1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package io.netty.handler.ssl;
18
19 import io.netty.buffer.ByteBuf;
20 import io.netty.buffer.ByteBufAllocator;
21 import io.netty.buffer.ByteBufInputStream;
22 import io.netty.channel.ChannelInitializer;
23 import io.netty.channel.ChannelPipeline;
24 import io.netty.handler.ssl.ApplicationProtocolConfig.Protocol;
25 import io.netty.handler.ssl.ApplicationProtocolConfig.SelectedListenerFailureBehavior;
26 import io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior;
27 import io.netty.util.AttributeMap;
28 import io.netty.util.DefaultAttributeMap;
29 import io.netty.util.concurrent.ImmediateExecutor;
30 import io.netty.util.internal.EmptyArrays;
31 import io.netty.util.internal.PlatformDependent;
32
33 import java.io.BufferedInputStream;
34 import java.security.Provider;
35 import javax.net.ssl.KeyManager;
36 import javax.net.ssl.KeyManagerFactory;
37 import javax.crypto.Cipher;
38 import javax.crypto.EncryptedPrivateKeyInfo;
39 import javax.crypto.NoSuchPaddingException;
40 import javax.crypto.SecretKey;
41 import javax.crypto.SecretKeyFactory;
42 import javax.crypto.spec.PBEKeySpec;
43 import javax.net.ssl.SSLContext;
44 import javax.net.ssl.SSLEngine;
45 import javax.net.ssl.SSLException;
46 import javax.net.ssl.SSLSessionContext;
47 import javax.net.ssl.TrustManager;
48 import javax.net.ssl.TrustManagerFactory;
49
50 import java.io.File;
51 import java.io.IOException;
52 import java.io.InputStream;
53 import java.security.AlgorithmParameters;
54 import java.security.InvalidAlgorithmParameterException;
55 import java.security.InvalidKeyException;
56 import java.security.KeyException;
57 import java.security.KeyFactory;
58 import java.security.KeyStore;
59 import java.security.KeyStoreException;
60 import java.security.NoSuchAlgorithmException;
61 import java.security.PrivateKey;
62 import java.security.SecureRandom;
63 import java.security.UnrecoverableKeyException;
64 import java.security.cert.CertificateException;
65 import java.security.cert.CertificateFactory;
66 import java.security.cert.X509Certificate;
67 import java.security.spec.InvalidKeySpecException;
68 import java.security.spec.PKCS8EncodedKeySpec;
69 import java.util.List;
70 import java.util.Map;
71 import java.util.concurrent.Executor;
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95 public abstract class SslContext {
96 static final String ALIAS = "key";
97
98 static final CertificateFactory X509_CERT_FACTORY;
99 static {
100 try {
101 X509_CERT_FACTORY = CertificateFactory.getInstance("X.509");
102 } catch (CertificateException e) {
103 throw new IllegalStateException("unable to instance X.509 CertificateFactory", e);
104 }
105 }
106
107 private final boolean startTls;
108 private final AttributeMap attributes = new DefaultAttributeMap();
109 final ResumptionController resumptionController;
110 private static final String OID_PKCS5_PBES2 = "1.2.840.113549.1.5.13";
111 private static final String PBES2 = "PBES2";
112
113
114
115
116
117
118 public static SslProvider defaultServerProvider() {
119 return defaultProvider();
120 }
121
122
123
124
125
126
127 public static SslProvider defaultClientProvider() {
128 return defaultProvider();
129 }
130
131 private static SslProvider defaultProvider() {
132 if (OpenSsl.isAvailable()) {
133 return SslProvider.OPENSSL;
134 } else {
135 return SslProvider.JDK;
136 }
137 }
138
139
140
141
142
143
144
145
146
147 @Deprecated
148 public static SslContext newServerContext(File certChainFile, File keyFile) throws SSLException {
149 return newServerContext(certChainFile, keyFile, null);
150 }
151
152
153
154
155
156
157
158
159
160
161
162 @Deprecated
163 public static SslContext newServerContext(
164 File certChainFile, File keyFile, String keyPassword) throws SSLException {
