1 /* 2 * Copyright (C) 2008 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package org.apache.harmony.xnet.provider.jsse; 18 19 import java.io.FileDescriptor; 20 import java.io.IOException; 21 import java.lang.reflect.Field; 22 import java.net.Socket; 23 import java.net.SocketImpl; 24 import java.net.SocketTimeoutException; 25 import java.security.cert.Certificate; 26 import java.security.cert.CertificateEncodingException; 27 import java.security.cert.CertificateException; 28 import java.security.cert.X509Certificate; 29 import java.security.interfaces.RSAPublicKey; 30 import java.util.ArrayList; 31 import java.util.HashMap; 32 import java.util.LinkedHashMap; 33 import java.util.List; 34 import java.util.Map; 35 import javax.net.ssl.SSLException; 36 37 /** 38 * Provides the Java side of our JNI glue for OpenSSL. 39 */ 40 public final class NativeCrypto { 41 42 // --- OpenSSL library initialization -------------------------------------- 43 static { 44 clinit(); 45 } 46 47 private native static void clinit(); 48 49 // --- DSA/RSA public/private key handling functions ----------------------- 50 51 public static native int EVP_PKEY_new_DSA(byte[] p, byte[] q, byte[] g, 52 byte[] priv_key, byte[] pub_key); 53 54 public static native int EVP_PKEY_new_RSA(byte[] n, byte[] e, byte[] d, byte[] p, byte[] q); 55 56 public static native void EVP_PKEY_free(int pkey); 57 58 // --- General context handling functions (despite the names) -------------- 59 60 public static native int EVP_MD_CTX_create(); 61 62 public static native void EVP_MD_CTX_destroy(int ctx); 63 64 public static native int EVP_MD_CTX_copy(int ctx); 65 66 // --- Digest handling functions ------------------------------------------- 67 68 public static native void EVP_DigestInit(int ctx, String algorithm); 69 70 public static native void EVP_DigestUpdate(int ctx, byte[] buffer, int offset, int length); 71 72 public static native int EVP_DigestFinal(int ctx, byte[] hash, int offset); 73 74 public static native int EVP_MD_CTX_size(int ctx); 75 76 public static native int EVP_MD_CTX_block_size(int ctx); 77 78 // --- Signature handling functions ---------------------------------------- 79 80 public static native void EVP_VerifyInit(int ctx, String algorithm); 81 82 public static native void EVP_VerifyUpdate(int ctx, byte[] buffer, 83 int offset, int length); 84 85 public static native int EVP_VerifyFinal(int ctx, byte[] signature, 86 int offset, int length, int key); 87 88 // --- Legacy Signature handling ------------------------------------------- 89 // TODO rewrite/replace with EVP_Verify* 90 /** 91 * Verifies an RSA signature. Conceptually, this method doesn't really 92 * belong here, but due to its native code being closely tied to OpenSSL 93 * (just like the rest of this class), we put it here for the time being. 94 * This also solves potential problems with native library initialization. 95 * 96 * @param message The message to verify 97 * @param signature The signature to verify 98 * @param algorithm The hash/sign algorithm to use, i.e. "RSA-SHA1" 99 * @param key The RSA public key to use 100 * @return true if the verification succeeds, false otherwise 101 */ 102 public static boolean verifySignature( 103 byte[] message, byte[] signature, String algorithm, RSAPublicKey key) { 104 byte[] modulus = key.getModulus().toByteArray(); 105 byte[] exponent = key.getPublicExponent().toByteArray(); 106 107 return verifySignature(message, signature, algorithm, modulus, exponent) == 1; 108 } 109 110 private static native int verifySignature(byte[] message, byte[] signature, 111 String algorithm, byte[] modulus, byte[] exponent); 112 113 // --- RAND seeding -------------------------------------------------------- 114 115 public static final int RAND_SEED_LENGTH_IN_BYTES = 1024; 116 117 public static native void RAND_seed(byte[] seed); 118 119 public static native int RAND_load_file(String filename, long max_bytes); 120 121 // --- SSL handling -------------------------------------------------------- 122 123 private static final Field JAVA_NET_SOCKET_IMPL; 124 private static final Field JAVA_NET_SOCKETIMPL_FD; 125 static { 126 try { 127 JAVA_NET_SOCKET_IMPL = Socket.class.getDeclaredField("impl"); 128 JAVA_NET_SOCKET_IMPL.setAccessible(true); 129 JAVA_NET_SOCKETIMPL_FD = SocketImpl.class.getDeclaredField("fd"); 130 JAVA_NET_SOCKETIMPL_FD.setAccessible(true); 131 } catch (Exception e) { 132 throw new AssertionError(e); 133 } 134 } 135 /** 136 * Return the FileDescriptor associated with the provided socket. 137 */ 138 public static FileDescriptor getFileDescriptor(Socket socket) { 139 try { 140 SocketImpl socketImpl = (SocketImpl) JAVA_NET_SOCKET_IMPL.get(socket); 141 FileDescriptor fd = (FileDescriptor) JAVA_NET_SOCKETIMPL_FD.get(socketImpl); 142 return fd; 143 } catch (IllegalAccessException e) { 144 throw new AssertionError(e); 145 } 146 } 147 148 private static final String SUPPORTED_PROTOCOL_SSLV3 = "SSLv3"; 149 private static final String SUPPORTED_PROTOCOL_TLSV1 = "TLSv1"; 150 151 public static final Map<String, String> OPENSSL_TO_STANDARD_CIPHER_SUITES 152 = new HashMap<String, String>(); 153 public static final Map<String, String> STANDARD_TO_OPENSSL_CIPHER_SUITES 154 = new LinkedHashMap<String, String>(); 155 156 private static void add(String standard, String openssl) { 157 OPENSSL_TO_STANDARD_CIPHER_SUITES.put(openssl, standard); 158 STANDARD_TO_OPENSSL_CIPHER_SUITES.put(standard, openssl); 159 } 160 161 static { 162 // Note these are added in priority order 163 // Android doesn't currently support Elliptic Curve 164 add("SSL_RSA_WITH_RC4_128_MD5", "RC4-MD5"); 165 add("SSL_RSA_WITH_RC4_128_SHA", "RC4-SHA"); 166 add("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA"); 167 add("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256-SHA"); 168 // add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "ECDH-ECDSA-RC4-SHA"); 169 // add("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "ECDH-ECDSA-AES128-SHA"); 170 // add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "ECDH-ECDSA-AES256-SHA"); 171 // add("TLS_ECDH_RSA_WITH_RC4_128_SHA", "ECDH-RSA-RC4-SHA"); 172 // add("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "ECDH-RSA-AES128-SHA"); 173 // add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "ECDH-RSA-AES256-SHA"); 174 // add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "ECDHE-ECDSA-RC4-SHA"); 175 // add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "ECDHE-ECDSA-AES128-SHA"); 176 // add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "ECDHE-ECDSA-AES256-SHA"); 177 // add("TLS_ECDHE_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-RC4-SHA"); 178 // add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE-RSA-AES128-SHA"); 179 // add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE-RSA-AES256-SHA"); 180 add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE-RSA-AES128-SHA"); 181 add("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE-RSA-AES256-SHA"); 182 add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "DHE-DSS-AES128-SHA"); 183 add("TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "DHE-DSS-AES256-SHA"); 184 add("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "DES-CBC3-SHA"); 185 // add("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "ECDH-ECDSA-DES-CBC3-SHA"); 