1 /*
2 * Copyright 2014 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16 package io.netty.handler.ssl;
17
18 import io.netty.internal.tcnative.SSL;
19
20 import java.io.File;
21 import java.security.KeyStore;
22 import java.security.PrivateKey;
23 import java.security.cert.X509Certificate;
24 import java.util.List;
25 import java.util.Map;
26
27 import javax.net.ssl.KeyManagerFactory;
28 import javax.net.ssl.SNIServerName;
29 import javax.net.ssl.SSLException;
30 import javax.net.ssl.TrustManager;
31 import javax.net.ssl.TrustManagerFactory;
32
33 import static io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext;
34
35 /**
36 * A client-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
37 * <p>This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
38 * and manually release the native memory see {@link ReferenceCountedOpenSslClientContext}.
39 */
40 public final class OpenSslClientContext extends OpenSslContext {
41 private final OpenSslSessionContext sessionContext;
42
43 /**
44 * Creates a new instance.
45 * @deprecated use {@link SslContextBuilder}
46 */
47 @Deprecated
48 public OpenSslClientContext() throws SSLException {
49 this(null, null, null, null, null, null, null, IdentityCipherSuiteFilter.INSTANCE, null, 0, 0);
50 }
51
52 /**
53 * Creates a new instance.
54 *
55 * @param certChainFile an X.509 certificate chain file in PEM format.
56 * {@code null} to use the system default
57 * @deprecated use {@link SslContextBuilder}
58 */
59 @Deprecated
60 public OpenSslClientContext(File certChainFile) throws SSLException {
61 this(certChainFile, null);
62 }
63
64 /**
65 * Creates a new instance.
66 *
67 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
68 * that verifies the certificates sent from servers.
69 * {@code null} to use the default.
70 * @deprecated use {@link SslContextBuilder}
71 */
72 @Deprecated
73 public OpenSslClientContext(TrustManagerFactory trustManagerFactory) throws SSLException {
74 this(null, trustManagerFactory);
75 }
76
77 /**
78 * Creates a new instance.
79 *
80 * @param certChainFile an X.509 certificate chain file in PEM format.
81 * {@code null} to use the system default
82 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
83 * that verifies the certificates sent from servers.
84 * {@code null} to use the default.
85 * @deprecated use {@link SslContextBuilder}
86 */
87 @Deprecated
88 public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory) throws SSLException {
89 this(certChainFile, trustManagerFactory, null, null, null, null, null,
90 IdentityCipherSuiteFilter.INSTANCE, null, 0, 0);
91 }
92
93 /**
94 * Creates a new instance.
95 *
96 * @param certChainFile an X.509 certificate chain file in PEM format
97 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
98 * that verifies the certificates sent from servers.
99 * {@code null} to use the default..
100 * @param ciphers the cipher suites to enable, in the order of preference.
101 * {@code null} to use the default cipher suites.
102 * @param apn Provides a means to configure parameters related to application protocol negotiation.
103 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
104 * {@code 0} to use the default value.
105 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
106 * {@code 0} to use the default value.
107 * @deprecated use {@link SslContextBuilder}
108 */
109 @Deprecated
110 public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
111 ApplicationProtocolConfig apn, long sessionCacheSize, long sessionTimeout)
112 throws SSLException {
113 this(certChainFile, trustManagerFactory, null, null, null, null, ciphers, IdentityCipherSuiteFilter.INSTANCE,
114 apn, sessionCacheSize, sessionTimeout);
115 }
116
117 /**
118 * Creates a new instance.
119 *
120 * @param certChainFile an X.509 certificate chain file in PEM format
121 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
122 * that verifies the certificates sent from servers.
123 * {@code null} to use the default..
124 * @param ciphers the cipher suites to enable, in the order of preference.
125 * {@code null} to use the default cipher suites.
126 * @param cipherFilter a filter to apply over the supplied list of ciphers
127 * @param apn Provides a means to configure parameters related to application protocol negotiation.
