OLD | NEW |
| (Empty) |
1 /* | |
2 * Licensed to the Apache Software Foundation (ASF) under one or more | |
3 * contributor license agreements. See the NOTICE file distributed with | |
4 * this work for additional information regarding copyright ownership. | |
5 * The ASF licenses this file to You under the Apache License, Version 2.0 | |
6 * (the "License"); you may not use this file except in compliance with | |
7 * the License. You may obtain a copy of the License at | |
8 * | |
9 * http://www.apache.org/licenses/LICENSE-2.0 | |
10 * | |
11 * Unless required by applicable law or agreed to in writing, software | |
12 * distributed under the License is distributed on an "AS IS" BASIS, | |
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
14 * See the License for the specific language governing permissions and | |
15 * limitations under the License. | |
16 */ | |
17 | |
18 package org.apache.tomcat.jni; | |
19 | |
20 /** SSL Context | |
21 * | |
22 * @author Mladen Turk | |
23 */ | |
24 public final class SSLContext { | |
25 | |
26 | |
27 /** | |
28 * Initialize new SSL context | |
29 * @param pool The pool to use. | |
30 * @param protocol The SSL protocol to use. It can be any combination of | |
31 * the following: | |
32 * <PRE> | |
33 * {@link SSL#SSL_PROTOCOL_SSLV2} | |
34 * {@link SSL#SSL_PROTOCOL_SSLV3} | |
35 * {@link SSL#SSL_PROTOCOL_TLSV1} | |
36 * {@link SSL#SSL_PROTOCOL_TLSV1_1} | |
37 * {@link SSL#SSL_PROTOCOL_TLSV1_2} | |
38 * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL) | |
39 * </PRE> | |
40 * @param mode SSL mode to use | |
41 * <PRE> | |
42 * SSL_MODE_CLIENT | |
43 * SSL_MODE_SERVER | |
44 * SSL_MODE_COMBINED | |
45 * </PRE> | |
46 */ | |
47 public static native long make(long pool, int protocol, int mode) | |
48 throws Exception; | |
49 | |
50 /** | |
51 * Free the resources used by the Context | |
52 * @param ctx Server or Client context to free. | |
53 * @return APR Status code. | |
54 */ | |
55 public static native int free(long ctx); | |
56 | |
57 /** | |
58 * Set Session context id. Usually host:port combination. | |
59 * @param ctx Context to use. | |
60 * @param id String that uniquely identifies this context. | |
61 */ | |
62 public static native void setContextId(long ctx, String id); | |
63 | |
64 /** | |
65 * Associate BIOCallback for input or output data capture. | |
66 * <br> | |
67 * First word in the output string will contain error | |
68 * level in the form: | |
69 * <PRE> | |
70 * [ERROR] -- Critical error messages | |
71 * [WARN] -- Warning messages | |
72 * [INFO] -- Informational messages | |
73 * [DEBUG] -- Debugging messaged | |
74 * </PRE> | |
75 * Callback can use that word to determine application logging level | |
76 * by intercepting <b>write</b> call. | |
77 * If the <b>bio</b> is set to 0 no error messages will be displayed. | |
78 * Default is to use the stderr output stream. | |
79 * @param ctx Server or Client context to use. | |
80 * @param bio BIO handle to use, created with SSL.newBIO | |
81 * @param dir BIO direction (1 for input 0 for output). | |
82 */ | |
83 public static native void setBIO(long ctx, long bio, int dir); | |
84 | |
85 /** | |
86 * Set OpenSSL Option. | |
87 * @param ctx Server or Client context to use. | |
88 * @param options See SSL.SSL_OP_* for option flags. | |
89 */ | |
90 public static native void setOptions(long ctx, int options); | |
91 | |
92 /** | |
93 * Get OpenSSL Option. | |
94 * @param ctx Server or Client context to use. | |
95 * @return options See SSL.SSL_OP_* for option flags. | |
96 */ | |
97 public static native int getOptions(long ctx); | |
98 | |
99 /** | |
100 * Clears OpenSSL Options. | |
101 * @param ctx Server or Client context to use. | |
102 * @param options See SSL.SSL_OP_* for option flags. | |
103 */ | |
104 public static native void clearOptions(long ctx, int options); | |
105 | |
106 /** | |
107 * Sets the "quiet shutdown" flag for <b>ctx</b> to be | |
108 * <b>mode</b>. SSL objects created from <b>ctx</b> inherit the | |
