Package org.conscrypt
Class ConscryptFileDescriptorSocket
java.lang.Object
java.net.Socket
javax.net.ssl.SSLSocket
org.conscrypt.AbstractConscryptSocket
org.conscrypt.OpenSSLSocketImpl
org.conscrypt.ConscryptFileDescriptorSocket
- All Implemented Interfaces:
Closeable,AutoCloseable,NativeCrypto.SSLHandshakeCallbacks,SSLParametersImpl.AliasChooser,SSLParametersImpl.PSKCallbacks
- Direct Known Subclasses:
Java8FileDescriptorSocket
class ConscryptFileDescriptorSocket
extends OpenSSLSocketImpl
implements NativeCrypto.SSLHandshakeCallbacks, SSLParametersImpl.PSKCallbacks, SSLParametersImpl.AliasChooser
Implementation of the class OpenSSLSocketImpl based on OpenSSL.
Extensions to SSLSocket include:
- handshake timeout
- session tickets
- Server Name Indication
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionprivate classThis inner class provides input data stream functionality for the OpenSSL native implementation.private classThis inner class provides output data stream functionality for the OpenSSL native implementation. -
Field Summary
FieldsModifier and TypeFieldDescriptionprivate final ActiveSessionprivate OpenSSLKeyPrivate key for the TLS Channel ID extension.private SessionSnapshotA snapshot of the active session when the engine was closed.private static final booleanprivate final SSLSessionThe session object exposed externally from this class.private final Objectprivate intProtected by synchronizing on ssl.Protected by synchronizing on ssl.private final NativeSslWrapper around the underlying SSL object.private final SSLParametersImplprivate intprivate intFields inherited from class org.conscrypt.AbstractConscryptSocket
socket -
Constructor Summary
ConstructorsConstructorDescriptionConscryptFileDescriptorSocket(String hostname, int port, InetAddress clientAddress, int clientPort, SSLParametersImpl sslParameters) ConscryptFileDescriptorSocket(String hostname, int port, SSLParametersImpl sslParameters) ConscryptFileDescriptorSocket(InetAddress address, int port, InetAddress clientAddress, int clientPort, SSLParametersImpl sslParameters) ConscryptFileDescriptorSocket(InetAddress address, int port, SSLParametersImpl sslParameters) ConscryptFileDescriptorSocket(Socket socket, String hostname, int port, boolean autoClose, SSLParametersImpl sslParameters) ConscryptFileDescriptorSocket(SSLParametersImpl sslParameters) -
Method Summary
Modifier and TypeMethodDescriptionprivate voidfinal StringchooseClientAlias(X509KeyManager keyManager, X500Principal[] issuers, String[] keyTypes) final StringchooseClientPSKIdentity(PSKKeyManager keyManager, String identityHint) final StringchooseServerAlias(X509KeyManager keyManager, String keyType) final StringchooseServerPSKIdentityHint(PSKKeyManager keyManager) final voidclientCertificateRequested(byte[] keyTypeBytes, int[] signatureAlgs, byte[][] asn1DerEncodedPrincipals) Called on an SSL client when the server requests (or requires a certificate).final intclientPSKKeyRequested(String identityHint, byte[] identity, byte[] key) Gets the key to be used in client mode for this connection in Pre-Shared Key (PSK) key exchange.private ClientSessionContextfinal voidclose()private void(package private) byte[]exportKeyingMaterial(String label, byte[] context, int length) Exports a value derived from the TLS master secret as described in RFC 5705.protected final voidfinalize()private voidfree()(package private) final SSLSessionCalled byAbstractConscryptSocket.notifyHandshakeCompletedListeners()to get the currently active session.final String(package private) final String[]Returns the list of supported ALPN protocols.final byte[]Gets the TLS Channel ID for this server socket.final String[]final String[]final booleanfinal Stringfinal SSLSessionfinal InputStreamfinal booleanfinal OutputStreamfinal SecretKeygetPSKKey(PSKKeyManager keyManager, String identityHint, String identity) final SSLSessionfinal intNote write timeouts are not part of the javax.net.ssl.SSLSocket APIfinal SSLParametersfinal String[]final String[](package private) byte[]Returns the tls-unique channel binding value for this connection, per RFC 5929.final booleanfinal booleanprivate static NativeSslnewSsl(SSLParametersImpl sslParameters, ConscryptFileDescriptorSocket engine) final voidonNewSessionEstablished(long sslSessionNativePtr) Called when a new session has been established and may be added to the session cache.final voidonSSLStateChange(int type, int val) Called when SSL state changes.private ConscryptSessionprivate ConscryptSessionprivate ConscryptSessionintselectApplicationProtocol(byte[] protocols) Called when acting as a server, the