Package org.conscrypt

Class SSLParametersImpl

  • All Implemented Interfaces:
    java.lang.Cloneable
    final class SSLParametersImpl
extends java.lang.Object
implements java.lang.Cloneable
    The instances of this class encapsulate all the info about enabled cipher suites and protocols, as well as the information about client/server mode of ssl socket, whether it require/want client authentication or not, and controls whether new SSL sessions may be established by this socket or not.

    • Field Detail

      • defaultX509KeyManager

        private static volatile javax.net.ssl.X509KeyManager defaultX509KeyManager

      • defaultX509TrustManager

        private static volatile javax.net.ssl.X509TrustManager defaultX509TrustManager

      • x509KeyManager

        private final javax.net.ssl.X509KeyManager x509KeyManager

      • x509TrustManager

        private final javax.net.ssl.X509TrustManager x509TrustManager

      • enabledProtocols

        java.lang.String[] enabledProtocols

      • isEnabledProtocolsFiltered

        boolean isEnabledProtocolsFiltered

      • enabledCipherSuites

        java.lang.String[] enabledCipherSuites

      • client_mode

        private boolean client_mode

      • need_client_auth

        private boolean need_client_auth

      • want_client_auth

        private boolean want_client_auth

      • enable_session_creation

        private boolean enable_session_creation

      • endpointIdentificationAlgorithm

        private java.lang.String endpointIdentificationAlgorithm

      • useCipherSuitesOrder

        private boolean useCipherSuitesOrder

      • sniMatchers

        private java.util.Collection<javax.net.ssl.SNIMatcher> sniMatchers

      • algorithmConstraints

        private java.security.AlgorithmConstraints algorithmConstraints

      • ctVerificationEnabled

        private boolean ctVerificationEnabled

      • sctExtension

        byte[] sctExtension

      • ocspResponse

        byte[] ocspResponse

      • applicationProtocols

        byte[] applicationProtocols

      • useSessionTickets

        boolean useSessionTickets

      • useSni

        private java.lang.Boolean useSni

      • channelIdEnabled

        boolean channelIdEnabled
        Whether the TLS Channel ID extension is enabled. This field is server-side only.

      • EMPTY_STRING_ARRAY

        private static final java.lang.String[] EMPTY_STRING_ARRAY

    • Constructor Detail

      • SSLParametersImpl

        SSLParametersImpl​(javax.net.ssl.KeyManager[] kms,
                  javax.net.ssl.TrustManager[] tms,
                  java.security.SecureRandom sr,
                  ClientSessionContext clientSessionContext,
                  ServerSessionContext serverSessionContext,
                  java.lang.String[] protocols)
           throws java.security.KeyManagementException
        Initializes the parameters. Naturally this constructor is used in SSLContextImpl.engineInit method which directly passes its parameters. In other words this constructor holds all the functionality provided by SSLContext.init method. See SSLContext.init(KeyManager[],TrustManager[], SecureRandom) for more information
        Throws:
        java.security.KeyManagementException

    • Method Detail

      • getDefault

        static SSLParametersImpl getDefault()
                             throws java.security.KeyManagementException
        Throws:
        java.security.KeyManagementException

      • getClientSessionContext

        ClientSessionContext getClientSessionContext()
        Returns:
        client session context

      • getX509KeyManager

        javax.net.ssl.X509KeyManager getX509KeyManager()
        Returns:
        X.509 key manager or null for none.

      • getPSKKeyManager

        PSKKeyManager getPSKKeyManager()
        Returns:
        Pre-Shared Key (PSK) key manager or null for none.

      • getX509TrustManager

        javax.net.ssl.X509TrustManager getX509TrustManager()
        Returns:
        X.509 trust manager or null for none.

      • getEnabledCipherSuites

        java.lang.String[] getEnabledCipherSuites()
        Returns:
        the names of enabled cipher suites

      • setEnabledCipherSuites

        void setEnabledCipherSuites​(java.lang.String[] cipherSuites)
        Sets the enabled cipher suites after filtering through OpenSSL.

      • getEnabledProtocols

        java.lang.String[] getEnabledProtocols()
        Returns:
        the set of enabled protocols

      • setEnabledProtocols

        void setEnabledProtocols​(java.lang.String[] protocols)
        Sets the list of available protocols for use in SSL connection.
        Throws:
        java.lang.IllegalArgumentException - if protocols == null

      • setApplicationProtocols

        void setApplicationProtocols​(java.lang.String[] protocols)
        Sets the list of ALPN protocols.
        Parameters:
        protocols - the list of ALPN protocols

      • getApplicationProtocols

        java.lang.String[] getApplicationProtocols()

      • setUseClientMode

        void setUseClientMode​(boolean mode)
        Tunes the peer holding this parameters to work in client mode.
        Parameters:
        mode - if the peer is configured to work in client mode

      • getUseClientMode

        boolean getUseClientMode()
        Returns the value indicating if the parameters configured to work in client mode.