109 * <b>mode</b> valid at the time and may be 0 or 1. | |
110 * <br> | |
111 * Normally when a SSL connection is finished, the parties must send out | |
112 * "close notify" alert messages using L<SSL_shutdown(3)|SSL_shutdown(3)&
gt; | |
113 * for a clean shutdown. | |
114 * <br> | |
115 * When setting the "quiet shutdown" flag to 1, <b>SSL.shutdown</b> | |
116 * will set the internal flags to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN. | |
117 * (<b>SSL_shutdown</b> then behaves like called with | |
118 * SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.) | |
119 * The session is thus considered to be shutdown, but no "close notify" aler
t | |
120 * is sent to the peer. This behaviour violates the TLS standard. | |
121 * The default is normal shutdown behaviour as described by the TLS standard
. | |
122 * @param ctx Server or Client context to use. | |
123 * @param mode True to set the quiet shutdown. | |
124 */ | |
125 public static native void setQuietShutdown(long ctx, boolean mode); | |
126 | |
127 /** | |
128 * Cipher Suite available for negotiation in SSL handshake. | |
129 * <br> | |
130 * This complex directive uses a colon-separated cipher-spec string consisti
ng | |
131 * of OpenSSL cipher specifications to configure the Cipher Suite the client | |
132 * is permitted to negotiate in the SSL handshake phase. Notice that this | |
133 * directive can be used both in per-server and per-directory context. | |
134 * In per-server context it applies to the standard SSL handshake when a | |
135 * connection is established. In per-directory context it forces a SSL | |
136 * renegotiation with the reconfigured Cipher Suite after the HTTP request | |
137 * was read but before the HTTP response is sent. | |
138 * @param ctx Server or Client context to use. | |
139 * @param ciphers An SSL cipher specification. | |
140 */ | |
141 public static native boolean setCipherSuite(long ctx, String ciphers) | |
142 throws Exception; | |
143 | |
144 /** | |
145 * Set File of concatenated PEM-encoded CA CRLs or | |
146 * directory of PEM-encoded CA Certificates for Client Auth | |
147 * <br> | |
148 * This directive sets the all-in-one file where you can assemble the | |
149 * Certificate Revocation Lists (CRL) of Certification Authorities (CA) | |
150 * whose clients you deal with. These are used for Client Authentication. | |
151 * Such a file is simply the concatenation of the various PEM-encoded CRL | |
152 * files, in order of preference. | |
153 * <br> | |
154 * The files in this directory have to be PEM-encoded and are accessed throu
gh | |
155 * hash filenames. So usually you can't just place the Certificate files the
re: | |
156 * you also have to create symbolic links named hash-value.N. And you should | |
157 * always make sure this directory contains the appropriate symbolic links. | |
158 * Use the Makefile which comes with mod_ssl to accomplish this task. | |
159 * @param ctx Server or Client context to use. | |
160 * @param file File of concatenated PEM-encoded CA CRLs for Client Auth. | |
161 * @param path Directory of PEM-encoded CA Certificates for Client Auth. | |
162 */ | |
163 public static native boolean setCARevocation(long ctx, String file, | |
164 String path) | |
165 throws Exception; | |
166 | |
167 /** | |
168 * Set File of PEM-encoded Server CA Certificates | |
169 * <br> | |
170 * This directive sets the optional all-in-one file where you can assemble t
he | |
171 * certificates of Certification Authorities (CA) which form the certificate | |
172 * chain of the server certificate. This starts with the issuing CA certific
ate | |
173 * of of the server certificate and can range up to the root CA certificate. | |
174 * Such a file is simply the concatenation of the various PEM-encoded CA | |
175 * Certificate files, usually in certificate chain order. | |
176 * <br> | |
177 * But be careful: Providing the certificate chain works only if you are usi