socket has anApplicationProtocolSelectorAdapterassociated with it, and the application protocol needs to be selected.final voidCalled when acting as a server during ClientHello processing before a decision to resume a session is made.final intserverPSKKeyRequested(String identityHint, String identity, byte[] key) Gets the key to be used in server mode for this connection in Pre-Shared Key (PSK) key exchange.final longserverSessionRequested(byte[] id) Called for servers where TLS invalid input: '<' 1.3 (TLS 1.3 uses session tickets rather than application session caches).private AbstractSessionContext(package private) final voidsetApplicationProtocols(String[] protocols) Sets the list of ALPN protocols.final voidSets an application-provided ALPN protocol selector.(package private) final voidfinal voidsetChannelIdEnabled(boolean enabled) Enables/disables TLS Channel ID for this server socket.final voidsetChannelIdPrivateKey(PrivateKey privateKey) Sets thePrivateKeyto be used for TLS Channel ID by this client socket.final voidsetEnabledCipherSuites(String[] suites) final voidsetEnabledProtocols(String[] protocols) final voidsetEnableSessionCreation(boolean flag) final voidsetHandshakeTimeout(int handshakeTimeoutMilliseconds) Set the handshake timeout on this socket.final voidsetHostname(String hostname) This method enables Server Name Indication.final voidsetNeedClientAuth(boolean need) final voidsetSoWriteTimeout(int writeTimeoutMilliseconds) Note write timeouts are not part of the javax.net.ssl.SSLSocket APIfinal voidfinal voidsetUseClientMode(boolean mode) final voidsetUseSessionTickets(boolean useSessionTickets) This method enables session ticket support.final voidsetWantClientAuth(boolean want) private voidfinal voidStarts a TLS/SSL handshake on this connection using some native methods from the OpenSSL library.private voidtransitionTo(int newState) final voidverifyCertificateChain(byte[][] certChain, String authMethod) Verify that the certificate chain is trusted.private voidMethods inherited from class org.conscrypt.OpenSSLSocketImpl
getAlpnSelectedProtocol, getFileDescriptor$, getHostname, getHostnameOrIP, getNpnSelectedProtocol, setAlpnProtocols, setAlpnProtocols, setNpnProtocolsMethods inherited from class org.conscrypt.AbstractConscryptSocket
addHandshakeCompletedListener, bind, checkOpen, connect, connect, getChannel, getInetAddress, getKeepAlive, getLocalAddress, getLocalPort, getLocalSocketAddress, getOOBInline, getPort, getReceiveBufferSize, getRemoteSocketAddress, getReuseAddress, getSendBufferSize, getSoLinger, getSoTimeout, getTcpNoDelay, getTrafficClass, isBound, isClosed, isConnected, isInputShutdown, isOutputShutdown, notifyHandshakeCompletedListeners, peerInfoProvider, removeHandshakeCompletedListener, sendUrgentData, setKeepAlive, setOOBInline, setPerformancePreferences, setReceiveBufferSize, setReuseAddress, setSendBufferSize, setSoLinger, setSoTimeout, setTcpNoDelay, setTrafficClass, shutdownInput, shutdownOutput, toStringMethods inherited from class javax.net.ssl.SSLSocket
getHandshakeApplicationProtocolSelector, setHandshakeApplicationProtocolSelectorMethods inherited from class java.net.Socket
getOption, setOption, setSocketImplFactory, supportedOptions
-
Field Details
-
DBG_STATE
private static final boolean DBG_STATE- See Also:
-
state
private int state -
ssl
Wrapper around the underlying SSL object. -
is
Protected by synchronizing on ssl. Starts as null, set by getInputStream. -
os
Protected by synchronizing on ssl. Starts as null, set by getInputStream. -
sslParameters
-
guard
-
channelIdPrivateKey
Private key for the TLS Channel ID extension. This field is client-side only. Set during startHandshake. -
activeSession
-
closedSession
A snapshot of the active session when the engine was closed. -
externalSession
The session object exposed externally from this class. -
writeTimeoutMilliseconds
private int writeTimeoutMilliseconds -
handshakeTimeoutMilliseconds
private int handshakeTimeoutMilliseconds
-
-
Constructor Details
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(String hostname, int port, SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(InetAddress address, int port, SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(String hostname, int port, InetAddress clientAddress, int clientPort, SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(InetAddress address, int port, InetAddress clientAddress, int clientPort, SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(Socket socket, String hostname, int port, boolean autoClose, SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
