OLD | NEW |
(Empty) | |
| 1 /* |
| 2 * Copyright 2016 The Netty Project |
| 3 * |
| 4 * The Netty Project licenses this file to you under the Apache License, |
| 5 * version 2.0 (the "License"); you may not use this file except in compliance |
| 6 * with the License. You may obtain a copy of the License at: |
| 7 * |
| 8 * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 * |
| 10 * Unless required by applicable law or agreed to in writing, software |
| 11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 13 * License for the specific language governing permissions and limitations |
| 14 * under the License. |
| 15 */ |
| 16 /* |
| 17 * Licensed to the Apache Software Foundation (ASF) under one or more |
| 18 * contributor license agreements. See the NOTICE file distributed with |
| 19 * this work for additional information regarding copyright ownership. |
| 20 * The ASF licenses this file to You under the Apache License, Version 2.0 |
| 21 * (the "License"); you may not use this file except in compliance with |
| 22 * the License. You may obtain a copy of the License at |
| 23 * |
| 24 * http://www.apache.org/licenses/LICENSE-2.0 |
| 25 * |
| 26 * Unless required by applicable law or agreed to in writing, software |
| 27 * distributed under the License is distributed on an "AS IS" BASIS, |
| 28 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 29 * See the License for the specific language governing permissions and |
| 30 * limitations under the License. |
| 31 */ |
| 32 package io.netty.internal.tcnative; |
| 33 |
| 34 import java.nio.ByteBuffer; |
| 35 |
| 36 import static io.netty.internal.tcnative.NativeStaticallyReferencedJniMethods.*; |
| 37 |
| 38 public final class SSL { |
| 39 |
| 40 private SSL() { } |
| 41 |
| 42 /* |
| 43 * Define the SSL Protocol options |
| 44 */ |
| 45 public static final int SSL_PROTOCOL_NONE = 0; |
| 46 public static final int SSL_PROTOCOL_SSLV2 = (1<<0); |
| 47 public static final int SSL_PROTOCOL_SSLV3 = (1<<1); |
| 48 public static final int SSL_PROTOCOL_TLSV1 = (1<<2); |
| 49 public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3); |
| 50 public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4); |
| 51 |
| 52 /** TLS_*method according to <a href="https://www.openssl.org/docs/man1.0.2/
ssl/SSL_CTX_new.html">SSL_CTX_new</a> */ |
| 53 public static final int SSL_PROTOCOL_TLS = (SSL_PROTOCOL_SSLV3 | SSL_PROTO
COL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2); |
| 54 public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV2 | SSL_PROTO
COL_TLS); |
| 55 |
| 56 /* |
| 57 * Define the SSL verify levels |
| 58 */ |
| 59 public static final int SSL_CVERIFY_IGNORED = -1; |
| 60 public static final int SSL_CVERIFY_NONE = 0; |
| 61 public static final int SSL_CVERIFY_OPTIONAL = 1; |
| 62 public static final int SSL_CVERIFY_REQUIRED = 2; |
| 63 |
| 64 public static final int SSL_OP_CIPHER_SERVER_PREFERENCE = sslOpCipherServerP
reference(); |
| 65 public static final int SSL_OP_NO_SSLv2 = sslOpNoSSLv2(); |
| 66 public static final int SSL_OP_NO_SSLv3 = sslOpNoSSLv3(); |
| 67 public static final int SSL_OP_NO_TLSv1 = sslOpNoTLSv1(); |
| 68 public static final int SSL_OP_NO_TLSv1_1 = sslOpNoTLSv11(); |
| 69 public static final int SSL_OP_NO_TLSv1_2 = sslOpNoTLSv12(); |
| 70 public static final int SSL_OP_NO_TICKET = sslOpNoTicket(); |
| 71 |
| 72 public static final int SSL_OP_NO_COMPRESSION = sslOpNoCompression(); |
| 73 |
| 74 public static final int SSL_MODE_CLIENT = 0; |
| 75 public static final int SSL_MODE_SERVER = 1; |
