View Javadoc
1   /*
2    * Copyright 2014 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  
17  package io.netty.handler.ssl;
18  
19  import java.security.KeyStore;
20  import java.security.Provider;
21  import javax.net.ssl.KeyManager;
22  import javax.net.ssl.KeyManagerFactory;
23  import javax.net.ssl.SSLContext;
24  import javax.net.ssl.SSLException;
25  import javax.net.ssl.SSLSessionContext;
26  import javax.net.ssl.TrustManager;
27  import javax.net.ssl.TrustManagerFactory;
28  import java.io.File;
29  import java.security.PrivateKey;
30  import java.security.cert.X509Certificate;
31  
32  /**
33   * A client-side {@link SslContext} which uses JDK's SSL/TLS implementation.
34   *
35   * @deprecated Use {@link SslContextBuilder} to create {@link JdkSslContext} instances and only
36   * use {@link JdkSslContext} in your code.
37   */
38  @Deprecated
39  public final class JdkSslClientContext extends JdkSslContext {
40  
41      /**
42       * Creates a new instance.
43       *
44       * @deprecated use {@link SslContextBuilder}
45       */
46      @Deprecated
47      public JdkSslClientContext() throws SSLException {
48          this(null, null);
49      }
50  
51      /**
52       * Creates a new instance.
53       *
54       * @param certChainFile an X.509 certificate chain file in PEM format.
55       *                      {@code null} to use the system default
56       * @deprecated use {@link SslContextBuilder}
57       */
58      @Deprecated
59      public JdkSslClientContext(File certChainFile) throws SSLException {
60          this(certChainFile, null);
61      }
62  
63      /**
64       * Creates a new instance.
65       *
66       * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
67       *                            that verifies the certificates sent from servers.
68       *                            {@code null} to use the default.
69       * @deprecated use {@link SslContextBuilder}
70       */
71      @Deprecated
72      public JdkSslClientContext(TrustManagerFactory trustManagerFactory) throws SSLException {
73          this(null, trustManagerFactory);
74      }
75  
76      /**
77       * Creates a new instance.
78       *
79       * @param certChainFile an X.509 certificate chain file in PEM format.
80       *                      {@code null} to use the system default
81       * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
82       *                            that verifies the certificates sent from servers.
83       *                            {@code null} to use the default.
84       * @deprecated use {@link SslContextBuilder}
85       */
86      @Deprecated
87      public JdkSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory) throws SSLException {
88          this(certChainFile, trustManagerFactory, null, IdentityCipherSuiteFilter.INSTANCE,
89                  JdkDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0);
90      }
91  
92      /**
93       * Creates a new instance.
94       *
95       * @param certChainFile an X.509 certificate chain file in PEM format.
96       *                      {@code null} to use the system default
97       * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
98       *                            that verifies the certificates sent from servers.
99       *                            {@code null} to use the default.
100      * @param ciphers the cipher suites to enable, in the order of preference.
101      *                {@code null} to use the default cipher suites.
102      * @param nextProtocols the application layer protocols to accept, in the order of preference.
103      *                      {@code null} to disable TLS NPN/ALPN extension.
104      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
105      *                         {@code 0} to use the default value.
106      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
107      *                       {@code 0} to use the default value.
108      * @deprecated use {@link SslContextBuilder}
109      */
110     @Deprecated
111     public JdkSslClientContext(
112             File certChainFile, TrustManagerFactory trustManagerFactory,
113             Iterable<String> ciphers, Iterable<String> nextProtocols,
114             long sessionCacheSize, long sessionTimeout) throws SSLException {
115         this(certChainFile, trustManagerFactory, ciphers, IdentityCipherSuiteFilter.INSTANCE,
116              toNegotiator(toApplicationProtocolConfig(nextProtocols), false), sessionCacheSize, sessionTimeout);
117     }
118 
119     /**
120      * Creates a new instance.
121      *
122      * @param certChainFile an X.509 certificate chain file in PEM format.
123      *                      {@code null} to use the system default
124      * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
125      *                            that verifies the certificates sent from servers.
126      *                            {@code null} to use the default.
127      * @param ciphers the cipher suites to enable, in the order of preference.
