org.conscrypt

Class SSLParametersImpl

java.lang.Object

org.conscrypt.SSLParametersImpl

All Implemented Interfaces:

Cloneable

public class SSLParametersImpl
extends Object
implements Cloneable

The instances of this class encapsulate all the info about enabled cipher suites and protocols, as well as the information about client/server mode of ssl socket, whether it require/want client authentication or not, and controls whether new SSL sessions may be established by this socket or not.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static interface	SSLParametersImpl.AliasChooser For abstracting the X509KeyManager calls between X509KeyManager.chooseClientAlias(String[], java.security.Principal[], java.net.Socket) and X509ExtendedKeyManager.chooseEngineClientAlias(String[], java.security.Principal[], javax.net.ssl.SSLEngine)
static interface	SSLParametersImpl.PSKCallbacks For abstracting the PSKKeyManager calls between those taking an SSLSocket and those taking an SSLEngine.

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	SSLParametersImpl(KeyManager[] kms, TrustManager[] tms, SecureRandom sr, ClientSessionContext clientSessionContext, ServerSessionContext serverSessionContext, String[] protocols) Initializes the parameters.

Method Summary

Modifier and Type	Method and Description
protected Object	clone() Returns the clone of this object.
static String	getClientKeyType(byte clientCertificateType) Similar to getServerKeyType, but returns value given TLS ClientCertificateType byte values from a CertificateRequest message for use with X509KeyManager.chooseClientAlias or X509ExtendedKeyManager.chooseEngineClientAlias.
protected ClientSessionContext	getClientSessionContext()
protected static SSLParametersImpl	getDefault()
static X509TrustManager	getDefaultX509TrustManager() Gets the default X.509 trust manager.
protected String[]	getEnabledCipherSuites()
protected String[]	getEnabledProtocols()
protected boolean	getEnableSessionCreation() Returns the value indicating if the peer with this parameters allowed to cteate new SSL session
String	getEndpointIdentificationAlgorithm()
protected boolean	getNeedClientAuth() Returns the value indicating if the peer with this parameters tuned to require client authentication
byte[]	getOCSPResponse()
protected PSKKeyManager	getPSKKeyManager()
protected SecureRandom	getSecureRandom()
protected SecureRandom	getSecureRandomMember()
protected ServerSessionContext	getServerSessionContext()
org.conscrypt.AbstractSessionContext	getSessionContext() Returns the appropriate session context.
static Set<String>	getSupportedClientKeyTypes(byte[] clientCertificateTypes) Gets the supported key types for client certificates based on the ClientCertificateType values provided by the server.
boolean	getUseCipherSuitesOrder()
protected boolean	getUseClientMode() Returns the value indicating if the parameters configured to work in client mode.
protected boolean	getUseSni() Returns whether connections using this SSL connection should use the TLS extension Server Name Indication (SNI).
protected boolean	getWantClientAuth() Returns the value indicating if the peer with this parameters tuned to request client authentication
protected X509KeyManager	getX509KeyManager()
protected X509TrustManager	getX509TrustManager()
boolean	isCTVerificationEnabled(String hostname) Check if SCT verification is enforced for a given hostname.
void	setCTVerificationEnabled(boolean enabled)
protected void	setEnabledCipherSuites(String[] cipherSuites) Sets the enabled cipher suites after filtering through OpenSSL.
protected void	setEnabledProtocols(String[] protocols) Sets the list of available protocols for use in SSL connection.
protected void	setEnableSessionCreation(boolean flag) Allows/disallows the peer holding this parameters to create new SSL session
void	setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)
protected void	setNeedClientAuth(boolean need) Tunes the peer holding this parameters to require client authentication
void	setOCSPResponse(byte[] response)
void	setSCTExtension(byte[] extension)
void	setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
protected void	setUseClientMode(boolean mode) Tunes the peer holding this parameters to work in client mode.
protected void	setUseSni(boolean flag) Whether connections using this SSL connection should use the TLS extension Server Name Indication (SNI).
protected void	setWantClientAuth(boolean want) Tunes the peer holding this parameters to request client authentication

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SSLParametersImpl

protected SSLParametersImpl(KeyManager[] kms,
                            TrustManager[] tms,
                            SecureRandom sr,
                            ClientSessionContext clientSessionContext,
                            ServerSessionContext serverSessionContext,
                            String[] protocols)
                     throws KeyManagementException

Initializes the parameters. Naturally this constructor is used in SSLContextImpl.engineInit method which directly passes its parameters. In other words this constructor holds all the functionality provided by SSLContext.init method. See SSLContext.init(KeyManager[],TrustManager[], SecureRandom) for more information

Throws:

KeyManagementException

Method Detail

getDefault

protected static SSLParametersImpl getDefault()
                                       throws KeyManagementException

