1 /*
2 * Copyright 2014 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16 package io.netty.handler.ssl;
17
18 import io.netty.internal.tcnative.SSL;
19
20 import java.io.File;
21 import java.security.KeyStore;
22 import java.security.PrivateKey;
23 import java.security.cert.X509Certificate;
24 import java.util.Map;
25
26 import javax.net.ssl.KeyManager;
27 import javax.net.ssl.KeyManagerFactory;
28 import javax.net.ssl.SSLException;
29 import javax.net.ssl.TrustManager;
30 import javax.net.ssl.TrustManagerFactory;
31
32 import static io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.newSessionContext;
33
34 /**
35 * A server-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
36 * <p>This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
37 * and manually release the native memory see {@link ReferenceCountedOpenSslServerContext}.
38 */
39 public final class OpenSslServerContext extends OpenSslContext {
40 private final OpenSslServerSessionContext sessionContext;
41
42 /**
43 * Creates a new instance.
44 *
45 * @param certChainFile an X.509 certificate chain file in PEM format
46 * @param keyFile a PKCS#8 private key file in PEM format
47 * @deprecated use {@link SslContextBuilder}
48 */
49 @Deprecated
50 public OpenSslServerContext(File certChainFile, File keyFile) throws SSLException {
51 this(certChainFile, keyFile, null);
52 }
53
54 /**
55 * Creates a new instance.
56 *
57 * @param certChainFile an X.509 certificate chain file in PEM format
58 * @param keyFile a PKCS#8 private key file in PEM format
59 * @param keyPassword the password of the {@code keyFile}.
60 * {@code null} if it's not password-protected.
61 * @deprecated use {@link SslContextBuilder}
62 */
63 @Deprecated
64 public OpenSslServerContext(File certChainFile, File keyFile, String keyPassword) throws SSLException {
65 this(certChainFile, keyFile, keyPassword, null, IdentityCipherSuiteFilter.INSTANCE,
66 ApplicationProtocolConfig.DISABLED, 0, 0);
67 }
68
69 /**
70 * Creates a new instance.
71 *
72 * @param certChainFile an X.509 certificate chain file in PEM format
73 * @param keyFile a PKCS#8 private key file in PEM format
74 * @param keyPassword the password of the {@code keyFile}.
75 * {@code null} if it's not password-protected.
76 * @param ciphers the cipher suites to enable, in the order of preference.
77 * {@code null} to use the default cipher suites.
78 * @param apn Provides a means to configure parameters related to application protocol negotiation.
79 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
80 * {@code 0} to use the default value.
81 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
82 * {@code 0} to use the default value.
83 * @deprecated use {@link SslContextBuilder}
84 */
85 @Deprecated
86 public OpenSslServerContext(
87 File certChainFile, File keyFile, String keyPassword,
88 Iterable<String> ciphers, ApplicationProtocolConfig apn,
89 long sessionCacheSize, long sessionTimeout) throws SSLException {
90 this(certChainFile, keyFile, keyPassword, ciphers, IdentityCipherSuiteFilter.INSTANCE,
91 apn, sessionCacheSize, sessionTimeout);
92 }
93
94 /**
95 * Creates a new instance.
96 *
97 * @param certChainFile an X.509 certificate chain file in PEM format
98 * @param keyFile a PKCS#8 private key file in PEM format
99 * @param keyPassword the password of the {@code keyFile}.
100 * {@code null} if it's not password-protected.
101 * @param ciphers the cipher suites to enable, in the order of preference.
102 * {@code null} to use the default cipher suites.
103 * @param nextProtocols the application layer protocols to accept, in the order of preference.
104 * {@code null} to disable TLS NPN/ALPN extension.
105 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
106 * {@code 0} to use the default value.
107 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
108 * {@code 0} to use the default value.
109 * @deprecated use {@link SslContextBuilder}
110 */
111 @Deprecated
112 public OpenSslServerContext(
113 File certChainFile, File keyFile, String keyPassword,
114 Iterable<String> ciphers, Iterable<String> nextProtocols,
115 long sessionCacheSize, long sessionTimeout) throws SSLException {
116 this(certChainFile, keyFile, keyPassword, ciphers,
117 toApplicationProtocolConfig(nextProtocols), sessionCacheSize, sessionTimeout);
118 }
119
120 /**
121 * Creates a new instance.
122 *
123 * @param certChainFile an X.509 certificate chain file in PEM format
124 * @param keyFile a PKCS#8 private key file in PEM format
125 * @param keyPassword the password of the {@code keyFile}.
126 * {@code null} if it's not password-protected.
127 * @param ciphers the cipher suites to enable, in the order of preference.
128 * {@code null} to use the default cipher suites.
129 * @param config Application protocol config.
130 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
131 * {@code 0} to use the default value.
