| Index: java/io/netty/internal/tcnative/SSL.java
|
| diff --git a/java/io/netty/internal/tcnative/SSL.java b/java/io/netty/internal/tcnative/SSL.java
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..a126d1837f2486b25a542f33bae5a45b336383a5
|
| --- /dev/null
|
| +++ b/java/io/netty/internal/tcnative/SSL.java
|
| @@ -0,0 +1,628 @@
|
| +/*
|
| + * Copyright 2016 The Netty Project
|
| + *
|
| + * The Netty Project licenses this file to you under the Apache License,
|
| + * version 2.0 (the "License"); you may not use this file except in compliance
|
| + * with the License. You may obtain a copy of the License at:
|
| + *
|
| + * http://www.apache.org/licenses/LICENSE-2.0
|
| + *
|
| + * Unless required by applicable law or agreed to in writing, software
|
| + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
| + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
| + * License for the specific language governing permissions and limitations
|
| + * under the License.
|
| + */
|
| +/*
|
| + * Licensed to the Apache Software Foundation (ASF) under one or more
|
| + * contributor license agreements. See the NOTICE file distributed with
|
| + * this work for additional information regarding copyright ownership.
|
| + * The ASF licenses this file to You under the Apache License, Version 2.0
|
| + * (the "License"); you may not use this file except in compliance with
|
| + * the License. You may obtain a copy of the License at
|
| + *
|
| + * http://www.apache.org/licenses/LICENSE-2.0
|
| + *
|
| + * Unless required by applicable law or agreed to in writing, software
|
| + * distributed under the License is distributed on an "AS IS" BASIS,
|
| + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
| + * See the License for the specific language governing permissions and
|
| + * limitations under the License.
|
| + */
|
| +package io.netty.internal.tcnative;
|
| +
|
| +import java.nio.ByteBuffer;
|
| +
|
| +import static io.netty.internal.tcnative.NativeStaticallyReferencedJniMethods.*;
|
| +
|
| +public final class SSL {
|
| +
|
| + private SSL() { }
|
| +
|
| + /*
|
| + * Define the SSL Protocol options
|
| + */
|
| + public static final int SSL_PROTOCOL_NONE = 0;
|
| + public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
|
| + public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
|
| + public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
|
| + public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
|
| + public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
|
| +
|
| + /** TLS_*method according to <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html">SSL_CTX_new</a> */
|
| + public static final int SSL_PROTOCOL_TLS = (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2);
|
| + public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLS);
|
| +
|
| + /*
|
| + * Define the SSL verify levels
|
| + */
|
| + public static final int SSL_CVERIFY_IGNORED = -1;
|
| + public static final int SSL_CVERIFY_NONE = 0;
|
| + public static final int SSL_CVERIFY_OPTIONAL = 1;
|
| + public static final int SSL_CVERIFY_REQUIRED = 2;
|
| +
|
| + public static final int SSL_OP_CIPHER_SERVER_PREFERENCE = sslOpCipherServerPreference();
|
| + public static final int SSL_OP_NO_SSLv2 = sslOpNoSSLv2();
|
| + public static final int SSL_OP_NO_SSLv3 = sslOpNoSSLv3();
|
| + public static final int SSL_OP_NO_TLSv1 = sslOpNoTLSv1();
|
| + public static final int SSL_OP_NO_TLSv1_1 = sslOpNoTLSv11();
|
| + public static final int SSL_OP_NO_TLSv1_2 = sslOpNoTLSv12();
|
| + public static final int SSL_OP_NO_TICKET = sslOpNoTicket();
|
| +
|
| + public static final int SSL_OP_NO_COMPRESSION = sslOpNoCompression();
|
| +
|
