View Javadoc
1   /*
2    * Copyright 2014 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  package io.netty.handler.ssl;
17  
18  import io.netty.internal.tcnative.SSL;
19  
20  import java.io.File;
21  import java.security.KeyStore;
22  import java.security.PrivateKey;
23  import java.security.cert.X509Certificate;
24  import java.util.Map;
25  
26  import javax.net.ssl.KeyManager;
27  import javax.net.ssl.KeyManagerFactory;
28  import javax.net.ssl.SSLException;
29  import javax.net.ssl.TrustManager;
30  import javax.net.ssl.TrustManagerFactory;
31  
32  import static io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.newSessionContext;
33  
34  /**
35   * A server-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
36   * <p>This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
37   * and manually release the native memory see {@link ReferenceCountedOpenSslServerContext}.
38   */
39  public final class OpenSslServerContext extends OpenSslContext {
40      private final OpenSslServerSessionContext sessionContext;
41  
42      /**
43       * Creates a new instance.
44       *
45       * @param certChainFile an X.509 certificate chain file in PEM format
46       * @param keyFile a PKCS#8 private key file in PEM format
47       * @deprecated use {@link SslContextBuilder}
48       */
49      @Deprecated
50      public OpenSslServerContext(File certChainFile, File keyFile) throws SSLException {
51          this(certChainFile, keyFile, null);
52      }
53  
54      /**
55       * Creates a new instance.
56       *
57       * @param certChainFile an X.509 certificate chain file in PEM format
58       * @param keyFile a PKCS#8 private key file in PEM format
59       * @param keyPassword the password of the {@code keyFile}.
60       *                    {@code null} if it's not password-protected.
61       * @deprecated use {@link SslContextBuilder}
62       */
63      @Deprecated
64      public OpenSslServerContext(File certChainFile, File keyFile, String keyPassword) throws SSLException {
65          this(certChainFile, keyFile, keyPassword, null, IdentityCipherSuiteFilter.INSTANCE,
66               ApplicationProtocolConfig.DISABLED, 0, 0);
67      }
68  
69      /**
70       * Creates a new instance.
71       *
72       * @param certChainFile an X.509 certificate chain file in PEM format
73       * @param keyFile a PKCS#8 private key file in PEM format
74       * @param keyPassword the password of the {@code keyFile}.
75       *                    {@code null} if it's not password-protected.
76       * @param ciphers the cipher suites to enable, in the order of preference.
77       *                {@code null} to use the default cipher suites.
78       * @param apn Provides a means to configure parameters related to application protocol negotiation.
79       * @param sessionCacheSize the size of the cache used for storing SSL session objects.
80       *                         {@code 0} to use the default value.
81       * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
82       *                       {@code 0} to use the default value.
83       * @deprecated use {@link SslContextBuilder}
84       */
85      @Deprecated
86      public OpenSslServerContext(
87              File certChainFile, File keyFile, String keyPassword,
88              Iterable<String> ciphers, ApplicationProtocolConfig apn,
89              long sessionCacheSize, long sessionTimeout) throws SSLException {
90          this(certChainFile, keyFile, keyPassword, ciphers, IdentityCipherSuiteFilter.INSTANCE,
91               apn, sessionCacheSize, sessionTimeout);
92      }
93  
94      /**
95       * Creates a new instance.
96       *
97       * @param certChainFile an X.509 certificate chain file in PEM format
98       * @param keyFile a PKCS#8 private key file in PEM format
99       * @param keyPassword the password of the {@code keyFile}.
100      *                    {@code null} if it's not password-protected.
101      * @param ciphers the cipher suites to enable, in the order of preference.
102      *                {@code null} to use the default cipher suites.
103      * @param nextProtocols the application layer protocols to accept, in the order of preference.
104      *                      {@code null} to disable TLS NPN/ALPN extension.
105      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
106      *                         {@code 0} to use the default value.
107      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
108      *                       {@code 0} to use the default value.
109      * @deprecated use {@link SslContextBuilder}
110      */
111     @Deprecated
112     public OpenSslServerContext(
113             File certChainFile, File keyFile, String keyPassword,
114             Iterable<String> ciphers, Iterable<String> nextProtocols,
115             long sessionCacheSize, long sessionTimeout) throws SSLException {
116         this(certChainFile, keyFile, keyPassword, ciphers,
117             toApplicationProtocolConfig(nextProtocols), sessionCacheSize, sessionTimeout);
118     }
119 
120     /**
121      * Creates a new instance.
122      *
123      * @param certChainFile an X.509 certificate chain file in PEM format
124      * @param keyFile a PKCS#8 private key file in PEM format
125      * @param keyPassword the password of the {@code keyFile}.
126      *                    {@code null} if it's not password-protected.
127      * @param ciphers the cipher suites to enable, in the order of preference.
128      *                {@code null} to use the default cipher suites.
