Package org.conscrypt
Class ConscryptFileDescriptorSocket
java.lang.Object
java.net.Socket
javax.net.ssl.SSLSocket
org.conscrypt.AbstractConscryptSocket
org.conscrypt.OpenSSLSocketImpl
org.conscrypt.ConscryptFileDescriptorSocket
- All Implemented Interfaces:
Closeable
,AutoCloseable
,NativeCrypto.SSLHandshakeCallbacks
,SSLParametersImpl.AliasChooser
,SSLParametersImpl.PSKCallbacks
- Direct Known Subclasses:
Java8FileDescriptorSocket
class ConscryptFileDescriptorSocket
extends OpenSSLSocketImpl
implements NativeCrypto.SSLHandshakeCallbacks, SSLParametersImpl.PSKCallbacks, SSLParametersImpl.AliasChooser
Implementation of the class OpenSSLSocketImpl based on OpenSSL.
Extensions to SSLSocket include:
- handshake timeout
- session tickets
- Server Name Indication
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionprivate class
This inner class provides input data stream functionality for the OpenSSL native implementation.private class
This inner class provides output data stream functionality for the OpenSSL native implementation. -
Field Summary
FieldsModifier and TypeFieldDescriptionprivate final ActiveSession
private OpenSSLKey
Private key for the TLS Channel ID extension.private SessionSnapshot
A snapshot of the active session when the engine was closed.private static final boolean
private final SSLSession
The session object exposed externally from this class.private final Object
private int
Protected by synchronizing on ssl.Protected by synchronizing on ssl.private final NativeSsl
Wrapper around the underlying SSL object.private final SSLParametersImpl
private int
private int
Fields inherited from class org.conscrypt.AbstractConscryptSocket
socket
-
Constructor Summary
ConstructorsConstructorDescriptionConscryptFileDescriptorSocket
(String hostname, int port, InetAddress clientAddress, int clientPort, SSLParametersImpl sslParameters) ConscryptFileDescriptorSocket
(String hostname, int port, SSLParametersImpl sslParameters) ConscryptFileDescriptorSocket
(InetAddress address, int port, InetAddress clientAddress, int clientPort, SSLParametersImpl sslParameters) ConscryptFileDescriptorSocket
(InetAddress address, int port, SSLParametersImpl sslParameters) ConscryptFileDescriptorSocket
(Socket socket, String hostname, int port, boolean autoClose, SSLParametersImpl sslParameters) ConscryptFileDescriptorSocket
(SSLParametersImpl sslParameters) -
Method Summary
Modifier and TypeMethodDescriptionprivate void
final String
chooseClientAlias
(X509KeyManager keyManager, X500Principal[] issuers, String[] keyTypes) final String
chooseClientPSKIdentity
(PSKKeyManager keyManager, String identityHint) final String
chooseServerAlias
(X509KeyManager keyManager, String keyType) final String
chooseServerPSKIdentityHint
(PSKKeyManager keyManager) final void
clientCertificateRequested
(byte[] keyTypeBytes, int[] signatureAlgs, byte[][] asn1DerEncodedPrincipals) Called on an SSL client when the server requests (or requires a certificate).final int
clientPSKKeyRequested
(String identityHint, byte[] identity, byte[] key) Gets the key to be used in client mode for this connection in Pre-Shared Key (PSK) key exchange.private ClientSessionContext
final void
close()
private void
(package private) byte[]
exportKeyingMaterial
(String label, byte[] context, int length) Exports a value derived from the TLS master secret as described in RFC 5705.protected final void
finalize()
private void
free()
(package private) final SSLSession
Called byAbstractConscryptSocket.notifyHandshakeCompletedListeners()
to get the currently active session.final String
(package private) final String[]
Returns the list of supported ALPN protocols.final byte[]
Gets the TLS Channel ID for this server socket.final String[]
final String[]
final boolean
final String
final SSLSession
final InputStream
final boolean
final OutputStream
final SecretKey
