1 /*
2 * Copyright 2014 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16
17 package io.netty.handler.ssl;
18
19 import java.security.Provider;
20 import javax.net.ssl.KeyManager;
21
22 import javax.net.ssl.KeyManagerFactory;
23 import javax.net.ssl.SSLContext;
24 import javax.net.ssl.SSLException;
25 import javax.net.ssl.SSLSessionContext;
26 import javax.net.ssl.TrustManager;
27 import javax.net.ssl.TrustManagerFactory;
28 import java.io.File;
29 import java.security.PrivateKey;
30 import java.security.cert.X509Certificate;
31
32 /**
33 * A server-side {@link SslContext} which uses JDK's SSL/TLS implementation.
34 *
35 * @deprecated Use {@link SslContextBuilder} to create {@link JdkSslContext} instances and only
36 * use {@link JdkSslContext} in your code.
37 */
@Deprecated
public final class JdkSslServerContext extends JdkSslContext {

    /**
     * Creates a server context from an unencrypted PKCS#8 key and its certificate chain, with the default
     * cipher suites, the default application protocol negotiator and the default session cache settings.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format (not password-protected)
     * @throws SSLException if the key material cannot be loaded or the JDK {@link SSLContext} cannot be
     *         initialized
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslServerContext(File certChainFile, File keyFile) throws SSLException {
        this(certChainFile, keyFile, null);
    }

    /**
     * Creates a server context from a (possibly password-protected) PKCS#8 key and its certificate chain,
     * using {@link IdentityCipherSuiteFilter#INSTANCE}, {@link JdkDefaultApplicationProtocolNegotiator#INSTANCE}
     * and the JDK default session cache size and timeout.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of {@code keyFile}; {@code null} if it is not password-protected
     * @throws SSLException if the key material cannot be loaded or the JDK {@link SSLContext} cannot be
     *         initialized
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslServerContext(File certChainFile, File keyFile, String keyPassword) throws SSLException {
        // Go straight to the provider-aware constructor with the JDK default provider.
        this(null, certChainFile, keyFile, keyPassword, null, IdentityCipherSuiteFilter.INSTANCE,
             JdkDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0);
    }