132 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
133 * {@code 0} to use the default value.
134 * @deprecated use {@link SslContextBuilder}
135 */
136 @Deprecated
137 public OpenSslServerContext(
138 File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
139 Iterable<String> ciphers, ApplicationProtocolConfig config,
140 long sessionCacheSize, long sessionTimeout) throws SSLException {
141 this(certChainFile, keyFile, keyPassword, trustManagerFactory, ciphers,
142 toNegotiator(config), sessionCacheSize, sessionTimeout);
143 }
144
145 /**
146 * Creates a new instance.
147 *
148 * @param certChainFile an X.509 certificate chain file in PEM format
149 * @param keyFile a PKCS#8 private key file in PEM format
150 * @param keyPassword the password of the {@code keyFile}.
151 * {@code null} if it's not password-protected.
152 * @param ciphers the cipher suites to enable, in the order of preference.
153 * {@code null} to use the default cipher suites.
154 * @param apn Application protocol negotiator.
155 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
156 * {@code 0} to use the default value.
157 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
158 * {@code 0} to use the default value.
159 * @deprecated use {@link SslContextBuilder}
160 */
161 @Deprecated
162 public OpenSslServerContext(
163 File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
164 Iterable<String> ciphers, OpenSslApplicationProtocolNegotiator apn,
165 long sessionCacheSize, long sessionTimeout) throws SSLException {
166 this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null,
167 ciphers, null, apn, sessionCacheSize, sessionTimeout);
168 }
169
170 /**
171 * Creates a new instance.
172 *
173 * @param certChainFile an X.509 certificate chain file in PEM format
174 * @param keyFile a PKCS#8 private key file in PEM format
175 * @param keyPassword the password of the {@code keyFile}.
176 * {@code null} if it's not password-protected.
177 * @param ciphers the cipher suites to enable, in the order of preference.
178 * {@code null} to use the default cipher suites.
179 * @param cipherFilter a filter to apply over the supplied list of ciphers
180 * @param apn Provides a means to configure parameters related to application protocol negotiation.
181 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
182 * {@code 0} to use the default value.
183 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
184 * {@code 0} to use the default value.
185 * @deprecated use {@link SslContextBuilder}
186 */
187 @Deprecated
188 public OpenSslServerContext(
189 File certChainFile, File keyFile, String keyPassword,
190 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
191 long sessionCacheSize, long sessionTimeout) throws SSLException {
192 this(null, null, certChainFile, keyFile, keyPassword, null,
193 ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
194 }
195
196 /**
197 * Creates a new instance.
198 *
199 * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
200 * This provides the certificate collection used for mutual authentication.
201 * {@code null} to use the system default
202 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
203 * that verifies the certificates sent from clients.
204 * {@code null} to use the default or the results of parsing
205 * {@code trustCertCollectionFile}.
206 * @param keyCertChainFile an X.509 certificate chain file in PEM format
207 * @param keyFile a PKCS#8 private key file in PEM format
208 * @param keyPassword the password of the {@code keyFile}.
209 * {@code null} if it's not password-protected.
210 * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
211 * that is used to encrypt data being sent to clients.
212 * {@code null} to use the default or the results of parsing
213 * {@code keyCertChainFile} and {@code keyFile}.
214 * @param ciphers the cipher suites to enable, in the order of preference.
215 * {@code null} to use the default cipher suites.
216 * @param cipherFilter a filter to apply over the supplied list of ciphers
217 * Only required if {@code provider} is {@link SslProvider#JDK}
218 * @param config Provides a means to configure parameters related to application protocol negotiation.
219 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
220 * {@code 0} to use the default value.
221 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
222 * {@code 0} to use the default value.
223 * @deprecated use {@link SslContextBuilder}
224 */
225 @Deprecated
226 public OpenSslServerContext(
227 File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
228 File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
229 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig config,
230 long sessionCacheSize, long sessionTimeout) throws SSLException {
231 this(trustCertCollectionFile, trustManagerFactory, keyCertChainFile, keyFile, keyPassword, keyManagerFactory,
232 ciphers, cipherFilter, toNegotiator(config), sessionCacheSize, sessionTimeout);
233 }
234
235 /**
236 * Creates a new instance.
237 *
238 * @param certChainFile an X.509 certificate chain file in PEM format
239 * @param keyFile a PKCS#8 private key file in PEM format
240 * @param keyPassword the password of the {@code keyFile}.
241 * {@code null} if it's not password-protected.
242 * @param ciphers the cipher suites to enable, in the order of preference.
243 * {@code null} to use the default cipher suites.
244 * @param cipherFilter a filter to apply over the supplied list of ciphers
245 * @param config Application protocol config.
246 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
247 * {@code 0} to use the default value.
248 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
249 * {@code 0} to use the default value.
