Updated netty-tcnative to version 2.0.0.Final

java/io/netty/internal/tcnative/SSL.java

+/*
+ * Copyright 2016 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package io.netty.internal.tcnative;
+
+import java.nio.ByteBuffer;
+
+import static io.netty.internal.tcnative.NativeStaticallyReferencedJniMethods.*;
+
+public final class SSL {
+
+    private SSL() { }
+
+    /*
+     * Define the SSL Protocol options
+     */
+    public static final int SSL_PROTOCOL_NONE  = 0;
+    public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
+    public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
+    public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
+    public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
+    public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
+
+    /** TLS_*method according to <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html">SSL_CTX_new</a> */
+    public static final int SSL_PROTOCOL_TLS   = (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2);
+    public static final int SSL_PROTOCOL_ALL   = (SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLS);
+
+    /*
+     * Define the SSL verify levels
+     */
+    public static final int SSL_CVERIFY_IGNORED            = -1;
+    public static final int SSL_CVERIFY_NONE               = 0;
+    public static final int SSL_CVERIFY_OPTIONAL           = 1;
+    public static final int SSL_CVERIFY_REQUIRED           = 2;
+
+    public static final int SSL_OP_CIPHER_SERVER_PREFERENCE = sslOpCipherServerPreference();
+    public static final int SSL_OP_NO_SSLv2 = sslOpNoSSLv2();
+    public static final int SSL_OP_NO_SSLv3 = sslOpNoSSLv3();
+    public static final int SSL_OP_NO_TLSv1 = sslOpNoTLSv1();
+    public static final int SSL_OP_NO_TLSv1_1 = sslOpNoTLSv11();
+    public static final int SSL_OP_NO_TLSv1_2 = sslOpNoTLSv12();
+    public static final int SSL_OP_NO_TICKET = sslOpNoTicket();
+
+    public static final int SSL_OP_NO_COMPRESSION = sslOpNoCompression();
+
+    public static final int SSL_MODE_CLIENT         = 0;
+    public static final int SSL_MODE_SERVER         = 1;
+    public static final int SSL_MODE_COMBINED       = 2;
+
+    public static final long SSL_SESS_CACHE_OFF = sslSessCacheOff();
+    public static final long SSL_SESS_CACHE_SERVER = sslSessCacheServer();
+
+    public static final int SSL_SELECTOR_FAILURE_NO_ADVERTISE = 0;
+    public static final int SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL = 1;
+
+    public static final int SSL_ST_CONNECT = sslStConnect();
+    public static final int SSL_ST_ACCEPT =  sslStAccept();
+
+    public static final int SSL_MODE_ENABLE_PARTIAL_WRITE           = sslModeEnablePartialWrite();
+    public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER     = sslModeAcceptMovingWriteBuffer();
+    public static final int SSL_MODE_RELEASE_BUFFERS                = sslModeReleaseBuffers();
+
+    // https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.html
+    public static final int X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = x509CheckFlagAlwaysCheckSubject();
+    public static final int X509_CHECK_FLAG_NO_WILD_CARDS = x509CheckFlagDisableWildCards();
+    public static final int X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS = x509CheckFlagNoPartialWildCards();
+    public static final int X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = x509CheckFlagMultiLabelWildCards();
+
+    /* Return OpenSSL version number */
+    public static native int version();
+
+    /* Return OpenSSL version string */
+    public static native String versionString();
+
+    /**
+     * Initialize OpenSSL support.
+     *
+     * This function needs to be called once for the
+     * lifetime of JVM. See {@link Library#initialize(String, String)}
+     *
+     * @param engine Support for external a Crypto Device ("engine"),
+     *                usually a hardware accelerator card for crypto operations.
+     * @return APR status code
+     */
+    static native int initialize(String engine);
+
+    /**
+     * Initialize new in-memory BIO that is located in the secure heap.
+     *
+     * @return New BIO handle
+     * @throws Exception if an error happened.
+     */
+    public static native long newMemBIO() throws Exception;
+
+    /**
+     * Return last SSL error string
+     *
+     * @return the last SSL error string.
