org.conscrypt

Class Conscrypt

java.lang.Object

org.conscrypt.Conscrypt

public final class Conscrypt
extends Object

Core API for creating and configuring all Conscrypt types.

Method Summary

Modifier and Type	Method and Description
static void	checkAvailability() Checks that the Conscrypt support is available for the system.
static byte[]	exportKeyingMaterial(SSLEngine engine, String label, byte[] context, int length) Exports a value derived from the TLS master secret as described in RFC 5705.
static byte[]	exportKeyingMaterial(SSLSocket socket, String label, byte[] context, int length) Exports a value derived from the TLS master secret as described in RFC 5705.
static String	getApplicationProtocol(SSLEngine engine) Returns the ALPN protocol agreed upon by client and server.
static String	getApplicationProtocol(SSLSocket socket) Returns the ALPN protocol agreed upon by client and server.
static String[]	getApplicationProtocols(SSLEngine engine) Gets the application-layer protocols (ALPN) in prioritization order.
static String[]	getApplicationProtocols(SSLSocket socket) Gets the application-layer protocols (ALPN) in prioritization order.
static byte[]	getChannelId(SSLEngine engine) Gets the TLS Channel ID for the given server-side engine.
static byte[]	getChannelId(SSLSocket socket) Gets the TLS Channel ID for the given server-side socket.
static X509TrustManager	getDefaultX509TrustManager() Gets the default X.509 trust manager.
static String	getHostname(SSLEngine engine) Returns either the hostname supplied during socket creation or via Conscrypt.setHostname(SSLEngine, String).
static String	getHostname(SSLSocket socket) Returns either the hostname supplied during socket creation or via Conscrypt.setHostname(SSLSocket, String).
static String	getHostnameOrIP(SSLSocket socket) This method attempts to create a textual representation of the peer host or IP.
static byte[]	getTlsUnique(SSLEngine engine) Returns the tls-unique channel binding value for this connection, per RFC 5929.
static byte[]	getTlsUnique(SSLSocket socket) Returns the tls-unique channel binding value for this connection, per RFC 5929.
static int	getTokenBindingParams(SSLEngine engine) Returns the token binding parameters that were negotiated during the handshake, or -1 if token binding parameters were not negotiated, the handshake has not yet completed, or the connection has been closed.
static int	getTokenBindingParams(SSLSocket socket) Returns the token binding parameters that were negotiated during the handshake, or -1 if token binding parameters were not negotiated, the handshake has not yet completed, or the connection has been closed.
static boolean	isAvailable() Returns true if the Conscrypt native library has been successfully loaded.
static boolean	isConscrypt(Provider provider) Indicates whether the given Provider was created by this distribution of Conscrypt.
static boolean	isConscrypt(SSLContext context) Indicates whether the given SSLContext was created by this distribution of Conscrypt.
static boolean	isConscrypt(SSLEngine engine) Indicates whether the given SSLEngine was created by this distribution of Conscrypt.
static boolean	isConscrypt(SSLServerSocketFactory factory) Indicates whether the given SSLServerSocketFactory was created by this distribution of Conscrypt.
static boolean	isConscrypt(SSLSocket socket) Indicates whether the given SSLSocket was created by this distribution of Conscrypt.
static boolean	isConscrypt(SSLSocketFactory factory) Indicates whether the given SSLSocketFactory was created by this distribution of Conscrypt.
static int	maxEncryptedPacketLength() Returns the maximum length (in bytes) of an encrypted packet.
static int	maxSealOverhead(SSLEngine engine) Returns the maximum overhead, in bytes, of sealing a record with SSL.
static SSLContextSpi	newPreferredSSLContextSpi() Constructs a new instance of the preferred SSLContextSpi.