| 76 public static final int SSL_MODE_COMBINED = 2; |
| 77 |
| 78 public static final long SSL_SESS_CACHE_OFF = sslSessCacheOff(); |
| 79 public static final long SSL_SESS_CACHE_SERVER = sslSessCacheServer(); |
| 80 |
| 81 public static final int SSL_SELECTOR_FAILURE_NO_ADVERTISE = 0; |
| 82 public static final int SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL = 1; |
| 83 |
| 84 public static final int SSL_ST_CONNECT = sslStConnect(); |
| 85 public static final int SSL_ST_ACCEPT = sslStAccept(); |
| 86 |
| 87 public static final int SSL_MODE_ENABLE_PARTIAL_WRITE = sslModeEna
blePartialWrite(); |
| 88 public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = sslModeAcc
eptMovingWriteBuffer(); |
| 89 public static final int SSL_MODE_RELEASE_BUFFERS = sslModeRel
easeBuffers(); |
| 90 |
| 91 // https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.html |
| 92 public static final int X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = x509CheckFlag
AlwaysCheckSubject(); |
| 93 public static final int X509_CHECK_FLAG_NO_WILD_CARDS = x509CheckFlagDisable
WildCards(); |
| 94 public static final int X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS = x509CheckFla
gNoPartialWildCards(); |
| 95 public static final int X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = x509CheckFla
gMultiLabelWildCards(); |
| 96 |
| 97 /* Return OpenSSL version number */ |
| 98 public static native int version(); |
| 99 |
| 100 /* Return OpenSSL version string */ |
| 101 public static native String versionString(); |
| 102 |
| 103 /** |
| 104 * Initialize OpenSSL support. |
| 105 * |
| 106 * This function needs to be called once for the |
| 107 * lifetime of JVM. See {@link Library#initialize(String, String)} |
| 108 * |
| 109 * @param engine Support for external a Crypto Device ("engine"), |
| 110 * usually a hardware accelerator card for crypto operations. |
| 111 * @return APR status code |
| 112 */ |
| 113 static native int initialize(String engine); |
| 114 |
| 115 /** |
| 116 * Initialize new in-memory BIO that is located in the secure heap. |
| 117 * |
| 118 * @return New BIO handle |
| 119 * @throws Exception if an error happened. |
| 120 */ |
| 121 public static native long newMemBIO() throws Exception; |
| 122 |
| 123 /** |
| 124 * Return last SSL error string |
| 125 * |
| 126 * @return the last SSL error string. |
| 127 */ |
| 128 public static native String getLastError(); |
| 129 |
| 130 /** |
| 131 * Return true if all the requested SSL_OP_* are supported by OpenSSL. |
| 132 * |
| 133 * @param op Bitwise-OR of all SSL_OP_* to test. |
| 134 * |
| 135 * @return true if all SSL_OP_* are supported by OpenSSL library. |
| 136 */ |
| 137 public static native boolean hasOp(int op); |
| 138 |
| 139 /* |
| 140 * Begin Twitter API additions |
| 141 */ |
| 142 |
| 143 public static final int SSL_SENT_SHUTDOWN = sslSendShutdown(); |
| 144 public static final int SSL_RECEIVED_SHUTDOWN = sslReceivedShutdown(); |
| 145 |
| 146 public static final int SSL_ERROR_NONE = sslErrorNone(); |
| 147 public static final int SSL_ERROR_SSL = sslErrorSSL(); |
| 148 public static final int SSL_ERROR_WANT_READ = sslErrorWantRead(); |
| 149 public static final int SSL_ERROR_WANT_WRITE = sslErrorWantWrite(); |
| 150 public static final int SSL_ERROR_WANT_X509_LOOKUP = sslErrorWantX509Lookup(
); |
| 151 public static final int SSL_ERROR_SYSCALL = sslErrorSyscall(); /* l
ook at error stack/return value/errno */ |
| 152 public static final int SSL_ERROR_ZERO_RETURN = sslErrorZeroReturn(); |
