1 /* 2 * Copyright (C) 2008 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package org.apache.harmony.xnet.provider.jsse; 18 19 import java.io.FileDescriptor; 20 import java.io.IOException; 21 import java.io.OutputStream; 22 import java.net.SocketTimeoutException; 23 import java.nio.ByteOrder; 24 import java.security.MessageDigest; 25 import java.security.NoSuchAlgorithmException; 26 import java.security.PrivateKey; 27 import java.security.SignatureException; 28 import java.security.cert.Certificate; 29 import java.security.cert.CertificateEncodingException; 30 import java.security.cert.CertificateException; 31 import java.security.cert.CertificateParsingException; 32 import java.security.cert.X509Certificate; 33 import java.util.ArrayList; 34 import java.util.Calendar; 35 import java.util.HashMap; 36 import java.util.LinkedHashMap; 37 import java.util.List; 38 import java.util.Map; 39 import javax.crypto.BadPaddingException; 40 import javax.crypto.IllegalBlockSizeException; 41 import javax.net.ssl.SSLException; 42 import javax.security.auth.x500.X500Principal; 43 import libcore.io.Memory; 44 45 /** 46 * Provides the Java side of our JNI glue for OpenSSL. 47 */ 48 public final class NativeCrypto { 49 50 // --- OpenSSL library initialization -------------------------------------- 51 static { 52 clinit(); 53 } 54 55 private native static void clinit(); 56 57 // --- ENGINE functions ---------------------------------------------------- 58 public static native void ENGINE_load_dynamic(); 59 60 public static native long ENGINE_by_id(String id); 61 62 public static native int ENGINE_add(long e); 63 64 public static native int ENGINE_init(long e); 65 66 public static native int ENGINE_finish(long e); 67 68 public static native int ENGINE_free(long e); 69 70 public static native long ENGINE_load_private_key(long e, String key_id); 71 72 public static native String ENGINE_get_id(long engineRef); 73 74 public static native int ENGINE_ctrl_cmd_string(long engineRef, String cmd, String arg, 75 int cmd_optional); 76 77 // --- DSA/RSA public/private key handling functions ----------------------- 78 79 public static native long EVP_PKEY_new_DSA(byte[] p, byte[] q, byte[] g, 80 byte[] pub_key, byte[] priv_key); 81 82 public static native long EVP_PKEY_new_RSA(byte[] n, byte[] e, byte[] d, byte[] p, byte[] q, 83 byte[] dmp1, byte[] dmq1, byte[] iqmp); 84 85 public static native long EVP_PKEY_new_mac_key(int type, byte[] key); 86 87 public static native int EVP_PKEY_size(long pkey); 88 89 public static native int EVP_PKEY_type(long pkey); 90 91 public static native String EVP_PKEY_print_public(long pkeyRef); 92 93 public static native String EVP_PKEY_print_private(long pkeyRef); 94 95 public static native void EVP_PKEY_free(long pkey); 96 97 public static native int EVP_PKEY_cmp(long pkey1, long pkey2); 98 99 public static native byte[] i2d_PKCS8_PRIV_KEY_INFO(long pkey); 100 101 public static native long d2i_PKCS8_PRIV_KEY_INFO(byte[] data); 102 103 public static native byte[] i2d_PUBKEY(long pkey); 104 105 public static native long d2i_PUBKEY(byte[] data); 106 107 public static native long RSA_generate_key_ex(int modulusBits, byte[] publicExponent); 108 109 public static native int RSA_size(long pkey); 110 111 public static native int RSA_private_encrypt(int flen, byte[] from, byte[] to, long pkey, 112 int padding); 113 114 public static native int RSA_public_decrypt(int flen, byte[] from, byte[] to, long pkey, 115 int padding) throws BadPaddingException, SignatureException; 116 117 public static native int RSA_public_encrypt(int flen, byte[] from, byte[] to, long pkey, 118 int padding); 119 120 public static native int RSA_private_decrypt(int flen, byte[] from, byte[] to, long pkey, 121 int padding) throws BadPaddingException, SignatureException; 122 123 /** 124 * @return array of {n, e} 125 */ 126 public static native byte[][] get_RSA_public_params(long rsa); 127 128 /** 129 * @return array of {n, e, d, p, q, dmp1, dmq1, iqmp} 130 */ 131 public static native byte[][] get_RSA_private_params(long rsa); 132 133 public static native long DSA_generate_key(int primeBits, byte[] seed, byte[] g, byte[] p, 134 byte[] q); 135 136 /** 137 * @return array of {g, p, q, y(pub), x(priv)} 138 */ 139 public static native byte[][] get_DSA_params(long dsa); 140 141 public static native byte[] i2d_RSAPublicKey(long rsa); 142 143 public static native byte[] i2d_RSAPrivateKey(long rsa); 144 145 public static native byte[] i2d_DSAPublicKey(long dsa); 146 147 public static native byte[] i2d_DSAPrivateKey(long dsa); 148 149 // --- EC functions -------------------------- 150 151 /** 152 * Used to request EC_GROUP_new_curve_GFp to EC_GROUP_new_curve 153 */ 154 public static final int EC_CURVE_GFP = 1; 155 156 /** 157 * Used to request EC_GROUP_new_curve_GF2m to EC_GROUP_new_curve 158 */ 159 public static final int EC_CURVE_GF2M = 2; 160 161 /** 162 * EC_GROUP_set_asn1_flag: indicates an EC_GROUP is a NamedCurve. 