getPSKKey
(PSKKeyManager keyManager, String identityHint, String identity) final SSLSession
final int
Note write timeouts are not part of the javax.net.ssl.SSLSocket APIfinal SSLParameters
final String[]
final String[]
(package private) byte[]
Returns the tls-unique channel binding value for this connection, per RFC 5929.final boolean
final boolean
private static NativeSsl
newSsl
(SSLParametersImpl sslParameters, ConscryptFileDescriptorSocket engine) final void
onNewSessionEstablished
(long sslSessionNativePtr) Called when a new session has been established and may be added to the session cache.final void
onSSLStateChange
(int type, int val) Called when SSL state changes.private ConscryptSession
private ConscryptSession
private ConscryptSession
int
selectApplicationProtocol
(byte[] protocols) Called when acting as a server, the socket has anApplicationProtocolSelectorAdapter
associated with it, and the application protocol needs to be selected.final void
Called when acting as a server during ClientHello processing before a decision to resume a session is made.final int
serverPSKKeyRequested
(String identityHint, String identity, byte[] key) Gets the key to be used in server mode for this connection in Pre-Shared Key (PSK) key exchange.final long
serverSessionRequested
(byte[] id) Called for servers where TLS invalid input: '<' 1.3 (TLS 1.3 uses session tickets rather than application session caches).private AbstractSessionContext
(package private) final void
setApplicationProtocols
(String[] protocols) Sets the list of ALPN protocols.final void
Sets an application-provided ALPN protocol selector.(package private) final void
final void
setChannelIdEnabled
(boolean enabled) Enables/disables TLS Channel ID for this server socket.final void
setChannelIdPrivateKey
(PrivateKey privateKey) Sets thePrivateKey
to be used for TLS Channel ID by this client socket.final void
setEnabledCipherSuites
(String[] suites) final void
setEnabledProtocols
(String[] protocols) final void
setEnableSessionCreation
(boolean flag) final void
setHandshakeTimeout
(int handshakeTimeoutMilliseconds) Set the handshake timeout on this socket.final void
setHostname
(String hostname) This method enables Server Name Indication.final void
setNeedClientAuth
(boolean need) final void
setSoWriteTimeout
(int writeTimeoutMilliseconds) Note write timeouts are not part of the javax.net.ssl.SSLSocket APIfinal void
final void
setUseClientMode
(boolean mode) final void
setUseSessionTickets
(boolean useSessionTickets) This method enables session ticket support.final void
setWantClientAuth
(boolean want) private void
final void
Starts a TLS/SSL handshake on this connection using some native methods from the OpenSSL library.private void
transitionTo
(int newState) final void
verifyCertificateChain
(byte[][] certChain, String authMethod) Verify that the certificate chain is trusted.private void
Methods inherited from class org.conscrypt.OpenSSLSocketImpl
getAlpnSelectedProtocol, getFileDescriptor$, getHostname, getHostnameOrIP, getNpnSelectedProtocol, setAlpnProtocols, setAlpnProtocols, setNpnProtocols
Methods inherited from class org.conscrypt.AbstractConscryptSocket
addHandshakeCompletedListener, bind, checkOpen, connect, connect, getChannel, getInetAddress, getKeepAlive, getLocalAddress, getLocalPort, getLocalSocketAddress, getOOBInline, getPort, getReceiveBufferSize, getRemoteSocketAddress, getReuseAddress, getSendBufferSize, getSoLinger, getSoTimeout, getTcpNoDelay, getTrafficClass, isBound, isClosed, isConnected, isInputShutdown, isOutputShutdown, notifyHandshakeCompletedListeners, peerInfoProvider, removeHandshakeCompletedListener, sendUrgentData, setKeepAlive, setOOBInline, setPerformancePreferences, setReceiveBufferSize, setReuseAddress, setSendBufferSize, setSoLinger, setSoTimeout, setTcpNoDelay, setTrafficClass, shutdownInput, shutdownOutput, toString