128 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
129 * {@code 0} to use the default value.
130 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
131 * {@code 0} to use the default value.
132 * @deprecated use {@link SslContextBuilder}
133 */
134 @Deprecated
135 public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
136 CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
137 long sessionCacheSize, long sessionTimeout) throws SSLException {
138 this(certChainFile, trustManagerFactory, null, null, null, null,
139 ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
140 }
141
142 /**
143 * Creates a new instance.
144 * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
145 * {@code null} to use the system default
146 * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
147 * that verifies the certificates sent from servers.
148 * {@code null} to use the default or the results of parsing
149 * {@code trustCertCollectionFile}
150 * @param keyCertChainFile an X.509 certificate chain file in PEM format.
151 * This provides the public key for mutual authentication.
152 * {@code null} to use the system default
153 * @param keyFile a PKCS#8 private key file in PEM format.
154 * This provides the private key for mutual authentication.
155 * {@code null} for no mutual authentication.
156 * @param keyPassword the password of the {@code keyFile}.
157 * {@code null} if it's not password-protected.
158 * Ignored if {@code keyFile} is {@code null}.
159 * @param keyManagerFactory the {@link KeyManagerFactory} that provides the {@link javax.net.ssl.KeyManager}s
160 * that is used to encrypt data being sent to servers.
161 * {@code null} to use the default or the results of parsing
162 * {@code keyCertChainFile} and {@code keyFile}.
163 * @param ciphers the cipher suites to enable, in the order of preference.
164 * {@code null} to use the default cipher suites.
165 * @param cipherFilter a filter to apply over the supplied list of ciphers
166 * @param apn Application Protocol Negotiator object.
167 * @param sessionCacheSize the size of the cache used for storing SSL session objects.
168 * {@code 0} to use the default value.
169 * @param sessionTimeout the timeout for the cached SSL session objects, in seconds.
170 * {@code 0} to use the default value.
171 * @deprecated use {@link SslContextBuilder}
172 */
173 @Deprecated
174 public OpenSslClientContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
175 File keyCertChainFile, File keyFile, String keyPassword,
176 KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
177 CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
178 long sessionCacheSize, long sessionTimeout)
179 throws SSLException {
180 this(toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
181 toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
182 keyPassword, keyManagerFactory, ciphers, cipherFilter, apn, null, sessionCacheSize,
183 sessionTimeout, false, KeyStore.getDefaultType(), null, null, null);
184 }
185
186 OpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
187 X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
188 KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
189 CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn, String[] protocols,
190 long sessionCacheSize, long sessionTimeout, boolean enableOcsp, String keyStore,
191 String endpointIdentificationAlgorithm, List<SNIServerName> serverNames,
192 ResumptionController resumptionController,
193 Map.Entry<SslContextOption<?>, Object>... options)
194 throws SSLException {
195 super(ciphers, cipherFilter, apn, SSL.SSL_MODE_CLIENT, keyCertChain, ClientAuth.NONE, protocols, false,
196 endpointIdentificationAlgorithm, enableOcsp, serverNames, resumptionController, options);
197 boolean success = false;
198 boolean supportJdkSignatureFallback = isJdkSignatureFallbackEnabled(options);
199 try {
200 OpenSslKeyMaterialProvider.validateKeyMaterialSupported(keyCertChain, key, keyPassword,
201 supportJdkSignatureFallback);
202 sessionContext = newSessionContext(this, ctx, engines, trustCertCollection, trustManagerFactory,
203 keyCertChain, key, keyPassword, keyManagerFactory, keyStore,
204 sessionCacheSize, sessionTimeout, resumptionController,
205 supportJdkSignatureFallback);
206 success = true;
207 } finally {
208 if (!success) {
209 release();
210 }
211 }
212 }
213
214 @Override
215 public OpenSslSessionContext sessionContext() {
216 return sessionContext;
217 }
218 }