186 // add("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "ECDH-RSA-DES-CBC3-SHA"); 187 // add("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-ECDSA-DES-CBC3-SHA"); 188 // add("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-RSA-DES-CBC3-SHA"); 189 add("SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "EDH-RSA-DES-CBC3-SHA"); 190 add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "EDH-DSS-DES-CBC3-SHA"); 191 add("SSL_RSA_WITH_DES_CBC_SHA", "DES-CBC-SHA"); 192 add("SSL_DHE_RSA_WITH_DES_CBC_SHA", "EDH-RSA-DES-CBC-SHA"); 193 add("SSL_DHE_DSS_WITH_DES_CBC_SHA", "EDH-DSS-DES-CBC-SHA"); 194 add("SSL_RSA_EXPORT_WITH_RC4_40_MD5", "EXP-RC4-MD5"); 195 add("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-DES-CBC-SHA"); 196 add("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-RSA-DES-CBC-SHA"); 197 add("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-DSS-DES-CBC-SHA"); 198 add("SSL_RSA_WITH_NULL_MD5", "NULL-MD5"); 199 add("SSL_RSA_WITH_NULL_SHA", "NULL-SHA"); 200 // add("TLS_ECDH_ECDSA_WITH_NULL_SHA", "ECDH-ECDSA-NULL-SHA"); 201 // add("TLS_ECDH_RSA_WITH_NULL_SHA", "ECDH-RSA-NULL-SHA"); 202 // add("TLS_ECDHE_ECDSA_WITH_NULL_SHA", "ECDHE-ECDSA-NULL-SHA"); 203 // add("TLS_ECDHE_RSA_WITH_NULL_SHA", "ECDHE-RSA-NULL-SHA"); 204 add("SSL_DH_anon_WITH_RC4_128_MD5", "ADH-RC4-MD5"); 205 add("TLS_DH_anon_WITH_AES_128_CBC_SHA", "ADH-AES128-SHA"); 206 add("TLS_DH_anon_WITH_AES_256_CBC_SHA", "ADH-AES256-SHA"); 207 add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "ADH-DES-CBC3-SHA"); 208 add("SSL_DH_anon_WITH_DES_CBC_SHA", "ADH-DES-CBC-SHA"); 209 // add("TLS_ECDH_anon_WITH_RC4_128_SHA", "AECDH-RC4-SHA"); 210 // add("TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "AECDH-AES128-SHA"); 211 // add("TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "AECDH-AES256-SHA"); 212 // add("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "AECDH-DES-CBC3-SHA"); 213 add("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", "EXP-ADH-RC4-MD5"); 214 add("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", "EXP-ADH-DES-CBC-SHA"); 215 // add("TLS_ECDH_anon_WITH_NULL_SHA", "AECDH-NULL-SHA"); 216 217 // No Kerberos in Android 218 // add("TLS_KRB5_WITH_RC4_128_SHA", "KRB5-RC4-SHA"); 219 // add("TLS_KRB5_WITH_RC4_128_MD5", "KRB5-RC4-MD5"); 220 // add("TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "KRB5-DES-CBC3-SHA"); 221 // add("TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "KRB5-DES-CBC3-MD5"); 222 // add("TLS_KRB5_WITH_DES_CBC_SHA", "KRB5-DES-CBC-SHA"); 223 // add("TLS_KRB5_WITH_DES_CBC_MD5", "KRB5-DES-CBC-MD5"); 224 // add("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "EXP-KRB5-RC4-SHA"); 225 // add("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "EXP-KRB5-RC4-MD5"); 226 // add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "EXP-KRB5-DES-CBC-SHA"); 227 // add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "EXP-KRB5-DES-CBC-MD5"); 228 229 // not implemented by either RI or OpenSSL 230 // add("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", null); 231 // add("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", null); 232 233 // EXPORT1024 suites were never standardized but were widely implemented. 