infernap12/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2026-03-13 17:33:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

6976117: SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets without TLSv1.1 enabled

Browse Source 
Reorg the SSLContext implementation

Reviewed-by: weijun
This commit is contained in:
Xue-Lei Andrew Fan 2011-04-08 02:00:09 -07:00
parent bc945571e4
commit 2a48e38d0f
12 changed files with 719 additions and 391 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
jdk/src/share/classes/sun/security/ssl/CipherSuiteList.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -40,10 +40,6 @@ import javax.net.ssl.SSLException;
*/
final class CipherSuiteList {
// lists of supported and default enabled ciphersuites
// created on demand
private static CipherSuiteList supportedSuites, defaultSuites;
private final Collection<CipherSuite> cipherSuites;
private String[] suiteNames;
@ -206,57 +202,8 @@ final class CipherSuiteList {
*/
static synchronized void clearAvailableCache() {
if (CipherSuite.DYNAMIC_AVAILABILITY) {
supportedSuites = null;
defaultSuites = null;
CipherSuite.BulkCipher.clearAvailableCache();
JsseJce.clearEcAvailable();
}
}
/**
* Return the list of all available CipherSuites with a priority of
* minPriority or above.
* Should be called with the Class lock held.
*/
private static CipherSuiteList buildAvailableCache(int minPriority) {
// SortedSet automatically arranges ciphersuites in default
// preference order
Set<CipherSuite> cipherSuites = new TreeSet<>();
Collection<CipherSuite> allowedCipherSuites =
CipherSuite.allowedCipherSuites();
for (CipherSuite c : allowedCipherSuites) {
if ((c.allowed == false) || (c.priority < minPriority)) {
continue;
}
if (c.isAvailable()) {
cipherSuites.add(c);
}
}
return new CipherSuiteList(cipherSuites);
}
/**
* Return supported CipherSuites in preference order.
*/
static synchronized CipherSuiteList getSupported() {
if (supportedSuites == null) {
supportedSuites =
buildAvailableCache(CipherSuite.SUPPORTED_SUITES_PRIORITY);
}
return supportedSuites;
}
/**
* Return default enabled CipherSuites in preference order.
*/
static synchronized CipherSuiteList getDefault() {
if (defaultSuites == null) {
defaultSuites =
buildAvailableCache(CipherSuite.DEFAULT_SUITES_PRIORITY);
}
return defaultSuites;
}
}

