1 /*
2 * Copyright 2015 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16
17 package io.netty.handler.ssl;
18
19 import io.netty.handler.ssl.util.KeyManagerFactoryWrapper;
20 import io.netty.handler.ssl.util.TrustManagerFactoryWrapper;
21 import io.netty.util.internal.UnstableApi;
22
23 import javax.net.ssl.KeyManager;
24 import javax.net.ssl.KeyManagerFactory;
25 import javax.net.ssl.SNIHostName;
26 import javax.net.ssl.SNIServerName;
27 import javax.net.ssl.SSLEngine;
28 import javax.net.ssl.SSLException;
29 import javax.net.ssl.SSLParameters;
30 import javax.net.ssl.TrustManager;
31 import javax.net.ssl.TrustManagerFactory;
32 import java.io.File;
33 import java.io.InputStream;
34 import java.security.KeyStore;
35 import java.security.PrivateKey;
36 import java.security.Provider;
37 import java.security.SecureRandom;
38 import java.security.cert.X509Certificate;
39 import java.util.ArrayList;
40 import java.util.Collections;
41 import java.util.HashMap;
42 import java.util.List;
43 import java.util.Map;
44
45 import static io.netty.util.internal.EmptyArrays.EMPTY_STRINGS;
46 import static io.netty.util.internal.EmptyArrays.EMPTY_X509_CERTIFICATES;
47 import static io.netty.util.internal.ObjectUtil.checkNotNull;
48 import static io.netty.util.internal.ObjectUtil.checkNotNullWithIAE;
49 import static io.netty.util.internal.ObjectUtil.checkNonEmpty;
50 import static io.netty.util.internal.ObjectUtil.deepCheckNotNull;
51
52 /**
53 * Builder for configuring a new SslContext for creation.
54 */
55 public final class SslContextBuilder {
56 @SuppressWarnings("rawtypes")
57 private static final Map.Entry[] EMPTY_ENTRIES = new Map.Entry[0];
58
59 /**
60 * Creates a builder for new client-side {@link SslContext}.
61 */
62 public static SslContextBuilder forClient() {
63 return new SslContextBuilder(false);
64 }
65
66 /**
67 * Creates a builder for new server-side {@link SslContext}.
68 *
69 * @param keyCertChainFile an X.509 certificate chain file in PEM format
70 * @param keyFile a PKCS#8 private key file in PEM format
71 * @see #keyManager(File, File)
72 */
73 public static SslContextBuilder forServer(File keyCertChainFile, File keyFile) {
74 return new SslContextBuilder(true).keyManager(keyCertChainFile, keyFile);
75 }
76
77 /**
78 * Creates a builder for new server-side {@link SslContext}.
79 *
80 * @param keyCertChainInputStream an input stream for an X.509 certificate chain in PEM format. The caller is
81 * responsible for calling {@link InputStream#close()} after {@link #build()}
82 * has been called.
83 * @param keyInputStream an input stream for a PKCS#8 private key in PEM format. The caller is
84 * responsible for calling {@link InputStream#close()} after {@link #build()}
85 * has been called.
86 *
87 * @see #keyManager(InputStream, InputStream)
88 */
89 public static SslContextBuilder forServer(InputStream keyCertChainInputStream, InputStream keyInputStream) {
90 return new SslContextBuilder(true).keyManager(keyCertChainInputStream, keyInputStream);
91 }
92
93 /**
94 * Creates a builder for new server-side {@link SslContext}.
95 *
96 * @param key a PKCS#8 private key
97 * @param keyCertChain the X.509 certificate chain
98 * @see #keyManager(PrivateKey, X509Certificate[])
99 */
100 public static SslContextBuilder forServer(PrivateKey key, X509Certificate... keyCertChain) {
101 return new SslContextBuilder(true).keyManager(key, keyCertChain);
102 }
103
104 /**
105 * Creates a builder for new server-side {@link SslContext}.
