Package org.conscrypt
Class SSLUtils
java.lang.Object
org.conscrypt.SSLUtils
Utility methods for SSL packet processing. Copied from the Netty project.
This is a public class to allow testing to occur on Android via CTS.
Nested Class Summary
- (package private) static final class: States for SSL engines.
- (package private) static enum

Field Summary

Constructor Summary

Method Summary
- (package private) static int calculateOutNetBufSize(int pendingBytes): Calculates the minimum bytes required in the encrypted output buffer for the given number of plaintext source bytes.
- (package private) static String[] concat
- (package private) static String[] decodeProtocols(byte[] protocols): Decodes the given list of protocols into Strings.
- private static X509Certificate decodeX509Certificate(CertificateFactory certificateFactory, byte[] bytes)
- (package private) static X509Certificate[] decodeX509CertificateChain(byte[][] certChain)
- (package private) static byte[] encodeProtocols(String[] protocols): Encodes a list of protocols into the wire-format (length-prefixed 8-bit strings).
- (package private) static byte[][] encodeSubjectX509Principals(X509Certificate[] certificates)
- private static CertificateFactory getCertificateFactory
- (package private) static String getClientKeyType(byte clientCertificateType): Similar to getServerKeyType, but returns a value given TLS ClientCertificateType byte values from a CertificateRequest message, for use with X509KeyManager.chooseClientAlias or X509ExtendedKeyManager.chooseEngineClientAlias.
- (package private) static String getClientKeyTypeFromSignatureAlg(int signatureAlg)
- private static int getEncryptedPacketLength(ByteBuffer buffer)
- (package private) static int getEncryptedPacketLength(ByteBuffer[] buffers, int offset): Returns how many bytes can be read out of the encrypted data.
- (package private) static String getServerX509KeyType(long sslCipherNative): Returns a key type constant suitable for calling X509KeyManager.chooseServerAlias or X509ExtendedKeyManager.chooseEngineServerAlias.
- getSupportedClientKeyTypes(byte[] clientCertificateTypes, int[] signatureAlgs): Gets the supported key types for client certificates based on the ClientCertificateType values provided by the server.
- (package private) static X509Certificate[] toCertificateChain(X509Certificate[] certificates): Converts the peer certificates into a cert chain.
- (package private) static byte[] toProtocolBytes(String protocol)
- (package private) static String toProtocolString(byte[] bytes)
- (package private) static SSLException toSSLException: Wraps the given exception if it's not already an SSLException.
- (package private) static SSLHandshakeException toSSLHandshakeException: Wraps the given exception if it's not already an SSLHandshakeException.
- private static short unsignedByte(byte b)
- private static int unsignedShort(short s)
Field Details

USE_ENGINE_SOCKET_BY_DEFAULT
static final boolean USE_ENGINE_SOCKET_BY_DEFAULT

MAX_PROTOCOL_LENGTH
private static final int MAX_PROTOCOL_LENGTH

US_ASCII

MAX_ENCRYPTION_OVERHEAD_LENGTH
private static final int MAX_ENCRYPTION_OVERHEAD_LENGTH
This is the maximum overhead when encrypting plaintext as defined by rfc5264, rfc5289, and the BoringSSL implementation itself. Please note that we use a padding of 16 here as BoringSSL uses PKCS#5, which uses 16 bytes, while the spec itself allows up to 255 bytes. 16 bytes is the max for PKCS#5 (which handles it the same way as PKCS#7) as we use a block size of 16. See rfc5652#section-6.3. The overhead is the sum of:
- 16 (IV)
- 48 (MAC)
- 1 (Padding_length field)
- 15 (Padding)
- 1 (ContentType in TLSCiphertext)
- 2 (ProtocolVersion)
- 2 (Length)
- 1 (ContentType in TLSInnerPlaintext)

MAX_ENCRYPTION_OVERHEAD_DIFF
private static final int MAX_ENCRYPTION_OVERHEAD_DIFF

KEY_TYPE_RSA
Key type: RSA certificate.

KEY_TYPE_EC
Key type: Elliptic Curve certificate.
Constructor Details

SSLUtils
private SSLUtils()
Method Details

decodeX509CertificateChain
- Throws: CertificateException

getCertificateFactory

decodeX509Certificate
private static X509Certificate decodeX509Certificate(CertificateFactory certificateFactory, byte[] bytes) throws CertificateException
- Throws: CertificateException

getServerX509KeyType
Returns a key type constant suitable for calling X509KeyManager.chooseServerAlias or X509ExtendedKeyManager.chooseEngineServerAlias. Returns null for key exchanges that do not use X.509 for server authentication.

getClientKeyType
Similar to getServerKeyType, but returns a value given TLS ClientCertificateType byte values from a CertificateRequest message, for use with X509KeyManager.chooseClientAlias or X509ExtendedKeyManager.chooseEngineClientAlias. Visible for testing.

getClientKeyTypeFromSignatureAlg

getSupportedClientKeyTypes
Gets the supported key types for client certificates based on the ClientCertificateType values provided by the server.
- Parameters:
  clientCertificateTypes - ClientCertificateType values provided by the server. See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-2.
  signatureAlgs - SignatureScheme values provided by the server. See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml#tls-signaturescheme
- Returns: supported key types that can be used in X509KeyManager.chooseClientAlias and X509ExtendedKeyManager.chooseEngineClientAlias. If the inputs imply a preference order, the returned set will have an iteration order that respects that preference order; otherwise it will be in an arbitrary order. Visible for testing.

encodeSubjectX509Principals
static byte[][] encodeSubjectX509Principals(X509Certificate[] certificates) throws CertificateEncodingException
- Throws: CertificateEncodingException

toCertificateChain
static X509Certificate[] toCertificateChain(X509Certificate[] certificates) throws SSLPeerUnverifiedException
Converts the peer certificates into a cert chain.
- Throws: SSLPeerUnverifiedException

calculateOutNetBufSize
static int calculateOutNetBufSize(int pendingBytes)
Calculates the minimum bytes required in the encrypted output buffer for the given number of plaintext source bytes.

toSSLHandshakeException
Wraps the given exception if it's not already an SSLHandshakeException.

toSSLException
Wraps the given exception if it's not already an SSLException.

toProtocolString

toProtocolBytes

decodeProtocols
Decodes the given list of protocols into Strings.
- Parameters: protocols - the encoded protocol list
- Returns: the decoded protocols, or EmptyArray.BYTE if protocols is empty.
- Throws: NullPointerException - if protocols is null.

encodeProtocols
Encodes a list of protocols into the wire-format (length-prefixed 8-bit strings). Requires that all strings be encoded with US-ASCII.
- Parameters: protocols - the list of protocols to be encoded
- Returns: the encoded form of the protocol list.
- Throws: IllegalArgumentException - if protocols is null, or if any element is null or an empty string.
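The wire format that encodeProtocols and decodeProtocols handle is the ALPN-style list of length-prefixed 8-bit strings: one length byte followed by that many US-ASCII bytes, repeated. The following is an added example, not Conscrypt's own code; the class name ProtocolListCodec, the MAX_NAME_LENGTH constant and the exact exception messages are this example's own choices. It enforces the documented argument checks (null list, null or empty element, US-ASCII only) and, on the decode side, rejects a length byte that runs past the end of the input instead of silently truncating, which is the failure mode a lenient parser of this format tends to get wrong.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not Conscrypt's own code): codec for the length-prefixed
// 8-bit string list described under encodeProtocols/decodeProtocols.
public final class ProtocolListCodec {
    // A single length byte prefixes each name, so a name cannot exceed 255 bytes.
    // Conscrypt's MAX_PROTOCOL_LENGTH serves the same purpose; its value is not on this page,
    // so this constant is the example's own assumption.
    private static final int MAX_NAME_LENGTH = 255;

    /** Encodes protocol names into the wire format, rejecting null, empty, non-ASCII or oversized names. */
    public static byte[] encode(String[] protocols) {
        if (protocols == null) {
            throw new IllegalArgumentException("protocols == null");
        }
        int total = 0;
        byte[][] encoded = new byte[protocols.length][];
        for (int i = 0; i < protocols.length; i++) {
            String p = protocols[i];
            if (p == null || p.isEmpty()) {
                throw new IllegalArgumentException("protocols[" + i + "] is null or empty");
            }
            // getBytes(US_ASCII) silently replaces non-ASCII chars, so check explicitly first.
            for (int j = 0; j < p.length(); j++) {
                if (p.charAt(j) > 0x7F) {
                    throw new IllegalArgumentException("protocols[" + i + "] is not US-ASCII");
                }
            }
            byte[] b = p.getBytes(StandardCharsets.US_ASCII);
            if (b.length > MAX_NAME_LENGTH) {
                throw new IllegalArgumentException("protocols[" + i + "] exceeds " + MAX_NAME_LENGTH + " bytes");
            }
            encoded[i] = b;
            total += 1 + b.length;
        }
        byte[] out = new byte[total];
        int pos = 0;
        for (byte[] b : encoded) {
            out[pos++] = (byte) b.length;            // length prefix (fits: checked above)
            System.arraycopy(b, 0, out, pos, b.length);
            pos += b.length;
        }
        return out;
    }

    /** Decodes the wire format; a truncated or zero-length entry is an error, not silently dropped. */
    public static String[] decode(byte[] protocols) {
        if (protocols == null) {
            throw new NullPointerException("protocols == null");
        }
        List<String> names = new ArrayList<>();
        int pos = 0;
        while (pos < protocols.length) {
            int len = protocols[pos++] & 0xFF;        // unsigned length byte
            if (len == 0 || pos + len > protocols.length) {
                throw new IllegalArgumentException("malformed protocol list at offset " + (pos - 1));
            }
            names.add(new String(protocols, pos, len, StandardCharsets.US_ASCII));
            pos += len;
        }
        return names.toArray(new String[0]);
    }

    public static void main(String[] args) {
        // Constructed sample: two common ALPN identifiers.
        String[] in = {"h2", "http/1.1"};
        byte[] wire = encode(in);
        System.out.println(Arrays.toString(wire));
        System.out.println(Arrays.toString(decode(wire)));
        // Constructed malformed input: the length byte claims 5 bytes but only 2 follow.
        try {
            decode(new byte[] {5, 'h', '2'});
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The explicit 7-bit check before getBytes matters because the US-ASCII charset encoder substitutes a replacement byte for characters it cannot represent rather than failing, so a name containing non-ASCII would otherwise be sent corrupted instead of being refused as the documentation requires.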
getEncryptedPacketLength
Returns how many bytes can be read out of the encrypted data. Be aware that this method will not increase the readerIndex of the given ByteBuffer.
- Parameters: buffers - the ByteBuffers to read from. Be aware that they must have at least NativeConstants.SSL3_RT_HEADER_LENGTH bytes to read, otherwise it will throw an IllegalArgumentException.
- Returns: length - the length of the encrypted packet that is included in the buffer. This will return -1 if the given ByteBuffer is not encrypted at all.
- Throws: IllegalArgumentException - thrown if the given ByteBuffer does not have at least NativeConstants.SSL3_RT_HEADER_LENGTH bytes to read.

getEncryptedPacketLength
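The two sizing helpers documented above, getEncryptedPacketLength and calculateOutNetBufSize, are easiest to understand side by side: one reads the 5-byte TLS record header (content type, version, length) without moving the buffer position so the caller knows how many bytes to feed the engine, and the other bounds the ciphertext that a given amount of plaintext can produce using the overhead constant from the Field Details. The following is an added example and not Conscrypt's own code. RECORD_HEADER_LENGTH is written out as 5 here, the size of a TLS record header, which is what NativeConstants.SSL3_RT_HEADER_LENGTH denotes; MAX_ENCRYPTION_OVERHEAD_LENGTH is the sum of the components listed on this page (86); the content-type values, the major-version check, the MAX_CIPHERTEXT_LENGTH sanity bound and the overflow clamp in calculateOutNetBufSize are this example's own choices.

```java
import java.nio.ByteBuffer;

// Added example (not Conscrypt's own code): TLS record length detection and
// output buffer sizing, modelled on the methods documented above.
public final class RecordSizing {
    // TLS record header: ContentType(1) + ProtocolVersion(2) + Length(2).
    // Same value as Conscrypt's NativeConstants.SSL3_RT_HEADER_LENGTH; redefined to stay self-contained.
    static final int RECORD_HEADER_LENGTH = 5;
    // Sanity bound for the length field (2^14 plaintext plus the TLS 1.2 ciphertext expansion allowance).
    // This limit is the example's own assumption, not something the page states.
    static final int MAX_CIPHERTEXT_LENGTH = 16384 + 2048;
    // 16 (IV) + 48 (MAC) + 1 + 15 + 1 + 2 + 2 + 1, as itemised under MAX_ENCRYPTION_OVERHEAD_LENGTH.
    static final int MAX_ENCRYPTION_OVERHEAD_LENGTH = 86;
    // Largest pendingBytes value that can take the overhead without int overflow.
    static final int MAX_ENCRYPTION_OVERHEAD_DIFF = Integer.MAX_VALUE - MAX_ENCRYPTION_OVERHEAD_LENGTH;

    // Record-layer content types (RFC 5246 section 6.2.1).
    private static final int CHANGE_CIPHER_SPEC = 20, ALERT = 21, HANDSHAKE = 22, APPLICATION_DATA = 23;

    static short unsignedByte(byte b) { return (short) (b & 0xFF); }
    static int unsignedShort(short s) { return s & 0xFFFF; }

    /**
     * Returns header + payload length of the record starting at buffer.position(),
     * or -1 if the bytes do not look like a TLS record. Absolute gets are used so the
     * buffer's position is left unchanged, as the documented method promises.
     */
    static int getEncryptedPacketLength(ByteBuffer buffer) {
        if (buffer.remaining() < RECORD_HEADER_LENGTH) {
            throw new IllegalArgumentException("need at least " + RECORD_HEADER_LENGTH + " bytes");
        }
        int pos = buffer.position();
        switch (unsignedByte(buffer.get(pos))) {
            case CHANGE_CIPHER_SPEC: case ALERT: case HANDSHAKE: case APPLICATION_DATA:
                break;
            default:
                return -1;                     // not a TLS content type: treat as unencrypted data
        }
        // Major version byte is 3 for SSL 3.0 through TLS 1.3 (TLS 1.3 keeps the legacy version on the wire).
        if (unsignedByte(buffer.get(pos + 1)) != 3) {
            return -1;
        }
        int length = unsignedShort(buffer.getShort(pos + 3));
        if (length == 0 || length > MAX_CIPHERTEXT_LENGTH) {
            return -1;                         // implausible length: do not trust it for buffer sizing
        }
        return RECORD_HEADER_LENGTH + length;
    }

    /** Worst-case ciphertext size for pendingBytes of plaintext; the min() prevents overflow near Integer.MAX_VALUE. */
    static int calculateOutNetBufSize(int pendingBytes) {
        return Math.min(MAX_ENCRYPTION_OVERHEAD_DIFF, pendingBytes) + MAX_ENCRYPTION_OVERHEAD_LENGTH;
    }

    public static void main(String[] args) {
        // Constructed application_data header: type 23, version 0x0303, length 0x0010, then a partial payload.
        ByteBuffer rec = ByteBuffer.wrap(new byte[] {23, 3, 3, 0, 16, 1, 2, 3});
        System.out.println("record length: " + getEncryptedPacketLength(rec));
        System.out.println("position after call: " + rec.position());
        // Constructed plaintext that is not a TLS record at all.
        ByteBuffer plain = ByteBuffer.wrap("GET / HTTP/1.1\r\n".getBytes());
        System.out.println("plaintext: " + getEncryptedPacketLength(plain));
        System.out.println("out buf for 1024 bytes: " + calculateOutNetBufSize(1024));
        System.out.println("out buf for MAX_VALUE: " + calculateOutNetBufSize(Integer.MAX_VALUE));
    }
}
```

For the constructed record the returned length counts the header as well as the payload, so a caller waiting on a socket knows the total it must have buffered before handing the record to the engine, and a buffer holding more than one record is consumed one record at a time. The plausibility check on the length field is there because the value is attacker-controlled: sizing an allocation from it without a bound turns a single forged header into an oversized allocation.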
unsignedByte
private static short unsignedByte(byte b)

unsignedShort
private static int unsignedShort(short s)

concat