ng | |
178 * a single (either RSA or DSA) based server certificate. If you are using a | |
179 * coupled RSA+DSA certificate pair, this will work only if actually both | |
180 * certificates use the same certificate chain. Else the browsers will be | |
181 * confused in this situation. | |
182 * @param ctx Server or Client context to use. | |
183 * @param file File of PEM-encoded Server CA Certificates. | |
184 * @param skipfirst Skip first certificate if chain file is inside | |
185 * certificate file. | |
186 */ | |
187 public static native boolean setCertificateChainFile(long ctx, String file, | |
188 boolean skipfirst); | |
189 /** | |
190 * Set BIO of PEM-encoded Server CA Certificates | |
191 * <p> | |
192 * This directive sets the optional all-in-one file where you can assemble t
he | |
193 * certificates of Certification Authorities (CA) which form the certificate | |
194 * chain of the server certificate. This starts with the issuing CA certific
ate | |
195 * of of the server certificate and can range up to the root CA certificate. | |
196 * Such a file is simply the concatenation of the various PEM-encoded CA | |
197 * Certificate files, usually in certificate chain order. | |
198 * <p> | |
199 * But be careful: Providing the certificate chain works only if you are usi
ng | |
200 * a single (either RSA or DSA) based server certificate. If you are using a | |
201 * coupled RSA+DSA certificate pair, this will work only if actually both | |
202 * certificates use the same certificate chain. Otherwsie the browsers will
be | |
203 * confused in this situation. | |
204 * @param ctx Server or Client context to use. | |
205 * @param bio BIO of PEM-encoded Server CA Certificates. | |
206 * @param skipfirst Skip first certificate if chain file is inside | |
207 * certificate file. | |
208 */ | |
209 public static native boolean setCertificateChainBio(long ctx, long bio, bool
ean skipfirst); | |
210 | |
211 /** | |
212 * Set Certificate | |
213 * <br> | |
214 * Point setCertificateFile at a PEM encoded certificate. If | |
215 * the certificate is encrypted, then you will be prompted for a | |
216 * pass phrase. Note that a kill -HUP will prompt again. A test | |
217 * certificate can be generated with `make certificate' under | |
218 * built time. Keep in mind that if you've both a RSA and a DSA | |
219 * certificate you can configure both in parallel (to also allow | |
220 * the use of DSA ciphers, etc.) | |
221 * <br> | |
222 * If the key is not combined with the certificate, use key param | |
223 * to point at the key file. Keep in mind that if | |
224 * you've both a RSA and a DSA private key you can configure | |
225 * both in parallel (to also allow the use of DSA ciphers, etc.) | |
226 * @param ctx Server or Client context to use. | |
227 * @param cert Certificate file. | |
228 * @param key Private Key file to use if not in cert. | |
229 * @param password Certificate password. If null and certificate | |
230 * is encrypted, password prompt will be displayed. | |
231 * @param idx Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA. | |
232 */ | |
233 public static native boolean setCertificate(long ctx, String cert, | |
234 String key, String password, | |
235 int idx) | |
236 throws Exception; | |
237 | |
238 /** | |
239 * Set Certificate | |
240 * <br> | |
241 * Point setCertificate at a PEM encoded certificate stored in a BIO. If | |
242 * the certificate is encrypted, then you will be prompted for a | |
243 * pass phrase. Note that a kill -HUP will prompt again. A test | |
244 * certificate can be generated with `make certificate' under | |
245 * built time. Keep in mind that if you've both a RSA and a DSA | |
246 * certificate you can configure both in parallel (to also allow | |
247 * the use of DSA ciphers, etc.) | |
248 * <br> | |
249 * If the key is not combined with the certificate, use key param | |
250 * to point at the key file. Keep in mind that if | |
