| /* |
| * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. Oracle designates this |
| * particular file as subject to the "Classpath" exception as provided |
| * by Oracle in the LICENSE file that accompanied this code. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| package javax.net.ssl; |
| |
| import java.security.AlgorithmConstraints; |
| import java.util.Map; |
| import java.util.List; |
| import java.util.HashMap; |
| import java.util.ArrayList; |
| import java.util.Collection; |
| import java.util.Collections; |
| import java.util.LinkedHashMap; |
| |
| /** |
| * Encapsulates parameters for an SSL/TLS/DTLS connection. The parameters |
| * are the list of ciphersuites to be accepted in an SSL/TLS/DTLS handshake, |
| * the list of protocols to be allowed, the endpoint identification |
| * algorithm during SSL/TLS/DTLS handshaking, the Server Name Indication (SNI), |
| * the maximum network packet size, the algorithm constraints and whether |
| * SSL/TLS/DTLS servers should request or require client authentication, etc. |
| * <p> |
| * SSLParameters can be created via the constructors in this class. |
| * Objects can also be obtained using the {@code getSSLParameters()} |
| * methods in |
| * {@link SSLSocket#getSSLParameters SSLSocket} and |
| * {@link SSLServerSocket#getSSLParameters SSLServerSocket} and |
| * {@link SSLEngine#getSSLParameters SSLEngine} or the |
| * {@link SSLContext#getDefaultSSLParameters getDefaultSSLParameters()} and |
| * {@link SSLContext#getSupportedSSLParameters getSupportedSSLParameters()} |
| * methods in {@code SSLContext}. |
| * <p> |
| * SSLParameters can be applied to a connection via the methods |
| * {@link SSLSocket#setSSLParameters SSLSocket.setSSLParameters()} and |
| * {@link SSLServerSocket#setSSLParameters SSLServerSocket.setSSLParameters()} |
| * and {@link SSLEngine#setSSLParameters SSLEngine.setSSLParameters()}. |
| * <p> |
| * For example: |
| * |
| * <blockquote><pre> |
| * SSLParameters p = sslSocket.getSSLParameters(); |
| * p.setProtocols(new String[] { "TLSv1.2" }); |
| * p.setCipherSuites( |
| * new String[] { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", ... }); |
| * p.setApplicationProtocols(new String[] {"h2", "http/1.1"}); |
| * sslSocket.setSSLParameters(p); |
| * </pre></blockquote> |
| * |
| * @see SSLSocket |
| * @see SSLEngine |
| * @see SSLContext |
| * |
| * @since 1.6 |
| */ |
| public class SSLParameters { |
| |
| private String[] cipherSuites; |
| private String[] protocols; |
| private boolean wantClientAuth; |
| private boolean needClientAuth; |
| private String identificationAlgorithm; |
| private AlgorithmConstraints algorithmConstraints; |
| private Map<Integer, SNIServerName> sniNames = null; |
| private Map<Integer, SNIMatcher> sniMatchers = null; |
| private boolean preferLocalCipherSuites; |
| private boolean enableRetransmissions = true; |
| private int maximumPacketSize = 0; |
| private String[] applicationProtocols = new String[0]; |
| |
| /** |
| * Constructs SSLParameters. |
| * <p> |
| * The values of cipherSuites, protocols, cryptographic algorithm |
| * constraints, endpoint identification algorithm, server names and |
| * server name matchers are set to {@code null}; useCipherSuitesOrder, |
| * wantClientAuth and needClientAuth are set to {@code false}; |
| * enableRetransmissions is set to {@code true}; maximum network packet |
| * size is set to {@code 0}. |
| */ |
| public SSLParameters() { |
| // empty |
| } |
| |
| /** |
| * Constructs SSLParameters from the specified array of ciphersuites. |
| * <p> |
| * Calling this constructor is equivalent to calling the no-args |
| * constructor followed by |
| * {@code setCipherSuites(cipherSuites);}. Note that the |
| * standard list of cipher suite names may be found in the <a href= |