128      *                {@code null} to use the default cipher suites.
129      * @param cipherFilter a filter to apply over the supplied list of ciphers
130      * @param apn Provides a means to configure parameters related to application protocol negotiation.
131      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
132      *                         {@code 0} to use the default value.
133      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
134      *                       {@code 0} to use the default value.
135      * @deprecated use {@link SslContextBuilder}
136      */
137     @Deprecated
138     public JdkSslClientContext(
139             File certChainFile, TrustManagerFactory trustManagerFactory,
140             Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
141             long sessionCacheSize, long sessionTimeout) throws SSLException {
142         this(certChainFile, trustManagerFactory, ciphers, cipherFilter,
143                 toNegotiator(apn, false), sessionCacheSize, sessionTimeout);
144     }
145 
146     /**
147      * Creates a new instance.
148      *
149      * @param certChainFile an X.509 certificate chain file in PEM format.
150      *                      {@code null} to use the system default
151      * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
152      *                            that verifies the certificates sent from servers.
153      *                            {@code null} to use the default.
154      * @param ciphers the cipher suites to enable, in the order of preference.
155      *                {@code null} to use the default cipher suites.
156      * @param cipherFilter a filter to apply over the supplied list of ciphers
157      * @param apn Application Protocol Negotiator object.
158      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
159      *                         {@code 0} to use the default value.
160      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
161      *                       {@code 0} to use the default value.
162      * @deprecated use {@link SslContextBuilder}
163      */
164     @Deprecated
165     public JdkSslClientContext(
166             File certChainFile, TrustManagerFactory trustManagerFactory,
167             Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
168             long sessionCacheSize, long sessionTimeout) throws SSLException {
169         this(null, certChainFile, trustManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
170     }
171 
172     JdkSslClientContext(Provider provider,
173                         File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
174                         Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
175                         long sessionCacheSize, long sessionTimeout) throws SSLException {
176         super(newSSLContext(provider, toX509CertificatesInternal(trustCertCollectionFile),
177                 trustManagerFactory, null, null,
178                 null, null, sessionCacheSize, sessionTimeout, KeyStore.getDefaultType()), true,
179                 ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
180     }
181 
182     /**
183      * Creates a new instance.
184      * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
185      *                      {@code null} to use the system default
186      * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
187      *                            that verifies the certificates sent from servers.
188      *                            {@code null} to use the default or the results of parsing
189      *                            {@code trustCertCollectionFile}
190      * @param keyCertChainFile an X.509 certificate chain file in PEM format.
191      *                      This provides the public key for mutual authentication.
192      *                      {@code null} to use the system default
193      * @param keyFile a PKCS#8 private key file in PEM format.
194      *                      This provides the private key for mutual authentication.
195      *                      {@code null} for no mutual authentication.
196      * @param keyPassword the password of the {@code keyFile}.
197      *                    {@code null} if it's not password-protected.
198      *                    Ignored if {@code keyFile} is {@code null}.
199      * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
200      *                          that is used to encrypt data being sent to servers.
201      *                          {@code null} to use the default or the results of parsing
202      *                          {@code keyCertChainFile} and {@code keyFile}.
203      * @param ciphers the cipher suites to enable, in the order of preference.
204      *                {@code null} to use the default cipher suites.
205      * @param cipherFilter a filter to apply over the supplied list of ciphers
206      * @param apn Provides a means to configure parameters related to application protocol negotiation.
207      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
208      *                         {@code 0} to use the default value.
209      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
210      *                       {@code 0} to use the default value.
211      * @deprecated use {@link SslContextBuilder}
212      */
213     @Deprecated
214     public JdkSslClientContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
215             File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
216             Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
217             long sessionCacheSize, long sessionTimeout) throws SSLException {
218         this(trustCertCollectionFile, trustManagerFactory, keyCertChainFile, keyFile, keyPassword, keyManagerFactory,
219                 ciphers, cipherFilter, toNegotiator(apn, false), sessionCacheSize, sessionTimeout);
220     }
221 
222     /**
223      * Creates a new instance.
224      * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
225      *                      {@code null} to use the system default
226      * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
227      *                            that verifies the certificates sent from servers.