165 return newServerContext(null, certChainFile, keyFile, keyPassword);
166 }
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186 @Deprecated
187 public static SslContext newServerContext(
188 File certChainFile, File keyFile, String keyPassword,
189 Iterable<String> ciphers, Iterable<String> nextProtocols,
190 long sessionCacheSize, long sessionTimeout) throws SSLException {
191
192 return newServerContext(
193 null, certChainFile, keyFile, keyPassword,
194 ciphers, nextProtocols, sessionCacheSize, sessionTimeout);
195 }
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215 @Deprecated
216 public static SslContext newServerContext(
217 File certChainFile, File keyFile, String keyPassword,
218 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
219 long sessionCacheSize, long sessionTimeout) throws SSLException {
220 return newServerContext(
221 null, certChainFile, keyFile, keyPassword,
222 ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
223 }
224
225
226
227
228
229
230
231
232
233
234
235 @Deprecated
236 public static SslContext newServerContext(
237 SslProvider provider, File certChainFile, File keyFile) throws SSLException {
238 return newServerContext(provider, certChainFile, keyFile, null);
239 }
240
241
242
243
244
245
246
247
248
249
250
251
252
253 @Deprecated
254 public static SslContext newServerContext(
255 SslProvider provider, File certChainFile, File keyFile, String keyPassword) throws SSLException {
256 return newServerContext(provider, certChainFile, keyFile, keyPassword, null, IdentityCipherSuiteFilter.INSTANCE,
257 null, 0, 0);
258 }
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280 @Deprecated
281 public static SslContext newServerContext(
282 SslProvider provider,
283 File certChainFile, File keyFile, String keyPassword,
284 Iterable<String> ciphers, Iterable<String> nextProtocols,
285 long sessionCacheSize, long sessionTimeout) throws SSLException {
286 return newServerContext(provider, certChainFile, keyFile, keyPassword,
287 ciphers, IdentityCipherSuiteFilter.INSTANCE,
288 toApplicationProtocolConfig(nextProtocols), sessionCacheSize, sessionTimeout);
289 }
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314 @Deprecated
315 public static SslContext newServerContext(
316 SslProvider provider,
317 File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
318 Iterable<String> ciphers, Iterable<String> nextProtocols,
319 long sessionCacheSize, long sessionTimeout) throws SSLException {
320
321 return newServerContext(
322 provider, null, trustManagerFactory, certChainFile, keyFile, keyPassword,
323 null, ciphers, IdentityCipherSuiteFilter.INSTANCE,
324 toApplicationProtocolConfig(nextProtocols), sessionCacheSize, sessionTimeout);
325 }
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348 @Deprecated
349 public static SslContext newServerContext(SslProvider provider,
350 File certChainFile, File keyFile, String keyPassword,
351 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
352 long sessionCacheSize, long sessionTimeout) throws SSLException {
353 return newServerContext(provider, null, null, certChainFile, keyFile, keyPassword, null,
354 ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, KeyStore.getDefaultType());
355 }
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390 @Deprecated
391 public static SslContext newServerContext(
392 SslProvider provider,
393 File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
394 File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
395 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
396 long sessionCacheSize, long sessionTimeout) throws SSLException {
397 return newServerContext(provider, trustCertCollectionFile, trustManagerFactory, keyCertChainFile,
398 keyFile, keyPassword, keyManagerFactory, ciphers, cipherFilter, apn,
399 sessionCacheSize, sessionTimeout, KeyStore.getDefaultType());