| * "{@docRoot}/../specs/security/standard-names.html#jsse-cipher-suite-names"> |
| * JSSE Cipher Suite Names</a> section of the Java Cryptography |
| * Architecture Standard Algorithm Name Documentation. Providers |
| * may support cipher suite names not found in this list. |
| * |
| * @param cipherSuites the array of ciphersuites (or null) |
| */ |
| public SSLParameters(String[] cipherSuites) { |
| setCipherSuites(cipherSuites); |
| } |
| |
| /** |
| * Constructs SSLParameters from the specified array of ciphersuites |
| * and protocols. |
| * <p> |
| * Calling this constructor is equivalent to calling the no-args |
| * constructor followed by |
| * {@code setCipherSuites(cipherSuites); setProtocols(protocols);}. |
| * Note that the standard list of cipher suite names may be found in the |
| * <a href= |
| * "{@docRoot}/../specs/security/standard-names.html#jsse-cipher-suite-names"> |
| * JSSE Cipher Suite Names</a> section of the Java Cryptography |
| * Architecture Standard Algorithm Name Documentation. Providers |
| * may support cipher suite names not found in this list. |
| * |
| * @param cipherSuites the array of ciphersuites (or null) |
| * @param protocols the array of protocols (or null) |
| */ |
| public SSLParameters(String[] cipherSuites, String[] protocols) { |
| setCipherSuites(cipherSuites); |
| setProtocols(protocols); |
| } |
| |
| private static String[] clone(String[] s) { |
| return (s == null) ? null : s.clone(); |
| } |
| |
| /** |
| * Returns a copy of the array of ciphersuites or null if none |
| * have been set. |
| * <P> |
| * The returned array includes cipher suites from the list of standard |
| * cipher suite names in the <a href= |
| * "{@docRoot}/../specs/security/standard-names.html#jsse-cipher-suite-names"> |
| * JSSE Cipher Suite Names</a> section of the Java Cryptography |
| * Architecture Standard Algorithm Name Documentation, and may also |
| * include other cipher suites that the provider supports. |
| * |
| * @return a copy of the array of ciphersuites or null if none |
| * have been set. |
| */ |
| public String[] getCipherSuites() { |
| return clone(cipherSuites); |
| } |
| |
| /** |
| * Sets the array of ciphersuites. |
| * |
| * @param cipherSuites the array of ciphersuites (or null). Note that the |
| * standard list of cipher suite names may be found in the <a href= |
| * "{@docRoot}/../specs/security/standard-names.html#jsse-cipher-suite-names"> |
| * JSSE Cipher Suite Names</a> section of the Java Cryptography |
| * Architecture Standard Algorithm Name Documentation. Providers |
| * may support cipher suite names not found in this list or might not |
| * use the recommended name for a certain cipher suite. |
| */ |
| public void setCipherSuites(String[] cipherSuites) { |
| this.cipherSuites = clone(cipherSuites); |
| } |
| |
| /** |
| * Returns a copy of the array of protocols or null if none |
| * have been set. |
| * |
| * @return a copy of the array of protocols or null if none |
| * have been set. |
| */ |
| public String[] getProtocols() { |
| return clone(protocols); |
| } |
| |
| /** |
| * Sets the array of protocols. |
| * |
| * @param protocols the array of protocols (or null) |
| */ |
| public void setProtocols(String[] protocols) { |
| this.protocols = clone(protocols); |
| } |
| |
| /** |
| * Returns whether client authentication should be requested. |
| * |
| * @return whether client authentication should be requested. |
| */ |
| public boolean getWantClientAuth() { |
| return wantClientAuth; |
| } |
| |
| /** |
| * Sets whether client authentication should be requested. Calling |
| * this method clears the {@code needClientAuth} flag. |
| * |
| * @param wantClientAuth whether client authentication should be requested |
| */ |
| public void setWantClientAuth(boolean wantClientAuth) { |