| + public static final int SSL_MODE_CLIENT = 0;
|
| + public static final int SSL_MODE_SERVER = 1;
|
| + public static final int SSL_MODE_COMBINED = 2;
|
| +
|
| + public static final long SSL_SESS_CACHE_OFF = sslSessCacheOff();
|
| + public static final long SSL_SESS_CACHE_SERVER = sslSessCacheServer();
|
| +
|
| + public static final int SSL_SELECTOR_FAILURE_NO_ADVERTISE = 0;
|
| + public static final int SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL = 1;
|
| +
|
| + public static final int SSL_ST_CONNECT = sslStConnect();
|
| + public static final int SSL_ST_ACCEPT = sslStAccept();
|
| +
|
| + public static final int SSL_MODE_ENABLE_PARTIAL_WRITE = sslModeEnablePartialWrite();
|
| + public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = sslModeAcceptMovingWriteBuffer();
|
| + public static final int SSL_MODE_RELEASE_BUFFERS = sslModeReleaseBuffers();
|
| +
|
| + // https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.html
|
| + public static final int X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = x509CheckFlagAlwaysCheckSubject();
|
| + public static final int X509_CHECK_FLAG_NO_WILD_CARDS = x509CheckFlagDisableWildCards();
|
| + public static final int X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS = x509CheckFlagNoPartialWildCards();
|
| + public static final int X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = x509CheckFlagMultiLabelWildCards();
|
| +
|
| + /* Return OpenSSL version number */
|
| + public static native int version();
|
| +
|
| + /* Return OpenSSL version string */
|
| + public static native String versionString();
|
| +
|
| + /**
|
| + * Initialize OpenSSL support.
|
| + *
|
| + * This function needs to be called once for the
|
| + * lifetime of JVM. See {@link Library#initialize(String, String)}
|
| + *
|
| + * @param engine Support for external a Crypto Device ("engine"),
|
| + * usually a hardware accelerator card for crypto operations.
|
| + * @return APR status code
|
| + */
|
| + static native int initialize(String engine);
|
| +
|
| + /**
|
| + * Initialize new in-memory BIO that is located in the secure heap.
|
| + *
|
| + * @return New BIO handle
|
| + * @throws Exception if an error happened.
|
| + */
|
| + public static native long newMemBIO() throws Exception;
|
| +
|
| + /**
|
| + * Return last SSL error string
|
| + *
|
| + * @return the last SSL error string.
|
| + */
|
| + public static native String getLastError();
|
| +
|
| + /**
|
| + * Return true if all the requested SSL_OP_* are supported by OpenSSL.
|
| + *
|
| + * @param op Bitwise-OR of all SSL_OP_* to test.
|
| + *
|
| + * @return true if all SSL_OP_* are supported by OpenSSL library.
|
| + */
|
| + public static native boolean hasOp(int op);
|
| +
|
| + /*
|
| + * Begin Twitter API additions
|
| + */
|
| +
|
| + public static final int SSL_SENT_SHUTDOWN = sslSendShutdown();
|
| + public static final int SSL_RECEIVED_SHUTDOWN = sslReceivedShutdown();
|
| +
|
| + public static final int SSL_ERROR_NONE = sslErrorNone();
|
| + public static final int SSL_ERROR_SSL = sslErrorSSL();
|
| + public static final int SSL_ERROR_WANT_READ = sslErrorWantRead();
|
| + public static final int SSL_ERROR_WANT_WRITE = sslErrorWantWrite();
|
| + public static final int SSL_ERROR_WANT_X509_LOOKUP = sslErrorWantX509Lookup();
|
| + public static final int SSL_ERROR_SYSCALL = sslErrorSyscall(); /* look at error stack/return value/errno */
|
| + public static final int SSL_ERROR_ZERO_RETURN = sslErrorZeroReturn();
|
| + public static final int SSL_ERROR_WANT_CONNECT = sslErrorWantConnect();
|
| + public static final int SSL_ERROR_WANT_ACCEPT = sslErrorWantAccept();
|
| +
|
| + /**
|
| + * SSL_new
|
| + * @param ctx Server or Client context to use.