| 153 public static final int SSL_ERROR_WANT_CONNECT = sslErrorWantConnect(); |
| 154 public static final int SSL_ERROR_WANT_ACCEPT = sslErrorWantAccept(); |
| 155 |
| 156 /** |
| 157 * SSL_new |
| 158 * @param ctx Server or Client context to use. |
| 159 * @param server if true configure SSL instance to use accept handshake rout
ines |
| 160 * if false configure SSL instance to use connect handshake ro
utines |
| 161 * @return pointer to SSL instance (SSL *) |
| 162 */ |
| 163 public static native long newSSL(long ctx, boolean server); |
| 164 |
| 165 /** |
| 166 * SSL_get_error |
| 167 * @param ssl SSL pointer (SSL *) |
| 168 * @param ret TLS/SSL I/O return value |
| 169 * @return the error code |
| 170 */ |
| 171 public static native int getError(long ssl, int ret); |
| 172 |
| 173 /** |
| 174 * BIO_write |
| 175 * @param bioAddress The address of a {@code BIO*}. |
| 176 * @param wbufAddress The address of a native {@code char*}. |
| 177 * @param wlen The length to write starting at {@code wbufAddress}. |
| 178 * @return The number of bytes that were written. |
| 179 * See <a href="https://www.openssl.org/docs/man1.0.1/crypto/BIO_write.html"
>BIO_write</a> for exceptional return values. |
| 180 */ |
| 181 public static native int bioWrite(long bioAddress, long wbufAddress, int wle
n); |
| 182 |
| 183 /** |
| 184 * Initialize the BIO for the SSL instance. This is a custom BIO which is de
signed to play nicely with a direct |
| 185 * {@link ByteBuffer}. Because it is a special BIO it requires special usage
such that |
| 186 * {@link #bioSetByteBuffer(long, long, int, boolean)} and {@link #bioClearB
yteBuffer(long)} are called in order to provide |
| 187 * to supply data to SSL, and also to ensure the internal SSL buffering mech
anism is expecting write at the appropriate times. |
| 188 * |
| 189 * @param ssl the SSL instance (SSL *) |
| 190 * @param nonApplicationBufferSize The size of the internal buffer for write
operations that are not |
| 191 * initiated directly by the application att
empting to encrypt data. |
| 192 * Must be >{@code 0}. |
| 193 * @return pointer to the Network BIO (BIO *). |
| 194 * The memory is owned by {@code ssl} and will be cleaned up by {@li
nk #freeSSL(long)}. |
| 195 */ |
| 196 public static native long bioNewByteBuffer(long ssl, int nonApplicationBuffe
rSize); |
| 197 |
| 198 /** |
| 199 * Set the memory location which that OpenSSL's internal BIO will use to wri
te encrypted data to, or read encrypted |
| 200 * data from. |
| 201 * <p> |
| 202 * After you are done buffering data you should call {@link #bioClearByteBuf
fer(long)}. |
| 203 * @param bio {@code BIO*}. |
| 204 * @param bufferAddress The memory address (typically from a direct {@link B
yteBuffer}) which will be used |
| 205 * to either write encrypted data to, or read encrypted d
ata from by OpenSSL's internal BIO pair. |
| 206 * @param maxUsableBytes The maximum usable length in bytes starting at {@co
de bufferAddress}. |
| 207 * @param isSSLWriteSink {@code true} if this buffer is expected to buffer d
ata as a result of calls to {@code SSL_write}. |
| 208 * {@code false} if this buffer is expected to buffer
data as a result of calls to {@code SSL_read}. |
| 209 */ |
| 210 public static native void bioSetByteBuffer(long bio, long bufferAddress, int
maxUsableBytes, boolean isSSLWriteSink); |
| 211 |
| 212 /** |
| 213 * After you are done buffering data from {@link #bioSetByteBuffer(long, lon
g, int, boolean)}, this will ensure the |
| 214 * internal SSL write buffers are ready to capture data which may unexpected
