1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package io.netty.handler.ssl;
18
19 import io.netty.util.CharsetUtil;
20
21 import java.io.ByteArrayInputStream;
22 import java.io.File;
23 import java.io.IOException;
24 import java.security.InvalidAlgorithmParameterException;
25 import java.security.KeyException;
26 import java.security.KeyStore;
27 import java.security.KeyStoreException;
28 import java.security.NoSuchAlgorithmException;
29 import java.security.PrivateKey;
30 import java.security.Provider;
31 import java.security.SecureRandom;
32 import java.security.UnrecoverableKeyException;
33 import java.security.cert.CertificateException;
34 import java.security.cert.X509Certificate;
35 import java.security.spec.InvalidKeySpecException;
36 import javax.crypto.NoSuchPaddingException;
37 import javax.net.ssl.KeyManager;
38 import javax.net.ssl.KeyManagerFactory;
39 import javax.net.ssl.SSLContext;
40 import javax.net.ssl.SSLException;
41 import javax.net.ssl.SSLSessionContext;
42 import javax.net.ssl.TrustManager;
43 import javax.net.ssl.TrustManagerFactory;
44 import javax.net.ssl.X509ExtendedTrustManager;
45
46 import static io.netty.handler.ssl.SslUtils.PROBING_CERT;
47 import static io.netty.handler.ssl.SslUtils.PROBING_KEY;
48
49
50
51
52
53
54
55 @Deprecated
56 public final class JdkSslServerContext extends JdkSslContext {
57
58 private static final boolean WRAP_TRUST_MANAGER;
59 static {
60 boolean wrapTrustManager = false;
61 try {
62 checkIfWrappingTrustManagerIsSupported();
63 wrapTrustManager = true;
64 } catch (Throwable ignore) {
65
66
67 }
68 WRAP_TRUST_MANAGER = wrapTrustManager;
69 }
70
71
72 static void checkIfWrappingTrustManagerIsSupported() throws CertificateException,
73 InvalidAlgorithmParameterException, NoSuchPaddingException, NoSuchAlgorithmException,
74 InvalidKeySpecException, IOException, KeyException, KeyStoreException, UnrecoverableKeyException {
75 X509Certificate[] certs = toX509Certificates(
76 new ByteArrayInputStream(PROBING_CERT.getBytes(CharsetUtil.US_ASCII)));
77 PrivateKey privateKey = toPrivateKey(new ByteArrayInputStream(
78 PROBING_KEY.getBytes(CharsetUtil.UTF_8)), null);
79 char[] keyStorePassword = keyStorePassword(null);
80 KeyStore ks = buildKeyStore(certs, privateKey, keyStorePassword, null);
81 KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
82 kmf.init(ks, keyStorePassword);
83
84 SSLContext ctx = SSLContext.getInstance(PROTOCOL);
85 TrustManagerFactory tm = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
86 tm.init((KeyStore) null);
87 TrustManager[] managers = tm.getTrustManagers();
88
89 ctx.init(kmf.getKeyManagers(), wrapTrustManagerIfNeeded(managers), null);
90 }
91
92
93
94
95
96
97
98
99 @Deprecated
100 public JdkSslServerContext(File certChainFile, File keyFile) throws SSLException {
101 this(null, certChainFile, keyFile, null, null, IdentityCipherSuiteFilter.INSTANCE,
102 JdkDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0, null);
103 }
104
105
106
107
108
109
110
111
112
113
114 @Deprecated
115 public JdkSslServerContext(File certChainFile, File keyFile, String keyPassword) throws SSLException {
116 this(certChainFile, keyFile, keyPassword, null, IdentityCipherSuiteFilter.INSTANCE,
117 JdkDefaultApplicationProtocolNegotiator.INSTANCE, 0, 0);
118 }
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137 @Deprecated
138 public JdkSslServerContext(
139 File certChainFile, File keyFile, String keyPassword,
140 Iterable<String> ciphers, Iterable<String> nextProtocols,
141 long sessionCacheSize, long sessionTimeout) throws SSLException {
142 this(null, certChainFile, keyFile, keyPassword, ciphers, IdentityCipherSuiteFilter.INSTANCE,
143 toNegotiator(toApplicationProtocolConfig(nextProtocols), true), sessionCacheSize,
144 sessionTimeout, KeyStore.getDefaultType());
145 }
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164 @Deprecated
165 public JdkSslServerContext(
166 File certChainFile, File keyFile, String keyPassword,
167 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
168 long sessionCacheSize, long sessionTimeout) throws SSLException {
169 this(null, certChainFile, keyFile, keyPassword, ciphers, cipherFilter,
170 toNegotiator(apn, true), sessionCacheSize, sessionTimeout, KeyStore.getDefaultType());
171 }
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190 @Deprecated
191 public JdkSslServerContext(
192 File certChainFile, File keyFile, String keyPassword,
193 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
194 long sessionCacheSize, long sessionTimeout) throws SSLException {
195 this(null, certChainFile, keyFile, keyPassword, ciphers, cipherFilter, apn,
196 sessionCacheSize, sessionTimeout, KeyStore.getDefaultType());
197 }
198
199 JdkSslServerContext(Provider provider,
200 File certChainFile, File keyFile, String keyPassword,