234 // OpenSSL 0.9.8c and later have disabled TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 235 // add("SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA", "EXP1024-DES-CBC-SHA"); 236 // add("SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", "EXP1024-RC4-SHA"); 237 238 // No RC2 239 // add("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "EXP-RC2-CBC-MD5"); 240 // add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", "EXP-KRB5-RC2-CBC-SHA"); 241 // add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", "EXP-KRB5-RC2-CBC-MD5"); 242 243 // PSK is Private Shared Key - didn't exist in Froyo's openssl - no JSSE equivalent 244 // add(null, "PSK-3DES-EDE-CBC-SHA"); 245 // add(null, "PSK-AES128-CBC-SHA"); 246 // add(null, "PSK-AES256-CBC-SHA"); 247 // add(null, "PSK-RC4-SHA"); 248 } 249 250 private static final String[] SUPPORTED_CIPHER_SUITES 251 = STANDARD_TO_OPENSSL_CIPHER_SUITES.keySet().toArray(new String[0]); 252 253 // SSL mode from ssl.h 254 public static long SSL_MODE_HANDSHAKE_CUTTHROUGH = 0x00000040L; 255 256 // SSL options from ssl.h 257 public static long SSL_OP_NO_TICKET = 0x00004000L; 258 public static long SSL_OP_NO_COMPRESSION = 0x00020000L; 259 public static long SSL_OP_NO_SSLv3 = 0x02000000L; 260 public static long SSL_OP_NO_TLSv1 = 0x04000000L; 261 262 public static native int SSL_CTX_new(); 263 264 public static String[] getDefaultCipherSuites() { 265 return new String[] { 266 "SSL_RSA_WITH_RC4_128_MD5", 267 "SSL_RSA_WITH_RC4_128_SHA", 268 "TLS_RSA_WITH_AES_128_CBC_SHA", 269 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 270 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 271 "SSL_RSA_WITH_3DES_EDE_CBC_SHA", 272 "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 273 "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 274 "SSL_RSA_WITH_DES_CBC_SHA", 275 "SSL_DHE_RSA_WITH_DES_CBC_SHA", 276 "SSL_DHE_DSS_WITH_DES_CBC_SHA", 277 "SSL_RSA_EXPORT_WITH_RC4_40_MD5", 278 "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", 279 "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 280 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" 281 }; 282 } 283 284 public static String[] getSupportedCipherSuites() { 285 return SUPPORTED_CIPHER_SUITES.clone(); 286 } 287 288 public static native void SSL_CTX_free(int ssl_ctx); 289 290 public static native int SSL_new(int ssl_ctx) throws SSLException; 291 292 public static final String[] KEY_TYPES = new String[] { 293 "RSA", 294 "DSA", 295 "DH_RSA", 296 "DH_DSA", 297 "EC" 298 }; 299 300 public static String keyType(int keyType) { 301 switch (keyType) { 302 case 1: // TLS_CT_RSA_SIGN 303 return "RSA"; 304 case 2: // TLS_CT_DSS_SIGN 305 return "DSA"; 306 case 3: // TLS_CT_RSA_FIXED_DH 307 return "DH_RSA"; 308 case 4: // TLS_CT_DSS_FIXED_DH 309 return "DH_DSA"; 310 case 64: // TLS_CT_ECDSA_SIGN 311 return "EC"; 312 default: 313 return null; 314 } 315 } 316 317 public static byte[][] encodeCertificates(Certificate[] certificates) 318 throws CertificateEncodingException { 319 byte[][] certificateBytes = new byte[certificates.length][]; 320 for (int i = 0; i < certificates.length; i++) { 321 certificateBytes[i] = certificates[i].getEncoded(); 322 } 323 return certificateBytes; 324 } 325 326 public static native void SSL_use_certificate(int ssl, byte[][] asn1DerEncodedCertificateChain); 327 328 public static native void SSL_use_PrivateKey(int ssl, byte[] pkcs8EncodedPrivateKey); 329 330 public static native void SSL_check_private_key(int ssl) throws SSLException; 331 332 public static byte[][] encodeIssuerX509Principals(X509Certificate[] certificates) 333 throws CertificateEncodingException { 334 byte[][] principalBytes = new byte[certificates.length][]; 335 for (int i = 0; i < certificates.length; i++) { 336 principalBytes[i] = certificates[i].getIssuerX500Principal().getEncoded(); 337 } 338 return principalBytes; 339 } 340 341 public static native void SSL_set_client_CA_list(int ssl, byte[][] asn1DerEncodedX500Principals); 342 343 public static native long SSL_get_mode(int