SSLContextImpl.java 49.0 KB
Newer Older
D
duke 已提交
1
/*
2
 * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
D
duke 已提交
3 4 5 6
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
D
duke 已提交
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
D
duke 已提交
10 11 12 13 14 15 16 17 18 19 20
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
21 22 23
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
D
duke 已提交
24 25 26 27 28 29
 */

package sun.security.ssl;

import java.net.Socket;

30
import java.io.*;
X
xuelei 已提交
31
import java.util.*;
D
duke 已提交
32 33
import java.security.*;
import java.security.cert.*;
X
xuelei 已提交
34
import java.security.cert.Certificate;
D
duke 已提交
35 36 37

import javax.net.ssl.*;

X
xuelei 已提交
38
import sun.security.provider.certpath.AlgorithmChecker;
39
import sun.security.action.GetPropertyAction;
40
import sun.security.validator.Validator;
X
xuelei 已提交
41

42
public abstract class SSLContextImpl extends SSLContextSpi {
D
duke 已提交
43 44 45 46 47 48 49 50 51 52 53 54 55

    private static final Debug debug = Debug.getInstance("ssl");

    private final EphemeralKeyManager ephemeralKeyManager;
    private final SSLSessionContextImpl clientCache;
    private final SSLSessionContextImpl serverCache;

    private boolean isInitialized;

    private X509ExtendedKeyManager keyManager;
    private X509TrustManager trustManager;
    private SecureRandom secureRandom;

56 57 58 59
    SSLContextImpl() {
        ephemeralKeyManager = new EphemeralKeyManager();
        clientCache = new SSLSessionContextImpl();
        serverCache = new SSLSessionContextImpl();
D
duke 已提交
60 61
    }

62
    @Override
D
duke 已提交
63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82
    protected void engineInit(KeyManager[] km, TrustManager[] tm,
                                SecureRandom sr) throws KeyManagementException {
        isInitialized = false;
        keyManager = chooseKeyManager(km);

        if (tm == null) {
            try {
                TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                        TrustManagerFactory.getDefaultAlgorithm());
                tmf.init((KeyStore)null);
                tm = tmf.getTrustManagers();
            } catch (Exception e) {
                // eat
            }
        }
        trustManager = chooseTrustManager(tm);

        if (sr == null) {
            secureRandom = JsseJce.getSecureRandom();
        } else {
X
xuelei 已提交
83 84
            if (SunJSSE.isFIPS() &&
                        (sr.getProvider() != SunJSSE.cryptoProvider)) {
D
duke 已提交
85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112
                throw new KeyManagementException
                    ("FIPS mode: SecureRandom must be from provider "
                    + SunJSSE.cryptoProvider.getName());
            }
            secureRandom = sr;
        }

        /*
         * The initial delay of seeding the random number generator
         * could be long enough to cause the initial handshake on our
         * first connection to timeout and fail. Make sure it is
         * primed and ready by getting some initial output from it.
         */
        if (debug != null && Debug.isOn("sslctx")) {
            System.out.println("trigger seeding of SecureRandom");
        }
        secureRandom.nextInt();
        if (debug != null && Debug.isOn("sslctx")) {
            System.out.println("done seeding SecureRandom");
        }
        isInitialized = true;
    }

    private X509TrustManager chooseTrustManager(TrustManager[] tm)
            throws KeyManagementException {
        // We only use the first instance of X509TrustManager passed to us.
        for (int i = 0; tm != null && i < tm.length; i++) {
            if (tm[i] instanceof X509TrustManager) {
X
xuelei 已提交
113 114
                if (SunJSSE.isFIPS() &&
                        !(tm[i] instanceof X509TrustManagerImpl)) {
D
duke 已提交
115 116 117
                    throw new KeyManagementException
                        ("FIPS mode: only SunJSSE TrustManagers may be used");
                }
X
xuelei 已提交
118 119 120 121 122 123 124

                if (tm[i] instanceof X509ExtendedTrustManager) {
                    return (X509TrustManager)tm[i];
                } else {
                    return new AbstractTrustManagerWrapper(
                                        (X509TrustManager)tm[i]);
                }
D
duke 已提交
125 126 127 128 129 130 131 132 133 134 135
            }
        }

        // nothing found, return a dummy X509TrustManager.
        return DummyX509TrustManager.INSTANCE;
    }

    private X509ExtendedKeyManager chooseKeyManager(KeyManager[] kms)
            throws KeyManagementException {
        for (int i = 0; kms != null && i < kms.length; i++) {
            KeyManager km = kms[i];
136
            if (!(km instanceof X509KeyManager)) {
D
duke 已提交
137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161
                continue;
            }
            if (SunJSSE.isFIPS()) {
                // In FIPS mode, require that one of SunJSSE's own keymanagers
                // is used. Otherwise, we cannot be sure that only keys from
                // the FIPS token are used.
                if ((km instanceof X509KeyManagerImpl)
                            || (km instanceof SunX509KeyManagerImpl)) {
                    return (X509ExtendedKeyManager)km;
                } else {
                    // throw exception, we don't want to silently use the
                    // dummy keymanager without telling the user.
                    throw new KeyManagementException
                        ("FIPS mode: only SunJSSE KeyManagers may be used");
                }
            }
            if (km instanceof X509ExtendedKeyManager) {
                return (X509ExtendedKeyManager)km;
            }
            if (debug != null && Debug.isOn("sslctx")) {
                System.out.println(
                    "X509KeyManager passed to " +
                    "SSLContext.init():  need an " +
                    "X509ExtendedKeyManager for SSLEngine use");
            }
X
xuelei 已提交
162
            return new AbstractKeyManagerWrapper((X509KeyManager)km);
D
duke 已提交
163 164 165 166 167 168
        }

