1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
|
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.conscrypt;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
/**
* The instances of this class encapsulate all the info
* about enabled cipher suites and protocols,
* as well as the information about client/server mode of
* ssl socket, whether it require/want client authentication or not,
* and controls whether new SSL sessions may be established by this
* socket or not.
*/
public class SSLParametersImpl implements Cloneable {
// default source of authentication keys
private static volatile X509KeyManager defaultKeyManager;
// default source of authentication trust decisions
private static volatile X509TrustManager defaultTrustManager;
// default source of random numbers
private static volatile SecureRandom defaultSecureRandom;
// default SSL parameters
private static volatile SSLParametersImpl defaultParameters;
// client session context contains the set of reusable
// client-side SSL sessions
private final ClientSessionContext clientSessionContext;
// server session context contains the set of reusable
// server-side SSL sessions
private final ServerSessionContext serverSessionContext;
// source of authentication keys
private X509KeyManager keyManager;
// source of authentication trust decisions
private X509TrustManager trustManager;
// source of random numbers
private SecureRandom secureRandom;
// cipher suites available for SSL connection
private CipherSuite[] enabledCipherSuites;
// string representations of available cipher suites
private String[] enabledCipherSuiteNames = null;
// protocols available for SSL connection
private String[] enabledProtocols = ProtocolVersion.supportedProtocols;
// if the peer with this parameters tuned to work in client mode
private boolean client_mode = true;
// if the peer with this parameters tuned to require client authentication
private boolean need_client_auth = false;
// if the peer with this parameters tuned to request client authentication
private boolean want_client_auth = false;
// if the peer with this parameters allowed to cteate new SSL session
private boolean enable_session_creation = true;
protected CipherSuite[] getEnabledCipherSuitesMember() {
if (enabledCipherSuites == null) {
this.enabledCipherSuites = CipherSuite.DEFAULT_CIPHER_SUITES;
}
return enabledCipherSuites;
}
/**
* Initializes the parameters. Naturally this constructor is used
* in SSLContextImpl.engineInit method which directly passes its
* parameters. In other words this constructor holds all
* the functionality provided by SSLContext.init method.
* See {@link javax.net.ssl.SSLContext#init(KeyManager[],TrustManager[],
* SecureRandom)} for more information
*/
protected SSLParametersImpl(KeyManager[] kms, TrustManager[] tms,
SecureRandom sr, ClientSessionContext clientSessionContext,
ServerSessionContext serverSessionContext)
throws KeyManagementException {
this.serverSessionContext = serverSessionContext;
this.clientSessionContext = clientSessionContext;
// It's not described by the spec of SSLContext what should happen
// if the arrays of length 0 are specified. This implementation
// behave as for null arrays (i.e. use installed security providers)
// initialize keyManager
if ((kms == null) || (kms.length == 0)) {
keyManager = getDefaultKeyManager();
} else {
keyManager = findX509KeyManager(kms);
}
// initialize trustManager
if ((tms == null) || (tms.length == 0)) {
trustManager = getDefaultTrustManager();
} else {
trustManager = findX509TrustManager(tms);
}
// initialize secure random
// BEGIN android-removed
// if (sr == null) {
// if (defaultSecureRandom == null) {
// defaultSecureRandom = new SecureRandom();
// }
// secureRandom = defaultSecureRandom;
// } else {
// secureRandom = sr;
// }
// END android-removed
// BEGIN android-added
// We simply use the SecureRandom passed in by the caller. If it's
// null, we don't replace it by a new instance. The native code below
// then directly accesses /dev/urandom. Not the most elegant solution,
// but faster than going through the SecureRandom object.
secureRandom = sr;
// END android-added
}
protected static SSLParametersImpl getDefault() throws KeyManagementException {
SSLParametersImpl result = defaultParameters;
if (result == null) {
// single-check idiom
defaultParameters = result = new SSLParametersImpl(null,
null,
null,
new ClientSessionContext(),
new ServerSessionContext());
}
return (SSLParametersImpl) result.clone();
}
/**
* @return server session context
*/
protected ServerSessionContext getServerSessionContext() {
return serverSessionContext;
}
/**
* @return client session context
*/
protected ClientSessionContext getClientSessionContext() {
return clientSessionContext;
}
/**
* @return key manager
*/
protected X509KeyManager getKeyManager() {
return keyManager;
}
/**
* @return trust manager
*/
protected X509TrustManager getTrustManager() {
return trustManager;
}
/**
* @return secure random
*/
protected SecureRandom getSecureRandom() {
if (secureRandom != null) {
return secureRandom;
}
SecureRandom result = defaultSecureRandom;
if (result == null) {
// single-check idiom
defaultSecureRandom = result = new SecureRandom();
}
secureRandom = result;
return secureRandom;
}
/**
* @return the secure random member reference, even it is null
*/
protected SecureRandom getSecureRandomMember() {
return secureRandom;
}
/**
* @return the names of enabled cipher suites
*/
protected String[] getEnabledCipherSuites() {
if (enabledCipherSuiteNames == null) {
CipherSuite[] enabledCipherSuites = getEnabledCipherSuitesMember();
enabledCipherSuiteNames = new String[enabledCipherSuites.length];
for (int i = 0; i< enabledCipherSuites.length; i++) {
enabledCipherSuiteNames[i] = enabledCipherSuites[i].getName();
}
}
return enabledCipherSuiteNames.clone();
}
/**
* Sets the set of available cipher suites for use in SSL connection.