-
Method Details
-
newSsl
private static NativeSsl newSsl(SSLParametersImpl sslParameters, ConscryptFileDescriptorSocket engine) throws SSLException - Throws:
SSLException
-
startHandshake
Starts a TLS/SSL handshake on this connection using some native methods from the OpenSSL library. It can negotiate new encryption keys, change cipher suites, or initiate a new session. The certificate chain is verified if the correspondent property in java.Security is set. All listeners are notified at the end of the TLS/SSL handshake.- Specified by:
startHandshakein classSSLSocket- Throws:
IOException
-
clientCertificateRequested
public final void clientCertificateRequested(byte[] keyTypeBytes, int[] signatureAlgs, byte[][] asn1DerEncodedPrincipals) throws CertificateEncodingException, SSLException Description copied from interface:NativeCrypto.SSLHandshakeCallbacksCalled on an SSL client when the server requests (or requires a certificate). The client can respond by using SSL_use_certificate and SSL_use_PrivateKey to set a certificate if has an appropriate one available, similar to how the server provides its certificate.- Specified by:
clientCertificateRequestedin interfaceNativeCrypto.SSLHandshakeCallbacks- Parameters:
keyTypeBytes- key types supported by the server, convertible to strings with #keyTypeasn1DerEncodedPrincipals- CAs known to the server- Throws:
CertificateEncodingExceptionSSLException
-
clientPSKKeyRequested
Description copied from interface:NativeCrypto.SSLHandshakeCallbacksGets the key to be used in client mode for this connection in Pre-Shared Key (PSK) key exchange.- Specified by:
clientPSKKeyRequestedin interfaceNativeCrypto.SSLHandshakeCallbacks- Parameters:
identityHint- PSK identity hint provided by the server ornullif no hint provided.identity- buffer to be populated with PSK identity (NULL-terminated modified UTF-8) by this method. This identity will be provided to the server.key- buffer to be populated with key material by this method.- Returns:
- number of bytes this method stored in the
keybuffer or0if an error occurred in which case the handshake will be aborted.
-
serverPSKKeyRequested
Description copied from interface:NativeCrypto.SSLHandshakeCallbacksGets the key to be used in server mode for this connection in Pre-Shared Key (PSK) key exchange.- Specified by:
serverPSKKeyRequestedin interfaceNativeCrypto.SSLHandshakeCallbacks- Parameters:
identityHint- PSK identity hint provided by this server to the client ornullif no hint was provided.identity- PSK identity provided by the client.key- buffer to be populated with key material by this method.- Returns:
- number of bytes this method stored in the
keybuffer or0if an error occurred in which case the handshake will be aborted.
-
onSSLStateChange
public final void onSSLStateChange(int type, int val) Description copied from interface:NativeCrypto.SSLHandshakeCallbacksCalled when SSL state changes. This could be handshake completion.- Specified by:
onSSLStateChangein interfaceNativeCrypto.SSLHandshakeCallbacks
-
onNewSessionEstablished
public final void onNewSessionEstablished(long sslSessionNativePtr) Description copied from interface:NativeCrypto.SSLHandshakeCallbacksCalled when a new session has been established and may be added to the session cache. The callee is responsible for incrementing the reference count on the returned session.- Specified by:
onNewSessionEstablishedin interfaceNativeCrypto.SSLHandshakeCallbacks
-
serverSessionRequested
public final long serverSessionRequested(byte[] id) Description copied from interface:NativeCrypto.SSLHandshakeCallbacksCalled for servers where TLS invalid input: '<' 1.3 (TLS 1.3 uses session tickets rather than application session caches). Looks up the session by ID in the application's session cache. If a valid session is returned, this callback is responsible for incrementing the reference count (and any required synchronization).- Specified by:
serverSessionRequestedin interfaceNativeCrypto.SSLHandshakeCallbacks- Parameters:
id- the ID of the session to find.- Returns:
- the cached session or
0if no session was found matching the given ID.
-
serverCertificateRequested
Description copied from interface:NativeCrypto.SSLHandshakeCallbacksCalled when acting as a server during ClientHello processing before a decision to resume a session is made. This allows the selection of the correct server certificate based on things like Server Name Indication (SNI).- Specified by:
serverCertificateRequestedin interfaceNativeCrypto.SSLHandshakeCallbacks- Throws:
IOException- if there was an error during certificate selection.