        // nothing found, return a dummy X509ExtendedKeyManager
        return DummyX509KeyManager.INSTANCE;
    }

169
    @Override
D
duke 已提交
170 171 172 173 174
    protected SSLSocketFactory engineGetSocketFactory() {
        if (!isInitialized) {
            throw new IllegalStateException(
                "SSLContextImpl is not initialized");
        }
175
       return new SSLSocketFactoryImpl(this);
D
duke 已提交
176 177
    }

178
    @Override
D
duke 已提交
179 180 181 182 183 184
    protected SSLServerSocketFactory engineGetServerSocketFactory() {
        if (!isInitialized) {
            throw new IllegalStateException("SSLContext is not initialized");
        }
        return new SSLServerSocketFactoryImpl(this);
    }
185 186
    abstract SSLEngine createSSLEngineImpl();
    abstract SSLEngine createSSLEngineImpl(String host, int port);
D
duke 已提交
187

188
    @Override
D
duke 已提交
189 190 191 192 193
    protected SSLEngine engineCreateSSLEngine() {
        if (!isInitialized) {
            throw new IllegalStateException(
                "SSLContextImpl is not initialized");
        }
194
        return createSSLEngineImpl();
D
duke 已提交
195 196
    }

197
    @Override
D
duke 已提交
198 199 200 201 202
    protected SSLEngine engineCreateSSLEngine(String host, int port) {
        if (!isInitialized) {
            throw new IllegalStateException(
                "SSLContextImpl is not initialized");
        }
203
        return createSSLEngineImpl(host, port);
D
duke 已提交
204 205
    }

206
    @Override
D
duke 已提交
207 208 209 210
    protected SSLSessionContext engineGetClientSessionContext() {
        return clientCache;
    }

211
    @Override
D
duke 已提交
212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231
    protected SSLSessionContext engineGetServerSessionContext() {
        return serverCache;
    }

    SecureRandom getSecureRandom() {
        return secureRandom;
    }

    X509ExtendedKeyManager getX509KeyManager() {
        return keyManager;
    }

    X509TrustManager getX509TrustManager() {
        return trustManager;
    }

    EphemeralKeyManager getEphemeralKeyManager() {
        return ephemeralKeyManager;
    }

232

233
    // Get supported ProtocolList.
234
    abstract ProtocolList getSuportedProtocolList();
235

236 237
    // Get default ProtocolList for server mode.
    abstract ProtocolList getServerDefaultProtocolList();
238

239 240
    // Get default ProtocolList for client mode.
    abstract ProtocolList getClientDefaultProtocolList();
241

242 243
    // Get supported CipherSuiteList.
    abstract CipherSuiteList getSupportedCipherSuiteList();
244

245 246
    // Get default CipherSuiteList for server mode.
    abstract CipherSuiteList getServerDefaultCipherSuiteList();
247

248 249
    // Get default CipherSuiteList for client mode.
    abstract CipherSuiteList getClientDefaultCipherSuiteList();
250

251 252 253 254
    // Get default ProtocolList.
    ProtocolList getDefaultProtocolList(boolean roleIsServer) {
        return roleIsServer ? getServerDefaultProtocolList()
                : getClientDefaultProtocolList();
255 256 257 258
    }

    // Get default CipherSuiteList.
    CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) {
259 260
        return roleIsServer ? getServerDefaultCipherSuiteList()
                : getClientDefaultCipherSuiteList();
261 262 263 264 265 266 267
    }

    /**
     * Return whether a protocol list is the original default enabled
     * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()
     */
    boolean isDefaultProtocolList(ProtocolList protocols) {
268 269
        return (protocols == getServerDefaultProtocolList()) ||
                (protocols == getClientDefaultProtocolList());
270 271
    }

272 273 274 275 276 277 278 279
    /**
     * Return whether a protocol list is the original default enabled
     * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()
     */
    boolean isDefaultCipherSuiteList(CipherSuiteList cipherSuites) {
        return (cipherSuites == getServerDefaultCipherSuiteList()) ||
                (cipherSuites == getClientDefaultCipherSuiteList());
    }
280 281 282 283 284

    /*
     * Return the list of all available CipherSuites with a priority of
     * minPriority or above.
     */
285
    private static CipherSuiteList getApplicableCipherSuiteList(
286 287 288 289 290 291 292 293 294 295
            ProtocolList protocols, boolean onlyEnabled) {

        int minPriority = CipherSuite.SUPPORTED_SUITES_PRIORITY;
        if (onlyEnabled) {
            minPriority = CipherSuite.DEFAULT_SUITES_PRIORITY;
        }

        Collection<CipherSuite> allowedCipherSuites =
                                    CipherSuite.allowedCipherSuites();

296
        TreeSet<CipherSuite> suites = new TreeSet<>();
297 298 299
        if (!(protocols.collection().isEmpty()) &&
                protocols.min.v != ProtocolVersion.NONE.v) {
            for (CipherSuite suite : allowedCipherSuites) {
300
                if (!suite.allowed || suite.priority < minPriority) {
301 302 303 304 305 306
                    continue;
                }

                if (suite.isAvailable() &&
                        suite.obsoleted > protocols.min.v &&
                        suite.supported <= protocols.max.v) {
X
xuelei 已提交
307
                    if (SSLAlgorithmConstraints.DEFAULT.permits(
308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330
                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                            suite.name, null)) {
                        suites.add(suite);
                    }
                } else if (debug != null &&
                        Debug.isOn("sslctx") && Debug.isOn("verbose")) {
                    if (suite.obsoleted <= protocols.min.v) {
                        System.out.println(
                            "Ignoring obsoleted cipher suite: " + suite);
                    } else if (suite.supported > protocols.max.v) {
                        System.out.println(
                            "Ignoring unsupported cipher suite: " + suite);
                    } else {
                        System.out.println(
                            "Ignoring unavailable cipher suite: " + suite);
                    }
                }
            }
        }

        return new CipherSuiteList(suites);
    }

331 332 333 334 335 336 337 338 339 340 341
    private static String[] getAvailableProtocols(
            ProtocolVersion[] protocolCandidates) {

