/*
* Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package javax.net.ssl;
import java.io.IOException;
import java.net.*;
import java.util.Enumeration;
import java.util.Vector;
/**
* This class extends Socket
s and provides secure
* socket using protocols such as the "Secure
* Sockets Layer" (SSL) or IETF "Transport Layer Security" (TLS) protocols.
*
* Such sockets are normal stream sockets, but they * add a layer of security protections over the underlying network transport * protocol, such as TCP. Those protections include:
These kinds of protection are specified by a "cipher suite", which * is a combination of cryptographic algorithms used by a given SSL connection. * During the negotiation process, the two endpoints must agree on * a ciphersuite that is available in both environments. * If there is no such suite in common, no SSL connection can * be established, and no data can be exchanged. * *
The cipher suite used is established by a negotiation process * called "handshaking". The goal of this * process is to create or rejoin a "session", which may protect many * connections over time. After handshaking has completed, you can access * session attributes by using the getSession method. * The initial handshake on this connection can be initiated in * one of three ways:
startHandshake
which explicitly
* begins handshakes, or
* getSession
tries to set up a session
* if there is no currently valid session, and
* an implicit handshake is done.
* If handshaking fails for any reason, the SSLSocket
* is closed, and no futher communications can be done.
*
*
There are two groups of cipher suites which you will need to know * about when managing cipher suites:
Implementation defaults require that only cipher * suites which authenticate servers and provide confidentiality * be enabled by default. * Only if both sides explicitly agree to unauthenticated and/or * non-private (unencrypted) communications will such a ciphersuite be * selected. * *
When SSLSocket
s are first created, no handshaking
* is done so that applications may first set their communication
* preferences: what cipher suites to use, whether the socket should be
* in client or server mode, etc.
* However, security is always provided by the time that application data
* is sent over the connection.
*
*
You may register to receive event notification of handshake
* completion. This involves
* the use of two additional classes. HandshakeCompletedEvent
* objects are passed to HandshakeCompletedListener instances,
* which are registered by users of this API.
*
* SSLSocket
s are created by SSLSocketFactory
s,
* or by accept
ing a connection from a
* SSLServerSocket
.
*
*
A SSL socket must choose to operate in the client or server mode. * This will determine who begins the handshaking process, as well * as which messages should be sent by each party. Each * connection must have one client and one server, or handshaking * will not progress properly. Once the initial handshaking has started, a * socket can not switch between client and server modes, even when * performing renegotiations. * * @see java.net.Socket * @see SSLServerSocket * @see SSLSocketFactory * * @since 1.4 * @author David Brownell */ public abstract class SSLSocket extends Socket { /** * Used only by subclasses. * Constructs an uninitialized, unconnected TCP socket. */ protected SSLSocket() { super(); } /** * Used only by subclasses. * Constructs a TCP connection to a named host at a specified port. * This acts as the SSL client. *
* If there is a security manager, its checkConnect
* method is called with the host address and port
* as its arguments. This could result in a SecurityException.
*
* @param host name of the host with which to connect, or
* null
for the loopback address.
* @param port number of the server's port
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* checkConnect
method doesn't allow the operation.
* @throws UnknownHostException if the host is not known
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @see SecurityManager#checkConnect
*/
protected SSLSocket(String host, int port)
throws IOException, UnknownHostException
{ super(host, port); }
/**
* Used only by subclasses.
* Constructs a TCP connection to a server at a specified address
* and port. This acts as the SSL client.
*
* If there is a security manager, its checkConnect
* method is called with the host address and port
* as its arguments. This could result in a SecurityException.
*
* @param address the server's host
* @param port its port
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* checkConnect
method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter is outside the
* specified range of valid port values, which is between 0 and
* 65535, inclusive.
* @throws NullPointerException if address
is null.
* @see SecurityManager#checkConnect
*/
protected SSLSocket(InetAddress address, int port)
throws IOException
{ super(address, port); }
/**
* Used only by subclasses.
* Constructs an SSL connection to a named host at a specified port,
* binding the client side of the connection a given address and port.
* This acts as the SSL client.