|
| + * @param server if true configure SSL instance to use accept handshake routines
|
| + * if false configure SSL instance to use connect handshake routines
|
| + * @return pointer to SSL instance (SSL *)
|
| + */
|
| + public static native long newSSL(long ctx, boolean server);
|
| +
|
| + /**
|
| + * SSL_get_error
|
| + * @param ssl SSL pointer (SSL *)
|
| + * @param ret TLS/SSL I/O return value
|
| + * @return the error code
|
| + */
|
| + public static native int getError(long ssl, int ret);
|
| +
|
| + /**
|
| + * BIO_write
|
| + * @param bioAddress The address of a {@code BIO*}.
|
| + * @param wbufAddress The address of a native {@code char*}.
|
| + * @param wlen The length to write starting at {@code wbufAddress}.
|
| + * @return The number of bytes that were written.
|
| + * See <a href="https://www.openssl.org/docs/man1.0.1/crypto/BIO_write.html">BIO_write</a> for exceptional return values.
|
| + */
|
| + public static native int bioWrite(long bioAddress, long wbufAddress, int wlen);
|
| +
|
| + /**
|
| + * Initialize the BIO for the SSL instance. This is a custom BIO which is designed to play nicely with a direct
|
| + * {@link ByteBuffer}. Because it is a special BIO it requires special usage such that
|
| + * {@link #bioSetByteBuffer(long, long, int, boolean)} and {@link #bioClearByteBuffer(long)} are called in order to provide
|
| + * to supply data to SSL, and also to ensure the internal SSL buffering mechanism is expecting write at the appropriate times.
|
| + *
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @param nonApplicationBufferSize The size of the internal buffer for write operations that are not
|
| + * initiated directly by the application attempting to encrypt data.
|
| + * Must be >{@code 0}.
|
| + * @return pointer to the Network BIO (BIO *).
|
| + * The memory is owned by {@code ssl} and will be cleaned up by {@link #freeSSL(long)}.
|
| + */
|
| + public static native long bioNewByteBuffer(long ssl, int nonApplicationBufferSize);
|
| +
|
| + /**
|
| + * Set the memory location which that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted
|
| + * data from.
|
| + * <p>
|
| + * After you are done buffering data you should call {@link #bioClearByteBuffer(long)}.
|
| + * @param bio {@code BIO*}.
|
| + * @param bufferAddress The memory address (typically from a direct {@link ByteBuffer}) which will be used
|
| + * to either write encrypted data to, or read encrypted data from by OpenSSL's internal BIO pair.
|
| + * @param maxUsableBytes The maximum usable length in bytes starting at {@code bufferAddress}.
|
| + * @param isSSLWriteSink {@code true} if this buffer is expected to buffer data as a result of calls to {@code SSL_write}.
|
| + * {@code false} if this buffer is expected to buffer data as a result of calls to {@code SSL_read}.
|
| + */
|
| + public static native void bioSetByteBuffer(long bio, long bufferAddress, int maxUsableBytes, boolean isSSLWriteSink);
|
| +
|
| + /**
|
| + * After you are done buffering data from {@link #bioSetByteBuffer(long, long, int, boolean)}, this will ensure the
|
| + * internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc..).
|
| + * @param bio {@code BIO*}.
|
| + */
|
| + public static native void bioClearByteBuffer(long bio);
|
| +
|
| + /**
|
| + * Flush any pending bytes in the internal SSL write buffer.
|
| + * <p>
|
| + * This does the same thing as {@code BIO_flush} for a {@code BIO*} of type {@link #bioNewByteBuffer(long, int)} but
|
| + * returns the number of bytes that were flushed.
|
| + * @param bio {@code BIO*}.
|
| + * @return The number of bytes that were flushed.
|
| + */
|
| + public static native int bioFlushByteBuffer(long bio);
|
| +
|
| + /**
|
| + * Get the remaining length of the {@link ByteBuffer} set by {@link #bioSetByteBuffer(long, long, int, boolean)}.