228      *                            {@code null} to use the default or the results of parsing
229      *                            {@code trustCertCollectionFile}
230      * @param keyCertChainFile an X.509 certificate chain file in PEM format.
231      *                      This provides the public key for mutual authentication.
232      *                      {@code null} to use the system default
233      * @param keyFile a PKCS#8 private key file in PEM format.
234      *                      This provides the private key for mutual authentication.
235      *                      {@code null} for no mutual authentication.
236      * @param keyPassword the password of the {@code keyFile}.
237      *                    {@code null} if it's not password-protected.
238      *                    Ignored if {@code keyFile} is {@code null}.
239      * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
240      *                          that is used to encrypt data being sent to servers.
241      *                          {@code null} to use the default or the results of parsing
242      *                          {@code keyCertChainFile} and {@code keyFile}.
243      * @param ciphers the cipher suites to enable, in the order of preference.
244      *                {@code null} to use the default cipher suites.
245      * @param cipherFilter a filter to apply over the supplied list of ciphers
246      * @param apn Application Protocol Negotiator object.
247      * @param sessionCacheSize the size of the cache used for storing SSL session objects.
248      *                         {@code 0} to use the default value.
249      * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
250      *                       {@code 0} to use the default value.
251      * @deprecated use {@link SslContextBuilder}
252      */
253     @Deprecated
254     public JdkSslClientContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
255             File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
256             Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
257             long sessionCacheSize, long sessionTimeout) throws SSLException {
258         super(newSSLContext(null, toX509CertificatesInternal(
259                 trustCertCollectionFile), trustManagerFactory,
260                 toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
261                 keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout, KeyStore.getDefaultType()), true,
262                 ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
263     }
264 
265     JdkSslClientContext(Provider sslContextProvider,
266                         X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
267                         X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
268                         KeyManagerFactory keyManagerFactory, Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
269                         ApplicationProtocolConfig apn, String[] protocols, long sessionCacheSize, long sessionTimeout,
270                         String keyStoreType)
271             throws SSLException {
272         super(newSSLContext(sslContextProvider, trustCertCollection, trustManagerFactory,
273                             keyCertChain, key, keyPassword, keyManagerFactory, sessionCacheSize,
274                             sessionTimeout, keyStoreType),
275                 true, ciphers, cipherFilter, toNegotiator(apn, false), ClientAuth.NONE, protocols, false);
276     }
277 
278     private static SSLContext newSSLContext(Provider sslContextProvider,
279                                             X509Certificate[] trustCertCollection,
280                                             TrustManagerFactory trustManagerFactory, X509Certificate[] keyCertChain,
281                                             PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
282                                             long sessionCacheSize, long sessionTimeout,
283                                             String keyStore) throws SSLException {
284         try {
285             if (trustCertCollection != null) {
286                 trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory, keyStore);
287             }
288             if (keyCertChain != null) {
289                 keyManagerFactory = buildKeyManagerFactory(keyCertChain, null,
290                         key, keyPassword, keyManagerFactory, keyStore);
291             }
292             SSLContext ctx = sslContextProvider == null ? SSLContext.getInstance(PROTOCOL)
293                 : SSLContext.getInstance(PROTOCOL, sslContextProvider);
294             ctx.init(keyManagerFactory == null ? null : keyManagerFactory.getKeyManagers(),
295                      trustManagerFactory == null ? null : trustManagerFactory.getTrustManagers(),
296                      null);
297 
298             SSLSessionContext sessCtx = ctx.getClientSessionContext();
299             if (sessionCacheSize > 0) {
300                 sessCtx.setSessionCacheSize((int) Math.min(sessionCacheSize, Integer.MAX_VALUE));
301             }
302             if (sessionTimeout > 0) {
303                 sessCtx.setSessionTimeout((int) Math.min(sessionTimeout, Integer.MAX_VALUE));
304             }
305             return ctx;
306         } catch (Exception e) {
307             if (e instanceof SSLException) {
308                 throw (SSLException) e;
309             }
310             throw new SSLException("failed to initialize the client-side SSL context", e);
311         }
312     }
313 }