2 * Copyright (C) 2008 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 package org.apache.harmony.xnet.provider.jsse;
19 import java.io.FileDescriptor;
20 import java.io.IOException;
21 import java.lang.reflect.Field;
22 import java.net.Socket;
23 import java.net.SocketImpl;
24 import java.net.SocketTimeoutException;
25 import java.security.cert.Certificate;
26 import java.security.cert.CertificateEncodingException;
27 import java.security.cert.CertificateException;
28 import java.security.cert.X509Certificate;
29 import java.security.interfaces.RSAPublicKey;
30 import java.util.ArrayList;
31 import java.util.HashMap;
32 import java.util.LinkedHashMap;
33 import java.util.List;
35 import javax.net.ssl.SSLException;
38 * Provides the Java side of our JNI glue for OpenSSL.
40 public final class NativeCrypto {
42 // --- OpenSSL library initialization --------------------------------------
47 private native static void clinit();
49 // --- DSA/RSA public/private key handling functions -----------------------
51 public static native int EVP_PKEY_new_DSA(byte[] p, byte[] q, byte[] g,
52 byte[] priv_key, byte[] pub_key);
54 public static native int EVP_PKEY_new_RSA(byte[] n, byte[] e, byte[] d, byte[] p, byte[] q);
56 public static native void EVP_PKEY_free(int pkey);
58 // --- General context handling functions (despite the names) --------------
60 public static native int EVP_MD_CTX_create();
62 public static native void EVP_MD_CTX_destroy(int ctx);
64 public static native int EVP_MD_CTX_copy(int ctx);
66 // --- Digest handling functions -------------------------------------------
68 public static native void EVP_DigestInit(int ctx, String algorithm);
70 public static native void EVP_DigestUpdate(int ctx, byte[] buffer, int offset, int length);
72 public static native int EVP_DigestFinal(int ctx, byte[] hash, int offset);
74 public static native int EVP_MD_CTX_size(int ctx);
76 public static native int EVP_MD_CTX_block_size(int ctx);
78 // --- Signature handling functions ----------------------------------------
80 public static native void EVP_VerifyInit(int ctx, String algorithm);
82 public static native void EVP_VerifyUpdate(int ctx, byte[] buffer,
83 int offset, int length);
85 public static native int EVP_VerifyFinal(int ctx, byte[] signature,
86 int offset, int length, int key);
88 // --- Legacy Signature handling -------------------------------------------
89 // TODO rewrite/replace with EVP_Verify*
91 * Verifies an RSA signature. Conceptually, this method doesn't really
92 * belong here, but due to its native code being closely tied to OpenSSL
93 * (just like the rest of this class), we put it here for the time being.
94 * This also solves potential problems with native library initialization.
96 * @param message The message to verify
97 * @param signature The signature to verify
98 * @param algorithm The hash/sign algorithm to use, i.e. "RSA-SHA1"
99 * @param key The RSA public key to use
100 * @return true if the verification succeeds, false otherwise
102 public static boolean verifySignature(
103 byte[] message, byte[] signature, String algorithm, RSAPublicKey key) {
104 byte[] modulus = key.getModulus().toByteArray();
105 byte[] exponent = key.getPublicExponent().toByteArray();
107 return verifySignature(message, signature, algorithm, modulus, exponent) == 1;
110 private static native int verifySignature(byte[] message, byte[] signature,
111 String algorithm, byte[] modulus, byte[] exponent);
113 // --- RAND seeding --------------------------------------------------------
115 public static final int RAND_SEED_LENGTH_IN_BYTES = 1024;
117 public static native void RAND_seed(byte[] seed);
119 public static native int RAND_load_file(String filename, long max_bytes);
121 // --- SSL handling --------------------------------------------------------
123 private static final Field JAVA_NET_SOCKET_IMPL;
124 private static final Field JAVA_NET_SOCKETIMPL_FD;
127 JAVA_NET_SOCKET_IMPL = Socket.class.getDeclaredField("impl");
128 JAVA_NET_SOCKET_IMPL.setAccessible(true);
129 JAVA_NET_SOCKETIMPL_FD = SocketImpl.class.getDeclaredField("fd");
130 JAVA_NET_SOCKETIMPL_FD.setAccessible(true);
131 } catch (Exception e) {
132 throw new AssertionError(e);
136 * Return the FileDescriptor associated with the provided socket.