static Provider	newProvider() Constructs a new Provider with the default name.
static Provider	newProvider(String providerName) Constructs a new Provider with the given name.
static void	setApplicationProtocols(SSLEngine engine, String[] protocols) Sets the application-layer protocols (ALPN) in prioritization order.
static void	setApplicationProtocols(SSLSocket socket, String[] protocols) Sets the application-layer protocols (ALPN) in prioritization order.
static void	setApplicationProtocolSelector(SSLEngine engine, ApplicationProtocolSelector selector) Sets an application-provided ALPN protocol selector.
static void	setApplicationProtocolSelector(SSLSocket socket, ApplicationProtocolSelector selector) Sets an application-provided ALPN protocol selector.
static void	setBufferAllocator(SSLEngine engine, BufferAllocator bufferAllocator) Provides the given engine with the provided bufferAllocator.
static void	setChannelIdEnabled(SSLEngine engine, boolean enabled) Enables/disables TLS Channel ID for the given server-side engine.
static void	setChannelIdEnabled(SSLSocket socket, boolean enabled) Enables/disables TLS Channel ID for the given server-side socket.
static void	setChannelIdPrivateKey(SSLEngine engine, PrivateKey privateKey) Sets the PrivateKey to be used for TLS Channel ID by this client engine.
static void	setChannelIdPrivateKey(SSLSocket socket, PrivateKey privateKey) Sets the PrivateKey to be used for TLS Channel ID by this client socket.
static void	setClientSessionCache(SSLContext context, SSLClientSessionCache cache) Sets the client-side persistent cache to be used by the context.
static void	setDefaultBufferAllocator(BufferAllocator bufferAllocator) Configures the default BufferAllocator to be used by all future SSLEngine instances from this provider.
static void	setHandshakeListener(SSLEngine engine, HandshakeListener handshakeListener) Sets a listener on the given engine for completion of the TLS handshake
static void	setHostname(SSLEngine engine, String hostname) This method enables Server Name Indication (SNI) and overrides the hostname supplied during engine creation.
static void	setHostname(SSLSocket socket, String hostname) This method enables Server Name Indication (SNI) and overrides the hostname supplied during socket creation.
static void	setServerSessionCache(SSLContext context, org.conscrypt.SSLServerSessionCache cache) Sets the server-side persistent cache to be used by the context.
static void	setTokenBindingParams(SSLEngine engine, int... params) Enables token binding parameter negotiation on this engine, or disables it if an empty set of parameters are provided.
static void	setTokenBindingParams(SSLSocket socket, int... params) Enables token binding parameter negotiation on this socket, or disables it if an empty set of parameters are provided.
static void	setUseEngineSocket(SSLServerSocketFactory factory, boolean useEngineSocket) Configures the socket to be created for the given server socket factory instance.
static void	setUseEngineSocket(SSLSocketFactory factory, boolean useEngineSocket) Configures the socket to be created for the given socket factory instance.
static void	setUseEngineSocketByDefault(boolean useEngineSocket) Configures the default socket to be created for all socket factory instances.
static void	setUseSessionTickets(SSLEngine engine, boolean useSessionTickets) This method enables session ticket support.
static void	setUseSessionTickets(SSLSocket socket, boolean useSessionTickets) This method enables session ticket support.
static SSLEngineResult	unwrap(SSLEngine engine, ByteBuffer[] srcs, ByteBuffer[] dsts) Extended unwrap method for multiple source and destination buffers.
static SSLEngineResult	unwrap(SSLEngine engine, ByteBuffer[] srcs, int srcsOffset, int srcsLength, ByteBuffer[] dsts, int dstsOffset, int dstsLength) Exteneded unwrap method for multiple source and destination buffers.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