-
verifyCertificateChain
public final void verifyCertificateChain(byte[][] certChain, String authMethod) throws CertificateException Description copied from interface:NativeCrypto.SSLHandshakeCallbacksVerify that the certificate chain is trusted.- Specified by:
verifyCertificateChainin interfaceNativeCrypto.SSLHandshakeCallbacks- Parameters:
certChain- chain of X.509 certificates in their encoded formauthMethod- auth algorithm name- Throws:
CertificateException- if the certificate is untrusted
-
getInputStream
- Overrides:
getInputStreamin classAbstractConscryptSocket- Throws:
IOException
-
getOutputStream
- Overrides:
getOutputStreamin classAbstractConscryptSocket- Throws:
IOException
-
assertReadableOrWriteableState
private void assertReadableOrWriteableState() -
waitForHandshake
- Throws:
IOException
-
getSession
- Specified by:
getSessionin classSSLSocket
-
provideSession
-
provideAfterHandshakeSession
-
provideHandshakeSession
-
getActiveSession
Description copied from class:AbstractConscryptSocketCalled byAbstractConscryptSocket.notifyHandshakeCompletedListeners()to get the currently active session. UnlikeSSLSocket.getSession(), this method must not block.- Specified by:
getActiveSessionin classAbstractConscryptSocket
-
getHandshakeSession
- Specified by:
getHandshakeSessionin classOpenSSLSocketImpl
-
getEnableSessionCreation
public final boolean getEnableSessionCreation()- Specified by:
getEnableSessionCreationin classSSLSocket
-
setEnableSessionCreation
public final void setEnableSessionCreation(boolean flag) - Specified by:
setEnableSessionCreationin classSSLSocket
-
getSupportedCipherSuites
- Specified by:
getSupportedCipherSuitesin classSSLSocket
-
getEnabledCipherSuites
- Specified by:
getEnabledCipherSuitesin classSSLSocket
-
setEnabledCipherSuites
- Specified by:
setEnabledCipherSuitesin classSSLSocket
-
getSupportedProtocols
- Specified by:
getSupportedProtocolsin classSSLSocket
-
getEnabledProtocols
- Specified by:
getEnabledProtocolsin classSSLSocket
-
setEnabledProtocols
- Specified by:
setEnabledProtocolsin classSSLSocket
-
setUseSessionTickets
public final void setUseSessionTickets(boolean useSessionTickets) This method enables session ticket support.- Specified by:
setUseSessionTicketsin classOpenSSLSocketImpl- Parameters:
useSessionTickets- True to enable session tickets
-
setHostname
This method enables Server Name Indication. If the hostname is not a valid SNI hostname, the SNI extension will be omitted from the handshake.- Overrides:
setHostnamein classOpenSSLSocketImpl- Parameters:
hostname- the desired SNI hostname, or null to disable
-
setChannelIdEnabled
public final void setChannelIdEnabled(boolean enabled) Enables/disables TLS Channel ID for this server socket.This method needs to be invoked before the handshake starts.
- Specified by:
setChannelIdEnabledin classOpenSSLSocketImpl- Throws:
IllegalStateException- if this is a client socket or if the handshake has already started.
-
getChannelId
Gets the TLS Channel ID for this server socket. Channel ID is only available once the handshake completes.- Specified by:
getChannelIdin classOpenSSLSocketImpl- Returns:
- channel ID or
nullif not available. - Throws:
IllegalStateException- if this is a client socket or if the handshake has not yet completed.SSLException- if channel ID is available but could not be obtained.
-
setChannelIdPrivateKey
Sets thePrivateKeyto be used for TLS Channel ID by this client socket.This method needs to be invoked before the handshake starts.
- Specified by:
setChannelIdPrivateKeyin classOpenSSLSocketImpl- Parameters:
privateKey- private key (enables TLS Channel ID) ornullfor no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).- Throws:
IllegalStateException- if this is a server socket or if the handshake has already started.
-
getTlsUnique
byte[] getTlsUnique()Description copied from class:AbstractConscryptSocketReturns the tls-unique channel binding value for this connection, per RFC 5929. This will returnnullif there is no such value available, such as if the handshake has not yet completed or this connection is closed.- Specified by:
getTlsUniquein classAbstractConscryptSocket
-
exportKeyingMaterial
Description copied from class:AbstractConscryptSocketExports a value derived from the TLS master secret as described in RFC 5705.- Specified by:
exportKeyingMaterialin classAbstractConscryptSocket- Parameters:
label- the label to use in calculating the exported value. This must be an ASCII-only string.context- the application-specific context value to use in calculating the exported value. This may benullto use no application context, which is treated differently than an empty byte array.length- the number of bytes of keying material to return.- Returns:
- a value of the specified length, or
nullif the handshake has not yet completed or the connection has been closed. - Throws:
SSLException- if the value could not be exported.