    /**
     * Creates a server context with an explicit cipher suite list and a list of application protocols that is
     * turned into an {@link ApplicationProtocolConfig} via {@code toApplicationProtocolConfig}.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of {@code keyFile}; {@code null} if it is not password-protected
     * @param ciphers the cipher suites to enable, in order of preference; {@code null} for the defaults
     * @param nextProtocols the application layer protocols to accept, in order of preference;
     *        {@code null} to disable the TLS NPN/ALPN extension
     * @param sessionCacheSize the size of the SSL session cache; {@code 0} keeps the JDK default
     * @param sessionTimeout the timeout of cached SSL sessions in seconds; {@code 0} keeps the JDK default
     * @throws SSLException if the key material cannot be loaded or the JDK {@link SSLContext} cannot be
     *         initialized
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, Iterable<String> nextProtocols,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, certChainFile, keyFile, keyPassword, ciphers, IdentityCipherSuiteFilter.INSTANCE,
             toNegotiator(toApplicationProtocolConfig(nextProtocols), true), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a server context with an explicit cipher suite list, a cipher suite filter and an
     * {@link ApplicationProtocolConfig} that is converted to a server-side negotiator.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of {@code keyFile}; {@code null} if it is not password-protected
     * @param ciphers the cipher suites to enable, in order of preference; {@code null} for the defaults
     * @param cipherFilter a filter applied to the supplied cipher suites
     * @param apn the application protocol negotiation configuration
     * @param sessionCacheSize the size of the SSL session cache; {@code 0} keeps the JDK default
     * @param sessionTimeout the timeout of cached SSL sessions in seconds; {@code 0} keeps the JDK default
     * @throws SSLException if the key material cannot be loaded or the JDK {@link SSLContext} cannot be
     *         initialized
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, certChainFile, keyFile, keyPassword, ciphers, cipherFilter,
             toNegotiator(apn, true), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a server context with an explicit cipher suite list, a cipher suite filter and an already
     * constructed {@link JdkApplicationProtocolNegotiator}.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of {@code keyFile}; {@code null} if it is not password-protected
     * @param ciphers the cipher suites to enable, in order of preference; {@code null} for the defaults
     * @param cipherFilter a filter applied to the supplied cipher suites
     * @param apn the application protocol negotiator to use
     * @param sessionCacheSize the size of the SSL session cache; {@code 0} keeps the JDK default
     * @param sessionTimeout the timeout of cached SSL sessions in seconds; {@code 0} keeps the JDK default
     * @throws SSLException if the key material cannot be loaded or the JDK {@link SSLContext} cannot be
     *         initialized
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, certChainFile, keyFile, keyPassword, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Provider-aware variant of the public file-based constructors. No trust material is installed
     * (the JDK default trust store applies) and client authentication is {@link ClientAuth#NONE}.
     *
     * @param provider the JCA {@link Provider} used to obtain the {@link SSLContext}; {@code null} for the
     *        JDK default lookup
     */
    JdkSslServerContext(Provider provider,
                        File certChainFile, File keyFile, String keyPassword,
                        Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
                        long sessionCacheSize, long sessionTimeout) throws SSLException {
        // Certificate chain is parsed before the private key, matching the argument order of the helper.
        super(buildServerSslContext(provider, null, null,
                      toX509CertificatesInternal(certChainFile), toPrivateKeyInternal(keyFile, keyPassword),
                      keyPassword, null, sessionCacheSize, sessionTimeout),
              false, // presumably the "is client" flag of the superclass constructor — confirm against JdkSslContext
              ciphers, cipherFilter, apn, ClientAuth.NONE, null, false /* startTls */);
    }

    /**
     * Creates a server context that also carries trust material, from an {@link ApplicationProtocolConfig}.
     * <p>
     * Note that every public constructor of this class configures {@link ClientAuth#NONE}; the trust
     * material is installed in the {@link SSLContext} but no client certificate is requested. Use
     * {@link SslContextBuilder} when client authentication is required.
     *
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format that is turned into
     *        a {@link TrustManagerFactory} via {@code buildTrustManagerFactory}; {@code null} to fall back to
     *        {@code trustManagerFactory}, or to the JDK default when that is {@code null} as well
     * @param trustManagerFactory the {@link TrustManagerFactory} providing the {@link TrustManager}s that
     *        verify client certificates; {@code null} to use the default or the parsed
     *        {@code trustCertCollectionFile}
     * @param keyCertChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of {@code keyFile}; {@code null} if it is not password-protected
     * @param keyManagerFactory the {@link KeyManagerFactory} providing the {@link KeyManager}s for the
     *        server's own identity; {@code null} to use the key material parsed from
     *        {@code keyCertChainFile} and {@code keyFile}
     * @param ciphers the cipher suites to enable, in order of preference; {@code null} for the defaults
     * @param cipherFilter a filter applied to the supplied cipher suites
     * @param apn the application protocol negotiation configuration
     * @param sessionCacheSize the size of the SSL session cache; {@code 0} keeps the JDK default
     * @param sessionTimeout the timeout of cached SSL sessions in seconds; {@code 0} keeps the JDK default
     * @throws SSLException if the key material cannot be loaded or the JDK {@link SSLContext} cannot be
     *         initialized
     * @throws NullPointerException if {@code keyFile} yields no key and {@code keyManagerFactory} is
     *         {@code null}
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslServerContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
                               File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
                               Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
                               long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(trustCertCollectionFile, trustManagerFactory, keyCertChainFile, keyFile, keyPassword, keyManagerFactory,
             ciphers, cipherFilter, toNegotiator(apn, true), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a server context that also carries trust material, from an already constructed
     * {@link JdkApplicationProtocolNegotiator}. Client authentication is {@link ClientAuth#NONE}.
     *
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format; {@code null} to fall
     *        back to {@code trustManagerFactory}, or to the JDK default when that is {@code null} as well
     * @param trustManagerFactory the {@link TrustManagerFactory} providing the {@link TrustManager}s that
     *        verify client certificates; {@code null} to use the default or the parsed
     *        {@code trustCertCollectionFile}
     * @param keyCertChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of {@code keyFile}; {@code null} if it is not password-protected
     * @param keyManagerFactory the {@link KeyManagerFactory} providing the {@link KeyManager}s for the
     *        server's own identity; {@code null} to use the key material parsed from
     *        {@code keyCertChainFile} and {@code keyFile}
     * @param ciphers the cipher suites to enable, in order of preference; {@code null} for the defaults
     * @param cipherFilter a filter applied to the supplied cipher suites
     * @param apn the application protocol negotiator to use
     * @param sessionCacheSize the size of the SSL session cache; {@code 0} keeps the JDK default
     * @param sessionTimeout the timeout of cached SSL sessions in seconds; {@code 0} keeps the JDK default
     * @throws SSLException if the key material cannot be loaded or the JDK {@link SSLContext} cannot be
     *         initialized
     * @throws NullPointerException if {@code keyFile} yields no key and {@code keyManagerFactory} is
     *         {@code null}
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslServerContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
                               File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
                               Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
                               long sessionCacheSize, long sessionTimeout) throws SSLException {
        super(buildServerSslContext(null, toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
                      toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
                      keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout),
              false, // presumably the "is client" flag of the superclass constructor — confirm against JdkSslContext
              ciphers, cipherFilter, apn, ClientAuth.NONE, null, false /* startTls */);
    }