138 public static FileDescriptor getFileDescriptor(Socket socket) {
140 SocketImpl socketImpl = (SocketImpl) JAVA_NET_SOCKET_IMPL.get(socket);
141 FileDescriptor fd = (FileDescriptor) JAVA_NET_SOCKETIMPL_FD.get(socketImpl);
143 } catch (IllegalAccessException e) {
144 throw new AssertionError(e);
148 private static final String SUPPORTED_PROTOCOL_SSLV3 = "SSLv3";
149 private static final String SUPPORTED_PROTOCOL_TLSV1 = "TLSv1";
151 public static final Map<String, String> OPENSSL_TO_STANDARD_CIPHER_SUITES
152 = new HashMap<String, String>();
153 public static final Map<String, String> STANDARD_TO_OPENSSL_CIPHER_SUITES
154 = new LinkedHashMap<String, String>();
156 private static void add(String standard, String openssl) {
157 OPENSSL_TO_STANDARD_CIPHER_SUITES.put(openssl, standard);
158 STANDARD_TO_OPENSSL_CIPHER_SUITES.put(standard, openssl);
162 // Note these are added in priority order
163 // Android doesn't currently support Elliptic Curve
164 add("SSL_RSA_WITH_RC4_128_MD5", "RC4-MD5");
165 add("SSL_RSA_WITH_RC4_128_SHA", "RC4-SHA");
166 add("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA");
167 add("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256-SHA");
168 // add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "ECDH-ECDSA-RC4-SHA");
169 // add("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "ECDH-ECDSA-AES128-SHA");
170 // add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "ECDH-ECDSA-AES256-SHA");
171 // add("TLS_ECDH_RSA_WITH_RC4_128_SHA", "ECDH-RSA-RC4-SHA");
172 // add("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "ECDH-RSA-AES128-SHA");
173 // add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "ECDH-RSA-AES256-SHA");
174 // add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "ECDHE-ECDSA-RC4-SHA");
175 // add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "ECDHE-ECDSA-AES128-SHA");
176 // add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "ECDHE-ECDSA-AES256-SHA");
177 // add("TLS_ECDHE_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-RC4-SHA");
178 // add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE-RSA-AES128-SHA");
179 // add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE-RSA-AES256-SHA");
180 add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE-RSA-AES128-SHA");
181 add("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE-RSA-AES256-SHA");
182 add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "DHE-DSS-AES128-SHA");
183 add("TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "DHE-DSS-AES256-SHA");
184 add("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "DES-CBC3-SHA");
185 // add("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "ECDH-ECDSA-DES-CBC3-SHA");
186 // add("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "ECDH-RSA-DES-CBC3-SHA");
187 // add("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-ECDSA-DES-CBC3-SHA");
188 // add("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-RSA-DES-CBC3-SHA");
189 add("SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "EDH-RSA-DES-CBC3-SHA");
190 add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "EDH-DSS-DES-CBC3-SHA");
191 add("SSL_RSA_WITH_DES_CBC_SHA", "DES-CBC-SHA");
192 add("SSL_DHE_RSA_WITH_DES_CBC_SHA", "EDH-RSA-DES-CBC-SHA");
193 add("SSL_DHE_DSS_WITH_DES_CBC_SHA", "EDH-DSS-DES-CBC-SHA");
194 add("SSL_RSA_EXPORT_WITH_RC4_40_MD5", "EXP-RC4-MD5");
195 add("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-DES-CBC-SHA");
196 add("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-RSA-DES-CBC-SHA");
197 add("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "EXP-EDH-DSS-DES-CBC-SHA");
198 add("SSL_RSA_WITH_NULL_MD5", "NULL-MD5");
199 add("SSL_RSA_WITH_NULL_SHA", "NULL-SHA");
200 // add("TLS_ECDH_ECDSA_WITH_NULL_SHA", "ECDH-ECDSA-NULL-SHA");