193
jdk/src/share/classes/sun/security/ssl/DefaultSSLContextImpl.java
View File

@ -1,193 +0,0 @@
/*
* Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.ssl;
import java.io.*;
import java.util.*;
import java.security.*;
import javax.net.ssl.*;
/**
* "Default" SSLContext as returned by SSLContext.getDefault(). It comes
* initialized with default KeyManagers and TrustManagers created using
* various system properties.
*
* @since 1.6
*/
public final class DefaultSSLContextImpl extends SSLContextImpl {
private static final String NONE = "NONE";
private static final String P11KEYSTORE = "PKCS11";
private static final Debug debug = Debug.getInstance("ssl");
private static volatile SSLContextImpl defaultImpl;
private static TrustManager[] defaultTrustManagers;
private static KeyManager[] defaultKeyManagers;
public DefaultSSLContextImpl() throws Exception {
super(defaultImpl);
try {
super.engineInit(getDefaultKeyManager(), getDefaultTrustManager(), null);
} catch (Exception e) {
if (debug != null && Debug.isOn("defaultctx")) {
System.out.println("default context init failed: " + e);
}
throw e;
}
if (defaultImpl == null) {
defaultImpl = this;
}
}
protected void engineInit(KeyManager[] km, TrustManager[] tm,
SecureRandom sr) throws KeyManagementException {
throw new KeyManagementException
("Default SSLContext is initialized automatically");
}
static synchronized SSLContextImpl getDefaultImpl() throws Exception {
if (defaultImpl == null) {
new DefaultSSLContextImpl();
}
return defaultImpl;
}
private static synchronized TrustManager[] getDefaultTrustManager() throws Exception {
if (defaultTrustManagers != null) {
return defaultTrustManagers;
}
KeyStore ks = TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
defaultTrustManagers = tmf.getTrustManagers();
return defaultTrustManagers;
}
private static synchronized KeyManager[] getDefaultKeyManager() throws Exception {
if (defaultKeyManagers != null) {
return defaultKeyManagers;
}
final Map<String,String> props = new HashMap<>();
AccessController.doPrivileged(
new PrivilegedExceptionAction<Object>() {
public Object run() throws Exception {
props.put("keyStore", System.getProperty(
"javax.net.ssl.keyStore", ""));
props.put("keyStoreType", System.getProperty(
"javax.net.ssl.keyStoreType",
KeyStore.getDefaultType()));
props.put("keyStoreProvider", System.getProperty(
"javax.net.ssl.keyStoreProvider", ""));
props.put("keyStorePasswd", System.getProperty(
"javax.net.ssl.keyStorePassword", ""));
return null;
}
});
final String defaultKeyStore = props.get("keyStore");
String defaultKeyStoreType = props.get("keyStoreType");
String defaultKeyStoreProvider = props.get("keyStoreProvider");
if (debug != null && Debug.isOn("defaultctx")) {
System.out.println("keyStore is : " + defaultKeyStore);
System.out.println("keyStore type is : " +
defaultKeyStoreType);
System.out.println("keyStore provider is : " +
defaultKeyStoreProvider);
}
if (P11KEYSTORE.equals(defaultKeyStoreType) &&
!NONE.equals(defaultKeyStore)) {
throw new IllegalArgumentException("if keyStoreType is "
+ P11KEYSTORE + ", then keyStore must be " + NONE);
}
FileInputStream fs = null;
if (defaultKeyStore.length() != 0 && !NONE.equals(defaultKeyStore)) {
fs = AccessController.doPrivileged(
new PrivilegedExceptionAction<FileInputStream>() {
public FileInputStream run() throws Exception {
return new FileInputStream(defaultKeyStore);
}
});
}
String defaultKeyStorePassword = props.get("keyStorePasswd");
char[] passwd = null;
if (defaultKeyStorePassword.length() != 0) {
passwd = defaultKeyStorePassword.toCharArray();
}
/**
* Try to initialize key store.
*/
KeyStore ks = null;
if ((defaultKeyStoreType.length()) != 0) {
if (debug != null && Debug.isOn("defaultctx")) {
System.out.println("init keystore");
}
if (defaultKeyStoreProvider.length() == 0) {
ks = KeyStore.getInstance(defaultKeyStoreType);
} else {
ks = KeyStore.getInstance(defaultKeyStoreType,
defaultKeyStoreProvider);
}
// if defaultKeyStore is NONE, fs will be null
ks.load(fs, passwd);
}
if (fs != null) {
fs.close();
fs = null;
}
/*
* Try to initialize key manager.
*/
if (debug != null && Debug.isOn("defaultctx")) {
System.out.println("init keymanager of type " +
KeyManagerFactory.getDefaultAlgorithm());
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
if (P11KEYSTORE.equals(defaultKeyStoreType)) {
kmf.init(ks, null); // do not pass key passwd if using token
} else {
kmf.init(ks, passwd);
}
defaultKeyManagers = kmf.getKeyManagers();
return defaultKeyManagers;
}
}

8
jdk/src/share/classes/sun/security/ssl/JsseJce.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2001, 2009, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -247,9 +247,9 @@ final class JsseJce {
// the SunJSSE implementation does the actual crypto using
// a NONEwithRSA signature obtained from the cryptoProvider.
if (cryptoProvider.getService("Signature", algorithm) == null) {
// Calling Signature.getInstance() and catching the exception
// would be cleaner, but exceptions are a little expensive.
// So we check directly via getService().
// Calling Signature.getInstance() and catching the
// exception would be cleaner, but exceptions are a little
// expensive. So we check directly via getService().
try {
return Signature.getInstance(algorithm, "SunJSSE");
} catch (NoSuchProviderException e) {

68
jdk/src/share/classes/sun/security/ssl/ProtocolList.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -37,10 +37,6 @@ import java.util.*;
*/
final class ProtocolList {
private static final ProtocolList SUPPORTED;
private static final ProtocolList CLIENT_DEFAULT;
private static final ProtocolList SERVER_DEFAULT;
// the sorted protocol version list
private final ArrayList<ProtocolVersion> protocols;
@ -154,66 +150,4 @@ final class ProtocolList {
public String toString() {
return protocols.toString();
}
/**
* Return the list of default enabled protocols.
*/
static ProtocolList getDefault(boolean isServer) {
return isServer ? SERVER_DEFAULT : CLIENT_DEFAULT;
}
/**
* Return whether a protocol list is the original default enabled
* protocols. See: SSLSocket/SSLEngine.setEnabledProtocols()
*/
static boolean isDefaultProtocolList(ProtocolList protocols) {
return protocols == CLIENT_DEFAULT || protocols == SERVER_DEFAULT;
}
/**
* Return the list of supported protocols.
*/
static ProtocolList getSupported() {
return SUPPORTED;
}
static {
if (SunJSSE.isFIPS()) {
SUPPORTED = new ProtocolList(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
SERVER_DEFAULT = SUPPORTED;
CLIENT_DEFAULT = new ProtocolList(new String[] {
ProtocolVersion.TLS10.name
});
} else {
SUPPORTED = new ProtocolList(new String[] {
ProtocolVersion.SSL20Hello.name,
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
SERVER_DEFAULT = SUPPORTED;
/*
* RFC 5246 says that sending SSLv2 backward-compatible
* hello SHOULD NOT be done any longer.
*
* We are not enabling TLS 1.1/1.2 by default yet on clients
* out of concern for interop with existing
* SSLv3/TLS1.0-only servers. When these versions of TLS
* gain more traction, we'll enable them.
*/
CLIENT_DEFAULT = new ProtocolList(new String[] {
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name
});
}
}
}

