1 /*
2 * Copyright 2014 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16 package io.netty.handler.ssl;
17
18 import io.netty.internal.tcnative.SSL;
19
20 import java.io.File;
21 import java.security.KeyStore;
22 import java.security.PrivateKey;
23 import java.security.cert.X509Certificate;
24 import java.util.List;
25 import java.util.Map;
26
27 import javax.net.ssl.KeyManager;
28 import javax.net.ssl.KeyManagerFactory;
29 import javax.net.ssl.SSLException;
30 import javax.net.ssl.TrustManager;
31 import javax.net.ssl.TrustManagerFactory;
32
33 import static io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.newSessionContext;
34 import static io.netty.util.internal.EmptyArrays.EMPTY_MAP_ENTRY;
35
/**
 * A server-side {@link SslContext} backed by OpenSSL's SSL/TLS implementation.
 * <p>Native resources held by an instance are cleaned up by a finalizer. If you want to release the native
 * memory deterministically (and avoid the finalizer), use {@link ReferenceCountedOpenSslServerContext} instead.
 * <p>Every public constructor of this class is deprecated and hard-wires {@link ClientAuth#NONE}: a client
 * certificate is never requested, even when a trust certificate collection or {@link TrustManagerFactory} is
 * supplied. New code should use {@link SslContextBuilder} (with {@link SslContextBuilder#clientAuth(ClientAuth)}
 * when mutual authentication is required).
 */
public final class OpenSslServerContext extends OpenSslContext {
    // Server-side session context created once construction succeeded; exposed via sessionContext().
    private final OpenSslServerSessionContext sessionContext;

    /**
     * Creates a new instance whose private key is not password-protected.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile       a PKCS#8 private key file in PEM format
     * @throws SSLException if the context cannot be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(File certChainFile, File keyFile) throws SSLException {
        this(certChainFile, keyFile, null);
    }

    /**
     * Creates a new instance with the default cipher suites and no application protocol negotiation.
     *
     * @param certChainFile an X.509 certificate chain file in PEM format
     * @param keyFile       a PKCS#8 private key file in PEM format
     * @param keyPassword   the password of the {@code keyFile}; {@code null} if it is not password-protected
     * @throws SSLException if the context cannot be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(File certChainFile, File keyFile, String keyPassword) throws SSLException {
        this(certChainFile, keyFile, keyPassword, null, IdentityCipherSuiteFilter.INSTANCE,
             ApplicationProtocolConfig.DISABLED, 0, 0);
    }