400 }
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435 static SslContext newServerContext(
436 SslProvider provider,
437 File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
438 File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
439 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
440 long sessionCacheSize, long sessionTimeout, String keyStore) throws SSLException {
441 try {
442 return newServerContextInternal(provider, null, toX509Certificates(trustCertCollectionFile),
443 trustManagerFactory, toX509Certificates(keyCertChainFile),
444 toPrivateKey(keyFile, keyPassword),
445 keyPassword, keyManagerFactory, ciphers, cipherFilter, apn,
446 sessionCacheSize, sessionTimeout, ClientAuth.NONE, null,
447 false, false, null, keyStore);
448 } catch (Exception e) {
449 if (e instanceof SSLException) {
450 throw (SSLException) e;
451 }
452 throw new SSLException("failed to initialize the server-side SSL context", e);
453 }
454 }
455
456 static SslContext newServerContextInternal(
457 SslProvider provider,
458 Provider sslContextProvider,
459 X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
460 X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
461 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
462 long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth, String[] protocols, boolean startTls,
463 boolean enableOcsp, SecureRandom secureRandom, String keyStoreType,
464 Map.Entry<SslContextOption<?>, Object>... ctxOptions)
465 throws SSLException {
466
467 if (provider == null) {
468 provider = defaultServerProvider();
469 }
470
471 ResumptionController resumptionController = new ResumptionController();
472
473 switch (provider) {
474 case JDK:
475 if (enableOcsp) {
476 throw new IllegalArgumentException("OCSP is not supported with this SslProvider: " + provider);
477 }
478 return new JdkSslServerContext(sslContextProvider,
479 trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
480 keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
481 clientAuth, protocols, startTls, secureRandom, keyStoreType, resumptionController);
482 case OPENSSL:
483 verifyNullSslContextProvider(provider, sslContextProvider);
484 return new OpenSslServerContext(
485 trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
486 keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
487 clientAuth, protocols, startTls, enableOcsp, keyStoreType, resumptionController, ctxOptions);
488 case OPENSSL_REFCNT:
489 verifyNullSslContextProvider(provider, sslContextProvider);
490 return new ReferenceCountedOpenSslServerContext(
491 trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
492 keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
493 clientAuth, protocols, startTls, enableOcsp, keyStoreType, resumptionController, ctxOptions);
494 default:
495 throw new Error(provider.toString());
496 }
497 }
498
499 private static void verifyNullSslContextProvider(SslProvider provider, Provider sslContextProvider) {
500 if (sslContextProvider != null) {
501 throw new IllegalArgumentException("Java Security Provider unsupported for SslProvider: " + provider);
502 }
503 }
504
505
506
507
508
509
510
511 @Deprecated
512 public static SslContext newClientContext() throws SSLException {
513 return newClientContext(null, null, null);
514 }
515
516
517
518
519
520
521
522
523
524 @Deprecated
525 public static SslContext newClientContext(File certChainFile) throws SSLException {
526 return newClientContext(null, certChainFile);
527 }
528
529
530
531
532
533
534
535
536
537
538
539 @Deprecated
540 public static SslContext newClientContext(TrustManagerFactory trustManagerFactory) throws SSLException {
541 return newClientContext(null, null, trustManagerFactory);
542 }
543
544
545
546
547
548
549
550
551
552
553
554
555
556 @Deprecated
557 public static SslContext newClientContext(