566
jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,6 +27,7 @@ package sun.security.ssl;
import java.net.Socket;
import java.io.*;
import java.util.*;
import java.security.*;
import java.security.cert.*;
@ -36,7 +37,7 @@ import javax.net.ssl.*;
import sun.security.provider.certpath.AlgorithmChecker;
public class SSLContextImpl extends SSLContextSpi {
public abstract class SSLContextImpl extends SSLContextSpi {
private static final Debug debug = Debug.getInstance("ssl");
@ -50,20 +51,24 @@ public class SSLContextImpl extends SSLContextSpi {
private X509TrustManager trustManager;
private SecureRandom secureRandom;
public SSLContextImpl() {
this(null);
}
// The default algrithm constraints
private AlgorithmConstraints defaultAlgorithmConstraints =
new SSLAlgorithmConstraints(null);
SSLContextImpl(SSLContextImpl other) {
if (other == null) {
ephemeralKeyManager = new EphemeralKeyManager();
clientCache = new SSLSessionContextImpl();
serverCache = new SSLSessionContextImpl();
} else {
ephemeralKeyManager = other.ephemeralKeyManager;
clientCache = other.clientCache;
serverCache = other.serverCache;
}
// supported and default protocols
private ProtocolList defaultServerProtocolList;
private ProtocolList defaultClientProtocolList;
private ProtocolList supportedProtocolList;
// supported and default cipher suites
private CipherSuiteList defaultServerCipherSuiteList;
private CipherSuiteList defaultClientCipherSuiteList;
private CipherSuiteList supportedCipherSuiteList;
SSLContextImpl() {
ephemeralKeyManager = new EphemeralKeyManager();
clientCache = new SSLSessionContextImpl();
serverCache = new SSLSessionContextImpl();
}
protected void engineInit(KeyManager[] km, TrustManager[] tm,
@ -177,7 +182,7 @@ public class SSLContextImpl extends SSLContextSpi {
throw new IllegalStateException(
"SSLContextImpl is not initialized");
}
return new SSLSocketFactoryImpl(this);
return new SSLSocketFactoryImpl(this);
}
protected SSLServerSocketFactory engineGetServerSocketFactory() {
@ -227,6 +232,535 @@ public class SSLContextImpl extends SSLContextSpi {
return ephemeralKeyManager;
}
abstract SSLParameters getDefaultServerSSLParams();
abstract SSLParameters getDefaultClientSSLParams();
abstract SSLParameters getSupportedSSLParams();
// Get suported ProtoclList.
ProtocolList getSuportedProtocolList() {
if (supportedProtocolList == null) {
supportedProtocolList =
new ProtocolList(getSupportedSSLParams().getProtocols());
}
return supportedProtocolList;
}
// Get default ProtoclList.
ProtocolList getDefaultProtocolList(boolean roleIsServer) {
if (roleIsServer) {
if (defaultServerProtocolList == null) {
defaultServerProtocolList = new ProtocolList(
getDefaultServerSSLParams().getProtocols());
}
return defaultServerProtocolList;
} else {
if (defaultClientProtocolList == null) {
defaultClientProtocolList = new ProtocolList(
getDefaultClientSSLParams().getProtocols());
}
return defaultClientProtocolList;
}
}
// Get suported CipherSuiteList.
CipherSuiteList getSuportedCipherSuiteList() {
// Clear cache of available ciphersuites.
clearAvailableCache();
if (supportedCipherSuiteList == null) {
supportedCipherSuiteList =
getApplicableCipherSuiteList(getSuportedProtocolList(), false);
}
return supportedCipherSuiteList;
}
// Get default CipherSuiteList.
CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) {
// Clear cache of available ciphersuites.
clearAvailableCache();
if (roleIsServer) {
if (defaultServerCipherSuiteList == null) {
defaultServerCipherSuiteList = getApplicableCipherSuiteList(
getDefaultProtocolList(true), true);
}
return defaultServerCipherSuiteList;
} else {
if (defaultClientCipherSuiteList == null) {
defaultClientCipherSuiteList = getApplicableCipherSuiteList(
getDefaultProtocolList(false), true);
}
return defaultClientCipherSuiteList;
}
}
/**
* Return whether a protocol list is the original default enabled
* protocols. See: SSLSocket/SSLEngine.setEnabledProtocols()
*/
boolean isDefaultProtocolList(ProtocolList protocols) {
return (protocols == defaultServerProtocolList) ||
(protocols == defaultClientProtocolList);
}
/*
* Return the list of all available CipherSuites with a priority of
* minPriority or above.
*/
private CipherSuiteList getApplicableCipherSuiteList(
ProtocolList protocols, boolean onlyEnabled) {
int minPriority = CipherSuite.SUPPORTED_SUITES_PRIORITY;
if (onlyEnabled) {
minPriority = CipherSuite.DEFAULT_SUITES_PRIORITY;
}
Collection<CipherSuite> allowedCipherSuites =
CipherSuite.allowedCipherSuites();
ArrayList<CipherSuite> suites = new ArrayList<>();
if (!(protocols.collection().isEmpty()) &&
protocols.min.v != ProtocolVersion.NONE.v) {
for (CipherSuite suite : allowedCipherSuites) {
if (suite.allowed == false || suite.priority < minPriority) {
continue;
}
if (suite.isAvailable() &&
suite.obsoleted > protocols.min.v &&
suite.supported <= protocols.max.v) {
if (defaultAlgorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
suite.name, null)) {
suites.add(suite);
}
} else if (debug != null &&
Debug.isOn("sslctx") && Debug.isOn("verbose")) {
if (suite.obsoleted <= protocols.min.v) {
System.out.println(
"Ignoring obsoleted cipher suite: " + suite);
} else if (suite.supported > protocols.max.v) {
System.out.println(
"Ignoring unsupported cipher suite: " + suite);
} else {
System.out.println(
"Ignoring unavailable cipher suite: " + suite);
}
}
}
}
return new CipherSuiteList(suites);
}
/**
* Clear cache of available ciphersuites. If we support all ciphers
* internally, there is no need to clear the cache and calling this
* method has no effect.
*/
synchronized void clearAvailableCache() {
if (CipherSuite.DYNAMIC_AVAILABILITY) {
supportedCipherSuiteList = null;
defaultServerCipherSuiteList = null;
defaultClientCipherSuiteList = null;
CipherSuite.BulkCipher.clearAvailableCache();
JsseJce.clearEcAvailable();
}
}
/*
* The SSLContext implementation for TLS/SSL algorithm
*
* SSL/TLS protocols specify the forward compatibility and version
* roll-back attack protections, however, a number of SSL/TLS server
* vendors did not implement these aspects properly, and some current
* SSL/TLS servers may refuse to talk to a TLS 1.1 or later client.
*
* Considering above interoperability issues, SunJSSE will not set
* TLS 1.1 and TLS 1.2 as the enabled protocols for client by default.
*
* For SSL/TLS servers, there is no such interoperability issues as
* SSL/TLS clients. In SunJSSE, TLS 1.1 or later version will be the
* enabled protocols for server by default.
*
* We may change the behavior when popular TLS/SSL vendors support TLS
* forward compatibility properly.
*
* SSLv2Hello is no longer necessary. This interoperability option was
* put in place in the late 90's when SSLv3/TLS1.0 were relatively new
* and there were a fair number of SSLv2-only servers deployed. Because
* of the security issues in SSLv2, it is rarely (if ever) used, as
* deployments should now be using SSLv3 and TLSv1.
*
* Considering the issues of SSLv2Hello, we should not enable SSLv2Hello
* by default. Applications still can use it by enabling SSLv2Hello with
