1 /*
2 * Copyright 2014 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16 package io.netty.handler.ssl;
17
18 import io.netty.internal.tcnative.SSL;
19
20 import java.io.File;
21 import java.security.KeyStore;
22 import java.security.PrivateKey;
23 import java.security.cert.X509Certificate;
24 import java.util.List;
25 import java.util.Map;
26
27 import javax.net.ssl.KeyManagerFactory;
28 import javax.net.ssl.SNIServerName;
29 import javax.net.ssl.SSLException;
30 import javax.net.ssl.TrustManager;
31 import javax.net.ssl.TrustManagerFactory;
32
33 import static io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext;
34 import static io.netty.util.internal.EmptyArrays.EMPTY_MAP_ENTRY;
35
36 /**
37 * A client-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
38 * <p>This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
39 * and manually release the native memory see {@link ReferenceCountedOpenSslClientContext}.
40 */
public final class OpenSslClientContext extends OpenSslContext {
    /** Session context created by the package-private constructor; exposed via {@link #sessionContext()}. */
    private final OpenSslSessionContext sessionContext;

    /**
     * Creates a new instance with the system default trust material, no client credentials, the default cipher
     * suites (passed through {@link IdentityCipherSuiteFilter}), no application protocol configuration and the
     * default session cache size and timeout.
     *
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslClientContext() throws SSLException {
        // Same argument set as the two-argument constructor with both values absent.
        this((File) null, (TrustManagerFactory) null);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format.
     *                      {@code null} to use the system default
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslClientContext(File certChainFile) throws SSLException {
        this(certChainFile, (TrustManagerFactory) null);
    }

    /**
     * Creates a new instance.
     *
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslClientContext(TrustManagerFactory trustManagerFactory) throws SSLException {
        this((File) null, trustManagerFactory);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile       an X.509 certificate chain file in PEM format.
     *                            {@code null} to use the system default
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory) throws SSLException {
        // No explicit cipher list, no application protocol configuration, default session cache settings.
        this(certChainFile, trustManagerFactory, null, null, 0, 0);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile       an X.509 certificate chain file in PEM format
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default.
     * @param ciphers             the cipher suites to enable, in the order of preference.
     *                            {@code null} to use the default cipher suites.
     * @param apn                 provides a means to configure parameters related to application protocol
     *                            negotiation.
     * @param sessionCacheSize    the size of the cache used for storing SSL session objects.
     *                            {@code 0} to use the default value.
     * @param sessionTimeout      the timeout for the cached SSL session objects, in seconds.
     *                            {@code 0} to use the default value.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
                                ApplicationProtocolConfig apn, long sessionCacheSize, long sessionTimeout)
            throws SSLException {
        // The supplied ciphers are applied unchanged: the identity filter is used.
        this(certChainFile, trustManagerFactory, ciphers, IdentityCipherSuiteFilter.INSTANCE, apn,
                sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance.
     *
     * @param certChainFile       an X.509 certificate chain file in PEM format
     * @param trustManagerFactory the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                            that verify the certificates sent from servers.
     *                            {@code null} to use the default.
     * @param ciphers             the cipher suites to enable, in the order of preference.
     *                            {@code null} to use the default cipher suites.
     * @param cipherFilter        a filter to apply over the supplied list of ciphers
     * @param apn                 provides a means to configure parameters related to application protocol
     *                            negotiation.
     * @param sessionCacheSize    the size of the cache used for storing SSL session objects.
     *                            {@code 0} to use the default value.
     * @param sessionTimeout      the timeout for the cached SSL session objects, in seconds.
     *                            {@code 0} to use the default value.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslClientContext(File certChainFile, TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
                                CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
                                long sessionCacheSize, long sessionTimeout) throws SSLException {
        // No client key material: key chain, key file, key password and key manager factory are all absent.
        this(certChainFile, trustManagerFactory,
                null, null, null, null,
                ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance.
     * <p>This constructor configures no endpoint identification algorithm, no SNI server names, no OCSP and uses
     * {@link KeyStore#getDefaultType()} as the key store type; use {@link SslContextBuilder} when any of these
     * (for example hostname verification) must be set.
     *
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format.
     *                                {@code null} to use the system default
     * @param trustManagerFactory     the {@link TrustManagerFactory} that provides the {@link TrustManager}s
     *                                that verify the certificates sent from servers.
     *                                {@code null} to use the default or the results of parsing
     *                                {@code trustCertCollectionFile}
     * @param keyCertChainFile        an X.509 certificate chain file in PEM format.
     *                                This provides the public key for mutual authentication.
     *                                {@code null} to use the system default
     * @param keyFile                 a PKCS#8 private key file in PEM format.
     *                                This provides the private key for mutual authentication.
     *                                {@code null} for no mutual authentication.
     * @param keyPassword             the password of the {@code keyFile}.
     *                                {@code null} if it's not password-protected.
     *                                Ignored if {@code keyFile} is {@code null}.
     * @param keyManagerFactory       the {@link KeyManagerFactory} that provides the
     *                                {@link javax.net.ssl.KeyManager}s used for the client side of the
     *                                connection. {@code null} to use the default or the results of parsing
     *                                {@code keyCertChainFile} and {@code keyFile}.
     * @param ciphers                 the cipher suites to enable, in the order of preference.
     *                                {@code null} to use the default cipher suites.
     * @param cipherFilter            a filter to apply over the supplied list of ciphers
     * @param apn                     Application Protocol Negotiator object.
     * @param sessionCacheSize        the size of the cache used for storing SSL session objects.
     *                                {@code 0} to use the default value.
     * @param sessionTimeout          the timeout for the cached SSL session objects, in seconds.
     *                                {@code 0} to use the default value.
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslClientContext(File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
                                File keyCertChainFile, File keyFile, String keyPassword,
                                KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
                                CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
                                long sessionCacheSize, long sessionTimeout)
            throws SSLException {
        // Files are parsed up front; protocols, endpoint identification, SNI names, resumption controller and
        // credentials are left unset, OCSP is disabled and no SslContextOptions are supplied.
        this(toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
                toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
                keyPassword, keyManagerFactory, ciphers, cipherFilter, apn,
                /* protocols */ null, sessionCacheSize, sessionTimeout,
                /* enableOcsp */ false, KeyStore.getDefaultType(),
                /* endpointIdentificationAlgorithm */ null, /* serverNames */ null,
                /* resumptionController */ null, EMPTY_MAP_ENTRY, /* credentials */ null);
    }