| this.wantClientAuth = wantClientAuth; |
| this.needClientAuth = false; |
| } |
| |
| /** |
| * Returns whether client authentication should be required. |
| * |
| * @return whether client authentication should be required. |
| */ |
| public boolean getNeedClientAuth() { |
| return needClientAuth; |
| } |
| |
| /** |
| * Sets whether client authentication should be required. Calling |
| * this method clears the {@code wantClientAuth} flag. |
| * |
| * @param needClientAuth whether client authentication should be required |
| */ |
| public void setNeedClientAuth(boolean needClientAuth) { |
| this.wantClientAuth = false; |
| this.needClientAuth = needClientAuth; |
| } |
| |
| /** |
| * Returns the cryptographic algorithm constraints. |
| * |
| * @return the cryptographic algorithm constraints, or null if the |
| * constraints have not been set |
| * |
| * @see #setAlgorithmConstraints(AlgorithmConstraints) |
| * |
| * @since 1.7 |
| */ |
| public AlgorithmConstraints getAlgorithmConstraints() { |
| return algorithmConstraints; |
| } |
| |
| /** |
| * Sets the cryptographic algorithm constraints, which will be used |
| * in addition to any configured by the runtime environment. |
| * <p> |
| * If the {@code constraints} parameter is non-null, every |
| * cryptographic algorithm, key and algorithm parameters used in the |
| * SSL/TLS/DTLS handshake must be permitted by the constraints. |
| * |
| * @param constraints the algorithm constraints (or null) |
| * |
| * @since 1.7 |
| */ |
| public void setAlgorithmConstraints(AlgorithmConstraints constraints) { |
| // the constraints object is immutable |
| this.algorithmConstraints = constraints; |
| } |
| |
| /** |
| * Gets the endpoint identification algorithm. |
| * |
| * @return the endpoint identification algorithm, or null if none |
| * has been set. |
| * |
| * @see X509ExtendedTrustManager |
| * @see #setEndpointIdentificationAlgorithm(String) |
| * |
| * @since 1.7 |
| */ |
| public String getEndpointIdentificationAlgorithm() { |
| return identificationAlgorithm; |
| } |
| |
| /** |
| * Sets the endpoint identification algorithm. |
| * <p> |
| * If the {@code algorithm} parameter is non-null or non-empty, the |
| * endpoint identification/verification procedures must be handled during |
| * SSL/TLS/DTLS handshaking. This is to prevent man-in-the-middle attacks. |
| * |
| * @param algorithm The standard string name of the endpoint |
| * identification algorithm (or null). |
| * See the <a href= |
| * "{@docRoot}/../specs/security/standard-names.html"> |
| * Java Security Standard Algorithm Names</a> document |
| * for information about standard algorithm names. |
| * |
| * @see X509ExtendedTrustManager |
| * |
| * @since 1.7 |
| */ |
| public void setEndpointIdentificationAlgorithm(String algorithm) { |
| this.identificationAlgorithm = algorithm; |
| } |
| |
| /** |
| * Sets the desired {@link SNIServerName}s of the Server Name |
| * Indication (SNI) parameter. |
| * <P> |
| * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s |
| * operating in client mode. |
| * <P> |
| * Note that the {@code serverNames} list is cloned |
| * to protect against subsequent modification. |
| * |
| * @param serverNames |
| * the list of desired {@link SNIServerName}s (or null) |
| * |
| * @throws NullPointerException if the {@code serverNames} |
| * contains {@code null} element |
| * @throws IllegalArgumentException if the {@code serverNames} |
| * contains more than one name of the same name type |
| * |
| * @see SNIServerName |
| * @see #getServerNames() |
| * |
| * @since 1.8 |
| */ |
| public final void setServerNames(List<SNIServerName> serverNames) { |
| if (serverNames != null) { |
| if (!serverNames.isEmpty()) { |
| sniNames = new LinkedHashMap<>(serverNames.size()); |
| for (SNIServerName serverName : serverNames) { |