isAvailable

public static boolean isAvailable()

Returns true if the Conscrypt native library has been successfully loaded.

checkAvailability

public static void checkAvailability()

Checks that the Conscrypt support is available for the system.

Throws:

UnsatisfiedLinkError - if unavailable

isConscrypt

public static boolean isConscrypt(Provider provider)

Indicates whether the given Provider was created by this distribution of Conscrypt.

newProvider

public static Provider newProvider()

Constructs a new Provider with the default name.

newProvider

public static Provider newProvider(String providerName)

Constructs a new Provider with the given name.

maxEncryptedPacketLength

public static int maxEncryptedPacketLength()

Returns the maximum length (in bytes) of an encrypted packet.

getDefaultX509TrustManager

@ExperimentalApi
public static X509TrustManager getDefaultX509TrustManager()
                                                                    throws KeyManagementException

Gets the default X.509 trust manager.

Throws:

KeyManagementException

isConscrypt

public static boolean isConscrypt(SSLContext context)

Indicates whether the given SSLContext was created by this distribution of Conscrypt.

newPreferredSSLContextSpi

public static SSLContextSpi newPreferredSSLContextSpi()

Constructs a new instance of the preferred SSLContextSpi.

setClientSessionCache

public static void setClientSessionCache(SSLContext context,
                                         SSLClientSessionCache cache)

Sets the client-side persistent cache to be used by the context.

setServerSessionCache

public static void setServerSessionCache(SSLContext context,
                                         org.conscrypt.SSLServerSessionCache cache)

Sets the server-side persistent cache to be used by the context.

isConscrypt

public static boolean isConscrypt(SSLSocketFactory factory)

Indicates whether the given SSLSocketFactory was created by this distribution of Conscrypt.

setUseEngineSocketByDefault

@ExperimentalApi
public static void setUseEngineSocketByDefault(boolean useEngineSocket)

Configures the default socket to be created for all socket factory instances.

setUseEngineSocket

@ExperimentalApi
public static void setUseEngineSocket(SSLSocketFactory factory,
                                                       boolean useEngineSocket)

Configures the socket to be created for the given socket factory instance.

isConscrypt

public static boolean isConscrypt(SSLServerSocketFactory factory)

Indicates whether the given SSLServerSocketFactory was created by this distribution of Conscrypt.

setUseEngineSocket

@ExperimentalApi
public static void setUseEngineSocket(SSLServerSocketFactory factory,
                                                       boolean useEngineSocket)

Configures the socket to be created for the given server socket factory instance.

isConscrypt

public static boolean isConscrypt(SSLSocket socket)

Indicates whether the given SSLSocket was created by this distribution of Conscrypt.

setHostname

public static void setHostname(SSLSocket socket,
                               String hostname)

This method enables Server Name Indication (SNI) and overrides the hostname supplied during socket creation.

Parameters:

socket - the socket

hostname - the desired SNI hostname, or null to disable

getHostname

public static String getHostname(SSLSocket socket)

Returns either the hostname supplied during socket creation or via Conscrypt.setHostname(SSLSocket, String). No DNS resolution is attempted before returning the hostname.

getHostnameOrIP

public static String getHostnameOrIP(SSLSocket socket)

This method attempts to create a textual representation of the peer host or IP. Does not perform a reverse DNS lookup. This is typically used during session creation.

setUseSessionTickets

public static void setUseSessionTickets(SSLSocket socket,
                                        boolean useSessionTickets)

This method enables session ticket support.

Parameters:

socket - the socket

useSessionTickets - True to enable session tickets

setChannelIdEnabled

public static void setChannelIdEnabled(SSLSocket socket,
                                       boolean enabled)

Enables/disables TLS Channel ID for the given server-side socket.

This method needs to be invoked before the handshake starts.

Parameters:

socket - the socket

enabled - Whether to enable channel ID.

Throws:

IllegalStateException - if this is a client socket or if the handshake has already started.

getChannelId

public static byte[] getChannelId(SSLSocket socket)
                           throws SSLException

Gets the TLS Channel ID for the given server-side socket. Channel ID is only available once the handshake completes.

Parameters:

socket - the socket

Returns:

channel ID or null if not available.

Throws:

IllegalStateException - if this is a client socket or if the handshake has not yet completed.

SSLException - if channel ID is available but could not be obtained.

setChannelIdPrivateKey

public static void setChannelIdPrivateKey(SSLSocket socket,
                                          PrivateKey privateKey)

Sets the PrivateKey to be used for TLS Channel ID by this client socket.

This method needs to be invoked before the handshake starts.

Parameters:

socket - the socket

privateKey - private key (enables TLS Channel ID) or null for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).

Throws:

IllegalStateException - if this is a server socket or if the handshake has already started.

getApplicationProtocol

public static String getApplicationProtocol(SSLSocket socket)

Returns the ALPN protocol agreed upon by client and server.

Parameters:

socket - the socket

Returns:

the selected protocol or null if no protocol was agreed upon.

setApplicationProtocolSelector

public static void setApplicationProtocolSelector(SSLSocket socket,
                                                  ApplicationProtocolSelector selector)

Sets an application-provided ALPN protocol selector. If provided, this will override the list of protocols set by Conscrypt.setApplicationProtocols(SSLSocket, String[]).

Parameters:

socket - the socket

selector - the ALPN protocol selector

setApplicationProtocols

public static void setApplicationProtocols(SSLSocket socket,
                                           String[] protocols)

Sets the application-layer protocols (ALPN) in prioritization order.

Parameters:

socket - the socket being configured

protocols - the protocols in descending order of preference. If empty, no protocol indications will be used. This array will be copied.

Throws:

IllegalArgumentException - - if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) string

getApplicationProtocols

public static String[] getApplicationProtocols(SSLSocket socket)

Gets the application-layer protocols (ALPN) in prioritization order.