129      * @param config Application protocol config.
130      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
131      *                         {@code 0} to use the default value.
132      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
133      *                       {@code 0} to use the default value.
134      * @deprecated use {@link SslContextBuilder}
135      */
136     @Deprecated
137     public OpenSslServerContext(
138             File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
139             Iterable<String> ciphers, ApplicationProtocolConfig config,
140             long sessionCacheSize, long sessionTimeout) throws SSLException {
141         this(certChainFile, keyFile, keyPassword, trustManagerFactory, ciphers,
142                 toNegotiator(config), sessionCacheSize, sessionTimeout);
143     }
144 
145     /**
146      * Creates a new instance.
147      *
148      * @param certChainFile an X.509 certificate chain file in PEM format
149      * @param keyFile a PKCS#8 private key file in PEM format
150      * @param keyPassword the password of the {@code keyFile}.
151      *                    {@code null} if it's not password-protected.
152      * @param ciphers the cipher suites to enable, in the order of preference.
153      *                {@code null} to use the default cipher suites.
154      * @param apn Application protocol negotiator.
155      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
156      *                         {@code 0} to use the default value.
157      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
158      *                       {@code 0} to use the default value.
159      * @deprecated use {@link SslContextBuilder}
160      */
161     @Deprecated
162     public OpenSslServerContext(
163             File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
164             Iterable<String> ciphers, OpenSslApplicationProtocolNegotiator apn,
165             long sessionCacheSize, long sessionTimeout) throws SSLException {
166         this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null,
167              ciphers, null, apn, sessionCacheSize, sessionTimeout);
168     }
169 
170     /**
171      * Creates a new instance.
172      *
173      * @param certChainFile an X.509 certificate chain file in PEM format
174      * @param keyFile a PKCS#8 private key file in PEM format
175      * @param keyPassword the password of the {@code keyFile}.
176      *                    {@code null} if it's not password-protected.
177      * @param ciphers the cipher suites to enable, in the order of preference.
178      *                {@code null} to use the default cipher suites.
179      * @param cipherFilter a filter to apply over the supplied list of ciphers
180      * @param apn Provides a means to configure parameters related to application protocol negotiation.
181      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
182      *                         {@code 0} to use the default value.
183      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
184      *                       {@code 0} to use the default value.
185      * @deprecated use {@link SslContextBuilder}
186      */
187     @Deprecated
188     public OpenSslServerContext(
189             File certChainFile, File keyFile, String keyPassword,
190             Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
191             long sessionCacheSize, long sessionTimeout) throws SSLException {
192         this(null, null, certChainFile, keyFile, keyPassword, null,
193              ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
194     }
195 
196     /**
197      * Creates a new instance.
198      *
199      * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
200      *                      This provides the certificate collection used for mutual authentication.
201      *                      {@code null} to use the system default
202      * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
203      *                            that verifies the certificates sent from clients.
204      *                            {@code null} to use the default or the results of parsing
205      *                            {@code trustCertCollectionFile}.
206      * @param keyCertChainFile an X.509 certificate chain file in PEM format
207      * @param keyFile a PKCS#8 private key file in PEM format
208      * @param keyPassword the password of the {@code keyFile}.
209      *                    {@code null} if it's not password-protected.
210      * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
211      *                          that is used to encrypt data being sent to clients.
212      *                          {@code null} to use the default or the results of parsing
213      *                          {@code keyCertChainFile} and {@code keyFile}.
214      * @param ciphers the cipher suites to enable, in the order of preference.
215      *                {@code null} to use the default cipher suites.
216      * @param cipherFilter a filter to apply over the supplied list of ciphers
217      *                Only required if {@code provider} is {@link SslProvider#JDK}
218      * @param config Provides a means to configure parameters related to application protocol negotiation.
219      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
220      *                         {@code 0} to use the default value.
221      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
222      *                       {@code 0} to use the default value.
223      * @deprecated use {@link SslContextBuilder}
224      */
225     @Deprecated
226     public OpenSslServerContext(
227             File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
228             File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
229             Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig config,
230             long sessionCacheSize, long sessionTimeout) throws SSLException {
231         this(trustCertCollectionFile, trustManagerFactory, keyCertChainFile, keyFile, keyPassword, keyManagerFactory,
232              ciphers, cipherFilter, toNegotiator(config), sessionCacheSize, sessionTimeout);
233     }
234 
235     /**
236      * Creates a new instance.
237      *
238      * @param certChainFile an X.509 certificate chain file in PEM format
239      * @param keyFile a PKCS#8 private key file in PEM format
240      * @param keyPassword the password of the {@code keyFile}.
241      *                    {@code null} if it's not password-protected.
242      * @param ciphers the cipher suites to enable, in the order of preference.
243      *                {@code null} to use the default cipher suites.
244      * @param cipherFilter a filter to apply over the supplied list of ciphers
245      * @param config Application protocol config.