163 */ 164 public static final int OPENSSL_EC_NAMED_CURVE = 0x001; 165 166 /** 167 * EC_GROUP_set_point_conversion_form: indicates compressed ASN.1 format 168 */ 169 public static final int POINT_CONVERSION_COMPRESSED = 2; 170 171 /** 172 * EC_GROUP_set_point_conversion_form: indicates uncompressed ASN.1 format 173 */ 174 public static final int POINT_CONVERSION_UNCOMPRESSED = 4; 175 176 /** 177 * EC_GROUP_set_point_conversion_form: indicates hybrid ASN.1 format 178 */ 179 public static final int POINT_CONVERSION_HYBRID = 4; 180 181 public static native long EVP_PKEY_new_EC_KEY(long groupRef, long pubkeyRef, byte[] privkey); 182 183 public static native long EC_GROUP_new_by_curve_name(String curveName); 184 185 public static native long EC_GROUP_new_curve(int type, byte[] p, byte[] a, byte[] b); 186 187 public static native long EC_GROUP_dup(long groupRef); 188 189 public static native void EC_GROUP_set_asn1_flag(long groupRef, int flag); 190 191 public static native void EC_GROUP_set_point_conversion_form(long groupRef, int form); 192 193 public static native String EC_GROUP_get_curve_name(long groupRef); 194 195 public static native byte[][] EC_GROUP_get_curve(long groupRef); 196 197 public static native void EC_GROUP_clear_free(long ctx); 198 199 public static native boolean EC_GROUP_cmp(long ctx1, long ctx2); 200 201 public static native void EC_GROUP_set_generator(long groupCtx, long pointCtx, byte[] n, byte[] h); 202 203 public static native long EC_GROUP_get_generator(long groupCtx); 204 205 public static native int get_EC_GROUP_type(long groupCtx); 206 207 public static native byte[] EC_GROUP_get_order(long groupCtx); 208 209 public static native int EC_GROUP_get_degree(long groupCtx); 210 211 public static native byte[] EC_GROUP_get_cofactor(long groupCtx); 212 213 public static native long EC_POINT_new(long groupRef); 214 215 public static native void EC_POINT_clear_free(long pointRef); 216 217 public static native boolean EC_POINT_cmp(long groupRef, long pointRef1, long pointRef2); 218 219 public static native byte[][] EC_POINT_get_affine_coordinates(long groupCtx, long pointCtx); 220 221 public static native void EC_POINT_set_affine_coordinates(long groupCtx, long pointCtx, byte[] x, 222 byte[] y); 223 224 public static native long EC_KEY_generate_key(long groupRef); 225 226 public static native long EC_KEY_get0_group(long pkeyRef); 227 228 public static native byte[] EC_KEY_get_private_key(long keyRef); 229 230 public static native long EC_KEY_get_public_key(long keyRef); 231 232 public static native int ECDH_compute_key( 233 byte[] out, int outOffset, long publicKeyRef, long privateKeyRef); 234 235 // --- Message digest functions -------------- 236 237 public static native long EVP_get_digestbyname(String name); 238 239 public static native int EVP_MD_size(long evp_md); 240 241 public static native int EVP_MD_block_size(long evp_md); 242 243 // --- Message digest context functions -------------- 244 245 public static native long EVP_MD_CTX_create(); 246 247 public static native void EVP_MD_CTX_init(long ctx); 248 249 public static native void EVP_MD_CTX_destroy(long ctx); 250 251 public static native long EVP_MD_CTX_copy(long ctx); 252 253 // --- Digest handling functions ------------------------------------------- 254 255 public static native long EVP_DigestInit(long evp_md); 256 257 public static native void EVP_DigestUpdate(long ctx, byte[] buffer, int offset, int length); 258 259 public static native int EVP_DigestFinal(long ctx, byte[] hash, int offset); 260 261 // --- MAC handling functions ---------------------------------------------- 262 263 public static native void EVP_DigestSignInit(long evp_md_ctx, long evp_md, long evp_pkey); 264 265 public static native void EVP_DigestSignUpdate(long evp_md_ctx, byte[] in); 266 267 public static native byte[] EVP_DigestSignFinal(long evp_md_ctx); 268 269 // --- Signature handling functions ---------------------------------------- 270 271 public static native long EVP_SignInit(String algorithm); 272 273 public static native void EVP_SignUpdate(long ctx, byte[] buffer, 274 int offset, int length); 275 276 public static native int EVP_SignFinal(long ctx, byte[] signature, int offset, long key); 277 278 public static native long EVP_VerifyInit(String algorithm); 279 280 public static native void EVP_VerifyUpdate(long ctx, byte[] buffer, 281 int offset, int length); 282 283 public static native int EVP_VerifyFinal(long ctx, byte[] signature, 284 int offset, int length, long key); 285 286 287 // --- Block ciphers ------------------------------------------------------- 288 289 public static native long EVP_get_cipherbyname(String string); 290 291 public static native void EVP_CipherInit_ex(long ctx, long evpCipher, byte[] key, byte[] iv, 292 boolean encrypting); 293 294 public static native int EVP_CipherUpdate(long ctx, byte[] out, int outOffset, byte[] in, 295 int inOffset, int inLength); 296 297 public static native int EVP_CipherFinal_ex(long ctx, byte[] out, int outOffset) 298 throws BadPaddingException, IllegalBlockSizeException; 299 300 public static native int EVP_CIPHER_iv_length(long evpCipher); 301 302 public static native long EVP_CIPHER_CTX_new(); 303 304 public static native int EVP_CIPHER_CTX_block_size(long ctx); 305 306 public static native int get_EVP_CIPHER_CTX_buf_len(long ctx); 307 308 public static native void EVP_CIPHER_CTX_set_padding(long ctx, boolean enablePadding); 309 310 public static native void EVP_CIPHER_CTX_set_key_length(long ctx, int keyBitSize); 311 312 public static native void EVP_CIPHER_CTX_cleanup(long ctx); 313 314 // --- RAND seeding -------------------------------------------------------- 315 316 public static final int RAND_SEED_LENGTH_IN_BYTES = 1024; 317 318 public static native void RAND_seed(byte[] seed); 319 320 public static native int RAND_load_file(String filename, long max_bytes); 321 322 public static native void RAND_bytes(byte[] output); 323 324 // --- ASN.1 objects ------------------------------------------------------- 325 326 public static native int OBJ_txt2nid(String oid); 327 328 public static native String OBJ_txt2nid_longName(String oid); 329 330 public static native String OBJ_txt2nid_oid(String oid); 331 332 // --- X509_NAME ----------------------------------------------------------- 333 334 public static int X509_NAME_hash(X500Principal principal) { 335 return X509_NAME_hash(principal, "SHA1"); 336 } 337 public static int X509_NAME_hash_old(X500Principal principal) { 338 return X509_NAME_hash(principal, "MD5"); 339 } 340 private static int X509_NAME_hash(X500Principal principal, String algorithm) { 341 try { 342 byte[] digest = MessageDigest.getInstance(algorithm).digest(principal.getEncoded()); 343 return Memory.peekInt(digest, 0, ByteOrder.LITTLE_ENDIAN); 344 } catch (NoSuchAlgorithmException e) { 345 throw new AssertionError(e); 346 } 347 } 348 349 public static native String X509_NAME_print_ex(long x509nameCtx, long flags); 350 351 // --- X509 ---------------------------------------------------------------- 352 353 /** Used to request get_X509_GENERAL_NAME_stack get the "altname" field. */ 354 public static final int GN_STACK_SUBJECT_ALT_NAME = 1; 355 356 /** 357 * Used to request get_X509_GENERAL_NAME_stack get the issuerAlternativeName 358 * extension. 359 */ 360 public static final int GN_STACK_ISSUER_ALT_NAME = 2; 361 362 /** 363 * Used to request only non-critical types in get_X509*_ext_oids. 364 */ 365 public static final int EXTENSION_TYPE_NON_CRITICAL = 0; 366 367 /** 368 * Used to request only critical types in get_X509*_ext_oids. 369 */ 370 public static final int EXTENSION_TYPE_CRITICAL = 1; 371 372 public static native long d2i_X509_bio(long bioCtx); 373 374 public static native long d2i_X509(byte[] encoded); 375 376 public static native long PEM_read_bio_X509(long bioCtx); 377 378 public static native byte[] i2d_X509(long x509ctx); 379 380 /** Takes an X509 context not an X509_PUBKEY context. */ 381 public static native byte[] i2d_X509_PUBKEY(long x509ctx); 382 383 public static native byte[] ASN1_seq_pack_X509(long[] x509CertRefs); 384 385 public static native long[] ASN1_seq_unpack_X509_bio(long bioRef); 386 387 public static native void X509_free(long x509ctx); 388 389 public static native int X509_cmp(long x509ctx1, long x509ctx2); 390 391 public static native int get_X509_hashCode(long x509ctx); 392 393 public static native void X509_print_ex(long bioCtx, long x509ctx, long nmflag, long certflag); 394 395 public static native byte[] X509_get_issuer_name(long x509ctx); 396 397 public static native byte[] X509_get_subject_name(long x509ctx); 398 399 public static native String get_X509_sig_alg_oid(long x509ctx); 400 401 public static native byte[] get_X509_sig_alg_parameter(long x509ctx); 402 403 public static native boolean[] get_X509_issuerUID(long x509ctx); 404 405 public static native boolean[] get_X509_subjectUID(long x509ctx); 406 407 public static native long X509_get_pubkey(long x509ctx) throws NoSuchAlgorithmException; 408 409 public static native String get_X509_pubkey_oid(long x509ctx); 410 411 public static native byte[] X509_get_ext_oid(long x509ctx, String oid); 412 413 public static native String[] get_X509_ext_oids(long x509ctx, int critical); 414 415 public static native Object[][] get_X509_GENERAL_NAME_stack(long x509ctx, int type) 416 throws CertificateParsingException; 417 418 public static native boolean[] get_X509_ex_kusage(long x509ctx); 419 420 public static native String[] get_X509_ex_xkusage(long x509ctx); 421 422 public static native int get_X509_ex_pathlen(long x509ctx); 423 424 public static native long X509_get_notBefore(long x509ctx); 425 426 public static native long X509_get_notAfter(long x509ctx); 427 428 public static native long X509_get_version(long x509ctx); 429 430 public static native byte[] X509_get_serialNumber(long x509ctx); 431 432 public static native void X509_verify(long x509ctx, long pkeyCtx); 433 434 public static native byte[] get_X509_cert_info_enc(long x509ctx); 435 436 public static native byte[] get_X509_signature(long x509ctx); 437 438 public static native int get_X509_ex_flags(long x509ctx); 439 440 // --- X509 EXFLAG --------------------------------------------------------- 441 442 public static final int EXFLAG_CA = 0x10; 443 444 public static final int EXFLAG_CRITICAL = 0x200; 445 446 // --- PKCS7 --------------------------------------------------------------- 447 448 /** Used as the "which" field in d2i_PKCS7_bio and PEM_read_bio_PKCS7. */ 449 public static final int PKCS7_CERTS = 1; 450 451 /** Used as the "which" field in d2i_PKCS7_bio and PEM_read_bio_PKCS7. */ 452 public static final int PKCS7_CRLS = 2; 453 454 /** Returns an array of X509 or X509_CRL pointers. */ 455 public static native long[] d2i_PKCS7_bio(long bioCtx, int which); 456 457 /** Returns an array of X509 or X509_CRL pointers. */ 458 public static native byte[] i2d_PKCS7(long[] certs); 459 460 /** Returns an array of X509 or X509_CRL pointers. */ 461 public static native long[] PEM_read_bio_PKCS7(long bioCtx, int which); 462 463 // --- X509_CRL ------------------------------------------------------------ 464 465 public static native long d2i_X509_CRL_bio(long bioCtx); 466 467 public static native long PEM_read_bio_X509_CRL(long bioCtx); 468 469 public static native byte[] i2d_X509_CRL(long x509CrlCtx); 470 471 public static native void X509_CRL_free(long