        List<String> availableProtocols = Collections.<String>emptyList();
        if (protocolCandidates !=  null && protocolCandidates.length != 0) {
            availableProtocols = new ArrayList<>(protocolCandidates.length);
            for (ProtocolVersion p : protocolCandidates) {
                if (ProtocolVersion.availableProtocols.contains(p)) {
                    availableProtocols.add(p.name);
                }
            }
342
        }
343 344

        return availableProtocols.toArray(new String[0]);
345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376
    }

    /*
     * The SSLContext implementation for TLS/SSL algorithm
     *
     * SSL/TLS protocols specify the forward compatibility and version
     * roll-back attack protections, however, a number of SSL/TLS server
     * vendors did not implement these aspects properly, and some current
     * SSL/TLS servers may refuse to talk to a TLS 1.1 or later client.
     *
     * Considering above interoperability issues, SunJSSE will not set
     * TLS 1.1 and TLS 1.2 as the enabled protocols for client by default.
     *
     * For SSL/TLS servers, there is no such interoperability issues as
     * SSL/TLS clients. In SunJSSE, TLS 1.1 or later version will be the
     * enabled protocols for server by default.
     *
     * We may change the behavior when popular TLS/SSL vendors support TLS
     * forward compatibility properly.
     *
     * SSLv2Hello is no longer necessary.  This interoperability option was
     * put in place in the late 90's when SSLv3/TLS1.0 were relatively new
     * and there were a fair number of SSLv2-only servers deployed.  Because
     * of the security issues in SSLv2, it is rarely (if ever) used, as
     * deployments should now be using SSLv3 and TLSv1.
     *
     * Considering the issues of SSLv2Hello, we should not enable SSLv2Hello
     * by default. Applications still can use it by enabling SSLv2Hello with
     * the series of setEnabledProtocols APIs.
     */

    /*
377 378
     * The base abstract SSLContext implementation for the Transport Layer
     * Security (TLS) protocols.
379
     *
380
     * This abstract class encapsulates supported and the default server
381
     * SSL/TLS parameters.
382 383 384
     *
     * @see SSLContext
     */
385 386 387
    private abstract static class AbstractTLSContext extends SSLContextImpl {
        private static final ProtocolList supportedProtocolList;
        private static final ProtocolList serverDefaultProtocolList;
X
xuelei 已提交
388

389 390
        private static final CipherSuiteList supportedCipherSuiteList;
        private static final CipherSuiteList serverDefaultCipherSuiteList;
X
xuelei 已提交
391

392
        static {
393
            if (SunJSSE.isFIPS()) {
394
                supportedProtocolList = new ProtocolList(new String[] {
395 396 397 398 399
                    ProtocolVersion.TLS10.name,
                    ProtocolVersion.TLS11.name,
                    ProtocolVersion.TLS12.name
                });

400 401
                serverDefaultProtocolList = new ProtocolList(
                        getAvailableProtocols(new ProtocolVersion[] {
X
xuelei 已提交
402 403 404
                    ProtocolVersion.TLS10,
                    ProtocolVersion.TLS11,
                    ProtocolVersion.TLS12
405
                }));
406
            } else {
407
                supportedProtocolList = new ProtocolList(new String[] {
408 409 410 411 412 413 414
                    ProtocolVersion.SSL20Hello.name,
                    ProtocolVersion.SSL30.name,
                    ProtocolVersion.TLS10.name,
                    ProtocolVersion.TLS11.name,
                    ProtocolVersion.TLS12.name
                });

415 416
                serverDefaultProtocolList = new ProtocolList(
                        getAvailableProtocols(new ProtocolVersion[] {
X
xuelei 已提交
417 418 419 420 421
                    ProtocolVersion.SSL20Hello,
                    ProtocolVersion.SSL30,
                    ProtocolVersion.TLS10,
                    ProtocolVersion.TLS11,
                    ProtocolVersion.TLS12
422
                }));
423
            }
X
xuelei 已提交
424

425 426 427 428
            supportedCipherSuiteList = getApplicableCipherSuiteList(
                    supportedProtocolList, false);          // all supported
            serverDefaultCipherSuiteList = getApplicableCipherSuiteList(
                    serverDefaultProtocolList, true);       // enabled only
429 430 431
        }

        @Override
432 433
        ProtocolList getSuportedProtocolList() {
            return supportedProtocolList;
434
        }
435

436
        @Override
437 438
        CipherSuiteList getSupportedCipherSuiteList() {
            return supportedCipherSuiteList;
439
        }
X
xuelei 已提交
440

441 442 443 444
        @Override
        ProtocolList getServerDefaultProtocolList() {
            return serverDefaultProtocolList;
        }
X
xuelei 已提交
445

446 447 448 449
        @Override
        CipherSuiteList getServerDefaultCipherSuiteList() {
            return serverDefaultCipherSuiteList;
        }
X
xuelei 已提交
450

451 452 453 454 455 456 457 458
        @Override
        SSLEngine createSSLEngineImpl() {
            return new SSLEngineImpl(this);
        }

        @Override
        SSLEngine createSSLEngineImpl(String host, int port) {
            return new SSLEngineImpl(this, host, port);
X
xuelei 已提交
459
        }
460 461 462 463 464 465 466
    }