106 *
107 * @param key a PKCS#8 private key
108 * @param keyCertChain the X.509 certificate chain
109 * @see #keyManager(PrivateKey, X509Certificate[])
110 */
111 public static SslContextBuilder forServer(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) {
112 return forServer(key, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
113 }
114
115 /**
116 * Creates a builder for new server-side {@link SslContext}.
117 *
118 * @param keyCertChainFile an X.509 certificate chain file in PEM format
119 * @param keyFile a PKCS#8 private key file in PEM format
120 * @param keyPassword the password of the {@code keyFile}, or {@code null} if it's not
121 * password-protected
122 * @see #keyManager(File, File, String)
123 */
124 public static SslContextBuilder forServer(
125 File keyCertChainFile, File keyFile, String keyPassword) {
126 return new SslContextBuilder(true).keyManager(keyCertChainFile, keyFile, keyPassword);
127 }
128
129 /**
130 * Creates a builder for new server-side {@link SslContext}.
131 *
132 * @param keyCertChainInputStream an input stream for an X.509 certificate chain in PEM format. The caller is
133 * responsible for calling {@link InputStream#close()} after {@link #build()}
134 * has been called.
135 * @param keyInputStream an input stream for a PKCS#8 private key in PEM format. The caller is
136 * responsible for calling {@link InputStream#close()} after {@link #build()}
137 * has been called.
138 * @param keyPassword the password of the {@code keyFile}, or {@code null} if it's not
139 * password-protected
140 * @see #keyManager(InputStream, InputStream, String)
141 */
142 public static SslContextBuilder forServer(
143 InputStream keyCertChainInputStream, InputStream keyInputStream, String keyPassword) {
144 return new SslContextBuilder(true).keyManager(keyCertChainInputStream, keyInputStream, keyPassword);
145 }
146
147 /**
148 * Creates a builder for new server-side {@link SslContext}.
149 *
150 * @param key a PKCS#8 private key
151 * @param keyCertChain the X.509 certificate chain
152 * @param keyPassword the password of the {@code keyFile}, or {@code null} if it's not
153 * password-protected
154 * @see #keyManager(File, File, String)
155 */
156 public static SslContextBuilder forServer(
157 PrivateKey key, String keyPassword, X509Certificate... keyCertChain) {
158 return new SslContextBuilder(true).keyManager(key, keyPassword, keyCertChain);
159 }
160
161 /**
162 * Creates a builder for new server-side {@link SslContext}.
163 *
164 * @param key a PKCS#8 private key
165 * @param keyCertChain the X.509 certificate chain
166 * @param keyPassword the password of the {@code keyFile}, or {@code null} if it's not
167 * password-protected
168 * @see #keyManager(File, File, String)
169 */
170 public static SslContextBuilder forServer(
171 PrivateKey key, String keyPassword, Iterable<? extends X509Certificate> keyCertChain) {
172 return forServer(key, keyPassword, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
173 }
174
175 /**
176 * Creates a builder for new server-side {@link SslContext}.
177 * <p>
178 * If you use {@link SslProvider#OPENSSL} or {@link SslProvider#OPENSSL_REFCNT} consider using
179 * {@link OpenSslX509KeyManagerFactory} or {@link OpenSslCachingX509KeyManagerFactory}.
180 *
181 * @param keyManagerFactory non-{@code null} factory for server's private key
182 * @see #keyManager(KeyManagerFactory)
183 */
184 public static SslContextBuilder forServer(KeyManagerFactory keyManagerFactory) {
185 return new SslContextBuilder(true).keyManager(keyManagerFactory);
186 }
187
188 /**
189 * Creates a builder for new server-side {@link SslContext} with {@link KeyManager}.