ly happen (e.g. handshake, renegotiation, etc..). |
| 215 * @param bio {@code BIO*}. |
| 216 */ |
| 217 public static native void bioClearByteBuffer(long bio); |
| 218 |
| 219 /** |
| 220 * Flush any pending bytes in the internal SSL write buffer. |
| 221 * <p> |
| 222 * This does the same thing as {@code BIO_flush} for a {@code BIO*} of type
{@link #bioNewByteBuffer(long, int)} but |
| 223 * returns the number of bytes that were flushed. |
| 224 * @param bio {@code BIO*}. |
| 225 * @return The number of bytes that were flushed. |
| 226 */ |
| 227 public static native int bioFlushByteBuffer(long bio); |
| 228 |
| 229 /** |
| 230 * Get the remaining length of the {@link ByteBuffer} set by {@link #bioSetB
yteBuffer(long, long, int, boolean)}. |
| 231 * @param bio {@code BIO*}. |
| 232 * @return The remaining length of the {@link ByteBuffer} set by {@link #bio
SetByteBuffer(long, long, int, boolean)}. |
| 233 */ |
| 234 public static native int bioLengthByteBuffer(long bio); |
| 235 |
| 236 /** |
| 237 * Get the amount of data pending in buffer used for non-application writes. |
| 238 * This value will not exceed the value configured in {@link #bioNewByteBuff
er(long, int)}. |
| 239 * @param bio {@code BIO*}. |
| 240 * @return the amount of data pending in buffer used for non-application wri
tes. |
| 241 */ |
| 242 public static native int bioLengthNonApplication(long bio); |
| 243 |
| 244 /** |
| 245 * SSL_write |
| 246 * @param ssl the SSL instance (SSL *) |
| 247 * @param wbuf the memory address of the buffer |
| 248 * @param wlen the length |
| 249 * @return the number of written bytes |
| 250 */ |
| 251 public static native int writeToSSL(long ssl, long wbuf, int wlen); |
| 252 |
| 253 /** |
| 254 * SSL_read |
| 255 * @param ssl the SSL instance (SSL *) |
| 256 * @param rbuf the memory address of the buffer |
| 257 * @param rlen the length |
| 258 * @return the number of read bytes |
| 259 */ |
| 260 public static native int readFromSSL(long ssl, long rbuf, int rlen); |
| 261 |
| 262 /** |
| 263 * SSL_get_shutdown |
| 264 * @param ssl the SSL instance (SSL *) |
| 265 * @return the return code of {@code SSL_get_shutdown} |
| 266 */ |
| 267 public static native int getShutdown(long ssl); |
| 268 |
| 269 /** |
| 270 * SSL_set_shutdown |
| 271 * @param ssl the SSL instance (SSL *) |
| 272 * @param mode the mode to use |
| 273 */ |
| 274 public static native void setShutdown(long ssl, int mode); |
| 275 |
| 276 /** |
| 277 * SSL_free |
| 278 * @param ssl the SSL instance (SSL *) |
| 279 */ |
| 280 public static native void freeSSL(long ssl); |
| 281 |
| 282 /** |
| 283 * BIO_free |
| 284 * @param bio the BIO |
| 285 */ |
| 286 public static native void freeBIO(long bio); |
| 287 |
| 288 /** |
| 289 * SSL_shutdown |
| 290 * @param ssl the SSL instance (SSL *) |
| 291 * @return the return code of {@code SSL_shutdown} |
| 292 */ |
| 293 public static native int shutdownSSL(long ssl); |
| 294 |
| 295 /** |
| 296 * Get the error number representing the last error OpenSSL encountered on t
his thread. |
| 297 * @return the last error code for the calling thread. |
| 298 */ |
| 299 public static native int getLastErrorNumber(); |
| 300 |
| 301 /** |
| 302 * SSL_get_cipher |
| 303 * @param ssl the SSL instance (SSL *) |
| 304 * @return the name of the current cipher. |
| 305 */ |
| 306 public static native String getCipherForSSL(long ssl); |
| 307 |
| 308 /** |
| 309 * SSL_get_version |
| 310 * @param ssl the SSL instance (SSL *) |
| 311 * @return the version. |
| 312 */ |