*
* If there is a security manager, its checkConnect
* method is called with the host address and port
* as its arguments. This could result in a SecurityException.
*
* @param host name of the host with which to connect, or
* null
for the loopback address.
* @param port number of the server's port
* @param clientAddress the client's address the socket is bound to, or
* null
for the anyLocal
address.
* @param clientPort the client's port the socket is bound to, or
* zero
for a system selected free port.
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* checkConnect
method doesn't allow the operation.
* @throws UnknownHostException if the host is not known
* @throws IllegalArgumentException if the port parameter or clientPort
* parameter is outside the specified range of valid port values,
* which is between 0 and 65535, inclusive.
* @see SecurityManager#checkConnect
*/
protected SSLSocket(String host, int port,
InetAddress clientAddress, int clientPort)
throws IOException, UnknownHostException
{ super(host, port, clientAddress, clientPort); }
/**
* Used only by subclasses.
* Constructs an SSL connection to a server at a specified address
* and TCP port, binding the client side of the connection a given
* address and port. This acts as the SSL client.
*
* If there is a security manager, its checkConnect
* method is called with the host address and port
* as its arguments. This could result in a SecurityException.
*
* @param address the server's host
* @param port its port
* @param clientAddress the client's address the socket is bound to, or
* null
for the anyLocal
address.
* @param clientPort the client's port the socket is bound to, or
* zero
for a system selected free port.
* @throws IOException if an I/O error occurs when creating the socket
* @throws SecurityException if a security manager exists and its
* checkConnect
method doesn't allow the operation.
* @throws IllegalArgumentException if the port parameter or clientPort
* parameter is outside the specified range of valid port values,
* which is between 0 and 65535, inclusive.
* @throws NullPointerException if address
is null.
* @see SecurityManager#checkConnect
*/
protected SSLSocket(InetAddress address, int port,
InetAddress clientAddress, int clientPort)
throws IOException
{ super(address, port, clientAddress, clientPort); }
/**
* Returns the names of the cipher suites which could be enabled for use
* on this connection. Normally, only a subset of these will actually
* be enabled by default, since this list may include cipher suites which
* do not meet quality of service requirements for those defaults. Such
* cipher suites might be useful in specialized applications.
*
* @return an array of cipher suite names
* @see #getEnabledCipherSuites()
* @see #setEnabledCipherSuites(String [])
*/
public abstract String [] getSupportedCipherSuites();
/**
* Returns the names of the SSL cipher suites which are currently
* enabled for use on this connection. When an SSLSocket is first
* created, all enabled cipher suites support a minimum quality of
* service. Thus, in some environments this value might be empty.
*
* Even if a suite has been enabled, it might never be used. (For * example, the peer does not support it, the requisite certificates * (and private keys) for the suite are not available, or an * anonymous suite is enabled but authentication is required. * * @return an array of cipher suite names * @see #getSupportedCipherSuites() * @see #setEnabledCipherSuites(String []) */ public abstract String [] getEnabledCipherSuites(); /** * Sets the cipher suites enabled for use on this connection. *
* Each cipher suite in the suites
parameter must have
* been listed by getSupportedCipherSuites(), or the method will
* fail. Following a successful call to this method, only suites
* listed in the suites
parameter are enabled for use.
*
* See {@link #getEnabledCipherSuites()} for more information * on why a specific ciphersuite may never be used on a connection. * * @param suites Names of all the cipher suites to enable * @throws IllegalArgumentException when one or more of the ciphers * named by the parameter is not supported, or when the * parameter is null. * @see #getSupportedCipherSuites() * @see #getEnabledCipherSuites() */ public abstract void setEnabledCipherSuites(String suites []); /** * Returns the names of the protocols which could be enabled for use * on an SSL connection. * * @return an array of protocols supported */ public abstract String [] getSupportedProtocols(); /** * Returns the names of the protocol versions which are currently * enabled for use on this connection. * @see #setEnabledProtocols(String []) * @return an array of protocols */ public abstract String [] getEnabledProtocols(); /** * Sets the protocol versions enabled for use on this connection. *
* The protocols must have been listed by
* getSupportedProtocols()
as being supported.
