1 /* 2 * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package javax.net.ssl; 27 28 import java.security.*; 29 import java.util.*; 30 31 import sun.security.jca.GetInstance; 32 33 /** 34 * Instances of this class represent a secure socket protocol 35 * implementation which acts as a factory for secure socket 36 * factories or <code>SSLEngine</code>s. This class is initialized 37 * with an optional set of key and trust managers and source of 38 * secure random bytes. 39 * 40 * <p> Android provides the following <code>SSLContext</code> protocols: 41 * <table> 42 * <thead> 43 * <tr> 44 * <th>Algorithm</th> 45 * <th>Supported API Levels</th> 46 * </tr> 47 * </thead> 48 * <tbody> 49 * <tr> 50 * <td>Default</td> 51 * <td>10+</td> 52 * </tr> 53 * <tr> 54 * <td>SSL</td> 55 * <td>10+</td> 56 * </tr> 57 * <tr class="deprecated"> 58 * <td>SSLv3</td> 59 * <td>10-25</td> 60 * </tr> 61 * <tr> 62 * <td>TLS</td> 63 * <td>1+</td> 64 * </tr> 65 * <tr> 66 * <td>TLSv1</td> 67 * <td>10+</td> 68 * </tr> 69 * <tr> 70 * <td>TLSv1.1</td> 71 * <td>16+</td> 72 * </tr> 73 * <tr> 74 * <td>TLSv1.2</td> 75 * <td>16+</td> 76 * </tr> 77 * <tr> 78 * <td>TLSv1.3</td> 79 * <td>29+</td> 80 * </tr> 81 * </tbody> 82 * </table> 83 * 84 * This protocol is described in the <a href= 85 * "https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext"> 86 * SSLContext section</a> of the 87 * Java Cryptography Architecture Standard Algorithm Name Documentation. 88 * 89 * @since 1.4 90 */ 91 public class SSLContext { 92 private final Provider provider; 93 94 private final SSLContextSpi contextSpi; 95 96 private final String protocol; 97 98 /** 99 * Creates an SSLContext object. 100 * 101 * @param contextSpi the delegate 102 * @param provider the provider 103 * @param protocol the protocol 104 */ SSLContext(SSLContextSpi contextSpi, Provider provider, String protocol)105 protected SSLContext(SSLContextSpi contextSpi, Provider provider, 106 String protocol) { 107 this.contextSpi = contextSpi; 108 this.provider = provider; 109 this.protocol = protocol; 110 } 111 112 private static SSLContext defaultContext; 113 114 /** 115 * Returns the default SSL context. 116 * 117 * <p>If a default context was set using the {@link #setDefault 118 * SSLContext.setDefault()} method, it is returned. Otherwise, the first 119 * call of this method triggers the call 120 * <code>SSLContext.getInstance("Default")</code>. 121 * If successful, that object is made the default SSL context and returned. 122 * 123 * <p>The default context is immediately 124 * usable and does not require {@linkplain #init initialization}. 125 * 126 * @return the default SSL context 127 * @throws NoSuchAlgorithmException if the 128 * {@link SSLContext#getInstance SSLContext.getInstance()} call fails 129 * @since 1.6 130 */ getDefault()131 public static synchronized SSLContext getDefault() 132 throws NoSuchAlgorithmException { 133 if (defaultContext == null) { 134 defaultContext = SSLContext.getInstance("Default"); 135 } 136 return defaultContext; 137 } 138 139 // Android-changed: Additional text to strongly discouraged changing the default. 140 /** 141 * Sets the default SSL context. It will be returned by subsequent calls 142 * to {@link #getDefault}. The default context must be immediately usable 143 * and not require {@linkplain #init initialization}. 144 * <p> 145 * Developers are <em>strongly</em> discouraged from changing the default {@code SSLContext} as 146 * it is used as the Android default for secure communication by APIs like 147 * {@link SSLSocketFactory#getDefault()}, {@link SSLServerSocketFactory#getDefault()} and 148 * {@link HttpsURLConnection}. 149 * 150 * @param context the SSLContext 151 * @throws NullPointerException if context is null 152 * @throws SecurityException if a security manager exists and its 153 * <code>checkPermission</code> method does not allow 154 * <code>SSLPermission("setDefaultSSLContext")</code> 155 * @since 1.6 156 */ setDefault(SSLContext context)157 public static synchronized void setDefault(SSLContext context) { 158 if (context == null) { 159 throw new NullPointerException(); 160 } 161 SecurityManager sm = System.getSecurityManager(); 162 if (sm != null) { 163 sm.checkPermission(new SSLPermission("setDefaultSSLContext")); 164 } 165 defaultContext = context; 166 } 167 168 /** 169 * Returns a <code>SSLContext</code> object that implements the 170 * specified secure socket protocol. 