org.apache.tomcat.jni.SSL Java Examples

Example #1
Source File: OpenSSLEngine.java — from Tomcat8-Source-Read (MIT License)
@Override
public String getCipherSuite() {
    // Fast path: the negotiated suite is cached after the first successful lookup.
    if (cipher != null) {
        return cipher;
    }
    String openSslName;
    synchronized (OpenSSLEngine.this) {
        // The native SSL object must not be queried before the handshake has
        // completed or after it has been freed.
        if (!handshakeFinished || destroyed) {
            return INVALID_CIPHER;
        }
        openSslName = SSL.getCipherForSSL(ssl);
    }
    // The name mapping runs outside the lock. A name with no JSSE equivalent
    // leaves the cache empty, so this method can return null in that case.
    String jsseName = OpenSSLCipherConfigurationParser.openSSLToJsse(openSslName);
    if (jsseName != null) {
        cipher = jsseName;
    }
    return cipher;
}
 
Example #2
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
/**
 * Drives one step of the TLS handshake on the native SSL object.
 *
 * @throws SSLException if OpenSSL reports an error for the handshake step;
 *         the engine is shut down before the exception is thrown
 */
private void handshake() throws SSLException {
    int rc = SSL.doHandshake(ssl);
    if (rc > 0) {
        // A positive return means SSL_do_handshake completed, so the flag is
        // set here rather than discovered later through SSL.isInInit(...).
        handshakeFinished = true;
        return;
    }
    // rc <= 0 is only treated as a failure when the OpenSSL error queue
    // actually holds an error; otherwise the step simply needs more I/O.
    long errorCode = SSL.getLastErrorNumber();
    if (!OpenSsl.isError(errorCode)) {
        return;
    }
    String message = SSL.getErrorString(errorCode);
    if (logger.isDebugEnabled()) {
        logger.debug(
                "SSL_do_handshake failed: OpenSSL error: '" + message + '\'');
    }
    // Internal error: release native state before reporting it to the caller.
    shutdown();
    throw new SSLException(message);
}
 
Example #3
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
@Override
public synchronized void closeOutbound() {
    if (isOutboundDone) {
        return; // already closed: idempotent
    }
    isOutboundDone = true;
    engineClosed = true;

    boolean handshakeStarted = accepted != 0;
    boolean nativeStateLive = destroyed == 0;
    if (!handshakeStarted || !nativeStateLive) {
        // Nothing was negotiated with the peer yet: tear the engine down outright.
        shutdown();
        return;
    }
    // Initiate the TLS shutdown (presumably SSL_shutdown) unless the
    // SSL_SENT_SHUTDOWN flag shows close_notify already went out.
    int shutdownState = SSL.getShutdown(ssl);
    boolean closeNotifySent = (shutdownState & SSL.SSL_SENT_SHUTDOWN) == SSL.SSL_SENT_SHUTDOWN;
    if (!closeNotifySent) {
        SSL.shutdownSSL(ssl);
    }
}
 
Example #4
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
/**
 * Creates a new engine bound to an existing native {@code SSL_CTX}.
 *
 * @param sslCtx native {@code SSL_CTX} handle; must not be {@code 0}
 * @param alloc the {@link ByteBufAllocator} used by this engine; must not be {@code null}
 * @param fallbackApplicationProtocol application protocol name reported by
 *        {@code getProtocol()} when none was negotiated; may be {@code null}
 * @param clientMode {@code true} for a client-side engine, {@code false} for server side
 * @param sessionContext the {@link OpenSslSessionContext} this {@link SSLEngine} belongs to
 * @param engineMap map the engine removes itself from on {@code shutdown()}
 * @throws NullPointerException if {@code sslCtx} is {@code 0} or {@code alloc} is {@code null}
 */
OpenSslEngine(long sslCtx, ByteBufAllocator alloc, String fallbackApplicationProtocol,
              boolean clientMode, OpenSslSessionContext sessionContext, OpenSslEngineMap engineMap) {
    OpenSsl.ensureAvailability();
    if (sslCtx == 0) {
        throw new NullPointerException("sslCtx");
    }
    // All argument validation happens before any native allocation, so a bad
    // argument never leaks an SSL object or BIO.
    this.alloc = ObjectUtil.checkNotNull(alloc, "alloc");
    this.clientMode = clientMode;
    this.fallbackApplicationProtocol = fallbackApplicationProtocol;
    this.sessionContext = sessionContext;
    this.engineMap = engineMap;
    // SSL.newSSL's second argument is !clientMode - presumably a "server"
    // flag; verify against the JNI signature. The BIO is tied to that SSL object.
    this.ssl = SSL.newSSL(sslCtx, !clientMode);
    this.networkBIO = SSL.makeNetworkBIO(this.ssl);
}
 
Example #5
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
/**
 * Applies a client-certificate verification mode to the native SSL object.
 * No-op for client-side engines and when the mode is already in effect.
 *
 * @param mode the verification mode to apply
 */
private void setClientAuth(ClientAuthMode mode) {
    // Only a server-side engine verifies the peer's (client) certificate.
    if (clientMode) {
        return;
    }
    synchronized (this) {
        if (clientAuth == mode) {
            return; // already in effect: avoid a needless JNI call
        }
        int verifyFlag;
        switch (mode) {
            case NONE:
                verifyFlag = SSL.SSL_CVERIFY_NONE;
                break;
            case REQUIRE:
                verifyFlag = SSL.SSL_CVERIFY_REQUIRE;
                break;
            case OPTIONAL:
                verifyFlag = SSL.SSL_CVERIFY_OPTIONAL;
                break;
            default:
                // Unrecognised mode: remember it but touch nothing native.
                clientAuth = mode;
                return;
        }
        SSL.setVerify(ssl, verifyFlag, OpenSslContext.VERIFY_DEPTH);
        clientAuth = mode;
    }
}
 
Example #6
Source File: TesterSupport.java — from Tomcat8-Source-Read (MIT License)
/**
 * Picks the TLS protocol version the test suite should use for the given
 * connector: TLS 1.3 where both the JSSE client and the server side support
 * it, TLS 1.2 otherwise.
 *
 * @param connector the connector under test
 * @return the protocol name constant to configure
 */
public static String getDefaultTLSProtocolForTesting(Connector connector) {
    // The test client side always uses JSSE, so TLS 1.3 is only an option when
    // the JSSE provider on this JVM supports it.
    if (!TLSV13_AVAILABLE) {
        return Constants.SSL_PROTO_TLSv1_2;
    }
    boolean aprConnector = connector.getProtocolHandlerClassName().contains("Apr");
    if (!aprConnector) {
        // NIO / NIO2: the tests use plain JSSE, and TLS 1.3 was confirmed above.
        return Constants.SSL_PROTO_TLSv1_3;
    }
    // APR connector: OpenSSL serves TLS. 0x1010100f is the OPENSSL_VERSION_NUMBER
    // of the 1.1.1 release, the first OpenSSL with TLS 1.3 support.
    final int minTls13OpenSslVersion = 0x1010100f;
    return SSL.version() >= minTls13OpenSslVersion
            ? Constants.SSL_PROTO_TLSv1_3
            : Constants.SSL_PROTO_TLSv1_2;
}
 
Example #7
Source File: OpenSSLEngine.java — from Tomcat8-Source-Read (MIT License)
/**
 * Applies a client-certificate verification mode to the native SSL object.
 * No-op for client-side engines and when the mode is already in effect.
 *
 * @param mode the verification mode to apply
 */
private void setClientAuth(ClientAuthMode mode) {
    // Only a server-side engine verifies the peer's (client) certificate.
    if (clientMode) {
        return;
    }
    synchronized (this) {
        if (clientAuth == mode) {
            return; // already in effect: avoid a needless JNI call
        }
        int verifyFlag;
        switch (mode) {
            case NONE:
                verifyFlag = SSL.SSL_CVERIFY_NONE;
                break;
            case REQUIRE:
                verifyFlag = SSL.SSL_CVERIFY_REQUIRE;
                break;
            case OPTIONAL:
                // With certificateVerificationOptionalNoCA the optional mode
                // skips CA verification of the presented certificate.
                verifyFlag = certificateVerificationOptionalNoCA
                        ? SSL.SSL_CVERIFY_OPTIONAL_NO_CA
                        : SSL.SSL_CVERIFY_OPTIONAL;
                break;
            default:
                // Unrecognised mode: remember it but touch nothing native.
                clientAuth = mode;
                return;
        }
        SSL.setVerify(ssl, verifyFlag, certificateVerificationDepth);
        clientAuth = mode;
    }
}
 
Example #8
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
    // Built lazily and cached in x509PeerCerts to keep memory use low.
    X509Certificate[] cached = x509PeerCerts;
    if (cached != null) {
        return cached;
    }
    // The peer chain is only meaningful once the handshake has completed.
    // NOTE(review): no synchronisation here; confirm callers do not race a shutdown().
    if (SSL.isInInit(ssl) != 0) {
        throw new SSLPeerUnverifiedException("peer not verified");
    }
    byte[][] encodedChain = SSL.getPeerCertChain(ssl);
    if (encodedChain == null) {
        throw new SSLPeerUnverifiedException("peer not verified");
    }
    X509Certificate[] parsed = new X509Certificate[encodedChain.length];
    int index = 0;
    for (byte[] encoded : encodedChain) {
        try {
            parsed[index++] = X509Certificate.getInstance(encoded);
        } catch (CertificateException e) {
            // A chain OpenSSL already handed over should always parse; treat
            // failure as an engine state error rather than an unverified peer.
            throw new IllegalStateException(e);
        }
    }
    x509PeerCerts = parsed;
    return parsed;
}
 
Example #9
Source File: OpenSSLEngine.java — from Tomcat8-Source-Read (MIT License)
/**
 * Requests a new handshake on the established connection and drives its
 * first step. Cached handshake results (peer certificates, finished flag)
 * are discarded so they are re-read from the new handshake.
 *
 * @throws SSLException if OpenSSL reports an error for either step
 */
private synchronized void renegotiate() throws SSLException {
    clearLastError();
    // TLS 1.3 has no renegotiation; post-handshake client authentication is
    // the mechanism used there instead.
    boolean tls13 = SSL.getVersion(ssl).equals(Constants.SSL_PROTO_TLSv1_3);
    int requestResult = tls13
            ? SSL.verifyClientPostHandshake(ssl)
            : SSL.renegotiate(ssl);
    if (requestResult <= 0) {
        checkLastError();
    }
    // Invalidate everything derived from the previous handshake.
    handshakeFinished = false;
    peerCerts = null;
    x509PeerCerts = null;
    currentHandshake = SSL.getHandshakeCount(ssl);
    int driveResult = SSL.doHandshake(ssl);
    if (driveResult <= 0) {
        checkLastError();
    }
}
 
Example #10
Source File: OpenSSLEngine.java — from Tomcat8-Source-Read (MIT License)
/**
 * Drives one step of the TLS handshake and, once it completes, records the
 * negotiated application protocol and session access time.
 *
 * @throws SSLException if OpenSSL reports an error for the handshake step
 */
private void handshake() throws SSLException {
    currentHandshake = SSL.getHandshakeCount(ssl);
    clearLastError();
    int rc = SSL.doHandshake(ssl);
    if (rc <= 0) {
        // Not complete; checkLastError() is expected to throw only when an
        // OpenSSL error is actually queued.
        checkLastError();
        return;
    }
    // rc > 0: SSL_do_handshake finished, so record that directly and spare
    // the later SSL.isInInit(...) polling.
    if (alpn) {
        // Prefer the ALPN result; fall back to NPN when ALPN selected nothing.
        selectedProtocol = SSL.getAlpnSelected(ssl);
        if (selectedProtocol == null) {
            selectedProtocol = SSL.getNextProtoNegotiated(ssl);
        }
    }
    session.lastAccessedTime = System.currentTimeMillis();
    handshakeFinished = true;
}
 
Example #11
Source File: OpenSSLEngine.java — from Tomcat8-Source-Read (MIT License)
@Override
public synchronized String[] getEnabledCipherSuites() {
    if (destroyed) {
        return new String[0];
    }
    String[] suites = SSL.getCiphers(ssl);
    if (suites == null) {
        return new String[0];
    }
    // Translate in place: OpenSSL names become JSSE names where a mapping
    // exists; names without one are returned unchanged.
    int count = suites.length;
    for (int i = 0; i < count; i++) {
        String jsseName = OpenSSLCipherConfigurationParser.openSSLToJsse(suites[i]);
        if (jsseName != null) {
            suites[i] = jsseName;
        }
    }
    return suites;
}
 
Example #12
Source File: OpenSSLEngine.java — from Tomcat8-Source-Read (MIT License)
/**
 * Creates a new engine on top of an existing native {@code SSL_CTX}.
 *
 * @param sslCtx native {@code SSL_CTX} handle; must not be {@code 0}
 * @param fallbackApplicationProtocol application protocol reported when
 *        none was negotiated
 * @param clientMode {@code true} for a client-side engine, {@code false}
 *        for server side
 * @param sessionContext the {@link OpenSSLSessionContext} this
 *        {@link SSLEngine} belongs to
 * @param alpn {@code true} to negotiate an application protocol via ALPN
 * @param initialized {@code true} if protocol, cipher and client
 *        verification settings are taken from {@code sslCtx} rather than
 *        configured per engine
 * @param certificateVerificationDepth maximum certificate chain depth used
 *        when verifying the peer
 * @param certificateVerificationOptionalNoCA skip CA verification in
 *        optional client-auth mode
 * @throws IllegalArgumentException if {@code sslCtx} is {@code 0}
 */
OpenSSLEngine(long sslCtx, String fallbackApplicationProtocol,
        boolean clientMode, OpenSSLSessionContext sessionContext, boolean alpn,
        boolean initialized, int certificateVerificationDepth,
        boolean certificateVerificationOptionalNoCA) {
    if (sslCtx == 0) {
        throw new IllegalArgumentException(sm.getString("engine.noSSLContext"));
    }
    session = new OpenSSLSession();
    // The engine is flagged destroyed while the native handles are created -
    // presumably so that a failure half-way never leaves it looking usable;
    // confirm against shutdown()/finalisation before relying on it.
    destroyed = true;
    ssl = SSL.newSSL(sslCtx, !clientMode);
    networkBIO = SSL.makeNetworkBIO(ssl);
    destroyed = false;
    this.clientMode = clientMode;
    this.alpn = alpn;
    this.initialized = initialized;
    this.fallbackApplicationProtocol = fallbackApplicationProtocol;
    this.sessionContext = sessionContext;
    this.certificateVerificationDepth = certificateVerificationDepth;
    this.certificateVerificationOptionalNoCA = certificateVerificationOptionalNoCA;
}
 
Example #13
Source File: OpenSSLEngine.java — from Tomcat8-Source-Read (MIT License)
@Override
public synchronized void closeOutbound() {
    if (isOutboundDone) {
        return; // already closed: idempotent
    }
    isOutboundDone = true;
    engineClosed = true;

    boolean handshakeStarted = accepted != Accepted.NOT;
    if (!handshakeStarted || destroyed) {
        // Nothing negotiated yet, or native state already gone: tear down directly.
        shutdown();
        return;
    }
    // Initiate the TLS shutdown unless SSL_SENT_SHUTDOWN shows the
    // close_notify already went out.
    int shutdownState = SSL.getShutdown(ssl);
    boolean alreadySent = (shutdownState & SSL.SSL_SENT_SHUTDOWN) == SSL.SSL_SENT_SHUTDOWN;
    if (!alreadySent) {
        SSL.shutdownSSL(ssl);
    }
}
 
Example #14
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
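/**
 * Returns the negotiated TLS version, suffixed with the application protocol
 * ({@code "<version>:<protocol>"}) when one was negotiated or a fallback is
 * configured.
 *
 * The application protocol is resolved once and cached in the field; any
 * ':' in it is replaced by '_' so the cached name cannot be confused with
 * the separator used here.
 *
 * @return the protocol string; never {@code null}
 */
@Override
public String getProtocol() {
    // NOTE(review): not synchronised; the cache is a benign race at worst
    // (same value computed twice) - confirm against the rest of the class.
    String applicationProtocol = OpenSslEngine.this.applicationProtocol;
    if (applicationProtocol == null) {
        applicationProtocol = SSL.getNextProtoNegotiated(ssl);
        if (applicationProtocol == null) {
            applicationProtocol = fallbackApplicationProtocol;
        }
        if (applicationProtocol != null) {
            // Assign the sanitised value to the local as well: the original
            // only stored it in the field, so the first call returned the
            // unsanitised name and later (cached) calls the sanitised one.
            applicationProtocol = applicationProtocol.replace(':', '_');
        } else {
            applicationProtocol = "";
        }
        OpenSslEngine.this.applicationProtocol = applicationProtocol;
    }
    String version = SSL.getVersion(ssl);
    return applicationProtocol.isEmpty() ? version : version + ':' + applicationProtocol;
}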
 
Example #15
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
@Override
public synchronized SSLEngineResult.HandshakeStatus getHandshakeStatus() {
    boolean handshakeStarted = accepted != 0;
    boolean nativeFreed = destroyed != 0;
    if (!handshakeStarted || nativeFreed) {
        return NOT_HANDSHAKING;
    }

    if (!handshakeFinished) {
        // Initial handshake: anything queued in the network BIO must be
        // wrapped and sent before anything else.
        if (SSL.pendingWrittenBytesInBIO(networkBIO) != 0) {
            return NEED_WRAP;
        }
        // Nothing to send. If OpenSSL has left its init state the handshake
        // is over; otherwise we are waiting on input from the peer.
        boolean stillInInit = SSL.isInInit(ssl) != 0;
        if (stillInInit) {
            return NEED_UNWRAP;
        }
        handshakeFinished = true;
        return FINISHED;
    }

    if (!engineClosed) {
        return NOT_HANDSHAKING;
    }
    // Shutdown phase: our close_notify is sent first if it is queued,
    // otherwise we wait to receive the peer's.
    boolean closeNotifyQueued = SSL.pendingWrittenBytesInBIO(networkBIO) != 0;
    return closeNotifyQueued ? NEED_WRAP : NEED_UNWRAP;
}
 
Example #16
Source File: AprSSLSupport.java — from Tomcat8-Source-Read (MIT License)
@Override
public String getSessionId() throws IOException {
    String sessionId;
    try {
        sessionId = socketWrapper.getSSLInfoS(SSL.SSL_INFO_SESSION_ID);
    } catch (Exception e) {
        // Any failure of the native lookup is reported as an I/O error, cause kept.
        throw new IOException(e);
    }
    return sessionId;
}
 
Example #17
Source File: AprSSLSupport.java — from Tomcat8-Source-Read (MIT License)
@Override
public String getProtocol() throws IOException {
    String protocol;
    try {
        protocol = socketWrapper.getSSLInfoS(SSL.SSL_INFO_PROTOCOL);
    } catch (Exception e) {
        // Any failure of the native lookup is reported as an I/O error, cause kept.
        throw new IOException(e);
    }
    return protocol;
}
 
Example #18
Source File: AprEndpoint.java — from Tomcat7.0.67 (Apache License 2.0)
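/**
 * Applies the configured socket options to a freshly accepted APR socket
 * and, when an SSL context is configured, performs the TLS handshake on it.
 *
 * @param socket APR socket handle
 * @return {@code true} if the socket is ready for processing, {@code false}
 *         if the caller must close it (option failure or failed handshake)
 */
protected boolean setSocketOptions(long socket) {
    // Tracks which phase failed so the catch block logs the right message.
    int step = 1;
    try {

        // 1: socket options - linger, TCP_NODELAY, read timeout
        if (socketProperties.getSoLingerOn() && socketProperties.getSoLingerTime() >= 0) {
            Socket.optSet(socket, Socket.APR_SO_LINGER, socketProperties.getSoLingerTime());
        }
        if (socketProperties.getTcpNoDelay()) {
            // The guard already established the flag is on; no need to re-evaluate it.
            Socket.optSet(socket, Socket.APR_TCP_NODELAY, 1);
        }
        // soTimeout is in milliseconds, APR socket timeouts in microseconds.
        // Multiply in long arithmetic so large timeouts cannot overflow int.
        Socket.timeoutSet(socket, socketProperties.getSoTimeout() * 1000L);

        // 2: SSL handshake
        step = 2;
        if (sslContext != 0) {
            SSLSocket.attach(sslContext, socket);
            if (SSLSocket.handshake(socket) != 0) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("endpoint.err.handshake") + ": " + SSL.getLastError());
                }
                return false;
            }
        }

    } catch (Throwable t) {
        // Tomcat's helper rethrows fatal errors (e.g. VirtualMachineError);
        // everything else is logged and the socket is closed instead of
        // killing the acceptor.
        ExceptionUtils.handleThrowable(t);
        if (log.isDebugEnabled()) {
            if (step == 2) {
                log.debug(sm.getString("endpoint.err.handshake"), t);
            } else {
                log.debug(sm.getString("endpoint.err.unexpected"), t);
            }
        }
        // Tell the caller to close the socket
        return false;
    }
    return true;
}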
 
Example #19
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
@Override
public byte[] getId() {
    // Deliberately not cached, to keep per-session memory to a minimum.
    byte[] sessionId = SSL.getSessionId(ssl);
    if (sessionId != null) {
        return sessionId;
    }
    // A null id means the underlying SESSION itself is not valid.
    throw new IllegalStateException("SSL session ID not available");
}
 
Example #20
Source File: AprEndpoint.java — from tomcatsrc (Apache License 2.0)
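/**
 * Applies the configured socket options to a freshly accepted APR socket
 * and, when an SSL context is configured, performs the TLS handshake on it.
 *
 * @param socket APR socket handle
 * @return {@code true} if the socket is ready for processing, {@code false}
 *         if the caller must close it (option failure or failed handshake)
 */
protected boolean setSocketOptions(long socket) {
    // Tracks which phase failed so the catch block logs the right message.
    int step = 1;
    try {

        // 1: socket options - linger, TCP_NODELAY, read timeout
        if (socketProperties.getSoLingerOn() && socketProperties.getSoLingerTime() >= 0) {
            Socket.optSet(socket, Socket.APR_SO_LINGER, socketProperties.getSoLingerTime());
        }
        if (socketProperties.getTcpNoDelay()) {
            // The guard already established the flag is on; no need to re-evaluate it.
            Socket.optSet(socket, Socket.APR_TCP_NODELAY, 1);
        }
        // soTimeout is in milliseconds, APR socket timeouts in microseconds.
        // Multiply in long arithmetic so large timeouts cannot overflow int.
        Socket.timeoutSet(socket, socketProperties.getSoTimeout() * 1000L);

        // 2: SSL handshake
        step = 2;
        if (sslContext != 0) {
            SSLSocket.attach(sslContext, socket);
            if (SSLSocket.handshake(socket) != 0) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("endpoint.err.handshake") + ": " + SSL.getLastError());
                }
                return false;
            }
        }

    } catch (Throwable t) {
        // Tomcat's helper rethrows fatal errors (e.g. VirtualMachineError);
        // everything else is logged and the socket is closed instead of
        // killing the acceptor.
        ExceptionUtils.handleThrowable(t);
        if (log.isDebugEnabled()) {
            if (step == 2) {
                log.debug(sm.getString("endpoint.err.handshake"), t);
            } else {
                log.debug(sm.getString("endpoint.err.unexpected"), t);
            }
        }
        // Tell the caller to close the socket
        return false;
    }
    return true;
}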
 
Example #21
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
/**
 * Converts an OpenSSL cipher suite name to its Java (JSSE) name.
 *
 * @param openSslCipherSuite OpenSSL-style name; may be {@code null}
 * @return {@code null} for a {@code null} input, otherwise whatever
 *         {@code CipherSuiteConverter.toJava} yields for the name
 */
private String toJavaCipherSuite(String openSslCipherSuite) {
    if (openSslCipherSuite != null) {
        // The Java name prefix depends on the negotiated protocol version
        // (presumably the SSL_/TLS_ distinction).
        String javaPrefix = toJavaCipherSuitePrefix(SSL.getVersion(ssl));
        return CipherSuiteConverter.toJava(openSslCipherSuite, javaPrefix);
    }
    return null;
}
 
Example #22
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
@Override
public String getCipherSuite() {
    if (!handshakeFinished) {
        return INVALID_CIPHER;
    }
    // Resolved once and cached. A suite with no Java mapping leaves the
    // cache null, and null is then what this method returns.
    String suite = cipher;
    if (suite == null) {
        suite = toJavaCipherSuite(SSL.getCipherForSSL(ssl));
        if (suite != null) {
            cipher = suite;
        }
    }
    return suite;
}
 
Example #23
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
/**
 * Frees the native SSL object and network BIO exactly once and marks the
 * engine closed. Safe to call repeatedly: later calls are no-ops.
 */
public synchronized void shutdown() {
    // The 0 -> 1 CAS guarantees the native handles are freed only once.
    boolean firstCall = DESTROYED_UPDATER.compareAndSet(this, 0, 1);
    if (!firstCall) {
        return;
    }
    engineMap.remove(ssl);
    SSL.freeSSL(ssl);
    SSL.freeBIO(networkBIO);
    // Zero the handles so a stale pointer is never handed back to OpenSSL.
    ssl = 0;
    networkBIO = 0;
    // Internal errors can reach here without the close flags having been set.
    isInboundDone = true;
    isOutboundDone = true;
    engineClosed = true;
}
 
Example #24
Source File: AprEndpoint.java — from Tomcat8-Source-Read (MIT License)
/**
 * Switches the live connection to mandatory client-certificate verification
 * and triggers a renegotiation so the certificate is actually requested.
 *
 * @param sslSupport not used by this implementation
 * @throws IOException wrapping any failure of the native calls
 */
@Override
public void doClientAuth(SSLSupport sslSupport) throws IOException {
    long socket = getSocket().longValue();
    try {
        // The -1 depth argument is interpreted by the native layer; its
        // exact meaning is not visible here.
        SSLSocket.setVerify(socket, SSL.SSL_CVERIFY_REQUIRE, -1);
        SSLSocket.renegotiate(socket);
    } catch (Throwable t) {
        // Fatal errors are rethrown by the helper; everything else surfaces as IOException.
        ExceptionUtils.handleThrowable(t);
        throw new IOException(sm.getString("socket.sslreneg"), t);
    }
}
 
Example #25
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
@Override
public String[] getEnabledCipherSuites() {
    String[] suites = SSL.getCiphers(ssl);
    if (suites == null) {
        return EmptyArrays.EMPTY_STRINGS;
    }
    // Rewrite OpenSSL names to Java names in place; names with no mapping stay as-is.
    for (int i = 0, n = suites.length; i < n; i++) {
        String javaName = toJavaCipherSuite(suites[i]);
        if (javaName != null) {
            suites[i] = javaName;
        }
    }
    return suites;
}
 
Example #26
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
@Override
public void setEnabledCipherSuites(String[] cipherSuites) {
    ObjectUtil.checkNotNull(cipherSuites, "cipherSuites");

    // Build the OpenSSL cipher list ("A:B:C"). A null element terminates the
    // list; every listed suite must be one OpenSSL actually supports.
    final StringBuilder spec = new StringBuilder();
    int listed = 0;
    for (String javaName : cipherSuites) {
        if (javaName == null) {
            break;
        }
        String openSslName = CipherSuiteConverter.toOpenSsl(javaName);
        if (openSslName == null) {
            openSslName = javaName; // unconverted names are passed through as given
        }
        if (!OpenSsl.isCipherSuiteAvailable(openSslName)) {
            throw new IllegalArgumentException("unsupported cipher suite: " + javaName + '(' + openSslName + ')');
        }
        if (listed++ > 0) {
            spec.append(':');
        }
        spec.append(openSslName);
    }

    if (listed == 0) {
        throw new IllegalArgumentException("empty cipher suites");
    }

    final String cipherSuiteSpec = spec.toString();
    try {
        SSL.setCipherSuites(ssl, cipherSuiteSpec);
    } catch (Exception e) {
        throw new IllegalStateException("failed to enable cipher suites: " + cipherSuiteSpec, e);
    }
}
 
Example #27
Source File: OpenSslEngine.java — from netty4.0.27Learn (Apache License 2.0)
@Override
public String[] getEnabledProtocols() {
    List<String> enabled = new ArrayList<String>();
    // OpenSSL offers no option to disable SSLv2Hello, so it is always reported.
    enabled.add(PROTOCOL_SSL_V2_HELLO);
    int opts = SSL.getOptions(ssl);
    // Each SSL_OP_NO_* bit disables one version; a clear bit means enabled.
    // Order matches the historical output order.
    int[] disableBits = {
            SSL.SSL_OP_NO_TLSv1, SSL.SSL_OP_NO_TLSv1_1, SSL.SSL_OP_NO_TLSv1_2,
            SSL.SSL_OP_NO_SSLv2, SSL.SSL_OP_NO_SSLv3 };
    String[] names = {
            PROTOCOL_TLS_V1, PROTOCOL_TLS_V1_1, PROTOCOL_TLS_V1_2,
            PROTOCOL_SSL_V2, PROTOCOL_SSL_V3 };
    for (int i = 0; i < disableBits.length; i++) {
        if ((opts & disableBits[i]) == 0) {
            enabled.add(names[i]);
        }
    }
    int size = enabled.size();
    return size == 0 ? EmptyArrays.EMPTY_STRINGS : enabled.toArray(new String[size]);
}
 
Example #28
Source File: AprSSLSupport.java — from Tomcat8-Source-Read (MIT License)
@Override
public X509Certificate[] getPeerCertificateChain() throws IOException {
    try {
        // The chain length is -1 on error, but also when TLS session tickets
        // are in use (OpenSSL does not store the chain in the ticket). It is
        // therefore clamped to 0 and only the leaf is returned in that case.
        int chainLength = socketWrapper.getSSLInfoI(SSL.SSL_INFO_CLIENT_CERT_CHAIN);
        byte[] leafEncoded = socketWrapper.getSSLInfoB(SSL.SSL_INFO_CLIENT_CERT);
        if (leafEncoded == null) {
            return null; // no client certificate available
        }
        if (chainLength < 0) {
            chainLength = 0;
        }
        CertificateFactory factory = clientCertProvider == null
                ? CertificateFactory.getInstance("X.509")
                : CertificateFactory.getInstance("X.509", clientCertProvider);
        X509Certificate[] chain = new X509Certificate[chainLength + 1];
        chain[0] = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(leafEncoded));
        // Intermediates are read one at a time, offset from the chain info key.
        for (int pos = 1; pos <= chainLength; pos++) {
            byte[] encoded = socketWrapper.getSSLInfoB(SSL.SSL_INFO_CLIENT_CERT_CHAIN + (pos - 1));
            chain[pos] = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encoded));
        }
        return chain;
    } catch (Exception e) {
        // Parse and lookup failures alike surface as I/O errors, cause kept.
        throw new IOException(e);
    }
}
 
Example #29
Source File: OpenSSLEngine.java — from Tomcat8-Source-Read (MIT License)
@Override
public synchronized String[] getEnabledProtocols() {
    if (destroyed) {
        return new String[0];
    }
    List<String> enabled = new ArrayList<>();
    // OpenSSL offers no option to disable SSLv2Hello, so it is always reported.
    enabled.add(Constants.SSL_PROTO_SSLv2Hello);
    int opts = SSL.getOptions(ssl);
    // Each SSL_OP_NO_* bit disables one version; a clear bit means enabled.
    // Order matches the historical output order.
    int[] disableBits = {
            SSL.SSL_OP_NO_TLSv1, SSL.SSL_OP_NO_TLSv1_1, SSL.SSL_OP_NO_TLSv1_2,
            SSL.SSL_OP_NO_SSLv2, SSL.SSL_OP_NO_SSLv3 };
    String[] names = {
            Constants.SSL_PROTO_TLSv1, Constants.SSL_PROTO_TLSv1_1, Constants.SSL_PROTO_TLSv1_2,
            Constants.SSL_PROTO_SSLv2, Constants.SSL_PROTO_SSLv3 };
    for (int i = 0; i < disableBits.length; i++) {
        if ((opts & disableBits[i]) == 0) {
            enabled.add(names[i]);
        }
    }
    int size = enabled.size();
    return size == 0 ? new String[0] : enabled.toArray(new String[size]);
}
 
Example #30
Source File: OpenSSLEngine.java — from Tomcat8-Source-Read (MIT License)
@Override
public synchronized void setEnabledCipherSuites(String[] cipherSuites) {
    // Suites taken from the SSL_CTX (initialized == true) cannot be
    // overridden per engine.
    if (initialized) {
        return;
    }
    if (cipherSuites == null) {
        throw new IllegalArgumentException(sm.getString("engine.nullCipherSuite"));
    }
    if (destroyed) {
        return;
    }
    final StringBuilder spec = new StringBuilder();
    int listed = 0;
    for (String jsseName : cipherSuites) {
        if (jsseName == null) {
            break; // a null entry terminates the list
        }
        String openSslName = OpenSSLCipherConfigurationParser.jsseToOpenSSL(jsseName);
        if (!AVAILABLE_CIPHER_SUITES.contains(jsseName)) {
            // Only logged here; the native call below presumably rejects an
            // unusable list.
            logger.debug(sm.getString("engine.unsupportedCipher", jsseName, openSslName));
        }
        // Names with no OpenSSL mapping are passed through as given.
        String entry = openSslName != null ? openSslName : jsseName;
        if (listed++ > 0) {
            spec.append(':');
        }
        spec.append(entry);
    }

    if (listed == 0) {
        throw new IllegalArgumentException(sm.getString("engine.emptyCipherSuite"));
    }

    final String cipherSuiteSpec = spec.toString();
    try {
        SSL.setCipherSuites(ssl, cipherSuiteSpec);
    } catch (Exception e) {
        throw new IllegalStateException(sm.getString("engine.failedCipherSuite", cipherSuiteSpec), e);
    }
}