Class SSL


  • public final class SSL
    extends java.lang.Object
    • Field Detail

      • SSL_OP_CIPHER_SERVER_PREFERENCE

        public static final int SSL_OP_CIPHER_SERVER_PREFERENCE
      • SSL_OP_NO_SSLv2

        public static final int SSL_OP_NO_SSLv2
      • SSL_OP_NO_SSLv3

        public static final int SSL_OP_NO_SSLv3
      • SSL_OP_NO_TLSv1

        public static final int SSL_OP_NO_TLSv1
      • SSL_OP_NO_TLSv1_1

        public static final int SSL_OP_NO_TLSv1_1
      • SSL_OP_NO_TLSv1_2

        public static final int SSL_OP_NO_TLSv1_2
      • SSL_OP_NO_TLSv1_3

        public static final int SSL_OP_NO_TLSv1_3
      • SSL_OP_NO_TICKET

        public static final int SSL_OP_NO_TICKET
      • SSL_OP_NO_COMPRESSION

        public static final int SSL_OP_NO_COMPRESSION
      • SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

        public static final int SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
      • SSL_OP_LEGACY_SERVER_CONNECT

        public static final int SSL_OP_LEGACY_SERVER_CONNECT
      • SSL_SESS_CACHE_OFF

        public static final long SSL_SESS_CACHE_OFF
      • SSL_SESS_CACHE_SERVER

        public static final long SSL_SESS_CACHE_SERVER
      • SSL_SESS_CACHE_CLIENT

        public static final long SSL_SESS_CACHE_CLIENT
      • SSL_SESS_CACHE_NO_INTERNAL_LOOKUP

        public static final long SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
      • SSL_SESS_CACHE_NO_INTERNAL_STORE

        public static final long SSL_SESS_CACHE_NO_INTERNAL_STORE
      • SSL_SELECTOR_FAILURE_NO_ADVERTISE

        public static final int SSL_SELECTOR_FAILURE_NO_ADVERTISE
        See Also:
        Constant Field Values
      • SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL

        public static final int SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL
        See Also:
        Constant Field Values
      • SSL_ST_CONNECT

        public static final int SSL_ST_CONNECT
      • SSL_ST_ACCEPT

        public static final int SSL_ST_ACCEPT
      • SSL_MODE_ENABLE_PARTIAL_WRITE

        public static final int SSL_MODE_ENABLE_PARTIAL_WRITE
      • SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER

        public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
      • SSL_MODE_RELEASE_BUFFERS

        public static final int SSL_MODE_RELEASE_BUFFERS
      • SSL_MODE_ENABLE_FALSE_START

        public static final int SSL_MODE_ENABLE_FALSE_START
      • SSL_MAX_PLAINTEXT_LENGTH

        public static final int SSL_MAX_PLAINTEXT_LENGTH
      • SSL_MAX_ENCRYPTED_LENGTH

        public static final int SSL_MAX_ENCRYPTED_LENGTH
      • SSL_MAX_RECORD_LENGTH

        public static final int SSL_MAX_RECORD_LENGTH
        The TLS 1.2 RFC defines the maximum length to be SSL_MAX_PLAINTEXT_LENGTH, but there are some implementations such as OpenJDK's SSLEngineImpl that also allow sending larger packets. This constant can be used as an upper bound for data in order to support such legacy systems.
      • X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT

        public static final int X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
      • X509_CHECK_FLAG_NO_WILD_CARDS

        public static final int X509_CHECK_FLAG_NO_WILD_CARDS
      • X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS

        public static final int X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS
      • X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS

        public static final int X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
      • SSL_RENEGOTIATE_NEVER

        public static final int SSL_RENEGOTIATE_NEVER
      • SSL_RENEGOTIATE_ONCE

        public static final int SSL_RENEGOTIATE_ONCE
      • SSL_RENEGOTIATE_FREELY

        public static final int SSL_RENEGOTIATE_FREELY
      • SSL_RENEGOTIATE_IGNORE

        public static final int SSL_RENEGOTIATE_IGNORE
      • SSL_RENEGOTIATE_EXPLICIT

        public static final int SSL_RENEGOTIATE_EXPLICIT
      • SSL_CERT_COMPRESSION_DIRECTION_COMPRESS

        public static final int SSL_CERT_COMPRESSION_DIRECTION_COMPRESS
      • SSL_CERT_COMPRESSION_DIRECTION_DECOMPRESS

        public static final int SSL_CERT_COMPRESSION_DIRECTION_DECOMPRESS
      • SSL_CERT_COMPRESSION_DIRECTION_BOTH

        public static final int SSL_CERT_COMPRESSION_DIRECTION_BOTH
      • SSL_SENT_SHUTDOWN

        public static final int SSL_SENT_SHUTDOWN
      • SSL_RECEIVED_SHUTDOWN

        public static final int SSL_RECEIVED_SHUTDOWN
      • SSL_ERROR_NONE

        public static final int SSL_ERROR_NONE
      • SSL_ERROR_SSL

        public static final int SSL_ERROR_SSL
      • SSL_ERROR_WANT_READ

        public static final int SSL_ERROR_WANT_READ
      • SSL_ERROR_WANT_WRITE

        public static final int SSL_ERROR_WANT_WRITE
      • SSL_ERROR_WANT_X509_LOOKUP

        public static final int SSL_ERROR_WANT_X509_LOOKUP
      • SSL_ERROR_SYSCALL

        public static final int SSL_ERROR_SYSCALL
      • SSL_ERROR_ZERO_RETURN

        public static final int SSL_ERROR_ZERO_RETURN
      • SSL_ERROR_WANT_CONNECT

        public static final int SSL_ERROR_WANT_CONNECT
      • SSL_ERROR_WANT_ACCEPT

        public static final int SSL_ERROR_WANT_ACCEPT
      • SSL_ERROR_WANT_PRIVATE_KEY_OPERATION

        public static final int SSL_ERROR_WANT_PRIVATE_KEY_OPERATION
      • SSL_ERROR_WANT_CERTIFICATE_VERIFY

        public static final int SSL_ERROR_WANT_CERTIFICATE_VERIFY
    • Constructor Detail

      • SSL

        private SSL()
    • Method Detail

      • version

        public static int version()
      • versionString

        public static java.lang.String versionString()
      • initialize

        static int initialize​(java.lang.String engine)
        Initialize OpenSSL support. This function needs to be called once for the lifetime of the JVM. See Library.initialize(String, String).
        Parameters:
        engine - Support for an external crypto device ("engine"), usually a hardware accelerator card for crypto operations.
        Returns:
        APR status code
      • newMemBIO

        public static long newMemBIO()
                              throws java.lang.Exception
        Initialize new in-memory BIO that is located in the secure heap.
        Returns:
        New BIO handle
        Throws:
        java.lang.Exception - if an error happened.
      • getLastError

        public static java.lang.String getLastError()
        Return last SSL error string
        Returns:
        the last SSL error string.
      • newSSL

        public static long newSSL​(long ctx,
                                  boolean server)
        SSL_new
        Parameters:
        ctx - Server or Client context to use.
        server - if true, configure the SSL instance to use the accept handshake routines; if false, configure it to use the connect handshake routines.
        Returns:
        pointer to SSL instance (SSL *)
      • getError

        public static int getError​(long ssl,
                                   int ret)
        SSL_get_error
        Parameters:
        ssl - SSL pointer (SSL *)
        ret - TLS/SSL I/O return value
        Returns:
        the error code
      • bioWrite

        public static int bioWrite​(long bioAddress,
                                   long wbufAddress,
                                   int wlen)
        BIO_write
        Parameters:
        bioAddress - The address of a BIO*.
        wbufAddress - The address of a native char*.
        wlen - The length to write starting at wbufAddress.
        Returns:
        The number of bytes that were written. See BIO_write for exceptional return values.
      • bioNewByteBuffer

        public static long bioNewByteBuffer​(long ssl,
                                            int nonApplicationBufferSize)
        Initialize the BIO for the SSL instance. This is a custom BIO which is designed to play nicely with a direct ByteBuffer. Because it is a special BIO it requires special usage: bioSetByteBuffer(long, long, int, boolean) and bioClearByteBuffer(long) must be called in order to supply data to SSL, and also to ensure the internal SSL buffering mechanism is expecting writes at the appropriate times.
        Parameters:
        ssl - the SSL instance (SSL *)
        nonApplicationBufferSize - The size of the internal buffer for write operations that are not initiated directly by the application attempting to encrypt data. Must be >0.
        Returns:
        pointer to the Network BIO (BIO *). The memory is owned by ssl and will be cleaned up by freeSSL(long).
      • bioSetFd

        @Deprecated
        public static void bioSetFd​(long ssl,
                                    int fd)
        Deprecated.
        This is not officially supported by OpenSSL or BoringSSL, so it is just a no-op.
        Sets the socket file descriptor
        Parameters:
        ssl - the SSL instance (SSL *)
        fd - the file descriptor of the socket used for the given SSL connection
      • bioSetByteBuffer

        public static void bioSetByteBuffer​(long bio,
                                            long bufferAddress,
                                            int maxUsableBytes,
                                            boolean isSSLWriteSink)
        Set the memory location that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted data from.

        After you are done buffering data you should call bioClearByteBuffer(long).

        Parameters:
        bio - BIO*.
        bufferAddress - The memory address (typically from a direct ByteBuffer) which will be used to either write encrypted data to, or read encrypted data from by OpenSSL's internal BIO pair.
        maxUsableBytes - The maximum usable length in bytes starting at bufferAddress.
        isSSLWriteSink - true if this buffer is expected to buffer data as a result of calls to SSL_write. false if this buffer is expected to buffer data as a result of calls to SSL_read.
      • bioClearByteBuffer

        public static void bioClearByteBuffer​(long bio)
        After you are done buffering data from bioSetByteBuffer(long, long, int, boolean), this will ensure the internal SSL write buffers are ready to capture data which may be written unexpectedly (e.g. by a handshake, renegotiation, etc.).
        Parameters:
        bio - BIO*.
      • bioFlushByteBuffer

        public static int bioFlushByteBuffer​(long bio)
        Flush any pending bytes in the internal SSL write buffer.

        This does the same thing as BIO_flush for a BIO* of type bioNewByteBuffer(long, int) but returns the number of bytes that were flushed.

        Parameters:
        bio - BIO*.
        Returns:
        The number of bytes that were flushed.
      • bioLengthNonApplication

        public static int bioLengthNonApplication​(long bio)
        Get the amount of data pending in buffer used for non-application writes. This value will not exceed the value configured in bioNewByteBuffer(long, int).
        Parameters:
        bio - BIO*.
        Returns:
        the amount of data pending in buffer used for non-application writes.
      • sslPending

        public static int sslPending​(long ssl)
        The number of bytes pending in SSL which can be read immediately. See SSL_pending.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        The number of bytes pending in SSL which can be read immediately.
      • writeToSSL

        public static int writeToSSL​(long ssl,
                                     long wbuf,
                                     int wlen)
        SSL_write
        Parameters:
        ssl - the SSL instance (SSL *)
        wbuf - the memory address of the buffer
        wlen - the length
        Returns:
        the number of written bytes
      • readFromSSL

        public static int readFromSSL​(long ssl,
                                      long rbuf,
                                      int rlen)
        SSL_read
        Parameters:
        ssl - the SSL instance (SSL *)
        rbuf - the memory address of the buffer
        rlen - the length
        Returns:
        the number of read bytes
      • getShutdown

        public static int getShutdown​(long ssl)
        SSL_get_shutdown
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the return code of SSL_get_shutdown
      • setShutdown

        public static void setShutdown​(long ssl,
                                       int mode)
        SSL_set_shutdown
        Parameters:
        ssl - the SSL instance (SSL *)
        mode - the mode to use
      • freeSSL

        public static void freeSSL​(long ssl)
        SSL_free
        Parameters:
        ssl - the SSL instance (SSL *)
      • freeBIO

        public static void freeBIO​(long bio)
        BIO_free
        Parameters:
        bio - the BIO
      • shutdownSSL

        public static int shutdownSSL​(long ssl)
        SSL_shutdown
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the return code of SSL_shutdown
      • getLastErrorNumber

        public static int getLastErrorNumber()
        Get the error number representing the last error OpenSSL encountered on this thread.
        Returns:
        the last error code for the calling thread.
      • getCipherForSSL

        public static java.lang.String getCipherForSSL​(long ssl)
        SSL_get_cipher
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the name of the current cipher.
      • getVersion

        public static java.lang.String getVersion​(long ssl)
        SSL_get_version
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the version.
      • doHandshake

        public static int doHandshake​(long ssl)
        SSL_do_handshake
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the return code of SSL_do_handshake.
      • isInInit

        public static int isInInit​(long ssl)
        SSL_in_init
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the return code of SSL_in_init.
      • getNextProtoNegotiated

        public static java.lang.String getNextProtoNegotiated​(long ssl)
        SSL_get0_next_proto_negotiated
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the name of the negotiated proto
      • getAlpnSelected

        public static java.lang.String getAlpnSelected​(long ssl)
        SSL_get0_alpn_selected
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the name of the selected ALPN protocol
      • getPeerCertChain

        public static byte[][] getPeerCertChain​(long ssl)
        Get the peer certificate chain or null if none was sent.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the chain or null if none was sent
      • getPeerCertificate

        public static byte[] getPeerCertificate​(long ssl)
        Get the peer certificate or null if none was sent.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the peer certificate or null if none was sent
      • getErrorString

        public static java.lang.String getErrorString​(long errorNumber)
        Get the error string for the given errorNumber.
        Parameters:
        errorNumber - the error number / code
        Returns:
        the error string
      • getTime

        public static long getTime​(long ssl)
        SSL_get_time
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        returns the time at which the session ssl was established. The time is given in seconds since the Epoch
      • getTimeout

        public static long getTimeout​(long ssl)
        SSL_get_timeout
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        returns the timeout for the session ssl. The time is given in seconds since the Epoch
      • setTimeout

        public static long setTimeout​(long ssl,
                                      long seconds)
        SSL_set_timeout
        Parameters:
        ssl - the SSL instance (SSL *)
        seconds - timeout in seconds
        Returns:
        returns the timeout for the session ssl before this call. The time is given in seconds since the Epoch
      • setVerify

        public static void setVerify​(long ssl,
                                     int level,
                                     int depth)
        Set Type of Client Certificate verification and Maximum depth of CA Certificates in Client Certificate verification.

        This directive sets the Certificate verification level for the Client Authentication. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.

        The following levels are available for level:

        The depth is the maximum number of intermediate certificate issuers, i.e. the maximum number of CA certificates that may be followed while verifying the client certificate. A depth of 0 means that only self-signed client certificates are accepted; the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under setCACertificatePath), etc.
        Parameters:
        ssl - the SSL instance (SSL *)
        level - Type of Client Certificate verification.
        depth - Maximum depth of CA Certificates in Client Certificate verification. Ignored if value is <0.
      • setOptions

        public static void setOptions​(long ssl,
                                      int options)
        Set OpenSSL Option.
        Parameters:
        ssl - the SSL instance (SSL *)
        options - See SSL.SSL_OP_* for option flags.
      • clearOptions

        public static void clearOptions​(long ssl,
                                        int options)
        Clear OpenSSL Option.
        Parameters:
        ssl - the SSL instance (SSL *)
        options - See SSL.SSL_OP_* for option flags.
      • getOptions

        public static int getOptions​(long ssl)
        Get OpenSSL Option.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        options See SSL.SSL_OP_* for option flags.
      • setMode

        public static int setMode​(long ssl,
                                  int mode)
        Call SSL_set_mode
        Parameters:
        ssl - the SSL instance (SSL *).
        mode - the mode
        Returns:
        the set mode.
      • getMode

        public static int getMode​(long ssl)
        Call SSL_get_mode
        Parameters:
        ssl - the SSL instance (SSL *).
        Returns:
        the mode.
      • getMaxWrapOverhead

        public static int getMaxWrapOverhead​(long ssl)
        Get the maximum overhead, in bytes, of wrapping (a.k.a sealing) a record with ssl. See SSL_max_seal_overhead.
        Parameters:
        ssl - the SSL instance (SSL *).
        Returns:
        Maximum overhead, in bytes, of wrapping (a.k.a sealing) a record with ssl.
      • getCiphers

        public static java.lang.String[] getCiphers​(long ssl)
        Returns all the cipher suites that are available for negotiation in an SSL handshake.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        ciphers
      • setCipherSuites

        @Deprecated
        public static boolean setCipherSuites​(long ssl,
                                              java.lang.String ciphers)
                                       throws java.lang.Exception
        Sets the cipher suites available for negotiation in the SSL handshake.

        This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.

        Parameters:
        ssl - the SSL instance (SSL *)
        ciphers - an SSL cipher specification
        Returns:
        true if successful
        Throws:
        java.lang.Exception - if an error happened
      • setCipherSuites

        public static boolean setCipherSuites​(long ssl,
                                              java.lang.String ciphers,
                                              boolean tlsv13)
                                       throws java.lang.Exception
        Sets the cipher suites available for negotiation in the SSL handshake.

        This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.

        Parameters:
        ssl - the SSL instance (SSL *)
        ciphers - an SSL cipher specification
        tlsv13 - true if the ciphers are for TLSv1.3
        Returns:
        true if successful
        Throws:
        java.lang.Exception - if an error happened
      • setCurvesList

        public static boolean setCurvesList​(long ssl,
                                            java.lang.String... curves)
        Sets the curves to use. See SSL_set1_curves_list.
        Parameters:
        ssl - the SSL instance (SSL *)
        curves - the curves to use.
        Returns:
        true if successful, false otherwise.
      • setCurvesList0

        private static boolean setCurvesList0​(long ctx,
                                              java.lang.String curves)
      • setCurves

        public static boolean setCurves​(long ssl,
                                        int[] curves)
        Sets the curves to use. See SSL_set1_curves.
        Parameters:
        ssl - the SSL instance (SSL *)
        curves - the curves to use.
        Returns:
        true if successful, false otherwise.
      • setCurves0

        private static boolean setCurves0​(long ctx,
                                          int[] curves)
      • getSessionId

        public static byte[] getSessionId​(long ssl)
        Returns the ID of the session as byte array representation.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the session as byte array representation obtained via SSL_SESSION_get_id.
      • getHandshakeCount

        public static int getHandshakeCount​(long ssl)
        Returns the number of handshakes done for this SSL instance. This also includes renegotiations.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the number of handshakes done for this SSL instance.
      • clearError

        public static void clearError()
        Clear all the errors from the error queue that OpenSSL encountered on this thread.
      • setTlsExtHostName

        public static void setTlsExtHostName​(long ssl,
                                             java.lang.String hostname)
        Call SSL_set_tlsext_host_name
        Parameters:
        ssl - the SSL instance (SSL *)
        hostname - the hostname
      • setTlsExtHostName0

        private static void setTlsExtHostName0​(long ssl,
                                               java.lang.String hostname)
      • setHostNameValidation

        public static void setHostNameValidation​(long ssl,
                                                 int flags,
                                                 java.lang.String hostname)
        Explicitly control hostname validation. See X509_check_host for the X509_CHECK_FLAG* definitions. Values are defined as a bitmask of X509_CHECK_FLAG* values.
        Parameters:
        ssl - the SSL instance (SSL*).
        flags - a bitmask of X509_CHECK_FLAG* values.
        hostname - the hostname which is expected for validation.
      • authenticationMethods

        public static java.lang.String[] authenticationMethods​(long ssl)
        Return the methods used for authentication.
        Parameters:
        ssl - the SSL instance (SSL*)
        Returns:
        the methods
      • setCertificateChainBio

        @Deprecated
        public static void setCertificateChainBio​(long ssl,
                                                  long bio,
                                                  boolean skipfirst)
        Set BIO of PEM-encoded Server CA Certificates

        This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.

        But be careful: Providing the certificate chain works only if you are using a single (either RSA or DSA) based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if both certificates actually use the same certificate chain. Otherwise the browsers will be confused in this situation.

        Parameters:
        ssl - Server or Client to use.
        bio - BIO of PEM-encoded Server CA Certificates.
        skipfirst - Skip first certificate if chain file is inside certificate file.
      • setCertificateBio

        @Deprecated
        public static void setCertificateBio​(long ssl,
                                             long certBio,
                                             long keyBio,
                                             java.lang.String password)
                                      throws java.lang.Exception
        Set Certificate
        Point setCertificate at a PEM-encoded certificate stored in a BIO. If the certificate is encrypted, then you will be prompted for a pass phrase. Note that a kill -HUP will prompt again. A test certificate can be generated with `make certificate' at build time. Keep in mind that if you have both an RSA and a DSA certificate you can configure both in parallel (to also allow the use of DSA ciphers, etc.)
        If the key is not combined with the certificate, use key param to point at the key file. Keep in mind that if you've both a RSA and a DSA private key you can configure both in parallel (to also allow the use of DSA ciphers, etc.)
        Parameters:
        ssl - Server or Client to use.
        certBio - Certificate BIO.
        keyBio - Private Key BIO to use if not in cert.
        password - Certificate password. If null and the certificate is encrypted, you will be prompted for a pass phrase.
        Throws:
        java.lang.Exception - if an error happened
      • loadPrivateKeyFromEngine

        public static long loadPrivateKeyFromEngine​(java.lang.String keyId,
                                                    java.lang.String password)
                                             throws java.lang.Exception
        Load a private key from the used OpenSSL ENGINE via the ENGINE_load_private_key function.

        Be sure you understand how OpenSsl will behave with respect to reference counting! If the ownership is not transferred you need to call freePrivateKey(long) once the key is not used anymore to prevent memory leaks.

        Parameters:
        keyId - the id of the key.
        password - the password to use or null if none.
        Returns:
        EVP_PKEY pointer
        Throws:
        java.lang.Exception - if an error happened
      • parsePrivateKey

        public static long parsePrivateKey​(long privateKeyBio,
                                           java.lang.String password)
                                    throws java.lang.Exception
        Parse private key from BIO and return EVP_PKEY pointer.

        Be sure you understand how OpenSsl will behave with respect to reference counting! If the EVP_PKEY pointer is used with the client certificate callback CertificateRequestedCallback the ownership goes over to OpenSsl / Tcnative and so calling freePrivateKey(long) should NOT be done in this case. Otherwise you may need to call freePrivateKey(long) to decrement the reference count and free memory.

        Parameters:
        privateKeyBio - the pointer to the BIO that contains the private key
        password - the password or null if no password is needed
        Returns:
        EVP_PKEY pointer
        Throws:
        java.lang.Exception - if an error happened
      • freePrivateKey

        public static void freePrivateKey​(long privateKey)
        Free private key (EVP_PKEY pointer).
        Parameters:
        privateKey - EVP_PKEY pointer
      • parseX509Chain

        public static long parseX509Chain​(long x509ChainBio)
                                   throws java.lang.Exception
        Parse X509 chain from BIO and return (STACK_OF(X509) pointer).

        Be sure you understand how OpenSsl will behave with respect to reference counting! If the STACK_OF(X509) pointer is used with the client certificate callback CertificateRequestedCallback the ownership goes over to OpenSsl / Tcnative and so calling freeX509Chain(long) should NOT be done in this case. Otherwise you may need to call freeX509Chain(long) to decrement the reference count and free memory.

        Parameters:
        x509ChainBio - the pointer to the BIO that contains the X509 chain
        Returns:
        STACK_OF(X509) pointer
        Throws:
        java.lang.Exception - if an error happened
      • freeX509Chain

        public static void freeX509Chain​(long x509Chain)
        Free x509 chain (STACK_OF(X509) pointer).
        Parameters:
        x509Chain - STACK_OF(X509) pointer
      • enableOcsp

        public static void enableOcsp​(long ssl)
        Enables OCSP stapling for the given SSLEngine or throws an exception if OCSP stapling is not supported.

        NOTE: This needs to happen before the SSL handshake.

        SSL_set_tlsext_status_type

        Search for OCSP

      • setKeyMaterialServerSide

        @Deprecated
        public static void setKeyMaterialServerSide​(long ssl,
                                                    long chain,
                                                    long key)
                                             throws java.lang.Exception
        Sets the keymaterial to be used for the server side. The passed-in chain and key need to be generated via parseX509Chain(long) and parsePrivateKey(long, String). Note that the caller remains responsible for freeing the passed-in chain and key in every case, because this method increments the reference count of both the chain and the key.
        Throws:
        java.lang.Exception
      • setKeyMaterial

        public static void setKeyMaterial​(long ssl,
                                          long chain,
                                          long key)
                                   throws java.lang.Exception
        Sets the keymaterial to be used. The passed-in chain and key need to be generated via parseX509Chain(long) and parsePrivateKey(long, String). Note that the caller remains responsible for freeing the passed-in chain and key in every case, because this method increments the reference count of both the chain and the key.
        Throws:
        java.lang.Exception
      • setKeyMaterialClientSide

        @Deprecated
        public static void setKeyMaterialClientSide​(long ssl,
                                                    long x509Out,
                                                    long pkeyOut,
                                                    long chain,
                                                    long key)
                                             throws java.lang.Exception
        Sets the key material to be used for the client side. The passed-in chain and key need to be generated via parseX509Chain(long) and parsePrivateKey(long, String). Note that the caller remains responsible for freeing the passed-in chain and key in every case, because this method increments the reference count of the chain and key.
        Throws:
        java.lang.Exception
      • setOcspResponse

        public static void setOcspResponse​(long ssl,
                                           byte[] response)
        Sets the OCSP response for the given SSLEngine or throws an exception in case of an error.

        NOTE: This is only meant to be called for server SSLEngines.

        SSL_set_tlsext_status_type

        Search for OCSP

        Parameters:
        ssl - the SSL instance (SSL *)
      • getOcspResponse

        public static byte[] getOcspResponse​(long ssl)
        Returns the OCSP response for the given SSLEngine or null if the server didn't provide a stapled OCSP response.

        NOTE: This is only meant to be called for client SSLEngines.

        SSL_set_tlsext_status_type

        Search for OCSP

        Parameters:
        ssl - the SSL instance (SSL *)
      • fipsModeSet

        public static void fipsModeSet​(int mode)
                                throws java.lang.Exception
        Set the FIPS mode to use. See man FIPS_mode_set.
        Parameters:
        mode - the mode to use.
        Throws:
        java.lang.Exception - throws if setting the fips mode failed.
      • getSniHostname

        public static java.lang.String getSniHostname​(long ssl)
        Return the SNI hostname that was sent as part of the SSL Hello.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the SNI hostname or null if none was used.
      • getSigAlgs

        public static java.lang.String[] getSigAlgs​(long ssl)
        Return the signature algorithms that the remote peer supports or null if none are supported. See man SSL_get_sigalgs for more details. The returned names are generated using OBJ_nid2ln with the psignhash as parameter.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the signature algorithms or null.
      • getMasterKey

        public static byte[] getMasterKey​(long ssl)
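        Returns the master key used for the current SSL session. Use this extremely sparingly: leaking this key defeats the whole purpose of encryption, especially forward secrecy. It exists here strictly for debugging purposes. Because the session's HMAC and keys are derived from the master key together with the client and server random values, treat the returned bytes as secret material and keep them out of application logs.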
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the master key used for the ssl session
      • getServerRandom

        public static byte[] getServerRandom​(long ssl)
        Extracts the random value sent from the server to the client during the initial SSL/TLS handshake. This value is needed to derive the HMAC and keys from the master key according to the TLS PRF. This method is not a random number generator.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the random server value used for the ssl session
      • getClientRandom

        public static byte[] getClientRandom​(long ssl)
        Extracts the random value sent from the client to the server during the initial SSL/TLS handshake. This value is needed to derive the HMAC and keys from the master key according to the TLS PRF. This method is not a random number generator.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the random client value used for the ssl session
      • getTask

        public static java.lang.Runnable getTask​(long ssl)
        Returns the Runnable that must be run because an operation signalled that a task needs to be completed before the previous action can be retried. After the task has run, retry the operation that signalled that a task needed to be run. The Runnable may also implement AsyncTask, which allows fully asynchronous execution if AsyncTask.runAsync(Runnable) is used.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the task to run.
      • getAsyncTask

        public static AsyncTask getAsyncTask​(long ssl)
        Returns the AsyncTask that must be run because an operation signalled that a task needs to be completed before that operation can be retried. After the task has run, retry the operation that signalled that a task needed to be run.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the task to run.
      • isSessionReused

        public static boolean isSessionReused​(long ssl)
        Return true if the SSL_SESSION was reused. See SSL_session_reused.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        true if the SSL_SESSION was reused, false otherwise.
      • setSession

        public static boolean setSession​(long ssl,
                                         long session)
        Sets the SSL_SESSION that should be used for SSL.
        Parameters:
        ssl - the SSL instance (SSL *)
        session - the SSL_SESSION instance (SSL_SESSION *)
        Returns:
        true if successful, false otherwise.
      • getSession

        public static long getSession​(long ssl)
        Returns the SSL_SESSION that is used for SSL. See SSL_get_session.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the SSL_SESSION instance (SSL_SESSION *) used
      • setRenegotiateMode

        public static void setRenegotiateMode​(long ssl,
                                              int mode)
                                       throws java.lang.Exception
        Allows setting the renegotiation mode that is used. This is only supported by BoringSSL. See SSL_set_renegotiate_mode.
        Parameters:
        ssl - the SSL instance (SSL *)
        mode - the mode.
        Throws:
        java.lang.Exception - thrown if some error happens.