|
| + * @param bio {@code BIO*}.
|
| + * @return The remaining length of the {@link ByteBuffer} set by {@link #bioSetByteBuffer(long, long, int, boolean)}.
|
| + */
|
| + public static native int bioLengthByteBuffer(long bio);
|
| +
|
| + /**
|
| + * Get the amount of data pending in buffer used for non-application writes.
|
| + * This value will not exceed the value configured in {@link #bioNewByteBuffer(long, int)}.
|
| + * @param bio {@code BIO*}.
|
| + * @return the amount of data pending in buffer used for non-application writes.
|
| + */
|
| + public static native int bioLengthNonApplication(long bio);
|
| +
|
| + /**
|
| + * SSL_write
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @param wbuf the memory address of the buffer
|
| + * @param wlen the length
|
| + * @return the number of written bytes
|
| + */
|
| + public static native int writeToSSL(long ssl, long wbuf, int wlen);
|
| +
|
| + /**
|
| + * SSL_read
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @param rbuf the memory address of the buffer
|
| + * @param rlen the length
|
| + * @return the number of read bytes
|
| + */
|
| + public static native int readFromSSL(long ssl, long rbuf, int rlen);
|
| +
|
| + /**
|
| + * SSL_get_shutdown
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the return code of {@code SSL_get_shutdown}
|
| + */
|
| + public static native int getShutdown(long ssl);
|
| +
|
| + /**
|
| + * SSL_set_shutdown
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @param mode the mode to use
|
| + */
|
| + public static native void setShutdown(long ssl, int mode);
|
| +
|
| + /**
|
| + * SSL_free
|
| + * @param ssl the SSL instance (SSL *)
|
| + */
|
| + public static native void freeSSL(long ssl);
|
| +
|
| + /**
|
| + * BIO_free
|
| + * @param bio the BIO
|
| + */
|
| + public static native void freeBIO(long bio);
|
| +
|
| + /**
|
| + * SSL_shutdown
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the return code of {@code SSL_shutdown}
|
| + */
|
| + public static native int shutdownSSL(long ssl);
|
| +
|
| + /**
|
| + * Get the error number representing the last error OpenSSL encountered on this thread.
|
| + * @return the last error code for the calling thread.
|
| + */
|
| + public static native int getLastErrorNumber();
|
| +
|
| + /**
|
| + * SSL_get_cipher
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the name of the current cipher.
|
| + */
|
| + public static native String getCipherForSSL(long ssl);
|
| +
|
| + /**
|
| + * SSL_get_version
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the version.
|
| + */
|
| + public static native String getVersion(long ssl);
|
| +
|
| + /**
|
| + * SSL_do_handshake
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the return code of {@code SSL_do_handshake}.
|
| + */
|
| + public static native int doHandshake(long ssl);
|
| +
|
| + /**
|
| + * SSL_in_init
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the return code of {@code SSL_in_init}.
|
| + */
|
| + public static native int isInInit(long ssl);
|
| +
|
| + /**
|
| + * SSL_get0_next_proto_negotiated
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the name of the negotiated proto
|
| + */
|
| + public static native String getNextProtoNegotiated(long ssl);
|
| +
|
| + /*
|
| + * End Twitter API Additions
|
| + */
|
| +
|
| + /**
|
| + * SSL_get0_alpn_selected
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the name of the selected ALPN protocol
|
| + */
|
| + public static native String getAlpnSelected(long ssl);
|
| +
|
| + /**
|
| + * Get the peer certificate chain or {@code null} if none was send.
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the chain or {@code null} if none was send
|
| + */
|
| + public static native byte[][] getPeerCertChain(long ssl);
|
| +
|
| + /**
|
| + * Get the peer certificate or {@code null} if non was send.