    /*
     * The SSLContext implementation for SSLv3 and TLS10 algorithm
     *
     * @see SSLContext
     */
467 468 469
    public static final class TLS10Context extends AbstractTLSContext {
        private static final ProtocolList clientDefaultProtocolList;
        private static final CipherSuiteList clientDefaultCipherSuiteList;
470 471 472

        static {
            if (SunJSSE.isFIPS()) {
473 474
                clientDefaultProtocolList = new ProtocolList(
                        getAvailableProtocols(new ProtocolVersion[] {
X
xuelei 已提交
475
                    ProtocolVersion.TLS10
476
                }));
477
            } else {
478 479
                clientDefaultProtocolList = new ProtocolList(
                        getAvailableProtocols(new ProtocolVersion[] {
X
xuelei 已提交
480 481
                    ProtocolVersion.SSL30,
                    ProtocolVersion.TLS10
482
                }));
483
            }
X
xuelei 已提交
484

485 486 487 488 489 490 491
            clientDefaultCipherSuiteList = getApplicableCipherSuiteList(
                    clientDefaultProtocolList, true);       // enabled only
        }

        @Override
        ProtocolList getClientDefaultProtocolList() {
            return clientDefaultProtocolList;
492 493
        }

494
        @Override
495 496
        CipherSuiteList getClientDefaultCipherSuiteList() {
            return clientDefaultCipherSuiteList;
497 498 499 500 501 502 503 504
        }
    }

    /*
     * The SSLContext implementation for TLS11 algorithm
     *
     * @see SSLContext
     */
505 506 507
    public static final class TLS11Context extends AbstractTLSContext {
        private static final ProtocolList clientDefaultProtocolList;
        private static final CipherSuiteList clientDefaultCipherSuiteList;
508 509 510

        static {
            if (SunJSSE.isFIPS()) {
511 512
                clientDefaultProtocolList = new ProtocolList(
                        getAvailableProtocols(new ProtocolVersion[] {
X
xuelei 已提交
513 514
                    ProtocolVersion.TLS10,
                    ProtocolVersion.TLS11
515
                }));
516
            } else {
517 518
                clientDefaultProtocolList = new ProtocolList(
                        getAvailableProtocols(new ProtocolVersion[] {
X
xuelei 已提交
519 520 521
                    ProtocolVersion.SSL30,
                    ProtocolVersion.TLS10,
                    ProtocolVersion.TLS11
522
                }));
523
            }
X
xuelei 已提交
524

525 526
            clientDefaultCipherSuiteList = getApplicableCipherSuiteList(
                    clientDefaultProtocolList, true);       // enabled only
527 528 529
        }

        @Override
530 531 532 533 534 535 536
        ProtocolList getClientDefaultProtocolList() {
            return clientDefaultProtocolList;
        }

        @Override
        CipherSuiteList getClientDefaultCipherSuiteList() {
            return clientDefaultCipherSuiteList;
537 538 539 540 541 542 543 544
        }
    }

    /*
     * The SSLContext implementation for TLS12 algorithm
     *
     * @see SSLContext
     */
545 546 547
    public static final class TLS12Context extends AbstractTLSContext {
        private static final ProtocolList clientDefaultProtocolList;
        private static final CipherSuiteList clientDefaultCipherSuiteList;
548 549 550

        static {
            if (SunJSSE.isFIPS()) {
551 552
                clientDefaultProtocolList = new ProtocolList(
                        getAvailableProtocols(new ProtocolVersion[] {
X
xuelei 已提交
553 554 555
                    ProtocolVersion.TLS10,
                    ProtocolVersion.TLS11,
                    ProtocolVersion.TLS12
556
                }));
557
            } else {
558 559
                clientDefaultProtocolList = new ProtocolList(
                        getAvailableProtocols(new ProtocolVersion[] {
X
xuelei 已提交
560 561 562 563
                    ProtocolVersion.SSL30,
                    ProtocolVersion.TLS10,
                    ProtocolVersion.TLS11,
                    ProtocolVersion.TLS12
564
                }));
565
            }
X
xuelei 已提交
566

567 568 569 570 571 572 573
            clientDefaultCipherSuiteList = getApplicableCipherSuiteList(
                    clientDefaultProtocolList, true);       // enabled only
        }

        @Override
        ProtocolList getClientDefaultProtocolList() {
            return clientDefaultProtocolList;
574 575
        }

576
        @Override
577 578
        CipherSuiteList getClientDefaultCipherSuiteList() {
            return clientDefaultCipherSuiteList;
579
        }
580 581 582
    }

    /*
583
     * The interface for the customized SSL/(D)TLS SSLContext.
584 585 586
     *
     * @see SSLContext
     */
587
    private static class CustomizedSSLProtocols {
X
xuelei 已提交
588
        private static final String PROPERTY_NAME = "jdk.tls.client.protocols";
589 590 591
        static IllegalArgumentException reservedException = null;
        static ArrayList<ProtocolVersion>
                customizedProtocols = new ArrayList<>();
592 593 594 595 596

        // Don't want a java.lang.LinkageError for illegal system property.
        //
        // Please don't throw exception in this static block.  Otherwise,
        // java.lang.LinkageError may be thrown during the instantiation of
597 598
        // the provider service. Instead, please handle the initialization
        // exception in the caller's constructor.
599 600 601
        static {
            String property = AccessController.doPrivileged(
                    new GetPropertyAction(PROPERTY_NAME));
602
            if (property != null && property.length() != 0) {
603
                // remove double quote marks from beginning/end of the property
X
xuelei 已提交
604
                if (property.length() > 1 && property.charAt(0) == '"' &&
605 606 607
                        property.charAt(property.length() - 1) == '"') {
                    property = property.substring(1, property.length() - 1);
                }
608
            }
609