558 File certChainFile, TrustManagerFactory trustManagerFactory) throws SSLException {
559 return newClientContext(null, certChainFile, trustManagerFactory);
560 }
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582 @Deprecated
583 public static SslContext newClientContext(
584 File certChainFile, TrustManagerFactory trustManagerFactory,
585 Iterable<String> ciphers, Iterable<String> nextProtocols,
586 long sessionCacheSize, long sessionTimeout) throws SSLException {
587 return newClientContext(
588 null, certChainFile, trustManagerFactory,
589 ciphers, nextProtocols, sessionCacheSize, sessionTimeout);
590 }
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612 @Deprecated
613 public static SslContext newClientContext(
614 File certChainFile, TrustManagerFactory trustManagerFactory,
615 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
616 long sessionCacheSize, long sessionTimeout) throws SSLException {
617 return newClientContext(
618 null, certChainFile, trustManagerFactory,
619 ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
620 }
621
622
623
624
625
626
627
628
629
630
631 @Deprecated
632 public static SslContext newClientContext(SslProvider provider) throws SSLException {
633 return newClientContext(provider, null, null);
634 }
635
636
637
638
639
640
641
642
643
644
645
646
647 @Deprecated
648 public static SslContext newClientContext(SslProvider provider, File certChainFile) throws SSLException {
649 return newClientContext(provider, certChainFile, null);
650 }
651
652
653
654
655
656
657
658
659
660
661
662
663
664 @Deprecated
665 public static SslContext newClientContext(
666 SslProvider provider, TrustManagerFactory trustManagerFactory) throws SSLException {
667 return newClientContext(provider, null, trustManagerFactory);
668 }
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684 @Deprecated
685 public static SslContext newClientContext(
686 SslProvider provider, File certChainFile, TrustManagerFactory trustManagerFactory) throws SSLException {
687 return newClientContext(provider, certChainFile, trustManagerFactory, null, IdentityCipherSuiteFilter.INSTANCE,
688 null, 0, 0);
689 }
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713 @Deprecated
714 public static SslContext newClientContext(
715 SslProvider provider,
716 File certChainFile, TrustManagerFactory trustManagerFactory,
717 Iterable<String> ciphers, Iterable<String> nextProtocols,
718 long sessionCacheSize, long sessionTimeout) throws SSLException {
719 return newClientContext(
720 provider, certChainFile, trustManagerFactory, null, null, null, null,
721 ciphers, IdentityCipherSuiteFilter.INSTANCE,
722 toApplicationProtocolConfig(nextProtocols), sessionCacheSize, sessionTimeout);
723 }
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747 @Deprecated
748 public static SslContext newClientContext(
749 SslProvider provider,
750 File certChainFile, TrustManagerFactory trustManagerFactory,
751 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
752 long sessionCacheSize, long sessionTimeout) throws SSLException {
753
754 return newClientContext(
755 provider, certChainFile, trustManagerFactory, null, null, null, null,
756 ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
757 }
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796 @Deprecated
797 public static SslContext newClientContext(
798 SslProvider provider,
799 File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
800 File keyCertChainFile, File keyFile, String keyPassword,
801 KeyManagerFactory keyManagerFactory,
802 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
803 long sessionCacheSize, long sessionTimeout) throws SSLException {
804 try {
805 return newClientContextInternal(provider, null,
806 toX509Certificates(trustCertCollectionFile), trustManagerFactory,