    /**
     * Creates a new instance; the supplied cipher suites are used unfiltered
     * ({@link IdentityCipherSuiteFilter#INSTANCE}).
     *
     * @param certChainFile    an X.509 certificate chain file in PEM format
     * @param keyFile          a PKCS#8 private key file in PEM format
     * @param keyPassword      the password of the {@code keyFile}; {@code null} if it is not password-protected
     * @param ciphers          the cipher suites to enable, in order of preference;
     *                         {@code null} to use the default cipher suites
     * @param apn              configuration for application protocol negotiation
     * @param sessionCacheSize the size of the cache used for storing SSL session objects;
     *                         {@code 0} to use the default value
     * @param sessionTimeout   the timeout for the cached SSL session objects, in seconds;
     *                         {@code 0} to use the default value
     * @throws SSLException if the context cannot be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(certChainFile, keyFile, keyPassword, ciphers, IdentityCipherSuiteFilter.INSTANCE,
             apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance from a plain list of application protocols, which is converted into an
     * {@link ApplicationProtocolConfig} via {@code toApplicationProtocolConfig}.
     *
     * @param certChainFile    an X.509 certificate chain file in PEM format
     * @param keyFile          a PKCS#8 private key file in PEM format
     * @param keyPassword      the password of the {@code keyFile}; {@code null} if it is not password-protected
     * @param ciphers          the cipher suites to enable, in order of preference;
     *                         {@code null} to use the default cipher suites
     * @param nextProtocols    the application layer protocols to accept, in order of preference;
     *                         {@code null} to disable the TLS NPN/ALPN extension
     * @param sessionCacheSize the size of the cache used for storing SSL session objects;
     *                         {@code 0} to use the default value
     * @param sessionTimeout   the timeout for the cached SSL session objects, in seconds;
     *                         {@code 0} to use the default value
     * @throws SSLException if the context cannot be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, Iterable<String> nextProtocols,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(certChainFile, keyFile, keyPassword, ciphers,
             toApplicationProtocolConfig(nextProtocols), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance with an explicit {@link TrustManagerFactory}.
     * <p>Client authentication is not requested by this constructor ({@link ClientAuth#NONE}); see the class
     * documentation.
     *
     * @param certChainFile       an X.509 certificate chain file in PEM format
     * @param keyFile             a PKCS#8 private key file in PEM format
     * @param keyPassword         the password of the {@code keyFile}; {@code null} if it is not
     *                            password-protected
     * @param trustManagerFactory the {@link TrustManagerFactory} providing the {@link TrustManager}s used to
     *                            verify certificates sent by clients; {@code null} to use the default
     * @param ciphers             the cipher suites to enable, in order of preference;
     *                            {@code null} to use the default cipher suites
     * @param config              configuration for application protocol negotiation
     * @param sessionCacheSize    the size of the cache used for storing SSL session objects;
     *                            {@code 0} to use the default value
     * @param sessionTimeout      the timeout for the cached SSL session objects, in seconds;
     *                            {@code 0} to use the default value
     * @throws SSLException if the context cannot be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, ApplicationProtocolConfig config,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(certChainFile, keyFile, keyPassword, trustManagerFactory, ciphers,
             toNegotiator(config), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance with an explicit {@link TrustManagerFactory} and a ready-made negotiator.
     * No cipher suite filter is applied ({@code null} is passed on).
     * <p>Client authentication is not requested by this constructor ({@link ClientAuth#NONE}); see the class
     * documentation.
     *
     * @param certChainFile       an X.509 certificate chain file in PEM format
     * @param keyFile             a PKCS#8 private key file in PEM format
     * @param keyPassword         the password of the {@code keyFile}; {@code null} if it is not
     *                            password-protected
     * @param trustManagerFactory the {@link TrustManagerFactory} providing the {@link TrustManager}s used to
     *                            verify certificates sent by clients; {@code null} to use the default
     * @param ciphers             the cipher suites to enable, in order of preference;
     *                            {@code null} to use the default cipher suites
     * @param apn                 the application protocol negotiator
     * @param sessionCacheSize    the size of the cache used for storing SSL session objects;
     *                            {@code 0} to use the default value
     * @param sessionTimeout      the timeout for the cached SSL session objects, in seconds;
     *                            {@code 0} to use the default value
     * @throws SSLException if the context cannot be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, OpenSslApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null,
             ciphers, null, apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance with a cipher suite filter; trust and key material are taken from the files only.
     *
     * @param certChainFile    an X.509 certificate chain file in PEM format
     * @param keyFile          a PKCS#8 private key file in PEM format
     * @param keyPassword      the password of the {@code keyFile}; {@code null} if it is not password-protected
     * @param ciphers          the cipher suites to enable, in order of preference;
     *                         {@code null} to use the default cipher suites
     * @param cipherFilter     a filter applied to the supplied cipher suites
     * @param apn              configuration for application protocol negotiation
     * @param sessionCacheSize the size of the cache used for storing SSL session objects;
     *                         {@code 0} to use the default value
     * @param sessionTimeout   the timeout for the cached SSL session objects, in seconds;
     *                         {@code 0} to use the default value
     * @throws SSLException if the context cannot be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, null, certChainFile, keyFile, keyPassword, null,
             ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance from files and factories, converting {@code config} into a negotiator.
     * <p>Client authentication is not requested by this constructor ({@link ClientAuth#NONE}); see the class
     * documentation.
     *
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format holding the
     *                                certificates used for mutual authentication; {@code null} to use the
     *                                system default
     * @param trustManagerFactory     the {@link TrustManagerFactory} providing the {@link TrustManager}s used
     *                                to verify certificates sent by clients; {@code null} to use the default
     *                                or the result of parsing {@code trustCertCollectionFile}
     * @param keyCertChainFile        an X.509 certificate chain file in PEM format
     * @param keyFile                 a PKCS#8 private key file in PEM format
     * @param keyPassword             the password of the {@code keyFile}; {@code null} if it is not
     *                                password-protected
     * @param keyManagerFactory       the {@link KeyManagerFactory} providing the {@link KeyManager}s used to
     *                                encrypt data sent to clients; {@code null} to use the default or the
     *                                result of parsing {@code keyCertChainFile} and {@code keyFile}
     * @param ciphers                 the cipher suites to enable, in order of preference;
     *                                {@code null} to use the default cipher suites
     * @param cipherFilter            a filter applied to the supplied cipher suites
     * @param config                  configuration for application protocol negotiation
     * @param sessionCacheSize        the size of the cache used for storing SSL session objects;
     *                                {@code 0} to use the default value
     * @param sessionTimeout          the timeout for the cached SSL session objects, in seconds;
     *                                {@code 0} to use the default value
     * @throws SSLException if the context cannot be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
            File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig config,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(trustCertCollectionFile, trustManagerFactory, keyCertChainFile, keyFile, keyPassword, keyManagerFactory,
             ciphers, cipherFilter, toNegotiator(config), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance with a {@link TrustManagerFactory}, a cipher suite filter and an
     * {@link ApplicationProtocolConfig}.
     * <p>Client authentication is not requested by this constructor ({@link ClientAuth#NONE}); see the class
     * documentation.
     *
     * @param certChainFile       an X.509 certificate chain file in PEM format
     * @param keyFile             a PKCS#8 private key file in PEM format
     * @param keyPassword         the password of the {@code keyFile}; {@code null} if it is not
     *                            password-protected
     * @param trustManagerFactory the {@link TrustManagerFactory} providing the {@link TrustManager}s used to
     *                            verify certificates sent by clients; {@code null} to use the default
     * @param ciphers             the cipher suites to enable, in order of preference;
     *                            {@code null} to use the default cipher suites
     * @param cipherFilter        a filter applied to the supplied cipher suites
     * @param config              configuration for application protocol negotiation
     * @param sessionCacheSize    the size of the cache used for storing SSL session objects;
     *                            {@code 0} to use the default value
     * @param sessionTimeout      the timeout for the cached SSL session objects, in seconds;
     *                            {@code 0} to use the default value
     * @throws SSLException if the context cannot be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(File certChainFile, File keyFile, String keyPassword,
                                TrustManagerFactory trustManagerFactory, Iterable<String> ciphers,
                                CipherSuiteFilter cipherFilter, ApplicationProtocolConfig config,
                                long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null, ciphers, cipherFilter,
             toNegotiator(config), sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance with a {@link TrustManagerFactory}, a cipher suite filter and a ready-made
     * negotiator.
     * <p>Client authentication is not requested by this constructor ({@link ClientAuth#NONE}); see the class
     * documentation.
     *
     * @param certChainFile       an X.509 certificate chain file in PEM format
     * @param keyFile             a PKCS#8 private key file in PEM format
     * @param keyPassword         the password of the {@code keyFile}; {@code null} if it is not
     *                            password-protected
     * @param trustManagerFactory the {@link TrustManagerFactory} providing the {@link TrustManager}s used to
     *                            verify certificates sent by clients; {@code null} to use the default
     * @param ciphers             the cipher suites to enable, in order of preference;
     *                            {@code null} to use the default cipher suites
     * @param cipherFilter        a filter applied to the supplied cipher suites
     * @param apn                 the application protocol negotiator
     * @param sessionCacheSize    the size of the cache used for storing SSL session objects;
     *                            {@code 0} to use the default value
     * @param sessionTimeout      the timeout for the cached SSL session objects, in seconds;
     *                            {@code 0} to use the default value
     * @throws SSLException if the context cannot be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File certChainFile, File keyFile, String keyPassword, TrustManagerFactory trustManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(null, trustManagerFactory, certChainFile, keyFile, keyPassword, null, ciphers, cipherFilter,
             apn, sessionCacheSize, sessionTimeout);
    }