610 611
            if (property != null && property.length() != 0) {
                String[] protocols = property.split(",");
612 613 614 615
                for (int i = 0; i < protocols.length; i++) {
                    protocols[i] = protocols[i].trim();
                    // Is it a supported protocol name?
                    try {
616 617
                        ProtocolVersion pro =
                                ProtocolVersion.valueOf(protocols[i]);
618

619 620 621
                        if (SunJSSE.isFIPS() &&
                                ((pro.v == ProtocolVersion.SSL30.v) ||
                                        (pro.v == ProtocolVersion.SSL20Hello.v))) {
622
                            reservedException = new IllegalArgumentException(
623 624 625 626 627 628 629 630 631
                                    PROPERTY_NAME + ": " + pro +
                                            " is not FIPS compliant");

                            break;
                        }

                        // ignore duplicated protocols
                        if (!customizedProtocols.contains(pro)) {
                            customizedProtocols.add(pro);
632
                        }
633 634 635 636
                    } catch (IllegalArgumentException iae) {
                        reservedException = new IllegalArgumentException(
                                PROPERTY_NAME + ": " + protocols[i] +
                                        " is not a standard SSL protocol name", iae);
637 638
                    }
                }
X
xuelei 已提交
639
            }
640 641
        }
    }
642

643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662
    /*
     * The SSLContext implementation for customized TLS protocols
     *
     * @see SSLContext
     */
    private static class CustomizedTLSContext extends AbstractTLSContext {

        private static final ProtocolList clientDefaultProtocolList;
        private static final CipherSuiteList clientDefaultCipherSuiteList;

        private static IllegalArgumentException reservedException = null;

        // Don't want a java.lang.LinkageError for illegal system property.
        //
        // Please don't throw exception in this static block.  Otherwise,
        // java.lang.LinkageError may be thrown during the instantiation of
        // the provider service. Instead, let's handle the initialization
        // exception in constructor.
        static {
            reservedException = CustomizedSSLProtocols.reservedException;
X
xuelei 已提交
663
            if (reservedException == null) {
664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703
                ArrayList<ProtocolVersion>
                        customizedTLSProtocols = new ArrayList<>();
                for (ProtocolVersion protocol :
                        CustomizedSSLProtocols.customizedProtocols) {
                        customizedTLSProtocols.add(protocol);
                }

                // candidates for available protocols
                ProtocolVersion[] candidates;
                if (customizedTLSProtocols.isEmpty()) {
                    // Use the default enabled client protocols if no
                    // customized TLS protocols.
                    if (SunJSSE.isFIPS()) {
                        candidates = new ProtocolVersion[] {
                                ProtocolVersion.TLS10,
                                ProtocolVersion.TLS11,
                                ProtocolVersion.TLS12
                        };
                    } else {
                        candidates = new ProtocolVersion[] {
                                ProtocolVersion.SSL30,
                                ProtocolVersion.TLS10,
                                ProtocolVersion.TLS11,
                                ProtocolVersion.TLS12
                        };
                    }
                } else {
                    // Use the customized TLS protocols.
                    candidates =
                            new ProtocolVersion[customizedTLSProtocols.size()];
                    candidates = customizedTLSProtocols.toArray(candidates);
                }

                clientDefaultProtocolList = new ProtocolList(
                        getAvailableProtocols(candidates));
                clientDefaultCipherSuiteList = getApplicableCipherSuiteList(
                        clientDefaultProtocolList, true);   // enabled only
            } else {
                clientDefaultProtocolList = null;       // unlikely to be used
                clientDefaultCipherSuiteList = null;    // unlikely to be used
704 705 706
            }
        }

707
        protected CustomizedTLSContext() {
708 709 710 711
            if (reservedException != null) {
                throw reservedException;
            }
        }
712

713
        @Override
714 715 716 717 718 719 720
        ProtocolList getClientDefaultProtocolList() {
            return clientDefaultProtocolList;
        }

        @Override
        CipherSuiteList getClientDefaultCipherSuiteList() {
            return clientDefaultCipherSuiteList;
721 722 723 724
        }
    }

    /*
725 726 727 728
     * The SSLContext implementation for default "TLS" algorithm
     *
     * @see SSLContext
     */
729
    public static final class TLSContext extends CustomizedTLSContext {
730 731 732
        // use the default constructor and methods
    }

733 734 735 736
    // lazy initialization holder class idiom for static default parameters
    //
    // See Effective Java Second Edition: Item 71.
    private static final class DefaultManagersHolder {
737 738 739
        private static final String NONE = "NONE";
        private static final String P11KEYSTORE = "PKCS11";

740 741
        private static final TrustManager[] trustManagers;
        private static final KeyManager[] keyManagers;
742

743
        static Exception reservedException = null;
744

745 746
        static {
            TrustManager[] tmMediator;
747
            try {
748
                tmMediator = getTrustManagers();
749
            } catch (Exception e) {
750 751
                reservedException = e;
                tmMediator = new TrustManager[0];
752
            }
753
            trustManagers = tmMediator;
754

755 756 757 758 759 760 761 762 763 764 765
            if (reservedException == null) {
                KeyManager[] kmMediator;
                try {
                    kmMediator = getKeyManagers();
                } catch (Exception e) {
                    reservedException = e;
                    kmMediator = new KeyManager[0];
                }
                keyManagers = kmMediator;
            } else {
                keyManagers = new KeyManager[0];
766 767 768
            }
        }

769
        private static TrustManager[] getTrustManagers() throws Exception {
770 771 772 773 774 775
            KeyStore ks =
                TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx");

            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
776
            return tmf.getTrustManagers();
777 778
        }

