org.conscrypt

Class OpenSSLSocketImpl

java.lang.Object

java.net.Socket

javax.net.ssl.SSLSocket

org.conscrypt.OpenSSLSocketImpl

All Implemented Interfaces:

Closeable, AutoCloseable, NativeCrypto.SSLHandshakeCallbacks, SSLParametersImpl.AliasChooser, SSLParametersImpl.PSKCallbacks

Direct Known Subclasses:

OpenSSLSocketImplWrapper

public class OpenSSLSocketImpl
extends SSLSocket
implements NativeCrypto.SSLHandshakeCallbacks, SSLParametersImpl.AliasChooser, SSLParametersImpl.PSKCallbacks

Implementation of the class OpenSSLSocketImpl based on OpenSSL.

Extensions to SSLSocket include:

• handshake timeout
• session tickets
• Server Name Indication

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	OpenSSLSocketImpl(InetAddress address, int port, InetAddress clientAddress, int clientPort, SSLParametersImpl sslParameters)
protected	OpenSSLSocketImpl(InetAddress address, int port, SSLParametersImpl sslParameters)
protected	OpenSSLSocketImpl(Socket socket, String hostname, int port, boolean autoClose, SSLParametersImpl sslParameters) Create an SSL socket that wraps another socket.
protected	OpenSSLSocketImpl(SSLParametersImpl sslParameters)
protected	OpenSSLSocketImpl(String hostname, int port, InetAddress clientAddress, int clientPort, SSLParametersImpl sslParameters)
protected	OpenSSLSocketImpl(String hostname, int port, SSLParametersImpl sslParameters)

Method Summary

Modifier and Type	Method and Description
void	addHandshakeCompletedListener(HandshakeCompletedListener listener)
String	chooseClientAlias(X509KeyManager keyManager, X500Principal[] issuers, String[] keyTypes)
String	chooseClientPSKIdentity(PSKKeyManager keyManager, String identityHint)
String	chooseServerAlias(X509KeyManager keyManager, String keyType)
String	chooseServerPSKIdentityHint(PSKKeyManager keyManager)
void	clientCertificateRequested(byte[] keyTypeBytes, byte[][] asn1DerEncodedPrincipals) Called on an SSL client when the server requests (or requires a certificate).
int	clientPSKKeyRequested(String identityHint, byte[] identity, byte[] key) Gets the key to be used in client mode for this connection in Pre-Shared Key (PSK) key exchange.
void	close()
void	connect(SocketAddress endpoint)
void	connect(SocketAddress endpoint, int timeout) Try to extract the peer's hostname if it's available from the endpoint address.
protected void	finalize()
byte[]	getAlpnSelectedProtocol() Returns the protocol agreed upon by client and server, or null if no protocol was agreed upon.
byte[]	getChannelId() Gets the TLS Channel ID for this server socket.
String[]	getEnabledCipherSuites()
String[]	getEnabledProtocols()
boolean	getEnableSessionCreation()
FileDescriptor	getFileDescriptor$()
SSLSession	getHandshakeSession()
String	getHostname() Returns the hostname that was supplied during socket creation.
String	getHostnameOrIP() For the purposes of an SSLSession, we want a way to represent the supplied hostname or the IP address in a textual representation.
InputStream	getInputStream()
boolean	getNeedClientAuth()
byte[]	getNpnSelectedProtocol() Returns null always for backward compatibility.
OutputStream	getOutputStream()
int	getPort()
SecretKey	getPSKKey(PSKKeyManager keyManager, String identityHint, String identity)
SSLSession	getSession()
int	getSoTimeout()
int	getSoWriteTimeout() Note write timeouts are not part of the javax.net.ssl.SSLSocket API
SSLParameters	getSSLParameters()
String[]	getSupportedCipherSuites()
String[]	getSupportedProtocols()
boolean	getUseClientMode()
boolean	getWantClientAuth()
void	onSSLStateChange(int type, int val) Called when SSL state changes.
void	removeHandshakeCompletedListener(HandshakeCompletedListener listener)
void	sendUrgentData(int data)
int	serverPSKKeyRequested(String identityHint, String identity, byte[] key) Gets the key to be used in server mode for this connection in Pre-Shared Key (PSK) key exchange.
void	setAlpnProtocols(byte[] alpnProtocols) Sets the list of protocols this peer is interested in.
void	setChannelIdEnabled(boolean enabled) Enables/disables TLS Channel ID for this server socket.
void	setChannelIdPrivateKey(PrivateKey privateKey) Sets the PrivateKey to be used for TLS Channel ID by this client socket.
void	setEnabledCipherSuites(String[] suites)
void	setEnabledProtocols(String[] protocols)
void	setEnableSessionCreation(boolean flag)
void	setHandshakeTimeout(int handshakeTimeoutMilliseconds) Set the handshake timeout on this socket.
void	setHostname(String hostname) This method enables Server Name Indication
void	setNeedClientAuth(boolean need)
void	setNpnProtocols(byte[] npnProtocols) This method does nothing and is kept for backward compatibility.
void	setOOBInline(boolean on)
void	setSoTimeout(int readTimeoutMilliseconds)
void	setSoWriteTimeout(int writeTimeoutMilliseconds) Note write timeouts are not part of the javax.net.ssl.SSLSocket API
void	setSSLParameters(SSLParameters p)
void	setUseClientMode(boolean mode)
void	setUseSessionTickets(boolean useSessionTickets) This method enables session ticket support.
void	setWantClientAuth(boolean want)
void	startHandshake() Starts a TLS/SSL handshake on this connection using some native methods from the OpenSSL library.
void	verifyCertificateChain(long[] certRefs, String authMethod) Verify that we trust the certificate chain is trusted.