Parameters:

socket - the socket

Returns:

the protocols in descending order of preference, or an empty array if protocol indications are not being used. Always returns a new array.

getTlsUnique

public static byte[] getTlsUnique(SSLSocket socket)

Returns the tls-unique channel binding value for this connection, per RFC 5929. This will return null if there is no such value available, such as if the handshake has not yet completed or this connection is closed.

setTokenBindingParams

@ExperimentalApi
public static void setTokenBindingParams(SSLSocket socket,
                                                          int... params)
                                                   throws SSLException

Enables token binding parameter negotiation on this socket, or disables it if an empty set of parameters are provided.

This method needs to be invoked before the handshake starts.

Token binding is currently an Internet Draft that's subject to change, so the current implementation may not be compatible with future changes in the protocol.

Parameters:

params - a list of Token Binding key parameters in descending order of preference, as described in draft-ietf-tokbind-negotiation-09.

Throws:

IllegalStateException - if the handshake has already started.

SSLException - if the setting could not be applied.

getTokenBindingParams

@ExperimentalApi
public static int getTokenBindingParams(SSLSocket socket)

Returns the token binding parameters that were negotiated during the handshake, or -1 if token binding parameters were not negotiated, the handshake has not yet completed, or the connection has been closed.

exportKeyingMaterial

public static byte[] exportKeyingMaterial(SSLSocket socket,
                                          String label,
                                          byte[] context,
                                          int length)
                                   throws SSLException

Exports a value derived from the TLS master secret as described in RFC 5705.

Parameters:

label - the label to use in calculating the exported value. This must be an ASCII-only string.

context - the application-specific context value to use in calculating the exported value. This may be null to use no application context, which is treated differently than an empty byte array.

length - the number of bytes of keying material to return.

Returns:

a value of the specified length, or null if the handshake has not yet completed or the connection has been closed.

Throws:

SSLException - if the value could not be exported.

isConscrypt

public static boolean isConscrypt(SSLEngine engine)

Indicates whether the given SSLEngine was created by this distribution of Conscrypt.

setBufferAllocator

@ExperimentalApi
public static void setBufferAllocator(SSLEngine engine,
                                                       BufferAllocator bufferAllocator)

Provides the given engine with the provided bufferAllocator.

setDefaultBufferAllocator

@ExperimentalApi
public static void setDefaultBufferAllocator(BufferAllocator bufferAllocator)

Configures the default BufferAllocator to be used by all future SSLEngine instances from this provider.

setHostname

public static void setHostname(SSLEngine engine,
                               String hostname)

This method enables Server Name Indication (SNI) and overrides the hostname supplied during engine creation.

Parameters:

engine - the engine

hostname - the desired SNI hostname, or null to disable

getHostname

public static String getHostname(SSLEngine engine)

Returns either the hostname supplied during socket creation or via Conscrypt.setHostname(SSLEngine, String). No DNS resolution is attempted before returning the hostname.

maxSealOverhead

public static int maxSealOverhead(SSLEngine engine)

Returns the maximum overhead, in bytes, of sealing a record with SSL.

setHandshakeListener

public static void setHandshakeListener(SSLEngine engine,
                                        HandshakeListener handshakeListener)

Sets a listener on the given engine for completion of the TLS handshake

setChannelIdEnabled

public static void setChannelIdEnabled(SSLEngine engine,
                                       boolean enabled)

Enables/disables TLS Channel ID for the given server-side engine.

This method needs to be invoked before the handshake starts.

Parameters:

engine - the engine

enabled - Whether to enable channel ID.

Throws:

IllegalStateException - if this is a client engine or if the handshake has already started.

getChannelId

public static byte[] getChannelId(SSLEngine engine)
                           throws SSLException

Gets the TLS Channel ID for the given server-side engine. Channel ID is only available once the handshake completes.

Parameters:

engine - the engine

Returns:

channel ID or null if not available.

Throws:

IllegalStateException - if this is a client engine or if the handshake has not yet completed.

SSLException - if channel ID is available but could not be obtained.

setChannelIdPrivateKey

public static void setChannelIdPrivateKey(SSLEngine engine,
                                          PrivateKey privateKey)

Sets the PrivateKey to be used for TLS Channel ID by this client engine.

This method needs to be invoked before the handshake starts.

Parameters:

engine - the engine

privateKey - private key (enables TLS Channel ID) or null for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).