246      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
247      *                         {@code 0} to use the default value.
248      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
249      *                       {@code 0} to use the default value.
250      * @deprecated use {@link SslContextBuilder}
251      */
252     @Deprecated
253     public OpenSslServerContext(File certChainFile, File keyFile, String keyPassword,
254                                 TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
255                                 CipherSuiteFilter cipherFilter, ApplicationProtocolConfig config,
256                                 long sessionCacheSize, long sessionTimeout) throws SSLException {
257         this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null, ciphers, cipherFilter,
258                       toNegotiator(config), sessionCacheSize, sessionTimeout);
259     }
260 
261     /**
262      * Creates a new instance.
263      *
264      * @param certChainFile an X.509 certificate chain file in PEM format
265      * @param keyFile a PKCS#8 private key file in PEM format
266      * @param keyPassword the password of the {@code keyFile}.
267      *                    {@code null} if it's not password-protected.
268      * @param ciphers the cipher suites to enable, in the order of preference.
269      *                {@code null} to use the default cipher suites.
270      * @param cipherFilter a filter to apply over the supplied list of ciphers
271      * @param apn Application protocol negotiator.
272      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
273      *                         {@code 0} to use the default value.
274      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
275      *                       {@code 0} to use the default value.
276      * @deprecated use {@link SslContextBuilder}}
277      */
278     @Deprecated
279     public OpenSslServerContext(
280             File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
281             Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
282             long sessionCacheSize, long sessionTimeout) throws SSLException {
283         this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null, ciphers, cipherFilter,
284              apn, sessionCacheSize, sessionTimeout);
285     }
286 
287     /**
288      * Creates a new instance.
289      *
290      *
291      * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
292      *                      This provides the certificate collection used for mutual authentication.
293      *                      {@code null} to use the system default
294      * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
295      *                            that verifies the certificates sent from clients.
296      *                            {@code null} to use the default or the results of parsing
297      *                            {@code trustCertCollectionFile}.
298      * @param keyCertChainFile an X.509 certificate chain file in PEM format
299      * @param keyFile a PKCS#8 private key file in PEM format
300      * @param keyPassword the password of the {@code keyFile}.
301      *                    {@code null} if it's not password-protected.
302      * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
303      *                          that is used to encrypt data being sent to clients.
304      *                          {@code null} to use the default or the results of parsing
305      *                          {@code keyCertChainFile} and {@code keyFile}.
306      * @param ciphers the cipher suites to enable, in the order of preference.
307      *                {@code null} to use the default cipher suites.
308      * @param cipherFilter a filter to apply over the supplied list of ciphers
309      *                Only required if {@code provider} is {@link SslProvider#JDK}
310      * @param apn Application Protocol Negotiator object
311      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
312      *                         {@code 0} to use the default value.
313      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
314      *                       {@code 0} to use the default value.
315      * @deprecated use {@link SslContextBuilder}
316      */
317     @Deprecated
318     public OpenSslServerContext(
319             File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
320             File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
321             Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
322             long sessionCacheSize, long sessionTimeout) throws SSLException {
323         this(toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
324                 toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
325                 keyPassword, keyManagerFactory, ciphers, cipherFilter,
326                 apn, sessionCacheSize, sessionTimeout, ClientAuth.NONE, null, false, false, KeyStore.getDefaultType());
327     }
328 
329     OpenSslServerContext(
330             X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
331             X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
332             Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
333             long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth, String[] protocols, boolean startTls,
334             boolean enableOcsp, String keyStore, Map.Entry<SslContextOption<?>, Object>... options)
335             throws SSLException {
336         this(trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory, ciphers,
337                 cipherFilter, toNegotiator(apn), sessionCacheSize, sessionTimeout, clientAuth, protocols, startTls,
338                 enableOcsp, keyStore, options);
339     }
340 
341     @SuppressWarnings("deprecation")
342     private OpenSslServerContext(
343             X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
344             X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
345             Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
346             long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth, String[] protocols, boolean startTls,
347             boolean enableOcsp, String keyStore, Map.Entry<SslContextOption<?>, Object>... options)
348             throws SSLException {
349         super(ciphers, cipherFilter, apn, SSL.SSL_MODE_SERVER, keyCertChain,
350                 clientAuth, protocols, startTls, enableOcsp, options);
351 
352         // Create a new SSL_CTX and configure it.
353         boolean success = false;
354         try {
355             OpenSslKeyMaterialProvider.validateKeyMaterialSupported(keyCertChain, key, keyPassword);
356             sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
357                                                keyCertChain, key, keyPassword, keyManagerFactory, keyStore,
358                                                sessionCacheSize, sessionTimeout);
359             success = true;
360         } finally {
361             if (!success) {
362                 release();
363             }
364         }
365     }
366 
367     @Override
368     public OpenSslServerSessionContext sessionContext() {
369         return sessionContext;
370     }
371 }