Methods inherited from class java.net.Socket

bind, getChannel, getInetAddress, getKeepAlive, getLocalAddress, getLocalPort, getLocalSocketAddress, getOOBInline, getReceiveBufferSize, getRemoteSocketAddress, getReuseAddress, getSendBufferSize, getSoLinger, getTcpNoDelay, getTrafficClass, isBound, isClosed, isConnected, isInputShutdown, isOutputShutdown, setKeepAlive, setPerformancePreferences, setReceiveBufferSize, setReuseAddress, setSendBufferSize, setSocketImplFactory, setSoLinger, setTcpNoDelay, setTrafficClass, shutdownInput, shutdownOutput, toString

Methods inherited from class java.lang.Object

clone, equals, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

OpenSSLSocketImpl

protected OpenSSLSocketImpl(SSLParametersImpl sslParameters)
                     throws IOException

Throws:

IOException

OpenSSLSocketImpl

protected OpenSSLSocketImpl(String hostname,
                            int port,
                            SSLParametersImpl sslParameters)
                     throws IOException

Throws:

IOException

OpenSSLSocketImpl

protected OpenSSLSocketImpl(InetAddress address,
                            int port,
                            SSLParametersImpl sslParameters)
                     throws IOException

Throws:

IOException

OpenSSLSocketImpl

protected OpenSSLSocketImpl(String hostname,
                            int port,
                            InetAddress clientAddress,
                            int clientPort,
                            SSLParametersImpl sslParameters)
                     throws IOException

Throws:

IOException

OpenSSLSocketImpl

protected OpenSSLSocketImpl(InetAddress address,
                            int port,
                            InetAddress clientAddress,
                            int clientPort,
                            SSLParametersImpl sslParameters)
                     throws IOException

Throws:

IOException

OpenSSLSocketImpl

protected OpenSSLSocketImpl(Socket socket,
                            String hostname,
                            int port,
                            boolean autoClose,
                            SSLParametersImpl sslParameters)
                     throws IOException

Create an SSL socket that wraps another socket. Invoked by OpenSSLSocketImplWrapper constructor.