x509CrlCtx); 472 473 public static native void X509_CRL_print(long bioCtx, long x509CrlCtx); 474 475 public static native String get_X509_CRL_sig_alg_oid(long x509CrlCtx); 476 477 public static native byte[] get_X509_CRL_sig_alg_parameter(long x509CrlCtx); 478 479 public static native byte[] X509_CRL_get_issuer_name(long x509CrlCtx); 480 481 /** Returns X509_REVOKED reference that is not duplicated! */ 482 public static native long X509_CRL_get0_by_cert(long x509CrlCtx, long x509Ctx); 483 484 /** Returns X509_REVOKED reference that is not duplicated! */ 485 public static native long X509_CRL_get0_by_serial(long x509CrlCtx, byte[] serial); 486 487 /** Returns an array of X509_REVOKED that are owned by the caller. */ 488 public static native long[] X509_CRL_get_REVOKED(long x509CrlCtx); 489 490 public static native String[] get_X509_CRL_ext_oids(long x509ctx, int critical); 491 492 public static native byte[] X509_CRL_get_ext_oid(long x509CrlCtx, String oid); 493 494 public static native long X509_CRL_get_version(long x509CrlCtx); 495 496 public static native long X509_CRL_get_ext(long x509CrlCtx, String oid); 497 498 public static native byte[] get_X509_CRL_signature(long x509ctx); 499 500 public static native void X509_CRL_verify(long x509CrlCtx, long pkeyCtx); 501 502 public static native byte[] get_X509_CRL_crl_enc(long x509CrlCtx); 503 504 public static native long X509_CRL_get_lastUpdate(long x509CrlCtx); 505 506 public static native long X509_CRL_get_nextUpdate(long x509CrlCtx); 507 508 // --- X509_REVOKED -------------------------------------------------------- 509 510 public static native long X509_REVOKED_dup(long x509RevokedCtx); 511 512 public static native byte[] i2d_X509_REVOKED(long x509RevokedCtx); 513 514 public static native String[] get_X509_REVOKED_ext_oids(long x509ctx, int critical); 515 516 public static native byte[] X509_REVOKED_get_ext_oid(long x509RevokedCtx, String oid); 517 518 public static native byte[] X509_REVOKED_get_serialNumber(long x509RevokedCtx); 519 520 public static native long X509_REVOKED_get_ext(long x509RevokedCtx, String oid); 521 522 /** Returns ASN1_TIME reference. */ 523 public static native long get_X509_REVOKED_revocationDate(long x509RevokedCtx); 524 525 public static native void X509_REVOKED_print(long bioRef, long x509RevokedCtx); 526 527 // --- X509_EXTENSION ------------------------------------------------------ 528 529 public static native int X509_supported_extension(long x509ExtensionRef); 530 531 // --- ASN1_TIME ----------------------------------------------------------- 532 533 public static native void ASN1_TIME_to_Calendar(long asn1TimeCtx, Calendar cal); 534 535 // --- BIO stream creation ------------------------------------------------- 536 537 public static native long create_BIO_InputStream(OpenSSLBIOInputStream is); 538 539 public static native long create_BIO_OutputStream(OutputStream os); 540 541 public static native int BIO_read(long bioRef, byte[] buffer); 542 543 public static native void BIO_write(long bioRef, byte[] buffer, int offset, int length) 544 throws IOException; 545 546 public static native void BIO_free(long bioRef); 547 548 // --- SSL handling -------------------------------------------------------- 549 550 private static final String SUPPORTED_PROTOCOL_SSLV3 = "SSLv3"; 551 private static final String SUPPORTED_PROTOCOL_TLSV1 = "TLSv1"; 552 private static final String SUPPORTED_PROTOCOL_TLSV1_1 = "TLSv1.1"; 553 private static final String SUPPORTED_PROTOCOL_TLSV1_2 = "TLSv1.2"; 554 555 public static final Map<String, String> OPENSSL_TO_STANDARD_CIPHER_SUITES 556 = new HashMap<String, String>(); 557 public static final Map<String, String> STANDARD_TO_OPENSSL_CIPHER_SUITES 558 = new LinkedHashMap<String, String>(); 559 560 private static void add(String standard, String openssl) { 561 OPENSSL_TO_STANDARD_CIPHER_SUITES.put(openssl, standard); 562 STANDARD_TO_OPENSSL_CIPHER_SUITES.put(standard, openssl); 563 } 564 565 /** 566 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is RFC 5746's renegotiation 567 * indication signaling cipher suite value. It is not a real 568 * cipher suite. It is just an indication in the default and 569 * supported cipher suite lists indicates that the implementation 570 * supports secure renegotiation. 571 * 572 * In the RI, its presence means that the SCSV is sent in the 573 * cipher suite list to indicate secure renegotiation support and 574 * its absense means to send an empty TLS renegotiation info 575 * extension instead. 576 * 577 * However, OpenSSL doesn't provide an API to give this level of 578 * control, instead always sending the SCSV and always including 579 * the empty renegotiation info if TLS is used (as opposed to 580 * SSL). So we simply allow TLS_EMPTY_RENEGOTIATION_INFO_SCSV to 581 * be passed for compatibility as to provide the hint that we 582 * support secure renegotiation. 