807 toX509Certificates(keyCertChainFile), toPrivateKey(keyFile, keyPassword),
808 keyPassword, keyManagerFactory, ciphers, cipherFilter,
809 apn, null, sessionCacheSize, sessionTimeout, false,
810 null, KeyStore.getDefaultType(), null);
811 } catch (Exception e) {
812 if (e instanceof SSLException) {
813 throw (SSLException) e;
814 }
815 throw new SSLException("failed to initialize the client-side SSL context", e);
816 }
817 }
818
819 static SslContext newClientContextInternal(
820 SslProvider provider,
821 Provider sslContextProvider,
822 X509Certificate[] trustCert, TrustManagerFactory trustManagerFactory,
823 X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
824 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn, String[] protocols,
825 long sessionCacheSize, long sessionTimeout, boolean enableOcsp,
826 SecureRandom secureRandom, String keyStoreType, String endpointIdentificationAlgorithm,
827 Map.Entry<SslContextOption<?>, Object>... options) throws SSLException {
828 if (provider == null) {
829 provider = defaultClientProvider();
830 }
831
832 ResumptionController resumptionController = new ResumptionController();
833
834 switch (provider) {
835 case JDK:
836 if (enableOcsp) {
837 throw new IllegalArgumentException("OCSP is not supported with this SslProvider: " + provider);
838 }
839 return new JdkSslClientContext(sslContextProvider,
840 trustCert, trustManagerFactory, keyCertChain, key, keyPassword,
841 keyManagerFactory, ciphers, cipherFilter, apn, protocols, sessionCacheSize,
842 sessionTimeout, secureRandom, keyStoreType, endpointIdentificationAlgorithm,
843 resumptionController);
844 case OPENSSL:
845 verifyNullSslContextProvider(provider, sslContextProvider);
846 OpenSsl.ensureAvailability();
847 return new OpenSslClientContext(
848 trustCert, trustManagerFactory, keyCertChain, key, keyPassword,
849 keyManagerFactory, ciphers, cipherFilter, apn, protocols, sessionCacheSize, sessionTimeout,
850 enableOcsp, keyStoreType, endpointIdentificationAlgorithm, resumptionController, options);
851 case OPENSSL_REFCNT:
852 verifyNullSslContextProvider(provider, sslContextProvider);
853 OpenSsl.ensureAvailability();
854 return new ReferenceCountedOpenSslClientContext(
855 trustCert, trustManagerFactory, keyCertChain, key, keyPassword,
856 keyManagerFactory, ciphers, cipherFilter, apn, protocols, sessionCacheSize, sessionTimeout,
857 enableOcsp, keyStoreType, endpointIdentificationAlgorithm, resumptionController, options);
858 default:
859 throw new Error(provider.toString());
860 }
861 }
862
863 static ApplicationProtocolConfig toApplicationProtocolConfig(Iterable<String> nextProtocols) {
864 ApplicationProtocolConfig apn;
865 if (nextProtocols == null) {
866 apn = ApplicationProtocolConfig.DISABLED;
867 } else {
868 apn = new ApplicationProtocolConfig(
869 Protocol.NPN_AND_ALPN, SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL,
870 SelectedListenerFailureBehavior.ACCEPT, nextProtocols);
871 }
872 return apn;
873 }
874
875
876
877
878 protected SslContext() {
879 this(false);
880 }
881
882
883
884
885 protected SslContext(boolean startTls) {
886 this(startTls, null);
887 }
888
889 SslContext(boolean startTls, ResumptionController resumptionController) {
890 this.startTls = startTls;
891 this.resumptionController = resumptionController;
892 }
893
894
895
896
897 public final AttributeMap attributes() {
898 return attributes;
899 }
900
901
902
903
904 public final boolean isServer() {
905 return !isClient();
906 }
907
908
909
910
911 public abstract boolean isClient();
912
913
914
915
916 public abstract List<String> cipherSuites();
917
918
919
920
921 public long sessionCacheSize() {
922 return sessionContext().getSessionCacheSize();
923 }
924
925
926
927
928 public long sessionTimeout() {
929 return sessionContext().getSessionTimeout();
930 }
931
932
933
934
935 @Deprecated