Throws:

IOException

Method Detail

connect

public void connect(SocketAddress endpoint)
             throws IOException

Overrides:

connect in class Socket

Throws:

IOException

connect

public void connect(SocketAddress endpoint,
                    int timeout)
             throws IOException

Try to extract the peer's hostname if it's available from the endpoint address.

Overrides:

connect in class Socket

Throws:

IOException

startHandshake

public void startHandshake()
                    throws IOException

Starts a TLS/SSL handshake on this connection using some native methods from the OpenSSL library. It can negotiate new encryption keys, change cipher suites, or initiate a new session. The certificate chain is verified if the correspondent property in java.Security is set. All listeners are notified at the end of the TLS/SSL handshake.

Specified by:

startHandshake in class SSLSocket

Throws:

IOException

getHostname

public String getHostname()

Returns the hostname that was supplied during socket creation. No DNS resolution is attempted before returning the hostname.

getHostnameOrIP

public String getHostnameOrIP()

For the purposes of an SSLSession, we want a way to represent the supplied hostname or the IP address in a textual representation. We do not want to perform reverse DNS lookups on this address.

getPort

public int getPort()

Overrides:

getPort in class Socket

clientCertificateRequested

public void clientCertificateRequested(byte[] keyTypeBytes,
                                       byte[][] asn1DerEncodedPrincipals)
                                throws CertificateEncodingException,
                                       SSLException

Description copied from interface: NativeCrypto.SSLHandshakeCallbacks

Called on an SSL client when the server requests (or requires a certificate). The client can respond by using SSL_use_certificate and SSL_use_PrivateKey to set a certificate if has an appropriate one available, similar to how the server provides its certificate.

Specified by:

clientCertificateRequested in interface NativeCrypto.SSLHandshakeCallbacks

Parameters:

keyTypeBytes - key types supported by the server, convertible to strings with #keyType

asn1DerEncodedPrincipals - CAs known to the server

Throws:

CertificateEncodingException

SSLException

clientPSKKeyRequested

public int clientPSKKeyRequested(String identityHint,
                                 byte[] identity,
                                 byte[] key)

Description copied from interface: NativeCrypto.SSLHandshakeCallbacks

Gets the key to be used in client mode for this connection in Pre-Shared Key (PSK) key exchange.

Specified by:

clientPSKKeyRequested in interface NativeCrypto.SSLHandshakeCallbacks

Parameters:

identityHint - PSK identity hint provided by the server or null if no hint provided.

identity - buffer to be populated with PSK identity (NULL-terminated modified UTF-8) by this method. This identity will be provided to the server.

key - buffer to be populated with key material by this method.

Returns:

number of bytes this method stored in the key buffer or 0 if an error occurred in which case the handshake will be aborted.

serverPSKKeyRequested

public int serverPSKKeyRequested(String identityHint,
                                 String identity,
                                 byte[] key)

Description copied from interface: NativeCrypto.SSLHandshakeCallbacks

Gets the key to be used in server mode for this connection in Pre-Shared Key (PSK) key exchange.

Specified by:

serverPSKKeyRequested in interface NativeCrypto.SSLHandshakeCallbacks

Parameters:

identityHint - PSK identity hint provided by this server to the client or null if no hint was provided.

identity - PSK identity provided by the client.

key - buffer to be populated with key material by this method.

Returns:

number of bytes this method stored in the key buffer or 0 if an error occurred in which case the handshake will be aborted.

onSSLStateChange

public void onSSLStateChange(int type,
                             int val)

Description copied from interface: NativeCrypto.SSLHandshakeCallbacks

Called when SSL state changes. This could be handshake completion.

Specified by:

onSSLStateChange in interface NativeCrypto.SSLHandshakeCallbacks

verifyCertificateChain

public void verifyCertificateChain(long[] certRefs,
                                   String authMethod)
                            throws CertificateException

Description copied from interface: NativeCrypto.SSLHandshakeCallbacks

Verify that we trust the certificate chain is trusted.