| 313 public static native String getVersion(long ssl); |
| 314 |
| 315 /** |
| 316 * SSL_do_handshake |
| 317 * @param ssl the SSL instance (SSL *) |
| 318 * @return the return code of {@code SSL_do_handshake}. |
| 319 */ |
| 320 public static native int doHandshake(long ssl); |
| 321 |
| 322 /** |
| 323 * SSL_in_init |
| 324 * @param ssl the SSL instance (SSL *) |
| 325 * @return the return code of {@code SSL_in_init}. |
| 326 */ |
| 327 public static native int isInInit(long ssl); |
| 328 |
| 329 /** |
| 330 * SSL_get0_next_proto_negotiated |
| 331 * @param ssl the SSL instance (SSL *) |
| 332 * @return the name of the negotiated proto |
| 333 */ |
| 334 public static native String getNextProtoNegotiated(long ssl); |
| 335 |
| 336 /* |
| 337 * End Twitter API Additions |
| 338 */ |
| 339 |
| 340 /** |
| 341 * SSL_get0_alpn_selected |
| 342 * @param ssl the SSL instance (SSL *) |
| 343 * @return the name of the selected ALPN protocol |
| 344 */ |
| 345 public static native String getAlpnSelected(long ssl); |
| 346 |
| 347 /** |
| 348 * Get the peer certificate chain or {@code null} if none was send. |
| 349 * @param ssl the SSL instance (SSL *) |
| 350 * @return the chain or {@code null} if none was send |
| 351 */ |
| 352 public static native byte[][] getPeerCertChain(long ssl); |
| 353 |
| 354 /** |
| 355 * Get the peer certificate or {@code null} if non was send. |
| 356 * @param ssl the SSL instance (SSL *) |
| 357 * @return the peer certificate or {@code null} if none was send |
| 358 */ |
| 359 public static native byte[] getPeerCertificate(long ssl); |
| 360 |
| 361 /** |
| 362 * Get the error string representing for the given {@code errorNumber}. |
| 363 * |
| 364 * @param errorNumber the error number / code |
| 365 * @return the error string |
| 366 */ |
| 367 public static native String getErrorString(long errorNumber); |
| 368 |
| 369 /** |
| 370 * SSL_get_time |
| 371 * @param ssl the SSL instance (SSL *) |
| 372 * @return returns the time at which the session ssl was established. The ti
me is given in seconds since the Epoch |
| 373 */ |
| 374 public static native long getTime(long ssl); |
| 375 |
| 376 /** |
| 377 * SSL_get_timeout |
| 378 * @param ssl the SSL instance (SSL *) |
| 379 * @return returns the timeout for the session ssl The time is given in seco
nds since the Epoch |
| 380 */ |
| 381 public static native long getTimeout(long ssl); |
| 382 |
| 383 /** |
| 384 * SSL_set_timeout |
| 385 * @param ssl the SSL instance (SSL *) |
| 386 * @param seconds timeout in seconds |
| 387 * @return returns the timeout for the session ssl before this call. The tim
e is given in seconds since the Epoch |
| 388 */ |
| 389 public static native long setTimeout(long ssl, long seconds); |
| 390 |
| 391 /** |
| 392 * Set Type of Client Certificate verification and Maximum depth of CA Certi
ficates |
| 393 * in Client Certificate verification. |
| 394 * <p> |
| 395 * This directive sets the Certificate verification level for the Client |
| 396 * Authentication. Notice that this directive can be used both in per-server |
| 397 * and per-directory context. In per-server context it applies to the client |
| 398 * authentication process used in the standard SSL handshake when a connecti
on |
| 399 * is established. In per-directory context it forces a SSL renegotiation wi
th |
| 400 * the reconfigured client verification level after the HTTP request was rea
d |
| 401 * but before the HTTP response is sent. |
| 402 * <p> |
| 403 * The following levels are available for level: |
| 404 * <ul> |