Methods inherited from class javax.net.ssl.SSLSocket
getHandshakeApplicationProtocolSelector, setHandshakeApplicationProtocolSelector
Methods inherited from class java.net.Socket
getOption, setOption, setSocketImplFactory, supportedOptions
-
Field Details
-
DBG_STATE
private static final boolean DBG_STATE- See Also:
-
state
private int state -
ssl
Wrapper around the underlying SSL object. -
is
Protected by synchronizing on ssl. Starts as null, set by getInputStream. -
os
Protected by synchronizing on ssl. Starts as null, set by getInputStream. -
sslParameters
-
guard
-
channelIdPrivateKey
Private key for the TLS Channel ID extension. This field is client-side only. Set during startHandshake. -
activeSession
-
closedSession
A snapshot of the active session when the engine was closed. -
externalSession
The session object exposed externally from this class. -
writeTimeoutMilliseconds
private int writeTimeoutMilliseconds -
handshakeTimeoutMilliseconds
private int handshakeTimeoutMilliseconds
-
-
Constructor Details
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(String hostname, int port, SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(InetAddress address, int port, SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(String hostname, int port, InetAddress clientAddress, int clientPort, SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(InetAddress address, int port, InetAddress clientAddress, int clientPort, SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
ConscryptFileDescriptorSocket
ConscryptFileDescriptorSocket(Socket socket, String hostname, int port, boolean autoClose, SSLParametersImpl sslParameters) throws IOException - Throws:
IOException
-
-
Method Details
-
newSsl
private static NativeSsl newSsl(SSLParametersImpl sslParameters, ConscryptFileDescriptorSocket engine) throws SSLException - Throws:
SSLException
-
startHandshake
Starts a TLS/SSL handshake on this connection using some native methods from the OpenSSL library. It can negotiate new encryption keys, change cipher suites, or initiate a new session. The certificate chain is verified if the correspondent property in java.Security is set. All listeners are notified at the end of the TLS/SSL handshake.- Specified by:
startHandshake
in classSSLSocket
- Throws:
IOException
-
clientCertificateRequested
public final void clientCertificateRequested(byte[] keyTypeBytes, int[] signatureAlgs, byte[][] asn1DerEncodedPrincipals) throws CertificateEncodingException, SSLException Description copied from interface:NativeCrypto.SSLHandshakeCallbacks
Called on an SSL client when the server requests (or requires a certificate). The client can respond by using SSL_use_certificate and SSL_use_PrivateKey to set a certificate if has an appropriate one available, similar to how the server provides its certificate.- Specified by:
clientCertificateRequested
in interfaceNativeCrypto.SSLHandshakeCallbacks
- Parameters:
keyTypeBytes
- key types supported by the server, convertible to strings with #keyTypeasn1DerEncodedPrincipals
- CAs known to the server- Throws:
CertificateEncodingException
SSLException
-
clientPSKKeyRequested
Description copied from interface:NativeCrypto.SSLHandshakeCallbacks
Gets the key to be used in client mode for this connection in Pre-Shared Key (PSK) key exchange.- Specified by:
clientPSKKeyRequested
in interfaceNativeCrypto.SSLHandshakeCallbacks
- Parameters:
identityHint
- PSK identity hint provided by the server ornull
if no hint provided.identity
- buffer to be populated with PSK identity (NULL-terminated modified UTF-8) by this method. This identity will be provided to the server.key
- buffer to be populated with key material by this method.- Returns:
- number of bytes this method stored in the
key
buffer or0
if an error occurred in which case the handshake will be aborted.