Specified by:

verifyCertificateChain in interface NativeCrypto.SSLHandshakeCallbacks

Parameters:

certRefs - chain of X.509 certificate references

authMethod - auth algorithm name

Throws:

CertificateException - if the certificate is untrusted

getInputStream

public InputStream getInputStream()
                           throws IOException

Overrides:

getInputStream in class Socket

Throws:

IOException

getOutputStream

public OutputStream getOutputStream()
                             throws IOException

Overrides:

getOutputStream in class Socket

Throws:

IOException

getSession

public SSLSession getSession()

Specified by:

getSession in class SSLSocket

getHandshakeSession

public SSLSession getHandshakeSession()

Overrides:

getHandshakeSession in class SSLSocket

addHandshakeCompletedListener

public void addHandshakeCompletedListener(HandshakeCompletedListener listener)

Specified by:

addHandshakeCompletedListener in class SSLSocket

removeHandshakeCompletedListener

public void removeHandshakeCompletedListener(HandshakeCompletedListener listener)

Specified by:

removeHandshakeCompletedListener in class SSLSocket

getEnableSessionCreation

public boolean getEnableSessionCreation()

Specified by:

getEnableSessionCreation in class SSLSocket

setEnableSessionCreation

public void setEnableSessionCreation(boolean flag)

Specified by:

setEnableSessionCreation in class SSLSocket

getSupportedCipherSuites

public String[] getSupportedCipherSuites()

Specified by:

getSupportedCipherSuites in class SSLSocket

getEnabledCipherSuites

public String[] getEnabledCipherSuites()

Specified by:

getEnabledCipherSuites in class SSLSocket

setEnabledCipherSuites

public void setEnabledCipherSuites(String[] suites)

Specified by:

setEnabledCipherSuites in class SSLSocket

getSupportedProtocols

public String[] getSupportedProtocols()

Specified by:

getSupportedProtocols in class SSLSocket

getEnabledProtocols

public String[] getEnabledProtocols()

Specified by:

getEnabledProtocols in class SSLSocket

setEnabledProtocols

public void setEnabledProtocols(String[] protocols)

Specified by:

setEnabledProtocols in class SSLSocket

setUseSessionTickets

public void setUseSessionTickets(boolean useSessionTickets)

This method enables session ticket support.

Parameters:

useSessionTickets - True to enable session tickets

setHostname

public void setHostname(String hostname)

This method enables Server Name Indication

Parameters:

hostname - the desired SNI hostname, or null to disable

setChannelIdEnabled

public void setChannelIdEnabled(boolean enabled)

Enables/disables TLS Channel ID for this server socket.

This method needs to be invoked before the handshake starts.

Throws:

IllegalStateException - if this is a client socket or if the handshake has already started.

getChannelId

public byte[] getChannelId()
                    throws SSLException

Gets the TLS Channel ID for this server socket. Channel ID is only available once the handshake completes.

Returns:

channel ID or null if not available.

Throws:

IllegalStateException - if this is a client socket or if the handshake has not yet completed.

SSLException - if channel ID is available but could not be obtained.

setChannelIdPrivateKey

public void setChannelIdPrivateKey(PrivateKey privateKey)

Sets the PrivateKey to be used for TLS Channel ID by this client socket.

This method needs to be invoked before the handshake starts.

Parameters:

privateKey - private key (enables TLS Channel ID) or null for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).

Throws:

IllegalStateException - if this is a server socket or if the handshake has already started.

getUseClientMode

public boolean getUseClientMode()

Specified by:

getUseClientMode in class SSLSocket

setUseClientMode

public void setUseClientMode(boolean mode)

Specified by:

setUseClientMode in class SSLSocket

getWantClientAuth

public boolean getWantClientAuth()

Specified by:

getWantClientAuth in class SSLSocket

getNeedClientAuth

public boolean getNeedClientAuth()

Specified by:

getNeedClientAuth in class SSLSocket

setNeedClientAuth

public void setNeedClientAuth(boolean need)