190 *
191 * @param keyManager non-{@code null} KeyManager for server's private key
192 */
193 public static SslContextBuilder forServer(KeyManager keyManager) {
194 return new SslContextBuilder(true).keyManager(keyManager);
195 }
196
197 private final boolean forServer;
198 private SslProvider provider;
199 private Provider sslContextProvider;
200 private X509Certificate[] trustCertCollection;
201 private TrustManagerFactory trustManagerFactory;
202 private X509Certificate[] keyCertChain;
203 private PrivateKey key;
204 private String keyPassword;
205 private KeyManagerFactory keyManagerFactory;
206 private List<OpenSslCredential> credentials;
207 private Iterable<String> ciphers;
208 private CipherSuiteFilter cipherFilter = IdentityCipherSuiteFilter.INSTANCE;
209 private ApplicationProtocolConfig apn;
210 private long sessionCacheSize;
211 private long sessionTimeout;
212 private ClientAuth clientAuth = ClientAuth.NONE;
213 private String[] protocols;
214 private boolean startTls;
215 private boolean enableOcsp;
216 private SecureRandom secureRandom;
217 private String keyStoreType = KeyStore.getDefaultType();
218 private String endpointIdentificationAlgorithm;
219 private final Map<SslContextOption<?>, Object> options = new HashMap<SslContextOption<?>, Object>();
220 private final List<SNIServerName> serverNames;
221
222 private SslContextBuilder(boolean forServer) {
223 this.forServer = forServer;
224 if (!forServer) {
225 endpointIdentificationAlgorithm = SslContext.defaultEndpointVerificationAlgorithm;
226 }
227 serverNames = forServer ? null : new ArrayList<>(2); // Only for clients.
228 }
229
230 /**
231 * Configure a {@link SslContextOption}.
232 */
233 public <T> SslContextBuilder option(SslContextOption<T> option, T value) {
234 if (value == null) {
235 options.remove(option);
236 } else {
237 options.put(option, value);
238 }
239 return this;
240 }
241
242 /**
243 * The {@link SslContext} implementation to use. {@code null} uses the default one.
244 */
245 public SslContextBuilder sslProvider(SslProvider provider) {
246 this.provider = provider;
247 return this;
248 }
249
250 /**
251 * Sets the {@link KeyStore} type that should be used. {@code null} uses the default one.
252 */
253 public SslContextBuilder keyStoreType(String keyStoreType) {
254 this.keyStoreType = keyStoreType;
255 return this;
256 }
257
258 /**
259 * The SSLContext {@link Provider} to use. {@code null} uses the default one. This is only
260 * used with {@link SslProvider#JDK}.
261 */
262 public SslContextBuilder sslContextProvider(Provider sslContextProvider) {
263 this.sslContextProvider = sslContextProvider;
264 return this;
265 }
266
267 /**
268 * Trusted certificates for verifying the remote endpoint's certificate. The file should
269 * contain an X.509 certificate collection in PEM format. {@code null} uses the system default.
270 */
271 public SslContextBuilder trustManager(File trustCertCollectionFile) {
272 try {
273 return trustManager(SslContext.toX509Certificates(trustCertCollectionFile));
274 } catch (Exception e) {
275 throw new IllegalArgumentException("File does not contain valid certificates: "
276 + trustCertCollectionFile, e);
277 }
278 }
279
280 /**
281 * Trusted certificates for verifying the remote endpoint's certificate. The input stream should
282 * contain an X.509 certificate collection in PEM format. {@code null} uses the system default.
283 * <p>
284 * The caller is responsible for calling {@link InputStream#close()} after {@link #build()} has been called.
285 */
286 public SslContextBuilder trustManager(InputStream trustCertCollectionInputStream) {
287 try {
288 return trustManager(SslContext.toX509Certificates(trustCertCollectionInputStream));
289 } catch (Exception e) {
290 throw new IllegalArgumentException("Input stream does not contain valid certificates.", e);
291 }
292 }
293
294 /**
295 * Trusted certificates for verifying the remote endpoint's certificate, {@code null} uses the system default.
296 */
297 public SslContextBuilder trustManager(X509Certificate... trustCertCollection) {
298 this.trustCertCollection = trustCertCollection != null ? trustCertCollection.clone() : null;
299 trustManagerFactory = null;
300 return this;
301 }
302
303 /**
304 * Trusted certificates for verifying the remote endpoint's certificate, {@code null} uses the system default.