171 * 172 * <p> This method traverses the list of registered security Providers, 173 * starting with the most preferred Provider. 174 * A new SSLContext object encapsulating the 175 * SSLContextSpi implementation from the first 176 * Provider that supports the specified protocol is returned. 177 * 178 * <p> Note that the list of registered providers may be retrieved via 179 * the {@link Security#getProviders() Security.getProviders()} method. 180 * 181 * @param protocol the standard name of the requested protocol. 182 * See the SSLContext section in the <a href= 183 * "https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext"> 184 * Java Cryptography Architecture Standard Algorithm Name 185 * Documentation</a> 186 * for information about standard protocol names. 187 * 188 * @return the new <code>SSLContext</code> object. 189 * 190 * @exception NoSuchAlgorithmException if no Provider supports a 191 * SSLContextSpi implementation for the 192 * specified protocol. 193 * @exception NullPointerException if protocol is null. 194 * 195 * @see java.security.Provider 196 */ getInstance(String protocol)197 public static SSLContext getInstance(String protocol) 198 throws NoSuchAlgorithmException { 199 GetInstance.Instance instance = GetInstance.getInstance 200 ("SSLContext", SSLContextSpi.class, protocol); 201 return new SSLContext((SSLContextSpi)instance.impl, instance.provider, 202 protocol); 203 } 204 205 /** 206 * Returns a <code>SSLContext</code> object that implements the 207 * specified secure socket protocol. 208 * 209 * <p> A new SSLContext object encapsulating the 210 * SSLContextSpi implementation from the specified provider 211 * is returned. The specified provider must be registered 212 * in the security provider list. 213 * 214 * <p> Note that the list of registered providers may be retrieved via 215 * the {@link Security#getProviders() Security.getProviders()} method. 216 * 217 * @param protocol the standard name of the requested protocol. 218 * See the SSLContext section in the <a href= 219 * "https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext"> 220 * Java Cryptography Architecture Standard Algorithm Name 221 * Documentation</a> 222 * for information about standard protocol names. 223 * 224 * @param provider the name of the provider. 225 * 226 * @return the new <code>SSLContext</code> object. 227 * 228 * @throws NoSuchAlgorithmException if a SSLContextSpi 229 * implementation for the specified protocol is not 230 * available from the specified provider. 231 * 232 * @throws NoSuchProviderException if the specified provider is not 233 * registered in the security provider list. 234 * 235 * @throws IllegalArgumentException if the provider name is null or empty. 236 * @throws NullPointerException if protocol is null. 237 * 238 * @see java.security.Provider 239 */ getInstance(String protocol, String provider)240 public static SSLContext getInstance(String protocol, String provider) 241 throws NoSuchAlgorithmException, NoSuchProviderException { 242 GetInstance.Instance instance = GetInstance.getInstance 243 ("SSLContext", SSLContextSpi.class, protocol, provider); 244 return new SSLContext((SSLContextSpi)instance.impl, instance.provider, 245 protocol); 246 } 247 248 /** 249 * Returns a <code>SSLContext</code> object that implements the 250 * specified secure socket protocol. 251 * 252 * <p> A new SSLContext object encapsulating the 253 * SSLContextSpi implementation from the specified Provider 254 * object is returned. Note that the specified Provider object 255 * does not have to be registered in the provider list. 256 * 257 * @param protocol the standard name of the requested protocol. 258 * See the SSLContext section in the <a href= 259 * "https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext"> 260 * Java Cryptography Architecture Standard Algorithm Name 261 * Documentation</a> 262 * for information about standard protocol names. 263 * 264 * @param provider an instance of the provider. 