779
        private static KeyManager[] getKeyManagers() throws Exception {
780 781 782 783

            final Map<String,String> props = new HashMap<>();
            AccessController.doPrivileged(
                        new PrivilegedExceptionAction<Object>() {
784
                @Override
785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817
                public Object run() throws Exception {
                    props.put("keyStore",  System.getProperty(
                                "javax.net.ssl.keyStore", ""));
                    props.put("keyStoreType", System.getProperty(
                                "javax.net.ssl.keyStoreType",
                                KeyStore.getDefaultType()));
                    props.put("keyStoreProvider", System.getProperty(
                                "javax.net.ssl.keyStoreProvider", ""));
                    props.put("keyStorePasswd", System.getProperty(
                                "javax.net.ssl.keyStorePassword", ""));
                    return null;
                }
            });

            final String defaultKeyStore = props.get("keyStore");
            String defaultKeyStoreType = props.get("keyStoreType");
            String defaultKeyStoreProvider = props.get("keyStoreProvider");
            if (debug != null && Debug.isOn("defaultctx")) {
                System.out.println("keyStore is : " + defaultKeyStore);
                System.out.println("keyStore type is : " +
                                        defaultKeyStoreType);
                System.out.println("keyStore provider is : " +
                                        defaultKeyStoreProvider);
            }

            if (P11KEYSTORE.equals(defaultKeyStoreType) &&
                    !NONE.equals(defaultKeyStore)) {
                throw new IllegalArgumentException("if keyStoreType is "
                    + P11KEYSTORE + ", then keyStore must be " + NONE);
            }

            FileInputStream fs = null;
            KeyStore ks = null;
X
xuelei 已提交
818 819 820 821 822 823
            char[] passwd = null;
            try {
                if (defaultKeyStore.length() != 0 &&
                        !NONE.equals(defaultKeyStore)) {
                    fs = AccessController.doPrivileged(
                            new PrivilegedExceptionAction<FileInputStream>() {
824
                        @Override
X
xuelei 已提交
825 826 827 828
                        public FileInputStream run() throws Exception {
                            return new FileInputStream(defaultKeyStore);
                        }
                    });
829
                }
X
xuelei 已提交
830 831 832 833

                String defaultKeyStorePassword = props.get("keyStorePasswd");
                if (defaultKeyStorePassword.length() != 0) {
                    passwd = defaultKeyStorePassword.toCharArray();
834 835
                }

X
xuelei 已提交
836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857
                /**
                 * Try to initialize key store.
                 */
                if ((defaultKeyStoreType.length()) != 0) {
                    if (debug != null && Debug.isOn("defaultctx")) {
                        System.out.println("init keystore");
                    }
                    if (defaultKeyStoreProvider.length() == 0) {
                        ks = KeyStore.getInstance(defaultKeyStoreType);
                    } else {
                        ks = KeyStore.getInstance(defaultKeyStoreType,
                                            defaultKeyStoreProvider);
                    }

                    // if defaultKeyStore is NONE, fs will be null
                    ks.load(fs, passwd);
                }
            } finally {
                if (fs != null) {
                    fs.close();
                    fs = null;
                }
858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875
            }

            /*
             * Try to initialize key manager.
             */
            if (debug != null && Debug.isOn("defaultctx")) {
                System.out.println("init keymanager of type " +
                    KeyManagerFactory.getDefaultAlgorithm());
            }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());

            if (P11KEYSTORE.equals(defaultKeyStoreType)) {
                kmf.init(ks, null); // do not pass key passwd if using token
            } else {
                kmf.init(ks, passwd);
            }

876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900
            return kmf.getKeyManagers();
        }
    }

    // lazy initialization holder class idiom for static default parameters
    //
    // See Effective Java Second Edition: Item 71.
    private static final class DefaultSSLContextHolder {

        private static final SSLContextImpl sslContext;
        static Exception reservedException = null;

        static {
            SSLContextImpl mediator = null;
            if (DefaultManagersHolder.reservedException != null) {
                reservedException = DefaultManagersHolder.reservedException;
            } else {
                try {
                    mediator = new DefaultSSLContext();
                } catch (Exception e) {
                    reservedException = e;
                }
            }

            sslContext = mediator;
901 902 903
        }
    }

904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944
    /*
     * The SSLContext implementation for default "Default" algorithm
     *
     * @see SSLContext
     */
    public static final class DefaultSSLContext extends CustomizedTLSContext {

        // public constructor for SSLContext.getInstance("Default")
        public DefaultSSLContext() throws Exception {
            if (DefaultManagersHolder.reservedException != null) {
                throw DefaultManagersHolder.reservedException;
            }

            try {
                super.engineInit(DefaultManagersHolder.keyManagers,
                        DefaultManagersHolder.trustManagers, null);
            } catch (Exception e) {
                if (debug != null && Debug.isOn("defaultctx")) {
                    System.out.println("default context init failed: " + e);
                }
                throw e;
            }
        }

        @Override
        protected void engineInit(KeyManager[] km, TrustManager[] tm,
                                  SecureRandom sr) throws KeyManagementException {
            throw new KeyManagementException
                    ("Default SSLContext is initialized automatically");
        }

        static SSLContextImpl getDefaultImpl() throws Exception {
            if (DefaultSSLContextHolder.reservedException != null) {
                throw DefaultSSLContextHolder.reservedException;
            }

            return DefaultSSLContextHolder.sslContext;
        }
    }


D
duke 已提交
945 946
}

X
xuelei 已提交
947 948 949 950

final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
            implements X509TrustManager {

951
    // the delegated trust manager
X
xuelei 已提交
952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043
    private final X509TrustManager tm;

    AbstractTrustManagerWrapper(X509TrustManager tm) {
        this.tm = tm;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        tm.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        tm.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return tm.getAcceptedIssuers();
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
                Socket socket) throws CertificateException {
        tm.checkClientTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, socket, true);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            Socket socket) throws CertificateException {
        tm.checkServerTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, socket, false);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        tm.checkClientTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, engine, true);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        tm.checkServerTrusted(chain, authType);
        checkAdditionalTrust(chain, authType, engine, false);
    }

    private void checkAdditionalTrust(X509Certificate[] chain, String authType,
                Socket socket, boolean isClient) throws CertificateException {
        if (socket != null && socket.isConnected() &&
                                    socket instanceof SSLSocket) {

