1   /*
2    * Copyright 2014 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  
17  package io.netty.handler.ssl;
18  
19  import java.security.Provider;
20  import javax.net.ssl.KeyManager;
21  import javax.net.ssl.KeyManagerFactory;
22  import javax.net.ssl.SSLContext;
23  import javax.net.ssl.SSLException;
24  import javax.net.ssl.SSLSessionContext;
25  import javax.net.ssl.TrustManager;
26  import javax.net.ssl.TrustManagerFactory;
27  import java.io.File;
28  import java.security.PrivateKey;
29  import java.security.cert.X509Certificate;
30  
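/**
 * A client-side {@link SslContext} which uses JDK's SSL/TLS implementation.
 * <p>
 * Every constructor ends in {@code newSSLContext}, which builds and initializes the underlying
 * {@link SSLContext}. Trust material is resolved from the supplied certificate collection (file or
 * array) when present, otherwise from the supplied {@link TrustManagerFactory}; when neither is given,
 * {@code null} trust managers are passed to {@link SSLContext#init}, so the JDK's default trust
 * managers decide which servers are trusted. Key material (client certificate chain and private key,
 * for mutual authentication) is optional and resolved the same way via the {@link KeyManagerFactory}.
 * The superclass is always constructed in client mode with {@link ClientAuth#NONE} and
 * {@code startTls} disabled.
 *
 * @deprecated Use {@link SslContextBuilder} to create {@link JdkSslContext} instances and only
 * use {@link JdkSslContext} in your code.
 */
@Deprecated
public final class JdkSslClientContext extends JdkSslContext {

    /**
     * Creates a new instance that relies on the JDK's default trust managers and presents no
     * client certificate.
     *
     * @throws SSLException if the underlying {@link SSLContext} could not be created or initialized
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext() throws SSLException {
        this(null, null);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format whose certificates are
     *                      trusted when verifying servers.
     *                      {@code null} to use the system default
     * @throws SSLException if the file could not be read or the {@link SSLContext} could not be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(File certChainFile) throws SSLException {
        this(certChainFile, null);
    }

    /**
     * Creates a new instance.
     *
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default.
     * @throws SSLException if the {@link SSLContext} could not be created or initialized
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(TrustManagerFactory trustManagerFactory) throws SSLException {
        this(null, trustManagerFactory);
    }

    /**
     * Creates a new instance with the default cipher suites, no cipher filtering beyond
     * {@link IdentityCipherSuiteFilter}, the default application protocol negotiator and the
     * JDK's default session cache settings.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format.
     *                      {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default.
     * @throws SSLException if the file could not be read or the {@link SSLContext} could not be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory) throws SSLException {
        // 0 / 0 for the session parameters means "leave the JDK defaults untouched" (see newSSLContext).
        this(certChainFile, trustManagerFactory, null, IdentityCipherSuiteFilter.INSTANCE,
                JdkDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format.
     *                      {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param nextProtocols the application layer protocols to accept, in the order of preference.
     *                      {@code null} to disable TLS NPN/ALPN extension.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the file could not be read or the {@link SSLContext} could not be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(
            File certChainFile, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, Iterable<String> nextProtocols,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        // The protocol list is first turned into an ApplicationProtocolConfig and then into a
        // client-side (isServer == false) negotiator.
        this(certChainFile, trustManagerFactory, ciphers, IdentityCipherSuiteFilter.INSTANCE,
             toNegotiator(toApplicationProtocolConfig(nextProtocols), false), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format.
     *                      {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Provides a means to configure parameters related to application protocol negotiation.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the file could not be read or the {@link SSLContext} could not be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(
            File certChainFile, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(certChainFile, trustManagerFactory, ciphers, cipherFilter,
                toNegotiator(apn, false), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format.
     *                      {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Application Protocol Negotiator object.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the file could not be read or the {@link SSLContext} could not be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(
            File certChainFile, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        // null provider: let SSLContext.getInstance pick the provider.
        this(null, certChainFile, trustManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance backed by the given security {@link Provider} and without any key material,
     * i.e. without mutual authentication.
     *
     * @param provider the {@link Provider} to obtain the {@link SSLContext} from.
     *                 {@code null} to let {@link SSLContext#getInstance(String)} choose one
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
     *                                {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default or the results of parsing
     *                            {@code trustCertCollectionFile}
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Application Protocol Negotiator object.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the file could not be read or the {@link SSLContext} could not be created
     */
    JdkSslClientContext(Provider provider,
        File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
        Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
        long sessionCacheSize, long sessionTimeout) throws SSLException {
        // No key cert chain, key, password or KeyManagerFactory: the client presents no certificate.
        super(newSSLContext(provider, toX509CertificatesInternal(trustCertCollectionFile),
                trustManagerFactory, null, null,
                null, null, sessionCacheSize, sessionTimeout), true,
                ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
    }

    /**
     * Creates a new instance.
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
     *                      {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default or the results of parsing
     *                            {@code trustCertCollectionFile}
     * @param keyCertChainFile an X.509 certificate chain file in PEM format.
     *                      This provides the public key for mutual authentication.
     *                      {@code null} to skip parsing and use {@code keyManagerFactory} as-is
     *                      (or the JDK default when that is {@code null} as well)
     * @param keyFile a PKCS#8 private key file in PEM format.
     *                      This provides the private key for mutual authentication.
     *                      {@code null} for no mutual authentication.
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     *                    Ignored if {@code keyFile} is {@code null}.
     *                    Note that a {@link String} cannot be cleared from memory after use.
     * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
     *                          holding the client's certificate chain and private key used to
     *                          authenticate this client to servers (mutual authentication).
     *                          {@code null} to use the default or the results of parsing
     *                          {@code keyCertChainFile} and {@code keyFile}.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Provides a means to configure parameters related to application protocol negotiation.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if a file could not be read or the {@link SSLContext} could not be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
            File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(trustCertCollectionFile, trustManagerFactory, keyCertChainFile, keyFile, keyPassword, keyManagerFactory,
                ciphers, cipherFilter, toNegotiator(apn, false), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance.
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
     *                      {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default or the results of parsing
     *                            {@code trustCertCollectionFile}
     * @param keyCertChainFile an X.509 certificate chain file in PEM format.
     *                      This provides the public key for mutual authentication.
     *                      {@code null} to skip parsing and use {@code keyManagerFactory} as-is
     *                      (or the JDK default when that is {@code null} as well)
     * @param keyFile a PKCS#8 private key file in PEM format.
     *                      This provides the private key for mutual authentication.
     *                      {@code null} for no mutual authentication.
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     *                    Ignored if {@code keyFile} is {@code null}.
     *                    Note that a {@link String} cannot be cleared from memory after use.
     * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
     *                          holding the client's certificate chain and private key used to
     *                          authenticate this client to servers (mutual authentication).
     *                          {@code null} to use the default or the results of parsing
     *                          {@code keyCertChainFile} and {@code keyFile}.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Application Protocol Negotiator object.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if a file could not be read or the {@link SSLContext} could not be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public JdkSslClientContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
            File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        // Files are parsed by the superclass helpers; the password is needed both to decrypt keyFile
        // and again when the KeyManagerFactory is built from the parsed material.
        super(newSSLContext(null, toX509CertificatesInternal(
                trustCertCollectionFile), trustManagerFactory,
                toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
                keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout), true,
                ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
    }

    /**
     * Creates a new instance from already-parsed key and trust material. This is the constructor
     * {@link SslContextBuilder} is expected to use; it is the only one that accepts an explicit
     * list of enabled TLS protocol versions.
     *
     * @param sslContextProvider the {@link Provider} to obtain the {@link SSLContext} from, or {@code null}
     *                           to let {@link SSLContext#getInstance(String)} choose one
     * @param trustCertCollection trusted X.509 certificates, or {@code null} to rely on
     *                            {@code trustManagerFactory} / the JDK default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers, or {@code null}
     * @param keyCertChain the client's X.509 certificate chain for mutual authentication, or {@code null}
     * @param key the private key matching {@code keyCertChain}, or {@code null}
     * @param keyPassword the password protecting {@code key}, or {@code null}
     * @param keyManagerFactory the {@link KeyManagerFactory} providing the client's {@link KeyManager}s,
     *                          or {@code null} to use the default or the parsed material
     * @param ciphers the cipher suites to enable, in the order of preference, or {@code null} for the defaults
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Provides a means to configure parameters related to application protocol negotiation.
     * @param protocols the TLS protocol versions to enable, or {@code null} for the default set
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the {@link SSLContext} could not be created or initialized
     */
    JdkSslClientContext(Provider sslContextProvider,
                        X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
                        X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
                        KeyManagerFactory keyManagerFactory, Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
                        ApplicationProtocolConfig apn, String[] protocols, long sessionCacheSize, long sessionTimeout)
            throws SSLException {
        super(newSSLContext(sslContextProvider, trustCertCollection, trustManagerFactory,
                            keyCertChain, key, keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout),
                true, ciphers, cipherFilter, toNegotiator(apn, false), ClientAuth.NONE, protocols, false);
    }

    /**
     * Builds and initializes the JDK {@link SSLContext} that backs a client context.
     * <p>
     * Trust material: when {@code trustCertCollection} is non-{@code null} it is handed, together with
     * {@code trustManagerFactory}, to {@code buildTrustManagerFactory} and the result is used; otherwise
     * {@code trustManagerFactory} is used as given. A {@code null} result means {@code null}
     * {@link TrustManager}s are passed to {@link SSLContext#init}, which makes the JDK fall back to its
     * default trust managers. Key material from {@code keyCertChain}/{@code key}/{@code keyManagerFactory}
     * is resolved the same way; {@code null} key managers mean no client certificate is presented unless the
     * JDK default key managers supply one.
     *
     * @param sslContextProvider the {@link Provider} to obtain the {@link SSLContext} from, or {@code null}
     *                           to let {@link SSLContext#getInstance(String)} choose one
     * @param trustCertCollection trusted X.509 certificates, or {@code null}
     * @param trustManagerFactory the {@link TrustManagerFactory} to use or to base the built one on, or {@code null}
     * @param keyCertChain the client's certificate chain, or {@code null}
     * @param key the private key matching {@code keyCertChain}, or {@code null}
     * @param keyPassword the password protecting {@code key}, or {@code null}
     * @param keyManagerFactory the {@link KeyManagerFactory} to use or to base the built one on, or {@code null}
     * @param sessionCacheSize client session cache size; {@code 0} or less keeps the JDK default, values
     *                         above {@link Integer#MAX_VALUE} are clamped
     * @param sessionTimeout client session timeout in seconds; handled like {@code sessionCacheSize}
     * @return the initialized {@link SSLContext}
     * @throws SSLException if any step fails; causes that are not already an {@link SSLException} are
     *                      wrapped so callers only ever see {@link SSLException}
     */
    private static SSLContext newSSLContext(Provider sslContextProvider,
                                            X509Certificate[] trustCertCollection,
                                            TrustManagerFactory trustManagerFactory, X509Certificate[] keyCertChain,
                                            PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
                                            long sessionCacheSize, long sessionTimeout) throws SSLException {
        try {
            // Explicitly supplied certificates take precedence: the caller's factory is only passed
            // along to the build helper. Locals avoid reassigning the parameters.
            TrustManagerFactory tmf = trustCertCollection == null
                    ? trustManagerFactory
                    : buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
            KeyManagerFactory kmf = keyCertChain == null
                    ? keyManagerFactory
                    : buildKeyManagerFactory(keyCertChain, key, keyPassword, keyManagerFactory);

            SSLContext ctx = sslContextProvider == null
                    ? SSLContext.getInstance(PROTOCOL)
                    : SSLContext.getInstance(PROTOCOL, sslContextProvider);
            // null KeyManager[] / TrustManager[] / SecureRandom each select the JDK default.
            ctx.init(kmf == null ? null : kmf.getKeyManagers(),
                     tmf == null ? null : tmf.getTrustManagers(),
                     null);

            applySessionSettings(ctx.getClientSessionContext(), sessionCacheSize, sessionTimeout);
            return ctx;
        } catch (Exception e) {
            // Single catch with an instanceof check: re-throwing an SSLException unchanged must not
            // depend on which checked exceptions the build helpers happen to declare.
            if (e instanceof SSLException) {
                throw (SSLException) e;
            }
            throw new SSLException("failed to initialize the client-side SSL context", e);
        }
    }

    /**
     * Applies the client session cache limits. A value of {@code 0} (or less) leaves the JDK default
     * untouched; values that do not fit an {@code int} are clamped to {@link Integer#MAX_VALUE}.
     *
     * @param sessCtx the client {@link SSLSessionContext} to configure
     * @param sessionCacheSize the session cache size, {@code 0} for the default
     * @param sessionTimeout the session timeout in seconds, {@code 0} for the default
     */
    private static void applySessionSettings(SSLSessionContext sessCtx, long sessionCacheSize, long sessionTimeout) {
        if (sessionCacheSize > 0) {
            sessCtx.setSessionCacheSize((int) Math.min(sessionCacheSize, Integer.MAX_VALUE));
        }
        if (sessionTimeout > 0) {
            sessCtx.setSessionTimeout((int) Math.min(sessionTimeout, Integer.MAX_VALUE));
        }
    }
}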
308 }