Package org.conscrypt

Class SSLUtils


  • final class SSLUtils
    extends java.lang.Object
    Utility methods for SSL packet processing. Copied from the Netty project.

    This is a public class to allow testing to occur on Android via CTS.

    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      (package private) static class  SSLUtils.EngineStates
      States for SSL engines.
      (package private) static class  SSLUtils.SessionType  
    • Constructor Summary

      Constructors 
      Modifier Constructor Description
      private SSLUtils()  
    • Method Summary

      Modifier and Type Method Description
      (package private) static int calculateOutNetBufSize​(int pendingBytes)
      Calculates the minimum bytes required in the encrypted output buffer for the given number of plaintext source bytes.
      (package private) static java.lang.String[] concat​(java.lang.String[]... arrays)  
      (package private) static java.lang.String[] decodeProtocols​(byte[] protocols)
      Decodes the given list of protocols into Strings.
      private static java.security.cert.X509Certificate decodeX509Certificate​(java.security.cert.CertificateFactory certificateFactory, byte[] bytes)  
      (package private) static java.security.cert.X509Certificate[] decodeX509CertificateChain​(byte[][] certChain)  
      (package private) static byte[] encodeProtocols​(java.lang.String[] protocols)
      Encodes a list of protocols into the wire-format (length-prefixed 8-bit strings).
      (package private) static byte[][] encodeSubjectX509Principals​(java.security.cert.X509Certificate[] certificates)  
      private static java.security.cert.CertificateFactory getCertificateFactory()  
      (package private) static java.lang.String getClientKeyType​(byte clientCertificateType)
      Similar to getServerX509KeyType, but returns the key type for a TLS ClientCertificateType byte value from a CertificateRequest message, for use with X509KeyManager.chooseClientAlias or X509ExtendedKeyManager.chooseEngineClientAlias.
      (package private) static java.lang.String getClientKeyTypeFromSignatureAlg​(int signatureAlg)  
      private static int getEncryptedPacketLength​(java.nio.ByteBuffer buffer)  
      (package private) static int getEncryptedPacketLength​(java.nio.ByteBuffer[] buffers, int offset)
      Returns how many bytes can be read out of the encrypted data.
      (package private) static java.lang.String getServerX509KeyType​(long sslCipherNative)
      Returns key type constant suitable for calling X509KeyManager.chooseServerAlias or X509ExtendedKeyManager.chooseEngineServerAlias.
      (package private) static java.util.Set<java.lang.String> getSupportedClientKeyTypes​(byte[] clientCertificateTypes, int[] signatureAlgs)
      Gets the supported key types for client certificates based on the ClientCertificateType values provided by the server.
      (package private) static javax.security.cert.X509Certificate[] toCertificateChain​(java.security.cert.X509Certificate[] certificates)
      Converts the peer certificates into a cert chain.
      (package private) static byte[] toProtocolBytes​(java.lang.String protocol)  
      (package private) static java.lang.String toProtocolString​(byte[] bytes)  
      (package private) static javax.net.ssl.SSLException toSSLException​(java.lang.Throwable e)
      Wraps the given exception if it's not already an SSLException.
      (package private) static javax.net.ssl.SSLHandshakeException toSSLHandshakeException​(java.lang.Throwable e)
      Wraps the given exception if it's not already an SSLHandshakeException.
      private static short unsignedByte​(byte b)  
      private static int unsignedShort​(short s)  
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • USE_ENGINE_SOCKET_BY_DEFAULT

        static final boolean USE_ENGINE_SOCKET_BY_DEFAULT
      • US_ASCII

        private static final java.nio.charset.Charset US_ASCII
      • MAX_ENCRYPTION_OVERHEAD_LENGTH

        private static final int MAX_ENCRYPTION_OVERHEAD_LENGTH
        This is the maximum overhead when encrypting plaintext as defined by rfc5246, rfc5289, and the BoringSSL implementation itself. Note that a padding of 16 is used here because BoringSSL uses PKCS#5, which uses 16 bytes, while the spec itself allows up to 255 bytes. 16 bytes is the maximum for PKCS#5 (which handles it the same way as PKCS#7) because a block size of 16 is used. See rfc5652#section-6.3. The overhead is the sum of:
        16 (IV) + 48 (MAC) + 1 (Padding_length field) + 15 (Padding) + 1 (ContentType in TLSCiphertext) + 2 (ProtocolVersion) + 2 (Length) + 1 (ContentType in TLSInnerPlaintext)
        See Also:
        Constant Field Values
      • MAX_ENCRYPTION_OVERHEAD_DIFF

        private static final int MAX_ENCRYPTION_OVERHEAD_DIFF
        See Also:
        Constant Field Values
      • KEY_TYPE_RSA

        private static final java.lang.String KEY_TYPE_RSA
        Key type: RSA certificate.
        See Also:
        Constant Field Values
      • KEY_TYPE_EC

        private static final java.lang.String KEY_TYPE_EC
        Key type: Elliptic Curve certificate.
        See Also:
        Constant Field Values
    • Constructor Detail

      • SSLUtils

        private SSLUtils()
    • Method Detail

      • decodeX509CertificateChain

        static java.security.cert.X509Certificate[] decodeX509CertificateChain​(byte[][] certChain)
                                                                        throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • getCertificateFactory

        private static java.security.cert.CertificateFactory getCertificateFactory()
      • decodeX509Certificate

        private static java.security.cert.X509Certificate decodeX509Certificate​(java.security.cert.CertificateFactory certificateFactory,
                                                                                byte[] bytes)
                                                                         throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • getServerX509KeyType

        static java.lang.String getServerX509KeyType​(long sslCipherNative)
        Returns key type constant suitable for calling X509KeyManager.chooseServerAlias or X509ExtendedKeyManager.chooseEngineServerAlias. Returns null for key exchanges that do not use X.509 for server authentication.
      • getClientKeyType

        static java.lang.String getClientKeyType​(byte clientCertificateType)
        Similar to getServerX509KeyType, but returns the key type for a TLS ClientCertificateType byte value from a CertificateRequest message, for use with X509KeyManager.chooseClientAlias or X509ExtendedKeyManager.chooseEngineClientAlias.

        Visible for testing.

      • getClientKeyTypeFromSignatureAlg

        static java.lang.String getClientKeyTypeFromSignatureAlg​(int signatureAlg)
      • getSupportedClientKeyTypes

        static java.util.Set<java.lang.String> getSupportedClientKeyTypes​(byte[] clientCertificateTypes,
                                                                          int[] signatureAlgs)
        Gets the supported key types for client certificates based on the ClientCertificateType values provided by the server.
        Parameters:
        clientCertificateTypes - ClientCertificateType values provided by the server. See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-2.
        signatureAlgs - SignatureScheme values provided by the server. See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml#tls-signaturescheme
        Returns:
        supported key types that can be used in X509KeyManager.chooseClientAlias and X509ExtendedKeyManager.chooseEngineClientAlias. If the inputs imply a preference order, the returned set will have an iteration order that respects that preference order, otherwise it will be in an arbitrary order.

        Visible for testing.
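The mapping behind getClientKeyType, getClientKeyTypeFromSignatureAlg and getSupportedClientKeyTypes, as an added Python sketch that is not Conscrypt's code: the ClientCertificateType and SignatureScheme code points are the IANA registry values the page links to, the strings "RSA" and "EC" are assumed to be the values of KEY_TYPE_RSA and KEY_TYPE_EC, and the rule that both lists must agree when the server sends both (with the server's scheme order kept as the preference order) is this sketch's own choice, not something the page states.

```python
"""Derive the client-certificate key types a server will accept from the
ClientCertificateType and SignatureScheme values in its CertificateRequest.
Standalone Python sketch, not Conscrypt's implementation."""

from typing import Iterable, List, Optional

KEY_TYPE_RSA = "RSA"   # assumed value of SSLUtils.KEY_TYPE_RSA
KEY_TYPE_EC = "EC"     # assumed value of SSLUtils.KEY_TYPE_EC

# ClientCertificateType (IANA tls-parameters-2). Only the signing types map
# to an X.509 key type; dss_sign (2) and the *_fixed_* types (3, 4, 65, 66)
# deliberately yield None so a key manager never offers a key for them.
CLIENT_CERT_TYPE_TO_KEY_TYPE = {
    1: KEY_TYPE_RSA,    # rsa_sign
    64: KEY_TYPE_EC,    # ecdsa_sign
}

# SignatureScheme (IANA tls-signaturescheme) -> key type of the signing certificate.
SIGNATURE_SCHEME_TO_KEY_TYPE = {
    0x0201: KEY_TYPE_RSA,  # rsa_pkcs1_sha1
    0x0401: KEY_TYPE_RSA,  # rsa_pkcs1_sha256
    0x0501: KEY_TYPE_RSA,  # rsa_pkcs1_sha384
    0x0601: KEY_TYPE_RSA,  # rsa_pkcs1_sha512
    0x0804: KEY_TYPE_RSA,  # rsa_pss_rsae_sha256
    0x0805: KEY_TYPE_RSA,  # rsa_pss_rsae_sha384
    0x0806: KEY_TYPE_RSA,  # rsa_pss_rsae_sha512
    0x0203: KEY_TYPE_EC,   # ecdsa_sha1
    0x0403: KEY_TYPE_EC,   # ecdsa_secp256r1_sha256
    0x0503: KEY_TYPE_EC,   # ecdsa_secp384r1_sha384
    0x0603: KEY_TYPE_EC,   # ecdsa_secp521r1_sha512
}


def get_client_key_type(client_certificate_type: int) -> Optional[str]:
    """Key type for one ClientCertificateType byte, or None if unsupported."""
    return CLIENT_CERT_TYPE_TO_KEY_TYPE.get(client_certificate_type & 0xFF)


def get_client_key_type_from_signature_alg(signature_alg: int) -> Optional[str]:
    """Key type for one 16-bit SignatureScheme value, or None if unsupported."""
    return SIGNATURE_SCHEME_TO_KEY_TYPE.get(signature_alg & 0xFFFF)


def _ordered_unique(items: Iterable[Optional[str]]) -> List[str]:
    """De-duplicate while keeping first-seen order (the server's preference)."""
    seen: List[str] = []
    for item in items:
        if item is not None and item not in seen:
            seen.append(item)
    return seen


def get_supported_client_key_types(client_certificate_types: Iterable[int],
                                   signature_algs: Iterable[int]) -> List[str]:
    """Ordered list of key types the client may choose an alias for.

    Sketch's own rule (assumption): if only one list is present it decides
    alone; if both are present a key type must appear on both, and the
    server's SignatureScheme order is kept as the preference order.
    """
    from_cert_types = _ordered_unique(get_client_key_type(t) for t in client_certificate_types)
    from_sig_algs = _ordered_unique(get_client_key_type_from_signature_alg(s) for s in signature_algs)
    if not from_sig_algs:       # no signature_algorithms: certificate types alone decide
        return from_cert_types
    if not from_cert_types:     # no certificate_types (e.g. TLS 1.3): schemes alone decide
        return from_sig_algs
    return [k for k in from_sig_algs if k in from_cert_types]


if __name__ == "__main__":
    # Constructed CertificateRequest contents: rsa_sign, ecdsa_sign and a
    # scheme list that prefers RSA-PSS over ECDSA P-256.
    print(get_supported_client_key_types([1, 64], [0x0804, 0x0403]))  # ['RSA', 'EC']
```

A key manager fed the returned order can walk its aliases and stop at the first one whose key type matches, which is what chooseClientAlias callers expect; an empty result means the client has no acceptable certificate and should send an empty Certificate message rather than guess.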
      • encodeSubjectX509Principals

        static byte[][] encodeSubjectX509Principals​(java.security.cert.X509Certificate[] certificates)
                                             throws java.security.cert.CertificateEncodingException
        Throws:
        java.security.cert.CertificateEncodingException
      • toCertificateChain

        static javax.security.cert.X509Certificate[] toCertificateChain​(java.security.cert.X509Certificate[] certificates)
                                                                 throws javax.net.ssl.SSLPeerUnverifiedException
        Converts the peer certificates into a cert chain.
        Throws:
        javax.net.ssl.SSLPeerUnverifiedException
      • calculateOutNetBufSize

        static int calculateOutNetBufSize​(int pendingBytes)
        Calculates the minimum bytes required in the encrypted output buffer for the given number of plaintext source bytes.
      • toSSLHandshakeException

        static javax.net.ssl.SSLHandshakeException toSSLHandshakeException​(java.lang.Throwable e)
        Wraps the given exception if it's not already an SSLHandshakeException.
      • toSSLException

        static javax.net.ssl.SSLException toSSLException​(java.lang.Throwable e)
        Wraps the given exception if it's not already an SSLException.
      • toProtocolString

        static java.lang.String toProtocolString​(byte[] bytes)
      • toProtocolBytes

        static byte[] toProtocolBytes​(java.lang.String protocol)
      • decodeProtocols

        static java.lang.String[] decodeProtocols​(byte[] protocols)
        Decodes the given list of protocols into Strings.
        Parameters:
        protocols - the encoded protocol list
        Returns:
        the decoded protocols or EmptyArray.BYTE if protocols is empty.
        Throws:
        java.lang.NullPointerException - if protocols is null.
      • encodeProtocols

        static byte[] encodeProtocols​(java.lang.String[] protocols)
        Encodes a list of protocols into the wire-format (length-prefixed 8-bit strings). Requires that all strings be encoded with US-ASCII.
        Parameters:
        protocols - the list of protocols to be encoded
        Returns:
        the encoded form of the protocol list.
        Throws:
        java.lang.IllegalArgumentException - if protocols is null, or if any element is null or an empty string.
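The wire format that decodeProtocols and encodeProtocols describe (one length byte, then that many US-ASCII bytes, per entry), as an added Python reimplementation that is not Conscrypt's code. ValueError stands in for IllegalArgumentException and TypeError for NullPointerException; the rejection of names longer than 255 bytes and of truncated or zero-length entries on decode is this example's own strictness, which the page does not state.

```python
"""Length-prefixed 8-bit protocol list (the ALPN ProtocolNameList entry
format). Standalone Python reimplementation of the documented
encodeProtocols / decodeProtocols contract; not Conscrypt's code."""

from typing import List, Optional


def encode_protocols(protocols: Optional[List[Optional[str]]]) -> bytes:
    """Encode names as length-prefixed US-ASCII strings.

    Raises ValueError (IllegalArgumentException analogue) when the list is
    None, an element is None or empty, an element is not US-ASCII, or an
    element exceeds 255 bytes (a single length byte cannot express it).
    """
    if protocols is None:
        raise ValueError("protocols must not be null")
    out = bytearray()
    for proto in protocols:
        if proto is None or proto == "":
            raise ValueError("protocol names must be non-null and non-empty")
        try:
            raw = proto.encode("ascii")
        except UnicodeEncodeError as exc:
            raise ValueError(f"protocol {proto!r} is not US-ASCII") from exc
        if len(raw) > 255:
            raise ValueError(f"protocol {proto!r} exceeds 255 bytes")
        out.append(len(raw))   # one length byte ...
        out += raw             # ... followed by the name bytes
    return bytes(out)


def decode_protocols(protocols: Optional[bytes]) -> List[str]:
    """Decode a wire-format list back into strings.

    Raises TypeError (NullPointerException analogue) for None and ValueError
    when a length prefix runs past the end of the data or an entry is empty,
    so a truncated or malformed list is rejected instead of partially parsed.
    """
    if protocols is None:
        raise TypeError("protocols must not be null")
    result: List[str] = []
    i, n = 0, len(protocols)
    while i < n:
        length = protocols[i]
        i += 1
        if length == 0:
            raise ValueError(f"zero-length protocol entry at offset {i - 1}")
        if i + length > n:
            raise ValueError(f"protocol list truncated at offset {i - 1}")
        result.append(protocols[i:i + length].decode("ascii"))
        i += length
    return result


if __name__ == "__main__":
    # Constructed sample: the usual HTTP/2 then HTTP/1.1 preference list.
    wire = encode_protocols(["h2", "http/1.1"])
    print(wire.hex())                 # 02683208687474702f312e31
    print(decode_protocols(wire))     # ['h2', 'http/1.1']
```

Because the decoder trusts a length byte supplied by the peer, the bounds check before the slice is the part worth keeping when porting this: a length that overruns the buffer must fail loudly rather than yield a shortened name that could be mistaken for a legitimate protocol.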
      • getEncryptedPacketLength

        static int getEncryptedPacketLength​(java.nio.ByteBuffer[] buffers,
                                            int offset)
        Returns how many bytes can be read out of the encrypted data. Be aware that this method will not advance the position (Netty's readerIndex) of the given ByteBuffers.
        Parameters:
        buffers - The ByteBuffers to read from. Be aware that, starting at offset, they must together hold at least NativeConstants.SSL3_RT_HEADER_LENGTH bytes to read, otherwise an IllegalArgumentException is thrown.
        Returns:
        length The length of the encrypted packet that is included in the buffers. This will return -1 if the given data is not an encrypted SSL/TLS record at all.
        Throws:
        java.lang.IllegalArgumentException - thrown if the given ByteBuffers do not have at least NativeConstants.SSL3_RT_HEADER_LENGTH bytes to read.
      • getEncryptedPacketLength

        private static int getEncryptedPacketLength​(java.nio.ByteBuffer buffer)
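Peeking at a record header that may straddle several buffers, as an added Python reimplementation of the getEncryptedPacketLength contract above (both overloads); this is not Conscrypt's code. It assumes NativeConstants.SSL3_RT_HEADER_LENGTH is 5 and decides "not an SSL/TLS record" from the SSLv3/TLS record layout in RFC 5246 section 6.2.1 (a ContentType of 20 to 23 followed by major version 3), which is the layout TLS 1.3 also keeps in its legacy record header; ValueError stands in for IllegalArgumentException.

```python
"""Report the total length of the SSLv3/TLS record that starts at
buffers[offset] without consuming any input. Standalone Python
reimplementation of the documented getEncryptedPacketLength behaviour,
not Conscrypt's code."""

from typing import List

SSL3_RT_HEADER_LENGTH = 5   # assumed value of NativeConstants.SSL3_RT_HEADER_LENGTH

# ContentType values that can open an SSLv3/TLS record (RFC 5246 section 6.2.1).
SSL3_RT_CHANGE_CIPHER_SPEC = 20
SSL3_RT_ALERT = 21
SSL3_RT_HANDSHAKE = 22
SSL3_RT_APPLICATION_DATA = 23
_RECORD_CONTENT_TYPES = {
    SSL3_RT_CHANGE_CIPHER_SPEC,
    SSL3_RT_ALERT,
    SSL3_RT_HANDSHAKE,
    SSL3_RT_APPLICATION_DATA,
}


def _record_length_from_header(header: bytes) -> int:
    """Total record length (header plus payload) from a 5-byte header, or -1
    when the bytes do not look like an SSLv3/TLS record header."""
    if header[0] not in _RECORD_CONTENT_TYPES:
        return -1                                   # SSLv2 hello, plaintext, or garbage
    if header[1] != 3:
        return -1                                   # major version 3 covers SSLv3 and all TLS 1.x
    payload_len = (header[3] << 8) | header[4]      # unsigned 16-bit big-endian length
    return payload_len + SSL3_RT_HEADER_LENGTH


def get_encrypted_packet_length(buffers: List[bytes], offset: int) -> int:
    """Mirror of the two-argument overload: gather only the first header's
    worth of bytes from buffers[offset:] (possibly across several buffers),
    never modifying or consuming them. Raises ValueError when fewer than
    SSL3_RT_HEADER_LENGTH bytes are available."""
    header = bytearray()
    i = offset
    while len(header) < SSL3_RT_HEADER_LENGTH and i < len(buffers):
        need = SSL3_RT_HEADER_LENGTH - len(header)
        header += buffers[i][:need]                 # slicing copies; the source is untouched
        i += 1
    if len(header) < SSL3_RT_HEADER_LENGTH:
        raise ValueError(
            "need at least %d bytes to read a record header" % SSL3_RT_HEADER_LENGTH)
    return _record_length_from_header(bytes(header))


if __name__ == "__main__":
    # Constructed sample: a TLS 1.2 handshake record header (16 03 03 00 2a)
    # split across three buffers, followed by its 42-byte payload.
    chunks = [b"\x16\x03", b"\x03\x00", b"\x2a" + b"\x00" * 42]
    print(get_encrypted_packet_length(chunks, 0))           # 47
    print(get_encrypted_packet_length([b"GET / HTTP/1.1\r\n"], 0))  # -1
```

The -1 result is the signal an unwrap loop should use to stop feeding bytes to the engine and fail the connection: a peer that sends plaintext or an SSLv2-style hello on a port expecting TLS must not have its bytes interpreted as a record length, since a bogus 16-bit length would otherwise dictate how much the reader waits for.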
      • unsignedByte

        private static short unsignedByte​(byte b)
      • unsignedShort

        private static int unsignedShort​(short s)
      • concat

        static java.lang.String[] concat​(java.lang.String[]... arrays)