1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package io.netty.handler.ssl;
18
19 import io.netty.util.CharsetUtil;
20 import io.netty.util.internal.PlatformDependent;
21 import io.netty.util.internal.SuppressJava6Requirement;
22
23 import java.io.ByteArrayInputStream;
24 import java.io.IOException;
25 import java.security.InvalidAlgorithmParameterException;
26 import java.security.KeyException;
27 import java.security.KeyStore;
28 import java.security.KeyStoreException;
29 import java.security.NoSuchAlgorithmException;
30 import java.security.Provider;
31 import javax.crypto.NoSuchPaddingException;
32 import javax.net.ssl.KeyManager;
33
34 import javax.net.ssl.KeyManagerFactory;
35 import javax.net.ssl.SSLContext;
36 import javax.net.ssl.SSLException;
37 import javax.net.ssl.SSLSessionContext;
38 import javax.net.ssl.TrustManager;
39 import javax.net.ssl.TrustManagerFactory;
40 import javax.net.ssl.X509ExtendedTrustManager;
41 import java.io.File;
42 import java.security.PrivateKey;
43 import java.security.SecureRandom;
44 import java.security.UnrecoverableKeyException;
45 import java.security.cert.CertificateException;
46 import java.security.cert.X509Certificate;
47 import java.security.spec.InvalidKeySpecException;
48
49 import static io.netty.handler.ssl.SslUtils.PROBING_CERT;
50 import static io.netty.handler.ssl.SslUtils.PROBING_KEY;
51
52
53
54
55
56
57
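/**
 * Server-side {@link JdkSslContext} backed by the JDK's own {@link SSLContext} implementation.
 *
 * <p>Every public constructor is deprecated and always produces a context with
 * {@link ClientAuth#NONE}, no explicit protocol list and {@code startTls == false}; a client
 * certificate is therefore never requested through them. The package-private constructors at
 * the bottom are the ones used from inside this package and are the only way to set
 * {@code clientAuth}, {@code protocols}, {@code startTls}, a {@link SecureRandom} or an explicit
 * {@link Provider}.
 *
 * <p>Trust material defaults: if neither a trust-certificate collection nor a
 * {@link TrustManagerFactory} is supplied, {@link #newSSLContext} falls back to a default
 * {@link TrustManagerFactory} initialised with a {@code null} {@link KeyStore}, which the JDK
 * resolves to the provider's default trust store. Deployments that must only trust a pinned set
 * of CAs have to pass that set explicitly.
 *
 * @deprecated Kept for backward compatibility; in-package callers use the package-private
 *             constructors below.
 */
@Deprecated
public final class JdkSslServerContext extends JdkSslContext {

    /**
     * Whether this runtime can initialise an {@link SSLContext} whose trust managers are wrapped
     * in {@link EnhancingX509ExtendedTrustManager}. Probed once at class load; any failure of the
     * probe (including a missing {@link X509ExtendedTrustManager} class on Java 6, which is why
     * the probe is skipped there) disables wrapping instead of failing context creation later.
     */
    private static final boolean WRAP_TRUST_MANAGER;
    static {
        boolean wrapTrustManager = false;
        if (PlatformDependent.javaVersion() >= 7) {
            try {
                checkIfWrappingTrustManagerIsSupported();
                wrapTrustManager = true;
            } catch (Throwable ignored) {
                // Best-effort capability probe: if the runtime or its security provider rejects
                // the wrapped trust manager for any reason, fall back to using the provider's
                // trust managers unwrapped rather than breaking every server context.
            }
        }
        WRAP_TRUST_MANAGER = wrapTrustManager;
    }

    /**
     * Capability probe behind {@link #WRAP_TRUST_MANAGER}: builds a throwaway {@link KeyStore}
     * from the embedded probing certificate and key ({@code SslUtils.PROBING_CERT} /
     * {@code SslUtils.PROBING_KEY}), a default {@link TrustManagerFactory} initialised with a
     * {@code null} key store, and initialises an {@link SSLContext} with the trust managers
     * <em>unconditionally</em> wrapped via {@link #wrapTrustManagers(TrustManager[])}.
     *
     * <p>The wrapping must not go through {@link #wrapTrustManagerIfNeeded(TrustManager[])} here:
     * this method runs from the static initialiser before {@link #WRAP_TRUST_MANAGER} has been
     * assigned, so that flag still reads as {@code false} and the conditional variant would hand
     * the managers back unwrapped, turning the probe into a no-op that can never detect a broken
     * wrapper.
     *
     * <p>Package-private so it can be exercised directly; callers must only invoke it on Java 7+.
     *
     * @throws CertificateException                if the probing certificate cannot be parsed
     * @throws InvalidAlgorithmParameterException  propagated from key/trust-manager initialisation
     * @throws NoSuchPaddingException              propagated from private-key decoding
     * @throws NoSuchAlgorithmException            if a default factory or {@link #PROTOCOL} is unavailable
     * @throws InvalidKeySpecException             if the probing key cannot be decoded
     * @throws IOException                         if reading the embedded PEM material fails
     * @throws KeyException                        propagated from key handling
     * @throws KeyStoreException                   if the probing key store cannot be built
     * @throws UnrecoverableKeyException           if the key manager factory rejects the key store
     */
    @SuppressJava6Requirement(reason = "Guarded by java version check")
    static void checkIfWrappingTrustManagerIsSupported() throws CertificateException,
            InvalidAlgorithmParameterException, NoSuchPaddingException, NoSuchAlgorithmException,
            InvalidKeySpecException, IOException, KeyException, KeyStoreException, UnrecoverableKeyException {
        // Embedded, non-secret probing material; it is only ever used to drive this self-test.
        X509Certificate[] certs = toX509Certificates(
                new ByteArrayInputStream(PROBING_CERT.getBytes(CharsetUtil.US_ASCII)));
        PrivateKey privateKey = toPrivateKey(new ByteArrayInputStream(
                PROBING_KEY.getBytes(CharsetUtil.UTF_8)), null);
        char[] keyStorePassword = keyStorePassword(null);
        KeyStore ks = buildKeyStore(certs, privateKey, keyStorePassword, null);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyStorePassword);

        SSLContext ctx = SSLContext.getInstance(PROTOCOL);
        TrustManagerFactory tm = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null KeyStore -> the provider's default trust store; sufficient for a capability probe.
        tm.init((KeyStore) null);
        TrustManager[] managers = tm.getTrustManagers();

        ctx.init(kmf.getKeyManagers(), wrapTrustManagers(managers), null);
    }

    /**
     * Creates a server context from a PEM certificate chain file and an <em>unencrypted</em> PEM
     * private key file, with no cipher restriction, the default JDK application-protocol
     * negotiator, no session-cache or session-timeout override and a {@code null} key-store type
     * (the other deprecated constructors pass {@link KeyStore#getDefaultType()}; presumably the
     * helpers treat {@code null} the same way - verify before relying on it).
     *
     * @param certChainFile PEM file holding the server certificate chain
     * @param keyFile       PEM file holding the unencrypted private key
     * @throws SSLException if the context cannot be initialised
     * @deprecated see class-level note
     */
    @Deprecated
    public JdkSslServerContext(File certChainFile, File keyFile) throws SSLException {
        this(null, certChainFile, keyFile, null, null, IdentityCipherSuiteFilter.INSTANCE,
                JdkDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0, null);
    }

    /**
     * Like {@link #JdkSslServerContext(File, File)} but for a password-protected PEM key, using
     * {@link KeyStore#getDefaultType()} as the key-store type.
     *
     * @param certChainFile PEM file holding the server certificate chain
     * @param keyFile       PEM file holding the private key
     * @param keyPassword   password of {@code keyFile}, or {@code null} if it is unencrypted
     * @throws SSLException if the context cannot be initialised
     * @deprecated see class-level note
     */
    @Deprecated
    public JdkSslServerContext(File certChainFile, File keyFile, String keyPassword) throws SSLException {
        this(certChainFile, keyFile, keyPassword, null, IdentityCipherSuiteFilter.INSTANCE,
                JdkDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0);
    }

    /**
     * Creates a server context with an explicit cipher list and a list of next-protocol names
     * that is converted to a {@link JdkApplicationProtocolNegotiator} (server side).
     *
     * @param certChainFile    PEM file holding the server certificate chain
     * @param keyFile          PEM file holding the private key
     * @param keyPassword      password of {@code keyFile}, or {@code null} if it is unencrypted
     * @param ciphers          cipher suites to enable, or {@code null} for the defaults
     * @param nextProtocols    application protocols to advertise, or {@code null}
     * @param sessionCacheSize server session-cache size; {@code 0} leaves the JDK default
     * @param sessionTimeout   server session timeout in seconds; {@code 0} leaves the JDK default
     * @throws SSLException if the context cannot be initialised
     * @deprecated see class-level note
     */
    @Deprecated
    public JdkSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, Iterable<String> nextProtocols,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, certChainFile, keyFile, keyPassword, ciphers, IdentityCipherSuiteFilter.INSTANCE,
                toNegotiator(toApplicationProtocolConfig(nextProtocols), true), sessionCacheSize,
                sessionTimeout, KeyStore.getDefaultType());
    }

    /**
     * Creates a server context with an explicit cipher filter and an
     * {@link ApplicationProtocolConfig}, which is converted to a server-side negotiator.
     *
     * @param certChainFile    PEM file holding the server certificate chain
     * @param keyFile          PEM file holding the private key
     * @param keyPassword      password of {@code keyFile}, or {@code null} if it is unencrypted
     * @param ciphers          cipher suites to enable, or {@code null} for the defaults
     * @param cipherFilter     filter applied to {@code ciphers}
     * @param apn              application-protocol configuration
     * @param sessionCacheSize server session-cache size; {@code 0} leaves the JDK default
     * @param sessionTimeout   server session timeout in seconds; {@code 0} leaves the JDK default
     * @throws SSLException if the context cannot be initialised
     * @deprecated see class-level note
     */
    @Deprecated
    public JdkSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, certChainFile, keyFile, keyPassword, ciphers, cipherFilter,
                toNegotiator(apn, true), sessionCacheSize, sessionTimeout, KeyStore.getDefaultType());
    }

    /**
     * Creates a server context with an explicit cipher filter and a ready-made
     * {@link JdkApplicationProtocolNegotiator}.
     *
     * @param certChainFile    PEM file holding the server certificate chain
     * @param keyFile          PEM file holding the private key
     * @param keyPassword      password of {@code keyFile}, or {@code null} if it is unencrypted
     * @param ciphers          cipher suites to enable, or {@code null} for the defaults
     * @param cipherFilter     filter applied to {@code ciphers}
     * @param apn              application-protocol negotiator
     * @param sessionCacheSize server session-cache size; {@code 0} leaves the JDK default
     * @param sessionTimeout   server session timeout in seconds; {@code 0} leaves the JDK default
     * @throws SSLException if the context cannot be initialised
     * @deprecated see class-level note
     */
    @Deprecated
    public JdkSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, certChainFile, keyFile, keyPassword, ciphers, cipherFilter, apn,
                sessionCacheSize, sessionTimeout, KeyStore.getDefaultType());
    }

    /**
     * Package-private file-based constructor shared by the deprecated public ones. No trust
     * material is passed, so the resulting context trusts the provider's default trust store;
     * client authentication is {@link ClientAuth#NONE}, so that trust store is not consulted for
     * peer certificates through this path.
     *
     * @param provider         {@link SSLContext} provider, or {@code null} for the JDK default
     * @param keyStore         key-store type handed to the key/trust helpers; may be {@code null}
     * @throws SSLException if the context cannot be initialised
     */
    JdkSslServerContext(Provider provider,
                        File certChainFile, File keyFile, String keyPassword,
                        Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
                        long sessionCacheSize, long sessionTimeout, String keyStore) throws SSLException {
        super(newSSLContext(provider, null, null,
                toX509CertificatesInternal(certChainFile), toPrivateKeyInternal(keyFile, keyPassword),
                keyPassword, null, sessionCacheSize, sessionTimeout, null, keyStore), false,
                ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
    }

    /**
     * Creates a server context with explicit trust material and an optional
     * {@link KeyManagerFactory}, converting {@code apn} to a server-side negotiator. Key-store
     * type is passed as {@code null}.
     *
     * @param trustCertCollectionFile PEM file of trusted certificates, or {@code null}
     * @param trustManagerFactory     trust-manager factory, or {@code null} for the default
     * @param keyCertChainFile        PEM file holding the server certificate chain
     * @param keyFile                 PEM file holding the private key
     * @param keyPassword             password of {@code keyFile}, or {@code null}
     * @param keyManagerFactory       key-manager factory, or {@code null} to build one from the key
     * @param ciphers                 cipher suites to enable, or {@code null} for the defaults
     * @param cipherFilter            filter applied to {@code ciphers}
     * @param apn                     application-protocol configuration
     * @param sessionCacheSize        server session-cache size; {@code 0} leaves the JDK default
     * @param sessionTimeout          server session timeout in seconds; {@code 0} leaves the JDK default
     * @throws SSLException if the context cannot be initialised
     * @deprecated see class-level note
     */
    @Deprecated
    public JdkSslServerContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
                               File keyCertChainFile, File keyFile, String keyPassword,
                               KeyManagerFactory keyManagerFactory,
                               Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
                               long sessionCacheSize, long sessionTimeout) throws SSLException {
        super(newSSLContext(null, toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
                toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
                keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout, null, null), false,
                ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
    }

    /**
     * Same as the {@link ApplicationProtocolConfig} overload above but with a ready-made
     * {@link JdkApplicationProtocolNegotiator}; uses {@link KeyStore#getDefaultType()}.
     *
     * @throws SSLException if the context cannot be initialised
     * @deprecated see class-level note
     */
    @Deprecated
    public JdkSslServerContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
                               File keyCertChainFile, File keyFile, String keyPassword,
                               KeyManagerFactory keyManagerFactory,
                               Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
                               JdkApplicationProtocolNegotiator apn,
                               long sessionCacheSize, long sessionTimeout) throws SSLException {
        super(newSSLContext(null, toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
                toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
                keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout,
                null, KeyStore.getDefaultType()), false,
                ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
    }

    /**
     * Fully parameterised package-private constructor; the only entry point that can request
     * client authentication, restrict protocols, enable STARTTLS or supply a {@link SecureRandom}.
     *
     * @param provider            {@link SSLContext} provider, or {@code null} for the JDK default
     * @param trustCertCollection trusted certificates, or {@code null}
     * @param trustManagerFactory trust-manager factory, or {@code null}
     * @param keyCertChain        server certificate chain
     * @param key                 server private key; may be {@code null} only if
     *                            {@code keyManagerFactory} is supplied
     * @param keyPassword         key password, or {@code null}
     * @param keyManagerFactory   key-manager factory, or {@code null}
     * @param clientAuth          client-authentication mode
     * @param protocols           protocols to enable, or {@code null} for the defaults
     * @param startTls            whether the first write is plaintext (STARTTLS)
     * @param secureRandom        RNG for the context, or {@code null} for the provider default
     * @param keyStore            key-store type handed to the key/trust helpers
     * @throws SSLException if the context cannot be initialised
     */
    JdkSslServerContext(Provider provider,
                        X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
                        X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
                        KeyManagerFactory keyManagerFactory, Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
                        ApplicationProtocolConfig apn, long sessionCacheSize, long sessionTimeout,
                        ClientAuth clientAuth, String[] protocols, boolean startTls,
                        SecureRandom secureRandom, String keyStore) throws SSLException {
        super(newSSLContext(provider, trustCertCollection, trustManagerFactory, keyCertChain, key,
                keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout, secureRandom, keyStore), false,
                ciphers, cipherFilter, toNegotiator(apn, true), clientAuth, protocols, startTls);
    }

    /**
     * Builds and initialises the underlying server {@link SSLContext}.
     *
     * <p>Trust side: an explicit {@code trustCertCollection} wins and is turned into a factory by
     * {@code buildTrustManagerFactory} (the supplied {@code trustManagerFactory}, if any, is passed
     * to that helper; how it is used there is not visible in this file). With no collection and no
     * factory, the provider's default trust store is used.
     *
     * <p>Key side: if {@code key} is non-null a {@link KeyManagerFactory} is (re)built around it via
     * {@code buildKeyManagerFactory}; otherwise the supplied {@code keyManagerFactory} is used as-is.
     * {@code keyPassword} travels as a {@link String} and therefore cannot be wiped from memory
     * after use - a limitation of this (deprecated) API.
     *
     * <p>Session cache size and timeout are applied to the server session context only when
     * positive, clamped to {@link Integer#MAX_VALUE}.
     *
     * @param sslContextProvider  provider for {@link SSLContext#getInstance}, or {@code null}
     * @param trustCertCollection trusted certificates, or {@code null}
     * @param trustManagerFactory trust-manager factory, or {@code null}
     * @param keyCertChain        server certificate chain
     * @param key                 server private key, or {@code null}
     * @param keyPassword         key password, or {@code null}
     * @param keyManagerFactory   key-manager factory, or {@code null}
     * @param sessionCacheSize    server session-cache size; ignored unless {@code > 0}
     * @param sessionTimeout      server session timeout in seconds; ignored unless {@code > 0}
     * @param secureRandom        RNG for the context, or {@code null}
     * @param keyStore            key-store type handed to the helpers
     * @return the initialised context
     * @throws NullPointerException if both {@code key} and {@code keyManagerFactory} are {@code null}
     * @throws SSLException         wrapping any other failure during initialisation
     */
    private static SSLContext newSSLContext(Provider sslContextProvider, X509Certificate[] trustCertCollection,
                                            TrustManagerFactory trustManagerFactory, X509Certificate[] keyCertChain,
                                            PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
                                            long sessionCacheSize, long sessionTimeout,
                                            SecureRandom secureRandom, String keyStore)
            throws SSLException {
        // A server must have identity material from one of the two sources.
        if (key == null && keyManagerFactory == null) {
            throw new NullPointerException("key, keyManagerFactory");
        }

        try {
            if (trustCertCollection != null) {
                trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory, keyStore);
            } else if (trustManagerFactory == null) {
                // No trust material at all: a null KeyStore selects the provider's default
                // trust store. Only relevant when clientAuth != NONE on the resulting context.
                trustManagerFactory = TrustManagerFactory.getInstance(
                        TrustManagerFactory.getDefaultAlgorithm());
                trustManagerFactory.init((KeyStore) null);
            }

            if (key != null) {
                keyManagerFactory = buildKeyManagerFactory(keyCertChain, null,
                        key, keyPassword, keyManagerFactory, null);
            }

            // Initialize the SSLContext to work with our key managers.
            SSLContext ctx = sslContextProvider == null ? SSLContext.getInstance(PROTOCOL)
                    : SSLContext.getInstance(PROTOCOL, sslContextProvider);
            ctx.init(keyManagerFactory.getKeyManagers(),
                    wrapTrustManagerIfNeeded(trustManagerFactory.getTrustManagers()),
                    secureRandom);

            SSLSessionContext sessCtx = ctx.getServerSessionContext();
            if (sessionCacheSize > 0) {
                sessCtx.setSessionCacheSize((int) Math.min(sessionCacheSize, Integer.MAX_VALUE));
            }
            if (sessionTimeout > 0) {
                sessCtx.setSessionTimeout((int) Math.min(sessionTimeout, Integer.MAX_VALUE));
            }
            return ctx;
        } catch (Exception e) {
            if (e instanceof SSLException) {
                throw (SSLException) e;
            }
            throw new SSLException("failed to initialize the server-side SSL context", e);
        }
    }

    /**
     * Unconditionally wraps every {@link X509ExtendedTrustManager} in {@code trustManagers} in an
     * {@link EnhancingX509ExtendedTrustManager}; any other {@link TrustManager} is passed through
     * untouched. A copy of the array is returned so a {@link TrustManagerFactory} that hands out
     * a shared internal array never sees the wrappers (and cannot be double-wrapped on the next
     * context build).
     *
     * <p>Must only be called on Java 7+, where {@link X509ExtendedTrustManager} exists.
     *
     * @param trustManagers trust managers as returned by a {@link TrustManagerFactory}
     * @return a new array with extended trust managers wrapped
     */
    @SuppressJava6Requirement(reason = "Guarded by java version check")
    private static TrustManager[] wrapTrustManagers(TrustManager[] trustManagers) {
        TrustManager[] wrapped = trustManagers.clone();
        for (int i = 0; i < wrapped.length; i++) {
            TrustManager tm = wrapped[i];
            if (tm instanceof X509ExtendedTrustManager) {
                wrapped[i] = new EnhancingX509ExtendedTrustManager((X509ExtendedTrustManager) tm);
            }
        }
        return wrapped;
    }

    /**
     * Applies {@link #wrapTrustManagers(TrustManager[])} only when the class-load probe found
     * wrapping to be supported ({@link #WRAP_TRUST_MANAGER}) and the runtime is Java 7+;
     * otherwise returns {@code trustManagers} unchanged.
     *
     * @param trustManagers trust managers as returned by a {@link TrustManagerFactory}
     * @return the (possibly wrapped) trust managers to pass to {@link SSLContext#init}
     */
    @SuppressJava6Requirement(reason = "Guarded by java version check")
    private static TrustManager[] wrapTrustManagerIfNeeded(TrustManager[] trustManagers) {
        if (WRAP_TRUST_MANAGER && PlatformDependent.javaVersion() >= 7) {
            return wrapTrustManagers(trustManagers);
        }
        return trustManagers;
    }
}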