-
getUseClientMode
public final boolean getUseClientMode()- Specified by:
getUseClientModein classSSLSocket
-
setUseClientMode
public final void setUseClientMode(boolean mode) - Specified by:
setUseClientModein classSSLSocket
-
getWantClientAuth
public final boolean getWantClientAuth()- Specified by:
getWantClientAuthin classSSLSocket
-
getNeedClientAuth
public final boolean getNeedClientAuth()- Specified by:
getNeedClientAuthin classSSLSocket
-
setNeedClientAuth
public final void setNeedClientAuth(boolean need) - Specified by:
setNeedClientAuthin classSSLSocket
-
setWantClientAuth
public final void setWantClientAuth(boolean want) - Specified by:
setWantClientAuthin classSSLSocket
-
setSoWriteTimeout
Note write timeouts are not part of the javax.net.ssl.SSLSocket API- Overrides:
setSoWriteTimeoutin classOpenSSLSocketImpl- Throws:
SocketException
-
getSoWriteTimeout
Note write timeouts are not part of the javax.net.ssl.SSLSocket API- Overrides:
getSoWriteTimeoutin classOpenSSLSocketImpl- Throws:
SocketException
-
setHandshakeTimeout
Set the handshake timeout on this socket. This timeout is specified in milliseconds and will be used only during the handshake process.- Overrides:
setHandshakeTimeoutin classOpenSSLSocketImpl- Throws:
SocketException
-
close
- Specified by:
closein interfaceAutoCloseable- Specified by:
closein interfaceCloseable- Overrides:
closein classAbstractConscryptSocket- Throws:
IOException
-
shutdownAndFreeSslNative
- Throws:
IOException
-
closeUnderlyingSocket
- Throws:
IOException
-
free
private void free() -
finalize
-
setApplicationProtocolSelector
Description copied from class:AbstractConscryptSocketSets an application-provided ALPN protocol selector. If provided, this will override the list of protocols set byAbstractConscryptSocket.setApplicationProtocols(String[]).- Specified by:
setApplicationProtocolSelectorin classAbstractConscryptSocket
-
setApplicationProtocolSelector
- Specified by:
setApplicationProtocolSelectorin classAbstractConscryptSocket
-
selectApplicationProtocol
public int selectApplicationProtocol(byte[] protocols) Description copied from interface:NativeCrypto.SSLHandshakeCallbacksCalled when acting as a server, the socket has anApplicationProtocolSelectorAdapterassociated with it, and the application protocol needs to be selected.- Specified by:
selectApplicationProtocolin interfaceNativeCrypto.SSLHandshakeCallbacks- Parameters:
protocols- list of application protocols in length-prefix format- Returns:
- the index offset of the selected protocol
-
setApplicationProtocols
Description copied from class:AbstractConscryptSocketSets the list of ALPN protocols.- Specified by:
setApplicationProtocolsin classAbstractConscryptSocket- Parameters:
protocols- the list of ALPN protocols
-
getApplicationProtocols
Description copied from class:AbstractConscryptSocketReturns the list of supported ALPN protocols.- Specified by:
getApplicationProtocolsin classAbstractConscryptSocket
-
getApplicationProtocol
- Specified by:
getApplicationProtocolin classAbstractConscryptSocket
-
getHandshakeApplicationProtocol
- Specified by:
getHandshakeApplicationProtocolin classAbstractConscryptSocket
-
getSSLParameters
- Overrides:
getSSLParametersin classSSLSocket
-
setSSLParameters
- Overrides:
setSSLParametersin classSSLSocket
-
chooseServerPSKIdentityHint
- Specified by:
chooseServerPSKIdentityHintin interfaceSSLParametersImpl.PSKCallbacks
-
chooseClientPSKIdentity
- Specified by:
chooseClientPSKIdentityin interfaceSSLParametersImpl.PSKCallbacks
-
getPSKKey
- Specified by:
getPSKKeyin interfaceSSLParametersImpl.PSKCallbacks
-
chooseServerAlias
- Specified by:
chooseServerAliasin interfaceSSLParametersImpl.AliasChooser
-
chooseClientAlias
public final String chooseClientAlias(X509KeyManager keyManager, X500Principal[] issuers, String[] keyTypes) - Specified by:
chooseClientAliasin interfaceSSLParametersImpl.AliasChooser
-
clientSessionContext
-
sessionContext
-
transitionTo
private void transitionTo(int newState)
-