-
serverPSKKeyRequested
Description copied from interface:NativeCrypto.SSLHandshakeCallbacks
Gets the key to be used in server mode for this connection in Pre-Shared Key (PSK) key exchange.- Specified by:
serverPSKKeyRequested
in interfaceNativeCrypto.SSLHandshakeCallbacks
- Parameters:
identityHint
- PSK identity hint provided by this server to the client ornull
if no hint was provided.identity
- PSK identity provided by the client.key
- buffer to be populated with key material by this method.- Returns:
- number of bytes this method stored in the
key
buffer or0
if an error occurred in which case the handshake will be aborted.
-
onSSLStateChange
public final void onSSLStateChange(int type, int val) Description copied from interface:NativeCrypto.SSLHandshakeCallbacks
Called when SSL state changes. This could be handshake completion.- Specified by:
onSSLStateChange
in interfaceNativeCrypto.SSLHandshakeCallbacks
-
onNewSessionEstablished
public final void onNewSessionEstablished(long sslSessionNativePtr) Description copied from interface:NativeCrypto.SSLHandshakeCallbacks
Called when a new session has been established and may be added to the session cache. The callee is responsible for incrementing the reference count on the returned session.- Specified by:
onNewSessionEstablished
in interfaceNativeCrypto.SSLHandshakeCallbacks
-
serverSessionRequested
public final long serverSessionRequested(byte[] id) Description copied from interface:NativeCrypto.SSLHandshakeCallbacks
Called for servers where TLS invalid input: '<' 1.3 (TLS 1.3 uses session tickets rather than application session caches). Looks up the session by ID in the application's session cache. If a valid session is returned, this callback is responsible for incrementing the reference count (and any required synchronization).- Specified by:
serverSessionRequested
in interfaceNativeCrypto.SSLHandshakeCallbacks
- Parameters:
id
- the ID of the session to find.- Returns:
- the cached session or
0
if no session was found matching the given ID.
-
serverCertificateRequested
Description copied from interface:NativeCrypto.SSLHandshakeCallbacks
Called when acting as a server during ClientHello processing before a decision to resume a session is made. This allows the selection of the correct server certificate based on things like Server Name Indication (SNI).- Specified by:
serverCertificateRequested
in interfaceNativeCrypto.SSLHandshakeCallbacks
- Throws:
IOException
- if there was an error during certificate selection.
-
verifyCertificateChain
public final void verifyCertificateChain(byte[][] certChain, String authMethod) throws CertificateException Description copied from interface:NativeCrypto.SSLHandshakeCallbacks
Verify that the certificate chain is trusted.- Specified by:
verifyCertificateChain
in interfaceNativeCrypto.SSLHandshakeCallbacks
- Parameters:
certChain
- chain of X.509 certificates in their encoded formauthMethod
- auth algorithm name- Throws:
CertificateException
- if the certificate is untrusted
-
getInputStream
- Overrides:
getInputStream
in classAbstractConscryptSocket
- Throws:
IOException
-
getOutputStream
- Overrides:
getOutputStream
in classAbstractConscryptSocket
- Throws:
IOException
-
assertReadableOrWriteableState
private void assertReadableOrWriteableState() -
waitForHandshake
- Throws:
IOException
-
getSession
- Specified by:
getSession
in classSSLSocket
-
provideSession
-
provideAfterHandshakeSession
-
provideHandshakeSession
-
getActiveSession
Description copied from class:AbstractConscryptSocket
Called byAbstractConscryptSocket.notifyHandshakeCompletedListeners()
to get the currently active session. UnlikeSSLSocket.getSession()
, this method must not block.- Specified by:
getActiveSession
