1   /*
2    * Copyright 2014 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  package io.netty.handler.ssl;
17  
18  import io.netty.internal.tcnative.SSL;
19  
20  import java.io.File;
21  import java.security.PrivateKey;
22  import java.security.cert.X509Certificate;
23  
24  import javax.net.ssl.KeyManager;
25  import javax.net.ssl.KeyManagerFactory;
26  import javax.net.ssl.SSLException;
27  import javax.net.ssl.TrustManager;
28  import javax.net.ssl.TrustManagerFactory;
29  
30  import static io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.newSessionContext;
31  
32  /**
33   * A server-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
34   * <p>This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
35   * and manually release the native memory see {@link ReferenceCountedOpenSslServerContext}.
36   */
public final class OpenSslServerContext extends OpenSslContext {
    // Server-side session context built once in the private constructor; exposed via sessionContext().
    private final OpenSslServerSessionContext sessionContext;

    /**
     * Creates a new instance with no key password, default cipher suites, no application protocol
     * negotiation and default session cache settings.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @throws SSLException if the underlying OpenSSL context could not be created or configured
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(File certChainFile, File keyFile) throws SSLException {
        this(certChainFile, keyFile, null);
    }

    /**
     * Creates a new instance with default cipher suites (filtered by {@link IdentityCipherSuiteFilter}),
     * application protocol negotiation disabled and default session cache settings.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     * @throws SSLException if the underlying OpenSSL context could not be created or configured
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(File certChainFile, File keyFile, String keyPassword) throws SSLException {
        this(certChainFile, keyFile, keyPassword, null, IdentityCipherSuiteFilter.INSTANCE,
             ApplicationProtocolConfig.DISABLED, 0, 0);
    }

    /**
     * Creates a new instance. The supplied ciphers are passed through {@link IdentityCipherSuiteFilter},
     * i.e. they are not filtered.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param apn Provides a means to configure parameters related to application protocol negotiation.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the underlying OpenSSL context could not be created or configured
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(certChainFile, keyFile, keyPassword, ciphers, IdentityCipherSuiteFilter.INSTANCE,
             apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance. The list of protocol names is converted to an
     * {@link ApplicationProtocolConfig} via {@code toApplicationProtocolConfig}.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param nextProtocols the application layer protocols to accept, in the order of preference.
     *                      {@code null} to disable TLS NPN/ALPN extension.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the underlying OpenSSL context could not be created or configured
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, Iterable<String> nextProtocols,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(certChainFile, keyFile, keyPassword, ciphers,
            toApplicationProtocolConfig(nextProtocols), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance. The {@link ApplicationProtocolConfig} is converted to an
     * {@link OpenSslApplicationProtocolNegotiator} via {@code toNegotiator}.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            used to verify certificates sent from clients.
     *                            {@code null} to use the default.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param config Application protocol config.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the underlying OpenSSL context could not be created or configured
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, ApplicationProtocolConfig config,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(certChainFile, keyFile, keyPassword, trustManagerFactory, ciphers,
                toNegotiator(config), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance with no trust certificate collection file, no {@link KeyManagerFactory}
     * and no cipher suite filter.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            used to verify certificates sent from clients.
     *                            {@code null} to use the default.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param apn Application protocol negotiator.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the underlying OpenSSL context could not be created or configured
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, OpenSslApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null,
             ciphers, null, apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance with no trust certificate collection file, no {@link TrustManagerFactory}
     * and no {@link KeyManagerFactory}.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Provides a means to configure parameters related to application protocol negotiation.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the underlying OpenSSL context could not be created or configured
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, null, certChainFile, keyFile, keyPassword, null,
             ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance.
     * <p>
     * Note: all deprecated public constructors of this class end up passing {@link ClientAuth#NONE},
     * so a trust store supplied here is configured but client certificates are never requested.
     * To actually require client authentication use {@link SslContextBuilder#clientAuth(ClientAuth)}.
     *
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
     *                      This provides the certificate collection used to verify client certificates.
     *                      {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from clients.
     *                            {@code null} to use the default or the results of parsing
     *                            {@code trustCertCollectionFile}.
     * @param keyCertChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
     *                          holding the server's private key and certificate chain.
     *                          {@code null} to use the default or the results of parsing
     *                          {@code keyCertChainFile} and {@code keyFile}.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     *                Only required if {@code provider} is {@link SslProvider#JDK}
     * @param config Provides a means to configure parameters related to application protocol negotiation.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the underlying OpenSSL context could not be created or configured
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
            File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig config,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(trustCertCollectionFile, trustManagerFactory, keyCertChainFile, keyFile, keyPassword, keyManagerFactory,
             ciphers, cipherFilter, toNegotiator(config), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance with no trust certificate collection file and no {@link KeyManagerFactory}.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            used to verify certificates sent from clients.
     *                            {@code null} to use the default.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param config Application protocol config.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the underlying OpenSSL context could not be created or configured
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(File certChainFile, File keyFile, String keyPassword,
                                TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
                                CipherSuiteFilter cipherFilter, ApplicationProtocolConfig config,
                                long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null, ciphers, cipherFilter,
                      toNegotiator(config), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance with no trust certificate collection file and no {@link KeyManagerFactory}.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            used to verify certificates sent from clients.
     *                            {@code null} to use the default.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     * @param apn Application protocol negotiator.
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the underlying OpenSSL context could not be created or configured
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null, ciphers, cipherFilter,
             apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance. This is the constructor every deprecated public constructor of this class
     * ultimately delegates to: it parses the PEM files into certificates and a private key and then
     * hard-codes the remaining settings as {@link ClientAuth#NONE}, default protocols, no STARTTLS and
     * OCSP stapling disabled.
     * <p>
     * Because {@link ClientAuth#NONE} is always used here, the trust material supplied through
     * {@code trustCertCollectionFile} / {@code trustManagerFactory} is configured but clients are never
     * asked for a certificate; use {@link SslContextBuilder#clientAuth(ClientAuth)} to require one.
     *
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
     *                      This provides the certificate collection used to verify client certificates.
     *                      {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from clients.
     *                            {@code null} to use the default or the results of parsing
     *                            {@code trustCertCollectionFile}.
     * @param keyCertChainFile an X.509 certificate chain file in PEM format
     * @param keyFile a PKCS#8 private key file in PEM format
     * @param keyPassword the password of the {@code keyFile}.
     *                    {@code null} if it's not password-protected.
     * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link KeyManager}s
     *                          holding the server's private key and certificate chain.
     *                          {@code null} to use the default or the results of parsing
     *                          {@code keyCertChainFile} and {@code keyFile}.
     * @param ciphers the cipher suites to enable, in the order of preference.
     *                {@code null} to use the default cipher suites.
     * @param cipherFilter a filter to apply over the supplied list of ciphers
     *                Only required if {@code provider} is {@link SslProvider#JDK}
     * @param apn Application Protocol Negotiator object
     * @param sessionCacheSize the size of the cache used for storing SSL session objects.
     *                         {@code 0} to use the default value.
     * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
     *                       {@code 0} to use the default value.
     * @throws SSLException if the files cannot be parsed or the underlying OpenSSL context could not be
     *                      created or configured
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
            File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        // keyPassword is needed twice: once to decrypt keyFile here, and again for the session context.
        // It is a String, so it cannot be zeroed after use - a limitation of this deprecated API.
        // The trailing literals map to clientAuth, protocols, startTls, enableOcsp.
        this(toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
                toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
                keyPassword, keyManagerFactory, ciphers, cipherFilter,
                apn, sessionCacheSize, sessionTimeout, ClientAuth.NONE, null, false, false);
    }

