/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
private boolean isInitialized;
// The default algrithm constraints
new SSLAlgorithmConstraints(null);
// supported and default protocols
// supported and default cipher suites
SSLContextImpl() {
ephemeralKeyManager = new EphemeralKeyManager();
clientCache = new SSLSessionContextImpl();
serverCache = new SSLSessionContextImpl();
}
isInitialized = false;
try {
} catch (Exception e) {
// eat
}
}
} else {
throw new KeyManagementException
("FIPS mode: SecureRandom must be from provider "
}
secureRandom = sr;
}
/*
* The initial delay of seeding the random number generator
* could be long enough to cause the initial handshake on our
* first connection to timeout and fail. Make sure it is
* primed and ready by getting some initial output from it.
*/
}
}
isInitialized = true;
}
throws KeyManagementException {
// We only use the first instance of X509TrustManager passed to us.
if (tm[i] instanceof X509TrustManager) {
!(tm[i] instanceof X509TrustManagerImpl)) {
throw new KeyManagementException
("FIPS mode: only SunJSSE TrustManagers may be used");
}
if (tm[i] instanceof X509ExtendedTrustManager) {
return (X509TrustManager)tm[i];
} else {
return new AbstractTrustManagerWrapper(
(X509TrustManager)tm[i]);
}
}
}
// nothing found, return a dummy X509TrustManager.
return DummyX509TrustManager.INSTANCE;
}
throws KeyManagementException {
if (!(km instanceof X509KeyManager)) {
continue;
}
// In FIPS mode, require that one of SunJSSE's own keymanagers
// is used. Otherwise, we cannot be sure that only keys from
// the FIPS token are used.
if ((km instanceof X509KeyManagerImpl)
|| (km instanceof SunX509KeyManagerImpl)) {
return (X509ExtendedKeyManager)km;
} else {
// throw exception, we don't want to silently use the
// dummy keymanager without telling the user.
throw new KeyManagementException
("FIPS mode: only SunJSSE KeyManagers may be used");
}
}
if (km instanceof X509ExtendedKeyManager) {
return (X509ExtendedKeyManager)km;
}
"X509KeyManager passed to " +
"SSLContext.init(): need an " +
"X509ExtendedKeyManager for SSLEngine use");
}
}
// nothing found, return a dummy X509ExtendedKeyManager
return DummyX509KeyManager.INSTANCE;
}
if (!isInitialized) {
throw new IllegalStateException(
"SSLContextImpl is not initialized");
}
return new SSLSocketFactoryImpl(this);
}
if (!isInitialized) {
throw new IllegalStateException("SSLContext is not initialized");
}
return new SSLServerSocketFactoryImpl(this);
}
if (!isInitialized) {
throw new IllegalStateException(
"SSLContextImpl is not initialized");
}
return new SSLEngineImpl(this);
}
if (!isInitialized) {
throw new IllegalStateException(
"SSLContextImpl is not initialized");
}
}
return clientCache;
}
return serverCache;
}
return secureRandom;
}
return keyManager;
}
return trustManager;
}
return ephemeralKeyManager;
}
// Get suported ProtoclList.
if (supportedProtocolList == null) {
}
return supportedProtocolList;
}
// Get default ProtoclList.
if (roleIsServer) {
if (defaultServerProtocolList == null) {
}
return defaultServerProtocolList;
} else {
if (defaultClientProtocolList == null) {
}
return defaultClientProtocolList;
}
}
// Get suported CipherSuiteList.
// The maintenance of cipher suites needs to be synchronized.
synchronized (this) {
// Clear cache of available ciphersuites.
if (supportedCipherSuiteList == null) {
getSuportedProtocolList(), false);
}
return supportedCipherSuiteList;
}
}
// Get default CipherSuiteList.
// The maintenance of cipher suites needs to be synchronized.
synchronized (this) {
// Clear cache of available ciphersuites.
if (roleIsServer) {
if (defaultServerCipherSuiteList == null) {
getDefaultProtocolList(true), true);
}
return defaultServerCipherSuiteList;
} else {
if (defaultClientCipherSuiteList == null) {
getDefaultProtocolList(false), true);
}
return defaultClientCipherSuiteList;
}
}
}
/**
* Return whether a protocol list is the original default enabled
* protocols. See: SSLSocket/SSLEngine.setEnabledProtocols()
*/
return (protocols == defaultServerProtocolList) ||
}
/*
* Return the list of all available CipherSuites with a priority of
* minPriority or above.