* @param suites: String[]
* @return
*/
protected void setEnabledCipherSuites(String[] suites) {
if (suites == null) {
throw new IllegalArgumentException("suites == null");
}
CipherSuite[] cipherSuites = new CipherSuite[suites.length];
for (int i=0; i<suites.length; i++) {
String suite = suites[i];
if (suite == null) {
throw new IllegalArgumentException("suites[" + i + "] == null");
}
cipherSuites[i] = CipherSuite.getByName(suite);
if (cipherSuites[i] == null || !cipherSuites[i].supported) {
throw new IllegalArgumentException(suite + " is not supported.");
}
}
enabledCipherSuites = cipherSuites;
enabledCipherSuiteNames = suites;
}
/**
* @return the set of enabled protocols
*/
protected String[] getEnabledProtocols() {
return enabledProtocols.clone();
}
/**
* Sets the set of available protocols for use in SSL connection.
* @param protocols String[]
*/
protected void setEnabledProtocols(String[] protocols) {
if (protocols == null) {
throw new IllegalArgumentException("protocols == null");
}
for (int i=0; i<protocols.length; i++) {
String protocol = protocols[i];
if (protocol == null) {
throw new IllegalArgumentException("protocols[" + i + "] == null");
}
if (!ProtocolVersion.isSupported(protocol)) {
throw new IllegalArgumentException("Protocol " + protocol + " is not supported.");
}
}
enabledProtocols = protocols;
}
/**
* Tunes the peer holding this parameters to work in client mode.
* @param mode if the peer is configured to work in client mode
*/
protected void setUseClientMode(boolean mode) {
client_mode = mode;
}
/**
* Returns the value indicating if the parameters configured to work
* in client mode.
*/
protected boolean getUseClientMode() {
return client_mode;
}
/**
* Tunes the peer holding this parameters to require client authentication
*/
protected void setNeedClientAuth(boolean need) {
need_client_auth = need;
// reset the want_client_auth setting
want_client_auth = false;
}
/**
* Returns the value indicating if the peer with this parameters tuned
* to require client authentication
*/
protected boolean getNeedClientAuth() {
return need_client_auth;
}
/**
* Tunes the peer holding this parameters to request client authentication
*/
protected void setWantClientAuth(boolean want) {
want_client_auth = want;
// reset the need_client_auth setting
need_client_auth = false;
}
/**
* Returns the value indicating if the peer with this parameters
* tuned to request client authentication
* @return
*/
protected boolean getWantClientAuth() {
return want_client_auth;
}
/**
* Allows/disallows the peer holding this parameters to
* create new SSL session
*/
protected void setEnableSessionCreation(boolean flag) {
enable_session_creation = flag;
}
/**
* Returns the value indicating if the peer with this parameters
* allowed to cteate new SSL session
*/
protected boolean getEnableSessionCreation() {
return enable_session_creation;
}
/**
* Returns the clone of this object.
* @return the clone.
*/
@Override
protected Object clone() {
try {
return super.clone();
} catch (CloneNotSupportedException e) {
throw new AssertionError(e);
}
}
private static X509KeyManager getDefaultKeyManager() throws KeyManagementException {
X509KeyManager result = defaultKeyManager;
if (result == null) {
// single-check idiom
defaultKeyManager = result = createDefaultKeyManager();
}
return result;
}
private static X509KeyManager createDefaultKeyManager() throws KeyManagementException {
try {
String algorithm = KeyManagerFactory.getDefaultAlgorithm();
KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
kmf.init(null, null);
KeyManager[] kms = kmf.getKeyManagers();
return findX509KeyManager(kms);
} catch (NoSuchAlgorithmException e) {
throw new KeyManagementException(e);
} catch (KeyStoreException e) {
throw new KeyManagementException(e);
} catch (UnrecoverableKeyException e) {
throw new KeyManagementException(e);
}
}
private static X509KeyManager findX509KeyManager(KeyManager[] kms) throws KeyManagementException {
for (KeyManager km : kms) {
if (km instanceof X509KeyManager) {
return (X509KeyManager)km;
}
}
throw new KeyManagementException("Failed to find an X509KeyManager in " + Arrays.toString(kms));
}
/**
* Gets the default trust manager.
*
* TODO: Move this to a published API under dalvik.system.
*/
public static X509TrustManager getDefaultTrustManager() throws KeyManagementException {
X509TrustManager result = defaultTrustManager;
if (result == null) {
// single-check idiom
defaultTrustManager = result = createDefaultTrustManager();
}
return result;
}
private static X509TrustManager createDefaultTrustManager() throws KeyManagementException {
try {
String algorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
tmf.init((KeyStore) null);
TrustManager[] tms = tmf.getTrustManagers();
X509TrustManager trustManager = findX509TrustManager(tms);
return trustManager;
} catch (NoSuchAlgorithmException e) {
throw new KeyManagementException(e);
} catch (KeyStoreException e) {
throw new KeyManagementException(e);
}
}
private static X509TrustManager findX509TrustManager(TrustManager[] tms) throws KeyManagementException {
for (TrustManager tm : tms) {
if (tm instanceof X509TrustManager) {
return (X509TrustManager)tm;
}
}
throw new KeyManagementException("Failed to find an X509TrustManager in " + Arrays.toString(tms));
}
}
|