+     */
+    public static native String getLastError();
+
+    /**
+     * Return true if all the requested SSL_OP_* are supported by OpenSSL.
+     *
+     * @param op Bitwise-OR of all SSL_OP_* to test.
+     *
+     * @return true if all SSL_OP_* are supported by OpenSSL library.
+     */
+    public static native boolean hasOp(int op);
+
+    /*
+     * Begin Twitter API additions
+     */
+
+    public static final int SSL_SENT_SHUTDOWN = sslSendShutdown();
+    public static final int SSL_RECEIVED_SHUTDOWN = sslReceivedShutdown();
+
+    public static final int SSL_ERROR_NONE             = sslErrorNone();
+    public static final int SSL_ERROR_SSL              = sslErrorSSL();
+    public static final int SSL_ERROR_WANT_READ        = sslErrorWantRead();
+    public static final int SSL_ERROR_WANT_WRITE       = sslErrorWantWrite();
+    public static final int SSL_ERROR_WANT_X509_LOOKUP = sslErrorWantX509Lookup();
+    public static final int SSL_ERROR_SYSCALL          = sslErrorSyscall(); /* look at error stack/return value/errno */
+    public static final int SSL_ERROR_ZERO_RETURN      = sslErrorZeroReturn();
+    public static final int SSL_ERROR_WANT_CONNECT     = sslErrorWantConnect();
+    public static final int SSL_ERROR_WANT_ACCEPT      = sslErrorWantAccept();
+
+    /**
+     * SSL_new
+     * @param ctx Server or Client context to use.
+     * @param server if true configure SSL instance to use accept handshake routines
+     *               if false configure SSL instance to use connect handshake routines
+     * @return pointer to SSL instance (SSL *)
+     */
+    public static native long newSSL(long ctx, boolean server);
+
+    /**
+     * SSL_get_error
+     * @param ssl SSL pointer (SSL *)
+     * @param ret TLS/SSL I/O return value
+     * @return the error code
+     */
+    public static native int getError(long ssl, int ret);
+
+    /**
+     * BIO_write
+     * @param bioAddress The address of a {@code BIO*}.
+     * @param wbufAddress The address of a native {@code char*}.
+     * @param wlen The length to write starting at {@code wbufAddress}.
+     * @return The number of bytes that were written.
+     * See <a href="https://www.openssl.org/docs/man1.0.1/crypto/BIO_write.html">BIO_write</a> for exceptional return values.
+     */
+    public static native int bioWrite(long bioAddress, long wbufAddress, int wlen);
+
+    /**
+     * Initialize the BIO for the SSL instance. This is a custom BIO which is designed to play nicely with a direct
+     * {@link ByteBuffer}. Because it is a special BIO it requires special usage such that
+     * {@link #bioSetByteBuffer(long, long, int, boolean)} and {@link #bioClearByteBuffer(long)} are called in order to provide
+     * to supply data to SSL, and also to ensure the internal SSL buffering mechanism is expecting write at the appropriate times.
+     *
+     * @param ssl the SSL instance (SSL *)
+     * @param nonApplicationBufferSize The size of the internal buffer for write operations that are not
+     *                                 initiated directly by the application attempting to encrypt data.
+     *                                 Must be &gt;{@code 0}.
+     * @return pointer to the Network BIO (BIO *).
+     *         The memory is owned by {@code ssl} and will be cleaned up by {@link #freeSSL(long)}.
+     */
+    public static native long bioNewByteBuffer(long ssl, int nonApplicationBufferSize);
+
+    /**
+     * Set the memory location which that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted
+     * data from.
+     * <p>
+     * After you are done buffering data you should call {@link #bioClearByteBuffer(long)}.
+     * @param bio {@code BIO*}.
+     * @param bufferAddress The memory address (typically from a direct {@link ByteBuffer}) which will be used
+     *                    to either write encrypted data to, or read encrypted data from by OpenSSL's internal BIO pair.
+     * @param maxUsableBytes The maximum usable length in bytes starting at {@code bufferAddress}.
+     * @param isSSLWriteSink {@code true} if this buffer is expected to buffer data as a result of calls to {@code SSL_write}.