*/
if (onlyEnabled) {
}
continue;
}
if (suite.isAvailable() &&
}
"Ignoring obsoleted cipher suite: " + suite);
"Ignoring unsupported cipher suite: " + suite);
} else {
"Ignoring unavailable cipher suite: " + suite);
}
}
}
}
return new CipherSuiteList(suites);
}
/**
* Clear cache of available ciphersuites. If we support all ciphers
* internally, there is no need to clear the cache and calling this
* method has no effect.
*
* Note that every call to clearAvailableCache() and the maintenance of
* cipher suites need to be synchronized with this instance.
*/
private void clearAvailableCache() {
if (CipherSuite.DYNAMIC_AVAILABILITY) {
}
}
/*
*
* vendors did not implement these aspects properly, and some current
*
* Considering above interoperability issues, SunJSSE will not set
* TLS 1.1 and TLS 1.2 as the enabled protocols for client by default.
*
* enabled protocols for server by default.
*
* forward compatibility properly.
*
* SSLv2Hello is no longer necessary. This interoperability option was
* and there were a fair number of SSLv2-only servers deployed. Because
* of the security issues in SSLv2, it is rarely (if ever) used, as
* deployments should now be using SSLv3 and TLSv1.
*
* Considering the issues of SSLv2Hello, we should not enable SSLv2Hello
* by default. Applications still can use it by enabling SSLv2Hello with
* the series of setEnabledProtocols APIs.
*/
/*
* The conservative SSLContext implementation for TLS, SSL, SSLv3 and
* TLS10 algorithm.
*
* This is a super class of DefaultSSLContext and TLS10Context.
*
* @see SSLContext
*/
// parameters
static {
supportedSSLParams = new SSLParameters();
});
defaultClientSSLParams = new SSLParameters();
});
} else {
supportedSSLParams = new SSLParameters();
});
defaultClientSSLParams = new SSLParameters();
});
}
}
return defaultServerSSLParams;
}
return defaultClientSSLParams;
}
return supportedSSLParams;
}
}
/*
* The SSLContext implementation for default algorithm
*
* @see SSLContext
*/
try {
super.engineInit(getDefaultKeyManager(),
} catch (Exception e) {
}
throw e;
}
if (defaultImpl == null) {
defaultImpl = this;
}
}
throw new KeyManagementException
("Default SSLContext is initialized automatically");
}
if (defaultImpl == null) {
new DefaultSSLContext();
}
return defaultImpl;
}
throws Exception {
if (defaultTrustManagers != null) {
return defaultTrustManagers;
}
return defaultTrustManagers;
}
throws Exception {
if (defaultKeyManagers != null) {
return defaultKeyManagers;
}
new PrivilegedExceptionAction<Object>() {
"javax.net.ssl.keyStore", ""));
"javax.net.ssl.keyStoreType",
KeyStore.getDefaultType()));
"javax.net.ssl.keyStoreProvider", ""));
"javax.net.ssl.keyStorePassword", ""));
return null;
}
});
}
throw new IllegalArgumentException("if keyStoreType is "
}
new PrivilegedExceptionAction<FileInputStream>() {
return new FileInputStream(defaultKeyStore);
}
});
}
}
/**
* Try to initialize key store.
*/
}
} else {
}
// if defaultKeyStore is NONE, fs will be null
}
}
/*
* Try to initialize key manager.
