diff options
| author | Kenny Root <kroot@google.com> | 2013-05-03 14:32:34 -0700 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2013-05-03 14:32:34 -0700 |
| commit | 4ed78bae40db94ba67985026a45a0f6843a7a890 (patch) | |
| tree | 7418c116fac7c542b386448962ff4ae461792d41 /crypto | |
| parent | e97bceb3efb885c5b82fcc02ee851cb172ec6cce (diff) | |
| parent | 6821dc7ba87af1efe30b162614b4760ddaffcced (diff) | |
| download | libcore-4ed78bae40db94ba67985026a45a0f6843a7a890.zip libcore-4ed78bae40db94ba67985026a45a0f6843a7a890.tar.gz libcore-4ed78bae40db94ba67985026a45a0f6843a7a890.tar.bz2 | |
am 6821dc7b: Merge "NativeCrypto: move key conversion to Java"
* commit '6821dc7ba87af1efe30b162614b4760ddaffcced':
NativeCrypto: move key conversion to Java
Diffstat (limited to 'crypto')
5 files changed, 83 insertions, 204 deletions
diff --git a/crypto/src/main/java/org/conscrypt/NativeCrypto.java b/crypto/src/main/java/org/conscrypt/NativeCrypto.java index 1416d1b..208f89e 100644 --- a/crypto/src/main/java/org/conscrypt/NativeCrypto.java +++ b/crypto/src/main/java/org/conscrypt/NativeCrypto.java @@ -770,27 +770,7 @@ public final class NativeCrypto { public static native byte[] SSL_get_tls_channel_id(long ssl) throws SSLException; - public static native void SSL_use_OpenSSL_PrivateKey_for_tls_channel_id(long ssl, long pkey) - throws SSLException; - - public static native void SSL_use_PKCS8_PrivateKey_for_tls_channel_id( - long ssl, byte[] pkcs8EncodedPrivateKey) throws SSLException; - - public static void SSL_set1_tls_channel_id(long ssl, PrivateKey privateKey) - throws SSLException { - if (privateKey == null) { - throw new NullPointerException("privateKey == null"); - } else if (privateKey instanceof OpenSSLECPrivateKey) { - OpenSSLKey openSslPrivateKey = ((OpenSSLECPrivateKey) privateKey).getOpenSSLKey(); - SSL_use_OpenSSL_PrivateKey_for_tls_channel_id(ssl, openSslPrivateKey.getPkeyContext()); - } else if ("PKCS#8".equals(privateKey.getFormat())) { - byte[] pkcs8EncodedKey = privateKey.getEncoded(); - SSL_use_PKCS8_PrivateKey_for_tls_channel_id(ssl, pkcs8EncodedKey); - } else { - throw new SSLException("Unsupported Channel ID private key type:" + - " class: " + privateKey.getClass() + ", format: " + privateKey.getFormat()); - } - } + public static native void SSL_set1_tls_channel_id(long ssl, long pkey); public static byte[][] encodeCertificates(Certificate[] certificates) throws CertificateEncodingException { @@ -803,9 +783,7 @@ public final class NativeCrypto { public static native void SSL_use_certificate(long ssl, byte[][] asn1DerEncodedCertificateChain); - public static native void SSL_use_OpenSSL_PrivateKey(long ssl, long pkey); - - public static native void SSL_use_PrivateKey(long ssl, byte[] pkcs8EncodedPrivateKey); + public static native void SSL_use_PrivateKey(long ssl, long pkey); public static native void SSL_check_private_key(long ssl) throws SSLException; diff --git a/crypto/src/main/java/org/conscrypt/OpenSSLKey.java b/crypto/src/main/java/org/conscrypt/OpenSSLKey.java index 9dac153..fa9a258 100644 --- a/crypto/src/main/java/org/conscrypt/OpenSSLKey.java +++ b/crypto/src/main/java/org/conscrypt/OpenSSLKey.java @@ -16,6 +16,7 @@ package org.conscrypt; +import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.PublicKey; @@ -64,6 +65,18 @@ public class