583 */ 584 public static final String TLS_EMPTY_RENEGOTIATION_INFO_SCSV 585 = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; 586 587 static { 588 // Note these are added in priority order 589 add("SSL_RSA_WITH_RC4_128_MD5", "RC4-MD5"); 590 add("SSL_RSA_WITH_RC4_128_SHA", "RC4-SHA"); 591 add("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA"); 592 add("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256-SHA"); 593 add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "ECDH-ECDSA-RC4-SHA"); 594 add("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "ECDH-ECDSA-AES128-SHA"); 595 add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "ECDH-ECDSA-AES256-SHA"); 596 add("TLS_ECDH_RSA_WITH_RC4_128_SHA", "ECDH-RSA-RC4-SHA"); 597 add("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "ECDH-RSA-AES128-SHA"); 598 add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "ECDH-RSA-AES256-SHA"); 599 add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "ECDHE-ECDSA-RC4-SHA"); 600 add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "ECDHE-ECDSA-AES128-SHA"); 601 add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "ECDHE-ECDSA-AES256-SHA"); 602 add("TLS_ECDHE_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-RC4-SHA"); 603 add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE-RSA-AES128-SHA"); 604 add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE-RSA-AES256-SHA"); 605 add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE-RSA-AES128-SHA"); 606 add("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE-RSA-AES256-SHA"); 607 add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "DHE-DSS-AES128-SHA"); 608 add("TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "DHE-DSS-AES256-SHA"); 609 add("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "DES-CBC3-SHA"); 610 add("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "ECDH-ECDSA-DES-CBC3-SHA"); 611 add("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "ECDH-RSA-DES-CBC3-SHA"); 612 add("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-ECDSA-DES-CBC3-SHA"); 613 add("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-RSA-DES-CBC3-SHA"); 614 add("SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "EDH-RSA-DES-CBC3-SHA"); 615 add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "EDH-DSS-DES-CBC3-SHA"); 616 add("SSL_RSA_WITH_DES_CBC_SHA", "DES-CBC-SHA"); 617 add("SSL_DHE_RSA_WITH_DES_CBC_SHA", "EDH-RSA-DES-CBC-SHA"); 618 add("SSL_DHE_DSS_WITH_DES_CBC_SHA", "EDH-DSS-DES-CBC-SHA"); 619 add("SSL_RSA_EXPORT_WITH_RC4_40_MD5", "EXP-RC4-MD5"); 620 add("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-DES-CBC-SHA"); 621 add("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-RSA-DES-CBC-SHA"); 622 add("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-DSS-DES-CBC-SHA"); 623 add("SSL_RSA_WITH_NULL_MD5", "NULL-MD5"); 624 add("SSL_RSA_WITH_NULL_SHA", "NULL-SHA"); 625 add("TLS_ECDH_ECDSA_WITH_NULL_SHA", "ECDH-ECDSA-NULL-SHA"); 626 add("TLS_ECDH_RSA_WITH_NULL_SHA", "ECDH-RSA-NULL-SHA"); 627 add("TLS_ECDHE_ECDSA_WITH_NULL_SHA", "ECDHE-ECDSA-NULL-SHA"); 628 add("TLS_ECDHE_RSA_WITH_NULL_SHA", "ECDHE-RSA-NULL-SHA"); 629 add("SSL_DH_anon_WITH_RC4_128_MD5", "ADH-RC4-MD5"); 630 add("TLS_DH_anon_WITH_AES_128_CBC_SHA", "ADH-AES128-SHA"); 631 add("TLS_DH_anon_WITH_AES_256_CBC_SHA", "ADH-AES256-SHA"); 632 add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "ADH-DES-CBC3-SHA"); 633 add("SSL_DH_anon_WITH_DES_CBC_SHA", "ADH-DES-CBC-SHA"); 634 add("TLS_ECDH_anon_WITH_RC4_128_SHA", "AECDH-RC4-SHA"); 635 add("TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "AECDH-AES128-SHA"); 636 add("TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "AECDH-AES256-SHA"); 637 add("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "AECDH-DES-CBC3-SHA"); 638 add("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", "EXP-ADH-RC4-MD5"); 639 add("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", "EXP-ADH-DES-CBC-SHA"); 640 add("TLS_ECDH_anon_WITH_NULL_SHA", "AECDH-NULL-SHA"); 641 642 // No Kerberos in Android 643 // add("TLS_KRB5_WITH_RC4_128_SHA", "KRB5-RC4-SHA"); 644 // add("TLS_KRB5_WITH_RC4_128_MD5", "KRB5-RC4-MD5"); 645 // add("TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "KRB5-DES-CBC3-SHA"); 646 // add("TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "KRB5-DES-CBC3-MD5"); 647 // add("TLS_KRB5_WITH_DES_CBC_SHA", "KRB5-DES-CBC-SHA"); 648 // add("TLS_KRB5_WITH_DES_CBC_MD5", "KRB5-DES-CBC-MD5"); 649 // add("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "EXP-KRB5-RC4-SHA"); 650 // add("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "EXP-KRB5-RC4-MD5"); 651 // add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "EXP-KRB5-DES-CBC-SHA"); 652 // add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "EXP-KRB5-DES-CBC-MD5"); 653 654 // not implemented by either RI or OpenSSL 655 // add("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", null); 656 // add("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", null); 657 658 // EXPORT1024 suites were never standardized but were widely implemented. 659 // OpenSSL 0.9.8c and later have disabled TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 660 // add("SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA", "EXP1024-DES-CBC-SHA"); 661 // add("SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", "EXP1024-RC4-SHA"); 662 663 // No RC2 664 // add("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "EXP-RC2-CBC-MD5"); 665 // add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", "EXP-KRB5-RC2-CBC-SHA"); 666 // add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", "EXP-KRB5-RC2-CBC-MD5"); 667 668 // PSK is Private Shared Key - didn't exist in Froyo's openssl - no JSSE equivalent 669 // add(null, "PSK-3DES-EDE-CBC-SHA"); 670 // add(null, "PSK-AES128-CBC-SHA"); 671 // add(null, "PSK-AES256-CBC-SHA"); 672 // add(null, "PSK-RC4-SHA"); 673 674 // Signaling Cipher Suite Value for secure renegotiation handled as special case. 675 // add("TLS_EMPTY_RENEGOTIATION_INFO_SCSV", null); 676 } 677 678 private static final String[] SUPPORTED_CIPHER_SUITES; 679 static { 680 int size = STANDARD_TO_OPENSSL_CIPHER_SUITES.size(); 681 SUPPORTED_CIPHER_SUITES = new String[size + 1]; 682 STANDARD_TO_OPENSSL_CIPHER_SUITES.keySet().toArray(SUPPORTED_CIPHER_SUITES); 683 SUPPORTED_CIPHER_SUITES[size] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV; 684 } 685 686 // EVP_PKEY types from evp.h and objects.h 687 public static final int EVP_PKEY_RSA = 6; // NID_rsaEcnryption 688 public static final int EVP_PKEY_DSA = 116; // NID_dsa 689 public static final int EVP_PKEY_DH = 28; // NID_dhKeyAgreement 690 public static final int EVP_PKEY_EC = 408; // NID_X9_62_id_ecPublicKey 691 public static final int EVP_PKEY_HMAC = 855; // NID_hmac 692 public static final int EVP_PKEY_CMAC = 894; // NID_cmac 693 694 // RSA padding modes from rsa.h 695 public static final int RSA_PKCS1_PADDING = 1; 696 public static final int RSA_NO_PADDING = 3; 697 698 // SSL mode from ssl.h 699 public static final long SSL_MODE_HANDSHAKE_CUTTHROUGH = 0x00000020L; 700 701 // SSL options from ssl.h 702 public static final long SSL_OP_NO_TICKET = 0x00004000L; 703 public static final long SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00010000L; 704 public static final long SSL_OP_NO_SSLv3 = 0x02000000L; 705 public static final long SSL_OP_NO_TLSv1 = 0x04000000L; 706 public static final long SSL_OP_NO_TLSv1_1 = 0x10000000L; 707 public static final long SSL_OP_NO_TLSv1_2 = 0x08000000L; 708 709 public static native long SSL_CTX_new(); 710 711 public static String[] getDefaultCipherSuites() { 712 return new String[] { 713 "SSL_RSA_WITH_RC4_128_MD5", 714 "SSL_RSA_WITH_RC4_128_SHA", 715 "TLS_RSA_WITH_AES_128_CBC_SHA", 716 "TLS_RSA_WITH_AES_256_CBC_SHA", 717 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", 718 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", 719 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", 720 "TLS_ECDH_RSA_WITH_RC4_128_SHA", 721 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", 722 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", 723 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", 724 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 725 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 726 "TLS_ECDHE_RSA_WITH_RC4_128_SHA", 727 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 728 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 729 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 730 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 731 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 732 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", 733 "SSL_RSA_WITH_3DES_EDE_CBC_SHA", 734 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", 735 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", 736 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", 737 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", 738 "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 739 "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 740 "SSL_RSA_WITH_DES_CBC_SHA", 741 "SSL_DHE_RSA_WITH_DES_CBC_SHA", 742 "SSL_DHE_DSS_WITH_DES_CBC_SHA", 743 "SSL_RSA_EXPORT_WITH_RC4_40_MD5", 744 "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", 745 "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", 746 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", 747 TLS_EMPTY_RENEGOTIATION_INFO_SCSV 748 }; 749 } 750 751 public static String[] getSupportedCipherSuites() { 752 return SUPPORTED_CIPHER_SUITES.clone(); 753 } 754 755 public static native void SSL_CTX_free(long ssl_ctx); 756 757 public static native void SSL_CTX_set_session_id_context(long ssl_ctx, byte[] sid_ctx); 758 759 public static native long SSL_new(long ssl_ctx) throws SSLException; 760 761 public static native void SSL_enable_tls_channel_id(long ssl) throws SSLException; 762 763 public static native byte[] SSL_get_tls_channel_id(long ssl) throws SSLException; 764 765 public static native void SSL_use_OpenSSL_PrivateKey_for_tls_channel_id(long ssl, long pkey) 766 throws SSLException; 767 768 public static native void SSL_use_PKCS8_PrivateKey_for_tls_channel_id( 769 long ssl, byte[] pkcs8EncodedPrivateKey) throws SSLException; 770 771 public static void SSL_set1_tls_channel_id(long ssl, PrivateKey privateKey) 772 throws SSLException { 773 if (privateKey == null) { 774 throw new NullPointerException("privateKey == null"); 775 } else if (privateKey instanceof OpenSSLECPrivateKey) { 776 OpenSSLKey openSslPrivateKey = ((OpenSSLECPrivateKey) privateKey).getOpenSSLKey(); 777 SSL_use_OpenSSL_PrivateKey_for_tls_channel_id(ssl, openSslPrivateKey.getPkeyContext()); 778 } else if ("PKCS#8".equals(privateKey.getFormat())) { 779 byte[] pkcs8EncodedKey = privateKey.getEncoded(); 780 SSL_use_PKCS8_PrivateKey_for_tls_channel_id(ssl, pkcs8EncodedKey); 781 } else { 782 throw new SSLException("Unsupported Channel ID private key type:" + 783 " class: " + privateKey.getClass() + ", format: " + privateKey.getFormat()); 784 } 785 } 786 787 public static byte[][] encodeCertificates(Certificate[] certificates) 788 throws CertificateEncodingException { 789 byte[][] certificateBytes = new byte[certificates.length][]; 790 for (int i = 0; i < certificates.length; i++) { 791 certificateBytes[i] = certificates[i].getEncoded(); 792 } 793 return certificateBytes; 794 } 795 796 public static native void SSL_use_certificate(long