936 public final List<String> nextProtocols() {
937 return applicationProtocolNegotiator().protocols();
938 }
939
940
941
942
943 public abstract ApplicationProtocolNegotiator applicationProtocolNegotiator();
944
945
946
947
948
949
950
951 public abstract SSLEngine newEngine(ByteBufAllocator alloc);
952
953
954
955
956
957
958
959
960
961
962
963 public abstract SSLEngine newEngine(ByteBufAllocator alloc, String peerHost, int peerPort);
964
965
966
967
968 public abstract SSLSessionContext sessionContext();
969
970
971
972
973
974 public final SslHandler newHandler(ByteBufAllocator alloc) {
975 return newHandler(alloc, startTls);
976 }
977
978
979
980
981
982 protected SslHandler newHandler(ByteBufAllocator alloc, boolean startTls) {
983 return new SslHandler(newEngine(alloc), startTls, ImmediateExecutor.INSTANCE, resumptionController);
984 }
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011 public SslHandler newHandler(ByteBufAllocator alloc, Executor delegatedTaskExecutor) {
1012 return newHandler(alloc, startTls, delegatedTaskExecutor);
1013 }
1014
1015
1016
1017
1018
1019 protected SslHandler newHandler(ByteBufAllocator alloc, boolean startTls, Executor executor) {
1020 return new SslHandler(newEngine(alloc), startTls, executor, resumptionController);
1021 }
1022
1023
1024
1025
1026
1027
1028 public final SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort) {
1029 return newHandler(alloc, peerHost, peerPort, startTls);
1030 }
1031
1032
1033
1034
1035
1036 protected SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls) {
1037 return new SslHandler(newEngine(alloc, peerHost, peerPort), startTls, ImmediateExecutor.INSTANCE,
1038 resumptionController);
1039 }
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069 public SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort,
1070 Executor delegatedTaskExecutor) {
1071 return newHandler(alloc, peerHost, peerPort, startTls, delegatedTaskExecutor);
1072 }
1073
1074 protected SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls,
1075 Executor delegatedTaskExecutor) {
1076 return new SslHandler(newEngine(alloc, peerHost, peerPort), startTls, delegatedTaskExecutor,
1077 resumptionController);
1078 }
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096 @Deprecated
1097 protected static PKCS8EncodedKeySpec generateKeySpec(char[] password, byte[] key)
1098 throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeySpecException,
1099 InvalidKeyException, InvalidAlgorithmParameterException {
1100
1101 if (password == null) {
1102 return new PKCS8EncodedKeySpec(key);
1103 }
1104
1105 EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(key);
1106 String pbeAlgorithm = getPBEAlgorithm(encryptedPrivateKeyInfo);
1107 SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(pbeAlgorithm);
1108 PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
1109 SecretKey pbeKey = keyFactory.generateSecret(pbeKeySpec);
1110
1111 Cipher cipher = Cipher.getInstance(pbeAlgorithm);
1112 cipher.init(Cipher.DECRYPT_MODE, pbeKey, encryptedPrivateKeyInfo.getAlgParameters());
1113
1114 return encryptedPrivateKeyInfo.getKeySpec(cipher);
1115 }
1116
1117 private static String getPBEAlgorithm(EncryptedPrivateKeyInfo encryptedPrivateKeyInfo) {
1118 AlgorithmParameters parameters = encryptedPrivateKeyInfo.getAlgParameters();
1119 String algName = encryptedPrivateKeyInfo.getAlgName();
1120
1121
1122 if (PlatformDependent.javaVersion() >= 8 && parameters != null &&
1123 (OID_PKCS5_PBES2.equals(algName) || PBES2.equals(algName))) {
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134 return parameters.toString();
1135 }
1136 return encryptedPrivateKeyInfo.getAlgName();
1137 }
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149 protected static KeyStore buildKeyStore(X509Certificate[] certChain, PrivateKey key,