OpenSSLKey { return alias; } + public static OpenSSLKey fromPrivateKey(PrivateKey key) throws InvalidKeyException { + if (key instanceof OpenSSLKeyHolder) { + return ((OpenSSLKeyHolder) key).getOpenSSLKey(); + } + + if ("PKCS#8".equals(key.getFormat())) { + return new OpenSSLKey(NativeCrypto.d2i_PKCS8_PRIV_KEY_INFO(key.getEncoded())); + } else { + throw new InvalidKeyException("Unknown key format " + key.getFormat()); + } + } + public PublicKey getPublicKey() throws NoSuchAlgorithmException { switch (NativeCrypto.EVP_PKEY_type(ctx)) { case NativeCrypto.EVP_PKEY_RSA: diff --git a/crypto/src/main/java/org/conscrypt/OpenSSLSocketImpl.java b/crypto/src/main/java/org/conscrypt/OpenSSLSocketImpl.java index 3301387..6d51ccb 100644 --- a/crypto/src/main/java/org/conscrypt/OpenSSLSocketImpl.java +++ b/crypto/src/main/java/org/conscrypt/OpenSSLSocketImpl.java @@ -25,6 +25,7 @@ import java.io.OutputStream; import java.net.InetAddress; import java.net.Socket; import java.net.SocketException; +import java.security.InvalidKeyException; import java.security.PrivateKey; import java.security.SecureRandom; import java.security.cert.CertificateEncodingException; @@ -78,7 +79,7 @@ public class OpenSSLSocketImpl /** Whether the TLS Channel ID extension is enabled. This field is server-side only. */ private boolean channelIdEnabled; /** Private key for the TLS Channel ID extension. This field is client-side only. */ - private PrivateKey channelIdPrivateKey; + private OpenSSLKey channelIdPrivateKey; private OpenSSLSessionImpl sslSession; private final Socket socket; private boolean autoClose; @@ -380,14 +381,16 @@ public class OpenSSLSocketImpl } // TLS Channel ID - if (client) { - // Client-side TLS Channel ID - if (channelIdPrivateKey != null) { - NativeCrypto.SSL_set1_tls_channel_id(sslNativePointer, channelIdPrivateKey); - } - } else { - // Server-side TLS Channel ID - if (channelIdEnabled) { + if (channelIdEnabled) { + if (client) { + // Client-side TLS Channel ID + if (channelIdPrivateKey == null) { + throw new SSLHandshakeException("Invalid TLS channel ID key specified"); + } + NativeCrypto.SSL_set1_tls_channel_id(sslNativePointer, + channelIdPrivateKey.getPkeyContext()); + } else { + // Server-side TLS Channel ID NativeCrypto.SSL_enable_tls_channel_id(sslNativePointer); } } @@ -497,14 +500,11 @@ public class OpenSSLSocketImpl return; } - if (privateKey instanceof OpenSSLKeyHolder) { - OpenSSLKey key = ((OpenSSLKeyHolder) privateKey).getOpenSSLKey(); - NativeCrypto.SSL_use_OpenSSL_PrivateKey(sslNativePointer, key.getPkeyContext()); - } else if ("PKCS#8".equals(privateKey.getFormat())) { - byte[] privateKeyBytes = privateKey.getEncoded(); - NativeCrypto.SSL_use_PrivateKey(sslNativePointer, privateKeyBytes); - } else { - throw new SSLException("Unsupported PrivateKey format: " + privateKey.getFormat()); + try { + final OpenSSLKey key = OpenSSLKey.fromPrivateKey(privateKey); + NativeCrypto.SSL_use_PrivateKey(sslNativePointer, key.getPkeyContext()); + } catch (InvalidKeyException e) { + throw new SSLException(e); } byte[][] certificateBytes = NativeCrypto.encodeCertificates(certificates); @@ -879,7 +879,17 @@ public class OpenSSLSocketImpl "Could not change Channel ID private key after the initial handshake has" + " begun."); } - this.channelIdPrivateKey = privateKey; + if (privateKey == null) { + this.channelIdEnabled = false; + this.channelIdPrivateKey = null; + } else { + this.channelIdEnabled = true; + try { + this.channelIdPrivateKey = OpenSSLKey.fromPrivateKey(privateKey); + } catch (InvalidKeyException e) { + // Will have error in startHandshake + } + } } @Override public boolean getUseClientMode() { diff --git a/crypto/src/main/native/org_conscrypt_NativeCrypto.cpp b/crypto/src/main/native/org_conscrypt_NativeCrypto.cpp index 077c391..ac1f321 100644 --- a/crypto/src/main/native/org_conscrypt_NativeCrypto.cpp +++ b/crypto/src/main/native/org_conscrypt_NativeCrypto.cpp @@ -6216,18 +6216,19 @@ static jbyteArray NativeCrypto_SSL_get_tls_channel_id(JNIEnv* env, jclass, jlong return javaBytes; } -static void NativeCrypto_SSL_use_OpenSSL_PrivateKey_for_tls_channel_id( - JNIEnv* env, jclass, jlong ssl_address, jlong pkeyRef) +static void NativeCrypto_SSL_set1_tls_channel_id(JNIEnv* env, jclass, + jlong ssl_address, jlong pkeyRef) { SSL* ssl = to_SSL(env, ssl_address, true); EVP_PKEY* pkey = reinterpret_cast<EVP_PKEY*>(pkeyRef); - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_OpenSSL_PrivateKey_for_tls_channel_id privatekey=%p", - ssl, pkey); + JNI_TRACE("ssl=%p SSL_set1_tls_channel_id privatekey=%p", ssl, pkey); if (ssl == NULL) { return; } if (pkey == NULL) { + jniThrowNullPointerException(env, "pkey == null"); + JNI_TRACE("ssl=%p SSL_set1_tls_channel_id => pkey == null", ssl); return; } @@ -6242,86 +6243,28 @@ static void NativeCrypto_SSL_use_OpenSSL_PrivateKey_for_tls_channel_id( throwSSLExceptionWithSslErrors( env, ssl, SSL_ERROR_NONE, "Error setting private key for Channel ID"); SSL_clear(ssl); - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_OpenSSL_PrivateKey_for_tls_channel_id => error", ssl); + JNI_TRACE("ssl=%p SSL_set1_tls_channel_id => error", ssl); return; } - // SSL_use_PrivateKey expects to take ownership of the EVP_PKEY, - // but we have an external reference from the caller such as an - // OpenSSLKey, so we manually increment the reference count here. + // SSL_set1_tls_channel_id expects to take ownership of the EVP_PKEY, but + // we have an external reference from the caller such as an OpenSSLKey, + // so we manually increment the reference count here. CRYPTO_add(&pkey->references,+1,CRYPTO_LOCK_EVP_PKEY); - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_OpenSSL_PrivateKey_for_tls_channel_id => ok", ssl); + JNI_TRACE("ssl=%p SSL_set1_tls_channel_id => ok", ssl); } -static void NativeCrypto_SSL_use_PKCS8_PrivateKey_for_tls_channel_id( - JNIEnv* env, jclass, jlong ssl_address, jbyteArray privatekey) -{ - SSL* ssl = to_SSL(env, ssl_address, true); - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey_for_tls_channel_id privatekey=%p", ssl, - privatekey); - if (ssl == NULL) { - return; - } - - ScopedByteArrayRO buf(env, privatekey); - if (buf.get() == NULL) { - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey_for_tls_channel_id => threw exception", - ssl); - return; - } - const unsigned char* tmp = reinterpret_cast<const unsigned char*>(buf.get()); - Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(NULL, &tmp, buf.size())); - if (pkcs8.get() == NULL) { - ALOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); - throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, - "Error parsing private key