| 405 * <li>{@link #SSL_CVERIFY_IGNORED} - The level is ignored. Only depth will
change.</li> |
| 406 * <li>{@link #SSL_CVERIFY_NONE} - No client Certificate is required at all<
/li> |
| 407 * <li>{@link #SSL_CVERIFY_OPTIONAL} - The client may present a valid Certif
icate</li> |
| 408 * <li>{@link #SSL_CVERIFY_REQUIRED} - The client has to present a valid Cer
tificate</li> |
| 409 * </ul> |
| 410 * The depth actually is the maximum number of intermediate certificate issu
ers, |
| 411 * i.e. the number of CA certificates which are max allowed to be followed w
hile |
| 412 * verifying the client certificate. A depth of 0 means that self-signed cli
ent |
| 413 * certificates are accepted only, the default depth of 1 means the client |
| 414 * certificate can be self-signed or has to be signed by a CA which is direc
tly |
| 415 * known to the server (i.e. the CA's certificate is under |
| 416 * {@code setCACertificatePath}, etc. |
| 417 * |
| 418 * @param ssl the SSL instance (SSL *) |
| 419 * @param level Type of Client Certificate verification. |
| 420 * @param depth Maximum depth of CA Certificates in Client Certificate |
| 421 * verification. Ignored if value is {@code <0}. |
| 422 */ |
| 423 public static native void setVerify(long ssl, int level, int depth); |
| 424 |
| 425 /** |
| 426 * Set OpenSSL Option. |
| 427 * @param ssl the SSL instance (SSL *) |
| 428 * @param options See SSL.SSL_OP_* for option flags. |
| 429 */ |
| 430 public static native void setOptions(long ssl, int options); |
| 431 |
| 432 /** |
| 433 * Clear OpenSSL Option. |
| 434 * @param ssl the SSL instance (SSL *) |
| 435 * @param options See SSL.SSL_OP_* for option flags. |
| 436 */ |
| 437 public static native void clearOptions(long ssl, int options); |
| 438 |
| 439 /** |
| 440 * Get OpenSSL Option. |
| 441 * @param ssl the SSL instance (SSL *) |
| 442 * @return options See SSL.SSL_OP_* for option flags. |
| 443 */ |
| 444 public static native int getOptions(long ssl); |
| 445 |
| 446 /** |
| 447 * Returns all Returns the cipher suites that are available for negotiation
in an SSL handshake. |
| 448 * @param ssl the SSL instance (SSL *) |
| 449 * @return ciphers |
| 450 */ |
| 451 public static native String[] getCiphers(long ssl); |
| 452 |
| 453 /** |
| 454 * Returns the cipher suites available for negotiation in SSL handshake. |
| 455 * <p> |
| 456 * This complex directive uses a colon-separated cipher-spec string consisti
ng |
| 457 * of OpenSSL cipher specifications to configure the Cipher Suite the client |
| 458 * is permitted to negotiate in the SSL handshake phase. Notice that this |
| 459 * directive can be used both in per-server and per-directory context. |
| 460 * In per-server context it applies to the standard SSL handshake when a |
| 461 * connection is established. In per-directory context it forces a SSL |
| 462 * renegotiation with the reconfigured Cipher Suite after the HTTP request |
| 463 * was read but before the HTTP response is sent. |
| 464 * @param ssl the SSL instance (SSL *) |
| 465 * @param ciphers an SSL cipher specification |
| 466 * @return {@code true} if successful |
| 467 * @throws Exception if an error happened |
| 468 */ |
| 469 public static native boolean setCipherSuites(long ssl, String ciphers) |
| 470 throws Exception; |
| 471 |
| 472 /** |
| 473 * Returns the ID of the session as byte array representation. |
| 474 * |
| 475 * @param ssl the SSL instance (SSL *) |
| 476 * @return the session as byte array representation obtained via SSL_SESSION
_get_id. |
| 477 */ |
