1 /*
2 * Copyright 2014 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16
17 package io.netty.handler.ssl;
18
19 import java.security.Provider;
20 import javax.net.ssl.KeyManager;
21 import javax.net.ssl.KeyManagerFactory;
22 import javax.net.ssl.SSLContext;
23 import javax.net.ssl.SSLException;
24 import javax.net.ssl.SSLSessionContext;
25 import javax.net.ssl.TrustManager;
26 import javax.net.ssl.TrustManagerFactory;
27 import java.io.File;
28 import java.security.PrivateKey;
29 import java.security.cert.X509Certificate;
30
31 /**
32 * A client-side {@link SslContext} which uses JDK's SSL/TLS implementation.
33 *
34 * @deprecated Use {@link SslContextBuilder} to create {@link JdkSslContext} instances and only
35 * use {@link JdkSslContext} in your code.
36 */
37 @Deprecated
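public final class JdkSslClientContext extends JdkSslContext {

    /**
     * Creates a new instance that trusts the JDK default trust store and presents no client certificate.
     *
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext() throws SSLException {
        this(null, null);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile an X.509 certificate collection file in PEM format holding the CA certificates
     *                      that server certificates are verified against (it is a trust anchor collection,
     *                      not the client's own chain). {@code null} to use the system default trust store.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(File certChainFile) throws SSLException {
        this(certChainFile, null);
    }

    /**
     * Creates a new instance.
     *
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the JDK default trust store.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(TrustManagerFactory trustManagerFactory) throws SSLException {
        this(null, trustManagerFactory);
    }

    /**
     * Creates a new instance with the default cipher suites, no application protocol negotiation
     * and provider-default session cache settings.
     *
     * @param certChainFile an X.509 certificate collection file in PEM format holding the CA certificates
     *                      that server certificates are verified against.
     *                      {@code null} to use the system default trust store.
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default, or the result of parsing
     *                            {@code certChainFile} when that is given.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory) throws SSLException {
        this(certChainFile, trustManagerFactory, null, IdentityCipherSuiteFilter.INSTANCE,
             JdkDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile an X.509 certificate collection file in PEM format holding the CA certificates
     *                      that server certificates are verified against.
     *                      {@code null} to use the system default trust store.
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default, or the result of parsing
     *                            {@code certChainFile} when that is given.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param nextProtocols the application layer protocols to accept, in the order of preference.
     *                      {@code null} to disable the TLS NPN/ALPN extension.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(
            File certChainFile, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, Iterable<String> nextProtocols,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(certChainFile, trustManagerFactory, ciphers, IdentityCipherSuiteFilter.INSTANCE,
             toNegotiator(toApplicationProtocolConfig(nextProtocols), false), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile an X.509 certificate collection file in PEM format holding the CA certificates
     *                      that server certificates are verified against.
     *                      {@code null} to use the system default trust store.
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default, or the result of parsing
     *                            {@code certChainFile} when that is given.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Provides a means to configure parameters related to application protocol negotiation.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(
            File certChainFile, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(certChainFile, trustManagerFactory, ciphers, cipherFilter,
             toNegotiator(apn, false), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile an X.509 certificate collection file in PEM format holding the CA certificates
     *                      that server certificates are verified against.
     *                      {@code null} to use the system default trust store.
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default, or the result of parsing
     *                            {@code certChainFile} when that is given.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Application Protocol Negotiator object.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(
            File certChainFile, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, certChainFile, trustManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Trust-only constructor used by the public overloads above: no client identity is configured
     * (mutual authentication is disabled), so the key-manager arguments passed to
     * {@link #newSSLContext} are all {@code null}.
     *
     * @param provider the JSSE {@link Provider} to obtain the {@link SSLContext} from, or {@code null} for
     *                 the platform default.
     */
    JdkSslClientContext(Provider provider,
                        File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
                        Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
                        long sessionCacheSize, long sessionTimeout) throws SSLException {
        super(newSSLContext(provider, toX509CertificatesInternal(trustCertCollectionFile),
                            trustManagerFactory, null, null,
                            null, null, sessionCacheSize, sessionTimeout), true,
              ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
    }

    /**
     * Creates a new instance, optionally with a client certificate for mutual authentication.
     *
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
     *                                {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default or the results of parsing
     *                            {@code trustCertCollectionFile}
     * @param keyCertChainFile an X.509 certificate chain file in PEM format.
     *                         This provides the client certificate for mutual authentication.
     *                         {@code null} to fall back to {@code keyManagerFactory}, or to the JDK default
     *                         key manager when that is also {@code null}.
     * @param keyFile a PKCS#8 private key file in PEM format.
     *                This provides the private key for mutual authentication.
     *                {@code null} for no mutual authentication.
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     *                    Ignored if {@code keyFile} is {@code null}. Note that as a {@link String} it
     *                    cannot be zeroed after use.
     * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
     *                          that supply the client certificate and private key presented to servers
     *                          during mutual authentication (it plays no role in encrypting data).
     *                          {@code null} to use the default or the results of parsing
     *                          {@code keyCertChainFile} and {@code keyFile}.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Provides a means to configure parameters related to application protocol negotiation.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
                               File keyCertChainFile, File keyFile, String keyPassword,
                               KeyManagerFactory keyManagerFactory,
                               Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
                               long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(trustCertCollectionFile, trustManagerFactory, keyCertChainFile, keyFile, keyPassword, keyManagerFactory,
             ciphers, cipherFilter, toNegotiator(apn, false), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance, optionally with a client certificate for mutual authentication.
     *
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
     *                                {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default or the results of parsing
     *                            {@code trustCertCollectionFile}
     * @param keyCertChainFile an X.509 certificate chain file in PEM format.
     *                         This provides the client certificate for mutual authentication.
     *                         {@code null} to fall back to {@code keyManagerFactory}, or to the JDK default
     *                         key manager when that is also {@code null}.
     * @param keyFile a PKCS#8 private key file in PEM format.
     *                This provides the private key for mutual authentication.
     *                {@code null} for no mutual authentication.
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     *                    Ignored if {@code keyFile} is {@code null}. Note that as a {@link String} it
     *                    cannot be zeroed after use.
     * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
     *                          that supply the client certificate and private key presented to servers
     *                          during mutual authentication (it plays no role in encrypting data).
     *                          {@code null} to use the default or the results of parsing
     *                          {@code keyCertChainFile} and {@code keyFile}.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Application Protocol Negotiator object.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
                               File keyCertChainFile, File keyFile, String keyPassword,
                               KeyManagerFactory keyManagerFactory,
                               Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
                               JdkApplicationProtocolNegotiator apn,
                               long sessionCacheSize, long sessionTimeout) throws SSLException {
        super(newSSLContext(null, toX509CertificatesInternal(
                                    trustCertCollectionFile), trustManagerFactory,
                            toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
                            keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout), true,
              ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
    }

    /**
     * Constructor used by {@link SslContextBuilder}: takes already-parsed trust anchors and client identity
     * and an explicit list of TLS protocol versions to enable.
     *
     * @param sslContextProvider the JSSE {@link Provider} to obtain the {@link SSLContext} from, or
     *                           {@code null} for the platform default.
     * @param protocols the TLS protocol versions to enable, or {@code null} for the defaults chosen by
     *                  {@link JdkSslContext}.
     */
    JdkSslClientContext(Provider sslContextProvider,
                        X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
                        X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
                        KeyManagerFactory keyManagerFactory, Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
                        ApplicationProtocolConfig apn, String[] protocols, long sessionCacheSize, long sessionTimeout)
            throws SSLException {
        super(newSSLContext(sslContextProvider, trustCertCollection, trustManagerFactory,
                            keyCertChain, key, keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout),
              true, ciphers, cipherFilter, toNegotiator(apn, false), ClientAuth.NONE, protocols, false);
    }

    /**
     * Builds and initialises the underlying {@link SSLContext}.
     *
     * <p>Trust anchors given as {@code trustCertCollection} are folded into (and take precedence over)
     * {@code trustManagerFactory}; a {@code keyCertChain} plus {@code key} likewise become the client
     * identity in place of {@code keyManagerFactory}. When both a trust collection and a factory are
     * {@code null}, the JDK's default trust store is used; when no key material is given at all, the
     * JDK's default key manager is used and the client presents no certificate unless that default
     * provides one.
     *
     * <p>NOTE(review): this method only sets up trust and identity. Endpoint identification (hostname
     * verification) is not configured here — confirm it is enabled on the engine or its
     * {@code SSLParameters} by the caller.
     *
     * @param sslContextProvider the JSSE provider to use, or {@code null} for the platform default.
     * @param sessionCacheSize requested client session cache size; {@code <= 0} keeps the provider default.
     * @param sessionTimeout requested client session timeout in seconds; {@code <= 0} keeps the provider default.
     * @throws SSLException if the context cannot be initialised, or if a non-default session cache
     *                      size/timeout was requested but the provider exposes no client session context.
     */
    private static SSLContext newSSLContext(Provider sslContextProvider,
                                            X509Certificate[] trustCertCollection,
                                            TrustManagerFactory trustManagerFactory, X509Certificate[] keyCertChain,
                                            PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
                                            long sessionCacheSize, long sessionTimeout) throws SSLException {
        try {
            if (trustCertCollection != null) {
                trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
            }
            if (keyCertChain != null) {
                keyManagerFactory = buildKeyManagerFactory(keyCertChain, key, keyPassword, keyManagerFactory);
            }
            SSLContext ctx = sslContextProvider == null
                    ? SSLContext.getInstance(PROTOCOL)
                    : SSLContext.getInstance(PROTOCOL, sslContextProvider);
            // null KeyManager[]/TrustManager[] select the JDK defaults (javax.net.ssl.keyStore /
            // the default trust store); null SecureRandom selects the provider's default source.
            ctx.init(keyManagerFactory == null ? null : keyManagerFactory.getKeyManagers(),
                     trustManagerFactory == null ? null : trustManagerFactory.getTrustManagers(),
                     null);

            configureClientSessionContext(ctx.getClientSessionContext(), sessionCacheSize, sessionTimeout);
            return ctx;
        } catch (SSLException e) {
            throw e;
        } catch (Exception e) {
            throw new SSLException("failed to initialize the client-side SSL context", e);
        }
    }

    /**
     * Applies the requested session cache size and timeout to the client session context.
     *
     * <p>{@link SSLContext#getClientSessionContext()} is documented to return {@code null} where the
     * provider does not expose a client session context. Previously that surfaced as a wrapped
     * {@link NullPointerException}; now a non-default request against such a provider fails with a
     * clear {@link SSLException} rather than silently keeping the provider's own session lifetime.
     *
     * @param sessCtx the client session context, possibly {@code null}.
     * @param sessionCacheSize requested cache size; values {@code <= 0} leave the provider default.
     * @param sessionTimeout requested timeout in seconds; values {@code <= 0} leave the provider default.
     * @throws SSLException if a non-default value was requested but {@code sessCtx} is {@code null}.
     */
    private static void configureClientSessionContext(SSLSessionContext sessCtx,
                                                      long sessionCacheSize, long sessionTimeout)
            throws SSLException {
        if (sessionCacheSize <= 0 && sessionTimeout <= 0) {
            return; // caller wants the provider defaults; nothing to touch.
        }
        if (sessCtx == null) {
            throw new SSLException("session cache size/timeout requested but the SSL provider "
                                   + "exposes no client session context");
        }
        // The setters take an int; clamp rather than let a large long wrap negative.
        if (sessionCacheSize > 0) {
            sessCtx.setSessionCacheSize((int) Math.min(sessionCacheSize, Integer.MAX_VALUE));
        }
        if (sessionTimeout > 0) {
            sessCtx.setSessionTimeout((int) Math.min(sessionTimeout, Integer.MAX_VALUE));
        }
    }
}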