250 * @deprecated use {@link SslContextBuilder}
251 */
252 @Deprecated
253 public OpenSslServerContext(File certChainFile, File keyFile, String keyPassword,
254 TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
255 CipherSuiteFilter cipherFilter, ApplicationProtocolConfig config,
256 long sessionCacheSize, long sessionTimeout) throws SSLException {
257 this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null, ciphers, cipherFilter,
258 toNegotiator(config), sessionCacheSize, sessionTimeout);
259 }
260
261 /**
262 * Creates a new instance.
263 *
264 * @param certChainFile an X.509 certificate chain file in PEM format
265 * @param keyFile a PKCS#8 private key file in PEM format
266 * @param keyPassword the password of the {@code keyFile}.
267 * {@code null} if it's not password-protected.
268 * @param ciphers the cipher suites to enable, in the order of preference.
269 * {@code null} to use the default cipher suites.
270 * @param cipherFilter a filter to apply over the supplied list of ciphers
271 * @param apn Application protocol negotiator.
272 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
273 * {@code 0} to use the default value.
274 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
275 * {@code 0} to use the default value.
276 * @deprecated use {@link SslContextBuilder}}
277 */
278 @Deprecated
279 public OpenSslServerContext(
280 File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
281 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
282 long sessionCacheSize, long sessionTimeout) throws SSLException {
283 this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null, ciphers, cipherFilter,
284 apn, sessionCacheSize, sessionTimeout);
285 }
286
287 /**
288 * Creates a new instance.
289 *
290 *
291 * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
292 * This provides the certificate collection used for mutual authentication.
293 * {@code null} to use the system default
294 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
295 * that verifies the certificates sent from clients.
296 * {@code null} to use the default or the results of parsing
297 * {@code trustCertCollectionFile}.
298 * @param keyCertChainFile an X.509 certificate chain file in PEM format
299 * @param keyFile a PKCS#8 private key file in PEM format
300 * @param keyPassword the password of the {@code keyFile}.
301 * {@code null} if it's not password-protected.
302 * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
303 * that is used to encrypt data being sent to clients.
304 * {@code null} to use the default or the results of parsing
305 * {@code keyCertChainFile} and {@code keyFile}.
306 * @param ciphers the cipher suites to enable, in the order of preference.
307 * {@code null} to use the default cipher suites.
308 * @param cipherFilter a filter to apply over the supplied list of ciphers
309 * Only required if {@code provider} is {@link SslProvider#JDK}
310 * @param apn Application Protocol Negotiator object
311 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
312 * {@code 0} to use the default value.
313 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
314 * {@code 0} to use the default value.
315 * @deprecated use {@link SslContextBuilder}
316 */
317 @Deprecated
318 public OpenSslServerContext(
319 File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
320 File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
321 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
322 long sessionCacheSize, long sessionTimeout) throws SSLException {
323 this(toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
324 toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
325 keyPassword, keyManagerFactory, ciphers, cipherFilter,
326 apn, sessionCacheSize, sessionTimeout, ClientAuth.NONE, null, false, false, KeyStore.getDefaultType(),
327 null);
328 }
329
330 OpenSslServerContext(
331 X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
332 X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
333 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
334 long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth, String[] protocols, boolean startTls,
335 boolean enableOcsp, String keyStore, ResumptionController resumptionController,
336 Map.Entry<SslContextOption<?>, Object>... options)
337 throws SSLException {
338 this(trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory, ciphers,
339 cipherFilter, toNegotiator(apn), sessionCacheSize, sessionTimeout, clientAuth, protocols, startTls,
340 enableOcsp, keyStore, resumptionController, options);
341 }
342
343 @SuppressWarnings("deprecation")
344 private OpenSslServerContext(
345 X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
346 X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
347 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
348 long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth, String[] protocols, boolean startTls,
349 boolean enableOcsp, String keyStore, ResumptionController resumptionController,
350 Map.Entry<SslContextOption<?>, Object>... options)
351 throws SSLException {
352 super(ciphers, cipherFilter, apn, SSL.SSL_MODE_SERVER, keyCertChain,
353 clientAuth, protocols, startTls, enableOcsp, resumptionController, options);
354
355 // Create a new SSL_CTX and configure it.
356 boolean success = false;
357 try {
358 OpenSslKeyMaterialProvider.validateKeyMaterialSupported(keyCertChain, key, keyPassword);
359 sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
360 keyCertChain, key, keyPassword, keyManagerFactory, keyStore,
361 sessionCacheSize, sessionTimeout, resumptionController);
362 success = true;
363 } finally {
364 if (!success) {
365 release();
366 }
367 }
368 }
369
370 @Override
371 public OpenSslServerSessionContext sessionContext() {
372 return sessionContext;
373 }
374 }