* the series of setEnabledProtocols APIs.
*/
/*
* The conservative SSLContext implementation for TLS, SSL, SSLv3 and
* TLS10 algorithm.
*
* This is a super class of DefaultSSLContext and TLS10Context.
*
* @see SSLContext
*/
private static class ConservativeSSLContext extends SSLContextImpl {
// parameters
private static SSLParameters defaultServerSSLParams;
private static SSLParameters defaultClientSSLParams;
private static SSLParameters supportedSSLParams;
static {
if (SunJSSE.isFIPS()) {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name
});
} else {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL20Hello.name,
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name
});
}
}
SSLParameters getDefaultServerSSLParams() {
return defaultServerSSLParams;
}
SSLParameters getDefaultClientSSLParams() {
return defaultClientSSLParams;
}
SSLParameters getSupportedSSLParams() {
return supportedSSLParams;
}
}
/*
* The SSLContext implementation for default algorithm
*
* @see SSLContext
*/
public static final class DefaultSSLContext extends ConservativeSSLContext {
private static final String NONE = "NONE";
private static final String P11KEYSTORE = "PKCS11";
private static volatile SSLContextImpl defaultImpl;
private static TrustManager[] defaultTrustManagers;
private static KeyManager[] defaultKeyManagers;
public DefaultSSLContext() throws Exception {
try {
super.engineInit(getDefaultKeyManager(),
getDefaultTrustManager(), null);
} catch (Exception e) {
if (debug != null && Debug.isOn("defaultctx")) {
System.out.println("default context init failed: " + e);
}
throw e;
}
if (defaultImpl == null) {
defaultImpl = this;
}
}
protected void engineInit(KeyManager[] km, TrustManager[] tm,
SecureRandom sr) throws KeyManagementException {
throw new KeyManagementException
("Default SSLContext is initialized automatically");
}
static synchronized SSLContextImpl getDefaultImpl() throws Exception {
if (defaultImpl == null) {
new DefaultSSLContext();
}
return defaultImpl;
}
private static synchronized TrustManager[] getDefaultTrustManager()
throws Exception {
if (defaultTrustManagers != null) {
return defaultTrustManagers;
}
KeyStore ks =
TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
defaultTrustManagers = tmf.getTrustManagers();
return defaultTrustManagers;
}
private static synchronized KeyManager[] getDefaultKeyManager()
throws Exception {
if (defaultKeyManagers != null) {
return defaultKeyManagers;
}
final Map<String,String> props = new HashMap<>();
AccessController.doPrivileged(
new PrivilegedExceptionAction<Object>() {
public Object run() throws Exception {
props.put("keyStore", System.getProperty(
"javax.net.ssl.keyStore", ""));
props.put("keyStoreType", System.getProperty(
"javax.net.ssl.keyStoreType",
KeyStore.getDefaultType()));
props.put("keyStoreProvider", System.getProperty(
"javax.net.ssl.keyStoreProvider", ""));
props.put("keyStorePasswd", System.getProperty(
"javax.net.ssl.keyStorePassword", ""));
return null;
}
});
final String defaultKeyStore = props.get("keyStore");
String defaultKeyStoreType = props.get("keyStoreType");
String defaultKeyStoreProvider = props.get("keyStoreProvider");
if (debug != null && Debug.isOn("defaultctx")) {
System.out.println("keyStore is : " + defaultKeyStore);
System.out.println("keyStore type is : " +
defaultKeyStoreType);
System.out.println("keyStore provider is : " +
defaultKeyStoreProvider);
}
if (P11KEYSTORE.equals(defaultKeyStoreType) &&
!NONE.equals(defaultKeyStore)) {
throw new IllegalArgumentException("if keyStoreType is "
+ P11KEYSTORE + ", then keyStore must be " + NONE);
}
FileInputStream fs = null;
if (defaultKeyStore.length() != 0 && !NONE.equals(defaultKeyStore)) {
fs = AccessController.doPrivileged(
new PrivilegedExceptionAction<FileInputStream>() {
public FileInputStream run() throws Exception {
return new FileInputStream(defaultKeyStore);
}
});
}
String defaultKeyStorePassword = props.get("keyStorePasswd");
char[] passwd = null;
if (defaultKeyStorePassword.length() != 0) {
passwd = defaultKeyStorePassword.toCharArray();
}
/**
* Try to initialize key store.
*/
KeyStore ks = null;
if ((defaultKeyStoreType.length()) != 0) {
if (debug != null && Debug.isOn("defaultctx")) {
System.out.println("init keystore");
}
if (defaultKeyStoreProvider.length() == 0) {
ks = KeyStore.getInstance(defaultKeyStoreType);
} else {
ks = KeyStore.getInstance(defaultKeyStoreType,
defaultKeyStoreProvider);
}
// if defaultKeyStore is NONE, fs will be null
ks.load(fs, passwd);
}
if (fs != null) {
fs.close();
fs = null;
}
/*
* Try to initialize key manager.
*/
if (debug != null && Debug.isOn("defaultctx")) {
System.out.println("init keymanager of type " +
KeyManagerFactory.getDefaultAlgorithm());
}
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
if (P11KEYSTORE.equals(defaultKeyStoreType)) {
kmf.init(ks, null); // do not pass key passwd if using token
} else {
kmf.init(ks, passwd);
}
defaultKeyManagers = kmf.getKeyManagers();
return defaultKeyManagers;
}
}
/*
* The SSLContext implementation for TLS, SSL, SSLv3 and TLS10 algorithm
*
* @see SSLContext
*/
public static final class TLS10Context extends ConservativeSSLContext {
// use the default constructor and methods
}
/*
* The SSLContext implementation for TLS11 algorithm
*
* @see SSLContext
*/
public static final class TLS11Context extends SSLContextImpl {
// parameters
private static SSLParameters defaultServerSSLParams;
private static SSLParameters defaultClientSSLParams;
private static SSLParameters supportedSSLParams;
static {
if (SunJSSE.isFIPS()) {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name
});
} else {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL20Hello.name,
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name
});
}
}
SSLParameters getDefaultServerSSLParams() {
return defaultServerSSLParams;
}
SSLParameters getDefaultClientSSLParams() {
return defaultClientSSLParams;
}
SSLParameters getSupportedSSLParams() {
return supportedSSLParams;
}
}
/*
* The SSLContext implementation for TLS12 algorithm
*
* @see SSLContext
*/
public static final class TLS12Context extends SSLContextImpl {
// parameters
private static SSLParameters defaultServerSSLParams;
private static SSLParameters defaultClientSSLParams;
private static SSLParameters supportedSSLParams;
static {
if (SunJSSE.isFIPS()) {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
} else {
supportedSSLParams = new SSLParameters();
supportedSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL20Hello.name,
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
defaultServerSSLParams = supportedSSLParams;
defaultClientSSLParams = new SSLParameters();
defaultClientSSLParams.setProtocols(new String[] {
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
ProtocolVersion.TLS11.name,
ProtocolVersion.TLS12.name
});
}
}
SSLParameters getDefaultServerSSLParams() {
return defaultServerSSLParams;
}
SSLParameters getDefaultClientSSLParams() {
return defaultClientSSLParams;
}
SSLParameters getSupportedSSLParams() {
return supportedSSLParams;
}
}
}