ssl); 344 345 public static native long SSL_set_mode(int ssl, long mode); 346 347 public static native long SSL_clear_mode(int ssl, long mode); 348 349 public static native long SSL_get_options(int ssl); 350 351 public static native long SSL_set_options(int ssl, long options); 352 353 public static native long SSL_clear_options(int ssl, long options); 354 355 public static String[] getSupportedProtocols() { 356 return new String[] { SUPPORTED_PROTOCOL_SSLV3, SUPPORTED_PROTOCOL_TLSV1 }; 357 } 358 359 public static void setEnabledProtocols(int ssl, String[] protocols) { 360 checkEnabledProtocols(protocols); 361 // openssl uses negative logic letting you disable protocols. 362 // so first, assume we need to set all (disable all) and clear none (enable none). 363 // in the loop, selectively move bits from set to clear (from disable to enable) 364 long optionsToSet = (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1); 365 long optionsToClear = 0; 366 for (int i = 0; i < protocols.length; i++) { 367 String protocol = protocols[i]; 368 if (protocol.equals(SUPPORTED_PROTOCOL_SSLV3)) { 369 optionsToSet &= ~SSL_OP_NO_SSLv3; 370 optionsToClear |= SSL_OP_NO_SSLv3; 371 } else if (protocol.equals(SUPPORTED_PROTOCOL_TLSV1)) { 372 optionsToSet &= ~SSL_OP_NO_TLSv1; 373 optionsToClear |= SSL_OP_NO_TLSv1; 374 } else { 375 // error checked by checkEnabledProtocols 376 throw new IllegalStateException(); 377 } 378 } 379 380 SSL_set_options(ssl, optionsToSet); 381 SSL_clear_options(ssl, optionsToClear); 382 } 383 384 public static String[] checkEnabledProtocols(String[] protocols) { 385 if (protocols == null) { 386 throw new IllegalArgumentException("protocols == null"); 387 } 388 for (int i = 0; i < protocols.length; i++) { 389 String protocol = protocols[i]; 390 if (protocol == null) { 391 throw new IllegalArgumentException("protocols[" + i + "] == null"); 392 } 393 if ((!protocol.equals(SUPPORTED_PROTOCOL_SSLV3)) 394 && (!protocol.equals(SUPPORTED_PROTOCOL_TLSV1))) { 395 throw new IllegalArgumentException("protocol " + protocol 396 + " is not supported"); 397 } 398 } 399 return protocols; 400 } 401 402 public static native void SSL_set_cipher_lists(int ssl, String[] ciphers); 403 404 public static void setEnabledCipherSuites(int ssl, String[] cipherSuites) { 405 checkEnabledCipherSuites(cipherSuites); 406 List<String> opensslSuites = new ArrayList<String>(); 407 for (int i = 0; i < cipherSuites.length; i++) { 408 String cipherSuite = cipherSuites[i]; 409 String openssl = STANDARD_TO_OPENSSL_CIPHER_SUITES.get(cipherSuite); 410 String cs = (openssl == null) ? cipherSuite : openssl; 411 opensslSuites.add(cs); 412 } 413 SSL_set_cipher_lists(ssl, opensslSuites.toArray(new String[opensslSuites.size()])); 414 } 415 416 public static String[] checkEnabledCipherSuites(String[] cipherSuites) { 417 if (cipherSuites == null) { 418 throw new IllegalArgumentException("cipherSuites == null"); 419 } 420 // makes sure all suites are valid, throwing on error 421 for (int i = 0; i < cipherSuites.length; i++) { 422 String cipherSuite = cipherSuites[i]; 423 if (cipherSuite == null) { 424 throw new IllegalArgumentException("cipherSuites[" + i + "] == null"); 425 } 426 if (STANDARD_TO_OPENSSL_CIPHER_SUITES.containsKey(cipherSuite)) { 427 continue; 428 } 429 if (OPENSSL_TO_STANDARD_CIPHER_SUITES.containsKey(cipherSuite)) { 430 // TODO log warning about using backward compatability 431 continue; 432 } 433 throw new IllegalArgumentException("cipherSuite " + cipherSuite + " is not supported."); 434 } 435 return cipherSuites; 436 } 437 438 private static final String SUPPORTED_COMPRESSION_METHOD_ZLIB = "ZLIB"; 439 private