201 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, JdkApplicationProtocolNegotiator apn,
202 long sessionCacheSize, long sessionTimeout, String keyStore) throws SSLException {
203 super(newSSLContext(provider, null, null,
204 toX509CertificatesInternal(certChainFile), toPrivateKeyInternal(keyFile, keyPassword),
205 keyPassword, null, sessionCacheSize, sessionTimeout, null, keyStore), false,
206 ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
207 }
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237 @Deprecated
238 public JdkSslServerContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
239 File keyCertChainFile, File keyFile, String keyPassword,
240 KeyManagerFactory keyManagerFactory,
241 Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
242 long sessionCacheSize, long sessionTimeout) throws SSLException {
243 super(newSSLContext(null, toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
244 toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
245 keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout, null, null), false,
246 ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
247 }
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277 @Deprecated
278 public JdkSslServerContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
279 File keyCertChainFile, File keyFile, String keyPassword,
280 KeyManagerFactory keyManagerFactory,
281 Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
282 JdkApplicationProtocolNegotiator apn,
283 long sessionCacheSize, long sessionTimeout) throws SSLException {
284 super(newSSLContext(null, toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
285 toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
286 keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout,
287 null, KeyStore.getDefaultType()), false,
288 ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
289 }
290
291 JdkSslServerContext(Provider provider,
292 X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
293 X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
294 KeyManagerFactory keyManagerFactory, Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
295 ApplicationProtocolConfig apn, long sessionCacheSize, long sessionTimeout,
296 ClientAuth clientAuth, String[] protocols, boolean startTls,
297 SecureRandom secureRandom, String keyStore) throws SSLException {
298 super(newSSLContext(provider, trustCertCollection, trustManagerFactory, keyCertChain, key,
299 keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout, secureRandom, keyStore), false,
300 ciphers, cipherFilter, toNegotiator(apn, true), clientAuth, protocols, startTls);
301 }
302
303 private static SSLContext newSSLContext(Provider sslContextProvider, X509Certificate[] trustCertCollection,
304 TrustManagerFactory trustManagerFactory, X509Certificate[] keyCertChain,
305 PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
306 long sessionCacheSize, long sessionTimeout,
307 SecureRandom secureRandom, String keyStore)
308 throws SSLException {
309 if (key == null && keyManagerFactory == null) {
310 throw new NullPointerException("key, keyManagerFactory");
311 }
312
313 try {
314 if (trustCertCollection != null) {
315 trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory, keyStore);
316 } else if (trustManagerFactory == null) {
317
318 trustManagerFactory = TrustManagerFactory.getInstance(
319 TrustManagerFactory.getDefaultAlgorithm());
320 trustManagerFactory.init((KeyStore) null);
321 }
322
323 if (key != null) {
324 keyManagerFactory = buildKeyManagerFactory(keyCertChain, null,
325 key, keyPassword, keyManagerFactory, null);
326 }
327
328
329 SSLContext ctx = sslContextProvider == null ? SSLContext.getInstance(PROTOCOL)
330 : SSLContext.getInstance(PROTOCOL, sslContextProvider);
331 ctx.init(keyManagerFactory.getKeyManagers(),
332 wrapTrustManagerIfNeeded(trustManagerFactory.getTrustManagers()),
333 secureRandom);
334
335 SSLSessionContext sessCtx = ctx.getServerSessionContext();
336 if (sessionCacheSize > 0) {
337 sessCtx.setSessionCacheSize((int) Math.min(sessionCacheSize, Integer.MAX_VALUE));
338 }
339 if (sessionTimeout > 0) {
340 sessCtx.setSessionTimeout((int) Math.min(sessionTimeout, Integer.MAX_VALUE));
341 }
342 return ctx;
343 } catch (Exception e) {
344 if (e instanceof SSLException) {
345 throw (SSLException) e;
346 }
347 throw new SSLException("failed to initialize the server-side SSL context", e);
348 }
349 }
350
351 private static TrustManager[] wrapTrustManagerIfNeeded(TrustManager[] trustManagers) {
352 if (WRAP_TRUST_MANAGER) {
353 for (int i = 0; i < trustManagers.length; i++) {
354 TrustManager tm = trustManagers[i];
355 if (tm instanceof X509ExtendedTrustManager) {
356
357
358 trustManagers[i] = new EnhancingX509ExtendedTrustManager((X509ExtendedTrustManager) tm);
359 }
360 }
361 }
362 return trustManagers;
363 }
364 }