201 // add("TLS_ECDH_RSA_WITH_NULL_SHA", "ECDH-RSA-NULL-SHA");
202 // add("TLS_ECDHE_ECDSA_WITH_NULL_SHA", "ECDHE-ECDSA-NULL-SHA");
203 // add("TLS_ECDHE_RSA_WITH_NULL_SHA", "ECDHE-RSA-NULL-SHA");
204 add("SSL_DH_anon_WITH_RC4_128_MD5", "ADH-RC4-MD5");
205 add("TLS_DH_anon_WITH_AES_128_CBC_SHA", "ADH-AES128-SHA");
206 add("TLS_DH_anon_WITH_AES_256_CBC_SHA", "ADH-AES256-SHA");
207 add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "ADH-DES-CBC3-SHA");
208 add("SSL_DH_anon_WITH_DES_CBC_SHA", "ADH-DES-CBC-SHA");
209 // add("TLS_ECDH_anon_WITH_RC4_128_SHA", "AECDH-RC4-SHA");
210 // add("TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "AECDH-AES128-SHA");
211 // add("TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "AECDH-AES256-SHA");
212 // add("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "AECDH-DES-CBC3-SHA");
213 add("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", "EXP-ADH-RC4-MD5");
214 add("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", "EXP-ADH-DES-CBC-SHA");
215 // add("TLS_ECDH_anon_WITH_NULL_SHA", "AECDH-NULL-SHA");
217 // No Kerberos in Android
218 // add("TLS_KRB5_WITH_RC4_128_SHA", "KRB5-RC4-SHA");
219 // add("TLS_KRB5_WITH_RC4_128_MD5", "KRB5-RC4-MD5");
220 // add("TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "KRB5-DES-CBC3-SHA");
221 // add("TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "KRB5-DES-CBC3-MD5");
222 // add("TLS_KRB5_WITH_DES_CBC_SHA", "KRB5-DES-CBC-SHA");
223 // add("TLS_KRB5_WITH_DES_CBC_MD5", "KRB5-DES-CBC-MD5");
224 // add("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "EXP-KRB5-RC4-SHA");
225 // add("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "EXP-KRB5-RC4-MD5");
226 // add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "EXP-KRB5-DES-CBC-SHA");
227 // add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "EXP-KRB5-DES-CBC-MD5");
229 // not implemented by either RI or OpenSSL
230 // add("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA", null);
231 // add("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA", null);
233 // EXPORT1024 suites were never standardized but were widely implemented.
234 // OpenSSL 0.9.8c and later have disabled TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
235 // add("SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA", "EXP1024-DES-CBC-SHA");
236 // add("SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", "EXP1024-RC4-SHA");
239 // add("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "EXP-RC2-CBC-MD5");
240 // add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", "EXP-KRB5-RC2-CBC-SHA");
241 // add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", "EXP-KRB5-RC2-CBC-MD5");
243 // PSK is Private Shared Key - didn't exist in Froyo's openssl - no JSSE equivalent
244 // add(null, "PSK-3DES-EDE-CBC-SHA");
245 // add(null, "PSK-AES128-CBC-SHA");
246 // add(null, "PSK-AES256-CBC-SHA");
247 // add(null, "PSK-RC4-SHA");
250 private static final String[] SUPPORTED_CIPHER_SUITES
251 = STANDARD_TO_OPENSSL_CIPHER_SUITES.keySet().toArray(new String[0]);
253 // SSL mode from ssl.h
254 public static long SSL_MODE_HANDSHAKE_CUTTHROUGH = 0x00000040L;
256 // SSL options from ssl.h
257 public static long SSL_OP_NO_TICKET = 0x00004000L;
258 public static long SSL_OP_NO_COMPRESSION = 0x00020000L;
259 public static long SSL_OP_NO_SSLv3 = 0x02000000L;
260 public static long SSL_OP_NO_TLSv1 = 0x04000000L;
262 public static native int SSL_CTX_new();
264 public static String[] getDefaultCipherSuites() {
265 return new String[] {
266 "SSL_RSA_WITH_RC4_128_MD5",
267 "SSL_RSA_WITH_RC4_128_SHA",
268 "TLS_RSA_WITH_AES_128_CBC_SHA",
269 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
270 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
271 "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