Throws:

IllegalStateException - if this is a server engine or if the handshake has already started.

unwrap

public static SSLEngineResult unwrap(SSLEngine engine,
                                     ByteBuffer[] srcs,
                                     ByteBuffer[] dsts)
                              throws SSLException

Extended unwrap method for multiple source and destination buffers.

Parameters:

engine - the target engine for the unwrap

srcs - the source buffers

dsts - the destination buffers

Returns:

the result of the unwrap operation

Throws:

SSLException - thrown if an SSL error occurred

unwrap

public static SSLEngineResult unwrap(SSLEngine engine,
                                     ByteBuffer[] srcs,
                                     int srcsOffset,
                                     int srcsLength,
                                     ByteBuffer[] dsts,
                                     int dstsOffset,
                                     int dstsLength)
                              throws SSLException

Exteneded unwrap method for multiple source and destination buffers.

Parameters:

engine - the target engine for the unwrap.

srcs - the source buffers

srcsOffset - the offset in the srcs array of the first source buffer

srcsLength - the number of source buffers starting at srcsOffset

dsts - the destination buffers

dstsOffset - the offset in the dsts array of the first destination buffer

dstsLength - the number of destination buffers starting at dstsOffset

Returns:

the result of the unwrap operation

Throws:

SSLException - thrown if an SSL error occurred

setUseSessionTickets

public static void setUseSessionTickets(SSLEngine engine,
                                        boolean useSessionTickets)

This method enables session ticket support.

Parameters:

engine - the engine

useSessionTickets - True to enable session tickets

setApplicationProtocols

public static void setApplicationProtocols(SSLEngine engine,
                                           String[] protocols)

Sets the application-layer protocols (ALPN) in prioritization order.

Parameters:

engine - the engine being configured

protocols - the protocols in descending order of preference. If empty, no protocol indications will be used. This array will be copied.

Throws:

IllegalArgumentException - - if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) string

getApplicationProtocols

public static String[] getApplicationProtocols(SSLEngine engine)

Gets the application-layer protocols (ALPN) in prioritization order.

Parameters:

engine - the engine

Returns:

the protocols in descending order of preference, or an empty array if protocol indications are not being used. Always returns a new array.

setApplicationProtocolSelector

public static void setApplicationProtocolSelector(SSLEngine engine,
                                                  ApplicationProtocolSelector selector)

Sets an application-provided ALPN protocol selector. If provided, this will override the list of protocols set by Conscrypt.setApplicationProtocols(SSLEngine, String[]).

Parameters:

engine - the engine

selector - the ALPN protocol selector

getApplicationProtocol

public static String getApplicationProtocol(SSLEngine engine)

Returns the ALPN protocol agreed upon by client and server.

Parameters:

engine - the engine

Returns:

the selected protocol or null if no protocol was agreed upon.

getTlsUnique

public static byte[] getTlsUnique(SSLEngine engine)

Returns the tls-unique channel binding value for this connection, per RFC 5929. This will return null if there is no such value available, such as if the handshake has not yet completed or this connection is closed.

setTokenBindingParams

public static void setTokenBindingParams(SSLEngine engine,
                                         int... params)
                                  throws SSLException

Enables token binding parameter negotiation on this engine, or disables it if an empty set of parameters are provided.

This method needs to be invoked before the handshake starts.

Parameters:

params - a list of Token Binding key parameters in descending order of preference, as described in draft-ietf-tokbind-negotiation-09.

Throws:

IllegalStateException - if the handshake has already started.

SSLException - if the setting could not be applied.

getTokenBindingParams

public static int getTokenBindingParams(SSLEngine engine)

Returns the token binding parameters that were negotiated during the handshake, or -1 if token binding parameters were not negotiated, the handshake has not yet completed, or the connection has been closed.

exportKeyingMaterial

public static byte[] exportKeyingMaterial(SSLEngine engine,
                                          String label,
                                          byte[] context,
                                          int length)
                                   throws SSLException

Exports a value derived from the TLS master secret as described in RFC 5705.

Parameters:

label - the label to use in calculating the exported value. This must be an ASCII-only string.

context - the application-specific context value to use in calculating the exported value. This may be null to use no application context, which is treated differently than an empty byte array.

length - the number of bytes of keying material to return.

Returns:

a value of the specified length, or null if the handshake has not yet completed or the connection has been closed.

Throws:

SSLException - if the value could not be exported.