305 */
306 public SslContextBuilder trustManager(Iterable<? extends X509Certificate> trustCertCollection) {
307 return trustManager(toArray(trustCertCollection, EMPTY_X509_CERTIFICATES));
308 }
309
310 /**
311 * Trusted manager for verifying the remote endpoint's certificate. {@code null} uses the system default.
312 */
313 public SslContextBuilder trustManager(TrustManagerFactory trustManagerFactory) {
314 trustCertCollection = null;
315 this.trustManagerFactory = trustManagerFactory;
316 return this;
317 }
318
319 /**
320 * A single trusted manager for verifying the remote endpoint's certificate.
321 * This is helpful when custom implementation of {@link TrustManager} is needed.
322 * Internally, a simple wrapper of {@link TrustManagerFactory} that only produces this
323 * specified {@link TrustManager} will be created, thus all the requirements specified in
324 * {@link #trustManager(TrustManagerFactory trustManagerFactory)} also apply here.
325 */
326 public SslContextBuilder trustManager(TrustManager trustManager) {
327 if (trustManager != null) {
328 trustManagerFactory = new TrustManagerFactoryWrapper(trustManager);
329 } else {
330 trustManagerFactory = null;
331 }
332 trustCertCollection = null;
333 return this;
334 }
335
336 /**
337 * Identifying certificate for this host. {@code keyCertChainFile} and {@code keyFile} may
338 * be {@code null} for client contexts, which disables mutual authentication.
339 *
340 * @param keyCertChainFile an X.509 certificate chain file in PEM format
341 * @param keyFile a PKCS#8 private key file in PEM format
342 */
343 public SslContextBuilder keyManager(File keyCertChainFile, File keyFile) {
344 return keyManager(keyCertChainFile, keyFile, null);
345 }
346
347 /**
348 * Identifying certificate for this host. {@code keyCertChainInputStream} and {@code keyInputStream} may
349 * be {@code null} for client contexts, which disables mutual authentication.
350 *
351 * @param keyCertChainInputStream an input stream for an X.509 certificate chain in PEM format. The caller is
352 * responsible for calling {@link InputStream#close()} after {@link #build()}
353 * has been called.
354 * @param keyInputStream an input stream for a PKCS#8 private key in PEM format. The caller is
355 * responsible for calling {@link InputStream#close()} after {@link #build()}
356 * has been called.
357 */
358 public SslContextBuilder keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream) {
359 return keyManager(keyCertChainInputStream, keyInputStream, null);
360 }
361
362 /**
363 * Identifying certificate for this host. {@code keyCertChain} and {@code key} may
364 * be {@code null} for client contexts, which disables mutual authentication.
365 *
366 * @param key a PKCS#8 private key
367 * @param keyCertChain an X.509 certificate chain
368 */
369 public SslContextBuilder keyManager(PrivateKey key, X509Certificate... keyCertChain) {
370 return keyManager(key, null, keyCertChain);
371 }
372
373 /**
374 * Identifying certificate for this host. {@code keyCertChain} and {@code key} may
375 * be {@code null} for client contexts, which disables mutual authentication.
376 *
377 * @param key a PKCS#8 private key
378 * @param keyCertChain an X.509 certificate chain
379 */
380 public SslContextBuilder keyManager(PrivateKey key, Iterable<? extends X509Certificate> keyCertChain) {
381 return keyManager(key, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
382 }
383
384 /**
385 * Identifying certificate for this host. {@code keyCertChainFile} and {@code keyFile} may
386 * be {@code null} for client contexts, which disables mutual authentication.