| 478 public static native byte[] getSessionId(long ssl); |
| 479 |
| 480 /** |
| 481 * Returns the number of handshakes done for this SSL instance. This also in
cludes renegations. |
| 482 * |
| 483 * @param ssl the SSL instance (SSL *) |
| 484 * @return the number of handshakes done for this SSL instance. |
| 485 */ |
| 486 public static native int getHandshakeCount(long ssl); |
| 487 |
| 488 /** |
| 489 * Clear all the errors from the error queue that OpenSSL encountered on thi
s thread. |
| 490 */ |
| 491 public static native void clearError(); |
| 492 |
| 493 /** |
| 494 * Call SSL_renegotiate. |
| 495 * |
| 496 * @param ssl the SSL instance (SSL *) |
| 497 * @return the result of the operation |
| 498 */ |
| 499 public static native int renegotiate(long ssl); |
| 500 |
| 501 /** |
| 502 * Call SSL_set_state. |
| 503 * |
| 504 * @param ssl the SSL instance (SSL *) |
| 505 * @param state the state to set |
| 506 */ |
| 507 public static native void setState(long ssl, int state); |
| 508 |
| 509 /** |
| 510 * Call SSL_set_tlsext_host_name |
| 511 * |
| 512 * @param ssl the SSL instance (SSL *) |
| 513 * @param hostname the hostname |
| 514 */ |
| 515 public static native void setTlsExtHostName(long ssl, String hostname); |
| 516 |
| 517 /** |
| 518 * Explicitly control <a href="https://wiki.openssl.org/index.php/Hostname_v
alidation">hostname validation</a> |
| 519 * <a href="https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.htm
l">see X509_check_host for X509_CHECK_FLAG* definitions</a>. |
| 520 * Values are defined as a bitmask of {@code X509_CHECK_FLAG*} values. |
| 521 * @param ssl the SSL instance (SSL*). |
| 522 * @param flags a bitmask of {@code X509_CHECK_FLAG*} values. |
| 523 * @param hostname the hostname which is expected for validation. |
| 524 */ |
| 525 public static native void setHostNameValidation(long ssl, int flags, String
hostname); |
| 526 |
| 527 /** |
| 528 * Return the methods used for authentication. |
| 529 * |
| 530 * @param ssl the SSL instance (SSL*) |
| 531 * @return the methods |
| 532 */ |
| 533 public static native String[] authenticationMethods(long ssl); |
| 534 |
| 535 /** |
| 536 * Set BIO of PEM-encoded Server CA Certificates |
| 537 * <p> |
| 538 * This directive sets the optional all-in-one file where you can assemble t
he |
| 539 * certificates of Certification Authorities (CA) which form the certificate |
| 540 * chain of the server certificate. This starts with the issuing CA certific
ate |
| 541 * of of the server certificate and can range up to the root CA certificate. |
| 542 * Such a file is simply the concatenation of the various PEM-encoded CA |
| 543 * Certificate files, usually in certificate chain order. |
| 544 * <p> |
| 545 * But be careful: Providing the certificate chain works only if you are usi
ng |
| 546 * a single (either RSA or DSA) based server certificate. If you are using a |
| 547 * coupled RSA+DSA certificate pair, this will work only if actually both |
| 548 * certificates use the same certificate chain. Otherwsie the browsers will
be |
| 549 * confused in this situation. |
| 550 * @param ssl Server or Client to use. |
| 551 * @param bio BIO of PEM-encoded Server CA Certificates. |
| 552 * @param skipfirst Skip first certificate if chain file is inside |
| 553 * certificate file. |
| 554 */ |
| 555 public static native void setCertificateChainBio(long ssl, long bio, boolean
skipfirst); |
| 556 |
| 557 /** |
| 558 * Set Certificate |
| 559 * <br> |
| 560 * Point setCertificate at a PEM encoded certificate stored in a BIO. If |
