Produced by Araxis Merge on 9/25/2018 2:13:26 PM Central Daylight Time.
# | Location | File | Last Modified |
---|---|---|---|
1 | build 3.zip\build 3\MHLTH_YS_137_Source\JavaScript\resources\javaJDF-1.8.0\src\sun\security\ssl | SSLSessionImpl.java | Mon Jan 22 14:46:54 2018 UTC |
2 | build 3.zip\build 3\MHLTH_YS_137_Source\JavaScript\resources\javaJDF-1.8.0\src\sun\security\ssl | SSLSessionImpl.java | Wed Sep 12 17:54:52 2018 UTC |
Description | Between Files 1 and 2 |
|
---|---|---|
Text Blocks | Lines | |
Unchanged | 4 | 1814 |
Changed | 3 | 6 |
Inserted | 0 | 0 |
Removed | 0 | 0 |
Whitespace | |
---|---|
Character case | Differences in character case are significant |
Line endings | Differences in line endings (CR and LF characters) are ignored |
CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
1 | /* | |
2 | * Copyrig ht (c) 199 6, 2017, O racle and/ or its aff iliates. A ll rights reserved. | |
3 | * DO NOT ALTER OR R EMOVE COPY RIGHT NOTI CES OR THI S FILE HEA DER. | |
4 | * | |
5 | * This co de is free software; you can r edistribut e it and/o r modify i t | |
6 | * under t he terms o f the GNU General Pu blic Licen se version 2 only, a s | |
7 | * publish ed by the Free Softw are Founda tion. Ora cle design ates this | |
8 | * particu lar file a s subject to the "Cl asspath" e xception a s provided | |
9 | * by Orac le in the LICENSE fi le that ac companied this code. | |
10 | * | |
11 | * This co de is dist ributed in the hope that it wi ll be usef ul, but WI THOUT | |
12 | * ANY WAR RANTY; wit hout even the implie d warranty of MERCHA NTABILITY or | |
13 | * FITNESS FOR A PAR TICULAR PU RPOSE. Se e the GNU General Pu blic Licen se | |
14 | * version 2 for mor e details (a copy is included in the LIC ENSE file that | |
15 | * accompa nied this code). | |
16 | * | |
17 | * You sho uld have r eceived a copy of th e GNU Gene ral Public License v ersion | |
18 | * 2 along with this work; if not, write to the Fr ee Softwar e Foundati on, | |
19 | * Inc., 5 1 Franklin St, Fifth Floor, Bo ston, MA 0 2110-1301 USA. | |
20 | * | |
21 | * Please contact Or acle, 500 Oracle Par kway, Redw ood Shores , CA 94065 USA | |
22 | * or visi t www.orac le.com if you need a dditional informatio n or have any | |
23 | * questio ns. | |
24 | */ | |
25 | ||
26 | ||
27 | package su n.security .ssl; | |
28 | ||
29 | import jav a.net.*; | |
30 | import jav a.util.Enu meration; | |
31 | import jav a.util.Has htable; | |
32 | import jav a.util.Vec tor; | |
33 | import jav a.util.Col lection; | |
34 | import jav a.util.Col lections; | |
35 | import jav a.util.Lis t; | |
36 | import jav a.util.Arr ayList; | |
37 | ||
38 | import jav a.security .Principal ; | |
39 | import jav a.security .PrivateKe y; | |
40 | import jav a.security .SecureRan dom; | |
41 | import jav a.security .cert.X509 Certificat e; | |
42 | import jav a.security .cert.Cert ificateEnc odingExcep tion; | |
43 | ||
44 | import jav ax.crypto. SecretKey; | |
45 | ||
46 | import jav ax.net.ssl .SSLSessio nContext; | |
47 | import jav ax.net.ssl .SSLSessio nBindingLi stener; | |
48 | import jav ax.net.ssl .SSLSessio nBindingEv ent; | |
49 | import jav ax.net.ssl .SSLPeerUn verifiedEx ception; | |
50 | import jav ax.net.ssl .SSLPermis sion; | |
51 | import jav ax.net.ssl .ExtendedS SLSession; | |
52 | import jav ax.net.ssl .SNIServer Name; | |
53 | ||
54 | import sta tic sun.se curity.ssl .CipherSui te.KeyExch ange.*; | |
55 | ||
56 | /** | |
57 | * Impleme nts the SS L session interface, and expos es the ses sion conte xt | |
58 | * which i s maintain ed by SSL servers. | |
59 | * | |
60 | * <P> Ser vers have the abilit y to manag e the sess ions assoc iated with | |
61 | * their a uthenticat ion contex t(s). The y can do t his by enu merating t he | |
62 | * IDs of the sessio ns which a re cached, examining those ses sions, and then | |
63 | * perhaps invalidat ing a give n session so that it can't be used again . | |
64 | * If serv ers do not explicitl y manage t he cache, sessions w ill linger | |
65 | * until m emory is l ow enough that the r untime env ironment p urges cach e | |
66 | * entries automatic ally to re claim spac e. | |
67 | * | |
68 | * <P><em> The only reason thi s class is not packa ge-private is that | |
69 | * there's no other public way to get at the serve r session context wh ich | |
70 | * is asso ciated wit h any give n authenti cation con text. </em > | |
71 | * | |
72 | * @author David Bro wnell | |
73 | */ | |
74 | final clas s SSLSessi onImpl ext ends Exten dedSSLSess ion { | |
75 | ||
76 | /* | |
77 | * we only reall y need a s ingle null session | |
78 | */ | |
79 | static final SSL SessionImp l nullSessio n = new SS LSessionIm pl(); | |
80 | ||
81 | // com pression m ethods | |
82 | privat e static f inal byte compressio n_null = 0 ; | |
83 | ||
84 | /* | |
85 | * The state of a single s ession, as described in sectio n 7.1 | |
86 | * of the SSLv3 spec. | |
87 | */ | |
88 | privat e final Pr otocolVers ion protocolVe rsion; | |
89 | privat e final Se ssionId sessionId; | |
90 | privat e X509Cert ificate[] peerCert s; | |
91 | privat e byte compress ionMethod; | |
92 | privat e CipherSu ite cipherSu ite; | |
93 | privat e SecretKe y masterSe cret; | |
94 | privat e final bo olean useExten dedMasterS ecret; | |
95 | ||
96 | /* | |
97 | * Inf ormation n ot part of the SSLv3 protocol spec, but used | |
98 | * to support se ssion mana gement pol icies. | |
99 | */ | |
100 | privat e final lo ng creation Time = Sys tem.curren tTimeMilli s(); | |
101 | privat e long lastUsed Time = 0; | |
102 | privat e final St ring host; | |
103 | privat e final in t port; | |
104 | privat e SSLSessi onContextI mpl context; | |
105 | privat e int sessionC ount; | |
106 | privat e boolean invalida ted; | |
107 | privat e X509Cert ificate[] localCer ts; | |
108 | privat e PrivateK ey localPri vateKey; | |
109 | privat e String[] localSup portedSign Algs; | |
110 | privat e String[] peerSupp ortedSignA lgs; | |
111 | privat e List<SNI ServerName > reque stedServer Names; | |
112 | ||
113 | ||
114 | // Pri ncipals fo r non-cert ificate ba sed cipher suites | |
115 | privat e Principa l peerPrin cipal; | |
116 | privat e Principa l localPri ncipal; | |
117 | ||
118 | /* | |
119 | * Is the sessio n currentl y re-estab lished wit h a sessio n-resumpti on | |
120 | * abb reviated i nitial han dshake? | |
121 | * | |
122 | * Not e that cur rently we only set t his variab le in clie nt side. | |
123 | */ | |
124 | privat e boolean isSessionR esumption = false; | |
125 | ||
126 | /* | |
127 | * We count sess ion creati ons, event ually for statistica l data but | |
128 | * als o since co unters mak e shorter debugging IDs than t he big one s | |
129 | * we use in the protocol for unique ness-over- time. | |
130 | */ | |
131 | privat e static v olatile in t counter = 0; | |
132 | ||
133 | /* | |
134 | * Use of sessio n caches i s globally enabled/d isabled. | |
135 | */ | |
136 | privat e static b oolean defaultR ejoinable = true; | |
137 | ||
138 | /* Cla ss and sub class dyna mic debugg ing suppor t */ | |
139 | privat e static f inal Debug debug = D ebug.getIn stance("ss l"); | |
140 | ||
141 | /* | |
142 | * Cre ate a new non-rejoin able sessi on, using the defaul t (null) | |
143 | * cip her spec. This cons tructor re turns a se ssion whic h could | |
144 | * be used eithe r by a cli ent or by a server, as a conne ction is | |
145 | * fir st opened and before handshaki ng begins. | |
146 | */ | |
147 | privat e SSLSessi onImpl() { | |
148 | th is(Protoco lVersion.N ONE, Ciphe rSuite.C_N ULL, null, | |
149 | new Sess ionId(fals e, null), null, -1, false); | |
150 | } | |
151 | ||
152 | /* | |
153 | * Cre ate a new session, u sing a giv en cipher spec. Thi s will | |
154 | * be rejoinable if sessio n caching is enabled ; the cons tructor | |
155 | * is intended m ostly for use by ser ves. | |
156 | */ | |
157 | SSLSes sionImpl(P rotocolVer sion proto colVersion , CipherSu ite cipher Suite, | |
158 | Collecti on<Signatu reAndHashA lgorithm> algorithms , | |
159 | SecureRa ndom gener ator, Stri ng host, i nt port, | |
160 | boolean useExtende dMasterSec ret) { | |
161 | th is(protoco lVersion, cipherSuit e, algorit hms, | |
162 | new Ses sionId(def aultRejoin able, gene rator), ho st, port, | |
163 | useExte ndedMaster Secret); | |
164 | } | |
165 | ||
166 | /* | |
167 | * Rec ord a new session, u sing a giv en cipher spec and s ession ID. | |
168 | */ | |
169 | SSLSes sionImpl(P rotocolVer sion proto colVersion , CipherSu ite cipher Suite, | |
170 | Collecti on<Signatu reAndHashA lgorithm> algorithms , | |
171 | SessionI d id, Stri ng host, i nt port, | |
172 | boolean useExtende dMasterSec ret) { | |
173 | th is.protoco lVersion = protocolV ersion; | |
174 | se ssionId = id; | |
175 | pe erCerts = null; | |
176 | co mpressionM ethod = co mpression_ null; | |
177 | th is.cipherS uite = cip herSuite; | |
178 | ma sterSecret = null; | |
179 | th is.host = host; | |
180 | th is.port = port; | |
181 | se ssionCount = ++count er; | |
182 | lo calSupport edSignAlgs = | |
183 | Signatur eAndHashAl gorithm.ge tAlgorithm Names(algo rithms); | |
184 | th is.useExte ndedMaster Secret = u seExtended MasterSecr et; | |
185 | ||
186 | if (debug != null && D ebug.isOn( "session") ) { | |
187 | System.o ut.println ("%% Initi alized: " + this); | |
188 | } | |
189 | } | |
190 | ||
191 | void setMa sterSecret (SecretKey PW ) { | |
192 | if (masterSe cret == nu ll) { | |
193 | masterSecr et = PW ; | |
194 | } else { | |
195 | throw ne w RuntimeE xception(" setMasterS ecret() er ror"); | |
196 | } | |
197 | } | |
198 | ||
199 | /** | |
200 | * Returns the master PW ... treat with extre me caution ! | |
201 | */ | |
202 | Secret Key getMas terSecret( ) { | |
203 | re turn maste rSecret; | |
204 | } | |
205 | ||
206 | boolea n getUseEx tendedMast erSecret() { | |
207 | re turn useEx tendedMast erSecret; | |
208 | } | |
209 | ||
210 | void s etPeerCert ificates(X 509Certifi cate[] pee r) { | |
211 | if (peerCert s == null) { | |
212 | peerCert s = peer; | |
213 | } | |
214 | } | |
215 | ||
216 | void s etLocalCer tificates( X509Certif icate[] lo cal) { | |
217 | lo calCerts = local; | |
218 | } | |
219 | ||
220 | void s etLocalPri vateKey(Pr ivateKey p rivateKey) { | |
221 | lo calPrivate Key = priv ateKey; | |
222 | } | |
223 | ||
224 | void s etPeerSupp ortedSigna tureAlgori thms( | |
225 | Collecti on<Signatu reAndHashA lgorithm> algorithms ) { | |
226 | pe erSupporte dSignAlgs = | |
227 | Signatur eAndHashAl gorithm.ge tAlgorithm Names(algo rithms); | |
228 | } | |
229 | ||
230 | void s etRequeste dServerNam es(List<SN IServerNam e> request edServerNa mes) { | |
231 | th is.request edServerNa mes = new ArrayList< >(requeste dServerNam es); | |
232 | } | |
233 | ||
234 | /** | |
235 | * Set the peer principal. | |
236 | */ | |
237 | void s etPeerPrin cipal(Prin cipal prin cipal) { | |
238 | if (peerPrin cipal == n ull) { | |
239 | peerPrin cipal = pr incipal; | |
240 | } | |
241 | } | |
242 | ||
243 | /** | |
244 | * Set the local principal . | |
245 | */ | |
246 | void s etLocalPri ncipal(Pri ncipal pri ncipal) { | |
247 | lo calPrincip al = princ ipal; | |
248 | } | |
249 | ||
250 | /** | |
251 | * Ret urns true iff this s ession may be resume d ... sess ions are | |
252 | * usu ally resum able. Sec urity poli cies may s uggest oth erwise, | |
253 | * for example s essions th at haven't been used for a whi le (say, | |
254 | * a w orking day ) won't be resumable , and sess ions might have a | |
255 | * max imum lifet ime in any case. | |
256 | */ | |
257 | boolea n isRejoin able() { | |
258 | re turn sessi onId != nu ll && sess ionId.leng th() != 0 && | |
259 | !invalid ated && is LocalAuthe nticationV alid(); | |
260 | } | |
261 | ||
262 | @Overr ide | |
263 | public synchroni zed boolea n isValid( ) { | |
264 | re turn isRej oinable(); | |
265 | } | |
266 | ||
267 | /** | |
268 | * Che ck if the authentica tion used when estab lishing th is session | |
269 | * is still vali d. Returns true if n o authenti cation was used | |
270 | */ | |
271 | boolea n isLocalA uthenticat ionValid() { | |
272 | if (localPri vateKey != null) { | |
273 | try { | |
274 | // i f the priv ate key is no longer valid, ge tAlgorithm () | |
275 | // s hould thro w an excep tion | |
276 | // ( e.g. Smart card has b een remove d from the reader) | |
277 | loca lPrivateKe y.getAlgor ithm(); | |
278 | } catch (Exception e) { | |
279 | inva lidate(); | |
280 | retu rn false; | |
281 | } | |
282 | } | |
283 | re turn true; | |
284 | } | |
285 | ||
286 | /** | |
287 | * Ret urns the I D for this session. The ID is fixed for the | |
288 | * dur ation of t he session ; neither it, nor it s value, c hanges. | |
289 | */ | |
290 | @Overr ide | |
291 | public byte[] ge tId() { | |
292 | re turn sessi onId.getId (); | |
293 | } | |
294 | ||
295 | /** | |
296 | * For server se ssions, th is returns the set o f sessions which | |
297 | * are currently valid in this proce ss. For c lient sess ions, | |
298 | * thi s returns null. | |
299 | */ | |
300 | @Overr ide | |
301 | public SSLSessio nContext g etSessionC ontext() { | |
302 | /* | |
303 | * An interi m security policy un til we can do someth ing | |
304 | * more spec ific in 1. 2. Only al low truste d code (co de which | |
305 | * can set s ystem prop erties) to get an | |
306 | * SSLSessio nContext. This is to limit the ability o f code to | |
307 | * look up s pecific se ssions or enumerate over them. Otherwise , | |
308 | * code can only get s ession obj ects from successful SSL | |
309 | * connectio ns which i mplies tha t they mus t have had permissio n | |
310 | * to make t he network connectio n in the f irst place . | |
311 | * / | |
312 | Se curityMana ger sm; | |
313 | if ((sm = Sy stem.getSe curityMana ger()) != null) { | |
314 | sm.check Permission (new SSLPe rmission(" getSSLSess ionContext ")); | |
315 | } | |
316 | ||
317 | re turn conte xt; | |
318 | } | |
319 | ||
320 | ||
321 | Sessio nId getSes sionId() { | |
322 | re turn sessi onId; | |
323 | } | |
324 | ||
325 | ||
326 | /** | |
327 | * Ret urns the c ipher spec in use on this sess ion | |
328 | */ | |
329 | Cipher Suite getS uite() { | |
330 | re turn ciphe rSuite; | |
331 | } | |
332 | ||
333 | /** | |
334 | * Res ets the ci pher spec in use on this sessi on | |
335 | */ | |
336 | void s etSuite(Ci pherSuite suite) { | |
337 | cip herSuite = suite; | |
338 | ||
339 | if (debug != null && De bug.isOn(" session")) { | |
340 | System.ou t.println( "%% Negoti ating: " + this); | |
341 | } | |
342 | } | |
343 | ||
344 | /** | |
345 | * Ret urn true i f the sess ion is cur rently re- establishe d with a | |
346 | * ses sion-resum ption abbr eviated in itial hand shake. | |
347 | */ | |
348 | boolea n isSessio nResumptio n() { | |
349 | re turn isSes sionResump tion; | |
350 | } | |
351 | ||
352 | /** | |
353 | * Res ets whethe r the sess ion is re- establishe d with a s ession-res umption | |
354 | * abb reviated i nitial han dshake. | |
355 | */ | |
356 | void s etAsSessio nResumptio n(boolean flag) { | |
357 | is SessionRes umption = flag; | |
358 | } | |
359 | ||
360 | /** | |
361 | * Ret urns the n ame of the cipher su ite in use on this s ession | |
362 | */ | |
363 | @Overr ide | |
364 | public String ge tCipherSui te() { | |
365 | re turn getSu ite().name ; | |
366 | } | |
367 | ||
368 | Protoc olVersion getProtoco lVersion() { | |
369 | re turn proto colVersion ; | |
370 | } | |
371 | ||
372 | /** | |
373 | * Ret urns the s tandard na me of the protocol i n use on t his sessio n | |
374 | */ | |
375 | @Overr ide | |
376 | public String ge tProtocol( ) { | |
377 | re turn getPr otocolVers ion().name ; | |
378 | } | |
379 | ||
380 | /** | |
381 | * Ret urns the c ompression technique used in t his sessio n | |
382 | */ | |
383 | byte g etCompress ion() { | |
384 | re turn compr essionMeth od; | |
385 | } | |
386 | ||
387 | /** | |
388 | * Ret urns the h ashcode fo r this ses sion | |
389 | */ | |
390 | @Overr ide | |
391 | public int hashC ode() { | |
392 | re turn sessi onId.hashC ode(); | |
393 | } | |
394 | ||
395 | ||
396 | /** | |
397 | * Ret urns true if session s have sam e ids, fal se otherwi se. | |
398 | */ | |
399 | @Overr ide | |
400 | public boolean e quals(Obje ct obj) { | |
401 | ||
402 | if (obj == t his) { | |
403 | return t rue; | |
404 | } | |
405 | ||
406 | if (obj inst anceof SSL SessionImp l) { | |
407 | SSLSessi onImpl ses s = (SSLSe ssionImpl) obj; | |
408 | return ( sessionId != null) & & (session Id.equals( | |
409 | sess.g etSessionI d())); | |
410 | } | |
411 | ||
412 | re turn false ; | |
413 | } | |
414 | ||
415 | ||
416 | /** | |
417 | * Ret urn the ce rt chain p resented b y the peer in the | |
418 | * jav a.security .cert form at. | |
419 | * Not e: This me thod can b e used onl y when usi ng certifi cate-based | |
420 | * cip her suites ; using it with non- certificat e-based ci pher suite s, | |
421 | * suc h as Kerbe ros, will throw an S SLPeerUnve rifiedExce ption. | |
422 | * | |
423 | * @re turn array of peer X .509 certs , with the peer's ow n cert | |
424 | * fi rst in the chain, an d with the "root" CA last. | |
425 | */ | |
426 | @Overr ide | |
427 | public java.secu rity.cert. Certificat e[] getPee rCertifica tes() | |
428 | throws S SLPeerUnve rifiedExce ption { | |
429 | // | |
430 | // clone to preserve i ntegrity o f session ... caller can't | |
431 | // change re cord of pe er identit y even by accident, much | |
432 | // less do i t intentio nally. | |
433 | // | |
434 | if ((cipherS uite.keyEx change == K_KRB5) || | |
435 | (cipherS uite.keyEx change == K_KRB5_EXP ORT)) { | |
436 | throw ne w SSLPeerU nverifiedE xception(" no certifi cates expe cted" | |
437 | + " fo r Kerberos cipher su ites"); | |
438 | } | |
439 | if (peerCert s == null) { | |
440 | throw ne w SSLPeerU nverifiedE xception(" peer not a uthenticat ed"); | |
441 | } | |
442 | // Certs are immutable objects, therefore we don't c lone them. | |
443 | // But do ne ed to clon e the arra y, so that nothing i s inserted | |
444 | // into peer Certs. | |
445 | re turn (java .security. cert.Certi ficate[])p eerCerts.c lone(); | |
446 | } | |
447 | ||
448 | /** | |
449 | * Ret urn the ce rt chain p resented t o the peer in the | |
450 | * jav a.security .cert form at. | |
451 | * Not e: This me thod is us eful only when using certifica te-based | |
452 | * cip her suites . | |
453 | * | |
454 | * @re turn array of peer X .509 certs , with the peer's ow n cert | |
455 | * fi rst in the chain, an d with the "root" CA last. | |
456 | */ | |
457 | @Overr ide | |
458 | public java.secu rity.cert. Certificat e[] getLoc alCertific ates() { | |
459 | // | |
460 | // clone to preserve i ntegrity o f session ... caller can't | |
461 | // change re cord of pe er identit y even by accident, much | |
462 | // less do i t intentio nally. | |
463 | re turn (loca lCerts == null ? nul l : | |
464 | (java.se curity.cer t.Certific ate[])loca lCerts.clo ne()); | |
465 | } | |
466 | ||
467 | /** | |
468 | * Ret urn the ce rt chain p resented b y the peer in the | |
469 | * jav ax.securit y.cert for mat. | |
470 | * Not e: This me thod can b e used onl y when usi ng certifi cate-based | |
471 | * cip her suites ; using it with non- certificat e-based ci pher suite s, | |
472 | * suc h as Kerbe ros, will throw an S SLPeerUnve rifiedExce ption. | |
473 | * | |
474 | * @re turn array of peer X .509 certs , with the peer's ow n cert | |
475 | * fi rst in the chain, an d with the "root" CA last. | |
476 | */ | |
477 | @Overr ide | |
478 | public javax.sec urity.cert .X509Certi ficate[] g etPeerCert ificateCha in() | |
479 | throws S SLPeerUnve rifiedExce ption { | |
480 | // | |
481 | // clone to preserve i ntegrity o f session ... caller can't | |
482 | // change re cord of pe er identit y even by accident, much | |
483 | // less do i t intentio nally. | |
484 | // | |
485 | if ((cipherS uite.keyEx change == K_KRB5) || | |
486 | (cipherS uite.keyEx change == K_KRB5_EXP ORT)) { | |
487 | throw ne w SSLPeerU nverifiedE xception(" no certifi cates expe cted" | |
488 | + " fo r Kerberos cipher su ites"); | |
489 | } | |
490 | if (peerCert s == null) { | |
491 | throw ne w SSLPeerU nverifiedE xception(" peer not a uthenticat ed"); | |
492 | } | |
493 | ja vax.securi ty.cert.X5 09Certific ate[] cert s; | |
494 | ce rts = new javax.secu rity.cert. X509Certif icate[peer Certs.leng th]; | |
495 | fo r (int i = 0; i < pe erCerts.le ngth; i++) { | |
496 | byte[] d er = null; | |
497 | try { | |
498 | der = peerCert s[i].getEn coded(); | |
499 | cert s[i] = jav ax.securit y.cert.X50 9Certifica te.getInst ance(der); | |
500 | } catch (Certifica teEncoding Exception e) { | |
501 | thro w new SSLP eerUnverif iedExcepti on(e.getMe ssage()); | |
502 | } catch (javax.sec urity.cert .Certifica teExceptio n e) { | |
503 | thro w new SSLP eerUnverif iedExcepti on(e.getMe ssage()); | |
504 | } | |
505 | } | |
506 | ||
507 | re turn certs ; | |
508 | } | |
509 | ||
510 | /** | |
511 | * Ret urn the ce rt chain p resented b y the peer . | |
512 | * Not e: This me thod can b e used onl y when usi ng certifi cate-based | |
513 | * cip her suites ; using it with non- certificat e-based ci pher suite s, | |
514 | * suc h as Kerbe ros, will throw an S SLPeerUnve rifiedExce ption. | |
515 | * | |
516 | * @re turn array of peer X .509 certs , with the peer's ow n cert | |
517 | * fi rst in the chain, an d with the "root" CA last. | |
518 | */ | |
519 | public X509Certi ficate[] g etCertific ateChain() | |
520 | throws S SLPeerUnve rifiedExce ption { | |
521 | /* | |
522 | * clone to preserve i ntegrity o f session ... caller can't | |
523 | * change re cord of pe er identit y even by accident, much | |
524 | * less do i t intentio nally. | |
525 | * / | |
526 | if ((cipherS uite.keyEx change == K_KRB5) || | |
527 | (cipherS uite.keyEx change == K_KRB5_EXP ORT)) { | |
528 | throw ne w SSLPeerU nverifiedE xception(" no certifi cates expe cted" | |
529 | + " fo r Kerberos cipher su ites"); | |
530 | } | |
531 | if (peerCert s != null) { | |
532 | return p eerCerts.c lone(); | |
533 | } else { | |
534 | throw ne w SSLPeerU nverifiedE xception(" peer not a uthenticat ed"); | |
535 | } | |
536 | } | |
537 | ||
538 | /** | |
539 | * Ret urns the i dentity of the peer which was establishe d as part of | |
540 | * def ining the session. | |
541 | * | |
542 | * @re turn the p eer's prin cipal. Ret urns an X5 00Principa l of the | |
543 | * end -entity ce rtificate for X509-b ased ciphe r suites, and | |
544 | * Pri ncipal for Kerberos cipher sui tes. | |
545 | * | |
546 | * @th rows SSLPe erUnverifi edExceptio n if the p eer's iden tity has n ot | |
547 | * been verified | |
548 | */ | |
549 | @Overr ide | |
550 | public Principal getPeerPr incipal() | |
551 | thro ws SSLPeer Unverified Exception | |
552 | { | |
553 | if ((cipherS uite.keyEx change == K_KRB5) || | |
554 | (cipherS uite.keyEx change == K_KRB5_EXP ORT)) { | |
555 | if (peer Principal == null) { | |
556 | thro w new SSLP eerUnverif iedExcepti on("peer n ot authent icated"); | |
557 | } else { | |
558 | // E liminate d ependency on Kerbero sPrincipal | |
559 | retu rn peerPri ncipal; | |
560 | } | |
561 | } | |
562 | if (peerCert s == null) { | |
563 | throw ne w SSLPeerU nverifiedE xception(" peer not a uthenticat ed"); | |
564 | } | |
565 | re turn peerC erts[0].ge tSubjectX5 00Principa l(); | |
566 | } | |
567 | ||
568 | /** | |
569 | * Ret urns the p rincipal t hat was se nt to the peer durin g handshak ing. | |
570 | * | |
571 | * @re turn the p rincipal s ent to the peer. Ret urns an X5 00Principa l | |
572 | * of the end-en tity certi ficate for X509-base d cipher s uites, and | |
573 | * Pri ncipal for Kerberos cipher sui tes. If no principal was | |
574 | * sen t, then nu ll is retu rned. | |
575 | */ | |
576 | @Overr ide | |
577 | public Principal getLocalP rincipal() { | |
578 | ||
579 | if ((cipherS uite.keyEx change == K_KRB5) || | |
580 | (cipherS uite.keyEx change == K_KRB5_EXP ORT)) { | |
581 | // E liminate d ependency on Kerbero sPrincipal | |
582 | retu rn (localP rincipal = = null ? n ull : loca lPrincipal ); | |
583 | } | |
584 | re turn (loca lCerts == null ? nul l : | |
585 | loca lCerts[0]. getSubject X500Princi pal()); | |
586 | } | |
587 | ||
588 | /** | |
589 | * Ret urns the t ime this s ession was created. | |
590 | */ | |
591 | @Overr ide | |
592 | public long getC reationTim e() { | |
593 | re turn creat ionTime; | |
594 | } | |
595 | ||
596 | /** | |
597 | * Ret urns the l ast time t his sessio n was used to initia lize | |
598 | * a c onnection. | |
599 | */ | |
600 | @Overr ide | |
601 | public long getL astAccesse dTime() { | |
602 | re turn (last UsedTime ! = 0) ? las tUsedTime : creation Time; | |
603 | } | |
604 | ||
605 | void s etLastAcce ssedTime(l ong time) { | |
606 | la stUsedTime = time; | |
607 | } | |
608 | ||
609 | ||
610 | /** | |
611 | * Ret urns the n etwork add ress of th e session' s peer. T his | |
612 | * imp lementatio n does not insist th at connect ions betwe en | |
613 | * dif ferent por ts on the same host must neces sarily bel ong | |
614 | * to different sessions, though tha t is of co urse allow ed. | |
615 | */ | |
616 | public InetAddre ss getPeer Address() { | |
617 | tr y { | |
618 | return I netAddress .getByName (host); | |
619 | } catch (jav a.net.Unkn ownHostExc eption e) { | |
620 | return n ull; | |
621 | } | |
622 | } | |
623 | ||
624 | @Overr ide | |
625 | public String ge tPeerHost( ) { | |
626 | re turn host; | |
627 | } | |
628 | ||
629 | /** | |
630 | * Nee d to provi de the por t info for caching s essions ba sed on | |
631 | * hos t and port . Accessed by SSLSes sionContex tImpl | |
632 | */ | |
633 | @Overr ide | |
634 | public int getPe erPort() { | |
635 | re turn port; | |
636 | } | |
637 | ||
638 | void s etContext( SSLSession ContextImp l ctx) { | |
639 | if (context == null) { | |
640 | context = ctx; | |
641 | } | |
642 | } | |
643 | ||
644 | /** | |
645 | * Inv alidate a session. Active con nections m ay still e xist, but | |
646 | * no connection s will be able to re join this session. | |
647 | */ | |
648 | @Overr ide | |
649 | synchr onized pub lic void i nvalidate( ) { | |
650 | // | |
651 | // Can't inv alidate th e NULL ses sion -- th is would b e | |
652 | // attempted when we g et a hands haking err or on a br and | |
653 | // new conne ction, wit h no "real " session yet. | |
654 | // | |
655 | if (this == nullSessio n) { | |
656 | return; | |
657 | } | |
658 | in validated = true; | |
659 | if (debug != null && D ebug.isOn( "session") ) { | |
660 | System.o ut.println ("%% Inval idated: " + this); | |
661 | } | |
662 | if (context != null) { | |
663 | context. remove(ses sionId); | |
664 | context = null; | |
665 | } | |
666 | } | |
667 | ||
668 | /* | |
669 | * Tab le of appl ication-sp ecific ses sion data indexed by an applic ation | |
670 | * key and the c alling sec urity cont ext. This is importa nt since | |
671 | * ses sions can be shared across dif ferent pro tection do mains. | |
672 | */ | |
673 | privat e Hashtabl e<SecureKe y, Object> table = n ew Hashtab le<>(); | |
674 | ||
675 | /** | |
676 | * Ass igns a ses sion value . Session change ev ents are g iven if | |
677 | * app ropriate, to any ori ginal valu e as well as the new value. | |
678 | */ | |
679 | @Overr ide | |
680 | public void putV alue(Strin g key, Obj ect value) { | |
681 | if ((key == null) || ( value == n ull)) { | |
682 | throw ne w IllegalA rgumentExc eption("ar guments ca n not be n ull"); | |
683 | } | |
684 | ||
685 | Se cureKey se cureKey = new Secure Key(key); | |
686 | Ob ject oldVa lue = tabl e.put(secu reKey, val ue); | |
687 | ||
688 | if (oldValue instanceo f SSLSessi onBindingL istener) { | |
689 | SSLSessi onBindingE vent e; | |
690 | ||
691 | e = new SSLSession BindingEve nt(this, k ey); | |
692 | ((SSLSes sionBindin gListener) oldValue). valueUnbou nd(e); | |
693 | } | |
694 | if (value in stanceof S SLSessionB indingList ener) { | |
695 | SSLSessi onBindingE vent e; | |
696 | ||
697 | e = new SSLSession BindingEve nt(this, k ey); | |
698 | ((SSLSes sionBindin gListener) value).val ueBound(e) ; | |
699 | } | |
700 | } | |
701 | ||
702 | ||
703 | /** | |
704 | * Ret urns the s pecified s ession val ue. | |
705 | */ | |
706 | @Overr ide | |
707 | public Object ge tValue(Str ing key) { | |
708 | if (key == n ull) { | |
709 | throw ne w IllegalA rgumentExc eption("ar gument can not be nu ll"); | |
710 | } | |
711 | ||
712 | Se cureKey se cureKey = new Secure Key(key); | |
713 | re turn table .get(secur eKey); | |
714 | } | |
715 | ||
716 | ||
717 | /** | |
718 | * Rem oves the s pecified s ession val ue, delive ring a ses sion chang ed | |
719 | * eve nt as appr opriate. | |
720 | */ | |
721 | @Overr ide | |
722 | public void remo veValue(St ring key) { | |
723 | if (key == n ull) { | |
724 | throw ne w IllegalA rgumentExc eption("ar gument can not be nu ll"); | |
725 | } | |
726 | ||
727 | Se cureKey se cureKey = new Secure Key(key); | |
728 | Ob ject value = table.r emove(secu reKey); | |
729 | ||
730 | if (value in stanceof S SLSessionB indingList ener) { | |
731 | SSLSessi onBindingE vent e; | |
732 | ||
733 | e = new SSLSession BindingEve nt(this, k ey); | |
734 | ((SSLSes sionBindin gListener) value).val ueUnbound( e); | |
735 | } | |
736 | } | |
737 | ||
738 | ||
739 | /** | |
740 | * Lis ts the nam es of the session va lues. | |
741 | */ | |
742 | @Overr ide | |
743 | public String[] getValueNa mes() { | |
744 | En umeration< SecureKey> e; | |
745 | Ve ctor<Objec t> v = new Vector<>( ); | |
746 | Se cureKey ke y; | |
747 | Ob ject secur ityCtx = S ecureKey.g etCurrentS ecurityCon text(); | |
748 | ||
749 | fo r (e = tab le.keys(); e.hasMore Elements() ; ) { | |
750 | key = e. nextElemen t(); | |
751 | ||
752 | if (secu rityCtx.eq uals(key.g etSecurity Context()) ) { | |
753 | v.ad dElement(k ey.getAppK ey()); | |
754 | } | |
755 | } | |
756 | St ring[] nam es = new S tring[v.si ze()]; | |
757 | v. copyInto(n ames); | |
758 | ||
759 | re turn names ; | |
760 | } | |
761 | ||
762 | /** | |
763 | * Use large pac ket sizes now or fol low RFC 22 46 packet sizes (2^1 4) | |
764 | * unt il changed . | |
765 | * | |
766 | * In the TLS sp ecificatio n (section 6.2.1, RF C2246), it is not | |
767 | * rec ommended t hat the pl aintext ha s more tha n 2^14 byt es. | |
768 | * How ever, some TLS imple mentations violate t he specifi cation. | |
769 | * Thi s is a wor karound fo r interope rability w ith these stacks. | |
770 | * | |
771 | * App lication c ould accep t large fr agments up to 2^15 b ytes by | |
772 | * set ting the s ystem prop erty jsse. SSLEngine. acceptLarg eFragments | |
773 | * to "true". | |
774 | */ | |
775 | privat e boolean acceptLarg eFragments = | |
776 | De bug.getBoo leanProper ty("jsse.S SLEngine.a cceptLarge Fragments" , false); | |
777 | ||
778 | /** | |
779 | * Exp and the bu ffer size of both SS L/TLS netw ork packet and | |
780 | * app lication d ata. | |
781 | */ | |
782 | protec ted synchr onized voi d expandBu fferSizes( ) { | |
783 | ac ceptLargeF ragments = true; | |
784 | } | |
785 | ||
786 | /** | |
787 | * Get s the curr ent size o f the larg est SSL/TL S packet t hat is exp ected | |
788 | * whe n using th is session . | |
789 | */ | |
790 | @Overr ide | |
791 | public synchroni zed int ge tPacketBuf ferSize() { | |
792 | re turn accep tLargeFrag ments ? | |
793 | Reco rd.maxLarg eRecordSiz e : Record .maxRecord Size; | |
794 | } | |
795 | ||
796 | /** | |
797 | * Get s the curr ent size o f the larg est applic ation data that is | |
798 | * exp ected when using thi s session. | |
799 | */ | |
800 | @Overr ide | |
801 | public synchroni zed int ge tApplicati onBufferSi ze() { | |
802 | re turn getPa cketBuffer Size() - R ecord.head erSize; | |
803 | } | |
804 | ||
805 | /** | |
806 | * Get s an array of suppor ted signat ure algori thms that the local side is | |
807 | * wil ling to ve rify. | |
808 | */ | |
809 | @Overr ide | |
810 | public String[] getLocalSu pportedSig natureAlgo rithms() { | |
811 | if (localSup portedSign Algs != nu ll) { | |
812 | return l ocalSuppor tedSignAlg s.clone(); | |
813 | } | |
814 | ||
815 | re turn new S tring[0]; | |
816 | } | |
817 | ||
818 | /** | |
819 | * Get s an array of suppor ted signat ure algori thms that the peer i s | |
820 | * abl e to verif y. | |
821 | */ | |
822 | @Overr ide | |
823 | public String[] getPeerSup portedSign atureAlgor ithms() { | |
824 | if (peerSupp ortedSignA lgs != nul l) { | |
825 | return p eerSupport edSignAlgs .clone(); | |
826 | } | |
827 | ||
828 | re turn new S tring[0]; | |
829 | } | |
830 | ||
831 | /** | |
832 | * Obt ains a <co de>List</c ode> conta ining all {@link SNI ServerName }s | |
833 | * of the reques ted Server Name Indi cation (SN I) extensi on. | |
834 | */ | |
835 | @Overr ide | |
836 | public List<SNIS erverName> getReques tedServerN ames() { | |
837 | if (requeste dServerNam es != null && !reque stedServer Names.isEm pty()) { | |
838 | return C ollections .<SNIServe rName>unmo difiableLi st( | |
839 | re questedSer verNames); | |
840 | } | |
841 | ||
842 | re turn Colle ctions.<SN IServerNam e>emptyLis t(); | |
843 | } | |
844 | ||
845 | /** Re turns a st ring repre sentation of this SS L session */ | |
846 | @Overr ide | |
847 | public String to String() { | |
848 | re turn "[Ses sion-" + s essionCoun t | |
849 | + ", " + getCipher Suite() | |
850 | + "]"; | |
851 | } | |
852 | ||
853 | /** | |
854 | * Whe n SSL sess ions are f inalized, all values bound to | |
855 | * the m are remo ved. | |
856 | */ | |
857 | @Overr ide | |
858 | protec ted void f inalize() throws Thr owable { | |
859 | St ring[] nam es = getVa lueNames() ; | |
860 | fo r (int i = 0; i < na mes.length ; i++) { | |
861 | removeVa lue(names[ i]); | |
862 | } | |
863 | } | |
864 | } | |
865 | ||
866 | ||
867 | /** | |
868 | * This "s truct" cla ss serves as a Hash Key that c ombines an | |
869 | * applica tion-speci fic key an d a securi ty context . | |
870 | */ | |
871 | class Secu reKey { | |
872 | privat e static O bject nullObje ct = new O bject(); | |
873 | privat e Object appK ey; | |
874 | privat e Object securi tyCtx; | |
875 | ||
876 | static Object ge tCurrentSe curityCont ext() { | |
877 | Se curityMana ger sm = S ystem.getS ecurityMan ager(); | |
878 | Ob ject conte xt = null; | |
879 | ||
880 | if (sm != nu ll) | |
881 | context = sm.getSe curityCont ext(); | |
882 | if (context == null) | |
883 | context = nullObje ct; | |
884 | re turn conte xt; | |
885 | } | |
886 | ||
887 | Secure Key(Object key) { | |
888 | th is.appKey = key; | |
889 | th is.securit yCtx = get CurrentSec urityConte xt(); | |
890 | } | |
891 | ||
892 | Object getAppKey () { | |
893 | re turn appKe y; | |
894 | } | |
895 | ||
896 | Object getSecuri tyContext( ) { | |
897 | re turn secur ityCtx; | |
898 | } | |
899 | ||
900 | @Overr ide | |
901 | public int hashC ode() { | |
902 | re turn appKe y.hashCode () ^ secur ityCtx.has hCode(); | |
903 | } | |
904 | ||
905 | @Overr ide | |
906 | public boolean e quals(Obje ct o) { | |
907 | re turn o ins tanceof Se cureKey && ((SecureK ey)o).appK ey.equals( appKey) | |
908 | && ((S ecureKey)o ).security Ctx.equals (securityC tx); | |
909 | } | |
910 | } |
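Review bot: The parameter name `PW` in `setMasterSecret(SecretKey PW)` and the Javadoc `Returns the master PW ... treat with extreme caution!` above `getMasterSecret()` mislabel the value: what is stored in `masterSecret` is the session's master secret key, not a password, so the wording understates what that accessor hands out. The report does not mark which lines differ between the two files, so these are presumably the changed ones. I would keep the identifier and the comment aligned with the field, e.g. `void setMasterSecret(SecretKey secret)` and `Returns the master secret ... treat with extreme caution!`. Separately, the second-call branch throws a bare `RuntimeException("setMasterSecret() error")`; `throw new IllegalStateException("master secret already set");` would state the write-once contract and is still a `RuntimeException` for existing callers.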