1 /*
2 * Copyright 2014 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16
17 package io.netty.handler.ssl;
18
19 import java.security.KeyStore;
20 import java.security.Provider;
21 import javax.net.ssl.KeyManager;
22
23 import javax.net.ssl.KeyManagerFactory;
24 import javax.net.ssl.SSLContext;
25 import javax.net.ssl.SSLException;
26 import javax.net.ssl.SSLSessionContext;
27 import javax.net.ssl.TrustManager;
28 import javax.net.ssl.TrustManagerFactory;
29 import java.io.File;
30 import java.security.PrivateKey;
31 import java.security.cert.X509Certificate;
32
33 /**
34 * A server-side {@link SslContext} which uses JDK's SSL/TLS implementation.
35 *
36 * @deprecated Use {@link SslContextBuilder} to create {@link JdkSslContext} instances and only
37 * use {@link JdkSslContext} in your code.
38 */
39 @Deprecated
40 public final class JdkSslServerContext extends JdkSslContext {
41
42 /**
43 * Creates a new instance.
44 *
45 * @param certChainFile an X.509 certificate chain file in PEM format
46 * @param keyFile a PKCS#8 private key file in PEM format
47 * @deprecated use {@link SslContextBuilder}
48 */
49 @Deprecated
50 public JdkSslServerContext(File certChainFile, File keyFile) throws SSLException {
51 this(null, certChainFile, keyFile, null, null, IdentityCipherSuiteFilter.INSTANCE,
52 JdkDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0, null);
53 }
54
55 /**
56 * Creates a new instance.
57 *
58 * @param certChainFile an X.509 certificate chain file in PEM format
59 * @param keyFile a PKCS#8 private key file in PEM format
60 * @param keyPassword the password of the {@code keyFile}.
61 * {@code null} if it's not password-protected.
62 * @deprecated use {@link SslContextBuilder}
63 */
64 @Deprecated
65 public JdkSslServerContext(File certChainFile, File keyFile, String keyPassword) throws SSLException {
66 this(certChainFile, keyFile, keyPassword, null, IdentityCipherSuiteFilter.INSTANCE,
67 JdkDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0);
68 }
69
70 /**
71 * Creates a new instance.
72 *
73 * @param certChainFile an X.509 certificate chain file in PEM format
74 * @param keyFile a PKCS#8 private key file in PEM format
75 * @param keyPassword the password of the {@code keyFile}.
76 * {@code null} if it's not password-protected.
77 * @param ciphers the cipher suites to enable, in the order of preference.
78 * {@code null} to use the default cipher suites.
79 * @param nextProtocols the application layer protocols to accept, in the order of preference.
80 * {@code null} to disable TLS NPN/ALPN extension.
81 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
82 * {@code 0} to use the default value.
83 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
84 * {@code 0} to use the default value.
85 * @deprecated use {@link SslContextBuilder}
86 */
87 @Deprecated
88 public JdkSslServerContext(
89 File certChainFile, File keyFile, String keyPassword,
90 Iterable<String> ciphers, Iterable<String> nextProtocols,
91 long sessionCacheSize, long sessionTimeout) throws SSLException {
92 this(null, certChainFile, keyFile, keyPassword, ciphers, IdentityCipherSuiteFilter.INSTANCE,
93 toNegotiator(toApplicationProtocolConfig(nextProtocols), true), sessionCacheSize,
94 sessionTimeout, KeyStore.getDefaultType());
95 }
96
97 /**
98 * Creates a new instance.
99 *
100 * @param certChainFile an X.509 certificate chain file in PEM format
101 * @param keyFile a PKCS#8 private key file in PEM format
102 * @param keyPassword the password of the {@code keyFile}.
103 * {@code null} if it's not password-protected.
104 * @param ciphers the cipher suites to enable, in the order of preference.
105 * {@code null} to use the default cipher suites.
106 * @param cipherFilter a filter to apply over the supplied list of ciphers
107 * @param apn Provides a means to configure parameters related to application protocol negotiation.