| if (sniNames.put(serverName.getType(), |
| serverName) != null) { |
| throw new IllegalArgumentException( |
| "Duplicated server name of type " + |
| serverName.getType()); |
| } |
| } |
| } else { |
| sniNames = Collections.<Integer, SNIServerName>emptyMap(); |
| } |
| } else { |
| sniNames = null; |
| } |
| } |
| |
| /** |
| * Returns a {@link List} containing all {@link SNIServerName}s of the |
| * Server Name Indication (SNI) parameter, or null if none has been set. |
| * <P> |
| * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s |
| * operating in client mode. |
| * <P> |
| * For SSL/TLS/DTLS connections, the underlying SSL/TLS/DTLS provider |
| * may specify a default value for a certain server name type. In |
| * client mode, it is recommended that, by default, providers should |
| * include the server name indication whenever the server can be located |
| * by a supported server name type. |
| * <P> |
| * It is recommended that providers initialize default Server Name |
| * Indications when creating {@code SSLSocket}/{@code SSLEngine}s. |
| * In the following examples, the server name could be represented by an |
| * instance of {@link SNIHostName} which has been initialized with the |
| * hostname "www.example.com" and type |
| * {@link StandardConstants#SNI_HOST_NAME}. |
| * |
| * <pre> |
| * Socket socket = |
| * sslSocketFactory.createSocket("www.example.com", 443); |
| * </pre> |
| * or |
| * <pre> |
| * SSLEngine engine = |
| * sslContext.createSSLEngine("www.example.com", 443); |
| * </pre> |
| * |
| * @return null or an immutable list of non-null {@link SNIServerName}s |
| * |
| * @see List |
| * @see #setServerNames(List) |
| * |
| * @since 1.8 |
| */ |
| public final List<SNIServerName> getServerNames() { |
| if (sniNames != null) { |
| if (!sniNames.isEmpty()) { |
| return Collections.<SNIServerName>unmodifiableList( |
| new ArrayList<>(sniNames.values())); |
| } else { |
| return Collections.<SNIServerName>emptyList(); |
| } |
| } |
| |
| return null; |
| } |
| |
| /** |
| * Sets the {@link SNIMatcher}s of the Server Name Indication (SNI) |
| * parameter. |
| * <P> |
| * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s |
| * operating in server mode. |
| * <P> |
| * Note that the {@code matchers} collection is cloned to protect |
| * against subsequent modification. |
| * |
| * @param matchers |
| * the collection of {@link SNIMatcher}s (or null) |
| * |
| * @throws NullPointerException if the {@code matchers} |
| * contains {@code null} element |
| * @throws IllegalArgumentException if the {@code matchers} |
| * contains more than one name of the same name type |
| * |
| * @see Collection |
| * @see SNIMatcher |
| * @see #getSNIMatchers() |
| * |
| * @since 1.8 |
| */ |
| public final void setSNIMatchers(Collection<SNIMatcher> matchers) { |
| if (matchers != null) { |
| if (!matchers.isEmpty()) { |
| sniMatchers = new HashMap<>(matchers.size()); |
| for (SNIMatcher matcher : matchers) { |
| if (sniMatchers.put(matcher.getType(), |
| matcher) != null) { |
| throw new IllegalArgumentException( |
| "Duplicated server name of type " + |
| matcher.getType()); |
| } |
| } |
| } else { |
| sniMatchers = Collections.<Integer, SNIMatcher>emptyMap(); |
| } |
| } else { |
| sniMatchers = null; |
| } |
| } |
| |
| /** |
| * Returns a {@link Collection} containing all {@link SNIMatcher}s of the |
| * Server Name Indication (SNI) parameter, or null if none has been set. |
| * <P> |
| * This method is only useful to {@link SSLSocket}s or {@link SSLEngine}s |
| * operating in server mode. |
| * <P> |
| * For better interoperability, providers generally will not define |
| * default matchers so that by default servers will ignore the SNI |
| * extension and continue the handshake. |
| * |