387 *
388 * @param keyCertChainFile an X.509 certificate chain file in PEM format
389 * @param keyFile a PKCS#8 private key file in PEM format
390 * @param keyPassword the password of the {@code keyFile}, or {@code null} if it's not
391 * password-protected
392 */
393 public SslContextBuilder keyManager(File keyCertChainFile, File keyFile, String keyPassword) {
394 X509Certificate[] keyCertChain;
395 PrivateKey key;
396 try {
397 keyCertChain = SslContext.toX509Certificates(keyCertChainFile);
398 } catch (Exception e) {
399 throw new IllegalArgumentException("File does not contain valid certificates: " + keyCertChainFile, e);
400 }
401 try {
402 key = SslContext.toPrivateKey(keyFile, keyPassword);
403 } catch (Exception e) {
404 throw new IllegalArgumentException("File does not contain valid private key: " + keyFile, e);
405 }
406 return keyManager(key, keyPassword, keyCertChain);
407 }
408
409 /**
410 * Identifying certificate for this host. {@code keyCertChainInputStream} and {@code keyInputStream} may
411 * be {@code null} for client contexts, which disables mutual authentication.
412 *
413 * @param keyCertChainInputStream an input stream for an X.509 certificate chain in PEM format. The caller is
414 * responsible for calling {@link InputStream#close()} after {@link #build()}
415 * has been called.
416 * @param keyInputStream an input stream for a PKCS#8 private key in PEM format. The caller is
417 * responsible for calling {@link InputStream#close()} after {@link #build()}
418 * has been called.
419 * @param keyPassword the password of the {@code keyInputStream}, or {@code null} if it's not
420 * password-protected
421 */
422 public SslContextBuilder keyManager(InputStream keyCertChainInputStream, InputStream keyInputStream,
423 String keyPassword) {
424 X509Certificate[] keyCertChain;
425 PrivateKey key;
426 try {
427 keyCertChain = SslContext.toX509Certificates(keyCertChainInputStream);
428 } catch (Exception e) {
429 throw new IllegalArgumentException("Input stream not contain valid certificates.", e);
430 }
431 try {
432 key = SslContext.toPrivateKey(keyInputStream, keyPassword);
433 } catch (Exception e) {
434 throw new IllegalArgumentException("Input stream does not contain valid private key.", e);
435 }
436 return keyManager(key, keyPassword, keyCertChain);
437 }
438
439 /**
440 * Identifying certificate for this host. {@code keyCertChain} and {@code key} may
441 * be {@code null} for client contexts, which disables mutual authentication.
442 *
443 * @param key a PKCS#8 private key file
444 * @param keyPassword the password of the {@code key}, or {@code null} if it's not
445 * password-protected
446 * @param keyCertChain an X.509 certificate chain
447 */
448 public SslContextBuilder keyManager(PrivateKey key, String keyPassword, X509Certificate... keyCertChain) {
449 if (forServer) {
450 checkNonEmpty(keyCertChain, "keyCertChain");
451 checkNotNull(key, "key required for servers");
452 }
453 if (keyCertChain == null || keyCertChain.length == 0) {
454 this.keyCertChain = null;
455 } else {
456 for (X509Certificate cert: keyCertChain) {
457 checkNotNullWithIAE(cert, "cert");
458 }
459 this.keyCertChain = keyCertChain.clone();
460 }
461 this.key = key;
462 this.keyPassword = keyPassword;
463 keyManagerFactory = null;
464 return this;
465 }
466
467 /**
468 * Identifying certificate for this host. {@code keyCertChain} and {@code key} may
469 * be {@code null} for client contexts, which disables mutual authentication.
470 *
471 * @param key a PKCS#8 private key file
472 * @param keyPassword the password of the {@code key}, or {@code null} if it's not
473 * password-protected
474 * @param keyCertChain an X.509 certificate chain
475 */
476 public SslContextBuilder keyManager(PrivateKey key, String keyPassword,
477 Iterable<? extends X509Certificate> keyCertChain) {
478 return keyManager(key, keyPassword, toArray(keyCertChain, EMPTY_X509_CERTIFICATES));
479 }
480
481 /**
482 * Identifying manager for this host. {@code keyManagerFactory} may be {@code null} for
483 * client contexts, which disables mutual authentication. Using a {@link KeyManagerFactory}
484 * is only supported for {@link SslProvider#JDK} or {@link SslProvider#OPENSSL} / {@link SslProvider#OPENSSL_REFCNT}
485 * if the used openssl version is 1.0.1+. You can check if your openssl version supports using a
486 * {@link KeyManagerFactory} by calling {@link OpenSsl#supportsKeyManagerFactory()}. If this is not the case
487 * you must use {@link #keyManager(File, File)} or {@link #keyManager(File, File, String)}.