272 "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
273 "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
274 "SSL_RSA_WITH_DES_CBC_SHA",
275 "SSL_DHE_RSA_WITH_DES_CBC_SHA",
276 "SSL_DHE_DSS_WITH_DES_CBC_SHA",
277 "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
278 "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
279 "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
280 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
284 public static String[] getSupportedCipherSuites() {
285 return SUPPORTED_CIPHER_SUITES.clone();
288 public static native void SSL_CTX_free(int ssl_ctx);
290 public static native int SSL_new(int ssl_ctx) throws SSLException;
292 public static final String[] KEY_TYPES = new String[] {
300 public static String keyType(int keyType) {
302 case 1: // TLS_CT_RSA_SIGN
304 case 2: // TLS_CT_DSS_SIGN
306 case 3: // TLS_CT_RSA_FIXED_DH
308 case 4: // TLS_CT_DSS_FIXED_DH
310 case 64: // TLS_CT_ECDSA_SIGN
317 public static byte[][] encodeCertificates(Certificate[] certificates)
318 throws CertificateEncodingException {
319 byte[][] certificateBytes = new byte[certificates.length][];
320 for (int i = 0; i < certificates.length; i++) {
321 certificateBytes[i] = certificates[i].getEncoded();
323 return certificateBytes;
326 public static native void SSL_use_certificate(int ssl, byte[][] asn1DerEncodedCertificateChain);
328 public static native void SSL_use_PrivateKey(int ssl, byte[] pkcs8EncodedPrivateKey);
330 public static native void SSL_check_private_key(int ssl) throws SSLException;
332 public static byte[][] encodeIssuerX509Principals(X509Certificate[] certificates)
333 throws CertificateEncodingException {
334 byte[][] principalBytes = new byte[certificates.length][];
335 for (int i = 0; i < certificates.length; i++) {
336 principalBytes[i] = certificates[i].getIssuerX500Principal().getEncoded();
338 return principalBytes;
341 public static native void SSL_set_client_CA_list(int ssl, byte[][] asn1DerEncodedX500Principals);
343 public static native long SSL_get_mode(int ssl);
345 public static native long SSL_set_mode(int ssl, long mode);
347 public static native long SSL_clear_mode(int ssl, long mode);
349 public static native long SSL_get_options(int ssl);
351 public static native long SSL_set_options(int ssl, long options);
353 public static native long SSL_clear_options(int ssl, long options);
355 public static String[] getSupportedProtocols() {
356 return new String[] { SUPPORTED_PROTOCOL_SSLV3, SUPPORTED_PROTOCOL_TLSV1 };
359 public static void setEnabledProtocols(int ssl, String[] protocols) {
360 checkEnabledProtocols(protocols);
361 // openssl uses negative logic letting you disable protocols.
362 // so first, assume we need to set all (disable all) and clear none (enable none).
363 // in the loop, selectively move bits from set to clear (from disable to enable)
364 long optionsToSet = (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
365 long optionsToClear = 0;
366 for (int i = 0; i < protocols.length; i++) {
367 String protocol = protocols[i];
368 if (protocol.equals(SUPPORTED_PROTOCOL_SSLV3)) {
369 optionsToSet &= ~SSL_OP_NO_SSLv3;
370 optionsToClear |= SSL_OP_NO_SSLv3;
371 } else if (protocol.equals(SUPPORTED_PROTOCOL_TLSV1)) {
372 optionsToSet &= ~SSL_OP_NO_TLSv1;
373 optionsToClear |= SSL_OP_NO_TLSv1;
375 // error checked by checkEnabledProtocols
376 throw new IllegalStateException();
380 SSL_set_options(ssl, optionsToSet);
381 SSL_clear_options(ssl, optionsToClear);
384 public static String[] checkEnabledProtocols(String[] protocols) {
385 if (protocols == null) {
386 throw new IllegalArgumentException("protocols == null");
388 for (int i = 0; i < protocols.length; i++) {
389 String protocol = protocols[i];
390 if (protocol == null) {
391 throw new IllegalArgumentException("protocols[" + i + "] == null");