+     *                       {@code false} if this buffer is expected to buffer data as a result of calls to {@code SSL_read}.
+     */
+    public static native void bioSetByteBuffer(long bio, long bufferAddress, int maxUsableBytes, boolean isSSLWriteSink);
+
+    /**
+     * After you are done buffering data from {@link #bioSetByteBuffer(long, long, int, boolean)}, this will ensure the
+     * internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc..).
+     * @param bio {@code BIO*}.
+     */
+    public static native void bioClearByteBuffer(long bio);
+
+    /**
+     * Flush any pending bytes in the internal SSL write buffer.
+     * <p>
+     * This does the same thing as {@code BIO_flush} for a {@code BIO*} of type {@link #bioNewByteBuffer(long, int)} but
+     * returns the number of bytes that were flushed.
+     * @param bio {@code BIO*}.
+     * @return The number of bytes that were flushed.
+     */
+    public static native int bioFlushByteBuffer(long bio);
+
+    /**
+     * Get the remaining length of the {@link ByteBuffer} set by {@link #bioSetByteBuffer(long, long, int, boolean)}.
+     * @param bio {@code BIO*}.
+     * @return The remaining length of the {@link ByteBuffer} set by {@link #bioSetByteBuffer(long, long, int, boolean)}.
+     */
+    public static native int bioLengthByteBuffer(long bio);
+
+    /**
+     * Get the amount of data pending in buffer used for non-application writes.
+     * This value will not exceed the value configured in {@link #bioNewByteBuffer(long, int)}.
+     * @param bio {@code BIO*}.
+     * @return the amount of data pending in buffer used for non-application writes.
+     */
+    public static native int bioLengthNonApplication(long bio);
+
+    /**
+     * SSL_write
+     * @param ssl the SSL instance (SSL *)
+     * @param wbuf the memory address of the buffer
+     * @param wlen the length
+     * @return the number of written bytes
+     */
+    public static native int writeToSSL(long ssl, long wbuf, int wlen);
+
+    /**
+     * SSL_read
+     * @param ssl the SSL instance (SSL *)
+     * @param rbuf the memory address of the buffer
+     * @param rlen the length
+     * @return the number of read bytes
+     */
+    public static native int readFromSSL(long ssl, long rbuf, int rlen);
+
+    /**
+     * SSL_get_shutdown
+     * @param ssl the SSL instance (SSL *)
+     * @return the return code of {@code SSL_get_shutdown}
+     */
+    public static native int getShutdown(long ssl);
+
+    /**
+     * SSL_set_shutdown
+     * @param ssl the SSL instance (SSL *)
+     * @param mode the mode to use
+     */
+    public static native void setShutdown(long ssl, int mode);
+
+    /**
+     * SSL_free
+     * @param ssl the SSL instance (SSL *)
+     */
+    public static native void freeSSL(long ssl);
+
+    /**
+     * BIO_free
+     * @param bio the BIO
+     */
+    public static native void freeBIO(long bio);
+
+    /**
+     * SSL_shutdown
+     * @param ssl the SSL instance (SSL *)
+     * @return the return code of {@code SSL_shutdown}
+     */
+    public static native int shutdownSSL(long ssl);
+
+    /**
+     * Get the error number representing the last error OpenSSL encountered on this thread.
+     * @return the last error code for the calling thread.
+     */
+    public static native int getLastErrorNumber();
+
+    /**
+     * SSL_get_cipher
+     * @param ssl the SSL instance (SSL *)
+     * @return the name of the current cipher.
+     */
+    public static native String getCipherForSSL(long ssl);
+
+    /**
+     * SSL_get_version
+     * @param ssl the SSL instance (SSL *)
+     * @return the version.
+     */
+    public static native String getVersion(long ssl);
+
+    /**
+     * SSL_do_handshake
+     * @param ssl the SSL instance (SSL *)
+     * @return the return code of {@code SSL_do_handshake}.
+     */
+    public static native int doHandshake(long ssl);
+
+    /**
+     * SSL_in_init
+     * @param ssl the SSL instance (SSL *)
+     * @return the return code of {@code SSL_in_init}.