488 * <p>
489 * If you use {@link SslProvider#OPENSSL} or {@link SslProvider#OPENSSL_REFCNT} consider using
490 * {@link OpenSslX509KeyManagerFactory} or {@link OpenSslCachingX509KeyManagerFactory}.
491 */
492 public SslContextBuilder keyManager(KeyManagerFactory keyManagerFactory) {
493 if (forServer) {
494 checkNotNull(keyManagerFactory, "keyManagerFactory required for servers");
495 }
496 keyCertChain = null;
497 key = null;
498 keyPassword = null;
499 this.keyManagerFactory = keyManagerFactory;
500 return this;
501 }
502
503 /**
504 * Adds a single {@link OpenSslCredential} to this context.
505 *
506 * <p>This is useful for multi-certificate scenarios, such as serving both RSA and ECDSA
507 * certificates to support different client capabilities.
508 *
509 * <p>Credential instances are built with the {@link OpenSslCredentialBuilder}.
510 *
511 * <p>This is a BoringSSL-specific feature and only works with {@link SslProvider#OPENSSL}
512 * or {@link SslProvider#OPENSSL_REFCNT}.
513 * Check {@link OpenSslCredential#isAvailable()} to verify that the feature is supported.
514 *
515 * @param credential the credential to add
516 * @return this builder for chaining
517 * @see OpenSslCredentialBuilder
518 */
519 public SslContextBuilder addCredential(OpenSslCredential credential) {
520 checkNotNull(credential, "credential");
521 if (credentials == null) {
522 credentials = new ArrayList<>();
523 }
524 credentials.add(credential);
525 return this;
526 }
527
528 /**
529 * Adds multiple {@link OpenSslCredential}s to this context.
530 *
531 * <p>This is useful for multi-certificate scenarios, such as serving both RSA and ECDSA
532 * certificates to support different client capabilities.
533 *
534 * <p>Credential instances are built with the {@link OpenSslCredentialBuilder}.
535 *
536 * <p>This is a BoringSSL-specific feature and only works with {@link SslProvider#OPENSSL}
537 * or {@link SslProvider#OPENSSL_REFCNT}.
538 * Check {@link OpenSslCredential#isAvailable()} to verify that the feature is supported.
539 *
540 * @param credentials the credentials to add
541 * @return this builder for chaining
542 * @see OpenSslCredentialBuilder
543 */
544 public SslContextBuilder addCredentials(OpenSslCredential... credentials) {
545 deepCheckNotNull("credentials", credentials);
546 if (this.credentials == null) {
547 this.credentials = new ArrayList<>(credentials.length);
548 }
549 Collections.addAll(this.credentials, credentials);
550 return this;
551 }
552
553 /**
554 * Adds multiple {@link OpenSslCredential}s to this context.
555 *
556 * <p>This is useful for multi-certificate scenarios, such as serving both RSA and ECDSA
557 * certificates to support different client capabilities.
558 *
559 * <p>Credential instances are built with the {@link OpenSslCredentialBuilder}.
560 *
561 * <p>This is a BoringSSL-specific feature and only works with {@link SslProvider#OPENSSL}
562 * or {@link SslProvider#OPENSSL_REFCNT}.
563 * Check {@link OpenSslCredential#isAvailable()} to verify that the feature is supported.
564 *
565 * @param credentials the credentials to add
566 * @return this builder for chaining
567 * @see OpenSslCredentialBuilder
568 */
569 public SslContextBuilder addCredentials(Iterable<? extends OpenSslCredential> credentials) {
570 checkNotNull(credentials, "credentials");
571 // Validate all credentials before adding any of them to avoid partial state
572 for (OpenSslCredential credential : credentials) {
573 checkNotNull(credential, "credential");
574 }
575 if (this.credentials == null) {
576 this.credentials = new ArrayList<>();
577 }
578 for (OpenSslCredential credential : credentials) {
579 this.credentials.add(credential);
580 }
581 return this;
582 }
583
584 /**
585 * A single key manager managing the identity information of this host.