21
jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -374,8 +374,10 @@ final public class SSLEngineImpl extends SSLEngine {
clientVerifyData = new byte[0];
serverVerifyData = new byte[0];
enabledCipherSuites = CipherSuiteList.getDefault();
enabledProtocols = ProtocolList.getDefault(roleIsServer);
enabledCipherSuites =
sslContext.getDefaultCipherSuiteList(roleIsServer);
enabledProtocols =
sslContext.getDefaultProtocolList(roleIsServer);
wrapLock = new Object();
unwrapLock = new Object();
@ -1883,8 +1885,8 @@ final public class SSLEngineImpl extends SSLEngine {
* change them to the corresponding default ones.
*/
if (roleIsServer != (!flag) &&
ProtocolList.isDefaultProtocolList(enabledProtocols)) {
enabledProtocols = ProtocolList.getDefault(!flag);
sslContext.isDefaultProtocolList(enabledProtocols)) {
enabledProtocols = sslContext.getDefaultProtocolList(!flag);
}
roleIsServer = !flag;
@ -1907,8 +1909,8 @@ final public class SSLEngineImpl extends SSLEngine {
* change them to the corresponding default ones.
*/
if (roleIsServer != (!flag) &&
ProtocolList.isDefaultProtocolList(enabledProtocols)) {
enabledProtocols = ProtocolList.getDefault(!flag);
sslContext.isDefaultProtocolList(enabledProtocols)) {
enabledProtocols = sslContext.getDefaultProtocolList(!flag);
}
roleIsServer = !flag;
@ -1951,8 +1953,7 @@ final public class SSLEngineImpl extends SSLEngine {
* @return an array of cipher suite names
*/
public String[] getSupportedCipherSuites() {
CipherSuiteList.clearAvailableCache();
return CipherSuiteList.getSupported().toStringArray();
return sslContext.getSuportedCipherSuiteList().toStringArray();
}
/**
@ -1992,7 +1993,7 @@ final public class SSLEngineImpl extends SSLEngine {
* @return an array of protocol names.
*/
public String[] getSupportedProtocols() {
return ProtocolList.getSupported().toStringArray();
return sslContext.getSuportedProtocolList().toStringArray();
}
/**