393 if ((!protocol.equals(SUPPORTED_PROTOCOL_SSLV3))
394 && (!protocol.equals(SUPPORTED_PROTOCOL_TLSV1))) {
395 throw new IllegalArgumentException("protocol " + protocol
396 + " is not supported");
402 public static native void SSL_set_cipher_lists(int ssl, String[] ciphers);
404 public static void setEnabledCipherSuites(int ssl, String[] cipherSuites) {
405 checkEnabledCipherSuites(cipherSuites);
406 List<String> opensslSuites = new ArrayList<String>();
407 for (int i = 0; i < cipherSuites.length; i++) {
408 String cipherSuite = cipherSuites[i];
409 String openssl = STANDARD_TO_OPENSSL_CIPHER_SUITES.get(cipherSuite);
410 String cs = (openssl == null) ? cipherSuite : openssl;
411 opensslSuites.add(cs);
413 SSL_set_cipher_lists(ssl, opensslSuites.toArray(new String[opensslSuites.size()]));
416 public static String[] checkEnabledCipherSuites(String[] cipherSuites) {
417 if (cipherSuites == null) {
418 throw new IllegalArgumentException("cipherSuites == null");
420 // makes sure all suites are valid, throwing on error
421 for (int i = 0; i < cipherSuites.length; i++) {
422 String cipherSuite = cipherSuites[i];
423 if (cipherSuite == null) {
424 throw new IllegalArgumentException("cipherSuites[" + i + "] == null");
426 if (STANDARD_TO_OPENSSL_CIPHER_SUITES.containsKey(cipherSuite)) {
429 if (OPENSSL_TO_STANDARD_CIPHER_SUITES.containsKey(cipherSuite)) {
430 // TODO log warning about using backward compatability
433 throw new IllegalArgumentException("cipherSuite " + cipherSuite + " is not supported.");
438 private static final String SUPPORTED_COMPRESSION_METHOD_ZLIB = "ZLIB";
439 private static final String SUPPORTED_COMPRESSION_METHOD_NULL = "NULL";
441 private static final String[] SUPPORTED_COMPRESSION_METHODS
442 = { SUPPORTED_COMPRESSION_METHOD_ZLIB, SUPPORTED_COMPRESSION_METHOD_NULL };
444 public static String[] getSupportedCompressionMethods() {
445 return SUPPORTED_COMPRESSION_METHODS.clone();
448 public static final String[] getDefaultCompressionMethods() {
449 return new String[] { SUPPORTED_COMPRESSION_METHOD_NULL };
452 public static String[] checkEnabledCompressionMethods(String[] methods) {
453 if (methods == null) {
454 throw new IllegalArgumentException("methods == null");
456 if (methods.length < 1
457 && !methods[methods.length-1].equals(SUPPORTED_COMPRESSION_METHOD_NULL)) {
458 throw new IllegalArgumentException("last method must be NULL");
460 for (int i = 0; i < methods.length; i++) {
461 String method = methods[i];
462 if (method == null) {
463 throw new IllegalArgumentException("methods[" + i + "] == null");
465 if (!method.equals(SUPPORTED_COMPRESSION_METHOD_ZLIB)
466 && !method.equals(SUPPORTED_COMPRESSION_METHOD_NULL)) {
467 throw new IllegalArgumentException("method " + method
468 + " is not supported");
474 public static void setEnabledCompressionMethods(int ssl, String[] methods) {
475 checkEnabledCompressionMethods(methods);
476 // openssl uses negative logic letting you disable compression.
477 // so first, assume we need to set all (disable all) and clear none (enable none).
478 // in the loop, selectively move bits from set to clear (from disable to enable)
479 long optionsToSet = (SSL_OP_NO_COMPRESSION);
480 long optionsToClear = 0;
481 for (int i = 0; i < methods.length; i++) {
482 String method = methods[i];
483 if (method.equals(SUPPORTED_COMPRESSION_METHOD_NULL)) {
484 // nothing to do to support NULL
485 } else if (method.equals(SUPPORTED_COMPRESSION_METHOD_ZLIB)) {
486 optionsToSet &= ~SSL_OP_NO_COMPRESSION;
487 optionsToClear |= SSL_OP_NO_COMPRESSION;
489 // error checked by checkEnabledCompressionMethods
490 throw new IllegalStateException();
494 SSL_set_options(ssl, optionsToSet);
495 SSL_clear_options(ssl, optionsToClear);
499 * See the OpenSSL ssl.h header file for more information.