586 * This is helpful when custom implementation of {@link KeyManager} is needed.
587 * Internally, a wrapper of {@link KeyManagerFactory} that only produces this specified
588 * {@link KeyManager} will be created, thus all the requirements specified in
589 * {@link #keyManager(KeyManagerFactory keyManagerFactory)} also apply here.
590 */
591 public SslContextBuilder keyManager(KeyManager keyManager) {
592 if (forServer) {
593 checkNotNull(keyManager, "keyManager required for servers");
594 }
595 if (keyManager != null) {
596 keyManagerFactory = new KeyManagerFactoryWrapper(keyManager);
597 } else {
598 keyManagerFactory = null;
599 }
600 keyCertChain = null;
601 key = null;
602 keyPassword = null;
603 return this;
604 }
605
606 /**
607 * The cipher suites to enable, in the order of preference. {@code null} to use default
608 * cipher suites.
609 */
610 public SslContextBuilder ciphers(Iterable<String> ciphers) {
611 return ciphers(ciphers, IdentityCipherSuiteFilter.INSTANCE);
612 }
613
614 /**
615 * The cipher suites to enable, in the order of preference. {@code cipherFilter} will be
616 * applied to the ciphers before use. If {@code ciphers} is {@code null}, then the default
617 * cipher suites will be used.
618 */
619 public SslContextBuilder ciphers(Iterable<String> ciphers, CipherSuiteFilter cipherFilter) {
620 this.cipherFilter = checkNotNull(cipherFilter, "cipherFilter");
621 this.ciphers = ciphers;
622 return this;
623 }
624
625 /**
626 * Application protocol negotiation configuration. {@code null} disables support.
627 */
628 public SslContextBuilder applicationProtocolConfig(ApplicationProtocolConfig apn) {
629 this.apn = apn;
630 return this;
631 }
632
633 /**
634 * Set the size of the cache used for storing SSL session objects. {@code 0} to use the
635 * default value.
636 */
637 public SslContextBuilder sessionCacheSize(long sessionCacheSize) {
638 this.sessionCacheSize = sessionCacheSize;
639 return this;
640 }
641
642 /**
643 * Set the timeout for the cached SSL session objects, in seconds. {@code 0} to use the
644 * default value.
645 */
646 public SslContextBuilder sessionTimeout(long sessionTimeout) {
647 this.sessionTimeout = sessionTimeout;
648 return this;
649 }
650
651 /**
652 * Sets the client authentication mode.
653 */
654 public SslContextBuilder clientAuth(ClientAuth clientAuth) {
655 this.clientAuth = checkNotNull(clientAuth, "clientAuth");
656 return this;
657 }
658
659 /**
660 * The TLS protocol versions to enable.
661 * @param protocols The protocols to enable, or {@code null} to enable the default protocols.
662 * @see SSLEngine#setEnabledCipherSuites(String[])
663 */
664 public SslContextBuilder protocols(String... protocols) {
665 this.protocols = protocols == null ? null : protocols.clone();
666 return this;
667 }
668
669 /**
670 * The TLS protocol versions to enable.
671 * @param protocols The protocols to enable, or {@code null} to enable the default protocols.
672 * @see SSLEngine#setEnabledCipherSuites(String[])
673 */
674 public SslContextBuilder protocols(Iterable<String> protocols) {
675 return protocols(toArray(protocols, EMPTY_STRINGS));
676 }
677
678 /**
679 * {@code true} if the first write request shouldn't be encrypted.
680 */
681 public SslContextBuilder startTls(boolean startTls) {
682 this.startTls = startTls;
683 return this;
684 }
685
686 /**
687 * Enables OCSP stapling. Please note that not all {@link SslProvider} implementations support OCSP
688 * stapling and an exception will be thrown upon {@link #build()}.