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the peer certificate or {@code null} if none was send
|
| + */
|
| + public static native byte[] getPeerCertificate(long ssl);
|
| +
|
| + /**
|
| + * Get the error string representing for the given {@code errorNumber}.
|
| + *
|
| + * @param errorNumber the error number / code
|
| + * @return the error string
|
| + */
|
| + public static native String getErrorString(long errorNumber);
|
| +
|
| + /**
|
| + * SSL_get_time
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return returns the time at which the session ssl was established. The time is given in seconds since the Epoch
|
| + */
|
| + public static native long getTime(long ssl);
|
| +
|
| + /**
|
| + * SSL_get_timeout
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return returns the timeout for the session ssl The time is given in seconds since the Epoch
|
| + */
|
| + public static native long getTimeout(long ssl);
|
| +
|
| + /**
|
| + * SSL_set_timeout
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @param seconds timeout in seconds
|
| + * @return returns the timeout for the session ssl before this call. The time is given in seconds since the Epoch
|
| + */
|
| + public static native long setTimeout(long ssl, long seconds);
|
| +
|
| + /**
|
| + * Set Type of Client Certificate verification and Maximum depth of CA Certificates
|
| + * in Client Certificate verification.
|
| + * <p>
|
| + * This directive sets the Certificate verification level for the Client
|
| + * Authentication. Notice that this directive can be used both in per-server
|
| + * and per-directory context. In per-server context it applies to the client
|
| + * authentication process used in the standard SSL handshake when a connection
|
| + * is established. In per-directory context it forces a SSL renegotiation with
|
| + * the reconfigured client verification level after the HTTP request was read
|
| + * but before the HTTP response is sent.
|
| + * <p>
|
| + * The following levels are available for level:
|
| + * <ul>
|
| + * <li>{@link #SSL_CVERIFY_IGNORED} - The level is ignored. Only depth will change.</li>
|
| + * <li>{@link #SSL_CVERIFY_NONE} - No client Certificate is required at all</li>
|
| + * <li>{@link #SSL_CVERIFY_OPTIONAL} - The client may present a valid Certificate</li>
|
| + * <li>{@link #SSL_CVERIFY_REQUIRED} - The client has to present a valid Certificate</li>
|
| + * </ul>
|
| + * The depth actually is the maximum number of intermediate certificate issuers,
|
| + * i.e. the number of CA certificates which are max allowed to be followed while
|
| + * verifying the client certificate. A depth of 0 means that self-signed client
|
| + * certificates are accepted only, the default depth of 1 means the client
|
| + * certificate can be self-signed or has to be signed by a CA which is directly
|
| + * known to the server (i.e. the CA's certificate is under
|
| + * {@code setCACertificatePath}, etc.
|
| + *
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @param level Type of Client Certificate verification.
|
| + * @param depth Maximum depth of CA Certificates in Client Certificate
|
| + * verification. Ignored if value is {@code <0}.
|
| + */
|
| + public static native void setVerify(long ssl, int level, int depth);
|
| +
|
| + /**
|
| + * Set OpenSSL Option.
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @param options See SSL.SSL_OP_* for option flags.
|
| + */
|
| + public static native void setOptions(long ssl, int options);
|
| +
|
| + /**
|
| + * Clear OpenSSL Option.
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @param options See SSL.SSL_OP_* for option flags.
|
| + */
|
| + public static native void clearOptions(long ssl, int options);
|
| +
|
| + /**
|
| + * Get OpenSSL Option.
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return options See SSL.SSL_OP_* for option flags.
|
| + */
|
| + public static native int getOptions(long ssl);
|
| +
|
| + /**
|
| + * Returns all Returns the cipher suites that are available for negotiation in an SSL handshake.
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return ciphers
|
| + */
|
| + public static native String[] getCiphers(long ssl);
|
| +
|
| + /**
|
| + * Returns the cipher suites available for negotiation in SSL handshake.
|
| + * <p>
|
| + * This complex directive uses a colon-separated cipher-spec string consisting
|
| + * of OpenSSL cipher specifications to configure the Cipher Suite the client
|
| + * is permitted to negotiate in the SSL handshake phase. Notice that this
|
| + * directive can be used both in per-server and per-directory context.
|
| + * In per-server context it applies to the standard SSL handshake when a
|
| + * connection is established. In per-directory context it forces a SSL
|
| + * renegotiation with the reconfigured Cipher Suite after the HTTP request
|
| + * was read but before the HTTP response is sent.
