Class SSL

java.lang.Object
  io.netty.internal.tcnative.SSL

public final class SSL extends java.lang.Object
Field Summary

Constructor Summary

Constructors
  private SSL()
Method Summary

static java.lang.String[] authenticationMethods(long ssl)
    Return the methods used for authentication.
static void bioClearByteBuffer(long bio)
    After you are done buffering data from bioSetByteBuffer(long, long, int, boolean), this will ensure the internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc.).
static int bioFlushByteBuffer(long bio)
    Flush any pending bytes in the internal SSL write buffer.
static int bioLengthByteBuffer(long bio)
    Get the remaining length of the ByteBuffer set by bioSetByteBuffer(long, long, int, boolean).
static int bioLengthNonApplication(long bio)
    Get the amount of data pending in the buffer used for non-application writes.
static long bioNewByteBuffer(long ssl, int nonApplicationBufferSize)
    Initialize the BIO for the SSL instance.
static void bioSetByteBuffer(long bio, long bufferAddress, int maxUsableBytes, boolean isSSLWriteSink)
    Set the memory location that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted data from.
static void bioSetFd(long ssl, int fd)
    Deprecated. This is not officially supported by OpenSSL or BoringSSL, so it is just a no-op.
static int bioWrite(long bioAddress, long wbufAddress, int wlen)
    BIO_write
static void clearError()
    Clear all the errors from the error queue that OpenSSL encountered on this thread.
static void clearOptions(long ssl, int options)
    Clear OpenSSL option.
static int doHandshake(long ssl)
    SSL_do_handshake
static void enableOcsp(long ssl)
    Enables OCSP stapling for the given SSLEngine or throws an exception if OCSP stapling is not supported.
static void fipsModeSet(int mode)
    Set the FIPS mode to use.
static void freeBIO(long bio)
    BIO_free
static void freePrivateKey(long privateKey)
    Free private key (EVP_PKEY pointer).
static void freeSSL(long ssl)
    SSL_free
static void freeX509Chain(long x509Chain)
    Free X509 chain (STACK_OF(X509) pointer).
static java.lang.String getAlpnSelected(long ssl)
    SSL_get0_alpn_selected
static AsyncTask getAsyncTask(long ssl)
    Return the AsyncTask that needs to be run, as an operation signalled that a task needs to be completed before we can retry it.
static java.lang.String getCipherForSSL(long ssl)
    SSL_get_cipher
static java.lang.String[] getCiphers(long ssl)
    Returns the cipher suites that are available for negotiation in an SSL handshake.
static byte[] getClientRandom(long ssl)
    Extracts the random value sent from the client to the server during the initial SSL/TLS handshake.
static int getError(long ssl, int ret)
    SSL_get_error
static java.lang.String getErrorString(long errorNumber)
    Get the error string for the given errorNumber.
static int getHandshakeCount(long ssl)
    Returns the number of handshakes done for this SSL instance.
static java.lang.String getLastError()
    Return the last SSL error string.
static int getLastErrorNumber()
    Get the error number representing the last error OpenSSL encountered on this thread.
static byte[] getMasterKey(long ssl)
    Returns the master key used for the current SSL session.
static int getMaxWrapOverhead(long ssl)
    Get the maximum overhead, in bytes, of wrapping (a.k.a. sealing) a record with ssl.
static int getMode(long ssl)
    Call SSL_get_mode
static java.lang.String getNextProtoNegotiated(long ssl)
    SSL_get0_next_proto_negotiated
static byte[] getOcspResponse(long ssl)
    Returns the OCSP response for the given SSLEngine or null if the server didn't provide a stapled OCSP response.
static int getOptions(long ssl)
    Get OpenSSL options.
static byte[][] getPeerCertChain(long ssl)
    Get the peer certificate chain or null if none was sent.
static byte[] getPeerCertificate(long ssl)
    Get the peer certificate or null if none was sent.
static byte[] getServerRandom(long ssl)
    Extracts the random value sent from the server to the client during the initial SSL/TLS handshake.
static long getSession(long ssl)
    Returns the SSL_SESSION that is used for SSL.
static byte[] getSessionId(long ssl)
    Returns the ID of the session as a byte array.
static int getShutdown(long ssl)
    SSL_get_shutdown
static java.lang.String[] getSigAlgs(long ssl)
    Return the signature algorithms that the remote peer supports or null if none are supported.
static java.lang.String getSniHostname(long ssl)
    Return the SNI hostname that was sent as part of the SSL Hello.
static java.lang.Runnable getTask(long ssl)
    Return the Runnable that needs to be run, as an operation signalled that a task needs to be completed before we can retry the previous action.
static long getTime(long ssl)
    SSL_get_time
static long getTimeout(long ssl)
    SSL_get_timeout
static java.lang.String getVersion(long ssl)
    SSL_get_version
(package private) static int initialize(java.lang.String engine)
    Initialize OpenSSL support.
static int isInInit(long ssl)
    SSL_in_init
static boolean isSessionReused(long ssl)
    Return true if the SSL_SESSION was reused.
static long loadPrivateKeyFromEngine(java.lang.String keyId, java.lang.String password)
    Load a private key from the used OpenSSL ENGINE via the ENGINE_load_private_key function.
static long newMemBIO()
    Initialize a new in-memory BIO that is located in the secure heap.
static long newSSL(long ctx, boolean server)
    SSL_new
static long parsePrivateKey(long privateKeyBio, java.lang.String password)
    Parse private key from BIO and return EVP_PKEY pointer.
static long parseX509Chain(long x509ChainBio)
    Parse X509 chain from BIO and return STACK_OF(X509) pointer.
static int readFromSSL(long ssl, long rbuf, int rlen)
    SSL_read
static void setCertificateBio(long ssl, long certBio, long keyBio, java.lang.String password)
    Deprecated.
static void setCertificateChainBio(long ssl, long bio, boolean skipfirst)
    Deprecated.
static boolean setCipherSuites(long ssl, java.lang.String ciphers)
    Deprecated.
static boolean setCipherSuites(long ssl, java.lang.String ciphers, boolean tlsv13)
    Sets the cipher suites available for negotiation in the SSL handshake.
static boolean setCurves(long ssl, int[] curves)
    Sets the curves to use.
private static boolean setCurves0(long ctx, int[] curves)
static boolean setCurvesList(long ssl, java.lang.String... curves)
    Sets the curves to use.
private static boolean setCurvesList0(long ctx, java.lang.String curves)
static void setHostNameValidation(long ssl, int flags, java.lang.String hostname)
    Explicitly control hostname validation; see X509_check_host for the X509_CHECK_FLAG* definitions.
static void setKeyMaterial(long ssl, long chain, long key)
    Sets the key material to be used.
static void setKeyMaterialClientSide(long ssl, long x509Out, long pkeyOut, long chain, long key)
    Deprecated.
static void setKeyMaterialServerSide(long ssl, long chain, long key)
    Deprecated.
static int setMode(long ssl, int mode)
    Call SSL_set_mode
static void setOcspResponse(long ssl, byte[] response)
    Sets the OCSP response for the given SSLEngine or throws an exception in case of an error.
static void setOptions(long ssl, int options)
    Set OpenSSL option.
static void setRenegotiateMode(long ssl, int mode)
    Sets the renegotiation mode that is used.
static boolean setSession(long ssl, long session)
    Sets the SSL_SESSION that should be used for SSL.
static void setShutdown(long ssl, int mode)
    SSL_set_shutdown
static long setTimeout(long ssl, long seconds)
    SSL_set_timeout
static void setTlsExtHostName(long ssl, java.lang.String hostname)
    Call SSL_set_tlsext_host_name
private static void setTlsExtHostName0(long ssl, java.lang.String hostname)
static void setVerify(long ssl, int level, int depth)
    Set the type of client certificate verification and the maximum depth of CA certificates in client certificate verification.
static int shutdownSSL(long ssl)
    SSL_shutdown
static int sslPending(long ssl)
    The number of bytes pending in SSL which can be read immediately.
static int version()
static java.lang.String versionString()
static int writeToSSL(long ssl, long wbuf, int wlen)
    SSL_write
Field Detail

Protocol selectors:
public static final int SSL_PROTOCOL_NONE
public static final int SSL_PROTOCOL_SSLV2
public static final int SSL_PROTOCOL_SSLV3
public static final int SSL_PROTOCOL_TLSV1
public static final int SSL_PROTOCOL_TLSV1_1
public static final int SSL_PROTOCOL_TLSV1_2
public static final int SSL_PROTOCOL_TLSV1_3
public static final int SSL_PROTOCOL_TLS
    TLS_*method according to SSL_CTX_new
public static final int SSL_PROTOCOL_ALL

Client certificate verification levels (see setVerify):
public static final int SSL_CVERIFY_IGNORED
public static final int SSL_CVERIFY_NONE
public static final int SSL_CVERIFY_OPTIONAL
public static final int SSL_CVERIFY_REQUIRED

OpenSSL options (see setOptions, clearOptions, getOptions):
public static final int SSL_OP_CIPHER_SERVER_PREFERENCE
public static final int SSL_OP_NO_SSLv2
public static final int SSL_OP_NO_SSLv3
public static final int SSL_OP_NO_TLSv1
public static final int SSL_OP_NO_TLSv1_1
public static final int SSL_OP_NO_TLSv1_2
public static final int SSL_OP_NO_TLSv1_3
public static final int SSL_OP_NO_TICKET
public static final int SSL_OP_NO_COMPRESSION
public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
public static final int SSL_OP_LEGACY_SERVER_CONNECT

Context modes:
public static final int SSL_MODE_CLIENT
public static final int SSL_MODE_SERVER
public static final int SSL_MODE_COMBINED

Session cache modes:
public static final long SSL_SESS_CACHE_OFF
public static final long SSL_SESS_CACHE_SERVER
public static final long SSL_SESS_CACHE_CLIENT
public static final long SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
public static final long SSL_SESS_CACHE_NO_INTERNAL_STORE

Protocol selector failure behaviour:
public static final int SSL_SELECTOR_FAILURE_NO_ADVERTISE
public static final int SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL

Handshake state:
public static final int SSL_ST_CONNECT
public static final int SSL_ST_ACCEPT

SSL modes (see setMode, getMode):
public static final int SSL_MODE_ENABLE_PARTIAL_WRITE
public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
public static final int SSL_MODE_RELEASE_BUFFERS
public static final int SSL_MODE_ENABLE_FALSE_START

Record size limits:
public static final int SSL_MAX_PLAINTEXT_LENGTH
public static final int SSL_MAX_ENCRYPTED_LENGTH
public static final int SSL_MAX_RECORD_LENGTH
    The TLS 1.2 RFC defines the maximum length to be SSL_MAX_PLAINTEXT_LENGTH, but there are some implementations, such as OpenJDK's SSLEngineImpl, that also allow sending larger packets. This can be used as an upper bound for data to support legacy systems.

Hostname validation flags (see setHostNameValidation):
public static final int X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
public static final int X509_CHECK_FLAG_NO_WILD_CARDS
public static final int X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS
public static final int X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS

Renegotiation modes (see setRenegotiateMode):
public static final int SSL_RENEGOTIATE_NEVER
public static final int SSL_RENEGOTIATE_ONCE
public static final int SSL_RENEGOTIATE_FREELY
public static final int SSL_RENEGOTIATE_IGNORE
public static final int SSL_RENEGOTIATE_EXPLICIT

Certificate compression directions:
public static final int SSL_CERT_COMPRESSION_DIRECTION_COMPRESS
public static final int SSL_CERT_COMPRESSION_DIRECTION_DECOMPRESS
public static final int SSL_CERT_COMPRESSION_DIRECTION_BOTH

Shutdown state (see getShutdown, setShutdown):
public static final int SSL_SENT_SHUTDOWN
public static final int SSL_RECEIVED_SHUTDOWN

Error codes returned by getError:
public static final int SSL_ERROR_NONE
public static final int SSL_ERROR_SSL
public static final int SSL_ERROR_WANT_READ
public static final int SSL_ERROR_WANT_WRITE
public static final int SSL_ERROR_WANT_X509_LOOKUP
public static final int SSL_ERROR_SYSCALL
public static final int SSL_ERROR_ZERO_RETURN
public static final int SSL_ERROR_WANT_CONNECT
public static final int SSL_ERROR_WANT_ACCEPT
public static final int SSL_ERROR_WANT_PRIVATE_KEY_OPERATION
public static final int SSL_ERROR_WANT_CERTIFICATE_VERIFY
Method Detail

version
public static int version()

versionString
public static java.lang.String versionString()

initialize
static int initialize(java.lang.String engine)
Initialize OpenSSL support. This function needs to be called once for the lifetime of the JVM. See Library.initialize(String, String).
- Parameters:
  engine - Support for an external crypto device ("engine"), usually a hardware accelerator card for crypto operations.
- Returns:
  APR status code

newMemBIO
public static long newMemBIO() throws java.lang.Exception
Initialize a new in-memory BIO that is located in the secure heap.
- Returns:
  New BIO handle
- Throws:
  java.lang.Exception - if an error happened.

getLastError
public static java.lang.String getLastError()
Return the last SSL error string.
- Returns:
  the last SSL error string.

newSSL
public static long newSSL(long ctx, boolean server)
SSL_new
- Parameters:
  ctx - Server or client context to use.
  server - if true, configure the SSL instance to use accept handshake routines; if false, configure it to use connect handshake routines
- Returns:
  pointer to SSL instance (SSL *)

getError
public static int getError(long ssl, int ret)
SSL_get_error
- Parameters:
  ssl - SSL pointer (SSL *)
  ret - TLS/SSL I/O return value
- Returns:
  the error code

bioWrite
public static int bioWrite(long bioAddress, long wbufAddress, int wlen)
BIO_write
- Parameters:
  bioAddress - The address of a BIO*.
  wbufAddress - The address of a native char*.
  wlen - The length to write starting at wbufAddress.
- Returns:
  The number of bytes that were written. See BIO_write for exceptional return values.
bioNewByteBuffer
public static long bioNewByteBuffer(long ssl, int nonApplicationBufferSize)
Initialize the BIO for the SSL instance. This is a custom BIO which is designed to play nicely with a direct ByteBuffer. Because it is a special BIO it requires special usage: bioSetByteBuffer(long, long, int, boolean) and bioClearByteBuffer(long) are called in order to supply data to SSL, and also to ensure the internal SSL buffering mechanism is expecting writes at the appropriate times.
- Parameters:
  ssl - the SSL instance (SSL *)
  nonApplicationBufferSize - The size of the internal buffer for write operations that are not initiated directly by the application attempting to encrypt data. Must be > 0.
- Returns:
  pointer to the network BIO (BIO *). The memory is owned by ssl and will be cleaned up by freeSSL(long).

bioSetFd
@Deprecated public static void bioSetFd(long ssl, int fd)
Deprecated. This is not officially supported by OpenSSL or BoringSSL, so it is just a no-op.
Sets the socket file descriptor.
- Parameters:
  ssl - the SSL instance (SSL *)
  fd - the file descriptor of the socket used for the given SSL connection

bioSetByteBuffer
public static void bioSetByteBuffer(long bio, long bufferAddress, int maxUsableBytes, boolean isSSLWriteSink)
Set the memory location that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted data from. After you are done buffering data you should call bioClearByteBuffer(long).
- Parameters:
  bio - BIO*.
  bufferAddress - The memory address (typically from a direct ByteBuffer) which OpenSSL's internal BIO pair will either write encrypted data to, or read encrypted data from.
  maxUsableBytes - The maximum usable length in bytes starting at bufferAddress.
  isSSLWriteSink - true if this buffer is expected to buffer data as a result of calls to SSL_write; false if this buffer is expected to buffer data as a result of calls to SSL_read.

bioClearByteBuffer
public static void bioClearByteBuffer(long bio)
After you are done buffering data from bioSetByteBuffer(long, long, int, boolean), this will ensure the internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc.).
- Parameters:
  bio - BIO*.

bioFlushByteBuffer
public static int bioFlushByteBuffer(long bio)
Flush any pending bytes in the internal SSL write buffer. This does the same thing as BIO_flush for a BIO* of the type created by bioNewByteBuffer(long, int), but returns the number of bytes that were flushed.
- Parameters:
  bio - BIO*.
- Returns:
  The number of bytes that were flushed.

bioLengthByteBuffer
public static int bioLengthByteBuffer(long bio)
Get the remaining length of the ByteBuffer set by bioSetByteBuffer(long, long, int, boolean).
- Parameters:
  bio - BIO*.
- Returns:
  The remaining length of the ByteBuffer set by bioSetByteBuffer(long, long, int, boolean).

bioLengthNonApplication
public static int bioLengthNonApplication(long bio)
Get the amount of data pending in the buffer used for non-application writes. This value will not exceed the value configured in bioNewByteBuffer(long, int).
- Parameters:
  bio - BIO*.
- Returns:
  the amount of data pending in the buffer used for non-application writes.

sslPending
public static int sslPending(long ssl)
The number of bytes pending in SSL which can be read immediately. See SSL_pending.
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  The number of bytes pending in SSL which can be read immediately.

writeToSSL
public static int writeToSSL(long ssl, long wbuf, int wlen)
SSL_write
- Parameters:
  ssl - the SSL instance (SSL *)
  wbuf - the memory address of the buffer
  wlen - the length
- Returns:
  the number of written bytes

readFromSSL
public static int readFromSSL(long ssl, long rbuf, int rlen)
SSL_read
- Parameters:
  ssl - the SSL instance (SSL *)
  rbuf - the memory address of the buffer
  rlen - the length
- Returns:
  the number of read bytes
getShutdown
public static int getShutdown(long ssl)
SSL_get_shutdown
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the return code of SSL_get_shutdown

setShutdown
public static void setShutdown(long ssl, int mode)
SSL_set_shutdown
- Parameters:
  ssl - the SSL instance (SSL *)
  mode - the mode to use

freeSSL
public static void freeSSL(long ssl)
SSL_free
- Parameters:
  ssl - the SSL instance (SSL *)

freeBIO
public static void freeBIO(long bio)
BIO_free
- Parameters:
  bio - the BIO

shutdownSSL
public static int shutdownSSL(long ssl)
SSL_shutdown
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the return code of SSL_shutdown

getLastErrorNumber
public static int getLastErrorNumber()
Get the error number representing the last error OpenSSL encountered on this thread.
- Returns:
  the last error code for the calling thread.

getCipherForSSL
public static java.lang.String getCipherForSSL(long ssl)
SSL_get_cipher
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the name of the current cipher.

getVersion
public static java.lang.String getVersion(long ssl)
SSL_get_version
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the version.

doHandshake
public static int doHandshake(long ssl)
SSL_do_handshake
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the return code of SSL_do_handshake.

isInInit
public static int isInInit(long ssl)
SSL_in_init
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the return code of SSL_in_init.

getNextProtoNegotiated
public static java.lang.String getNextProtoNegotiated(long ssl)
SSL_get0_next_proto_negotiated
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the name of the negotiated protocol

getAlpnSelected
public static java.lang.String getAlpnSelected(long ssl)
SSL_get0_alpn_selected
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the name of the selected ALPN protocol
getPeerCertChain
public static byte[][] getPeerCertChain(long ssl)
Get the peer certificate chain or null if none was sent.
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the chain or null if none was sent

getPeerCertificate
public static byte[] getPeerCertificate(long ssl)
Get the peer certificate or null if none was sent.
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the peer certificate or null if none was sent

getErrorString
public static java.lang.String getErrorString(long errorNumber)
Get the error string for the given errorNumber.
- Parameters:
  errorNumber - the error number / code
- Returns:
  the error string

getTime
public static long getTime(long ssl)
SSL_get_time
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the time at which the session ssl was established. The time is given in seconds since the Epoch.

getTimeout
public static long getTimeout(long ssl)
SSL_get_timeout
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the timeout for the session ssl. The time is given in seconds since the Epoch.

setTimeout
public static long setTimeout(long ssl, long seconds)
SSL_set_timeout
- Parameters:
  ssl - the SSL instance (SSL *)
  seconds - timeout in seconds
- Returns:
  the timeout for the session ssl before this call. The time is given in seconds since the Epoch.

setVerify
public static void setVerify(long ssl, int level, int depth)
Set the type of client certificate verification and the maximum depth of CA certificates in client certificate verification.
This directive sets the certificate verification level for client authentication. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces an SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.
The following levels are available for level:
- SSL_CVERIFY_IGNORED - The level is ignored. Only depth will change.
- SSL_CVERIFY_NONE - No client certificate is required at all.
- SSL_CVERIFY_OPTIONAL - The client may present a valid certificate.
- SSL_CVERIFY_REQUIRED - The client has to present a valid certificate.
setCACertificatePath, etc.
- Parameters:
  ssl - the SSL instance (SSL *)
  level - Type of client certificate verification.
  depth - Maximum depth of CA certificates in client certificate verification. Ignored if the value is < 0.
setOptions
public static void setOptions(long ssl, int options)
Set OpenSSL option.
- Parameters:
  ssl - the SSL instance (SSL *)
  options - See SSL.SSL_OP_* for option flags.

clearOptions
public static void clearOptions(long ssl, int options)
Clear OpenSSL option.
- Parameters:
  ssl - the SSL instance (SSL *)
  options - See SSL.SSL_OP_* for option flags.

getOptions
public static int getOptions(long ssl)
Get OpenSSL options.
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  options; see SSL.SSL_OP_* for option flags.

setMode
public static int setMode(long ssl, int mode)
Call SSL_set_mode
- Parameters:
  ssl - the SSL instance (SSL *).
  mode - the mode
- Returns:
  the set mode.

getMode
public static int getMode(long ssl)
Call SSL_get_mode
- Parameters:
  ssl - the SSL instance (SSL *).
- Returns:
  the mode.

getMaxWrapOverhead
public static int getMaxWrapOverhead(long ssl)
Get the maximum overhead, in bytes, of wrapping (a.k.a. sealing) a record with ssl. See SSL_max_seal_overhead.
- Parameters:
  ssl - the SSL instance (SSL *).
- Returns:
  Maximum overhead, in bytes, of wrapping (a.k.a. sealing) a record with ssl.

getCiphers
public static java.lang.String[] getCiphers(long ssl)
Returns the cipher suites that are available for negotiation in an SSL handshake.
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  ciphers

setCipherSuites
@Deprecated public static boolean setCipherSuites(long ssl, java.lang.String ciphers) throws java.lang.Exception
Deprecated.
Sets the cipher suites available for negotiation in the SSL handshake. This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the cipher suites the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces an SSL renegotiation with the reconfigured cipher suites after the HTTP request was read but before the HTTP response is sent.
- Parameters:
  ssl - the SSL instance (SSL *)
  ciphers - an SSL cipher specification
- Returns:
  true if successful
- Throws:
  java.lang.Exception - if an error happened

setCipherSuites
public static boolean setCipherSuites(long ssl, java.lang.String ciphers, boolean tlsv13) throws java.lang.Exception
Sets the cipher suites available for negotiation in the SSL handshake. This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the cipher suites the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces an SSL renegotiation with the reconfigured cipher suites after the HTTP request was read but before the HTTP response is sent.
- Parameters:
  ssl - the SSL instance (SSL *)
  ciphers - an SSL cipher specification
  tlsv13 - true if the ciphers are for TLSv1.3
- Returns:
  true if successful
- Throws:
  java.lang.Exception - if an error happened

setCurvesList
public static boolean setCurvesList(long ssl, java.lang.String... curves)
Sets the curves to use. See SSL_set1_curves_list.
- Parameters:
  ssl - the SSL instance (SSL *)
  curves - the curves to use.
- Returns:
  true if successful, false otherwise.

setCurvesList0
private static boolean setCurvesList0(long ctx, java.lang.String curves)

setCurves
public static boolean setCurves(long ssl, int[] curves)
Sets the curves to use. See SSL_set1_curves.
- Parameters:
  ssl - the SSL instance (SSL *)
  curves - the curves to use.
- Returns:
  true if successful, false otherwise.

setCurves0
private static boolean setCurves0(long ctx, int[] curves)

getSessionId
public static byte[] getSessionId(long ssl)
Returns the ID of the session as a byte array.
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the session ID as a byte array, obtained via SSL_SESSION_get_id.

getHandshakeCount
public static int getHandshakeCount(long ssl)
Returns the number of handshakes done for this SSL instance. This also includes renegotiations.
- Parameters:
  ssl - the SSL instance (SSL *)
- Returns:
  the number of handshakes done for this SSL instance.

clearError
public static void clearError()
Clear all the errors from the error queue that OpenSSL encountered on this thread.

setTlsExtHostName
public static void setTlsExtHostName(long ssl, java.lang.String hostname)
Call SSL_set_tlsext_host_name
- Parameters:
  ssl - the SSL instance (SSL *)
  hostname - the hostname

setTlsExtHostName0
private static void setTlsExtHostName0(long ssl, java.lang.String hostname)

setHostNameValidation
public static void setHostNameValidation(long ssl, int flags, java.lang.String hostname)
Explicitly control hostname validation; see X509_check_host for the X509_CHECK_FLAG* definitions. Values are defined as a bitmask of X509_CHECK_FLAG* values.
- Parameters:
  ssl - the SSL instance (SSL *).
  flags - a bitmask of X509_CHECK_FLAG* values.
  hostname - the hostname which is expected for validation.
authenticationMethods
public static java.lang.String[] authenticationMethods(long ssl)
Return the methods used for authentication.- Parameters:
ssl
- the SSL instance (SSL*)- Returns:
- the methods
-
setCertificateChainBio
@Deprecated public static void setCertificateChainBio(long ssl, long bio, boolean skipfirst)
Deprecated.Set BIO of PEM-encoded Server CA CertificatesThis directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.
But be careful: Providing the certificate chain works only if you are using a single (either RSA or DSA) based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Otherwsie the browsers will be confused in this situation.
- Parameters:
ssl
- Server or Client to use.bio
- BIO of PEM-encoded Server CA Certificates.skipfirst
- Skip first certificate if chain file is inside certificate file.
-
setCertificateBio
@Deprecated public static void setCertificateBio(long ssl, long certBio, long keyBio, java.lang.String password) throws java.lang.Exception
Deprecated.Set Certificate
Point setCertificate at a PEM encoded certificate stored in a BIO. If the certificate is encrypted, then you will be prompted for a pass phrase. Note that a kill -HUP will prompt again. A test certificate can be generated with `make certificate' under built time. Keep in mind that if you've both a RSA and a DSA certificate you can configure both in parallel (to also allow the use of DSA ciphers, etc.)
If the key is not combined with the certificate, use key param to point at the key file. Keep in mind that if you've both a RSA and a DSA private key you can configure both in parallel (to also allow the use of DSA ciphers, etc.)- Parameters:
ssl
- Server or Client to use.certBio
- Certificate BIO.keyBio
- Private Key BIO to use if not in cert.password
- Certificate password. If null and certificate is encrypted.- Throws:
java.lang.Exception
- if an error happened
-
loadPrivateKeyFromEngine
public static long loadPrivateKeyFromEngine(java.lang.String keyId, java.lang.String password) throws java.lang.Exception
Load a private key from the OpenSSL ENGINE in use via the ENGINE_load_private_key function. Be sure you understand how OpenSSL will behave with respect to reference counting! If the ownership is not transferred you need to call freePrivateKey(long) once the key is no longer used, to prevent memory leaks.
- Parameters:
keyId - the id of the key.
password - the password to use or null if none.
- Returns:
EVP_PKEY pointer
- Throws:
java.lang.Exception - if an error happened
-
parsePrivateKey
public static long parsePrivateKey(long privateKeyBio, java.lang.String password) throws java.lang.Exception
Parse a private key from a BIO and return an EVP_PKEY pointer. Be sure you understand how OpenSSL will behave with respect to reference counting! If the EVP_PKEY pointer is used with the client certificate callback CertificateRequestedCallback, the ownership goes over to OpenSSL / Tcnative, and so freePrivateKey(long) should NOT be called in this case. Otherwise you may need to call freePrivateKey(long) to decrement the reference count and free memory.
- Parameters:
privateKeyBio - the pointer to the BIO that contains the private key
password - the password or null if no password is needed
- Returns:
EVP_PKEY pointer
- Throws:
java.lang.Exception - if an error happened
-
freePrivateKey
public static void freePrivateKey(long privateKey)
Free a private key (EVP_PKEY pointer).
- Parameters:
privateKey - EVP_PKEY pointer
-
parseX509Chain
public static long parseX509Chain(long x509ChainBio) throws java.lang.Exception
Parse an X509 chain from a BIO and return a STACK_OF(X509) pointer. Be sure you understand how OpenSSL will behave with respect to reference counting! If the STACK_OF(X509) pointer is used with the client certificate callback CertificateRequestedCallback, the ownership goes over to OpenSSL / Tcnative, and so freeX509Chain(long) should NOT be called in this case. Otherwise you may need to call freeX509Chain(long) to decrement the reference count and free memory.
- Parameters:
x509ChainBio - the pointer to the BIO that contains the X509 chain
- Returns:
STACK_OF(X509) pointer
- Throws:
java.lang.Exception - if an error happened
-
freeX509Chain
public static void freeX509Chain(long x509Chain)
Free an X509 chain (STACK_OF(X509) pointer).
- Parameters:
x509Chain - STACK_OF(X509) pointer
-
enableOcsp
public static void enableOcsp(long ssl)
Enables OCSP stapling for the given SSLEngine or throws an exception if OCSP stapling is not supported. NOTE: This needs to happen before the SSL handshake.
-
setKeyMaterialServerSide
@Deprecated public static void setKeyMaterialServerSide(long ssl, long chain, long key) throws java.lang.Exception
Deprecated. Sets the key material to be used for the server side. The passed-in chain and key need to be generated via parseX509Chain(long) and parsePrivateKey(long, String). It's important to note that the caller of the method is responsible for freeing the passed-in chain and key in any case, as this method will increment the reference count of the chain and key.
- Throws:
java.lang.Exception
-
setKeyMaterial
public static void setKeyMaterial(long ssl, long chain, long key) throws java.lang.Exception
Sets the key material to be used. The passed-in chain and key need to be generated via parseX509Chain(long) and parsePrivateKey(long, String). It's important to note that the caller of the method is responsible for freeing the passed-in chain and key in any case, as this method will increment the reference count of the chain and key.
- Throws:
java.lang.Exception
-
setKeyMaterialClientSide
@Deprecated public static void setKeyMaterialClientSide(long ssl, long x509Out, long pkeyOut, long chain, long key) throws java.lang.Exception
Deprecated. Sets the key material to be used for the client side. The passed-in chain and key need to be generated via parseX509Chain(long) and parsePrivateKey(long, String). It's important to note that the caller of the method is responsible for freeing the passed-in chain and key in any case, as this method will increment the reference count of the chain and key.
- Throws:
java.lang.Exception
-
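The ownership contract stated for parseX509Chain, parsePrivateKey and setKeyMaterial above, as an added example that is not part of netty-tcnative: the caller owns the references returned by the two parse calls, the SSL instance takes its own reference in setKeyMaterial, and the caller's references are released on every path, including the one where parsing the key fails after the chain was already parsed. The chainBio and keyBio memory BIO handles are assumed to have been created and filled by the caller, and the class name is hypothetical.

```java
import io.netty.internal.tcnative.SSL;

/**
 * Added example (not netty-tcnative code): installs key material on an SSL
 * instance while honouring the reference-counting rules documented for
 * parseX509Chain / parsePrivateKey / setKeyMaterial.
 */
public final class KeyMaterialInstaller {

    private KeyMaterialInstaller() { }

    /**
     * @param ssl      native SSL* handle
     * @param chainBio BIO* holding the PEM certificate chain (created and owned by the caller)
     * @param keyBio   BIO* holding the PEM private key (created and owned by the caller)
     * @param password key password, or null if the key is not encrypted
     */
    public static void install(long ssl, long chainBio, long keyBio, String password) throws Exception {
        long chain = 0;
        long key = 0;
        try {
            // Both parse calls throw on failure and return a reference we own on success.
            chain = SSL.parseX509Chain(chainBio);
            key = SSL.parsePrivateKey(keyBio, password);

            // setKeyMaterial increments the ref count of chain and key, so the SSL
            // instance keeps its own reference from here on ...
            SSL.setKeyMaterial(ssl, chain, key);
        } finally {
            // ... and ours is dropped in every case. A handle is 0 only when its
            // parse call never returned, so there is nothing to free for it:
            // if parsePrivateKey threw, only the chain is released.
            if (key != 0) {
                SSL.freePrivateKey(key);
            }
            if (chain != 0) {
                SSL.freeX509Chain(chain);
            }
        }
    }
    // Do not reuse this pattern for objects handed to CertificateRequestedCallback:
    // there ownership transfers to OpenSSL / Tcnative and freeing them here would
    // release a reference the caller no longer holds.
}
```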
setOcspResponse
public static void setOcspResponse(long ssl, byte[] response)
Sets the OCSP response for the given SSLEngine or throws an exception in case of an error. NOTE: This is only meant to be called for server SSLEngines.
- Parameters:
ssl - the SSL instance (SSL *)
-
getOcspResponse
public static byte[] getOcspResponse(long ssl)
Returns the OCSP response for the given SSLEngine or null if the server didn't provide a stapled OCSP response. NOTE: This is only meant to be called for client SSLEngines.
- Parameters:
ssl - the SSL instance (SSL *)
-
fipsModeSet
public static void fipsModeSet(int mode) throws java.lang.Exception
Set the FIPS mode to use. See man FIPS_mode_set.
- Parameters:
mode - the mode to use.
- Throws:
java.lang.Exception - thrown if setting the FIPS mode failed.
-
getSniHostname
public static java.lang.String getSniHostname(long ssl)
Return the SNI hostname that was sent as part of the SSL Hello.
- Parameters:
ssl - the SSL instance (SSL *)
- Returns:
the SNI hostname or null if none was used.
-
getSigAlgs
public static java.lang.String[] getSigAlgs(long ssl)
Return the signature algorithms that the remote peer supports or null if none are supported. See man SSL_get_sigalgs for more details. The returned names are generated using OBJ_nid2ln with the psignhash as parameter.
- Parameters:
ssl - the SSL instance (SSL *)
- Returns:
the signature algorithms or null.
-
getMasterKey
public static byte[] getMasterKey(long ssl)
Returns the master key used for the current SSL session. This should be used extremely sparingly, as leaking this key defeats the whole purpose of encryption, especially forward secrecy. This exists here strictly for debugging purposes.
- Parameters:
ssl - the SSL instance (SSL *)
- Returns:
the master key used for the SSL session
-
getServerRandom
public static byte[] getServerRandom(long ssl)
Extracts the random value sent from the server to the client during the initial SSL/TLS handshake. This is needed to derive the HMAC and encryption keys from the master key according to the TLS PRF. This is not a random number generator.
- Parameters:
ssl - the SSL instance (SSL *)
- Returns:
the random server value used for the SSL session
-
getClientRandom
public static byte[] getClientRandom(long ssl)
Extracts the random value sent from the client to the server during the initial SSL/TLS handshake. This is needed to derive the HMAC and encryption keys from the master key according to the TLS PRF. This is not a random number generator.
- Parameters:
ssl - the SSL instance (SSL *)
- Returns:
the random client value used for the SSL session
-
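The debugging use the three accessors above exist for, as an added example that is not part of netty-tcnative: getClientRandom and getMasterKey combined into one line of the NSS key log format ("CLIENT_RANDOM <client random hex> <master secret hex>"), which packet analysers read to decrypt a capture of this process's own connection; the server random is not needed because the analyser takes it from the capture. Assumed: the handshake has completed, the session is TLS 1.2 or earlier (the CLIENT_RANDOM line is only defined for those versions), and the class name is hypothetical.

```java
import io.netty.internal.tcnative.SSL;

/**
 * Added example (not netty-tcnative code): formats the secrets exposed by
 * getClientRandom / getMasterKey as an NSS key log line for debugging.
 */
public final class KeyLogLine {

    private KeyLogLine() { }

    /** Lowercase hex encoding, as the key log format expects. */
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    /**
     * Builds the CLIENT_RANDOM line for a completed TLS 1.2 (or earlier) handshake.
     * Assumption: the caller has checked the protocol version; TLS 1.3 uses other
     * key log labels and is not covered by this line.
     *
     * @return the key log line, or null if either value is unavailable
     */
    public static String clientRandomLine(long ssl) {
        byte[] clientRandom = SSL.getClientRandom(ssl); // 32 bytes
        byte[] masterKey = SSL.getMasterKey(ssl);       // 48 bytes for TLS 1.2 and earlier
        if (clientRandom == null || masterKey == null
                || clientRandom.length != 32 || masterKey.length != 48) {
            return null; // not a TLS <= 1.2 master secret / client random pair
        }
        return "CLIENT_RANDOM " + hex(clientRandom) + ' ' + hex(masterKey);
    }
}
```

Write the line to a file that only the debugging session can read; as the getMasterKey note says, anyone holding it can decrypt the session.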
getTask
public static java.lang.Runnable getTask(long ssl)
Return the Runnable that needs to be run because an operation signalled that a task must be completed before the previous action can be retried. After the task has run, retry the operation that signalled that a task needed to be run. The Runnable may also implement AsyncTask, which allows for fully asynchronous execution if AsyncTask.runAsync(Runnable) is used.
- Parameters:
ssl - the SSL instance (SSL *)
- Returns:
the task to run.
-
getAsyncTask
public static AsyncTask getAsyncTask(long ssl)
Return the AsyncTask that needs to be run because an operation signalled that a task must be completed before it can be retried. After the task has run, retry the operation that signalled that a task needed to be run.
- Parameters:
ssl - the SSL instance (SSL *)
- Returns:
the task to run.
-
isSessionReused
public static boolean isSessionReused(long ssl)
Return true if the SSL_SESSION was reused. See SSL_session_reused.
- Parameters:
ssl - the SSL instance (SSL *)
- Returns:
true if the SSL_SESSION was reused, false otherwise.
-
setSession
public static boolean setSession(long ssl, long session)
Sets the SSL_SESSION that should be used for the SSL instance.
- Parameters:
ssl - the SSL instance (SSL *)
session - the SSL_SESSION instance (SSL_SESSION *)
- Returns:
true if successful, false otherwise.
-
getSession
public static long getSession(long ssl)
- Parameters:
ssl - the SSL instance (SSL *)
- Returns:
the SSL_SESSION instance (SSL_SESSION *) used
-
setRenegotiateMode
public static void setRenegotiateMode(long ssl, int mode) throws java.lang.Exception
Allows setting the renegotiation mode that is used. This is only supported by BoringSSL. See SSL_set_renegotiate_mode.
- Parameters:
ssl - the SSL instance (SSL *)
mode - the mode.
- Throws:
java.lang.Exception - thrown if some error happens.
-
-