static final String SUPPORTED_COMPRESSION_METHOD_NULL = "NULL"; 440 441 private static final String[] SUPPORTED_COMPRESSION_METHODS 442 = { SUPPORTED_COMPRESSION_METHOD_ZLIB, SUPPORTED_COMPRESSION_METHOD_NULL }; 443 444 public static String[] getSupportedCompressionMethods() { 445 return SUPPORTED_COMPRESSION_METHODS.clone(); 446 } 447 448 public static final String[] getDefaultCompressionMethods() { 449 return new String[] { SUPPORTED_COMPRESSION_METHOD_NULL }; 450 } 451 452 public static String[] checkEnabledCompressionMethods(String[] methods) { 453 if (methods == null) { 454 throw new IllegalArgumentException("methods == null"); 455 } 456 if (methods.length < 1 457 && !methods[methods.length-1].equals(SUPPORTED_COMPRESSION_METHOD_NULL)) { 458 throw new IllegalArgumentException("last method must be NULL"); 459 } 460 for (int i = 0; i < methods.length; i++) { 461 String method = methods[i]; 462 if (method == null) { 463 throw new IllegalArgumentException("methods[" + i + "] == null"); 464 } 465 if (!method.equals(SUPPORTED_COMPRESSION_METHOD_ZLIB) 466 && !method.equals(SUPPORTED_COMPRESSION_METHOD_NULL)) { 467 throw new IllegalArgumentException("method " + method 468 + " is not supported"); 469 } 470 } 471 return methods; 472 } 473 474 public static void setEnabledCompressionMethods(int ssl, String[] methods) { 475 checkEnabledCompressionMethods(methods); 476 // openssl uses negative logic letting you disable compression. 477 // so first, assume we need to set all (disable all) and clear none (enable none). 478 // in the loop, selectively move bits from set to clear (from disable to enable) 479 long optionsToSet = (SSL_OP_NO_COMPRESSION); 480 long optionsToClear = 0; 481 for (int i = 0; i < methods.length; i++) { 482 String method = methods[i]; 483 if (method.equals(SUPPORTED_COMPRESSION_METHOD_NULL)) { 484 // nothing to do to support NULL 485 } else if (method.equals(SUPPORTED_COMPRESSION_METHOD_ZLIB)) { 486 optionsToSet &= ~SSL_OP_NO_COMPRESSION; 487 optionsToClear |= SSL_OP_NO_COMPRESSION; 488 } else { 489 // error checked by checkEnabledCompressionMethods 490 throw new IllegalStateException(); 491 } 492 } 493 494 SSL_set_options(ssl, optionsToSet); 495 SSL_clear_options(ssl, optionsToClear); 496 } 497 498 /* 499 * See the OpenSSL ssl.h header file for more information. 500 */ 501 public static final int SSL_VERIFY_NONE = 0x00; 502 public static final int SSL_VERIFY_PEER = 0x01; 503 public static final int SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 0x02; 504 505 public static native void SSL_set_verify(int sslNativePointer, int mode); 506 507 public static native void SSL_set_session(int sslNativePointer, int sslSessionNativePointer) 508 throws SSLException; 509 510 public static native void SSL_set_session_creation_enabled( 511 int sslNativePointer, boolean creationEnabled) throws SSLException; 512 513 public static native void SSL_set_tlsext_host_name(int sslNativePointer, String hostname) 514 throws SSLException; 515 public static native String SSL_get_servername(int sslNativePointer); 516 517 /** 518 * Returns the sslSessionNativePointer of the negotiated session 519 */ 520 public static native int SSL_do_handshake(int sslNativePointer, 521 FileDescriptor fd, 522 SSLHandshakeCallbacks shc, 523 int timeout, 524 boolean client_mode) 525 throws SSLException, SocketTimeoutException, CertificateException; 526 527 /** 528 * Currently only intended for forcing renegotiation for testing. 529 * Not used within OpenSSLSocketImpl. 530 */ 531 public static native void SSL_renegotiate(int sslNativePointer) throws SSLException; 532 533 /** 534 * Returns the local ASN.1 DER encoded X509 certificates. 