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @param ciphers an SSL cipher specification
|
| + * @return {@code true} if successful
|
| + * @throws Exception if an error happened
|
| + */
|
| + public static native boolean setCipherSuites(long ssl, String ciphers)
|
| + throws Exception;
|
| +
|
| + /**
|
| + * Returns the ID of the session as byte array representation.
|
| + *
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the session as byte array representation obtained via SSL_SESSION_get_id.
|
| + */
|
| + public static native byte[] getSessionId(long ssl);
|
| +
|
| + /**
|
| + * Returns the number of handshakes done for this SSL instance. This also includes renegations.
|
| + *
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the number of handshakes done for this SSL instance.
|
| + */
|
| + public static native int getHandshakeCount(long ssl);
|
| +
|
| + /**
|
| + * Clear all the errors from the error queue that OpenSSL encountered on this thread.
|
| + */
|
| + public static native void clearError();
|
| +
|
| + /**
|
| + * Call SSL_renegotiate.
|
| + *
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @return the result of the operation
|
| + */
|
| + public static native int renegotiate(long ssl);
|
| +
|
| + /**
|
| + * Call SSL_set_state.
|
| + *
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @param state the state to set
|
| + */
|
| + public static native void setState(long ssl, int state);
|
| +
|
| + /**
|
| + * Call SSL_set_tlsext_host_name
|
| + *
|
| + * @param ssl the SSL instance (SSL *)
|
| + * @param hostname the hostname
|
| + */
|
| + public static native void setTlsExtHostName(long ssl, String hostname);
|
| +
|
| + /**
|
| + * Explicitly control <a href="https://wiki.openssl.org/index.php/Hostname_validation">hostname validation</a>
|
| + * <a href="https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.html">see X509_check_host for X509_CHECK_FLAG* definitions</a>.
|
| + * Values are defined as a bitmask of {@code X509_CHECK_FLAG*} values.
|
| + * @param ssl the SSL instance (SSL*).
|
| + * @param flags a bitmask of {@code X509_CHECK_FLAG*} values.
|
| + * @param hostname the hostname which is expected for validation.
|
| + */
|
| + public static native void setHostNameValidation(long ssl, int flags, String hostname);
|
| +
|
| + /**
|
| + * Return the methods used for authentication.
|
| + *
|
| + * @param ssl the SSL instance (SSL*)
|
| + * @return the methods
|
| + */
|
| + public static native String[] authenticationMethods(long ssl);
|
| +
|
| + /**
|
| + * Set BIO of PEM-encoded Server CA Certificates
|
| + * <p>
|
| + * This directive sets the optional all-in-one file where you can assemble the
|
| + * certificates of Certification Authorities (CA) which form the certificate
|
| + * chain of the server certificate. This starts with the issuing CA certificate
|
| + * of of the server certificate and can range up to the root CA certificate.
|
| + * Such a file is simply the concatenation of the various PEM-encoded CA
|
| + * Certificate files, usually in certificate chain order.
|
| + * <p>
|
| + * But be careful: Providing the certificate chain works only if you are using
|
| + * a single (either RSA or DSA) based server certificate. If you are using a
|
| + * coupled RSA+DSA certificate pair, this will work only if actually both
|
| + * certificates use the same certificate chain. Otherwsie the browsers will be
|
| + * confused in this situation.
|
| + * @param ssl Server or Client to use.
|
| + * @param bio BIO of PEM-encoded Server CA Certificates.
|
| + * @param skipfirst Skip first certificate if chain file is inside
|
| + * certificate file.