108 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
109 * {@code 0} to use the default value.
110 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
111 * {@code 0} to use the default value.
112 * @deprecated use {@link SslContextBuilder}
113 */
114 @Deprecated
115 public JdkSslServerContext(
116 File certChainFile, File keyFile, String keyPassword,
117 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
118 long sessionCacheSize, long sessionTimeout) throws SSLException {
119 this(null, certChainFile, keyFile, keyPassword, ciphers, cipherFilter,
120 toNegotiator(apn, true), sessionCacheSize, sessionTimeout, KeyStore.getDefaultType());
121 }
122
123 /**
124 * Creates a new instance.
125 *
126 * @param certChainFile an X.509 certificate chain file in PEM format
127 * @param keyFile a PKCS#8 private key file in PEM format
128 * @param keyPassword the password of the {@code keyFile}.
129 * {@code null} if it's not password-protected.
130 * @param ciphers the cipher suites to enable, in the order of preference.
131 * {@code null} to use the default cipher suites.
132 * @param cipherFilter a filter to apply over the supplied list of ciphers
133 * @param apn Application Protocol Negotiator object.
134 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
135 * {@code 0} to use the default value.
136 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
137 * {@code 0} to use the default value.
138 * @deprecated use {@link SslContextBuilder}
139 */
140 @Deprecated
141 public JdkSslServerContext(
142 File certChainFile, File keyFile, String keyPassword,
143 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
144 long sessionCacheSize, long sessionTimeout) throws SSLException {
145 this(null, certChainFile, keyFile, keyPassword, ciphers, cipherFilter, apn,
146 sessionCacheSize, sessionTimeout, KeyStore.getDefaultType());
147 }
148
149 JdkSslServerContext(Provider provider,
150 File certChainFile, File keyFile, String keyPassword,
151 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
152 long sessionCacheSize, long sessionTimeout, String keyStore) throws SSLException {
153 super(newSSLContext(provider, null, null,
154 toX509CertificatesInternal(certChainFile), toPrivateKeyInternal(keyFile, keyPassword),
155 keyPassword, null, sessionCacheSize, sessionTimeout, keyStore), false,
156 ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
157 }
158
159 /**
160 * Creates a new instance.
161 * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
162 * This provides the certificate collection used for mutual authentication.
163 * {@code null} to use the system default
164 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
165 * that verifies the certificates sent from clients.
166 * {@code null} to use the default or the results of parsing
167 * {@code trustCertCollectionFile}.
168 * @param keyCertChainFile an X.509 certificate chain file in PEM format
169 * @param keyFile a PKCS#8 private key file in PEM format
170 * @param keyPassword the password of the {@code keyFile}.
171 * {@code null} if it's not password-protected.
172 * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
173 * that is used to encrypt data being sent to clients.
174 * {@code null} to use the default or the results of parsing
175 * {@code keyCertChainFile} and {@code keyFile}.
176 * @param ciphers the cipher suites to enable, in the order of preference.
177 * {@code null} to use the default cipher suites.
178 * @param cipherFilter a filter to apply over the supplied list of ciphers
179 * Only required if {@code provider} is {@link SslProvider#JDK}
180 * @param apn Provides a means to configure parameters related to application protocol negotiation.
181 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
182 * {@code 0} to use the default value.
183 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
184 * {@code 0} to use the default value.
185 * @deprecated use {@link SslContextBuilder}
186 */
187 @Deprecated
188 public JdkSslServerContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
189 File keyCertChainFile, File keyFile, String keyPassword,
190 KeyManagerFactory keyManagerFactory,
191 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
192 long sessionCacheSize, long sessionTimeout) throws SSLException {
193 super(newSSLContext(null, toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
194 toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
195 keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout, null), false,
196 ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
197 }
198
199 /**
200 * Creates a new instance.
201 * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
202 * This provides the certificate collection used for mutual authentication.