265 * 266 * @return the new <code>SSLContext</code> object. 267 * 268 * @throws NoSuchAlgorithmException if a SSLContextSpi 269 * implementation for the specified protocol is not available 270 * from the specified Provider object. 271 * 272 * @throws IllegalArgumentException if the provider is null. 273 * @throws NullPointerException if protocol is null. 274 * 275 * @see java.security.Provider 276 */ getInstance(String protocol, Provider provider)277 public static SSLContext getInstance(String protocol, Provider provider) 278 throws NoSuchAlgorithmException { 279 GetInstance.Instance instance = GetInstance.getInstance 280 ("SSLContext", SSLContextSpi.class, protocol, provider); 281 return new SSLContext((SSLContextSpi)instance.impl, instance.provider, 282 protocol); 283 } 284 285 /** 286 * Returns the protocol name of this <code>SSLContext</code> object. 287 * 288 * <p>This is the same name that was specified in one of the 289 * <code>getInstance</code> calls that created this 290 * <code>SSLContext</code> object. 291 * 292 * @return the protocol name of this <code>SSLContext</code> object. 293 */ getProtocol()294 public final String getProtocol() { 295 return this.protocol; 296 } 297 298 /** 299 * Returns the provider of this <code>SSLContext</code> object. 300 * 301 * @return the provider of this <code>SSLContext</code> object 302 */ getProvider()303 public final Provider getProvider() { 304 return this.provider; 305 } 306 307 /** 308 * Initializes this context. Either of the first two parameters 309 * may be null in which case the installed security providers will 310 * be searched for the highest priority implementation of the 311 * appropriate factory. Likewise, the secure random parameter may 312 * be null in which case the default implementation will be used. 313 * <P> 314 * Only the first instance of a particular key and/or trust manager 315 * implementation type in the array is used. (For example, only 316 * the first javax.net.ssl.X509KeyManager in the array will be used.) 317 * 318 * @param km the sources of authentication keys or null 319 * @param tm the sources of peer authentication trust decisions or null 320 * @param random the source of randomness for this generator or null 321 * @throws KeyManagementException if this operation fails 322 */ init(KeyManager[] km, TrustManager[] tm, SecureRandom random)323 public final void init(KeyManager[] km, TrustManager[] tm, 324 SecureRandom random) 325 throws KeyManagementException { 326 contextSpi.engineInit(km, tm, random); 327 } 328 329 /** 330 * Returns a <code>SocketFactory</code> object for this 331 * context. 332 * 333 * @return the <code>SocketFactory</code> object 334 * @throws IllegalStateException if the SSLContextImpl requires 335 * initialization and the <code>init()</code> has not been called 336 */ getSocketFactory()337 public final SSLSocketFactory getSocketFactory() { 338 return contextSpi.engineGetSocketFactory(); 339 } 340 341 /** 342 * Returns a <code>ServerSocketFactory</code> object for 343 * this context. 344 * 345 * @return the <code>ServerSocketFactory</code> object 346 * @throws IllegalStateException if the SSLContextImpl requires 347 * initialization and the <code>init()</code> has not been called 348 */ getServerSocketFactory()349 public final SSLServerSocketFactory getServerSocketFactory() { 350 return contextSpi.engineGetServerSocketFactory(); 351 } 352 353 /** 354 * Creates a new <code>SSLEngine</code> using this context. 355 * <P> 356 * Applications using this factory method are providing no hints 357 * for an internal session reuse strategy. If hints are desired, 358 * {@link #createSSLEngine(String, int)} should be used 359 * instead. 360 * <P> 361 * Some cipher suites (such as Kerberos) require remote hostname 362 * information, in which case this factory method should not be used. 363 * 364 * @return the <code>SSLEngine</code> object 365 * @throws UnsupportedOperationException if the underlying provider 366 * does not implement the operation. 