in classAbstractConscryptSocket
-
getHandshakeSession
- Specified by:
getHandshakeSession
in classOpenSSLSocketImpl
-
getEnableSessionCreation
public final boolean getEnableSessionCreation()- Specified by:
getEnableSessionCreation
in classSSLSocket
-
setEnableSessionCreation
public final void setEnableSessionCreation(boolean flag) - Specified by:
setEnableSessionCreation
in classSSLSocket
-
getSupportedCipherSuites
- Specified by:
getSupportedCipherSuites
in classSSLSocket
-
getEnabledCipherSuites
- Specified by:
getEnabledCipherSuites
in classSSLSocket
-
setEnabledCipherSuites
- Specified by:
setEnabledCipherSuites
in classSSLSocket
-
getSupportedProtocols
- Specified by:
getSupportedProtocols
in classSSLSocket
-
getEnabledProtocols
- Specified by:
getEnabledProtocols
in classSSLSocket
-
setEnabledProtocols
- Specified by:
setEnabledProtocols
in classSSLSocket
-
setUseSessionTickets
public final void setUseSessionTickets(boolean useSessionTickets) This method enables session ticket support.- Specified by:
setUseSessionTickets
in classOpenSSLSocketImpl
- Parameters:
useSessionTickets
- True to enable session tickets
-
setHostname
This method enables Server Name Indication. If the hostname is not a valid SNI hostname, the SNI extension will be omitted from the handshake.- Overrides:
setHostname
in classOpenSSLSocketImpl
- Parameters:
hostname
- the desired SNI hostname, or null to disable
-
setChannelIdEnabled
public final void setChannelIdEnabled(boolean enabled) Enables/disables TLS Channel ID for this server socket.This method needs to be invoked before the handshake starts.
- Specified by:
setChannelIdEnabled
in classOpenSSLSocketImpl
- Throws:
IllegalStateException
- if this is a client socket or if the handshake has already started.
-
getChannelId
Gets the TLS Channel ID for this server socket. Channel ID is only available once the handshake completes.- Specified by:
getChannelId
in classOpenSSLSocketImpl
- Returns:
- channel ID or
null
if not available. - Throws:
IllegalStateException
- if this is a client socket or if the handshake has not yet completed.SSLException
- if channel ID is available but could not be obtained.
-
setChannelIdPrivateKey
Sets thePrivateKey
to be used for TLS Channel ID by this client socket.This method needs to be invoked before the handshake starts.
- Specified by:
setChannelIdPrivateKey
in classOpenSSLSocketImpl
- Parameters:
privateKey
- private key (enables TLS Channel ID) ornull
for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).- Throws:
IllegalStateException
- if this is a server socket or if the handshake has already started.
-
getTlsUnique
byte[] getTlsUnique()Description copied from class:AbstractConscryptSocket
Returns the tls-unique channel binding value for this connection, per RFC 5929. This will returnnull
if there is no such value available, such as if the handshake has not yet completed or this connection is closed.- Specified by:
getTlsUnique
in classAbstractConscryptSocket
-
exportKeyingMaterial
Description copied from class:AbstractConscryptSocket
Exports a value derived from the TLS master secret as described in RFC 5705.- Specified by:
exportKeyingMaterial
in classAbstractConscryptSocket
- Parameters:
label
- the label to use in calculating the exported value. This must be an ASCII-only string.context
- the application-specific context value to use in calculating the exported value. This may benull
to use no application context, which is treated differently than an empty byte array.length
- the number of bytes of keying material to return.- Returns:
- a value of the specified length, or
null
if the handshake has not yet completed or the connection has been closed. - Throws:
SSLException
- if the value could not be exported.