    /**
     * Creates a new instance from files and factories. This is the last file-based constructor: the PEM files
     * are parsed here ({@code toX509CertificatesInternal}, {@code toPrivateKeyInternal}) and the remaining
     * settings are fixed to {@link ClientAuth#NONE}, default protocols, no STARTTLS, no OCSP stapling, the
     * default {@link KeyStore} type, no resumption controller, no options and no extra credentials.
     * <p>Because {@link ClientAuth#NONE} is passed, a client certificate is never requested even when
     * {@code trustCertCollectionFile} or {@code trustManagerFactory} is supplied; see the class documentation.
     *
     * @param trustCertCollectionFile an X.509 certificate collection file in PEM format holding the
     *                                certificates used for mutual authentication; {@code null} to use the
     *                                system default
     * @param trustManagerFactory     the {@link TrustManagerFactory} providing the {@link TrustManager}s used
     *                                to verify certificates sent by clients; {@code null} to use the default
     *                                or the result of parsing {@code trustCertCollectionFile}
     * @param keyCertChainFile        an X.509 certificate chain file in PEM format
     * @param keyFile                 a PKCS#8 private key file in PEM format
     * @param keyPassword             the password of the {@code keyFile}; {@code null} if it is not
     *                                password-protected
     * @param keyManagerFactory       the {@link KeyManagerFactory} providing the {@link KeyManager}s used to
     *                                encrypt data sent to clients; {@code null} to use the default or the
     *                                result of parsing {@code keyCertChainFile} and {@code keyFile}
     * @param ciphers                 the cipher suites to enable, in order of preference;
     *                                {@code null} to use the default cipher suites
     * @param cipherFilter            a filter applied to the supplied cipher suites
     * @param apn                     the application protocol negotiator
     * @param sessionCacheSize        the size of the cache used for storing SSL session objects;
     *                                {@code 0} to use the default value
     * @param sessionTimeout          the timeout for the cached SSL session objects, in seconds;
     *                                {@code 0} to use the default value
     * @throws SSLException if the files cannot be parsed or the context cannot be created
     * @deprecated use {@link SslContextBuilder}
     */
    @Deprecated
    public OpenSslServerContext(
            File trustCertCollectionFile, TrustManagerFactory trustManagerFactory,
            File keyCertChainFile, File keyFile, String keyPassword, KeyManagerFactory keyManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout) throws SSLException {
        this(toX509CertificatesInternal(trustCertCollectionFile), trustManagerFactory,
             toX509CertificatesInternal(keyCertChainFile), toPrivateKeyInternal(keyFile, keyPassword),
             keyPassword, keyManagerFactory, ciphers, cipherFilter,
             apn, sessionCacheSize, sessionTimeout, ClientAuth.NONE, null, false, false, KeyStore.getDefaultType(),
             null, EMPTY_MAP_ENTRY, null);
    }