ssl, byte[][] asn1DerEncodedCertificateChain); 797 798 public static native void SSL_use_OpenSSL_PrivateKey(long ssl, long pkey); 799 800 public static native void SSL_use_PrivateKey(long ssl, byte[] pkcs8EncodedPrivateKey); 801 802 public static native void SSL_check_private_key(long ssl) throws SSLException; 803 804 public static byte[][] encodeIssuerX509Principals(X509Certificate[] certificates) 805 throws CertificateEncodingException { 806 byte[][] principalBytes = new byte[certificates.length][]; 807 for (int i = 0; i < certificates.length; i++) { 808 principalBytes[i] = certificates[i].getIssuerX500Principal().getEncoded(); 809 } 810 return principalBytes; 811 } 812 813 public static native void SSL_set_client_CA_list(long ssl, byte[][] asn1DerEncodedX500Principals); 814 815 public static native long SSL_get_mode(long ssl); 816 817 public static native long SSL_set_mode(long ssl, long mode); 818 819 public static native long SSL_clear_mode(long ssl, long mode); 820 821 public static native long SSL_get_options(long ssl); 822 823 public static native long SSL_set_options(long ssl, long options); 824 825 public static native long SSL_clear_options(long ssl, long options); 826 827 public static String[] getDefaultProtocols() { 828 return new String[] { SUPPORTED_PROTOCOL_SSLV3, 829 SUPPORTED_PROTOCOL_TLSV1, 830 }; 831 } 832 833 public static String[] getSupportedProtocols() { 834 return new String[] { SUPPORTED_PROTOCOL_SSLV3, 835 SUPPORTED_PROTOCOL_TLSV1, 836 SUPPORTED_PROTOCOL_TLSV1_1, 837 SUPPORTED_PROTOCOL_TLSV1_2, 838 }; 839 } 840 841 public static void setEnabledProtocols(long ssl, String[] protocols) { 842 checkEnabledProtocols(protocols); 843 // openssl uses negative logic letting you disable protocols. 844 // so first, assume we need to set all (disable all) and clear none (enable none). 845 // in the loop, selectively move bits from set to clear (from disable to enable) 846 long optionsToSet = (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2); 847 long optionsToClear = 0; 848 for (int i = 0; i < protocols.length; i++) { 849 String protocol = protocols[i]; 850 if (protocol.equals(SUPPORTED_PROTOCOL_SSLV3)) { 851 optionsToSet &= ~SSL_OP_NO_SSLv3; 852 optionsToClear |= SSL_OP_NO_SSLv3; 853 } else if (protocol.equals(SUPPORTED_PROTOCOL_TLSV1)) { 854 optionsToSet &= ~SSL_OP_NO_TLSv1; 855 optionsToClear |= SSL_OP_NO_TLSv1; 856 } else if (protocol.equals(SUPPORTED_PROTOCOL_TLSV1_1)) { 857 optionsToSet &= ~SSL_OP_NO_TLSv1_1; 858 optionsToClear |= SSL_OP_NO_TLSv1_1; 859 } else if (protocol.equals(SUPPORTED_PROTOCOL_TLSV1_2)) { 860 optionsToSet &= ~SSL_OP_NO_TLSv1_2; 861 optionsToClear |= SSL_OP_NO_TLSv1_2; 862 } else { 863 // error checked by checkEnabledProtocols 864 throw new IllegalStateException(); 865 } 866 } 867 868 SSL_set_options(ssl, optionsToSet); 869 SSL_clear_options(ssl, optionsToClear); 870 } 871 872 public static String[] checkEnabledProtocols(String[] protocols) { 873 if (protocols == null) { 874 throw new IllegalArgumentException("protocols == null"); 875 } 876 for (int i = 0; i < protocols.length; i++) { 877 String protocol = protocols[i]; 878 if (protocol == null) { 879 throw new IllegalArgumentException("protocols[" + i + "] == null"); 880 } 881 if ((!protocol.equals(SUPPORTED_PROTOCOL_SSLV3)) 882 && (!protocol.equals(SUPPORTED_PROTOCOL_TLSV1)) 883 && (!protocol.equals(SUPPORTED_PROTOCOL_TLSV1_1)) 884 && (!protocol.equals(SUPPORTED_PROTOCOL_TLSV1_2))) { 885 throw new IllegalArgumentException("protocol " + protocol 886 + " is not supported"); 887 } 888 } 889 return protocols; 890 } 891 892 public static native void SSL_set_cipher_lists(long ssl, String[] ciphers); 893 894 public static void setEnabledCipherSuites(long ssl, String[] cipherSuites) { 895 checkEnabledCipherSuites(cipherSuites); 896 List<String> opensslSuites = new ArrayList<String>(); 897 for (int i = 0; i < cipherSuites.length; i++) { 898 String cipherSuite = cipherSuites[i]; 899 if (cipherSuite.equals(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) { 900 continue; 901 } 902 String openssl = STANDARD_TO_OPENSSL_CIPHER_SUITES.get(cipherSuite); 903 String cs = (openssl == null) ? cipherSuite : openssl; 904 opensslSuites.add(cs); 905 } 906 SSL_set_cipher_lists(ssl, opensslSuites.toArray(new String[opensslSuites.size()])); 907 } 908 909 public static String[] checkEnabledCipherSuites(String[] cipherSuites) { 910 if (cipherSuites == null) { 911 throw new IllegalArgumentException("cipherSuites == null"); 912 } 913 // makes sure all suites are valid, throwing on error 914 for (int i = 0; i < cipherSuites.length; i++) { 915 String cipherSuite = cipherSuites[i]; 916 if (cipherSuite == null) { 917 throw new IllegalArgumentException("cipherSuites[" + i + "] == null"); 918 } 919 if (cipherSuite.equals(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) { 920 continue; 921 } 922 if (STANDARD_TO_OPENSSL_CIPHER_SUITES.containsKey(cipherSuite)) { 923 continue; 924 } 925 if (OPENSSL_TO_STANDARD_CIPHER_SUITES.containsKey(cipherSuite)) { 926 // TODO log warning about using backward compatability 927 continue; 928 } 929 throw new IllegalArgumentException("cipherSuite " + cipherSuite + " is not supported."); 930 } 931 return cipherSuites; 932 } 933 934 /* 935 * See the OpenSSL ssl.h header file for more information. 