1150 char[] keyPasswordChars, String keyStoreType)
1151 throws KeyStoreException, NoSuchAlgorithmException,
1152 CertificateException, IOException {
1153 if (keyStoreType == null) {
1154 keyStoreType = KeyStore.getDefaultType();
1155 }
1156 KeyStore ks = KeyStore.getInstance(keyStoreType);
1157 ks.load(null, null);
1158 ks.setKeyEntry(ALIAS, key, keyPasswordChars, certChain);
1159 return ks;
1160 }
1161
1162 protected static PrivateKey toPrivateKey(File keyFile, String keyPassword) throws NoSuchAlgorithmException,
1163 NoSuchPaddingException, InvalidKeySpecException,
1164 InvalidAlgorithmParameterException,
1165 KeyException, IOException {
1166 return toPrivateKey(keyFile, keyPassword, true);
1167 }
1168
1169 static PrivateKey toPrivateKey(File keyFile, String keyPassword, boolean tryBouncyCastle)
1170 throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeySpecException,
1171 InvalidAlgorithmParameterException,
1172 KeyException, IOException {
1173 if (keyFile == null) {
1174 return null;
1175 }
1176
1177
1178 if (tryBouncyCastle && BouncyCastlePemReader.isAvailable()) {
1179 PrivateKey pk = BouncyCastlePemReader.getPrivateKey(keyFile, keyPassword);
1180 if (pk != null) {
1181 return pk;
1182 }
1183 }
1184
1185 return getPrivateKeyFromByteBuffer(PemReader.readPrivateKey(keyFile), keyPassword);
1186 }
1187
1188 protected static PrivateKey toPrivateKey(InputStream keyInputStream, String keyPassword)
1189 throws NoSuchAlgorithmException,
1190 NoSuchPaddingException, InvalidKeySpecException,
1191 InvalidAlgorithmParameterException,
1192 KeyException, IOException {
1193 if (keyInputStream == null) {
1194 return null;
1195 }
1196
1197
1198 if (BouncyCastlePemReader.isAvailable()) {
1199 if (!keyInputStream.markSupported()) {
1200
1201 keyInputStream = new BufferedInputStream(keyInputStream);
1202 }
1203 keyInputStream.mark(1048576);
1204 PrivateKey pk = BouncyCastlePemReader.getPrivateKey(keyInputStream, keyPassword);
1205 if (pk != null) {
1206 return pk;
1207 }
1208
1209 keyInputStream.reset();
1210 }
1211
1212 return getPrivateKeyFromByteBuffer(PemReader.readPrivateKey(keyInputStream), keyPassword);
1213 }
1214
1215 private static PrivateKey getPrivateKeyFromByteBuffer(ByteBuf encodedKeyBuf, String keyPassword)
1216 throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeySpecException,
1217 InvalidAlgorithmParameterException, KeyException, IOException {
1218
1219 byte[] encodedKey = new byte[encodedKeyBuf.readableBytes()];
1220 encodedKeyBuf.readBytes(encodedKey).release();
1221
1222 PKCS8EncodedKeySpec encodedKeySpec = generateKeySpec(
1223 keyPassword == null ? null : keyPassword.toCharArray(), encodedKey);
1224 try {
1225 return KeyFactory.getInstance("RSA").generatePrivate(encodedKeySpec);
1226 } catch (InvalidKeySpecException ignore) {
1227 try {
1228 return KeyFactory.getInstance("DSA").generatePrivate(encodedKeySpec);
1229 } catch (InvalidKeySpecException ignore2) {
1230 try {
1231 return KeyFactory.getInstance("EC").generatePrivate(encodedKeySpec);
1232 } catch (InvalidKeySpecException e) {
1233 throw new InvalidKeySpecException("Neither RSA, DSA nor EC worked", e);
1234 }
1235 }
1236 }
1237 }
1238
1239
1240
1241
1242
1243
1244
1245 @Deprecated
1246 protected static TrustManagerFactory buildTrustManagerFactory(
1247 File certChainFile, TrustManagerFactory trustManagerFactory)
1248 throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException {
1249 return buildTrustManagerFactory(certChainFile, trustManagerFactory, null);
1250 }
1251
1252
1253
1254
1255
1256
1257
1258
1259 protected static TrustManagerFactory buildTrustManagerFactory(
1260 File certChainFile, TrustManagerFactory trustManagerFactory, String keyType)
1261 throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException {
1262 X509Certificate[] x509Certs = toX509Certificates(certChainFile);