    /**
     * Fully parameterized constructor that accepts already parsed key and trust material; this is the only
     * constructor that lets the caller choose the {@link ClientAuth} mode, the enabled protocols and STARTTLS.
     *
     * @param provider the JCA {@link Provider} used to obtain the {@link SSLContext}; {@code null} for the
     *        JDK default lookup
     * @param trustCertCollection trusted certificates; {@code null} to fall back to {@code trustManagerFactory}
     * @param trustManagerFactory trust manager source used when {@code trustCertCollection} is {@code null}
     * @param keyCertChain the server's certificate chain
     * @param key the server's private key; {@code null} to rely on {@code keyManagerFactory}
     * @param keyPassword the password protecting {@code key}, if any
     * @param keyManagerFactory key manager source used when {@code key} is {@code null}
     * @param ciphers the cipher suites to enable, in order of preference; {@code null} for the defaults
     * @param cipherFilter a filter applied to the supplied cipher suites
     * @param apn the application protocol negotiation configuration (converted to a server-side negotiator)
     * @param sessionCacheSize the size of the SSL session cache; {@code 0} keeps the JDK default
     * @param sessionTimeout the timeout of cached SSL sessions in seconds; {@code 0} keeps the JDK default
     * @param clientAuth whether a client certificate is requested or required
     * @param protocols the TLS protocol versions to enable; {@code null} for the defaults
     * @param startTls whether the first write is sent in plaintext (STARTTLS)
     * @throws SSLException if the JDK {@link SSLContext} cannot be initialized
     * @throws NullPointerException if both {@code key} and {@code keyManagerFactory} are {@code null}
     */
    JdkSslServerContext(Provider provider,
                        X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
                        X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
                        KeyManagerFactory keyManagerFactory, Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
                        ApplicationProtocolConfig apn, long sessionCacheSize, long sessionTimeout,
                        ClientAuth clientAuth, String[] protocols, boolean startTls) throws SSLException {
        super(buildServerSslContext(provider, trustCertCollection, trustManagerFactory, keyCertChain, key,
                      keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout),
              false, // presumably the "is client" flag of the superclass constructor — confirm against JdkSslContext
              ciphers, cipherFilter, toNegotiator(apn, true), clientAuth, protocols, startTls);
    }