689 *
690 * @see OpenSsl#isOcspSupported()
691 */
692 @UnstableApi
693 public SslContextBuilder enableOcsp(boolean enableOcsp) {
694 this.enableOcsp = enableOcsp;
695 return this;
696 }
697
698 /**
699 * Specify a non-default source of randomness for the {@link JdkSslContext}
700 * <p>
701 * In general, the best practice is to leave this unspecified, or to assign a new random source using the
702 * default {@code new SecureRandom()} constructor.
703 * Only assign this something when you have a good reason to.
704 *
705 * @param secureRandom the source of randomness for {@link JdkSslContext}
706 *
707 */
708 public SslContextBuilder secureRandom(SecureRandom secureRandom) {
709 this.secureRandom = secureRandom;
710 return this;
711 }
712
713 /**
714 * Specify the endpoint identification algorithm (aka. hostname verification algorithm) that clients will use as
715 * part of authenticating servers.
716 * <p>
717 * See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#jssenames">
718 * Java Security Standard Names</a> for a list of supported algorithms.
719 *
720 * @param algorithm either {@code "HTTPS"}, {@code "LDAPS"}, or {@code null} (disables hostname verification).
721 * @see SSLParameters#setEndpointIdentificationAlgorithm(String)
722 */
723 public SslContextBuilder endpointIdentificationAlgorithm(String algorithm) {
724 endpointIdentificationAlgorithm = algorithm;
725 return this;
726 }
727
728 /**
729 * Add the given server name indication to this client context. This will cause the client to include a
730 * Server Name Indication extension with its {@code ClientHello} message, as per
731 * <a href="https://datatracker.ietf.org/doc/html/rfc6066#section-3">RFC 6066 section 3</a>.
732 * <p>
733 * Note that only one name per name type can be included in the message.
734 * Currently, only the {@link SNIHostName} type is supported.
735 * @param serverName The server name to include in the SNI extension.
736 */
737 public SslContextBuilder serverName(SNIServerName serverName) {
738 if (forServer) {
739 throw new UnsupportedOperationException("Cannot add Server Name Indication extension, " +
740 "because this is a server context builder.");
741 }
742 checkNotNull(serverName, "serverName");
743 if (!(serverName instanceof SNIHostName)) {
744 throw new IllegalArgumentException("Only SNIHostName is supported. The given SNIServerName type was " +
745 serverName.getClass().getName());
746 }
747 serverNames.add(serverName);
748 return this;
749 }
750
751 /**
752 * Create new {@code SslContext} instance with configured settings.
753 * <p>If {@link #sslProvider(SslProvider)} is set to {@link SslProvider#OPENSSL_REFCNT} then the caller is
754 * responsible for releasing this object, or else native memory may leak.
755 */
756 public SslContext build() throws SSLException {
757 if (forServer) {
758 return SslContext.newServerContextInternal(provider, sslContextProvider, trustCertCollection,
759 trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory,
760 ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, clientAuth, protocols, startTls,
761 enableOcsp, secureRandom, keyStoreType, toArray(options.entrySet(), EMPTY_ENTRIES),
762 credentials);
763 } else {
764 return SslContext.newClientContextInternal(provider, sslContextProvider, trustCertCollection,
765 trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory,
766 ciphers, cipherFilter, apn, protocols, sessionCacheSize,
767 sessionTimeout, enableOcsp, secureRandom, keyStoreType, endpointIdentificationAlgorithm,
768 serverNames, toArray(options.entrySet(), EMPTY_ENTRIES), credentials);
769 }
770 }
771
772 private static <T> T[] toArray(Iterable<? extends T> iterable, T[] prototype) {
773 if (iterable == null) {
774 return null;
775 }
776 final List<T> list = new ArrayList<T>();
777 for (T element : iterable) {
778 list.add(element);
779 }
780 return list.toArray(prototype);
781 }
782 }