1 /*
2 * Copyright 2014 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16 package io.netty.handler.ssl;
17
18 import io.netty.internal.tcnative.SSL;
19
20 import java.io.File;
21 import java.security.KeyStore;
22 import java.security.PrivateKey;
23 import java.security.cert.X509Certificate;
24 import java.util.Map;
25
26 import javax.net.ssl.KeyManagerFactory;
27 import javax.net.ssl.SSLException;
28 import javax.net.ssl.TrustManager;
29 import javax.net.ssl.TrustManagerFactory;
30
31 import static io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext;
32
33 /**
34 * A client-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
35 * <p>This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
36 * and manually release the native memory see {@link ReferenceCountedOpenSslClientContext}.
37 */
38 public final class OpenSslClientContext extends OpenSslContext {
39 private final OpenSslSessionContext sessionContext;
40
41 /**
42 * Creates a new instance.
43 * @deprecated use {@link SslContextBuilder}
44 */
45 @Deprecated
46 public OpenSslClientContext() throws SSLException {
47 this(null, null, null, null, null, null, null, IdentityCipherSuiteFilter.INSTANCE, null, 0, 0);
48 }
49
50 /**
51 * Creates a new instance.
52 *
53 * @param certChainFile an X.509 certificate chain file in PEM format.
54 * {@code null} to use the system default
55 * @deprecated use {@link SslContextBuilder}
56 */
57 @Deprecated
58 public OpenSslClientContext(File certChainFile) throws SSLException {
59 this(certChainFile, null);
60 }
61
62 /**
63 * Creates a new instance.
64 *
65 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
66 * that verifies the certificates sent from servers.
67 * {@code null} to use the default.
68 * @deprecated use {@link SslContextBuilder}
69 */
70 @Deprecated
71 public OpenSslClientContext(TrustManagerFactory trustManagerFactory) throws SSLException {
72 this(null, trustManagerFactory);
73 }
74
75 /**
76 * Creates a new instance.
77 *
78 * @param certChainFile an X.509 certificate chain file in PEM format.
79 * {@code null} to use the system default
80 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
81 * that verifies the certificates sent from servers.
82 * {@code null} to use the default.
83 * @deprecated use {@link SslContextBuilder}
84 */
85 @Deprecated
86 public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory) throws SSLException {
87 this(certChainFile, trustManagerFactory, null, null, null, null, null,
88 IdentityCipherSuiteFilter.INSTANCE, null, 0, 0);
89 }
90
91 /**
92 * Creates a new instance.
93 *
94 * @param certChainFile an X.509 certificate chain file in PEM format
95 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
96 * that verifies the certificates sent from servers.
97 * {@code null} to use the default..
98 * @param ciphers the cipher suites to enable, in the order of preference.
99 * {@code null} to use the default cipher suites.
100 * @param apn Provides a means to configure parameters related to application protocol negotiation.
101 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
102 * {@code 0} to use the default value.
103 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
104 * {@code 0} to use the default value.
105 * @deprecated use {@link SslContextBuilder}
106 */
107 @Deprecated
108 public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
109 ApplicationProtocolConfig apn, long sessionCacheSize, long sessionTimeout)
110 throws SSLException {
111 this(certChainFile, trustManagerFactory, null, null, null, null, ciphers, IdentityCipherSuiteFilter.INSTANCE,
112 apn, sessionCacheSize, sessionTimeout);
113 }
114
115 /**
116 * Creates a new instance.
117 *
118 * @param certChainFile an X.509 certificate chain file in PEM format
119 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
120 * that verifies the certificates sent from servers.
121 * {@code null} to use the default..
122 * @param ciphers the cipher suites to enable, in the order of preference.
123 * {@code null} to use the default cipher suites.
124 * @param cipherFilter a filter to apply over the supplied list of ciphers
125 * @param apn Provides a means to configure parameters related to application protocol negotiation.
126 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
127 * {@code 0} to use the default value.
128 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
129 * {@code 0} to use the default value.
130 * @deprecated use {@link SslContextBuilder}
131 */
132 @Deprecated
133 public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
134 CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
135 long sessionCacheSize, long sessionTimeout) throws SSLException {
136 this(certChainFile, trustManagerFactory, null, null, null, null,
137 ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
138 }
139
140 /**
141 * Creates a new instance.
142 * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
143 * {@code null} to use the system default
144 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
145 * that verifies the certificates sent from servers.
146 * {@code null} to use the default or the results of parsing
147 * {@code trustCertCollectionFile}
148 * @param keyCertChainFile an X.509 certificate chain file in PEM format.
149 * This provides the public key for mutual authentication.
150 * {@code null} to use the system default
151 * @param keyFile a PKCS#8 private key file in PEM format.
152 * This provides the private key for mutual authentication.
153 * {@code null} for no mutual authentication.
154 * @param keyPassword the password of the {@code keyFile}.
155 * {@code null} if it's not password-protected.
156 * Ignored if {@code keyFile} is {@code null}.
157 * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link javax.net.ssl.KeyManager}s
158 * that is used to encrypt data being sent to servers.
159 * {@code null} to use the default or the results of parsing
160 * {@code keyCertChainFile} and {@code keyFile}.
161 * @param ciphers the cipher suites to enable, in the order of preference.
162 * {@code null} to use the default cipher suites.
163 * @param cipherFilter a filter to apply over the supplied list of ciphers
164 * @param apn Application Protocol Negotiator object.
165 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
166 * {@code 0} to use the default value.
167 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
168 * {@code 0} to use the default value.
169 * @deprecated use {@link SslContextBuilder}
170 */
171 @Deprecated
172 public OpenSslClientContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
173 File keyCertChainFile, File keyFile, String keyPassword,
174 KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
175 CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
176 long sessionCacheSize, long sessionTimeout)
177 throws SSLException {
178 this(toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
179 toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
180 keyPassword, keyManagerFactory, ciphers, cipherFilter, apn, null, sessionCacheSize,
181 sessionTimeout, false, KeyStore.getDefaultType());
182 }
183
184 OpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
185 X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
186 KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
187 CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn, String[] protocols,
188 long sessionCacheSize, long sessionTimeout, boolean enableOcsp, String keyStore,
189 Map.Entry<SslContextOption<?>, Object>... options)
190 throws SSLException {
191 super(ciphers, cipherFilter, apn, SSL.SSL_MODE_CLIENT, keyCertChain,
192 ClientAuth.NONE, protocols, false, enableOcsp, options);
193 boolean success = false;
194 try {
195 OpenSslKeyMaterialProvider.validateKeyMaterialSupported(keyCertChain, key, keyPassword);
196 sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
197 keyCertChain, key, keyPassword, keyManagerFactory, keyStore,
198 sessionCacheSize, sessionTimeout);
199 success = true;
200 } finally {
201 if (!success) {
202 release();
203 }
204 }
205 }
206
207 @Override
208 public OpenSslSessionContext sessionContext() {
209 return sessionContext;
210 }
211 }