535 */ 536 public static native byte[][] SSL_get_certificate(int sslNativePointer); 537 538 /** 539 * Returns the peer ASN.1 DER encoded X509 certificates. 540 */ 541 public static native byte[][] SSL_get_peer_cert_chain(int sslNativePointer); 542 543 /** 544 * Reads with the native SSL_read function from the encrypted data stream 545 * @return -1 if error or the end of the stream is reached. 546 */ 547 public static native int SSL_read_byte(int sslNativePointer, 548 FileDescriptor fd, 549 SSLHandshakeCallbacks shc, 550 int timeout) throws IOException; 551 public static native int SSL_read(int sslNativePointer, 552 FileDescriptor fd, 553 SSLHandshakeCallbacks shc, 554 byte[] b, int off, int len, int timeout) 555 throws IOException; 556 557 /** 558 * Writes with the native SSL_write function to the encrypted data stream. 559 */ 560 public static native void SSL_write_byte(int sslNativePointer, 561 FileDescriptor fd, 562 SSLHandshakeCallbacks shc, 563 int b) throws IOException; 564 public static native void SSL_write(int sslNativePointer, 565 FileDescriptor fd, 566 SSLHandshakeCallbacks shc, 567 byte[] b, int off, int len) 568 throws IOException; 569 570 public static native void SSL_interrupt(int sslNativePointer) throws IOException; 571 public static native void SSL_shutdown(int sslNativePointer, 572 FileDescriptor fd, 573 SSLHandshakeCallbacks shc) throws IOException; 574 575 public static native void SSL_free(int sslNativePointer); 576 577 public static native byte[] SSL_SESSION_session_id(int sslSessionNativePointer); 578 579 public static native long SSL_SESSION_get_time(int sslSessionNativePointer); 580 581 public static native String SSL_SESSION_get_version(int sslSessionNativePointer); 582 583 public static native String SSL_SESSION_cipher(int sslSessionNativePointer); 584 585 public static native String SSL_SESSION_compress_meth(int sslCtxNativePointer, 586 int sslSessionNativePointer); 587 588 public static native void SSL_SESSION_free(int sslSessionNativePointer); 589 590 public static native byte[] i2d_SSL_SESSION(int sslSessionNativePointer); 591 592 public static native int d2i_SSL_SESSION(byte[] data); 593 594 /** 595 * A collection of callbacks from the native OpenSSL code that are 596 * related to the SSL handshake initiated by SSL_do_handshake. 597 */ 598 public interface SSLHandshakeCallbacks { 599 /** 600 * Verify that we trust the certificate chain is trusted. 601 * 602 * @param asn1DerEncodedCertificateChain A chain of ASN.1 DER encoded certficates 603 * @param authMethod auth algorithm name 604 * 605 * @throws CertificateException if the certificate is untrusted 606 */ 607 public void verifyCertificateChain(byte[][] asn1DerEncodedCertificateChain, String authMethod) 608 throws CertificateException; 609 610 /** 611 * Called on an SSL client when the server requests (or 612 * requires a certificate). The client can respond by using 613 * SSL_use_certificate and SSL_use_PrivateKey to set a 614 * certificate if has an appropriate one available, similar to 615 * how the server provides its certificate. 616 * 617 * @param keyTypes key types supported by the server, 618 * convertible to strings with #keyType 619 * @param asn1DerEncodedX500Principals CAs known to the server 620 */ 621 public void clientCertificateRequested(byte[] keyTypes, 622 byte[][] asn1DerEncodedX500Principals) 623 throws CertificateEncodingException, SSLException; 624 625 /** 626 * Called when SSL handshake is completed. Note that this can 627 * be after SSL_do_handshake returns when handshake cutthrough 628 * is enabled. 629 */ 630 public void handshakeCompleted(); 631 } 632 } 633