    /**
     * Package-private constructor used by the public constructors and by {@link SslContextBuilder}.
     * <p>The native context is set up by the superclass; the session context is then created here. If session
     * context creation throws, the native resources acquired so far are released before the exception propagates.
     *
     * @throws SSLException if the native context or the session context cannot be created
     */
    OpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
                         X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
                         KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
                         CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn, String[] protocols,
                         long sessionCacheSize, long sessionTimeout, boolean enableOcsp, String keyStore,
                         String endpointIdentificationAlgorithm, List<SNIServerName> serverNames,
                         ResumptionController resumptionController,
                         Map.Entry<SslContextOption<?>, Object>[] options,
                         List<OpenSslCredential> credentials)
            throws SSLException {
        // A client context never requests client authentication from its own side: ClientAuth.NONE.
        super(ciphers, cipherFilter, apn, SSL.SSL_MODE_CLIENT, keyCertChain, ClientAuth.NONE, protocols, false,
                endpointIdentificationAlgorithm, enableOcsp, serverNames, resumptionController, options, credentials);
        final boolean jdkSignatureFallback = isJdkSignatureFallbackEnabled(options);
        boolean initialised = false;
        try {
            // Reject key material the native side cannot handle before touching the session context.
            OpenSslKeyMaterialProvider.validateKeyMaterialSupported(keyCertChain, key, keyPassword,
                    jdkSignatureFallback);
            sessionContext = newSessionContext(this, ctx, engines, trustCertCollection, trustManagerFactory,
                    keyCertChain, key, keyPassword, keyManagerFactory, keyStore,
                    sessionCacheSize, sessionTimeout, resumptionController,
                    jdkSignatureFallback);
            initialised = true;
        } finally {
            // Do not leak the native context created by super(...) when initialisation fails part-way.
            if (!initialised) {
                release();
            }
        }
    }

    /**
     * Returns the {@link OpenSslSessionContext} created for this client context.
     */
    @Override
    public OpenSslSessionContext sessionContext() {
        return sessionContext;
    }
}