      • setNeedClientAuth

        void setNeedClientAuth​(boolean need)
        Tunes the peer holding this parameters to require client authentication

      • getNeedClientAuth

        boolean getNeedClientAuth()
        Returns the value indicating if the peer with this parameters tuned to require client authentication

      • setWantClientAuth

        void setWantClientAuth​(boolean want)
        Tunes the peer holding this parameters to request client authentication

      • getWantClientAuth

        boolean getWantClientAuth()
        Returns the value indicating if the peer with this parameters tuned to request client authentication

      • setEnableSessionCreation

        void setEnableSessionCreation​(boolean flag)
        Allows/disallows the peer holding this parameters to create new SSL session

      • getEnableSessionCreation

        boolean getEnableSessionCreation()
        Returns the value indicating if the peer with this parameters allowed to cteate new SSL session

      • setUseSessionTickets

        void setUseSessionTickets​(boolean useSessionTickets)

      • setUseSni

        void setUseSni​(boolean flag)
        Whether connections using this SSL connection should use the TLS extension Server Name Indication (SNI).

      • getUseSni

        boolean getUseSni()
        Returns whether connections using this SSL connection should use the TLS extension Server Name Indication (SNI).

      • setCTVerificationEnabled

        void setCTVerificationEnabled​(boolean enabled)
        For testing only.

      • setSCTExtension

        void setSCTExtension​(byte[] extension)
        For testing only.

      • setOCSPResponse

        void setOCSPResponse​(byte[] response)
        For testing only.

      • getOCSPResponse

        byte[] getOCSPResponse()

      • filterFromProtocols

        private static java.lang.String[] filterFromProtocols​(java.lang.String[] protocols,
                                                      java.lang.String obsoleteProtocol)
        This filters obsoleteProtocol from the list of protocols down to help with app compatibility.

      • filterFromCipherSuites

        private static java.lang.String[] filterFromCipherSuites​(java.lang.String[] cipherSuites,
                                                         java.util.Set<java.lang.String> toRemove)

      • isSniEnabledByDefault

        private boolean isSniEnabledByDefault()
        Returns whether Server Name Indication (SNI) is enabled by default for sockets. For more information on SNI, see RFC 6066 section 3.

      • clone

        protected java.lang.Object clone()
        Returns the clone of this object.
        Overrides:
        clone in class java.lang.Object
        Returns:
        the clone.

      • cloneWithTrustManager

        SSLParametersImpl cloneWithTrustManager​(javax.net.ssl.X509TrustManager newTrustManager)

      • getDefaultX509KeyManager

        private static javax.net.ssl.X509KeyManager getDefaultX509KeyManager()
                                                              throws java.security.KeyManagementException
        Throws:
        java.security.KeyManagementException

      • createDefaultX509KeyManager

        private static javax.net.ssl.X509KeyManager createDefaultX509KeyManager()
                                                                 throws java.security.KeyManagementException
        Throws:
        java.security.KeyManagementException

      • findFirstX509KeyManager

        private static javax.net.ssl.X509KeyManager findFirstX509KeyManager​(javax.net.ssl.KeyManager[] kms)
        Finds the first X509KeyManager element in the provided array.
        Returns:
        the first X509KeyManager or null if not found.

      • findFirstPSKKeyManager

        private static PSKKeyManager findFirstPSKKeyManager​(javax.net.ssl.KeyManager[] kms)
        Finds the first PSKKeyManager element in the provided array.
        Returns:
        the first PSKKeyManager or null if not found.

      • getDefaultX509TrustManager

        static javax.net.ssl.X509TrustManager getDefaultX509TrustManager()
                                                          throws java.security.KeyManagementException
        Gets the default X.509 trust manager.
        Throws:
        java.security.KeyManagementException

      • createDefaultX509TrustManager

        private static javax.net.ssl.X509TrustManager createDefaultX509TrustManager()
                                                                     throws java.security.KeyManagementException
        Throws:
        java.security.KeyManagementException

      • findFirstX509TrustManager

        private static javax.net.ssl.X509TrustManager findFirstX509TrustManager​(javax.net.ssl.TrustManager[] tms)
        Finds the first X509TrustManager element in the provided array.
        Returns:
        the first X509ExtendedTrustManager or X509TrustManager or null if not found.

      • getEndpointIdentificationAlgorithm

        java.lang.String getEndpointIdentificationAlgorithm()

      • setEndpointIdentificationAlgorithm

        void setEndpointIdentificationAlgorithm​(java.lang.String endpointIdentificationAlgorithm)

      • getUseCipherSuitesOrder

        boolean getUseCipherSuitesOrder()

      • getSNIMatchers

        java.util.Collection<javax.net.ssl.SNIMatcher> getSNIMatchers()

      • setSNIMatchers

        void setSNIMatchers​(java.util.Collection<javax.net.ssl.SNIMatcher> sniMatchers)

      • getAlgorithmConstraints

        java.security.AlgorithmConstraints getAlgorithmConstraints()

      • setAlgorithmConstraints

        void setAlgorithmConstraints​(java.security.AlgorithmConstraints algorithmConstraints)

      • setUseCipherSuitesOrder

        void setUseCipherSuitesOrder​(boolean useCipherSuitesOrder)

      • getDefaultCipherSuites

        private static java.lang.String[] getDefaultCipherSuites​(boolean x509CipherSuitesNeeded,
                                                         boolean pskCipherSuitesNeeded)

      • isCTVerificationEnabled

        boolean isCTVerificationEnabled​(java.lang.String hostname)
        Check if SCT verification is enforced for a given hostname.