|
| + */
|
| + public static native void setCertificateChainBio(long ssl, long bio, boolean skipfirst);
|
| +
|
| + /**
|
| + * Set Certificate
|
| + * <br>
|
| + * Point setCertificate at a PEM encoded certificate stored in a BIO. If
|
| + * the certificate is encrypted, then you will be prompted for a
|
| + * pass phrase. Note that a kill -HUP will prompt again. A test
|
| + * certificate can be generated with `make certificate' under
|
| + * built time. Keep in mind that if you've both a RSA and a DSA
|
| + * certificate you can configure both in parallel (to also allow
|
| + * the use of DSA ciphers, etc.)
|
| + * <br>
|
| + * If the key is not combined with the certificate, use key param
|
| + * to point at the key file. Keep in mind that if
|
| + * you've both a RSA and a DSA private key you can configure
|
| + * both in parallel (to also allow the use of DSA ciphers, etc.)
|
| + * @param ssl Server or Client to use.
|
| + * @param certBio Certificate BIO.
|
| + * @param keyBio Private Key BIO to use if not in cert.
|
| + * @param password Certificate password. If null and certificate
|
| + * is encrypted.
|
| + * @throws Exception if an error happened
|
| + */
|
| + public static native void setCertificateBio(
|
| + long ssl, long certBio, long keyBio, String password) throws Exception;
|
| +
|
| + /**
|
| + * Parse private key from BIO and return {@code EVP_PKEY} pointer.
|
| + *
|
| + * <p>Be sure you understand how OpenSsl will behave with respect to reference counting!
|
| + *
|
| + * If the {@code EVP_PKEY} pointer is used with the client certificate callback
|
| + * {@link CertificateRequestedCallback} the ownership goes over to OpenSsl / Tcnative and so calling
|
| + * {@link #freePrivateKey(long)} should <strong>NOT</strong> be done in this case. Otherwise you may
|
| + * need to call {@link #freePrivateKey(long)} to decrement the reference count and free memory.
|
| + *
|
| + * @param privateKeyBio the pointer to the {@code BIO} that contains the private key
|
| + * @param password the password or {@code null} if no password is needed
|
| + * @return {@code EVP_PKEY} pointer
|
| + * @throws Exception if an error happened
|
| + */
|
| + public static native long parsePrivateKey(long privateKeyBio, String password) throws Exception;
|
| +
|
| + /**
|
| + * Free private key ({@code EVP_PKEY} pointer).
|
| + *
|
| + * @param privateKey {@code EVP_PKEY} pointer
|
| + */
|
| + public static native void freePrivateKey(long privateKey);
|
| +
|
| + /**
|
| + * Parse X509 chain from BIO and return ({@code STACK_OF(X509)} pointer).
|
| + *
|
| + * <p>Be sure you understand how OpenSsl will behave with respect to reference counting!
|
| + *
|
| + * If the {@code STACK_OF(X509)} pointer is used with the client certificate callback
|
| + * {@link CertificateRequestedCallback} the ownership goes over to OpenSsl / Tcnative and and so calling
|
| + * {@link #freeX509Chain(long)} should <strong>NOT</strong> be done in this case. Otherwise you may
|
| + * need to call {@link #freeX509Chain(long)} to decrement the reference count and free memory.
|
| + *
|
| + * @param x509ChainBio the pointer to the {@code BIO} that contains the X509 chain
|
| + * @return {@code STACK_OF(X509)} pointer
|
| + * @throws Exception if an error happened
|
| + */
|
| + public static native long parseX509Chain(long x509ChainBio) throws Exception;
|
| +
|
| + /**
|
| + * Free x509 chain ({@code STACK_OF(X509)} pointer).
|
| + *
|
| + * @param x509Chain {@code STACK_OF(X509)} pointer
|
| + */
|
| + public static native void freeX509Chain(long x509Chain);
|
| +}
|
|
|
Chromium Code Reviews
Issue 2842333002:
Updated netty-tcnative to version 2.0.0.Final (Closed)