251 * you've both a RSA and a DSA private key you can configure | |
252 * both in parallel (to also allow the use of DSA ciphers, etc.) | |
253 * @param ctx Server or Client context to use. | |
254 * @param certBio Certificate BIO. | |
255 * @param keyBio Private Key BIO to use if not in cert. | |
256 * @param password Certificate password. If null and certificate | |
257 * is encrypted, password prompt will be displayed. | |
258 * @param idx Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA. | |
259 */ | |
260 public static native boolean setCertificateBio( | |
261 long ctx, long certBio, long keyBio, String password, int idx) throw
s Exception; | |
262 | |
263 /** | |
264 * Set the size of the internal session cache. | |
265 * http://www.openssl.org/docs/ssl/SSL_CTX_sess_set_cache_size.html | |
266 */ | |
267 public static native long setSessionCacheSize(long ctx, long size); | |
268 | |
269 /** | |
270 * Get the size of the internal session cache. | |
271 * http://www.openssl.org/docs/ssl/SSL_CTX_sess_get_cache_size.html | |
272 */ | |
273 public static native long getSessionCacheSize(long ctx); | |
274 | |
275 /** | |
276 * Set the timeout for the internal session cache in seconds. | |
277 * http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html | |
278 */ | |
279 public static native long setSessionCacheTimeout(long ctx, long timeoutSecon
ds); | |
280 | |
281 /** | |
282 * Get the timeout for the internal session cache in seconds. | |
283 * http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html | |
284 */ | |
285 public static native long getSessionCacheTimeout(long ctx); | |
286 | |
287 /** | |
288 * Set the mode of the internal session cache and return the previous used m
ode. | |
289 */ | |
290 public static native long setSessionCacheMode(long ctx, long mode); | |
291 | |
292 /** | |
293 * Get the mode of the current used internal session cache. | |
294 */ | |
295 public static native long getSessionCacheMode(long ctx); | |
296 | |
297 /** | |
298 * Session resumption statistics methods. | |
299 * http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html | |
300 */ | |
301 public static native long sessionAccept(long ctx); | |
302 public static native long sessionAcceptGood(long ctx); | |
303 public static native long sessionAcceptRenegotiate(long ctx); | |
304 public static native long sessionCacheFull(long ctx); | |
305 public static native long sessionCbHits(long ctx); | |
306 public static native long sessionConnect(long ctx); | |
307 public static native long sessionConnectGood(long ctx); | |
308 public static native long sessionConnectRenegotiate(long ctx); | |
309 public static native long sessionHits(long ctx); | |
310 public static native long sessionMisses(long ctx); | |
311 public static native long sessionNumber(long ctx); | |
312 public static native long sessionTimeouts(long ctx); | |
313 | |
314 /** | |
315 * Set TLS session keys. | |
316 */ | |
317 public static void setSessionTicketKeys(long ctx, SessionTicketKey[] keys) { | |
318 if (keys == null || keys.length == 0) { | |
319 throw new IllegalArgumentException("Length of the keys should be lon
ger than 0."); | |
320 } | |
321 byte[] binaryKeys = new byte[keys.length * SessionTicketKey.TICKET_KEY_S
IZE]; | |
322 for (int i = 0; i < keys.length; i++) { | |
323 SessionTicketKey key = keys[i]; | |
324 int dstCurPos = SessionTicketKey.TICKET_KEY_SIZE * i; | |
325 System.arraycopy(key.getName(), 0, binaryKeys, dstCurPos, SessionTic
ketKey.NAME_SIZE); | |
326 dstCurPos += SessionTicketKey.NAME_SIZE; | |
327 System.arraycopy(key.getHmacKey(), 0, binaryKeys, dstCurPos, Session
TicketKey.HMAC_KEY_SIZE); | |
328 dstCurPos += SessionTicketKey.HMAC_KEY_SIZE; | |
329 System.arraycopy(key.getAesKey(), 0, binaryKeys, dstCurPos, SessionT
icketKey.AES_KEY_SIZE); | |
330 } | |
331 setSessionTicketKeys0(ctx, binaryKeys); | |
332 } | |
333 | |
334 /** | |
335 * Set TLS session keys. This allows us to share keys across TFEs. | |
336 */ | |
337 @Deprecated | |