*/
}
} else {
}
return defaultKeyManagers;
}
}
/*
* The SSLContext implementation for TLS, SSL, SSLv3 and TLS10 algorithm
*
* @see SSLContext
*/
// use the default constructor and methods
}
/*
* The SSLContext implementation for TLS11 algorithm
*
* @see SSLContext
*/
// parameters
static {
supportedSSLParams = new SSLParameters();
});
defaultClientSSLParams = new SSLParameters();
});
} else {
supportedSSLParams = new SSLParameters();
});
defaultClientSSLParams = new SSLParameters();
});
}
}
return defaultServerSSLParams;
}
return defaultClientSSLParams;
}
return supportedSSLParams;
}
}
/*
* The SSLContext implementation for TLS12 algorithm
*
* @see SSLContext
*/
// parameters
static {
supportedSSLParams = new SSLParameters();
});
defaultClientSSLParams = new SSLParameters();
});
} else {
supportedSSLParams = new SSLParameters();
});
defaultClientSSLParams = new SSLParameters();
});
}
}
return defaultServerSSLParams;
}
return defaultClientSSLParams;
}
return supportedSSLParams;
}
}
}
implements X509TrustManager {
// the delegated trust manager
}
throws CertificateException {
}
throws CertificateException {
}
return tm.getAcceptedIssuers();
}
}
}
}
}
throw new CertificateException("No handshake session");
}
// check endpoint identity
}
// try the best to check the algorithm constraints
if (session instanceof ExtendedSSLSession) {
sslSocket, peerSupportedSignAlgs, true);
} else {
new SSLAlgorithmConstraints(sslSocket, true);
}
} else {
}
}
}
throw new CertificateException("No handshake session");
}
// check endpoint identity
}
// try the best to check the algorithm constraints
if (session instanceof ExtendedSSLSession) {
engine, peerSupportedSignAlgs, true);
} else {
new SSLAlgorithmConstraints(engine, true);
}
} else {
}
}
}
try {
// Does the certificate chain end with a trusted certificate?
}
}
// A forward checker, need to check from trust to target
if (checkedLength >= 0) {
for (int i = checkedLength; i >= 0; i--) {
// We don't care about the unresolved critical extensions.
}
}
} catch (CertPathValidatorException cpve) {
throw new CertificateException(
"Certificates does not conform to algorithm constraints");
}
}
}
// Dummy X509TrustManager implementation, rejects all peer certificates.
// Used if the application did not specify a proper X509TrustManager.
implements X509TrustManager {
private DummyX509TrustManager() {
// empty
}
/*
* Given the partial or complete certificate chain
* provided by the peer, build a certificate path
* to a trusted root and return if it can be
* validated and is trusted for client SSL authentication.
* If not, it throws an exception.
*/
throws CertificateException {
throw new CertificateException(
"No X509TrustManager implementation avaiable");
}
/*
* Given the partial or complete certificate chain
* provided by the peer, build a certificate path
* to a trusted root and return if it can be
* validated and is trusted for server SSL authentication.
* If not, it throws an exception.
*/
throws CertificateException {
throw new CertificateException(
"No X509TrustManager implementation available");
}
/*
* Return an array of issuer certificates which are trusted
* for authenticating peers.
*/
return new X509Certificate[0];
}
throw new CertificateException(
"No X509TrustManager implementation available");
}
throw new CertificateException(
"No X509TrustManager implementation available");
}
throw new CertificateException(
"No X509TrustManager implementation available");
}
throw new CertificateException(
"No X509TrustManager implementation available");
}
}
/*
* A wrapper class to turn a X509KeyManager into an X509ExtendedKeyManager
*/
}
}
}
}
}
}
}
// Inherit chooseEngineClientAlias() and chooseEngineServerAlias() from
// X509ExtendedKeymanager. It defines them to return null;
}
// Dummy X509KeyManager implementation, never returns any certificates/keys.
// Used if the application did not specify a proper X509TrustManager.
private DummyX509KeyManager() {
// empty
}
/*
* Get the matching aliases for authenticating the client side of a secure
* socket given the public key type and the list of
* certificate issuer authorities recognized by the peer (if any).
*/
return null;
}
/*
* Choose an alias to authenticate the client side of a secure
* socket given the public key type and the list of
* certificate issuer authorities recognized by the peer (if any).
*/
return null;
}
/*
* Choose an alias to authenticate the client side of an
* engine given the public key type and the list of
* certificate issuer authorities recognized by the peer (if any).
*/
return null;
}
/*
* Get the matching aliases for authenticating the server side of a secure
* socket given the public key type and the list of
* certificate issuer authorities recognized by the peer (if any).
*/
return null;
}
/*
* Choose an alias to authenticate the server side of a secure
* socket given the public key type and the list of
* certificate issuer authorities recognized by the peer (if any).
*/
return null;
}
/*
* Choose an alias to authenticate the server side of an engine
* given the public key type and the list of
* certificate issuer authorities recognized by the peer (if any).
*/
return null;
}
/**
* Returns the certificate chain associated with the given alias.
*
* @param alias the alias name
*
* @return the certificate chain (ordered with the user's certificate first
* and the root certificate authority last)
*/
return null;
}
/*
* Returns the key associated with the given alias, using the given
* password to recover it.
*
* @param alias the alias name
*
* @return the requested key
*/
return null;
}
}