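--- /dev/null
+++ b/io/netty/internal/tcnative/CertificateVerifier.java
@@ -0,0 +1,106 @@
+/*
+ * Copyright 2014 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.internal.tcnative;
+
+import static io.netty.internal.tcnative.NativeStaticallyReferencedJniMethods.*;
+
+/**
+ * Is called during handshake and hooked into openssl via {@code SSL_CTX_set_cert_verify_callback}.
+ *
+ * IMPORTANT: Implementations of this interface should be static as it is stored as a global reference via JNI. This
+ * means if you use an inner / anonymous class to implement this and also depend on the finalizer of the
+ * class to free up the SSLContext the finalizer will never run as the object is never GC, due the hard
+ * reference to the enclosing class. This will most likely result in a memory leak.
+ */
+public interface CertificateVerifier {
+    int X509_V_OK = x509vOK();
+    int X509_V_ERR_UNSPECIFIED = x509vErrUnspecified();
+    int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = x509vErrUnableToGetIssuerCert();
+    int X509_V_ERR_UNABLE_TO_GET_CRL = x509vErrUnableToGetCrl();
+    int X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = x509vErrUnableToDecryptCertSignature();
+    int X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = x509vErrUnableToDecryptCrlSignature();
+    int X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = x509vErrUnableToDecodeIssuerPublicKey();
+    int X509_V_ERR_CERT_SIGNATURE_FAILURE = x509vErrCertSignatureFailure();
+    int X509_V_ERR_CRL_SIGNATURE_FAILURE = x509vErrCrlSignatureFailure();
+    int X509_V_ERR_CERT_NOT_YET_VALID = x509vErrCertNotYetValid();
+    int X509_V_ERR_CERT_HAS_EXPIRED = x509vErrCertHasExpired();
+    int X509_V_ERR_CRL_NOT_YET_VALID = x509vErrCrlNotYetValid();
+    int X509_V_ERR_CRL_HAS_EXPIRED = x509vErrCrlHasExpired();
+    int X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = x509vErrErrorInCertNotBeforeField();
+    int X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = x509vErrErrorInCertNotAfterField();
+    int X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = x509vErrErrorInCrlLastUpdateField();
+    int X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = x509vErrErrorInCrlNextUpdateField();
+    int X509_V_ERR_OUT_OF_MEM = x509vErrOutOfMem();
+    int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = x509vErrDepthZeroSelfSignedCert();
+    int X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = x509vErrSelfSignedCertInChain();
+    int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = x509vErrUnableToGetIssuerCertLocally();
+    int X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = x509vErrUnableToVerifyLeafSignature();
+    int X509_V_ERR_CERT_CHAIN_TOO_LONG = x509vErrCertChainTooLong();
+    int X509_V_ERR_CERT_REVOKED = x509vErrCertRevoked();
+    int X509_V_ERR_INVALID_CA = x509vErrInvalidCa();
+    int X509_V_ERR_PATH_LENGTH_EXCEEDED = x509vErrPathLengthExceeded();
+    int X509_V_ERR_INVALID_PURPOSE = x509vErrInvalidPurpose();
+    int X509_V_ERR_CERT_UNTRUSTED = x509vErrCertUntrusted();
+    int X509_V_ERR_CERT_REJECTED = x509vErrCertRejected();
+    int X509_V_ERR_SUBJECT_ISSUER_MISMATCH = x509vErrSubjectIssuerMismatch();
+    int X509_V_ERR_AKID_SKID_MISMATCH = x509vErrAkidSkidMismatch();
+    int X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = x509vErrAkidIssuerSerialMismatch();
+    int X509_V_ERR_KEYUSAGE_NO_CERTSIGN = x509vErrKeyUsageNoCertSign();
+    int X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER = x509vErrUnableToGetCrlIssuer();
+    int X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION = x509vErrUnhandledCriticalExtension();
+    int X509_V_ERR_KEYUSAGE_NO_CRL_SIGN = x509vErrKeyUsageNoCrlSign();
+    int X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = x509vErrUnhandledCriticalCrlExtension();
+    int X509_V_ERR_INVALID_NON_CA = x509vErrInvalidNonCa();
+    int X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED = x509vErrProxyPathLengthExceeded();
+    int X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = x509vErrKeyUsageNoDigitalSignature();
+    int X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED = x509vErrProxyCertificatesNotAllowed();
+    int X509_V_ERR_INVALID_EXTENSION = x509vErrInvalidExtension();
+    int X509_V_ERR_INVALID_POLICY_EXTENSION = x509vErrInvalidPolicyExtension();
+    int X509_V_ERR_NO_EXPLICIT_POLICY = x509vErrNoExplicitPolicy();
+    int X509_V_ERR_DIFFERENT_CRL_SCOPE = x509vErrDifferntCrlScope();
+    int X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE = x509vErrUnsupportedExtensionFeature();
+    int X509_V_ERR_UNNESTED_RESOURCE = x509vErrUnnestedResource();
+    int X509_V_ERR_PERMITTED_VIOLATION = x509vErrPermittedViolation();
+    int X509_V_ERR_EXCLUDED_VIOLATION = x509vErrExcludedViolation();
+    int X509_V_ERR_SUBTREE_MINMAX = x509vErrSubtreeMinMax();
+    int X509_V_ERR_APPLICATION_VERIFICATION = x509vErrApplicationVerification();
+    int X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE = x509vErrUnsupportedConstraintType();
+    int X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = x509vErrUnsupportedConstraintSyntax();
+    int X509_V_ERR_UNSUPPORTED_NAME_SYNTAX = x509vErrUnsupportedNameSyntax();
+    int X509_V_ERR_CRL_PATH_VALIDATION_ERROR = x509vErrCrlPathValidationError();
+    int X509_V_ERR_PATH_LOOP = x509vErrPathLoop();
+    int X509_V_ERR_SUITE_B_INVALID_VERSION = x509vErrSuiteBInvalidVersion();
+    int X509_V_ERR_SUITE_B_INVALID_ALGORITHM = x509vErrSuiteBInvalidAlgorithm();
+    int X509_V_ERR_SUITE_B_INVALID_CURVE = x509vErrSuiteBInvalidCurve();
+    int X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = x509vErrSuiteBInvalidSignatureAlgorithm();
+    int X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = x509vErrSuiteBLosNotAllowed();
+    int X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = x509vErrSuiteBCannotSignP384WithP256();
+    int X509_V_ERR_HOSTNAME_MISMATCH = x509vErrHostnameMismatch();
+    int X509_V_ERR_EMAIL_MISMATCH = x509vErrEmailMismatch();
+    int X509_V_ERR_IP_ADDRESS_MISMATCH = x509vErrIpAddressMismatch();
+    int X509_V_ERR_DANE_NO_MATCH = x509vErrDaneNoMatch();
+
+    /**
+     * Returns {@code true} if the passed in certificate chain could be verified and so the handshake
+     * should be successful, {@code false} otherwise.
+     *
+     * @param ssl the SSL instance
+     * @param x509 the {@code X509} certificate chain
+     * @param authAlgorithm the auth algorithm
+     * @return verified {@code true} if verified successful, {@code false} otherwise
+     */
+    int verify(long ssl, byte[][] x509, String authAlgorithm);
+}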
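Review bot: The Javadoc on `verify` (new lines 97–103) describes a boolean contract — `{@code true}` if verified, `{@code false}` otherwise — while the method at line 105 returns `int`, and the only values the interface defines for it are `X509_V_OK` and the `X509_V_ERR_*` codes. An implementer who follows the comment literally may return 1 for "verified", which is not necessarily `X509_V_OK`, and the page never states how a non-`X509_V_OK` value is treated by the native side. The summary and `@return` should be rewritten to say that the implementation must return `X509_V_OK` when the chain is acceptable and one of the `X509_V_ERR_*` constants describing the failure otherwise, presumably passed back to OpenSSL as the verify result — confirm against the native callback before wording that. `@param ssl` should say it is the native SSL handle rather than a Java object, and `@param authAlgorithm` should name what string it actually carries, which this hunk does not reveal. Separately, `x509vErrDifferntCrlScope()` at line 73 looks misspelled; it only compiles if the method in `NativeStaticallyReferencedJniMethods` carries the same typo, which is outside this diff.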