+     */
+    public static native int isInInit(long ssl);
+
+    /**
+     * SSL_get0_next_proto_negotiated
+     * @param ssl the SSL instance (SSL *)
+     * @return the name of the negotiated proto
+     */
+    public static native String getNextProtoNegotiated(long ssl);
+
+    /*
+     * End Twitter API Additions
+     */
+
+    /**
+     * SSL_get0_alpn_selected
+     * @param ssl the SSL instance (SSL *)
+     * @return the name of the selected ALPN protocol
+     */
+    public static native String getAlpnSelected(long ssl);
+
+    /**
+     * Get the peer certificate chain or {@code null} if none was send.
+     * @param ssl the SSL instance (SSL *)
+     * @return the chain or {@code null} if none was send
+     */
+    public static native byte[][] getPeerCertChain(long ssl);
+
+    /**
+     * Get the peer certificate or {@code null} if non was send.
+     * @param ssl the SSL instance (SSL *)
+     * @return the peer certificate or {@code null} if none was send
+     */
+    public static native byte[] getPeerCertificate(long ssl);
+
+    /**
+     * Get the error string representing for the given {@code errorNumber}.
+     *
+     * @param errorNumber the error number / code
+     * @return the error string
+     */
+    public static native String getErrorString(long errorNumber);
+
+    /**
+     * SSL_get_time
+     * @param ssl the SSL instance (SSL *)
+     * @return returns the time at which the session ssl was established. The time is given in seconds since the Epoch
+     */
+    public static native long getTime(long ssl);
+
+    /**
+     * SSL_get_timeout
+     * @param ssl the SSL instance (SSL *)
+     * @return returns the timeout for the session ssl The time is given in seconds since the Epoch
+     */
+    public static native long getTimeout(long ssl);
+
+    /**
+     * SSL_set_timeout
+     * @param ssl the SSL instance (SSL *)
+     * @param seconds timeout in seconds
+     * @return returns the timeout for the session ssl before this call. The time is given in seconds since the Epoch
+     */
+    public static native long setTimeout(long ssl, long seconds);
+
+    /**
+     * Set Type of Client Certificate verification and Maximum depth of CA Certificates
+     * in Client Certificate verification.
+     * <p>
+     * This directive sets the Certificate verification level for the Client
+     * Authentication. Notice that this directive can be used both in per-server
+     * and per-directory context. In per-server context it applies to the client
+     * authentication process used in the standard SSL handshake when a connection
+     * is established. In per-directory context it forces a SSL renegotiation with
+     * the reconfigured client verification level after the HTTP request was read
+     * but before the HTTP response is sent.
+     * <p>
+     * The following levels are available for level:
+     * <ul>
+     * <li>{@link #SSL_CVERIFY_IGNORED} - The level is ignored. Only depth will change.</li>
+     * <li>{@link #SSL_CVERIFY_NONE} - No client Certificate is required at all</li>
+     * <li>{@link #SSL_CVERIFY_OPTIONAL} - The client may present a valid Certificate</li>
+     * <li>{@link #SSL_CVERIFY_REQUIRED} - The client has to present a valid Certificate</li>
+     * </ul>
+     * The depth actually is the maximum number of intermediate certificate issuers,
+     * i.e. the number of CA certificates which are max allowed to be followed while
+     * verifying the client certificate. A depth of 0 means that self-signed client
+     * certificates are accepted only, the default depth of 1 means the client
+     * certificate can be self-signed or has to be signed by a CA which is directly
+     * known to the server (i.e. the CA's certificate is under
+     * {@code setCACertificatePath}, etc.
+     *
+     * @param ssl the SSL instance (SSL *)
+     * @param level Type of Client Certificate verification.
+     * @param depth Maximum depth of CA Certificates in Client Certificate
+     *              verification. Ignored if value is {@code <0}.
+     */
+    public static native void setVerify(long ssl, int level, int depth);
+
+    /**
+     * Set OpenSSL Option.
+     * @param ssl the SSL instance (SSL *)
+     * @param options  See SSL.SSL_OP_* for option flags.