501 public static final int SSL_VERIFY_NONE = 0x00;
502 public static final int SSL_VERIFY_PEER = 0x01;
503 public static final int SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 0x02;
505 public static native void SSL_set_verify(int sslNativePointer, int mode);
507 public static native void SSL_set_session(int sslNativePointer, int sslSessionNativePointer)
510 public static native void SSL_set_session_creation_enabled(
511 int sslNativePointer, boolean creationEnabled) throws SSLException;
513 public static native void SSL_set_tlsext_host_name(int sslNativePointer, String hostname)
515 public static native String SSL_get_servername(int sslNativePointer);
518 * Returns the sslSessionNativePointer of the negotiated session
520 public static native int SSL_do_handshake(int sslNativePointer,
522 SSLHandshakeCallbacks shc,
525 throws SSLException, SocketTimeoutException, CertificateException;
528 * Currently only intended for forcing renegotiation for testing.
529 * Not used within OpenSSLSocketImpl.
531 public static native void SSL_renegotiate(int sslNativePointer) throws SSLException;
534 * Returns the local ASN.1 DER encoded X509 certificates.
536 public static native byte[][] SSL_get_certificate(int sslNativePointer);
539 * Returns the peer ASN.1 DER encoded X509 certificates.
541 public static native byte[][] SSL_get_peer_cert_chain(int sslNativePointer);
544 * Reads with the native SSL_read function from the encrypted data stream
545 * @return -1 if error or the end of the stream is reached.
547 public static native int SSL_read_byte(int sslNativePointer,
549 SSLHandshakeCallbacks shc,
550 int timeout) throws IOException;
551 public static native int SSL_read(int sslNativePointer,
553 SSLHandshakeCallbacks shc,
554 byte[] b, int off, int len, int timeout)
558 * Writes with the native SSL_write function to the encrypted data stream.
560 public static native void SSL_write_byte(int sslNativePointer,
562 SSLHandshakeCallbacks shc,
563 int b) throws IOException;
564 public static native void SSL_write(int sslNativePointer,
566 SSLHandshakeCallbacks shc,
567 byte[] b, int off, int len)
570 public static native void SSL_interrupt(int sslNativePointer) throws IOException;
571 public static native void SSL_shutdown(int sslNativePointer,
573 SSLHandshakeCallbacks shc) throws IOException;
575 public static native void SSL_free(int sslNativePointer);
577 public static native byte[] SSL_SESSION_session_id(int sslSessionNativePointer);
579 public static native long SSL_SESSION_get_time(int sslSessionNativePointer);
581 public static native String SSL_SESSION_get_version(int sslSessionNativePointer);
583 public static native String SSL_SESSION_cipher(int sslSessionNativePointer);
585 public static native String SSL_SESSION_compress_meth(int sslCtxNativePointer,
586 int sslSessionNativePointer);
588 public static native void SSL_SESSION_free(int sslSessionNativePointer);
590 public static native byte[] i2d_SSL_SESSION(int sslSessionNativePointer);
592 public static native int d2i_SSL_SESSION(byte[] data);
595 * A collection of callbacks from the native OpenSSL code that are
596 * related to the SSL handshake initiated by SSL_do_handshake.
598 public interface SSLHandshakeCallbacks {
600 * Verify that we trust the certificate chain is trusted.
602 * @param asn1DerEncodedCertificateChain A chain of ASN.1 DER encoded certficates
603 * @param authMethod auth algorithm name
605 * @throws CertificateException if the certificate is untrusted
607 public void verifyCertificateChain(byte[][] asn1DerEncodedCertificateChain, String authMethod)
608 throws CertificateException;
611 * Called on an SSL client when the server requests (or
612 * requires a certificate). The client can respond by using
613 * SSL_use_certificate and SSL_use_PrivateKey to set a
614 * certificate if has an appropriate one available, similar to
615 * how the server provides its certificate.
617 * @param keyTypes key types supported by the server,
618 * convertible to strings with #keyType
619 * @param asn1DerEncodedX500Principals CAs known to the server
621 public void clientCertificateRequested(byte[] keyTypes,
622 byte[][] asn1DerEncodedX500Principals)
623 throws CertificateEncodingException, SSLException;
626 * Called when SSL handshake is completed. Note that this can
627 * be after SSL_do_handshake returns when handshake cutthrough
630 public void handshakeCompleted();