    /**
     * Package-private constructor used by the builder path: takes already-parsed key material and an
     * {@link ApplicationProtocolConfig}, which is converted via {@code toNegotiator} before delegating to the
     * root constructor with no extra credentials.
     *
     * @throws SSLException if the context cannot be created
     */
    OpenSslServerContext(
            X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
            X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
            long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth, String[] protocols, boolean startTls,
            boolean enableOcsp, String keyStore, ResumptionController resumptionController,
            Map.Entry<SslContextOption<?>, Object>... options)
            throws SSLException {
        this(trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory, ciphers,
             cipherFilter, toNegotiator(apn), sessionCacheSize, sessionTimeout, clientAuth, protocols, startTls,
             enableOcsp, keyStore, resumptionController, options, null);
    }

    /**
     * Root constructor; every other constructor ends up here.
     * <p>The superclass constructor sets up the native context. Should validation or session-context creation
     * fail afterwards, {@link #release()} is called before the exception propagates so that the native memory is
     * freed immediately instead of waiting for the finalizer.
     *
     * @throws SSLException if the key material is not supported or the session context cannot be created
     */
    @SuppressWarnings("deprecation")
    private OpenSslServerContext(
            X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
            X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
            Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
            long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth, String[] protocols, boolean startTls,
            boolean enableOcsp, String keyStore, ResumptionController resumptionController,
            Map.Entry<SslContextOption<?>, Object>[] options,
            List<OpenSslCredential> credentials)
            throws SSLException {
        super(ciphers, cipherFilter, apn, SSL.SSL_MODE_SERVER, keyCertChain,
              clientAuth, protocols, startTls, enableOcsp, null, resumptionController, options, credentials);

        final boolean jdkSignatureFallback = isJdkSignatureFallbackEnabled(options);
        boolean initialised = false;
        try {
            // Validate first so unsupported key material fails fast, before the session context is built.
            OpenSslKeyMaterialProvider.validateKeyMaterialSupported(keyCertChain, key, keyPassword,
                                                                    jdkSignatureFallback);
            sessionContext = newSessionContext(this, ctx, engines, trustCertCollection, trustManagerFactory,
                                               keyCertChain, key, keyPassword, keyManagerFactory, keyStore,
                                               sessionCacheSize, sessionTimeout, resumptionController,
                                               jdkSignatureFallback);
            initialised = true;
        } finally {
            if (!initialised) {
                // Construction failed: do not leave the native context to the finalizer.
                release();
            }
        }
    }

    /**
     * Returns the server-side session context created during construction.
     */
    @Override
    public OpenSslServerSessionContext sessionContext() {
        return sessionContext;
    }
}