Package org.conscrypt
Class SSLUtils
java.lang.Object
    org.conscrypt.SSLUtils

final class SSLUtils extends java.lang.Object

Utility methods for SSL packet processing. Copied from the Netty project. This is a public class to allow testing to occur on Android via CTS.
Nested Class Summary

(package private) static class SSLUtils.EngineStates
    States for SSL engines.

(package private) static class SSLUtils.SessionType
Field Summary

private static java.lang.String KEY_TYPE_EC
    Key type: Elliptic Curve certificate.

private static java.lang.String KEY_TYPE_RSA
    Key type: RSA certificate.

private static int MAX_ENCRYPTION_OVERHEAD_DIFF

private static int MAX_ENCRYPTION_OVERHEAD_LENGTH

private static int MAX_PROTOCOL_LENGTH

private static java.nio.charset.Charset US_ASCII

(package private) static boolean USE_ENGINE_SOCKET_BY_DEFAULT
Constructor Summary

private SSLUtils()
Method Summary (all methods are static and concrete)

(package private) static int calculateOutNetBufSize(int pendingBytes)
    Calculates the minimum bytes required in the encrypted output buffer for the given number of plaintext source bytes.

(package private) static java.lang.String[] concat(java.lang.String[]... arrays)

(package private) static java.lang.String[] decodeProtocols(byte[] protocols)
    Decodes the given list of protocols into Strings.

private static java.security.cert.X509Certificate decodeX509Certificate(java.security.cert.CertificateFactory certificateFactory, byte[] bytes)

(package private) static java.security.cert.X509Certificate[] decodeX509CertificateChain(byte[][] certChain)

(package private) static byte[] encodeProtocols(java.lang.String[] protocols)
    Encodes a list of protocols into the wire-format (length-prefixed 8-bit strings).

(package private) static byte[][] encodeSubjectX509Principals(java.security.cert.X509Certificate[] certificates)

private static java.security.cert.CertificateFactory getCertificateFactory()

(package private) static java.lang.String getClientKeyType(byte clientCertificateType)
    Similar to getServerKeyType, but returns the value for a TLS ClientCertificateType byte from a CertificateRequest message, for use with X509KeyManager.chooseClientAlias or X509ExtendedKeyManager.chooseEngineClientAlias.

(package private) static java.lang.String getClientKeyTypeFromSignatureAlg(int signatureAlg)

private static int getEncryptedPacketLength(java.nio.ByteBuffer buffer)

(package private) static int getEncryptedPacketLength(java.nio.ByteBuffer[] buffers, int offset)
    Returns how many bytes can be read out of the encrypted data.

(package private) static java.lang.String getServerX509KeyType(long sslCipherNative)
    Returns the key type constant suitable for calling X509KeyManager.chooseServerAlias or X509ExtendedKeyManager.chooseEngineServerAlias.

(package private) static java.util.Set<java.lang.String> getSupportedClientKeyTypes(byte[] clientCertificateTypes, int[] signatureAlgs)
    Gets the supported key types for client certificates based on the ClientCertificateType values provided by the server.

(package private) static javax.security.cert.X509Certificate[] toCertificateChain(java.security.cert.X509Certificate[] certificates)
    Converts the peer certificates into a cert chain.

(package private) static byte[] toProtocolBytes(java.lang.String protocol)

(package private) static java.lang.String toProtocolString(byte[] bytes)

(package private) static javax.net.ssl.SSLException toSSLException(java.lang.Throwable e)
    Wraps the given exception if it's not already an SSLException.

(package private) static javax.net.ssl.SSLHandshakeException toSSLHandshakeException(java.lang.Throwable e)
    Wraps the given exception if it's not already an SSLHandshakeException.

private static short unsignedByte(byte b)

private static int unsignedShort(short s)
Field Detail

USE_ENGINE_SOCKET_BY_DEFAULT
static final boolean USE_ENGINE_SOCKET_BY_DEFAULT

MAX_PROTOCOL_LENGTH
private static final int MAX_PROTOCOL_LENGTH
See Also: Constant Field Values

US_ASCII
private static final java.nio.charset.Charset US_ASCII

MAX_ENCRYPTION_OVERHEAD_LENGTH
private static final int MAX_ENCRYPTION_OVERHEAD_LENGTH
This is the maximum overhead when encrypting plaintext as defined by RFC 5246, RFC 5289, and the BoringSSL implementation itself. Note that a padding of 16 is assumed here: BoringSSL pads the way PKCS#5 does (which handles it the same way as PKCS#7) with a block size of 16, so at most 16 bytes of padding are added, while the TLS record format itself allows up to 255. See RFC 5652, section 6.3. The overhead is the sum of:
16 (IV) + 48 (MAC) + 1 (padding_length field) + 15 (padding) + 1 (ContentType in TLSCiphertext) + 2 (ProtocolVersion) + 2 (Length) + 1 (ContentType in TLSInnerPlaintext)
See Also: Constant Field Values

MAX_ENCRYPTION_OVERHEAD_DIFF
private static final int MAX_ENCRYPTION_OVERHEAD_DIFF
See Also: Constant Field Values

KEY_TYPE_RSA
private static final java.lang.String KEY_TYPE_RSA
Key type: RSA certificate.
See Also: Constant Field Values

KEY_TYPE_EC
private static final java.lang.String KEY_TYPE_EC
Key type: Elliptic Curve certificate.
See Also: Constant Field Values
Method Detail

decodeX509CertificateChain
static java.security.cert.X509Certificate[] decodeX509CertificateChain(byte[][] certChain) throws java.security.cert.CertificateException
Throws: java.security.cert.CertificateException

getCertificateFactory
private static java.security.cert.CertificateFactory getCertificateFactory()

decodeX509Certificate
private static java.security.cert.X509Certificate decodeX509Certificate(java.security.cert.CertificateFactory certificateFactory, byte[] bytes) throws java.security.cert.CertificateException
Throws: java.security.cert.CertificateException

getServerX509KeyType
static java.lang.String getServerX509KeyType(long sslCipherNative)
Returns the key type constant suitable for calling X509KeyManager.chooseServerAlias or X509ExtendedKeyManager.chooseEngineServerAlias. Returns null for key exchanges that do not use X.509 for server authentication.

getClientKeyType
static java.lang.String getClientKeyType(byte clientCertificateType)
Similar to getServerKeyType, but returns the value for a TLS ClientCertificateType byte from a CertificateRequest message, for use with X509KeyManager.chooseClientAlias or X509ExtendedKeyManager.chooseEngineClientAlias. Visible for testing.

getClientKeyTypeFromSignatureAlg
static java.lang.String getClientKeyTypeFromSignatureAlg(int signatureAlg)
getSupportedClientKeyTypes
static java.util.Set<java.lang.String> getSupportedClientKeyTypes(byte[] clientCertificateTypes, int[] signatureAlgs)
Gets the supported key types for client certificates based on the ClientCertificateType values provided by the server.
Parameters:
clientCertificateTypes - ClientCertificateType values provided by the server. See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-2.
signatureAlgs - SignatureScheme values provided by the server. See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml#tls-signaturescheme.
Returns:
supported key types that can be used in X509KeyManager.chooseClientAlias and X509ExtendedKeyManager.chooseEngineClientAlias. If the inputs imply a preference order, the returned set will have an iteration order that respects that preference order; otherwise it will be in an arbitrary order. Visible for testing.
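The following is an added, stand-alone illustration of the contract described above; it is not Conscrypt's implementation. It maps the CertificateRequest's ClientCertificateType bytes and SignatureScheme code points to the "RSA"/"EC" key-type strings that X509KeyManager.chooseClientAlias expects, and keeps the server's order by collecting into an insertion-ordered set. The IANA code points are real; the choice to map only RSA and ECDSA schemes (leaving dsa, ed25519 and ed448 unmapped) and the helper names are this example's own assumptions.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

// Added example, not Conscrypt's code: derive the key-type strings that
// X509KeyManager.chooseClientAlias expects ("RSA", "EC") from the contents of a
// CertificateRequest, keeping the server's preference order.
public final class ClientKeyTypes {
    // TLS ClientCertificateType values (IANA tls-parameters-2).
    static final byte RSA_SIGN = 1;
    static final byte DSS_SIGN = 2;
    static final byte RSA_FIXED_DH = 3;
    static final byte DSS_FIXED_DH = 4;
    static final byte ECDSA_SIGN = 64;
    static final byte RSA_FIXED_ECDH = 65;
    static final byte ECDSA_FIXED_ECDH = 66;

    /** ClientCertificateType to key type; null when no X.509 signing key type applies.
     *  Assumption: only RSA and EC are offered, matching the KEY_TYPE_* fields of SSLUtils. */
    static String clientKeyType(byte clientCertificateType) {
        switch (clientCertificateType) {
            case RSA_SIGN:
                return "RSA";
            case ECDSA_SIGN:
                return "EC";
            default:
                // dss_sign and the fixed-(EC)DH types are not something a modern key manager serves.
                return null;
        }
    }

    /** SignatureScheme code point to key type. TLS 1.2 code points carry the
     *  SignatureAlgorithm in the low byte (1 = rsa, 3 = ecdsa); the TLS 1.3 RSA-PSS
     *  schemes are 0x0804..0x0806 (rsae) and 0x0809..0x080b (pss).
     *  Assumption: dsa, ed25519 and ed448 are left unmapped in this example. */
    static String clientKeyTypeFromSignatureAlg(int signatureAlg) {
        if ((signatureAlg >= 0x0804 && signatureAlg <= 0x0806)
                || (signatureAlg >= 0x0809 && signatureAlg <= 0x080b)) {
            return "RSA";
        }
        switch (signatureAlg & 0xff) {
            case 1:
                return "RSA"; // rsa_pkcs1_sha*
            case 3:
                return "EC"; // ecdsa_secp*r1_sha*
            default:
                return null;
        }
    }

    /** Insertion-ordered union, so iteration order follows the server's lists. */
    static Set<String> supportedClientKeyTypes(byte[] clientCertificateTypes, int[] signatureAlgs) {
        Set<String> keyTypes = new LinkedHashSet<>();
        if (clientCertificateTypes != null) {
            for (byte type : clientCertificateTypes) {
                String keyType = clientKeyType(type);
                if (keyType != null) {
                    keyTypes.add(keyType);
                }
            }
        }
        if (signatureAlgs != null) {
            for (int alg : signatureAlgs) {
                String keyType = clientKeyTypeFromSignatureAlg(alg);
                if (keyType != null) {
                    keyTypes.add(keyType);
                }
            }
        }
        return Collections.unmodifiableSet(keyTypes);
    }

    public static void main(String[] args) {
        // Constructed CertificateRequest contents: certificate_types = {ecdsa_sign, rsa_sign, dss_sign},
        // supported_signature_algorithms = {ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256}.
        byte[] certificateTypes = {ECDSA_SIGN, RSA_SIGN, DSS_SIGN};
        int[] signatureAlgs = {0x0403, 0x0804, 0x0401};
        Set<String> keyTypes = supportedClientKeyTypes(certificateTypes, signatureAlgs);
        System.out.println("key types in server preference order: " + keyTypes);
        // The set feeds a key manager call of this shape (issuers and socket omitted here):
        // keyManager.chooseClientAlias(keyTypes.toArray(new String[0]), issuers, socket);
    }
}
```

The LinkedHashSet is what preserves the "iteration order that respects that preference order" property: a plain HashSet would lose the server's ordering and the key manager might then pick an RSA alias where the server listed ECDSA first.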
encodeSubjectX509Principals
static byte[][] encodeSubjectX509Principals(java.security.cert.X509Certificate[] certificates) throws java.security.cert.CertificateEncodingException
Throws: java.security.cert.CertificateEncodingException

toCertificateChain
static javax.security.cert.X509Certificate[] toCertificateChain(java.security.cert.X509Certificate[] certificates) throws javax.net.ssl.SSLPeerUnverifiedException
Converts the peer certificates into a cert chain.
Throws: javax.net.ssl.SSLPeerUnverifiedException

calculateOutNetBufSize
static int calculateOutNetBufSize(int pendingBytes)
Calculates the minimum bytes required in the encrypted output buffer for the given number of plaintext source bytes.

toSSLHandshakeException
static javax.net.ssl.SSLHandshakeException toSSLHandshakeException(java.lang.Throwable e)
Wraps the given exception if it's not already an SSLHandshakeException.

toSSLException
static javax.net.ssl.SSLException toSSLException(java.lang.Throwable e)
Wraps the given exception if it's not already an SSLException.

toProtocolString
static java.lang.String toProtocolString(byte[] bytes)

toProtocolBytes
static byte[] toProtocolBytes(java.lang.String protocol)
decodeProtocols
static java.lang.String[] decodeProtocols(byte[] protocols)
Decodes the given list of protocols into Strings.
Parameters:
protocols - the encoded protocol list
Returns:
the decoded protocols, or EmptyArray.BYTE if protocols is empty.
Throws:
java.lang.NullPointerException - if protocols is null.

encodeProtocols
static byte[] encodeProtocols(java.lang.String[] protocols)
Encodes a list of protocols into the wire-format (length-prefixed 8-bit strings). Requires that all strings be encoded with US-ASCII.
Parameters:
protocols - the list of protocols to be encoded
Returns:
the encoded form of the protocol list.
Throws:
java.lang.IllegalArgumentException - if protocols is null, or if any element is null or an empty string.
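An added example covering both decodeProtocols and encodeProtocols above (it is not Conscrypt's code): the ALPN/NPN protocol-list wire format is a run of names, each preceded by a single length byte, so a name is limited to 255 US-ASCII bytes. The example enforces the documented IllegalArgumentException and NullPointerException cases and adds two checks that are this example's own assumptions rather than documented behaviour: non-ASCII names are rejected instead of being transliterated, and a length prefix that overruns the buffer (or is zero) is treated as a malformed list from the peer.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example, not Conscrypt's code: the ALPN/NPN protocol-list wire format, a
// sequence of 8-bit-length-prefixed US-ASCII strings, with the validation the
// encodeProtocols/decodeProtocols contracts call for.
public final class ProtocolList {
    // Largest name a one-byte length prefix can describe (assumed to be what MAX_PROTOCOL_LENGTH holds).
    static final int MAX_PROTOCOL_LENGTH = 255;

    static byte[] encodeProtocols(String[] protocols) {
        if (protocols == null) {
            throw new IllegalArgumentException("protocols == null");
        }
        byte[][] encoded = new byte[protocols.length][];
        int total = 0;
        for (int i = 0; i < protocols.length; i++) {
            String protocol = protocols[i];
            if (protocol == null || protocol.isEmpty()) {
                throw new IllegalArgumentException("protocol[" + i + "] is null or empty");
            }
            // Assumption: a non-ASCII name is rejected rather than silently replaced with '?'.
            if (!StandardCharsets.US_ASCII.newEncoder().canEncode(protocol)) {
                throw new IllegalArgumentException("protocol[" + i + "] is not US-ASCII");
            }
            byte[] bytes = protocol.getBytes(StandardCharsets.US_ASCII);
            if (bytes.length > MAX_PROTOCOL_LENGTH) {
                throw new IllegalArgumentException("protocol[" + i + "] longer than " + MAX_PROTOCOL_LENGTH);
            }
            encoded[i] = bytes;
            total += 1 + bytes.length;
        }
        byte[] out = new byte[total];
        int pos = 0;
        for (byte[] bytes : encoded) {
            out[pos++] = (byte) bytes.length; // length prefix, then the name
            System.arraycopy(bytes, 0, out, pos, bytes.length);
            pos += bytes.length;
        }
        return out;
    }

    static String[] decodeProtocols(byte[] protocols) {
        if (protocols == null) {
            throw new NullPointerException("protocols");
        }
        List<String> result = new ArrayList<>();
        int pos = 0;
        while (pos < protocols.length) {
            int length = protocols[pos++] & 0xff; // read the prefix as unsigned
            // Assumption: a zero-length name or a prefix that overruns the buffer is a
            // malformed list from the peer; refuse it instead of reading past the end.
            if (length == 0 || pos + length > protocols.length) {
                throw new IllegalArgumentException("malformed protocol list at offset " + (pos - 1));
            }
            result.add(new String(protocols, pos, length, StandardCharsets.US_ASCII));
            pos += length;
        }
        return result.toArray(new String[0]);
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        byte[] wire = encodeProtocols(new String[] {"h2", "http/1.1"});
        System.out.println("encoded: " + toHex(wire));
        System.out.println("decoded: " + Arrays.toString(decodeProtocols(wire)));
        // Constructed malformed input: the second prefix claims 8 bytes but only 3 follow.
        byte[] truncated = {0x02, 'h', '2', 0x08, 'h', 't', 't'};
        try {
            decodeProtocols(truncated);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Reading the prefix with `& 0xff` matters: a byte in Java is signed, so a name of 128 or more bytes would otherwise produce a negative length and an ArrayIndexOutOfBoundsException rather than a clean parse.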
getEncryptedPacketLength
static int getEncryptedPacketLength(java.nio.ByteBuffer[] buffers, int offset)
Returns how many bytes can be read out of the encrypted data. Be aware that this method will not advance the position (Netty's readerIndex) of the given ByteBuffers.
Parameters:
buffers - the ByteBuffers to read from. Be aware that they must have at least NativeConstants.SSL3_RT_HEADER_LENGTH bytes to read, otherwise an IllegalArgumentException is thrown.
Returns:
the length of the encrypted packet that is included in the buffer. This will return -1 if the given ByteBuffer is not encrypted at all.
Throws:
java.lang.IllegalArgumentException - if the given ByteBuffer does not have at least NativeConstants.SSL3_RT_HEADER_LENGTH bytes to read.
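An added example of the contract above, not Conscrypt's code: the TLS record header is five bytes (ContentType, two-byte ProtocolVersion, two-byte big-endian Length), and the example reads it across several ByteBuffers with absolute gets so no buffer's position moves. It returns -1 when the bytes do not look like a record (for instance plaintext HTTP sent to a TLS port) and throws IllegalArgumentException when fewer than five bytes are available. The accepted version range {3,0}..{3,4} and the ciphertext length ceiling of 2^14 + 2048 from RFC 5246 are this example's assumptions, as is the constant MAX_CIPHERTEXT_LENGTH.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Added example, not Conscrypt's code: peek at the 5-byte TLS record header
// (ContentType, ProtocolVersion, Length) spread over one or more ByteBuffers,
// leaving every buffer's position untouched.
public final class RecordLength {
    static final int SSL3_RT_HEADER_LENGTH = 5;
    // RFC 5246: TLSCiphertext.length must not exceed 2^14 + 2048 (assumed ceiling here).
    static final int MAX_CIPHERTEXT_LENGTH = 16384 + 2048;

    // ContentType values: change_cipher_spec(20), alert(21), handshake(22), application_data(23).
    static boolean isKnownContentType(int contentType) {
        return contentType >= 20 && contentType <= 23;
    }

    /**
     * Returns the header-plus-body length of the record whose header starts at
     * buffers[offset].position(), -1 if the bytes do not look like a TLS record,
     * and throws if fewer than SSL3_RT_HEADER_LENGTH bytes are readable.
     */
    static int getEncryptedPacketLength(ByteBuffer[] buffers, int offset) {
        byte[] header = new byte[SSL3_RT_HEADER_LENGTH];
        int have = 0;
        // Absolute gets: position() and limit() of the caller's buffers never move.
        for (int i = offset; i < buffers.length && have < SSL3_RT_HEADER_LENGTH; i++) {
            ByteBuffer buffer = buffers[i];
            for (int p = buffer.position(); p < buffer.limit() && have < SSL3_RT_HEADER_LENGTH; p++) {
                header[have++] = buffer.get(p);
            }
        }
        if (have < SSL3_RT_HEADER_LENGTH) {
            throw new IllegalArgumentException(
                    "need " + SSL3_RT_HEADER_LENGTH + " bytes to read a record header, have " + have);
        }
        return getEncryptedPacketLength(ByteBuffer.wrap(header));
    }

    private static int getEncryptedPacketLength(ByteBuffer buffer) {
        int pos = buffer.position();
        int contentType = buffer.get(pos) & 0xff;
        int major = buffer.get(pos + 1) & 0xff;
        int minor = buffer.get(pos + 2) & 0xff;
        // Length is a big-endian uint16; assembling it by hand keeps this independent of the buffer's byte order.
        int length = ((buffer.get(pos + 3) & 0xff) << 8) | (buffer.get(pos + 4) & 0xff);
        // Assumption: accept {3,0} (SSL 3.0) through {3,4}; TLS 1.3 records carry 0x0303 as legacy_record_version.
        if (!isKnownContentType(contentType) || major != 3 || minor > 4) {
            return -1; // not TLS, e.g. plaintext HTTP sent to a TLS port
        }
        if (length == 0 || length > MAX_CIPHERTEXT_LENGTH) {
            return -1; // header shape is right but the length is not plausible
        }
        return SSL3_RT_HEADER_LENGTH + length;
    }

    public static void main(String[] args) {
        // Constructed application_data record: header 17 03 03 00 20 followed by 32 body bytes,
        // split so that the header itself straddles the two buffers.
        byte[] first = {0x17, 0x03, 0x03};
        byte[] second = new byte[2 + 32];
        second[0] = 0x00;
        second[1] = 0x20;
        ByteBuffer[] split = {ByteBuffer.wrap(first), ByteBuffer.wrap(second)};
        System.out.println("record length: " + getEncryptedPacketLength(split, 0));
        System.out.println("positions unchanged: " + split[0].position() + ", " + split[1].position());

        // Plaintext on a TLS port is not a record.
        ByteBuffer[] http = {ByteBuffer.wrap("GET / HTTP/1.1\r\n".getBytes(StandardCharsets.US_ASCII))};
        System.out.println("plaintext: " + getEncryptedPacketLength(http, 0));

        // Too little data to decide.
        ByteBuffer[] shortInput = {ByteBuffer.wrap(new byte[] {0x17, 0x03, 0x03, 0x00})};
        try {
            getEncryptedPacketLength(shortInput, 0);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The length ceiling is the practical safety check: a caller that sizes a destination buffer from an unbounded Length field is trusting a value the peer controls, so the record parser should reject lengths the protocol itself forbids before any allocation happens.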
getEncryptedPacketLength
private static int getEncryptedPacketLength(java.nio.ByteBuffer buffer)

unsignedByte
private static short unsignedByte(byte b)

unsignedShort
private static int unsignedShort(short s)

concat
static java.lang.String[] concat(java.lang.String[]... arrays)