1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file | 1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file |
2 // for details. All rights reserved. Use of this source code is governed by a | 2 // for details. All rights reserved. Use of this source code is governed by a |
3 // BSD-style license that can be found in the LICENSE file. | 3 // BSD-style license that can be found in the LICENSE file. |
4 | 4 |
5 part of dart.io; | 5 part of dart.io; |
6 | 6 |
7 /** | 7 /** |
8 * A high-level class for communicating securely over a TCP socket, using | 8 * A high-level class for communicating securely over a TCP socket, using |
9 * TLS and SSL. The [SecureSocket] exposes both a [Stream] and an | 9 * TLS and SSL. The [SecureSocket] exposes both a [Stream] and an |
10 * [IOSink] interface, making it ideal for using together with | 10 * [IOSink] interface, making it ideal for using together with |
89 host: host, | 89 host: host, |
90 sendClientCertificate: sendClientCertificate, | 90 sendClientCertificate: sendClientCertificate, |
91 onBadCertificate: onBadCertificate); | 91 onBadCertificate: onBadCertificate); |
92 }) | 92 }) |
93 .then((raw) { | 93 .then((raw) { |
94 completer.complete(new SecureSocket._(raw)); | 94 completer.complete(new SecureSocket._(raw)); |
95 }); | 95 }); |
96 return completer.future; | 96 return completer.future; |
97 } | 97 } |
98 | 98 |
| 99 |
99 /** | 100 /** |
100 * Takes an already connected [socket] and starts server side TLS | 101 * Takes an already connected [socket] and starts server side TLS |
101 * handshake to make the communication secure. When the returned | 102 * handshake to make the communication secure. When the returned |
102 * future completes the [SecureSocket] has completed the TLS | 103 * future completes the [SecureSocket] has completed the TLS |
103 * handshake. Using this function requires that the other end of the | 104 * handshake. Using this function requires that the other end of the |
104 * connection is going to start the TLS handshake. | 105 * connection is going to start the TLS handshake. |
105 * | 106 * |
106 * If the [socket] already has a subscription, this subscription | 107 * If the [socket] already has a subscription, this subscription |
107 * will no longer receive and events. In most cases calling | 108 * will no longer receive and events. In most cases calling |
108 * [:pause:] on this subscription before starting TLS handshake is | 109 * [:pause:] on this subscription before starting TLS handshake is |
198 * | 199 * |
199 * The database should be an NSS certificate database directory | 200 * The database should be an NSS certificate database directory |
200 * containing a cert9.db file, not a cert8.db file. This version of | 201 * containing a cert9.db file, not a cert8.db file. This version of |
201 * the database can be created using the NSS certutil tool with "sql:" in | 202 * the database can be created using the NSS certutil tool with "sql:" in |
202 * front of the absolute path of the database directory, or setting the | 203 * front of the absolute path of the database directory, or setting the |
203 * environment variable [[NSS_DEFAULT_DB_TYPE]] to "sql". | 204 * environment variable [[NSS_DEFAULT_DB_TYPE]] to "sql". |
204 */ | 205 */ |
205 external static void initialize({String database, | 206 external static void initialize({String database, |
206 String password, | 207 String password, |
207 bool useBuiltinRoots: true}); | 208 bool useBuiltinRoots: true}); |
| 209 |
| 210 |
| 211 /** |
| 212 * Trust strings for use in [addCertificate]. |
| 213 */ |
| 214 static const String TRUST_ISSUE_SERVER_CERTIFICATES = 'C,,'; |
| 215 static const String TRUST_ISSUE_CLIENT_CERTIFICATES = 'T,,'; |
| 216 static const String TRUST_ISSUE_CLIENT_SERVER_CERTIFICATES = 'TC,,'; |
| 217 static const String TRUST_CERTIFICATE = 'P,,'; |
| 218 |
| 219 |
| 220 /** |
| 221 * Adds a X509 certificate (for SSL and TLS secure networking) to the |
| 222 * in-memory certificate database. Returns an X509Certificate object |
| 223 * with information about the added certificate. |
| 224 * |
| 225 * [certificate] must be a list of bytes encoding a certificate in |
| 226 * PEM format: a base64 encoded DER certificate, enclosed between |
| 227 * "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". |
| 228 * |
| 229 * [trust] is a string specifying the allowed uses of this certificate. |
| 230 * For example, 'TC,,' specifies that the certificate is for a certificate |
| 231 * authority that is trusted to issue server and client certificates, so |
| 232 * that a server or client certificate signed by this authority will be |
| 233 * accepted. |
| 234 * |
| 235 * See the documentation of NSS certutil at |
| 236 * http://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil |
| 237 * or |
| 238 * http://blogs.oracle.com/meena/entry/notes_about_trust_flags |
| 239 * for more information about trust attributes. |
| 240 */ |
| 241 external static X509Certificate addCertificate(List<int> certificate, |
| 242 String trust); |
208 } | 243 } |
209 | 244 |
210 | 245 |
211 /** | 246 /** |
212 * RawSecureSocket provides a secure (SSL or TLS) network connection. | 247 * RawSecureSocket provides a secure (SSL or TLS) network connection. |
213 * Client connections to a server are provided by calling | 248 * Client connections to a server are provided by calling |
214 * RawSecureSocket.connect. A secure server, created with | 249 * RawSecureSocket.connect. A secure server, created with |
215 * RawSecureServerSocket, also returns RawSecureSocket objects representing | 250 * RawSecureServerSocket, also returns RawSecureSocket objects representing |
216 * the server end of a secure connection. | 251 * the server end of a secure connection. |
217 * The certificate provided by the server is checked | 252 * The certificate provided by the server is checked |
405 | 440 |
406 // Buffer identifiers. | 441 // Buffer identifiers. |
407 // These must agree with those in the native C++ implementation. | 442 // These must agree with those in the native C++ implementation. |
408 static final int READ_PLAINTEXT = 0; | 443 static final int READ_PLAINTEXT = 0; |
409 static final int WRITE_PLAINTEXT = 1; | 444 static final int WRITE_PLAINTEXT = 1; |
410 static final int READ_ENCRYPTED = 2; | 445 static final int READ_ENCRYPTED = 2; |
411 static final int WRITE_ENCRYPTED = 3; | 446 static final int WRITE_ENCRYPTED = 3; |
412 static final int NUM_BUFFERS = 4; | 447 static final int NUM_BUFFERS = 4; |
413 | 448 |
414 // Is a buffer identifier for an encrypted buffer? | 449 // Is a buffer identifier for an encrypted buffer? |
415 static bool _isBufferEncrypted(int identifier) => identifier >= READ_ENCRYPTED
; | 450 static bool _isBufferEncrypted(int identifier) => |
| 451 identifier >= READ_ENCRYPTED; |
416 | 452 |
417 RawSocket _socket; | 453 RawSocket _socket; |
418 final Completer<_RawSecureSocket> _handshakeComplete = | 454 final Completer<_RawSecureSocket> _handshakeComplete = |
419 new Completer<_RawSecureSocket>(); | 455 new Completer<_RawSecureSocket>(); |
420 StreamController<RawSocketEvent> _controller; | 456 StreamController<RawSocketEvent> _controller; |
421 Stream<RawSocketEvent> _stream; | 457 Stream<RawSocketEvent> _stream; |
422 StreamSubscription<RawSocketEvent> _socketSubscription; | 458 StreamSubscription<RawSocketEvent> _socketSubscription; |
423 List<int> _bufferedData; | 459 List<int> _bufferedData; |
424 int _bufferedDataIndex = 0; | 460 int _bufferedDataIndex = 0; |
425 final InternetAddress address; | 461 final InternetAddress address; |
1268 /** | 1304 /** |
1269 * An exception that happens in the handshake phase of establishing | 1305 * An exception that happens in the handshake phase of establishing |
1270 * a secure network connection, when looking up or verifying a | 1306 * a secure network connection, when looking up or verifying a |
1271 * certificate. | 1307 * certificate. |
1272 */ | 1308 */ |
1273 class CertificateException extends TlsException { | 1309 class CertificateException extends TlsException { |
1274 const CertificateException([String message = "", | 1310 const CertificateException([String message = "", |
1275 OSError osError = null]) | 1311 OSError osError = null]) |
1276 : super._("CertificateException", message, osError); | 1312 : super._("CertificateException", message, osError); |
1277 } | 1313 } |
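Review bot: The doc comment for addCertificate (new lines 220-240) describes the accepted shapes of [certificate] and [trust] but says nothing about failure: both values are handed straight to the native implementation (the method is `external`), so the comment should state what is thrown when the bytes are not a PEM certificate or the trust string is not a valid NSS trust specification — presumably the [CertificateException] declared at the end of this file, but that needs confirming against the native side. It should also say that the certificate goes into the database shared by every socket in the process (as the "in-memory certificate database" wording at new line 222 suggests), so a CA added with one of the TRUST_ISSUE_* values is trusted by all later SecureSocket and RawSecureSocket connections and the bytes must therefore come only from a source the application already trusts. Separately, the `/** Trust strings for use in [addCertificate]. */` block at new lines 211-213 attaches in dartdoc only to TRUST_ISSUE_SERVER_CERTIFICATES; each of the four constants should carry its own comment, e.g. `/** A CA trusted to issue server certificates (NSS trust flags 'C,,'). */` before the first and `/** A trusted end-entity (peer) certificate, not a CA (NSS trust flags 'P,,'). */` before TRUST_CERTIFICATE.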