            SSLSocket sslSocket = (SSLSocket)socket;
            SSLSession session = sslSocket.getHandshakeSession();
            if (session == null) {
                throw new CertificateException("No handshake session");
            }

            // check endpoint identity
            String identityAlg = sslSocket.getSSLParameters().
                                        getEndpointIdentificationAlgorithm();
            if (identityAlg != null && identityAlg.length() != 0) {
                String hostname = session.getPeerHost();
                X509TrustManagerImpl.checkIdentity(
                                    hostname, chain[0], identityAlg);
            }

            // try the best to check the algorithm constraints
            ProtocolVersion protocolVersion =
                ProtocolVersion.valueOf(session.getProtocol());
            AlgorithmConstraints constraints = null;
            if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
                if (session instanceof ExtendedSSLSession) {
                    ExtendedSSLSession extSession =
                                    (ExtendedSSLSession)session;
                    String[] peerSupportedSignAlgs =
                            extSession.getLocalSupportedSignatureAlgorithms();

                    constraints = new SSLAlgorithmConstraints(
                                    sslSocket, peerSupportedSignAlgs, true);
                } else {
                    constraints =
                            new SSLAlgorithmConstraints(sslSocket, true);
                }
            } else {
                constraints = new SSLAlgorithmConstraints(sslSocket, true);
            }

1044
            checkAlgorithmConstraints(chain, constraints, isClient);
X
xuelei 已提交
1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085
        }
    }

    private void checkAdditionalTrust(X509Certificate[] chain, String authType,
            SSLEngine engine, boolean isClient) throws CertificateException {
        if (engine != null) {
            SSLSession session = engine.getHandshakeSession();
            if (session == null) {
                throw new CertificateException("No handshake session");
            }

            // check endpoint identity
            String identityAlg = engine.getSSLParameters().
                                        getEndpointIdentificationAlgorithm();
            if (identityAlg != null && identityAlg.length() != 0) {
                String hostname = session.getPeerHost();
                X509TrustManagerImpl.checkIdentity(
                                    hostname, chain[0], identityAlg);
            }

            // try the best to check the algorithm constraints
            ProtocolVersion protocolVersion =
                ProtocolVersion.valueOf(session.getProtocol());
            AlgorithmConstraints constraints = null;
            if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
                if (session instanceof ExtendedSSLSession) {
                    ExtendedSSLSession extSession =
                                    (ExtendedSSLSession)session;
                    String[] peerSupportedSignAlgs =
                            extSession.getLocalSupportedSignatureAlgorithms();

                    constraints = new SSLAlgorithmConstraints(
                                    engine, peerSupportedSignAlgs, true);
                } else {
                    constraints =
                            new SSLAlgorithmConstraints(engine, true);
                }
            } else {
                constraints = new SSLAlgorithmConstraints(engine, true);
            }

1086
            checkAlgorithmConstraints(chain, constraints, isClient);
1087 1088
        }
    }
X
xuelei 已提交
1089

1090
    private void checkAlgorithmConstraints(X509Certificate[] chain,
1091
            AlgorithmConstraints constraints, boolean isClient) throws CertificateException {
1092 1093 1094 1095

        try {
            // Does the certificate chain end with a trusted certificate?
            int checkedLength = chain.length - 1;
1096 1097 1098 1099 1100 1101 1102

            Collection<X509Certificate> trustedCerts = new HashSet<>();
            X509Certificate[] certs = tm.getAcceptedIssuers();
            if ((certs != null) && (certs.length > 0)){
                Collections.addAll(trustedCerts, certs);
            }

1103 1104 1105 1106 1107 1108
            if (trustedCerts.contains(chain[checkedLength])) {
                    checkedLength--;
            }

            // A forward checker, need to check from trust to target
            if (checkedLength >= 0) {
1109 1110 1111
                AlgorithmChecker checker =
                        new AlgorithmChecker(constraints, null,
                                (isClient ? Validator.VAR_TLS_CLIENT : Validator.VAR_TLS_SERVER));
1112 1113
                checker.init(false);
                for (int i = checkedLength; i >= 0; i--) {
X
xuelei 已提交
1114 1115 1116 1117 1118
                    Certificate cert = chain[i];
                    // We don't care about the unresolved critical extensions.
                    checker.check(cert, Collections.<String>emptySet());
                }
            }
1119 1120 1121
        } catch (CertPathValidatorException cpve) {
            throw new CertificateException(
                "Certificates does not conform to algorithm constraints");
X
xuelei 已提交
1122 1123 1124 1125
        }
    }
}

D
duke 已提交
1126 1127
// Dummy X509TrustManager implementation, rejects all peer certificates.
// Used if the application did not specify a proper X509TrustManager.
X
xuelei 已提交
1128 1129
final class DummyX509TrustManager extends X509ExtendedTrustManager
            implements X509TrustManager {
D
duke 已提交
1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143

    static final X509TrustManager INSTANCE = new DummyX509TrustManager();

    private DummyX509TrustManager() {
        // empty
    }

    /*
     * Given the partial or complete certificate chain
     * provided by the peer, build a certificate path
     * to a trusted root and return if it can be
     * validated and is trusted for client SSL authentication.
     * If not, it throws an exception.
     */
X
xuelei 已提交
1144
    @Override
D
duke 已提交
1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157
    public void checkClientTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        throw new CertificateException(
            "No X509TrustManager implementation avaiable");
    }