338 public static void setSessionTicketKeys(long ctx, byte[] keys) { | |
339 if (keys.length % SessionTicketKey.TICKET_KEY_SIZE != 0) { | |
340 throw new IllegalArgumentException("Session ticket keys provided wer
e wrong size. keys.length % " + SessionTicketKey.TICKET_KEY_SIZE + " must be 0")
; | |
341 } | |
342 setSessionTicketKeys0(ctx, keys); | |
343 } | |
344 /** | |
345 * Set TLS session keys. This allows us to share keys across TFEs. | |
346 */ | |
347 private static native void setSessionTicketKeys0(long ctx, byte[] keys); | |
348 | |
349 /** | |
350 * Set File and Directory of concatenated PEM-encoded CA Certificates | |
351 * for Client Auth | |
352 * <br> | |
353 * This directive sets the all-in-one file where you can assemble the | |
354 * Certificates of Certification Authorities (CA) whose clients you deal wit
h. | |
355 * These are used for Client Authentication. Such a file is simply the | |
356 * concatenation of the various PEM-encoded Certificate files, in order of | |
357 * preference. This can be used alternatively and/or additionally to | |
358 * path. | |
359 * <br> | |
360 * The files in this directory have to be PEM-encoded and are accessed throu
gh | |
361 * hash filenames. So usually you can't just place the Certificate files the
re: | |
362 * you also have to create symbolic links named hash-value.N. And you should | |
363 * always make sure this directory contains the appropriate symbolic links. | |
364 * Use the Makefile which comes with mod_ssl to accomplish this task. | |
365 * @param ctx Server or Client context to use. | |
366 * @param file File of concatenated PEM-encoded CA Certificates for | |
367 * Client Auth. | |
368 * @param path Directory of PEM-encoded CA Certificates for Client Auth. | |
369 */ | |
370 public static native boolean setCACertificate(long ctx, String file, | |
371 String path) | |
372 throws Exception; | |
373 | |
374 /** | |
375 * Set file for randomness | |
376 * @param ctx Server or Client context to use. | |
377 * @param file random file. | |
378 */ | |
379 public static native void setRandom(long ctx, String file); | |
380 | |
381 /** | |
382 * Set SSL connection shutdown type | |
383 * <br> | |
384 * The following levels are available for level: | |
385 * <PRE> | |
386 * SSL_SHUTDOWN_TYPE_STANDARD | |
387 * SSL_SHUTDOWN_TYPE_UNCLEAN | |
388 * SSL_SHUTDOWN_TYPE_ACCURATE | |
389 * </PRE> | |
390 * @param ctx Server or Client context to use. | |
391 * @param type Shutdown type to use. | |
392 */ | |
393 public static native void setShutdownType(long ctx, int type); | |
394 | |
395 /** | |
396 * Set Type of Client Certificate verification and Maximum depth of CA Certi
ficates | |
397 * in Client Certificate verification. | |
398 * <br> | |
399 * This directive sets the Certificate verification level for the Client | |
400 * Authentication. Notice that this directive can be used both in per-server | |
401 * and per-directory context. In per-server context it applies to the client | |
402 * authentication process used in the standard SSL handshake when a connecti
on | |
403 * is established. In per-directory context it forces a SSL renegotiation wi
th | |
404 * the reconfigured client verification level after the HTTP request was rea
d | |
405 * but before the HTTP response is sent. | |
406 * <br> | |
407 * The following levels are available for level: | |
408 * <PRE> | |
409 * SSL_CVERIFY_NONE - No client Certificate is required at all | |
410 * SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate | |
411 * SSL_CVERIFY_REQUIRE - The client has to present a valid Certificat
e | |
412 * SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate | |
413 * but it need not to be (successfully) verifia
ble | |
414 * </PRE> | |
415 * <br> | |
416 * The depth actually is the maximum number of intermediate certificate issu
ers, | |
417 * i.e. the number of CA certificates which are max allowed to be followed w
hile | |