| * @return null or an immutable collection of non-null {@link SNIMatcher}s |
| * |
| * @see SNIMatcher |
| * @see #setSNIMatchers(Collection) |
| * |
| * @since 1.8 |
| */ |
| public final Collection<SNIMatcher> getSNIMatchers() { |
| if (sniMatchers != null) { |
| if (!sniMatchers.isEmpty()) { |
| return Collections.<SNIMatcher>unmodifiableList( |
| new ArrayList<>(sniMatchers.values())); |
| } else { |
| return Collections.<SNIMatcher>emptyList(); |
| } |
| } |
| |
| return null; |
| } |
| |
| /** |
| * Sets whether the local cipher suites preference should be honored. |
| * |
| * @param honorOrder whether local cipher suites order in |
| * {@code #getCipherSuites} should be honored during |
| * SSL/TLS/DTLS handshaking. |
| * |
| * @see #getUseCipherSuitesOrder() |
| * |
| * @since 1.8 |
| */ |
| public final void setUseCipherSuitesOrder(boolean honorOrder) { |
| this.preferLocalCipherSuites = honorOrder; |
| } |
| |
| /** |
| * Returns whether the local cipher suites preference should be honored. |
| * |
| * @return whether local cipher suites order in {@code #getCipherSuites} |
| * should be honored during SSL/TLS/DTLS handshaking. |
| * |
| * @see #setUseCipherSuitesOrder(boolean) |
| * |
| * @since 1.8 |
| */ |
| public final boolean getUseCipherSuitesOrder() { |
| return preferLocalCipherSuites; |
| } |
| |
| /** |
| * Sets whether DTLS handshake retransmissions should be enabled. |
| * |
| * This method only applies to DTLS. |
| * |
| * @param enableRetransmissions |
| * {@code true} indicates that DTLS handshake retransmissions |
| * should be enabled; {@code false} indicates that DTLS handshake |
| * retransmissions should be disabled |
| * |
| * @see #getEnableRetransmissions() |
| * |
| * @since 9 |
| */ |
| public void setEnableRetransmissions(boolean enableRetransmissions) { |
| this.enableRetransmissions = enableRetransmissions; |
| } |
| |
| /** |
| * Returns whether DTLS handshake retransmissions should be enabled. |
| * |
| * This method only applies to DTLS. |
| * |
| * @return true, if DTLS handshake retransmissions should be enabled |
| * |
| * @see #setEnableRetransmissions(boolean) |
| * |
| * @since 9 |
| */ |
| public boolean getEnableRetransmissions() { |
| return enableRetransmissions; |
| } |
| |
| /** |
| * Sets the maximum expected network packet size in bytes for |
| * SSL/TLS/DTLS records. |
| * |
| * @apiNote It is recommended that if possible, the maximum packet size |
| * should not be less than 256 bytes so that small handshake |
| * messages, such as HelloVerifyRequests, are not fragmented. |
| * |
| * @implNote If the maximum packet size is too small to hold a minimal |
| * record, an implementation may attempt to generate as minimal |
| * records as possible. However, this may cause a generated |
| * packet to be larger than the maximum packet size. |
| * |
| * @param maximumPacketSize |
| * the maximum expected network packet size in bytes, or |
| * {@code 0} to use the implicit size that is automatically |
| * specified by the underlying implementation. |
| * @throws IllegalArgumentException |
| * if {@code maximumPacketSize} is negative. |
| * |
| * @see #getMaximumPacketSize() |
| * |
| * @since 9 |
| */ |
| public void setMaximumPacketSize(int maximumPacketSize) { |
| if (maximumPacketSize < 0) { |
| throw new IllegalArgumentException( |
| "The maximum packet size cannot be negative"); |
| } |
| |
| this.maximumPacketSize = maximumPacketSize; |
| } |
| |
| /** |
| * Returns the maximum expected network packet size in bytes for |
| * SSL/TLS/DTLS records. |
| * |
| * @apiNote The implicit size may not be a fixed value, especially |
| * for a DTLS protocols implementation. |
| * |
| * @implNote For SSL/TLS/DTLS connections, the underlying provider |
| * should calculate and specify the implicit value of the |