Specified by:

setNeedClientAuth in class SSLSocket

setWantClientAuth

public void setWantClientAuth(boolean want)

Specified by:

setWantClientAuth in class SSLSocket

sendUrgentData

public void sendUrgentData(int data)
                    throws IOException

Overrides:

sendUrgentData in class Socket

Throws:

IOException

setOOBInline

public void setOOBInline(boolean on)
                  throws SocketException

Overrides:

setOOBInline in class Socket

Throws:

SocketException

setSoTimeout

public void setSoTimeout(int readTimeoutMilliseconds)
                  throws SocketException

Overrides:

setSoTimeout in class Socket

Throws:

SocketException

getSoTimeout

public int getSoTimeout()
                 throws SocketException

Overrides:

getSoTimeout in class Socket

Throws:

SocketException

setSoWriteTimeout

public void setSoWriteTimeout(int writeTimeoutMilliseconds)
                       throws SocketException

Note write timeouts are not part of the javax.net.ssl.SSLSocket API

Throws:

SocketException

getSoWriteTimeout

public int getSoWriteTimeout()
                      throws SocketException

Note write timeouts are not part of the javax.net.ssl.SSLSocket API

Throws:

SocketException

setHandshakeTimeout

public void setHandshakeTimeout(int handshakeTimeoutMilliseconds)
                         throws SocketException

Set the handshake timeout on this socket. This timeout is specified in milliseconds and will be used only during the handshake process.

Throws:

SocketException

close

public void close()
           throws IOException

Specified by:

close in interface Closeable

Specified by:

close in interface AutoCloseable

Overrides:

close in class Socket

Throws:

IOException

finalize

protected void finalize()
                 throws Throwable

Overrides:

finalize in class Object

Throws:

Throwable

getFileDescriptor$

public FileDescriptor getFileDescriptor$()

getNpnSelectedProtocol

public byte[] getNpnSelectedProtocol()

Returns null always for backward compatibility.

getAlpnSelectedProtocol

public byte[] getAlpnSelectedProtocol()

Returns the protocol agreed upon by client and server, or null if no protocol was agreed upon.

setNpnProtocols

public void setNpnProtocols(byte[] npnProtocols)

This method does nothing and is kept for backward compatibility.

setAlpnProtocols

public void setAlpnProtocols(byte[] alpnProtocols)

Sets the list of protocols this peer is interested in. If the list is null, no protocols will be used.

Parameters:

alpnProtocols - a non-empty array of protocol names. From SSL_select_next_proto, "vector of 8-bit, length prefixed byte strings. The length byte itself is not included in the length. A byte string of length 0 is invalid. No byte string may be truncated.".

getSSLParameters

public SSLParameters getSSLParameters()

Overrides:

getSSLParameters in class SSLSocket

setSSLParameters

public void setSSLParameters(SSLParameters p)

Overrides:

setSSLParameters in class SSLSocket

chooseServerAlias

public String chooseServerAlias(X509KeyManager keyManager,
                                String keyType)

Specified by:

chooseServerAlias in interface SSLParametersImpl.AliasChooser

chooseClientAlias

public String chooseClientAlias(X509KeyManager keyManager,
                                X500Principal[] issuers,
                                String[] keyTypes)

Specified by:

chooseClientAlias in interface SSLParametersImpl.AliasChooser

chooseServerPSKIdentityHint

public String chooseServerPSKIdentityHint(PSKKeyManager keyManager)

Specified by:

chooseServerPSKIdentityHint in interface SSLParametersImpl.PSKCallbacks

chooseClientPSKIdentity

public String chooseClientPSKIdentity(PSKKeyManager keyManager,
                                      String identityHint)

Specified by:

chooseClientPSKIdentity in interface SSLParametersImpl.PSKCallbacks

getPSKKey

public SecretKey getPSKKey(PSKKeyManager keyManager,
                           String identityHint,
                           String identity)

Specified by:

getPSKKey in interface SSLParametersImpl.PSKCallbacks