10
jdk/src/share/classes/sun/security/ssl/SSLServerSocketFactoryImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -49,7 +49,7 @@ public class SSLServerSocketFactoryImpl extends SSLServerSocketFactory
* java.security file is set.
*/
public SSLServerSocketFactoryImpl() throws Exception {
this.context = DefaultSSLContextImpl.getDefaultImpl();
this.context = SSLContextImpl.DefaultSSLContext.getDefaultImpl();
}
/**
@ -99,8 +99,7 @@ public class SSLServerSocketFactoryImpl extends SSLServerSocketFactory
* is encrypted to provide confidentiality.
*/
public String[] getDefaultCipherSuites() {
CipherSuiteList.clearAvailableCache();
return CipherSuiteList.getDefault().toStringArray();
return context.getDefaultCipherSuiteList(true).toStringArray();
}
/**
@ -114,8 +113,7 @@ public class SSLServerSocketFactoryImpl extends SSLServerSocketFactory
* @return an array of cipher suite names
*/
public String[] getSupportedCipherSuites() {
CipherSuiteList.clearAvailableCache();
return CipherSuiteList.getSupported().toStringArray();
return context.getSuportedCipherSuiteList().toStringArray();
}
}

15
jdk/src/share/classes/sun/security/ssl/SSLServerSocketImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -153,8 +153,8 @@ class SSLServerSocketImpl extends SSLServerSocket
throw new SSLException("No Authentication context given");
}
sslContext = context;
enabledCipherSuites = CipherSuiteList.getDefault();
enabledProtocols = ProtocolList.getDefault(true);
enabledCipherSuites = sslContext.getDefaultCipherSuiteList(true);
enabledProtocols = sslContext.getDefaultProtocolList(true);
}
/**
@ -168,8 +168,7 @@ class SSLServerSocketImpl extends SSLServerSocket
* @return an array of cipher suite names
*/
public String[] getSupportedCipherSuites() {
CipherSuiteList.clearAvailableCache();
return CipherSuiteList.getSupported().toStringArray();
return sslContext.getSuportedCipherSuiteList().toStringArray();
}
/**
@ -194,7 +193,7 @@ class SSLServerSocketImpl extends SSLServerSocket
}
public String[] getSupportedProtocols() {
return ProtocolList.getSupported().toStringArray();
return sslContext.getSuportedProtocolList().toStringArray();
}
/**
@ -253,8 +252,8 @@ class SSLServerSocketImpl extends SSLServerSocket
* change them to the corresponding default ones.
*/
if (useServerMode != (!flag) &&
ProtocolList.isDefaultProtocolList(enabledProtocols)) {
enabledProtocols = ProtocolList.getDefault(!flag);
sslContext.isDefaultProtocolList(enabledProtocols)) {
enabledProtocols = sslContext.getDefaultProtocolList(!flag);
}
useServerMode = !flag;