from DER to PKCS8"); - SSL_clear(ssl); - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey => error from DER to PKCS8", ssl); - return; - } - - Unique_EVP_PKEY privatekeyevp(EVP_PKCS82PKEY(pkcs8.get())); - if (privatekeyevp.get() == NULL) { - ALOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); - throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, - "Error creating private key from PKCS8"); - SSL_clear(ssl); - JNI_TRACE( - "ssl=%p NativeCrypto_SSL_use_PrivateKey_for_tls_channel_id => error from PKCS8 to key", - ssl); - return; - } - - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey_for_tls_channel_id EVP_PKEY_type=%d", - ssl, EVP_PKEY_type(privatekeyevp.get()->type)); - - // SSL_set1_tls_channel_id requires ssl->server to be set to 0. - // Unfortunately, the default value is 1 and it's only changed to 0 just - // before the handshake starts (see NativeCrypto_SSL_do_handshake). - ssl->server = 0; - long ret = SSL_set1_tls_channel_id(ssl, privatekeyevp.get()); - if (ret == 1L) { - OWNERSHIP_TRANSFERRED(privatekeyevp); - } else { - ALOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); - throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, "Error setting private key"); - SSL_clear(ssl); - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey_for_tls_channel_id => error", ssl); - return; - } - - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey_for_tls_channel_id => ok", ssl); -} - -static void NativeCrypto_SSL_use_OpenSSL_PrivateKey(JNIEnv* env, jclass, jlong ssl_address, jlong pkeyRef) { +static void NativeCrypto_SSL_use_PrivateKey(JNIEnv* env, jclass, jlong ssl_address, jlong pkeyRef) { SSL* ssl = to_SSL(env, ssl_address, true); EVP_PKEY* pkey = reinterpret_cast<EVP_PKEY*>(pkeyRef); - JNI_TRACE("ssl=%p SSL_use_OpenSSL_PrivateKey privatekey=%p", ssl, pkey); + JNI_TRACE("ssl=%p SSL_use_PrivateKey privatekey=%p", ssl, pkey); if (ssl == NULL) { return; } if (pkey == NULL) { + jniThrowNullPointerException(env, "pkey == null"); + JNI_TRACE("ssl=%p SSL_use_PrivateKey => pkey == null", ssl); return; } @@ -6330,7 +6273,7 @@ static void NativeCrypto_SSL_use_OpenSSL_PrivateKey(JNIEnv* env, jclass, jlong s ALOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, "Error setting private key"); SSL_clear(ssl); - JNI_TRACE("ssl=%p SSL_use_OpenSSL_PrivateKey => error", ssl); + JNI_TRACE("ssl=%p SSL_use_PrivateKey => error", ssl); return; } // SSL_use_PrivateKey expects to take ownership of the EVP_PKEY, @@ -6338,58 +6281,7 @@ static void NativeCrypto_SSL_use_OpenSSL_PrivateKey(JNIEnv* env, jclass, jlong s // OpenSSLKey, so we manually increment the reference count here. CRYPTO_add(&pkey->references,+1,CRYPTO_LOCK_EVP_PKEY); - JNI_TRACE("ssl=%p SSL_use_OpenSSL_PrivateKey => ok", ssl); -} - -static void NativeCrypto_SSL_use_PrivateKey(JNIEnv* env, jclass, - jlong ssl_address, jbyteArray privatekey) -{ - SSL* ssl = to_SSL(env, ssl_address, true); - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey privatekey=%p", ssl, privatekey); - if (ssl == NULL) { - return; - } - - ScopedByteArrayRO buf(env, privatekey); - if (buf.get() == NULL) { - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey => threw exception", ssl); - return; - } - const unsigned char* tmp = reinterpret_cast<const unsigned