1 /*
2 * Copyright 2014 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16 package io.netty.handler.ssl;
17
18 import io.netty.internal.tcnative.SSL;
19
20 import java.io.File;
21 import java.security.PrivateKey;
22 import java.security.cert.X509Certificate;
23
24 import javax.net.ssl.KeyManagerFactory;
25 import javax.net.ssl.SSLException;
26 import javax.net.ssl.TrustManager;
27 import javax.net.ssl.TrustManagerFactory;
28
29 import static io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext;
30
31 /**
32 * A client-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
33 * <p>This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
34 * and manually release the native memory see {@link ReferenceCountedOpenSslClientContext}.
35 */
36 public final class OpenSslClientContext extends OpenSslContext {
37 private final OpenSslSessionContext sessionContext;
38
39 /**
40 * Creates a new instance.
41 * @deprecated use {@link SslContextBuilder}
42 */
43 @Deprecated
44 public OpenSslClientContext() throws SSLException {
45 this((File) null, null, null, null, null, null, null, IdentityCipherSuiteFilter.INSTANCE, null, 0, 0);
46 }
47
48 /**
49 * Creates a new instance.
50 *
51 * @param certChainFile an X.509 certificate chain file in PEM format.
52 * {@code null} to use the system default
53 * @deprecated use {@link SslContextBuilder}
54 */
55 @Deprecated
56 public OpenSslClientContext(File certChainFile) throws SSLException {
57 this(certChainFile, null);
58 }
59
60 /**
61 * Creates a new instance.
62 *
63 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
64 * that verifies the certificates sent from servers.
65 * {@code null} to use the default.
66 * @deprecated use {@link SslContextBuilder}
67 */
68 @Deprecated
69 public OpenSslClientContext(TrustManagerFactory trustManagerFactory) throws SSLException {
70 this(null, trustManagerFactory);
71 }
72
73 /**
74 * Creates a new instance.
75 *
76 * @param certChainFile an X.509 certificate chain file in PEM format.
77 * {@code null} to use the system default
78 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
79 * that verifies the certificates sent from servers.
80 * {@code null} to use the default.
81 * @deprecated use {@link SslContextBuilder}
82 */
83 @Deprecated
84 public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory) throws SSLException {
85 this(certChainFile, trustManagerFactory, null, null, null, null, null,
86 IdentityCipherSuiteFilter.INSTANCE, null, 0, 0);
87 }
88
89 /**
90 * Creates a new instance.
91 *
92 * @param certChainFile an X.509 certificate chain file in PEM format
93 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
94 * that verifies the certificates sent from servers.
95 * {@code null} to use the default..
96 * @param ciphers the cipher suites to enable, in the order of preference.
97 * {@code null} to use the default cipher suites.
98 * @param apn Provides a means to configure parameters related to application protocol negotiation.
99 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
100 * {@code 0} to use the default value.
101 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
102 * {@code 0} to use the default value.
103 * @deprecated use {@link SslContextBuilder}
104 */
105 @Deprecated
106 public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
107 ApplicationProtocolConfig apn, long sessionCacheSize, long sessionTimeout)
108 throws SSLException {
109 this(certChainFile, trustManagerFactory, null, null, null, null, ciphers, IdentityCipherSuiteFilter.INSTANCE,
110 apn, sessionCacheSize, sessionTimeout);
111 }
112
113 /**
114 * Creates a new instance.
115 *
116 * @param certChainFile an X.509 certificate chain file in PEM format
117 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
118 * that verifies the certificates sent from servers.
119 * {@code null} to use the default..
120 * @param ciphers the cipher suites to enable, in the order of preference.
121 * {@code null} to use the default cipher suites.
122 * @param cipherFilter a filter to apply over the supplied list of ciphers
123 * @param apn Provides a means to configure parameters related to application protocol negotiation.
124 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
125 * {@code 0} to use the default value.
126 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
127 * {@code 0} to use the default value.
128 * @deprecated use {@link SslContextBuilder}
129 */
130 @Deprecated
131 public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
132 CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
133 long sessionCacheSize, long sessionTimeout) throws SSLException {
134 this(certChainFile, trustManagerFactory, null, null, null, null,
135 ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
136 }
137
138 /**
139 * Creates a new instance.
140 * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
141 * {@code null} to use the system default
142 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
143 * that verifies the certificates sent from servers.
144 * {@code null} to use the default or the results of parsing
145 * {@code trustCertCollectionFile}
146 * @param keyCertChainFile an X.509 certificate chain file in PEM format.
147 * This provides the public key for mutual authentication.
148 * {@code null} to use the system default
149 * @param keyFile a PKCS#8 private key file in PEM format.
150 * This provides the private key for mutual authentication.
151 * {@code null} for no mutual authentication.
152 * @param keyPassword the password of the {@code keyFile}.
153 * {@code null} if it's not password-protected.
154 * Ignored if {@code keyFile} is {@code null}.
155 * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link javax.net.ssl.KeyManager}s
156 * that is used to encrypt data being sent to servers.
157 * {@code null} to use the default or the results of parsing
158 * {@code keyCertChainFile} and {@code keyFile}.
159 * @param ciphers the cipher suites to enable, in the order of preference.
160 * {@code null} to use the default cipher suites.
161 * @param cipherFilter a filter to apply over the supplied list of ciphers
162 * @param apn Application Protocol Negotiator object.
163 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
164 * {@code 0} to use the default value.
165 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
166 * {@code 0} to use the default value.
167 * @deprecated use {@link SslContextBuilder}
168 */
169 @Deprecated
170 public OpenSslClientContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
171 File keyCertChainFile, File keyFile, String keyPassword,
172 KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
173 CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
174 long sessionCacheSize, long sessionTimeout)
175 throws SSLException {
176 this(toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
177 toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
178 keyPassword, keyManagerFactory, ciphers, cipherFilter, apn, null, sessionCacheSize,
179 sessionTimeout, false);
180 }
181
182 OpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
183 X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
184 KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
185 CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn, String[] protocols,
186 long sessionCacheSize, long sessionTimeout, boolean enableOcsp)
187 throws SSLException {
188 super(ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, SSL.SSL_MODE_CLIENT, keyCertChain,
189 ClientAuth.NONE, protocols, false, enableOcsp);
190 boolean success = false;
191 try {
192 sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
193 keyCertChain, key, keyPassword, keyManagerFactory);
194 success = true;
195 } finally {
196 if (!success) {
197 release();
198 }
199 }
200 }
201
202 @Override
203 public OpenSslSessionContext sessionContext() {
204 return sessionContext;
205 }
206
207 @Override
208 OpenSslKeyMaterialManager keyMaterialManager() {
209 return null;
210 }
211 }