1263
1264 return buildTrustManagerFactory(x509Certs, trustManagerFactory, keyType);
1265 }
1266
1267 protected static X509Certificate[] toX509Certificates(File file) throws CertificateException {
1268 if (file == null) {
1269 return null;
1270 }
1271 return getCertificatesFromBuffers(PemReader.readCertificates(file));
1272 }
1273
1274 protected static X509Certificate[] toX509Certificates(InputStream in) throws CertificateException {
1275 if (in == null) {
1276 return null;
1277 }
1278 return getCertificatesFromBuffers(PemReader.readCertificates(in));
1279 }
1280
1281 private static X509Certificate[] getCertificatesFromBuffers(ByteBuf[] certs) throws CertificateException {
1282 CertificateFactory cf = CertificateFactory.getInstance("X.509");
1283 X509Certificate[] x509Certs = new X509Certificate[certs.length];
1284
1285 try {
1286 for (int i = 0; i < certs.length; i++) {
1287 InputStream is = new ByteBufInputStream(certs[i], false);
1288 try {
1289 x509Certs[i] = (X509Certificate) cf.generateCertificate(is);
1290 } finally {
1291 try {
1292 is.close();
1293 } catch (IOException e) {
1294
1295 throw new RuntimeException(e);
1296 }
1297 }
1298 }
1299 } finally {
1300 for (ByteBuf buf: certs) {
1301 buf.release();
1302 }
1303 }
1304 return x509Certs;
1305 }
1306
1307 protected static TrustManagerFactory buildTrustManagerFactory(
1308 X509Certificate[] certCollection, TrustManagerFactory trustManagerFactory, String keyStoreType)
1309 throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException {
1310 if (keyStoreType == null) {
1311 keyStoreType = KeyStore.getDefaultType();
1312 }
1313 final KeyStore ks = KeyStore.getInstance(keyStoreType);
1314 ks.load(null, null);
1315
1316 int i = 1;
1317 for (X509Certificate cert: certCollection) {
1318 String alias = Integer.toString(i);
1319 ks.setCertificateEntry(alias, cert);
1320 i++;
1321 }
1322
1323
1324 if (trustManagerFactory == null) {
1325 trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
1326 }
1327 trustManagerFactory.init(ks);
1328
1329 return trustManagerFactory;
1330 }
1331
1332 static PrivateKey toPrivateKeyInternal(File keyFile, String keyPassword) throws SSLException {
1333 try {
1334 return toPrivateKey(keyFile, keyPassword);
1335 } catch (Exception e) {
1336 throw new SSLException(e);
1337 }
1338 }
1339
1340 static X509Certificate[] toX509CertificatesInternal(File file) throws SSLException {
1341 try {
1342 return toX509Certificates(file);
1343 } catch (CertificateException e) {
1344 throw new SSLException(e);
1345 }
1346 }
1347
1348 protected static KeyManagerFactory buildKeyManagerFactory(X509Certificate[] certChainFile,
1349 String keyAlgorithm, PrivateKey key,
1350 String keyPassword, KeyManagerFactory kmf,
1351 String keyStore)
1352 throws KeyStoreException, NoSuchAlgorithmException, IOException,
1353 CertificateException, UnrecoverableKeyException {
1354 if (keyAlgorithm == null) {
1355 keyAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
1356 }
1357 char[] keyPasswordChars = keyStorePassword(keyPassword);
1358 KeyStore ks = buildKeyStore(certChainFile, key, keyPasswordChars, keyStore);
1359 return buildKeyManagerFactory(ks, keyAlgorithm, keyPasswordChars, kmf);
1360 }
1361
1362 static KeyManagerFactory buildKeyManagerFactory(KeyStore ks,
1363 String keyAlgorithm,
1364 char[] keyPasswordChars, KeyManagerFactory kmf)
1365 throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
1366
1367 if (kmf == null) {
1368 if (keyAlgorithm == null) {
1369 keyAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
1370 }
1371 kmf = KeyManagerFactory.getInstance(keyAlgorithm);
1372 }
1373 kmf.init(ks, keyPasswordChars);
1374
1375 return kmf;
1376 }
1377
1378 static char[] keyStorePassword(String keyPassword) {
1379 return keyPassword == null ? EmptyArrays.EMPTY_CHARS : keyPassword.toCharArray();
1380 }
1381 }