* Following a successful call to this method, only protocols listed
* in the protocols
parameter are enabled for use.
*
* @param protocols Names of all the protocols to enable.
* @throws IllegalArgumentException when one or more of
* the protocols named by the parameter is not supported or
* when the protocols parameter is null.
* @see #getEnabledProtocols()
*/
public abstract void setEnabledProtocols(String protocols[]);
/**
* Returns the SSL Session in use by this connection. These can
* be long lived, and frequently correspond to an entire login session
* for some user. The session specifies a particular cipher suite
* which is being actively used by all connections in that session,
* as well as the identities of the session's client and server.
*
* This method will initiate the initial handshake if * necessary and then block until the handshake has been * established. *
* If an error occurs during the initial handshake, this method
* returns an invalid session object which reports an invalid
* cipher suite of "SSL_NULL_WITH_NULL_NULL".
*
* @return the SSLSession
*/
public abstract SSLSession getSession();
/**
* Returns the {@code SSLSession} being constructed during a SSL/TLS
* handshake.
*
* TLS protocols may negotiate parameters that are needed when using * an instance of this class, but before the {@code SSLSession} has * been completely initialized and made available via {@code getSession}. * For example, the list of valid signature algorithms may restrict * the type of certificates that can used during TrustManager * decisions, or the maximum TLS fragment packet sizes can be * resized to better support the network environment. *
* This method provides early access to the {@code SSLSession} being * constructed. Depending on how far the handshake has progressed, * some data may not yet be available for use. For example, if a * remote server will be sending a Certificate chain, but that chain * has yet not been processed, the {@code getPeerCertificates} * method of {@code SSLSession} will throw a * SSLPeerUnverifiedException. Once that chain has been processed, * {@code getPeerCertificates} will return the proper value. *
* Unlike {@link #getSession()}, this method does not initiate the * initial handshake and does not block until handshaking is * complete. * * @see SSLEngine * @see SSLSession * @see ExtendedSSLSession * @see X509ExtendedKeyManager * @see X509ExtendedTrustManager * * @return null if this instance is not currently handshaking, or * if the current handshake has not progressed far enough to * create a basic SSLSession. Otherwise, this method returns the * {@code SSLSession} currently being negotiated. * @throws UnsupportedOperationException if the underlying provider * does not implement the operation. * * @since 1.7 */ public SSLSession getHandshakeSession() { throw new UnsupportedOperationException(); } /** * Registers an event listener to receive notifications that an * SSL handshake has completed on this connection. * * @param listener the HandShake Completed event listener * @see #startHandshake() * @see #removeHandshakeCompletedListener(HandshakeCompletedListener) * @throws IllegalArgumentException if the argument is null. */ public abstract void addHandshakeCompletedListener( HandshakeCompletedListener listener); /** * Removes a previously registered handshake completion listener. * * @param listener the HandShake Completed event listener * @throws IllegalArgumentException if the listener is not registered, * or the argument is null. * @see #addHandshakeCompletedListener(HandshakeCompletedListener) */ public abstract void removeHandshakeCompletedListener( HandshakeCompletedListener listener); /** * Starts an SSL handshake on this connection. Common reasons include * a need to use new encryption keys, to change cipher suites, or to * initiate a new session. To force complete reauthentication, the * current session could be invalidated before starting this handshake. * *
If data has already been sent on the connection, it continues * to flow during this handshake. When the handshake completes, this * will be signaled with an event. * * This method is synchronous for the initial handshake on a connection * and returns when the negotiated handshake is complete. Some * protocols may not support multiple handshakes on an existing socket * and may throw an IOException. * * @throws IOException on a network level error * @see #addHandshakeCompletedListener(HandshakeCompletedListener) */ public abstract void startHandshake() throws IOException; /** * Configures the socket to use client (or server) mode when * handshaking. *
* This method must be called before any handshaking occurs. * Once handshaking has begun, the mode can not be reset for the * life of this socket. *
