Package org.conscrypt

Class SSLUtils

java.lang.Object
org.conscrypt.SSLUtils

final class SSLUtils extends Object
Utility methods for SSL packet processing. Copied from the Netty project.

This is a public class to allow testing to occur on Android via CTS.

  • Field Details

    • USE_ENGINE_SOCKET_BY_DEFAULT

      static final boolean USE_ENGINE_SOCKET_BY_DEFAULT
    • MAX_PROTOCOL_LENGTH

      private static final int MAX_PROTOCOL_LENGTH
      See Also:
    • US_ASCII

      private static final Charset US_ASCII
    • MAX_ENCRYPTION_OVERHEAD_LENGTH

      private static final int MAX_ENCRYPTION_OVERHEAD_LENGTH
      This is the maximum overhead when encrypting plaintext as defined by rfc5264, rfc5289, and the BoringSSL implementation itself. Please note that we use a padding of 16 here as BoringSSL uses PKCS#5 which uses 16 bytes while the spec itself allow up to 255 bytes. 16 bytes is the max for PKCS#5 (which handles it the same way as PKCS#7) as we use a block size of 16. See rfc5652#section-6.3. 16 (IV) + 48 (MAC) + 1 (Padding_length field) + 15 (Padding) + 1 (ContentType in TLSCiphertext) + 2 (ProtocolVersion) + 2 (Length) + 1 (ContentType in TLSInnerPlaintext)
      See Also:
    • MAX_ENCRYPTION_OVERHEAD_DIFF

      private static final int MAX_ENCRYPTION_OVERHEAD_DIFF
      See Also:
    • KEY_TYPE_RSA

      private static final String KEY_TYPE_RSA
      Key type: RSA certificate.
      See Also:
    • KEY_TYPE_EC

      private static final String KEY_TYPE_EC
      Key type: Elliptic Curve certificate.
      See Also:
  • Constructor Details

    • SSLUtils

      private SSLUtils()
  • Method Details

    • decodeX509CertificateChain

      static X509Certificate[] decodeX509CertificateChain(byte[][] certChain) throws CertificateException
      Throws:
      CertificateException
    • getCertificateFactory

      private static CertificateFactory getCertificateFactory()
    • decodeX509Certificate

      private static X509Certificate decodeX509Certificate(CertificateFactory certificateFactory, byte[] bytes) throws CertificateException
      Throws:
      CertificateException
    • getServerX509KeyType

      static String getServerX509KeyType(long sslCipherNative)
      Returns key type constant suitable for calling X509KeyManager.chooseServerAlias or X509ExtendedKeyManager.chooseEngineServerAlias. Returns null for key exchanges that do not use X.509 for server authentication.
    • getClientKeyType

      static String getClientKeyType(byte clientCertificateType)
      Similar to getServerKeyType, but returns value given TLS ClientCertificateType byte values from a CertificateRequest message for use with X509KeyManager.chooseClientAlias or X509ExtendedKeyManager.chooseEngineClientAlias.

      Visible for testing.

    • getClientKeyTypeFromSignatureAlg

      static String getClientKeyTypeFromSignatureAlg(int signatureAlg)
    • getSupportedClientKeyTypes

      static Set<String> getSupportedClientKeyTypes(byte[] clientCertificateTypes, int[] signatureAlgs)
      Gets the supported key types for client certificates based on the ClientCertificateType values provided by the server.
      Parameters:
      clientCertificateTypes - ClientCertificateType values provided by the server. See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-2.
      signatureAlgs - SignatureScheme values provided by the server. See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml#tls-signaturescheme
      Returns:
      supported key types that can be used in X509KeyManager.chooseClientAlias and X509ExtendedKeyManager.chooseEngineClientAlias. If the inputs imply a preference order, the returned set will have an iteration order that respects that preference order, otherwise it will be in an arbitrary order. Visible for testing.
    • encodeSubjectX509Principals

      static byte[][] encodeSubjectX509Principals(X509Certificate[] certificates) throws CertificateEncodingException
      Throws:
      CertificateEncodingException
    • toCertificateChain

      static X509Certificate[] toCertificateChain(X509Certificate[] certificates) throws SSLPeerUnverifiedException
      Converts the peer certificates into a cert chain.
      Throws:
      SSLPeerUnverifiedException
    • calculateOutNetBufSize

      static int calculateOutNetBufSize(int pendingBytes)
      Calculates the minimum bytes required in the encrypted output buffer for the given number of plaintext source bytes.
    • toSSLHandshakeException

      static SSLHandshakeException toSSLHandshakeException(Throwable e)
      Wraps the given exception if it's not already a SSLHandshakeException.
    • toSSLException

      static SSLException toSSLException(Throwable e)
      Wraps the given exception if it's not already a SSLException.
    • toProtocolString

      static String toProtocolString(byte[] bytes)
    • toProtocolBytes

      static byte[] toProtocolBytes(String protocol)
    • decodeProtocols

      static String[] decodeProtocols(byte[] protocols)
      Decodes the given list of protocols into Strings.
      Parameters:
      protocols - the encoded protocol list
      Returns:
      the decoded protocols or EmptyArray.BYTE if protocols is empty.
      Throws:
      NullPointerException - if protocols is null.
    • encodeProtocols

      static byte[] encodeProtocols(String[] protocols)
      Encodes a list of protocols into the wire-format (length-prefixed 8-bit strings). Requires that all strings be encoded with US-ASCII.
      Parameters:
      protocols - the list of protocols to be encoded
      Returns:
      the encoded form of the protocol list.
      Throws:
      IllegalArgumentException - if protocols is null, or if any element is null or an empty string.
    • getEncryptedPacketLength

      static int getEncryptedPacketLength(ByteBuffer[] buffers, int offset)
      Return how much bytes can be read out of the encrypted data. Be aware that this method will not increase the readerIndex of the given ByteBuffer.
      Parameters:
      buffers - The ByteBuffers to read from. Be aware that they must have at least NativeConstants.SSL3_RT_HEADER_LENGTH bytes to read, otherwise it will throw an IllegalArgumentException.
      Returns:
      length The length of the encrypted packet that is included in the buffer. This will return -1 if the given ByteBuffer is not encrypted at all.
      Throws:
      IllegalArgumentException - Is thrown if the given ByteBuffer has not at least NativeConstants.SSL3_RT_HEADER_LENGTH bytes to read.
    • getEncryptedPacketLength

      private static int getEncryptedPacketLength(ByteBuffer buffer)
    • unsignedByte

      private static short unsignedByte(byte b)
    • unsignedShort

      private static int unsignedShort(short s)
    • concat

      static String[] concat(String[]... arrays)