2362N/A * Copyright (c) 2000, 2001, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * This class implements the LDAPv3 Extended Response for StartTLS as 0N/A * Access Protocol (v3): Extension for Transport Layer Security</a> 0N/A * The object identifier for StartTLS is 1.3.6.1.4.1.1466.20037 0N/A * and no extended response value is defined. 0N/A * The Start TLS extended request and response are used to establish 0N/A * a TLS connection over the existing LDAP connection associated with 0N/A * the JNDI context on which <tt>extendedOperation()</tt> is invoked. 0N/A * Typically, a JNDI program uses the StartTLS extended request and response 0N/A * classes as follows. 0N/A * import javax.naming.ldap.*; 0N/A * // Open an LDAP association 0N/A * LdapContext ctx = new InitialLdapContext(); 0N/A * // Perform a StartTLS extended operation 0N/A * StartTlsResponse tls = 0N/A * (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest()); 0N/A * // Open a TLS connection (over the existing LDAP association) and get details 0N/A * // of the negotiated TLS session: cipher suite, peer certificate, ... 0N/A * SSLSession session = tls.negotiate(); 0N/A * // ... use ctx to perform protected LDAP operations 0N/A * // Close the TLS connection (revert back to the underlying LDAP association) 0N/A * // ... use ctx to perform unprotected LDAP operations 0N/A * // Close the LDAP association 0N/A * </pre></blockquote> 0N/A * @see StartTlsRequest 0N/A * @author Vincent Ryan 0N/A * The StartTLS extended response's assigned object identifier 0N/A * is 1.3.6.1.4.1.1466.20037. 0N/A // Called by subclass 0N/A * Constructs a StartTLS extended response. 0N/A * A concrete subclass must have a public no-arg constructor. 0N/A // ExtendedResponse methods 0N/A * Retrieves the StartTLS response's object identifier string. 0N/A * @return The object identifier string, "1.3.6.1.4.1.1466.20037". 0N/A * Retrieves the StartTLS response's ASN.1 BER encoded value. 0N/A * Since the response has no defined value, null is always 0N/A * @return The null value. 0N/A // StartTls-specific methods 0N/A * Overrides the default list of cipher suites enabled for use on the 0N/A * TLS connection. The cipher suites must have already been listed by 0N/A * <tt>SSLSocketFactory.getSupportedCipherSuites()</tt> as being supported. 0N/A * Even if a suite has been enabled, it still might not be used because 0N/A * the peer does not support it, or because the requisite certificates 0N/A * (and private keys) are not available. 0N/A * @param suites The non-null list of names of all the cipher suites to 0N/A * Sets the hostname verifier used by <tt>negotiate()</tt> 0N/A * after the TLS handshake has completed and the default hostname 0N/A * verification has failed. 0N/A * <tt>setHostnameVerifier()</tt> must be called before 0N/A * <tt>negotiate()</tt> is invoked for it to have effect. 0N/A * <tt>negotiate()</tt>, this method does not do anything. 0N/A * @param verifier The non-null hostname verifier callback. 0N/A * Negotiates a TLS session using the default SSL socket factory. 0N/A * This method is equivalent to <tt>negotiate(null)</tt>. 0N/A * @return The negotiated SSL session 0N/A * @throws IOException If an IO error was encountered while establishing 0N/A * @see #setEnabledCipherSuites 0N/A * @see #setHostnameVerifier 0N/A * Negotiates a TLS session using an SSL socket factory. 0N/A * Creates an SSL socket using the supplied SSL socket factory and 0N/A * attaches it to the existing connection. Performs the TLS handshake 0N/A * and returns the negotiated session information. 0N/A * If cipher suites have been set via <tt>setEnabledCipherSuites</tt> 0N/A * then they are enabled before the TLS handshake begins. 0N/A * Hostname verification is performed after the TLS handshake completes. 0N/A * The default hostname verification performs a match of the server's 0N/A * hostname against the hostname information found in the server's certificate. 0N/A * If this verification fails and no callback has been set via 0N/A * <tt>setHostnameVerifier</tt> then the negotiation fails. 0N/A * If this verification fails and a callback has been set via 0N/A * <tt>setHostnameVerifier</tt>, then the callback is used to determine whether 0N/A * the negotiation succeeds. 0N/A * If an error occurs then the SSL socket is closed and an IOException 0N/A * is thrown. The underlying connection remains intact. 0N/A * @param factory The possibly null SSL socket factory to use. 0N/A * If null, the default SSL socket factory is used. 0N/A * @return The negotiated SSL session 0N/A * @throws IOException If an IO error was encountered while establishing 0N/A * @see #setEnabledCipherSuites 0N/A * @see #setHostnameVerifier 0N/A * Closes the TLS connection gracefully and reverts back to the underlying 0N/A * @throws IOException If an IO error was encountered while closing the