View Javadoc
1   /*
2    * Copyright 2014 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  package io.netty.handler.ssl;
17  
18  import io.netty.buffer.ByteBuf;
19  import io.netty.buffer.ByteBufInputStream;
20  import io.netty.util.internal.logging.InternalLogger;
21  import io.netty.util.internal.logging.InternalLoggerFactory;
22  import org.apache.tomcat.jni.CertificateVerifier;
23  import org.apache.tomcat.jni.SSL;
24  import org.apache.tomcat.jni.SSLContext;
25  
26  import javax.net.ssl.SSLException;
27  import javax.net.ssl.TrustManager;
28  import javax.net.ssl.TrustManagerFactory;
29  import javax.net.ssl.X509TrustManager;
30  import javax.security.auth.x500.X500Principal;
31  import java.io.File;
32  import java.io.IOException;
33  import java.security.KeyStore;
34  import java.security.KeyStoreException;
35  import java.security.NoSuchAlgorithmException;
36  import java.security.cert.CertificateException;
37  import java.security.cert.X509Certificate;
38  
39  /**
40   * A client-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
41   */
42  public final class OpenSslClientContext extends OpenSslContext {
43      private static final InternalLogger logger = InternalLoggerFactory.getInstance(OpenSslClientContext.class);
44      private final OpenSslSessionContext sessionContext;
45  
46      /**
47       * Creates a new instance.
48       */
49      public OpenSslClientContext() throws SSLException {
50          this(null, null, null, null, 0, 0);
51      }
52  
53      /**
54       * Creates a new instance.
55       *
56       * @param certChainFile an X.509 certificate chain file in PEM format.
57       *                      {@code null} to use the system default
58       */
59      public OpenSslClientContext(File certChainFile) throws SSLException {
60          this(certChainFile, null);
61      }
62  
63      /**
64       * Creates a new instance.
65       *
66       * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
67       *                            that verifies the certificates sent from servers.
68       *                            {@code null} to use the default.
69       */
70      public OpenSslClientContext(TrustManagerFactory trustManagerFactory) throws SSLException {
71          this(null, trustManagerFactory);
72      }
73  
74      /**
75       * Creates a new instance.
76       *
77       * @param certChainFile an X.509 certificate chain file in PEM format.
78       *                      {@code null} to use the system default
79       * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
80       *                            that verifies the certificates sent from servers.
81       *                            {@code null} to use the default.
82       */
83      public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory) throws SSLException {
84          this(certChainFile, trustManagerFactory, null, null, 0, 0);
85      }
86  
87      /**
88       * Creates a new instance.
89       *
90       * @param certChainFile an X.509 certificate chain file in PEM format
91       * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
92       *                            that verifies the certificates sent from servers.
93       *                            {@code null} to use the default..
94       * @param ciphers the cipher suites to enable, in the order of preference.
95       *                {@code null} to use the default cipher suites.
96       * @param apn Provides a means to configure parameters related to application protocol negotiation.
97       * @param sessionCacheSize the size of the cache used for storing SSL session objects.
98       *                         {@code 0} to use the default value.
99       * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
100      *                       {@code 0} to use the default value.
101      */
102     public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
103                                 ApplicationProtocolConfig apn, long sessionCacheSize, long sessionTimeout)
104             throws SSLException {
105         super(ciphers, apn, sessionCacheSize, sessionTimeout, SSL.SSL_MODE_CLIENT);
106         boolean success = false;
107         try {
108             if (certChainFile != null && !certChainFile.isFile()) {
109                 throw new IllegalArgumentException("certChainFile is not a file: " + certChainFile);
110             }
111 
112             synchronized (OpenSslContext.class) {
113                 if (certChainFile != null) {
114                     /* Load the certificate chain. We must skip the first cert when server mode */
115                     if (!SSLContext.setCertificateChainFile(ctx, certChainFile.getPath(), true)) {
116                         long error = SSL.getLastErrorNumber();
117                         if (OpenSsl.isError(error)) {
118                             throw new SSLException(
119                                     "failed to set certificate chain: "
120                                             + certChainFile + " (" + SSL.getErrorString(error) + ')');
121                         }
122                     }
123                 }
124                 SSLContext.setVerify(ctx, SSL.SSL_VERIFY_NONE, VERIFY_DEPTH);
125 
126                 try {
127                     // Set up trust manager factory to use our key store.
128                     if (trustManagerFactory == null) {
129                         trustManagerFactory = TrustManagerFactory.getInstance(
130                                 TrustManagerFactory.getDefaultAlgorithm());
131                     }
132                     initTrustManagerFactory(certChainFile, trustManagerFactory);
133                     final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
134 
135                     SSLContext.setCertVerifyCallback(ctx, new CertificateVerifier() {
136                         @Override
137                         public boolean verify(long ssl, byte[][] chain, String auth) {
138                             X509Certificate[] peerCerts = certificates(chain);
139                             try {
140                                 manager.checkServerTrusted(peerCerts, auth);
141                                 return true;
142                             } catch (Exception e) {
143                                 logger.debug("verification of certificate failed", e);
144                             }
145                             return false;
146                         }
147                     });
148                 } catch (Exception e) {
149                     throw new SSLException("unable to setup trustmanager", e);
150                 }
151             }
152             sessionContext = new OpenSslClientSessionContext(ctx);
153             success = true;
154         } finally {
155             if (!success) {
156                 destroyPools();
157             }
158         }
159     }
160 
161     private static void initTrustManagerFactory(File certChainFile, TrustManagerFactory trustManagerFactory)
162             throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
163         KeyStore ks = KeyStore.getInstance("JKS");
164         ks.load(null, null);
165         if (certChainFile != null) {
166             ByteBuf[] certs = PemReader.readCertificates(certChainFile);
167             try {
168                 for (ByteBuf buf: certs) {
169                     X509Certificate cert = (X509Certificate) X509_CERT_FACTORY.generateCertificate(
170                             new ByteBufInputStream(buf));
171                     X500Principal principal = cert.getSubjectX500Principal();
172                     ks.setCertificateEntry(principal.getName("RFC2253"), cert);
173                 }
174             } finally {
175                 for (ByteBuf buf: certs) {
176                     buf.release();
177                 }
178             }
179         }
180         trustManagerFactory.init(ks);
181     }
182 
183     @Override
184     public OpenSslSessionContext sessionContext() {
185         return sessionContext;
186     }
187 
188     // No cache is currently supported for client side mode.
189     private static final class OpenSslClientSessionContext extends OpenSslSessionContext {
190         private OpenSslClientSessionContext(long context) {
191             super(context);
192         }
193 
194         @Override
195         public void setSessionTimeout(int seconds) {
196             if (seconds < 0) {
197                 throw new IllegalArgumentException();
198             }
199         }
200 
201         @Override
202         public int getSessionTimeout() {
203             return 0;
204         }
205 
206         @Override
207         public void setSessionCacheSize(int size)  {
208             if (size < 0) {
209                 throw new IllegalArgumentException();
210             }
211         }
212 
213         @Override
214         public int getSessionCacheSize() {
215             return 0;
216         }
217 
218         @Override
219         public void setSessionCacheEnabled(boolean enabled) {
220             // ignored
221         }
222 
223         @Override
224         public boolean isSessionCacheEnabled() {
225             return false;
226         }
227     }
228 }