* Servers normally authenticate themselves, and clients * are not required to do so. * * @param mode true if the socket should start its handshaking * in "client" mode * @throws IllegalArgumentException if a mode change is attempted * after the initial handshake has begun. * @see #getUseClientMode() */ public abstract void setUseClientMode(boolean mode); /** * Returns true if the socket is set to use client mode when * handshaking. * * @return true if the socket should do handshaking * in "client" mode * @see #setUseClientMode(boolean) */ public abstract boolean getUseClientMode(); /** * Configures the socket to require client authentication. This * option is only useful for sockets in the server mode. *
* A socket's client authentication setting is one of the following: *
* Unlike {@link #setWantClientAuth(boolean)}, if this option is set and * the client chooses not to provide authentication information * about itself, the negotiations will stop and the connection * will be dropped. *
* Calling this method overrides any previous setting made by * this method or {@link #setWantClientAuth(boolean)}. * * @param need set to true if client authentication is required, * or false if no client authentication is desired. * @see #getNeedClientAuth() * @see #setWantClientAuth(boolean) * @see #getWantClientAuth() * @see #setUseClientMode(boolean) */ public abstract void setNeedClientAuth(boolean need); /** * Returns true if the socket will require client authentication. * This option is only useful to sockets in the server mode. * * @return true if client authentication is required, * or false if no client authentication is desired. * @see #setNeedClientAuth(boolean) * @see #setWantClientAuth(boolean) * @see #getWantClientAuth() * @see #setUseClientMode(boolean) */ public abstract boolean getNeedClientAuth(); /** * Configures the socket to request client authentication. * This option is only useful for sockets in the server mode. *
* A socket's client authentication setting is one of the following: *
* Unlike {@link #setNeedClientAuth(boolean)}, if this option is set and * the client chooses not to provide authentication information * about itself, the negotiations will continue. *
* Calling this method overrides any previous setting made by * this method or {@link #setNeedClientAuth(boolean)}. * * @param want set to true if client authentication is requested, * or false if no client authentication is desired. * @see #getWantClientAuth() * @see #setNeedClientAuth(boolean) * @see #getNeedClientAuth() * @see #setUseClientMode(boolean) */ public abstract void setWantClientAuth(boolean want); /** * Returns true if the socket will request client authentication. * This option is only useful for sockets in the server mode. * * @return true if client authentication is requested, * or false if no client authentication is desired. * @see #setNeedClientAuth(boolean) * @see #getNeedClientAuth() * @see #setWantClientAuth(boolean) * @see #setUseClientMode(boolean) */ public abstract boolean getWantClientAuth(); /** * Controls whether new SSL sessions may be established by this socket. * If session creations are not allowed, and there are no * existing sessions to resume, there will be no successful * handshaking. * * @param flag true indicates that sessions may be created; this * is the default. false indicates that an existing session * must be resumed * @see #getEnableSessionCreation() */ public abstract void setEnableSessionCreation(boolean flag); /** * Returns true if new SSL sessions may be established by this socket. * * @return true indicates that sessions may be created; this * is the default. false indicates that an existing session * must be resumed * @see #setEnableSessionCreation(boolean) */ public abstract boolean getEnableSessionCreation(); /** * Returns the SSLParameters in effect for this SSLSocket. * The ciphersuites and protocols of the returned SSLParameters * are always non-null. * * @return the SSLParameters in effect for this SSLSocket. * @since 1.6 */ public SSLParameters getSSLParameters() { SSLParameters params = new SSLParameters(); params.setCipherSuites(getEnabledCipherSuites()); params.setProtocols(getEnabledProtocols()); if (getNeedClientAuth()) { params.setNeedClientAuth(true); } else if (getWantClientAuth()) { params.setWantClientAuth(true); } return params; } /** * Applies SSLParameters to this socket. * *
This means: *
params.getCipherSuites()
is non-null,
* setEnabledCipherSuites()
is called with that value
* params.getProtocols()
is non-null,
* setEnabledProtocols()
is called with that value
* params.getNeedClientAuth()
or
* params.getWantClientAuth()
return true
,
* setNeedClientAuth(true)
and
* setWantClientAuth(true)
are called, respectively;
* otherwise setWantClientAuth(false)
is called.
*