    /**
     * Builds and initializes the JDK {@link SSLContext} backing this server context.
     * <p>
     * Trust managers come from {@code buildTrustManagerFactory} when {@code trustCerts} is given, otherwise
     * from {@code trustFactory}, otherwise ({@code null}) the JDK default is used. Key managers come from
     * {@code buildKeyManagerFactory} when {@code privateKey} is given, otherwise from {@code keyFactory}.
     * Session cache size and timeout are applied to the server session context only when positive, clamped
     * to {@link Integer#MAX_VALUE}.
     *
     * @param provider JCA provider for {@link SSLContext#getInstance}; {@code null} for the default lookup
     * @param trustCerts trusted certificates, or {@code null}
     * @param trustFactory fallback trust manager factory, or {@code null}
     * @param certChain the server's certificate chain
     * @param privateKey the server's private key, or {@code null} to rely on {@code keyFactory}
     * @param password the password protecting {@code privateKey}, if any
     * @param keyFactory fallback key manager factory, or {@code null}
     * @param cacheSize session cache size; ignored unless positive
     * @param timeoutSeconds session timeout in seconds; ignored unless positive
     * @return the initialized context
     * @throws SSLException if initialization fails; any non-{@link SSLException} failure is wrapped
     * @throws NullPointerException if both {@code privateKey} and {@code keyFactory} are {@code null}
     */
    private static SSLContext buildServerSslContext(Provider provider, X509Certificate[] trustCerts,
                                                    TrustManagerFactory trustFactory, X509Certificate[] certChain,
                                                    PrivateKey privateKey, String password, KeyManagerFactory keyFactory,
                                                    long cacheSize, long timeoutSeconds) throws SSLException {
        if (privateKey == null && keyFactory == null) {
            throw new NullPointerException("key, keyManagerFactory");
        }

        try {
            TrustManagerFactory tmf = trustCerts == null
                    ? trustFactory
                    : buildTrustManagerFactory(trustCerts, trustFactory);
            KeyManagerFactory kmf = privateKey == null
                    ? keyFactory
                    : buildKeyManagerFactory(certChain, privateKey, password, keyFactory);

            SSLContext ctx;
            if (provider == null) {
                ctx = SSLContext.getInstance(PROTOCOL);
            } else {
                ctx = SSLContext.getInstance(PROTOCOL, provider);
            }

            // kmf is non-null here: either it was built from the key or the null-check above guaranteed it.
            KeyManager[] keyManagers = kmf.getKeyManagers();
            TrustManager[] trustManagers = tmf == null ? null : tmf.getTrustManagers();
            ctx.init(keyManagers, trustManagers, null);

            applySessionSettings(ctx.getServerSessionContext(), cacheSize, timeoutSeconds);
            return ctx;
        } catch (Exception e) {
            throw asSslException(e);
        }
    }

    /**
     * Applies the session cache size and timeout to {@code sessions}, skipping non-positive values and
     * clamping to {@link Integer#MAX_VALUE} because the JDK setters take an {@code int}.
     */
    private static void applySessionSettings(SSLSessionContext sessions, long cacheSize, long timeoutSeconds) {
        if (cacheSize > 0) {
            sessions.setSessionCacheSize((int) Math.min(cacheSize, Integer.MAX_VALUE));
        }
        if (timeoutSeconds > 0) {
            sessions.setSessionTimeout((int) Math.min(timeoutSeconds, Integer.MAX_VALUE));
        }
    }

    /**
     * Returns {@code cause} unchanged when it already is an {@link SSLException}; otherwise wraps it so the
     * original failure stays available via {@link Throwable#getCause()}.
     */
    private static SSLException asSslException(Exception cause) {
        if (cause instanceof SSLException) {
            return (SSLException) cause;
        }
        return new SSLException("failed to initialize the server-side SSL context", cause);
    }
}