+     */
+    public static native void setOptions(long ssl, int options);
+
+    /**
+     * Clear OpenSSL Option.
+     * @param ssl the SSL instance (SSL *)
+     * @param options  See SSL.SSL_OP_* for option flags.
+     */
+    public static native void clearOptions(long ssl, int options);
+
+    /**
+     * Get OpenSSL Option.
+     * @param ssl the SSL instance (SSL *)
+     * @return options  See SSL.SSL_OP_* for option flags.
+     */
+    public static native int getOptions(long ssl);
+
+    /**
+     * Returns all Returns the cipher suites that are available for negotiation in an SSL handshake.
+     * @param ssl the SSL instance (SSL *)
+     * @return ciphers
+     */
+    public static native String[] getCiphers(long ssl);
+
+    /**
+     * Returns the cipher suites available for negotiation in SSL handshake.
+     * <p>
+     * This complex directive uses a colon-separated cipher-spec string consisting
+     * of OpenSSL cipher specifications to configure the Cipher Suite the client
+     * is permitted to negotiate in the SSL handshake phase. Notice that this
+     * directive can be used both in per-server and per-directory context.
+     * In per-server context it applies to the standard SSL handshake when a
+     * connection is established. In per-directory context it forces a SSL
+     * renegotiation with the reconfigured Cipher Suite after the HTTP request
+     * was read but before the HTTP response is sent.
+     * @param ssl the SSL instance (SSL *)
+     * @param ciphers an SSL cipher specification
+     * @return {@code true} if successful
+     * @throws Exception if an error happened
+     */
+    public static native boolean setCipherSuites(long ssl, String ciphers)
+            throws Exception;
+
+    /**
+     * Returns the ID of the session as byte array representation.
+     *
+     * @param ssl the SSL instance (SSL *)
+     * @return the session as byte array representation obtained via SSL_SESSION_get_id.
+     */
+    public static native byte[] getSessionId(long ssl);
+
+    /**
+     * Returns the number of handshakes done for this SSL instance. This also includes renegations.
+     *
+     * @param ssl the SSL instance (SSL *)
+     * @return the number of handshakes done for this SSL instance.
+     */
+    public static native int getHandshakeCount(long ssl);
+
+    /**
+     * Clear all the errors from the error queue that OpenSSL encountered on this thread.
+     */
+    public static native void clearError();
+
+    /**
+     * Call SSL_renegotiate.
+     *
+     * @param ssl the SSL instance (SSL *)
+     * @return the result of the operation
+     */
+    public static native int renegotiate(long ssl);
+
+    /**
+     * Call SSL_set_state.
+     *
+     * @param ssl the SSL instance (SSL *)
+     * @param state the state to set
+     */
+    public static native void setState(long ssl, int state);
+
+    /**
+     * Call SSL_set_tlsext_host_name
+     *
+     * @param ssl the SSL instance (SSL *)
+     * @param hostname the hostname
+     */
+    public static native void setTlsExtHostName(long ssl, String hostname);
+
+    /**
+     * Explicitly control <a href="https://wiki.openssl.org/index.php/Hostname_validation">hostname validation</a>
+     * <a href="https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.html">see X509_check_host for X509_CHECK_FLAG* definitions</a>.
+     * Values are defined as a bitmask of {@code X509_CHECK_FLAG*} values.
+     * @param ssl the SSL instance (SSL*).
+     * @param flags a bitmask of {@code X509_CHECK_FLAG*} values.
+     * @param hostname the hostname which is expected for validation.
+     */
+    public static native void setHostNameValidation(long ssl, int flags, String hostname);
+
+    /**
+     * Return the methods used for authentication.
+     *
+     * @param ssl the SSL instance (SSL*)
+     * @return the methods
+     */
+    public static native String[] authenticationMethods(long ssl);
+
+    /**
+     * Set BIO of PEM-encoded Server CA Certificates
+     * <p>
+     * This directive sets the optional all-in-one file where you can assemble the
+     * certificates of Certification Authorities (CA) which form the certificate
+     * chain of the server certificate. This starts with the issuing CA certificate
+     * of of the server certificate and can range up to the root CA certificate.