203 * {@code null} to use the system default
204 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
205 * that verifies the certificates sent from clients.
206 * {@code null} to use the default or the results of parsing
207 * {@code trustCertCollectionFile}
208 * @param keyCertChainFile an X.509 certificate chain file in PEM format
209 * @param keyFile a PKCS#8 private key file in PEM format
210 * @param keyPassword the password of the {@code keyFile}.
211 * {@code null} if it's not password-protected.
212 * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
213 * that is used to encrypt data being sent to clients.
214 * {@code null} to use the default or the results of parsing
215 * {@code keyCertChainFile} and {@code keyFile}.
216 * @param ciphers the cipher suites to enable, in the order of preference.
217 * {@code null} to use the default cipher suites.
218 * @param cipherFilter a filter to apply over the supplied list of ciphers
219 * Only required if {@code provider} is {@link SslProvider#JDK}
220 * @param apn Application Protocol Negotiator object.
221 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
222 * {@code 0} to use the default value.
223 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
224 * {@code 0} to use the default value
225 * @deprecated use {@link SslContextBuilder}
226 */
227 @Deprecated
228 public JdkSslServerContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
229 File keyCertChainFile, File keyFile, String keyPassword,
230 KeyManagerFactory keyManagerFactory,
231 Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
232 JdkApplicationProtocolNegotiator apn,
233 long sessionCacheSize, long sessionTimeout) throws SSLException {
234 super(newSSLContext(null, toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
235 toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
236 keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout, KeyStore.getDefaultType()), false,
237 ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
238 }
239
240 JdkSslServerContext(Provider provider,
241 X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
242 X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
243 KeyManagerFactory keyManagerFactory, Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
244 ApplicationProtocolConfig apn, long sessionCacheSize, long sessionTimeout,
245 ClientAuth clientAuth, String[] protocols, boolean startTls,
246 String keyStore) throws SSLException {
247 super(newSSLContext(provider, trustCertCollection, trustManagerFactory, keyCertChain, key,
248 keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout, keyStore), false,
249 ciphers, cipherFilter, toNegotiator(apn, true), clientAuth, protocols, startTls);
250 }
251
252 private static SSLContext newSSLContext(Provider sslContextProvider, X509Certificate[] trustCertCollection,
253 TrustManagerFactory trustManagerFactory, X509Certificate[] keyCertChain,
254 PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
255 long sessionCacheSize, long sessionTimeout, String keyStore)
256 throws SSLException {
257 if (key == null && keyManagerFactory == null) {
258 throw new NullPointerException("key, keyManagerFactory");
259 }
260
261 try {
262 if (trustCertCollection != null) {
263 trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory, keyStore);
264 }
265 if (key != null) {
266 keyManagerFactory = buildKeyManagerFactory(keyCertChain, null,
267 key, keyPassword, keyManagerFactory, null);
268 }
269
270 // Initialize the SSLContext to work with our key managers.
271 SSLContext ctx = sslContextProvider == null ? SSLContext.getInstance(PROTOCOL)
272 : SSLContext.getInstance(PROTOCOL, sslContextProvider);
273 ctx.init(keyManagerFactory.getKeyManagers(),
274 trustManagerFactory == null ? null : trustManagerFactory.getTrustManagers(),
275 null);
276
277 SSLSessionContext sessCtx = ctx.getServerSessionContext();
278 if (sessionCacheSize > 0) {
279 sessCtx.setSessionCacheSize((int) Math.min(sessionCacheSize, Integer.MAX_VALUE));
280 }
281 if (sessionTimeout > 0) {
282 sessCtx.setSessionTimeout((int) Math.min(sessionTimeout, Integer.MAX_VALUE));
283 }
284 return ctx;
285 } catch (Exception e) {
286 if (e instanceof SSLException) {
287 throw (SSLException) e;
288 }
289 throw new SSLException("failed to initialize the server-side SSL context", e);
290 }
291 }
292
293 }