367 * @throws IllegalStateException if the SSLContextImpl requires 368 * initialization and the <code>init()</code> has not been called 369 * @since 1.5 370 */ createSSLEngine()371 public final SSLEngine createSSLEngine() { 372 try { 373 return contextSpi.engineCreateSSLEngine(); 374 } catch (AbstractMethodError e) { 375 UnsupportedOperationException unsup = 376 new UnsupportedOperationException( 377 "Provider: " + getProvider() + 378 " doesn't support this operation"); 379 unsup.initCause(e); 380 throw unsup; 381 } 382 } 383 384 /** 385 * Creates a new <code>SSLEngine</code> using this context using 386 * advisory peer information. 387 * <P> 388 * Applications using this factory method are providing hints 389 * for an internal session reuse strategy. 390 * <P> 391 * Some cipher suites (such as Kerberos) require remote hostname 392 * information, in which case peerHost needs to be specified. 393 * 394 * @param peerHost the non-authoritative name of the host 395 * @param peerPort the non-authoritative port 396 * @return the new <code>SSLEngine</code> object 397 * @throws UnsupportedOperationException if the underlying provider 398 * does not implement the operation. 399 * @throws IllegalStateException if the SSLContextImpl requires 400 * initialization and the <code>init()</code> has not been called 401 * @since 1.5 402 */ createSSLEngine(String peerHost, int peerPort)403 public final SSLEngine createSSLEngine(String peerHost, int peerPort) { 404 try { 405 return contextSpi.engineCreateSSLEngine(peerHost, peerPort); 406 } catch (AbstractMethodError e) { 407 UnsupportedOperationException unsup = 408 new UnsupportedOperationException( 409 "Provider: " + getProvider() + 410 " does not support this operation"); 411 unsup.initCause(e); 412 throw unsup; 413 } 414 } 415 416 /** 417 * Returns the server session context, which represents the set of 418 * SSL sessions available for use during the handshake phase of 419 * server-side SSL sockets. 420 * <P> 421 * This context may be unavailable in some environments, in which 422 * case this method returns null. For example, when the underlying 423 * SSL provider does not provide an implementation of SSLSessionContext 424 * interface, this method returns null. A non-null session context 425 * is returned otherwise. 426 * 427 * @return server session context bound to this SSL context 428 */ getServerSessionContext()429 public final SSLSessionContext getServerSessionContext() { 430 return contextSpi.engineGetServerSessionContext(); 431 } 432 433 /** 434 * Returns the client session context, which represents the set of 435 * SSL sessions available for use during the handshake phase of 436 * client-side SSL sockets. 437 * <P> 438 * This context may be unavailable in some environments, in which 439 * case this method returns null. For example, when the underlying 440 * SSL provider does not provide an implementation of SSLSessionContext 441 * interface, this method returns null. A non-null session context 442 * is returned otherwise. 443 * 444 * @return client session context bound to this SSL context 445 */ getClientSessionContext()446 public final SSLSessionContext getClientSessionContext() { 447 return contextSpi.engineGetClientSessionContext(); 448 } 449 450 /** 451 * Returns a copy of the SSLParameters indicating the default 452 * settings for this SSL context. 453 * 454 * <p>The parameters will always have the ciphersuites and protocols 455 * arrays set to non-null values. 456 * 457 * @return a copy of the SSLParameters object with the default settings 458 * @throws UnsupportedOperationException if the default SSL parameters 459 * could not be obtained. 460 * @since 1.6 461 */ getDefaultSSLParameters()462 public final SSLParameters getDefaultSSLParameters() { 463 return contextSpi.engineGetDefaultSSLParameters(); 464 } 465 466 /** 467 * Returns a copy of the SSLParameters indicating the supported 468 * settings for this SSL context. 469 * 470 * <p>The parameters will always have the ciphersuites and protocols 471 * arrays set to non-null values. 472 * 473 * @return a copy of the SSLParameters object with the supported 474 * settings 475 * @throws UnsupportedOperationException if the supported SSL parameters 476 * could not be obtained. 477 * @since 1.6 478 */ getSupportedSSLParameters()479 public final SSLParameters getSupportedSSLParameters() { 480 return contextSpi.engineGetSupportedSSLParameters(); 481 } 482 483 } 484