+     * Such a file is simply the concatenation of the various PEM-encoded CA
+     * Certificate files, usually in certificate chain order.
+     * <p>
+     * But be careful: Providing the certificate chain works only if you are using
+     * a single (either RSA or DSA) based server certificate. If you are using a
+     * coupled RSA+DSA certificate pair, this will work only if actually both
+     * certificates use the same certificate chain. Otherwsie the browsers will be
+     * confused in this situation.
+     * @param ssl Server or Client to use.
+     * @param bio BIO of PEM-encoded Server CA Certificates.
+     * @param skipfirst Skip first certificate if chain file is inside
+     *                  certificate file.
+     */
+    public static native void setCertificateChainBio(long ssl, long bio, boolean skipfirst);
+
+    /**
+     * Set Certificate
+     * <br>
+     * Point setCertificate at a PEM encoded certificate stored in a BIO. If
+     * the certificate is encrypted, then you will be prompted for a
+     * pass phrase.  Note that a kill -HUP will prompt again. A test
+     * certificate can be generated with `make certificate' under
+     * built time. Keep in mind that if you've both a RSA and a DSA
+     * certificate you can configure both in parallel (to also allow
+     * the use of DSA ciphers, etc.)
+     * <br>
+     * If the key is not combined with the certificate, use key param
+     * to point at the key file.  Keep in mind that if
+     * you've both a RSA and a DSA private key you can configure
+     * both in parallel (to also allow the use of DSA ciphers, etc.)
+     * @param ssl Server or Client to use.
+     * @param certBio Certificate BIO.
+     * @param keyBio Private Key BIO to use if not in cert.
+     * @param password Certificate password. If null and certificate
+     *                 is encrypted.
+     * @throws Exception if an error happened
+     */
+    public static native void setCertificateBio(
+            long ssl, long certBio, long keyBio, String password) throws Exception;
+
+    /**
+     * Parse private key from BIO and return {@code EVP_PKEY} pointer.
+     *
+     * <p>Be sure you understand how OpenSsl will behave with respect to reference counting!
+     *
+     * If the {@code EVP_PKEY} pointer is used with the client certificate callback
+     * {@link CertificateRequestedCallback} the ownership goes over to OpenSsl / Tcnative and so calling
+     * {@link #freePrivateKey(long)} should <strong>NOT</strong> be done in this case. Otherwise you may
+     * need to call {@link #freePrivateKey(long)} to decrement the reference count and free memory.
+     *
+     * @param privateKeyBio the pointer to the {@code BIO} that contains the private key
+     * @param password the password or {@code null} if no password is needed
+     * @return {@code EVP_PKEY} pointer
+     * @throws Exception if an error happened
+     */
+    public static native long parsePrivateKey(long privateKeyBio, String password) throws Exception;
+
+    /**
+     * Free private key ({@code EVP_PKEY} pointer).
+     *
+     * @param privateKey {@code EVP_PKEY} pointer
+     */
+    public static native void freePrivateKey(long privateKey);
+
+    /**
+     * Parse X509 chain from BIO and return ({@code STACK_OF(X509)} pointer).
+     *
+     * <p>Be sure you understand how OpenSsl will behave with respect to reference counting!
+     *
+     * If the {@code STACK_OF(X509)} pointer is used with the client certificate callback
+     * {@link CertificateRequestedCallback} the ownership goes over to OpenSsl / Tcnative and and so calling
+     * {@link #freeX509Chain(long)} should <strong>NOT</strong> be done in this case. Otherwise you may
+     * need to call {@link #freeX509Chain(long)} to decrement the reference count and free memory.
+     *
+     * @param x509ChainBio the pointer to the {@code BIO} that contains the X509 chain
+     * @return {@code STACK_OF(X509)} pointer
+     * @throws Exception if an error happened
+     */
+    public static native long parseX509Chain(long x509ChainBio) throws Exception;
+
+    /**
+     * Free x509 chain ({@code STACK_OF(X509)} pointer).
+     *
+     * @param x509Chain {@code STACK_OF(X509)} pointer
+     */
+    public static native void freeX509Chain(long x509Chain);
+}