Throws:

KeyManagementException

getSessionContext

public org.conscrypt.AbstractSessionContext getSessionContext()

Returns the appropriate session context.

getServerSessionContext

protected ServerSessionContext getServerSessionContext()

Returns:

server session context

getClientSessionContext

protected ClientSessionContext getClientSessionContext()

Returns:

client session context

getX509KeyManager

protected X509KeyManager getX509KeyManager()

Returns:

X.509 key manager or null for none.

getPSKKeyManager

protected PSKKeyManager getPSKKeyManager()

Returns:

Pre-Shared Key (PSK) key manager or null for none.

getX509TrustManager

protected X509TrustManager getX509TrustManager()

Returns:

X.509 trust manager or null for none.

getSecureRandom

protected SecureRandom getSecureRandom()

Returns:

secure random

getSecureRandomMember

protected SecureRandom getSecureRandomMember()

Returns:

the secure random member reference, even it is null

getEnabledCipherSuites

protected String[] getEnabledCipherSuites()

Returns:

the names of enabled cipher suites

setEnabledCipherSuites

protected void setEnabledCipherSuites(String[] cipherSuites)

Sets the enabled cipher suites after filtering through OpenSSL.

getEnabledProtocols

protected String[] getEnabledProtocols()

Returns:

the set of enabled protocols

setEnabledProtocols

protected void setEnabledProtocols(String[] protocols)

Sets the list of available protocols for use in SSL connection.

Throws:

IllegalArgumentException - if protocols == null

setUseClientMode

protected void setUseClientMode(boolean mode)

Tunes the peer holding this parameters to work in client mode.

Parameters:

mode - if the peer is configured to work in client mode

getUseClientMode

protected boolean getUseClientMode()

Returns the value indicating if the parameters configured to work in client mode.

setNeedClientAuth

protected void setNeedClientAuth(boolean need)

Tunes the peer holding this parameters to require client authentication

getNeedClientAuth

protected boolean getNeedClientAuth()

Returns the value indicating if the peer with this parameters tuned to require client authentication

setWantClientAuth

protected void setWantClientAuth(boolean want)

Tunes the peer holding this parameters to request client authentication

getWantClientAuth

protected boolean getWantClientAuth()

Returns the value indicating if the peer with this parameters tuned to request client authentication

setEnableSessionCreation

protected void setEnableSessionCreation(boolean flag)

Allows/disallows the peer holding this parameters to create new SSL session

getEnableSessionCreation

protected boolean getEnableSessionCreation()

Returns the value indicating if the peer with this parameters allowed to cteate new SSL session

setUseSni

protected void setUseSni(boolean flag)

Whether connections using this SSL connection should use the TLS extension Server Name Indication (SNI).

getUseSni

protected boolean getUseSni()

Returns whether connections using this SSL connection should use the TLS extension Server Name Indication (SNI).

setCTVerificationEnabled

public void setCTVerificationEnabled(boolean enabled)

setSCTExtension

public void setSCTExtension(byte[] extension)

setOCSPResponse

public void setOCSPResponse(byte[] response)

getOCSPResponse

public byte[] getOCSPResponse()

clone

protected Object clone()

Returns the clone of this object.

Overrides:

clone in class Object

Returns:

the clone.

getDefaultX509TrustManager

public static X509TrustManager getDefaultX509TrustManager()
                                                   throws KeyManagementException

Gets the default X.509 trust manager.

TODO: Move this to a published API under dalvik.system.

Throws:

KeyManagementException

getEndpointIdentificationAlgorithm

public String getEndpointIdentificationAlgorithm()

setEndpointIdentificationAlgorithm

public void setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)

getUseCipherSuitesOrder

public boolean getUseCipherSuitesOrder()

setUseCipherSuitesOrder

public void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)

getClientKeyType

public static String getClientKeyType(byte clientCertificateType)

Similar to getServerKeyType, but returns value given TLS ClientCertificateType byte values from a CertificateRequest message for use with X509KeyManager.chooseClientAlias or X509ExtendedKeyManager.chooseEngineClientAlias.

Visible for testing.

getSupportedClientKeyTypes

public static Set<String> getSupportedClientKeyTypes(byte[] clientCertificateTypes)

Gets the supported key types for client certificates based on the ClientCertificateType values provided by the server.

Parameters:

clientCertificateTypes - ClientCertificateType values provided by the server. See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml.

Returns:

supported key types that can be used in X509KeyManager.chooseClientAlias and X509ExtendedKeyManager.chooseEngineClientAlias. Visible for testing.

isCTVerificationEnabled

public boolean isCTVerificationEnabled(String hostname)

Check if SCT verification is enforced for a given hostname.