| * maximum expected network packet size if it is not |
| * configured explicitly. For any connection populated |
| * object, this method should never return {@code 0} so |
| * that applications can retrieve the actual implicit size |
| * of the underlying implementation. |
| * <P> |
| * An implementation should attempt to comply with the maximum |
| * packet size configuration. However, if the maximum packet |
| * size is too small to hold a minimal record, an implementation |
| * may try to generate as minimal records as possible. This |
| * may cause a generated packet to be larger than the maximum |
| * packet size. |
| * |
| * @return the maximum expected network packet size, or {@code 0} if |
| * use the implicit size that is automatically specified by |
| * the underlying implementation and this object has not been |
| * populated by any connection. |
| * |
| * @see #setMaximumPacketSize(int) |
| * |
| * @since 9 |
| */ |
| public int getMaximumPacketSize() { |
| return maximumPacketSize; |
| } |
| |
| /** |
| * Returns a prioritized array of application-layer protocol names that |
| * can be negotiated over the SSL/TLS/DTLS protocols. |
| * <p> |
| * The array could be empty (zero-length), in which case protocol |
| * indications will not be used. |
| * <p> |
| * This method will return a new array each time it is invoked. |
| * |
| * @return a non-null, possibly zero-length array of application protocol |
| * {@code String}s. The array is ordered based on protocol |
| * preference, with {@code protocols[0]} being the most preferred. |
| * @see #setApplicationProtocols |
| * @since 9 |
| */ |
| public String[] getApplicationProtocols() { |
| return applicationProtocols.clone(); |
| } |
| |
| /** |
| * Sets the prioritized array of application-layer protocol names that |
| * can be negotiated over the SSL/TLS/DTLS protocols. |
| * <p> |
| * If application-layer protocols are supported by the underlying |
| * SSL/TLS implementation, this method configures which values can |
| * be negotiated by protocols such as <a |
| * href="http://www.ietf.org/rfc/rfc7301.txt"> RFC 7301 </a>, the |
| * Application Layer Protocol Negotiation (ALPN). |
| * <p> |
| * If this end of the connection is expected to offer application protocol |
| * values, all protocols configured by this method will be sent to the |
| * peer. |
| * <p> |
| * If this end of the connection is expected to select the application |
| * protocol value, the {@code protocols} configured by this method are |
| * compared with those sent by the peer. The first matched value becomes |
| * the negotiated value. If none of the {@code protocols} were actually |
| * requested by the peer, the underlying protocol will determine what |
| * action to take. (For example, ALPN will send a |
| * {@code "no_application_protocol"} alert and terminate the connection.) |
| * |
| * @implSpec |
| * This method will make a copy of the {@code protocols} array. |
| * |
| * @param protocols an ordered array of application protocols, |
| * with {@code protocols[0]} being the most preferred. |
| * If the array is empty (zero-length), protocol |
| * indications will not be used. |
| * @throws IllegalArgumentException if protocols is null, or if |
| * any element in a non-empty array is null or an |
| * empty (zero-length) string |
| * @see #getApplicationProtocols |
| * @since 9 |
| */ |
| public void setApplicationProtocols(String[] protocols) { |
| if (protocols == null) { |
| throw new IllegalArgumentException("protocols was null"); |
| } |
| |
| String[] tempProtocols = protocols.clone(); |
| |
| for (String p : tempProtocols) { |
| if (p == null || p.equals("")) { |
| throw new IllegalArgumentException( |
| "An element of protocols was null/empty"); |
| } |
| } |
| applicationProtocols = tempProtocols; |
| } |
| } |