418 * verifying the client certificate. A depth of 0 means that self-signed cli
ent | |
419 * certificates are accepted only, the default depth of 1 means the client | |
420 * certificate can be self-signed or has to be signed by a CA which is direc
tly | |
421 * known to the server (i.e. the CA's certificate is under | |
422 * <code>setCACertificatePath</code>), etc. | |
423 * @param ctx Server or Client context to use. | |
424 * @param level Type of Client Certificate verification. | |
425 * @param depth Maximum depth of CA Certificates in Client Certificate | |
426 * verification. | |
427 */ | |
428 public static native void setVerify(long ctx, int level, int depth); | |
429 | |
430 /** | |
431 * Allow to hook {@link CertificateVerifier} into the handshake processing. | |
432 * This will call {@code SSL_CTX_set_cert_verify_callback} and so replace th
e default verification | |
433 * callback used by openssl | |
434 * @param ctx Server or Client context to use. | |
435 * @param verifier the verifier to call during handshake. | |
436 */ | |
437 public static native void setCertVerifyCallback(long ctx, CertificateVerifie
r verifier); | |
438 | |
439 /** | |
440 * Set next protocol for next protocol negotiation extension | |
441 * @param ctx Server context to use. | |
442 * @param nextProtos comma delimited list of protocols in priority order | |
443 * | |
444 * @deprecated use {@link #setNpnProtos(long, String[], int)} | |
445 */ | |
446 @Deprecated | |
447 public static void setNextProtos(long ctx, String nextProtos) { | |
448 setNpnProtos(ctx, nextProtos.split(","), SSL.SSL_SELECTOR_FAILURE_CHOOSE
_MY_LAST_PROTOCOL); | |
449 } | |
450 | |
451 /** | |
452 * Set next protocol for next protocol negotiation extension | |
453 * @param ctx Server context to use. | |
454 * @param nextProtos protocols in priority order | |
455 * @param selectorFailureBehavior see {@link SSL#SSL_SELECTOR_FAILURE_NO_ADV
ERTISE} | |
456 * and {@link SSL#SSL_SELECTOR_FAILURE_CHOOSE
_MY_LAST_PROTOCOL} | |
457 */ | |
458 public static native void setNpnProtos(long ctx, String[] nextProtos, int se
lectorFailureBehavior); | |
459 | |
460 /** | |
461 * Set application layer protocol for application layer protocol negotiation
extension | |
462 * @param ctx Server context to use. | |
463 * @param alpnProtos protocols in priority order | |
464 * @param selectorFailureBehavior see {@link SSL#SSL_SELECTOR_FAILURE_NO_ADV
ERTISE} | |
465 * and {@link SSL#SSL_SELECTOR_FAILURE_CHOOSE
_MY_LAST_PROTOCOL} | |
466 */ | |
467 public static native void setAlpnProtos(long ctx, String[] alpnProtos, int s
electorFailureBehavior); | |
468 | |
469 /** | |
470 * Set DH parameters | |
471 * @param ctx Server context to use. | |
472 * @param cert DH param file (can be generated from e.g. {@code openssl dhpa
ram -rand - 2048 > dhparam.pem} - | |
473 * see the <a href="https://www.openssl.org/docs/apps/dhparam.ht
ml">OpenSSL documentation</a>). | |
474 */ | |
475 public static native void setTmpDH(long ctx, String cert) | |
476 throws Exception; | |
477 | |
478 /** | |
479 * Set ECDH elliptic curve by name | |
480 * @param ctx Server context to use. | |
481 * @param curveName the name of the elliptic curve to use | |
482 * (available names can be obtained from {@code openssl ecparam
-list_curves}). | |
483 */ | |
484 public static native void setTmpECDHByCurveName(long ctx, String curveName) | |
485 throws Exception; | |
486 | |
487 /** | |
488 * Set the context within which session be reused (server side only) | |
489 * http://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html | |
490 * | |
491 * @param ctx Server context to use. | |
492 * @param sidCtx can be any kind of binary data, it is therefore possible to
use e.g. the name | |
493 * of the application and/or the hostname and/or service name | |
494 * @return {@code true} if success, {@code false} otherwise. | |
495 */ | |
496 public static native boolean setSessionIdContext(long ctx, byte[] sidCtx); | |
497 } | |
OLD | NEW |