    /*
     * Given the partial or complete certificate chain
     * provided by the peer, build a certificate path
     * to a trusted root and return if it can be
     * validated and is trusted for server SSL authentication.
     * If not, it throws an exception.
     */
X
xuelei 已提交
1158
    @Override
D
duke 已提交
1159 1160 1161 1162 1163 1164 1165 1166 1167 1168
    public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        throw new CertificateException(
            "No X509TrustManager implementation available");
    }

    /*
     * Return an array of issuer certificates which are trusted
     * for authenticating peers.
     */
X
xuelei 已提交
1169
    @Override
D
duke 已提交
1170 1171 1172
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
X
xuelei 已提交
1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
                Socket socket) throws CertificateException {
        throw new CertificateException(
            "No X509TrustManager implementation available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            Socket socket) throws CertificateException {
        throw new CertificateException(
            "No X509TrustManager implementation available");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        throw new CertificateException(
            "No X509TrustManager implementation available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType,
            SSLEngine engine) throws CertificateException {
        throw new CertificateException(
            "No X509TrustManager implementation available");
    }
D
duke 已提交
1201 1202 1203 1204 1205
}

/*
 * A wrapper class to turn a X509KeyManager into an X509ExtendedKeyManager
 */
X
xuelei 已提交
1206
final class AbstractKeyManagerWrapper extends X509ExtendedKeyManager {
D
duke 已提交
1207 1208 1209

    private final X509KeyManager km;

X
xuelei 已提交
1210
    AbstractKeyManagerWrapper(X509KeyManager km) {
D
duke 已提交
1211 1212 1213
        this.km = km;
    }

1214
    @Override
D
duke 已提交
1215 1216 1217 1218
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return km.getClientAliases(keyType, issuers);
    }

1219
    @Override
D
duke 已提交
1220 1221 1222 1223 1224
    public String chooseClientAlias(String[] keyType, Principal[] issuers,
            Socket socket) {
        return km.chooseClientAlias(keyType, issuers, socket);
    }

1225
    @Override
D
duke 已提交
1226 1227 1228 1229
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return km.getServerAliases(keyType, issuers);
    }

1230
    @Override
D
duke 已提交
1231 1232 1233 1234 1235
    public String chooseServerAlias(String keyType, Principal[] issuers,
            Socket socket) {
        return km.chooseServerAlias(keyType, issuers, socket);
    }

1236
    @Override
D
duke 已提交
1237 1238 1239 1240
    public X509Certificate[] getCertificateChain(String alias) {
        return km.getCertificateChain(alias);
    }

1241
    @Override
D
duke 已提交
1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265
    public PrivateKey getPrivateKey(String alias) {
        return km.getPrivateKey(alias);
    }

    // Inherit chooseEngineClientAlias() and chooseEngineServerAlias() from
    // X509ExtendedKeymanager. It defines them to return null;
}


// Dummy X509KeyManager implementation, never returns any certificates/keys.
// Used if the application did not specify a proper X509TrustManager.
final class DummyX509KeyManager extends X509ExtendedKeyManager {

    static final X509ExtendedKeyManager INSTANCE = new DummyX509KeyManager();

    private DummyX509KeyManager() {
        // empty
    }

    /*
     * Get the matching aliases for authenticating the client side of a secure
     * socket given the public key type and the list of
     * certificate issuer authorities recognized by the peer (if any).
     */
1266
    @Override
D
duke 已提交
1267 1268 1269 1270 1271 1272 1273 1274 1275
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return null;
    }

    /*
     * Choose an alias to authenticate the client side of a secure
     * socket given the public key type and the list of
     * certificate issuer authorities recognized by the peer (if any).
     */
1276
    @Override
D
duke 已提交
1277 1278 1279 1280 1281 1282 1283 1284 1285 1286
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers,
            Socket socket) {
        return null;
    }

    /*
     * Choose an alias to authenticate the client side of an
     * engine given the public key type and the list of
     * certificate issuer authorities recognized by the peer (if any).
     */
1287
    @Override
D
duke 已提交
1288 1289 1290 1291 1292 1293 1294 1295 1296 1297
    public String chooseEngineClientAlias(
            String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return null;
    }

    /*
     * Get the matching aliases for authenticating the server side of a secure
     * socket given the public key type and the list of
     * certificate issuer authorities recognized by the peer (if any).
     */
1298
    @Override
D
duke 已提交
1299 1300 1301 1302 1303 1304 1305 1306 1307
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return null;
    }

    /*
     * Choose an alias to authenticate the server side of a secure
     * socket given the public key type and the list of
     * certificate issuer authorities recognized by the peer (if any).
     */
1308
    @Override
D
duke 已提交
1309 1310 1311 1312 1313 1314 1315 1316 1317 1318
    public String chooseServerAlias(String keyType, Principal[] issuers,
            Socket socket) {
        return null;
    }

    /*
     * Choose an alias to authenticate the server side of an engine
     * given the public key type and the list of
     * certificate issuer authorities recognized by the peer (if any).
     */
1319
    @Override
D
duke 已提交
1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332
    public String chooseEngineServerAlias(
            String keyType, Principal[] issuers, SSLEngine engine) {
        return null;
    }

    /**
     * Returns the certificate chain associated with the given alias.
     *
     * @param alias the alias name
     *
     * @return the certificate chain (ordered with the user's certificate first
     * and the root certificate authority last)
     */
1333
    @Override
D
duke 已提交
1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345
    public X509Certificate[] getCertificateChain(String alias) {
        return null;
    }

    /*
     * Returns the key associated with the given alias, using the given
     * password to recover it.
     *
     * @param alias the alias name
     *
     * @return the requested key
     */
1346
    @Override
D
duke 已提交
1347 1348 1349 1350
    public PrivateKey getPrivateKey(String alias) {
        return null;
    }
}