char*>(buf.get()); - Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(NULL, &tmp, buf.size())); - if (pkcs8.get() == NULL) { - ALOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); - throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, - "Error parsing private key from DER to PKCS8"); - SSL_clear(ssl); - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey => error from DER to PKCS8", ssl); - return; - } - - Unique_EVP_PKEY privatekeyevp(EVP_PKCS82PKEY(pkcs8.get())); - if (privatekeyevp.get() == NULL) { - ALOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); - throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, - "Error creating private key from PKCS8"); - SSL_clear(ssl); - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey => error from PKCS8 to key", ssl); - return; - } - - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey EVP_PKEY_type=%d", - ssl, EVP_PKEY_type(privatekeyevp.get()->type)); - int ret = SSL_use_PrivateKey(ssl, privatekeyevp.get()); - if (ret == 1) { - OWNERSHIP_TRANSFERRED(privatekeyevp); - } else { - ALOGE("%s", ERR_error_string(ERR_peek_error(), NULL)); - throwSSLExceptionWithSslErrors(env, ssl, SSL_ERROR_NONE, "Error setting private key"); - SSL_clear(ssl); - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey => error", ssl); - return; - } - - JNI_TRACE("ssl=%p NativeCrypto_SSL_use_PrivateKey => ok", ssl); + JNI_TRACE("ssl=%p SSL_use_PrivateKey => ok", ssl); } static void NativeCrypto_SSL_use_certificate(JNIEnv* env, jclass, @@ -8005,10 +7897,8 @@ static JNINativeMethod sNativeCryptoMethods[] = { NATIVE_METHOD(NativeCrypto, SSL_new, "(J)J"), NATIVE_METHOD(NativeCrypto, SSL_enable_tls_channel_id, "(J)V"), NATIVE_METHOD(NativeCrypto, SSL_get_tls_channel_id, "(J)[B"), - NATIVE_METHOD(NativeCrypto, SSL_use_OpenSSL_PrivateKey_for_tls_channel_id, "(JJ)V"), - NATIVE_METHOD(NativeCrypto, SSL_use_PKCS8_PrivateKey_for_tls_channel_id, "(J[B)V"), - NATIVE_METHOD(NativeCrypto, SSL_use_OpenSSL_PrivateKey, "(JJ)V"), - NATIVE_METHOD(NativeCrypto, SSL_use_PrivateKey, "(J[B)V"), + NATIVE_METHOD(NativeCrypto, SSL_set1_tls_channel_id, "(JJ)V"), + NATIVE_METHOD(NativeCrypto, SSL_use_PrivateKey, "(JJ)V"), NATIVE_METHOD(NativeCrypto, SSL_use_certificate, "(J[[B)V"), NATIVE_METHOD(NativeCrypto, SSL_check_private_key, "(J)V"), NATIVE_METHOD(NativeCrypto, SSL_set_client_CA_list, "(J[[B)V"), diff --git a/crypto/src/test/java/org/conscrypt/NativeCryptoTest.java b/crypto/src/test/java/org/conscrypt/NativeCryptoTest.java index b55a745..6b8be07 100644 --- a/crypto/src/test/java/org/conscrypt/NativeCryptoTest.java +++ b/crypto/src/test/java/org/conscrypt/NativeCryptoTest.java @@ -29,7 +29,6 @@ import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.KeyStore; import java.security.KeyStore.PrivateKeyEntry; -import java.security.PrivateKey; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.security.interfaces.DSAPublicKey; @@ -67,12 +66,12 @@ public class NativeCryptoTest extends TestCase { private static final long TIMEOUT_SECONDS = 5; - private static byte[] SERVER_PRIVATE_KEY; + private static OpenSSLKey SERVER_PRIVATE_KEY; private static byte[][] SERVER_CERTIFICATES; - private static byte[] CLIENT_PRIVATE_KEY; + private static OpenSSLKey CLIENT_PRIVATE_KEY; private static byte[][] CLIENT_CERTIFICATES; private static byte[][] CA_PRINCIPALS; - private static PrivateKey