936 */ 937 public static final int SSL_VERIFY_NONE = 0x00; 938 public static final int SSL_VERIFY_PEER = 0x01; 939 public static final int SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 0x02; 940 941 public static native void SSL_set_verify(long sslNativePointer, int mode); 942 943 public static native void SSL_set_session(long sslNativePointer, long sslSessionNativePointer) 944 throws SSLException; 945 946 public static native void SSL_set_session_creation_enabled( 947 long sslNativePointer, boolean creationEnabled) throws SSLException; 948 949 public static native void SSL_set_tlsext_host_name(long sslNativePointer, String hostname) 950 throws SSLException; 951 public static native String SSL_get_servername(long sslNativePointer); 952 953 /** 954 * Enables NPN for all SSL connections in the context. 955 * 956 * <p>For clients this causes the NPN extension to be included in the 957 * ClientHello message. 958 * 959 * <p>For servers this causes the NPN extension to be included in the 960 * ServerHello message. The NPN extension will not be included in the 961 * ServerHello response if the client didn't include it in the ClientHello 962 * request. 963 * 964 * <p>In either case the caller should pass a non-null byte array of NPN 965 * protocols to {@link #SSL_do_handshake}. 966 */ 967 public static native void SSL_CTX_enable_npn(long sslCtxNativePointer); 968 969 /** 970 * Disables NPN for all SSL connections in the context. 971 */ 972 public static native void SSL_CTX_disable_npn(long sslCtxNativePointer); 973 974 /** 975 * Returns the sslSessionNativePointer of the negotiated session 976 */ 977 public static native int SSL_do_handshake(long sslNativePointer, 978 FileDescriptor fd, 979 SSLHandshakeCallbacks shc, 980 int timeoutMillis, 981 boolean client_mode, 982 byte[] npnProtocols) 983 throws SSLException, SocketTimeoutException, CertificateException; 984 985 public static native byte[] SSL_get_npn_negotiated_protocol(long sslNativePointer); 986 987 /** 988 * Currently only intended for forcing renegotiation for testing. 989 * Not used within OpenSSLSocketImpl. 990 */ 991 public static native void SSL_renegotiate(long sslNativePointer) throws SSLException; 992 993 /** 994 * Returns the local ASN.1 DER encoded X509 certificates. 995 */ 996 public static native byte[][] SSL_get_certificate(long sslNativePointer); 997 998 /** 999 * Returns the peer ASN.1 DER encoded X509 certificates. 1000 */ 1001 public static native byte[][] SSL_get_peer_cert_chain(long sslNativePointer); 1002 1003 /** 1004 * Reads with the native SSL_read function from the encrypted data stream 1005 * @return -1 if error or the end of the stream is reached. 1006 */ 1007 public static native int SSL_read(long sslNativePointer, 1008 FileDescriptor fd, 1009 SSLHandshakeCallbacks shc, 1010 byte[] b, int off, int len, int readTimeoutMillis) 1011 throws IOException; 1012 1013 /** 1014 * Writes with the native SSL_write function to the encrypted data stream. 1015 */ 1016 public static native void SSL_write(long sslNativePointer, 1017 FileDescriptor fd, 1018 SSLHandshakeCallbacks shc, 1019 byte[] b, int off, int len, int writeTimeoutMillis) 1020 throws IOException; 1021 1022 public static native void SSL_interrupt(long sslNativePointer); 1023 public static native void SSL_shutdown(long sslNativePointer, 1024 FileDescriptor fd, 1025 SSLHandshakeCallbacks shc) throws IOException; 1026 1027 public static native void SSL_free(long sslNativePointer); 1028 1029 public static native byte[] SSL_SESSION_session_id(long sslSessionNativePointer); 1030 1031 public static native long SSL_SESSION_get_time(long sslSessionNativePointer); 1032 1033 public static native String SSL_SESSION_get_version(long sslSessionNativePointer); 1034 1035 public static native String SSL_SESSION_cipher(long sslSessionNativePointer); 1036 1037 public static native void SSL_SESSION_free(long sslSessionNativePointer); 1038 1039 public static native byte[] i2d_SSL_SESSION(long sslSessionNativePointer); 1040 1041 public static native long d2i_SSL_SESSION(byte[] data); 1042 1043 /** 1044 * A collection of callbacks from the native OpenSSL code that are 1045 * related to the SSL handshake initiated by SSL_do_handshake. 1046 */ 1047 public interface SSLHandshakeCallbacks { 1048 /** 1049 * Verify that we trust the certificate chain is trusted. 1050 * 1051 * @param asn1DerEncodedCertificateChain A chain of ASN.1 DER encoded certificates 1052 * @param authMethod auth algorithm name 1053 * 1054 * @throws CertificateException if the certificate is untrusted 1055 */ 1056 public void verifyCertificateChain(byte[][] asn1DerEncodedCertificateChain, String authMethod) 1057 throws CertificateException; 1058 1059 /** 1060 * Called on an SSL client when the server requests (or 1061 * requires a certificate). The client can respond by using 1062 * SSL_use_certificate and SSL_use_PrivateKey to set a 1063 * certificate if has an appropriate one available, similar to 1064 * how the server provides its certificate. 1065 * 1066 * @param keyTypes key types supported by the server, 1067 * convertible to strings with #keyType 1068 * @param asn1DerEncodedX500Principals CAs known to the server 1069 */ 1070 public void clientCertificateRequested(byte[] keyTypes, 1071 byte[][] asn1DerEncodedX500Principals) 1072 throws CertificateEncodingException, SSLException; 1073 1074 /** 1075 * Called when SSL handshake is completed. Note that this can 1076 * be after SSL_do_handshake returns when handshake cutthrough 1077 * is enabled. 1078 */ 1079 public void handshakeCompleted(); 1080 } 1081 1082 public static native long ERR_peek_last_error(); 1083 } 1084