-
getUseClientMode
public final boolean getUseClientMode()- Specified by:
getUseClientMode
in classSSLSocket
-
setUseClientMode
public final void setUseClientMode(boolean mode) - Specified by:
setUseClientMode
in classSSLSocket
-
getWantClientAuth
public final boolean getWantClientAuth()- Specified by:
getWantClientAuth
in classSSLSocket
-
getNeedClientAuth
public final boolean getNeedClientAuth()- Specified by:
getNeedClientAuth
in classSSLSocket
-
setNeedClientAuth
public final void setNeedClientAuth(boolean need) - Specified by:
setNeedClientAuth
in classSSLSocket
-
setWantClientAuth
public final void setWantClientAuth(boolean want) - Specified by:
setWantClientAuth
in classSSLSocket
-
setSoWriteTimeout
Note write timeouts are not part of the javax.net.ssl.SSLSocket API- Overrides:
setSoWriteTimeout
in classOpenSSLSocketImpl
- Throws:
SocketException
-
getSoWriteTimeout
Note write timeouts are not part of the javax.net.ssl.SSLSocket API- Overrides:
getSoWriteTimeout
in classOpenSSLSocketImpl
- Throws:
SocketException
-
setHandshakeTimeout
Set the handshake timeout on this socket. This timeout is specified in milliseconds and will be used only during the handshake process.- Overrides:
setHandshakeTimeout
in classOpenSSLSocketImpl
- Throws:
SocketException
-
close
- Specified by:
close
in interfaceAutoCloseable
- Specified by:
close
in interfaceCloseable
- Overrides:
close
in classAbstractConscryptSocket
- Throws:
IOException
-
shutdownAndFreeSslNative
- Throws:
IOException
-
closeUnderlyingSocket
- Throws:
IOException
-
free
private void free() -
finalize
-
setApplicationProtocolSelector
Description copied from class:AbstractConscryptSocket
Sets an application-provided ALPN protocol selector. If provided, this will override the list of protocols set byAbstractConscryptSocket.setApplicationProtocols(String[])
.- Specified by:
setApplicationProtocolSelector
in classAbstractConscryptSocket
-
setApplicationProtocolSelector
- Specified by:
setApplicationProtocolSelector
in classAbstractConscryptSocket
-
selectApplicationProtocol
public int selectApplicationProtocol(byte[] protocols) Description copied from interface:NativeCrypto.SSLHandshakeCallbacks
Called when acting as a server, the socket has anApplicationProtocolSelectorAdapter
associated with it, and the application protocol needs to be selected.- Specified by:
selectApplicationProtocol
in interfaceNativeCrypto.SSLHandshakeCallbacks
- Parameters:
protocols
- list of application protocols in length-prefix format- Returns:
- the index offset of the selected protocol
-
setApplicationProtocols
Description copied from class:AbstractConscryptSocket
Sets the list of ALPN protocols.- Specified by:
setApplicationProtocols
in classAbstractConscryptSocket
- Parameters:
protocols
- the list of ALPN protocols
-
getApplicationProtocols
Description copied from class:AbstractConscryptSocket
Returns the list of supported ALPN protocols.- Specified by:
getApplicationProtocols
in classAbstractConscryptSocket
-
getApplicationProtocol
- Specified by:
getApplicationProtocol
in classAbstractConscryptSocket
-
getHandshakeApplicationProtocol
- Specified by:
getHandshakeApplicationProtocol
in classAbstractConscryptSocket
-
getSSLParameters
- Overrides:
getSSLParameters
in classSSLSocket
-
setSSLParameters
- Overrides:
setSSLParameters
in classSSLSocket
-
chooseServerPSKIdentityHint
- Specified by:
chooseServerPSKIdentityHint
in interfaceSSLParametersImpl.PSKCallbacks
-
chooseClientPSKIdentity
- Specified by:
chooseClientPSKIdentity
in interfaceSSLParametersImpl.PSKCallbacks
-
getPSKKey
- Specified by:
getPSKKey
in interfaceSSLParametersImpl.PSKCallbacks
-
chooseServerAlias
- Specified by:
chooseServerAlias
in interfaceSSLParametersImpl.AliasChooser
-
chooseClientAlias
public final String chooseClientAlias(X509KeyManager keyManager, X500Principal[] issuers, String[] keyTypes) - Specified by:
chooseClientAlias
in interfaceSSLParametersImpl.AliasChooser
-
clientSessionContext
-
sessionContext
-
transitionTo
private void transitionTo(int newState)
-