    /**
     * Package-private constructor taking already-parsed certificates and key plus the full set of
     * options (client auth, protocols, STARTTLS, OCSP). Presumably the entry point used by the
     * non-deprecated {@link SslContextBuilder} path; the {@link ApplicationProtocolConfig} is
     * converted via {@code toNegotiator}.
     *
     * @param trustCertCollection certificates used to verify client certificates, or {@code null}
     * @param trustManagerFactory factory for the trust managers, or {@code null}
     * @param keyCertChain the server's certificate chain
     * @param key the server's private key
     * @param keyPassword password of the key, or {@code null}
     * @param keyManagerFactory factory for the key managers, or {@code null}
     * @param ciphers cipher suites to enable, or {@code null} for defaults
     * @param cipherFilter filter applied to {@code ciphers}
     * @param apn application protocol configuration
     * @param sessionCacheSize session cache size, {@code 0} for the default
     * @param sessionTimeout session timeout in seconds, {@code 0} for the default
     * @param clientAuth whether client certificates are requested / required
     * @param protocols TLS protocol versions to enable, or {@code null} for the defaults
     * @param startTls whether the first write is in plaintext (STARTTLS)
     * @param enableOcsp whether OCSP stapling is enabled
     * @throws SSLException if the underlying OpenSSL context could not be created or configured
     */
    OpenSslServerContext(
            X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
            X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth, String[] protocols, boolean startTls,
            boolean enableOcsp) throws SSLException {
        this(trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory, ciphers,
                cipherFilter, toNegotiator(apn), sessionCacheSize, sessionTimeout, clientAuth, protocols, startTls,
                enableOcsp);
    }

    /**
     * The single constructor that actually builds the context: the superclass is initialised in server
     * mode ({@link SSL#SSL_MODE_SERVER}) and the trust/key material is then installed on the inherited
     * native context ({@code ctx}) via {@code newSessionContext}.
     * <p>
     * If installing the session context fails, {@code release()} is called so the native resources
     * already acquired by the superclass are freed immediately instead of lingering until the finalizer
     * runs (or leaking, if it never does).
     *
     * @throws SSLException if the superclass initialisation or the session context setup fails
     */
    // Suppresses warnings for the deprecated types in this signature (presumably
    // OpenSslApplicationProtocolNegotiator - verify against its declaration).
    @SuppressWarnings("deprecation")
    private OpenSslServerContext(
            X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
            X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth, String[] protocols, boolean startTls,
            boolean enableOcsp) throws SSLException {
        super(ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, SSL.SSL_MODE_SERVER, keyCertChain,
                clientAuth, protocols, startTls, enableOcsp);
        // Create a new SSL_CTX and configure it.
        // 'success' guards the finally block: only a failed newSessionContext() triggers release().
        boolean success = false;
        try {
            sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
                                               keyCertChain, key, keyPassword, keyManagerFactory);
            success = true;
        } finally {
            if (!success) {
                // Free native memory held by the superclass; the exception from the try block propagates.
                release();
            }
        }
    }

    /**
     * Returns the server-side session context created during construction.
     *
     * @return the {@link OpenSslServerSessionContext} of this context
     */
    @Override
    public OpenSslServerSessionContext sessionContext() {
        return sessionContext;
    }
}
364 }