| 561 * the certificate is encrypted, then you will be prompted for a |
| 562 * pass phrase. Note that a kill -HUP will prompt again. A test |
| 563 * certificate can be generated with `make certificate' under |
| 564 * built time. Keep in mind that if you've both a RSA and a DSA |
| 565 * certificate you can configure both in parallel (to also allow |
| 566 * the use of DSA ciphers, etc.) |
| 567 * <br> |
| 568 * If the key is not combined with the certificate, use key param |
| 569 * to point at the key file. Keep in mind that if |
| 570 * you've both a RSA and a DSA private key you can configure |
| 571 * both in parallel (to also allow the use of DSA ciphers, etc.) |
| 572 * @param ssl Server or Client to use. |
| 573 * @param certBio Certificate BIO. |
| 574 * @param keyBio Private Key BIO to use if not in cert. |
| 575 * @param password Certificate password. If null and certificate |
| 576 * is encrypted. |
| 577 * @throws Exception if an error happened |
| 578 */ |
| 579 public static native void setCertificateBio( |
| 580 long ssl, long certBio, long keyBio, String password) throws Excepti
on; |
| 581 |
| 582 /** |
| 583 * Parse private key from BIO and return {@code EVP_PKEY} pointer. |
| 584 * |
| 585 * <p>Be sure you understand how OpenSsl will behave with respect to referen
ce counting! |
| 586 * |
| 587 * If the {@code EVP_PKEY} pointer is used with the client certificate callb
ack |
| 588 * {@link CertificateRequestedCallback} the ownership goes over to OpenSsl /
Tcnative and so calling |
| 589 * {@link #freePrivateKey(long)} should <strong>NOT</strong> be done in this
case. Otherwise you may |
| 590 * need to call {@link #freePrivateKey(long)} to decrement the reference cou
nt and free memory. |
| 591 * |
| 592 * @param privateKeyBio the pointer to the {@code BIO} that contains the pri
vate key |
| 593 * @param password the password or {@code null} if no password is needed |
| 594 * @return {@code EVP_PKEY} pointer |
| 595 * @throws Exception if an error happened |
| 596 */ |
| 597 public static native long parsePrivateKey(long privateKeyBio, String passwor
d) throws Exception; |
| 598 |
| 599 /** |
| 600 * Free private key ({@code EVP_PKEY} pointer). |
| 601 * |
| 602 * @param privateKey {@code EVP_PKEY} pointer |
| 603 */ |
| 604 public static native void freePrivateKey(long privateKey); |
| 605 |
| 606 /** |
| 607 * Parse X509 chain from BIO and return ({@code STACK_OF(X509)} pointer). |
| 608 * |
| 609 * <p>Be sure you understand how OpenSsl will behave with respect to referen
ce counting! |
| 610 * |
| 611 * If the {@code STACK_OF(X509)} pointer is used with the client certificate
callback |
| 612 * {@link CertificateRequestedCallback} the ownership goes over to OpenSsl /
Tcnative and and so calling |
| 613 * {@link #freeX509Chain(long)} should <strong>NOT</strong> be done in this
case. Otherwise you may |
| 614 * need to call {@link #freeX509Chain(long)} to decrement the reference coun
t and free memory. |
| 615 * |
| 616 * @param x509ChainBio the pointer to the {@code BIO} that contains the X509
chain |
| 617 * @return {@code STACK_OF(X509)} pointer |
| 618 * @throws Exception if an error happened |
| 619 */ |
| 620 public static native long parseX509Chain(long x509ChainBio) throws Exception
; |
| 621 |
| 622 /** |
| 623 * Free x509 chain ({@code STACK_OF(X509)} pointer). |
| 624 * |
| 625 * @param x509Chain {@code STACK_OF(X509)} pointer |
| 626 */ |
| 627 public static native void freeX509Chain(long x509Chain); |
| 628 } |
OLD | NEW |