CHANNEL_ID_PRIVATE_KEY; + private static OpenSSLKey CHANNEL_ID_PRIVATE_KEY; private static byte[] CHANNEL_ID; @Override @@ -80,7 +79,7 @@ public class NativeCryptoTest extends TestCase { assertEquals(0, NativeCrypto.ERR_peek_last_error()); } - private static byte[] getServerPrivateKey() { + private static OpenSSLKey getServerPrivateKey() { initCerts(); return SERVER_PRIVATE_KEY; } @@ -90,7 +89,7 @@ public class NativeCryptoTest extends TestCase { return SERVER_CERTIFICATES; } - private static byte[] getClientPrivateKey() { + private static OpenSSLKey getClientPrivateKey() { initCerts(); return CLIENT_PRIVATE_KEY; } @@ -116,13 +115,13 @@ public class NativeCryptoTest extends TestCase { try { PrivateKeyEntry serverPrivateKeyEntry = TestKeyStore.getServer().getPrivateKey("RSA", "RSA"); - SERVER_PRIVATE_KEY = serverPrivateKeyEntry.getPrivateKey().getEncoded(); + SERVER_PRIVATE_KEY = OpenSSLKey.fromPrivateKey(serverPrivateKeyEntry.getPrivateKey()); SERVER_CERTIFICATES = NativeCrypto.encodeCertificates( serverPrivateKeyEntry.getCertificateChain()); PrivateKeyEntry clientPrivateKeyEntry = TestKeyStore.getClientCertificate().getPrivateKey("RSA", "RSA"); - CLIENT_PRIVATE_KEY = clientPrivateKeyEntry.getPrivateKey().getEncoded(); + CLIENT_PRIVATE_KEY = OpenSSLKey.fromPrivateKey(clientPrivateKeyEntry.getPrivateKey()); CLIENT_CERTIFICATES = NativeCrypto.encodeCertificates( clientPrivateKeyEntry.getCertificateChain()); @@ -147,7 +146,7 @@ public class NativeCryptoTest extends TestCase { BigInteger s = new BigInteger( "229cdbbf489aea584828a261a23f9ff8b0f66f7ccac98bf2096ab3aee41497c5", 16); CHANNEL_ID_PRIVATE_KEY = new OpenSSLECPrivateKey( - new ECPrivateKeySpec(s, openSslSpec.getECParameterSpec())); + new ECPrivateKeySpec(s, openSslSpec.getECParameterSpec())).getOpenSSLKey(); // Channel ID is the concatenation of the X and Y coordinates of the public key. CHANNEL_ID = new BigInteger( @@ -339,7 +338,7 @@ public class NativeCryptoTest extends TestCase { public void test_SSL_use_PrivateKey_for_tls_channel_id() throws Exception { try { - NativeCrypto.SSL_set1_tls_channel_id(NULL, null); + NativeCrypto.SSL_set1_tls_channel_id(NULL, NULL); fail(); } catch (NullPointerException expected) { } @@ -348,25 +347,14 @@ public class NativeCryptoTest extends TestCase { long s = NativeCrypto.SSL_new(c); try { - NativeCrypto.SSL_set1_tls_channel_id(s, null); + NativeCrypto.SSL_set1_tls_channel_id(s, NULL); fail(); } catch (NullPointerException expected) { } - // Use the key via the wrapper that decides whether to use PKCS#8 or native OpenSSL. - NativeCrypto.SSL_set1_tls_channel_id(s, CHANNEL_ID_PRIVATE_KEY); - - // Use the key via its PKCS#8 representation. - assertEquals("PKCS#8", CHANNEL_ID_PRIVATE_KEY.getFormat()); - byte[] pkcs8EncodedKeyBytes = CHANNEL_ID_PRIVATE_KEY.getEncoded(); - assertNotNull(pkcs8EncodedKeyBytes); - NativeCrypto.SSL_use_PKCS8_PrivateKey_for_tls_channel_id(s, pkcs8EncodedKeyBytes); - // Use the key natively. This works because the initChannelIdKey method ensures that the // key is backed by OpenSSL. - NativeCrypto.SSL_use_OpenSSL_PrivateKey_for_tls_channel_id( - s, - ((OpenSSLECPrivateKey) CHANNEL_ID_PRIVATE_KEY).getOpenSSLKey().getPkeyContext()); + NativeCrypto.SSL_set1_tls_channel_id(s, CHANNEL_ID_PRIVATE_KEY.getPkeyContext()); NativeCrypto.SSL_free(s); NativeCrypto.SSL_CTX_free(c); @@ -374,7 +362,7 @@ public class NativeCryptoTest extends TestCase { public void test_SSL_use_PrivateKey() throws Exception { try { - NativeCrypto.SSL_use_PrivateKey(NULL, null); + NativeCrypto.SSL_use_PrivateKey(NULL, NULL); fail(); } catch (NullPointerException expected) { } @@ -383,12 +371,12 @@ public class NativeCryptoTest extends TestCase { long s = NativeCrypto.SSL_new(c); try { - NativeCrypto.SSL_use_PrivateKey(s, null); + NativeCrypto.SSL_use_PrivateKey(s, NULL); fail(); } catch (NullPointerException expected) { } - NativeCrypto.SSL_use_PrivateKey(s, getServerPrivateKey()); + NativeCrypto.SSL_use_PrivateKey(s, getServerPrivateKey().getPkeyContext()); NativeCrypto.SSL_free(s); NativeCrypto.SSL_CTX_free(c); @@ -430,7 +418,7 @@ public class NativeCryptoTest extends TestCase { } catch (SSLException expected) { } - NativeCrypto.SSL_use_PrivateKey(s, getServerPrivateKey()); + NativeCrypto.SSL_use_PrivateKey(s, getServerPrivateKey().getPkeyContext()); NativeCrypto.SSL_check_private_key(s); NativeCrypto.SSL_free(s); @@ -441,7 +429,7 @@ public class NativeCryptoTest extends TestCase { long s = NativeCrypto.SSL_new(c); // first private, then certificate - NativeCrypto.SSL_use_PrivateKey(s, getServerPrivateKey()); + NativeCrypto.SSL_use_PrivateKey(s, getServerPrivateKey().getPkeyContext()); try { NativeCrypto.SSL_check_private_key(s); @@ -613,7 +601,7 @@ public class NativeCryptoTest extends TestCase { private static final boolean DEBUG = false; public static class Hooks { - private PrivateKey channelIdPrivateKey; + private OpenSSLKey channelIdPrivateKey; public long getContext() throws SSLException { return NativeCrypto.SSL_CTX_new(); @@ -626,7 +614,7 @@ public class NativeCryptoTest extends TestCase { NativeCrypto.SSL_set_cipher_lists(s, new String[] { "RC4-MD5" }); if (channelIdPrivateKey != null) { - NativeCrypto.SSL_set1_tls_channel_id(s, channelIdPrivateKey); + NativeCrypto.SSL_set1_tls_channel_id(s, channelIdPrivateKey.getPkeyContext()); } return s; } @@ -721,13 +709,13 @@ public class NativeCryptoTest extends TestCase { } public static class ServerHooks extends Hooks { - private final byte[] privateKey; + private final OpenSSLKey privateKey; private final byte[][] certificates; private boolean channelIdEnabled; private byte[] channelIdAfterHandshake; private Throwable channelIdAfterHandshakeException; - public ServerHooks(byte[] privateKey, byte[][] certificates) { + public ServerHooks(OpenSSLKey privateKey, byte[][] certificates) { this.privateKey = privateKey; this.certificates = certificates; } @@ -736,7 +724,7 @@ public class NativeCryptoTest extends TestCase { public long beforeHandshake(long c) throws SSLException { long s = super.beforeHandshake(c); if (privateKey != null) { - NativeCrypto.SSL_use_PrivateKey(s, privateKey); + NativeCrypto.SSL_use_PrivateKey(s, privateKey.getPkeyContext()); } if (certificates != null) { NativeCrypto.SSL_use_certificate(s, certificates); @@ -870,7 +858,7 @@ public class NativeCryptoTest extends TestCase { @Override public void clientCertificateRequested(long s) { super.clientCertificateRequested(s); - NativeCrypto.SSL_use_PrivateKey(s, getClientPrivateKey()); + NativeCrypto.SSL_use_PrivateKey(s, getClientPrivateKey().getPkeyContext()); NativeCrypto.SSL_use_certificate(s, getClientCertificates()); } }; |