class OpenSSLSocketImpl
        Throws:
        java.net.SocketException
      • setHandshakeTimeout

        public final void setHandshakeTimeout​(int handshakeTimeoutMilliseconds)
                                       throws java.net.SocketException
        Set the handshake timeout on this socket. This timeout is specified in milliseconds and will be used only during the handshake process.
        Overrides:
        setHandshakeTimeout in class OpenSSLSocketImpl
        Throws:
        java.net.SocketException
      • close

        public final void close()
                         throws java.io.IOException
        Specified by:
        close in interface java.lang.AutoCloseable
        Specified by:
        close in interface java.io.Closeable
        Overrides:
        close in class AbstractConscryptSocket
        Throws:
        java.io.IOException
      • shutdownAndFreeSslNative

        private void shutdownAndFreeSslNative()
                                       throws java.io.IOException
        Throws:
        java.io.IOException
      • closeUnderlyingSocket

        private void closeUnderlyingSocket()
                                    throws java.io.IOException
        Throws:
        java.io.IOException
      • free

        private void free()
      • finalize

        protected final void finalize()
                               throws java.lang.Throwable
        Overrides:
        finalize in class java.lang.Object
        Throws:
        java.lang.Throwable
      • getSSLParameters

        public final javax.net.ssl.SSLParameters getSSLParameters()
        Overrides:
        getSSLParameters in class javax.net.ssl.SSLSocket
      • setSSLParameters

        public final void setSSLParameters​(javax.net.ssl.SSLParameters p)
        Overrides:
        setSSLParameters in class javax.net.ssl.SSLSocket
      • chooseClientAlias

        public final java.lang.String chooseClientAlias​(javax.net.ssl.X509KeyManager keyManager,
                                                        javax.security.auth.x500.X500Principal[] issuers,
                                                        java.lang.String[] keyTypes)
        Specified by:
        chooseClientAlias in interface SSLParametersImpl.AliasChooser
      • transitionTo

        private void transitionTo​(int newState)