17
jdk/src/share/classes/sun/security/ssl/SSLSocketFactoryImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -42,20 +42,18 @@ import javax.net.ssl.SSLSocket;
*
* @author David Brownell
*/
final
public class SSLSocketFactoryImpl extends SSLSocketFactory
{
final public class SSLSocketFactoryImpl extends SSLSocketFactory {
private static SSLContextImpl defaultContext;
private SSLContextImpl context;
/**
* Constructor used to instantiate the default factory. This method is
* only called if the old "ssl.SocketFactory.provider" property in the
* java.security file is set.
*/
public SSLSocketFactoryImpl() throws Exception {
this.context = DefaultSSLContextImpl.getDefaultImpl();
this.context = SSLContextImpl.DefaultSSLContext.getDefaultImpl();
}
/**
@ -167,11 +165,9 @@ public class SSLSocketFactoryImpl extends SSLSocketFactory
* is encrypted to provide confidentiality.
*/
public String[] getDefaultCipherSuites() {
CipherSuiteList.clearAvailableCache();
return CipherSuiteList.getDefault().toStringArray();
return context.getDefaultCipherSuiteList(false).toStringArray();
}
/**
* Returns the names of the cipher suites which could be enabled for use
* on an SSL connection. Normally, only a subset of these will actually
@ -181,7 +177,6 @@ public class SSLSocketFactoryImpl extends SSLSocketFactory
* certain kinds of certificates to use certain cipher suites.
*/
public String[] getSupportedCipherSuites() {
CipherSuiteList.clearAvailableCache();
return CipherSuiteList.getSupported().toStringArray();
return context.getSuportedCipherSuiteList().toStringArray();
}
}

22
jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -562,8 +562,11 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
clientVerifyData = new byte[0];
serverVerifyData = new byte[0];
enabledCipherSuites = CipherSuiteList.getDefault();
enabledProtocols = ProtocolList.getDefault(roleIsServer);
enabledCipherSuites =
sslContext.getDefaultCipherSuiteList(roleIsServer);
enabledProtocols =
sslContext.getDefaultProtocolList(roleIsServer);
inrec = null;
// save the acc
@ -2170,8 +2173,8 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
* change them to the corresponding default ones.
*/
if (roleIsServer != (!flag) &&
ProtocolList.isDefaultProtocolList(enabledProtocols)) {
enabledProtocols = ProtocolList.getDefault(!flag);
sslContext.isDefaultProtocolList(enabledProtocols)) {
enabledProtocols = sslContext.getDefaultProtocolList(!flag);
}
roleIsServer = !flag;
break;
@ -2192,8 +2195,8 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
* change them to the corresponding default ones.
*/
if (roleIsServer != (!flag) &&
ProtocolList.isDefaultProtocolList(enabledProtocols)) {
enabledProtocols = ProtocolList.getDefault(!flag);
sslContext.isDefaultProtocolList(enabledProtocols)) {
enabledProtocols = sslContext.getDefaultProtocolList(!flag);
}
roleIsServer = !flag;
connectionState = cs_START;
@ -2230,8 +2233,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
* @return an array of cipher suite names
*/
public String[] getSupportedCipherSuites() {
CipherSuiteList.clearAvailableCache();
return CipherSuiteList.getSupported().toStringArray();
return sslContext.getSuportedCipherSuiteList().toStringArray();
}
/**
@ -2271,7 +2273,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
* @return an array of protocol names.
*/
public String[] getSupportedProtocols() {
return ProtocolList.getSupported().toStringArray();
return sslContext.getSuportedProtocolList().toStringArray();
}
/**

