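--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -1,42 +1,46 @@
 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of dart.io;
 
 /**
 * A high-level class for communicating securely over a TCP socket, using
 * TLS and SSL. The [SecureSocket] exposes both a [Stream] and an
 * [IOSink] interface, making it ideal for using together with
 * other [Stream]s.
 */
 abstract class SecureSocket implements Socket {
 external factory SecureSocket._(RawSecureSocket rawSocket);
 
 /**
 * Constructs a new secure client socket and connect it to the given
 * [host] on port [port]. The returned Future will complete with a
 * [SecureSocket] that is connected and ready for subscription.
 *
+* The certificate provided by the server is checked
+* using the trusted certificates set in the SecurityContext object.
+* The default SecurityContext object contains a built-in set of trusted
+* root certificates for well-known certificate authorities.
+*
 * [onBadCertificate] is an optional handler for unverifiable certificates.
 * The handler receives the [X509Certificate], and can inspect it and
 * decide (or let the user decide) whether to accept
 * the connection or not. The handler should return true
 * to continue the [SecureSocket] connection.
 */
 static Future<SecureSocket> connect(
 host,
 int port,
 {SecurityContext context,
 bool onBadCertificate(X509Certificate certificate),
-bool sendClientCertificate,
 List<String> supportedProtocols}) {
 return RawSecureSocket.connect(host,
 port,
 context: context,
 onBadCertificate: onBadCertificate,
 supportedProtocols: supportedProtocols)
 .then((rawSocket) => new SecureSocket._(rawSocket));
 }
 
 /**
@@ -159,39 +163,35 @@
 }
 
 
 /**
 * RawSecureSocket provides a secure (SSL or TLS) network connection.
 * Client connections to a server are provided by calling
 * RawSecureSocket.connect. A secure server, created with
 * RawSecureServerSocket, also returns RawSecureSocket objects representing
 * the server end of a secure connection.
 * The certificate provided by the server is checked
-* using the trusted certificates set in the SecurityContext object and/or
-* the default built-in root certificates.
+* using the trusted certificates set in the SecurityContext object.
+* The default SecurityContext object contains a built-in set of trusted
+* root certificates for well-known certificate authorities.
 */
 abstract class RawSecureSocket implements RawSocket {
 /**
 * Constructs a new secure client socket and connect it to the given
 * host on the given port. The returned Future is completed with the
 * RawSecureSocket when it is connected and ready for subscription.
 *
 * The certificate provided by the server is checked
-* using the trusted certificates set in the SecurityContext object and/or
-* the default built-in
-* root certificates. If [sendClientCertificate] is
-* set to true, the socket will send a client certificate if one is
-* requested by the server. If [certificateName] is the nickname of
-* a certificate in the certificate database, that certificate will be sent.
-* If [certificateName] is null, which is the usual use case, an
-* appropriate certificate will be searched for in the database and
-* sent automatically, based on what the server says it will accept.
+* using the trusted certificates set in the SecurityContext object
+* If a certificate and key are set on the client, using useCertificateChain
+* and usePrivateKey, and the server asks for a client certificate,
+* then that client certificate is sent to the server.
 *
 * [onBadCertificate] is an optional handler for unverifiable certificates.
 * The handler receives the [X509Certificate], and can inspect it and
 * decide (or let the user decide) whether to accept
 * the connection or not. The handler should return true
 * to continue the [RawSecureSocket] connection.
 */
 static Future<RawSecureSocket> connect(
 host,
 int port,
@@ -418,21 +418,20 @@
 static Future<_RawSecureSocket> connect(
 host,
 int requestedPort,
 {bool is_server,
 SecurityContext context,
 RawSocket socket,
 StreamSubscription subscription,
 List<int> bufferedData,
 bool requestClientCertificate: false,
 bool requireClientCertificate: false,
-bool sendClientCertificate: false,
 bool onBadCertificate(X509Certificate certificate),
 List<String> supportedProtocols}) {
 _verifyFields(host, requestedPort, is_server,
 requestClientCertificate, requireClientCertificate,
 onBadCertificate);
 if (host is InternetAddress) host = host.host;
 var address = socket.address;
 if (host != null) address = address._cloneWithNewHost(host);
 return new _RawSecureSocket(address,
 requestedPort,
@@ -506,23 +505,20 @@
 }
 try {
 var encodedProtocols =
 SecurityContext._protocolsToLengthEncoding(supportedProtocols);
 _secureFilter.connect(address.host,
 context,
 is_server,
 requestClientCertificate ||
 requireClientCertificate,
 requireClientCertificate,
-// TODO(whesse): Remove sendClientCertificate
-// argument, or add it to API.
-false, // sendClientCertificate,
 encodedProtocols);
 _secureHandshake();
 } catch (e, s) {
 _reportError(e, s);
 }
 }
 
 StreamSubscription listen(void onData(RawSocketEvent data),
 {Function onError,
 void onDone(),
@@ -1161,21 +1157,20 @@
 
 
 abstract class _SecureFilter {
 external factory _SecureFilter();
 
 void connect(String hostName,
 SecurityContext context,
 bool is_server,
 bool requestClientCertificate,
 bool requireClientCertificate,
-bool sendClientCertificate,
 Uint8List protocols);
 void destroy();
 void handshake();
 String selectedProtocol();
 void rehandshake();
 void renegotiate(bool useSessionCache,
 bool requestClientCertificate,
 bool requireClientCertificate);
 void init();
 X509Certificate get peerCertificate;
@@ -1231,10 +1226,10 @@
 /**
 * An exception that happens in the handshake phase of establishing
 * a secure network connection, when looking up or verifying a
 * certificate.
 */
 class CertificateException extends TlsException {
 const CertificateException([String message = "",
 OSError osError = null])
 : super._("CertificateException", message, osError);
 }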
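Review bot: The rewritten `RawSecureSocket.connect` comment (new line 184) loses the sentence's terminating period, so `* using the trusted certificates set in the SecurityContext object` runs straight into `If a certificate and key are set…`; it should read `* using the trusted certificates set in the SecurityContext object.`. That same comment now says a client certificate configured via useCertificateChain/usePrivateKey is sent whenever the server asks for one, yet the new `SecureSocket.connect` comment in the first hunk describes only server-certificate checking, and with `sendClientCertificate` removed from both signatures a caller has no way to opt out, so that sentence should be mirrored in the `SecureSocket.connect` doc where most users will read it. The parameter is also dropped from `_SecureFilter.connect` and the hard-coded `false` argument is removed at the `_secureFilter.connect` call site; the external implementation behind `_SecureFilter.connect` is not in this diff, so presumably it was updated in the same change. The `_RawSecureSocket.connect` body and the method containing the `_secureFilter.connect` call both run past their hunks.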