Skip to content
Permalink
Browse files

Updated SSL API; client certificate inspection support

  • Loading branch information...
apangin committed Sep 4, 2019
1 parent 8197553 commit 7a7b32aa282d61a87800aae22b1048fafef1a9b6
@@ -335,6 +335,11 @@ public SslContext getSslContext() {
return null;
}

@Override
public <T> T getSslOption(SslOption<T> option) {
return null;
}

@Override
public SelectableChannel getSelectableChannel() {
return ch;
@@ -303,6 +303,11 @@ public SslContext getSslContext() {
return null;
}

@Override
public <T> T getSslOption(SslOption<T> option) {
return null;
}

@Override
public SelectableChannel getSelectableChannel() {
return ch;
@@ -353,6 +353,11 @@ public SslContext getSslContext() {
return null;
}

@Override
public <T> T getSslOption(SslOption<T> option) {
return null;
}

@Override
public SelectableChannel getSelectableChannel() {
return ch;
@@ -103,6 +103,11 @@ public SslContext getSslContext() {
return null;
}

@Override
public <T> T getSslOption(SslOption<T> option) {
return null;
}

@Override
public final void connect(InetAddress address, int port) throws IOException {
connect0(address.getAddress(), port);
@@ -110,10 +110,13 @@ public void setProtocols(String protocols) {
case "tlsv1.2":
enabled |= 0x08000000;
break;
case "tlsv1.3":
enabled |= 0x20000000;
break;
}
}

int all = 0x00020000 + 0x01000000 + 0x02000000 + 0x04000000 + 0x08000000 + 0x10000000;
int all = 0x00020000 + 0x01000000 + 0x02000000 + 0x04000000 + 0x08000000 + 0x10000000 + 0x20000000;
clearOptions(enabled);
setOptions(all - enabled);
}
@@ -60,11 +60,25 @@ public SslContext getSslContext() {
}

@Override
public byte[] getOption(int level, int option) {
if (level == SOL_SSL) {
return sslGetOption(option);
@SuppressWarnings("unchecked")
public Object getSslOption(SslOption option) {
switch (option.id) {
case 1:
return sslPeerCertificate();
case 2:
return sslCertName(0);
case 3:
return sslCertName(1);
case 4:
return sslVerifyResult();
case 5:
return sslSessionReused();
case 6:
return sslSessionTicket();
case 7:
return sslCurrentCipher();
}
return super.getOption(level, option);
return null;
}

@Override
@@ -90,7 +104,14 @@ public long sendFile(RandomAccessFile file, long offset, long count) throws IOEx
@Override
public synchronized native void readFully(byte[] data, int offset, int count) throws IOException;

private synchronized native byte[] sslGetOption(int option);
private synchronized native byte[] sslPeerCertificate();
private synchronized native String sslCertName(int which);
private synchronized native String sslVerifyResult();

private synchronized native boolean sslSessionReused();
private synchronized native int sslSessionTicket();

private synchronized native String sslCurrentCipher();

static native long sslNew(int fd, long ctx, boolean serverMode) throws IOException;
static native void sslFree(long ssl);
@@ -33,16 +33,6 @@
public static final int SOL_IPV6 = 41;
public static final int SOL_TCP = 6;
public static final int SOL_UDP = 17;
public static final int SOL_SSL = 1024;

// Options to use with SOL_SSL

// Session ID as a byte array
public static final int SSL_SESSION = 1;
// 0 = new SSL session; 1 = reused SSL session
public static final int SSL_SESSION_REUSED = 2;
// 0 = no ticket; 1 = reused ticket; 2 = reused older ticket; 3 = newly issued ticket
public static final int SSL_SESSION_TICKET = 3;

// Flags for readRaw / writeRaw
public static final int MSG_OOB = 0x01;
@@ -54,7 +44,6 @@
public static final int MSG_MORE = 0x8000;

// Options for setTos

public static final int IPTOS_MINCOST = 0x02;
public static final int IPTOS_RELIABILITY = 0x04;
public static final int IPTOS_THROUGHPUT = 0x08;
@@ -103,6 +92,7 @@
public abstract Socket sslWrap(SslContext context) throws IOException;
public abstract Socket sslUnwrap();
public abstract SslContext getSslContext();
public abstract <T> T getSslOption(SslOption<T> option);

public Socket acceptNonBlocking() throws IOException {
Socket s = accept();
@@ -23,8 +23,8 @@

@Config
public class SslConfig {
// Intermediate compatibility ciphersuite according to https://wiki.mozilla.org/Security/Server_Side_TLS
static final String DEFAULT_CIPHERS = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
// Conservative ciphersuite according to https://wiki.mozilla.org/Security/Server_Side_TLS
static final String DEFAULT_CIPHERS = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA";
static final int DEFAULT_CACHE_SIZE = 262144;
static final long DEFAULT_TIMEOUT_SEC = 300;
static final long DEFAULT_REFRESH_INTERVAL = 300_000;
@@ -58,6 +58,8 @@ public static SslConfig from(Properties props) {
config.ciphers = props.getProperty("one.nio.ssl.ciphers");
config.certFile = toArray(props.getProperty("one.nio.ssl.certFile"));
config.privateKeyFile = toArray(props.getProperty("one.nio.ssl.privateKeyFile"));
config.passphrase = props.getProperty("one.nio.ssl.passphrase");
config.caFile = props.getProperty("one.nio.ssl.caFile");
config.ticketKeyFile = props.getProperty("one.nio.ssl.ticketKeyFile");
return config;
}
@@ -0,0 +1,47 @@
/*
* Copyright 2019 Odnoklassniki Ltd, Mail.Ru Group
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package one.nio.net;

public class SslOption<T> {
public static final SslOption<byte[]> PEER_CERTIFICATE = new SslOption<>(1, byte[].class);
public static final SslOption<String> PEER_SUBJECT = new SslOption<>(2, String.class);
public static final SslOption<String> PEER_ISSUER = new SslOption<>(3, String.class);
public static final SslOption<String> VERIFY_RESULT = new SslOption<>(4, String.class);

public static final SslOption<Boolean> SESSION_REUSED = new SslOption<>(5, Boolean.class);
public static final SslOption<Integer> SESSION_TICKET = new SslOption<>(6, Integer.class);

public static final SslOption<String> CURRENT_CIPHER = new SslOption<>(7, String.class);

final int id;
final Class<T> type;

private SslOption(int id, Class<T> type) {
this.id = id;
this.type = type;
}

@Override
public int hashCode() {
return id;
}

@Override
public String toString() {
return "SslOption(" + id + ")";
}
}

0 comments on commit 7a7b32a

Please sign in to comment.
You can’t perform that action at this time.