23
jdk/src/share/classes/sun/security/ssl/SunJSSE.java
View File

@ -204,22 +204,21 @@ public abstract class SunJSSE extends java.security.Provider {
put("Alg.Alias.TrustManagerFactory.SunPKIX", "PKIX");
put("Alg.Alias.TrustManagerFactory.X509", "PKIX");
put("Alg.Alias.TrustManagerFactory.X.509", "PKIX");
if (isfips == false) {
put("SSLContext.SSL",
"sun.security.ssl.SSLContextImpl");
put("SSLContext.SSLv3",
"sun.security.ssl.SSLContextImpl");
}
put("SSLContext.TLS",
"sun.security.ssl.SSLContextImpl");
put("SSLContext.TLSv1",
"sun.security.ssl.SSLContextImpl");
"sun.security.ssl.SSLContextImpl$TLS10Context");
put("Alg.Alias.SSLContext.TLS", "TLSv1");
if (isfips == false) {
put("Alg.Alias.SSLContext.SSL", "TLSv1");
put("Alg.Alias.SSLContext.SSLv3", "TLSv1");
}
put("SSLContext.TLSv1.1",
"sun.security.ssl.SSLContextImpl");
"sun.security.ssl.SSLContextImpl$TLS11Context");
put("SSLContext.TLSv1.2",
"sun.security.ssl.SSLContextImpl");
"sun.security.ssl.SSLContextImpl$TLS12Context");
put("SSLContext.Default",
"sun.security.ssl.DefaultSSLContextImpl");
"sun.security.ssl.SSLContextImpl$DefaultSSLContext");
/*
* KeyStore

112
jdk/test/sun/security/ssl/javax/net/ssl/SSLContextVersion.java Normal file
View File

@ -0,0 +1,112 @@
/*
* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 6976117
* @summary SSLContext.getInstance("TLSv1.1") returns SSLEngines/SSLSockets
* without TLSv1.1 enabled
*/
import javax.net.ssl.*;
public class SSLContextVersion {
static enum ContextVersion {
TLS_CV_01("SSL", "TLSv1", "TLSv1.2"),
TLS_CV_02("TLS", "TLSv1", "TLSv1.2"),
TLS_CV_03("SSLv3", "TLSv1", "TLSv1.2"),
TLS_CV_04("TLSv1", "TLSv1", "TLSv1.2"),
TLS_CV_05("TLSv1.1", "TLSv1.1", "TLSv1.2"),
TLS_CV_06("TLSv1.2", "TLSv1.2", "TLSv1.2"),
TLS_CV_07("Default", "TLSv1", "TLSv1.2");
final String contextVersion;
final String defaultProtocolVersion;
final String supportedProtocolVersion;
ContextVersion(String contextVersion, String defaultProtocolVersion,
String supportedProtocolVersion) {
this.contextVersion = contextVersion;
this.defaultProtocolVersion = defaultProtocolVersion;
this.supportedProtocolVersion = supportedProtocolVersion;
}
}
public static void main(String[] args) throws Exception {
for (ContextVersion cv : ContextVersion.values()) {
System.out.println("Checking SSLContext of " + cv.contextVersion);
SSLContext context = SSLContext.getInstance(cv.contextVersion);
// Default SSLContext is initialized automatically.
if (!cv.contextVersion.equals("Default")) {
// Use default TK, KM and random.
context.init((KeyManager[])null, (TrustManager[])null, null);
}
SSLParameters parameters = context.getDefaultSSLParameters();
String[] protocols = parameters.getProtocols();
String[] ciphers = parameters.getCipherSuites();
if (protocols.length == 0 || ciphers.length == 0) {
throw new Exception("No default protocols or cipher suites");
}
boolean isMatch = false;
for (String protocol : protocols) {
System.out.println("\tdefault protocol version " + protocol);
if (protocol.equals(cv.defaultProtocolVersion)) {
isMatch = true;
break;
}
}
if (!isMatch) {
throw new Exception("No matched default protocol");
}
parameters = context.getSupportedSSLParameters();
protocols = parameters.getProtocols();
ciphers = parameters.getCipherSuites();
if (protocols.length == 0 || ciphers.length == 0) {
throw new Exception("No default protocols or cipher suites");
}
isMatch = false;
for (String protocol : protocols) {
System.out.println("\tsupported protocol version " + protocol);
if (protocol.equals(cv.supportedProtocolVersion)) {
isMatch = true;
break;
}
}
if (!isMatch) {
throw new Exception("No matched default protocol");
}
System.out.println("\t... Success");
}
}
}