/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.ssl;
import sun.security.action.GetPropertyAction;
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.*;
Models a service that provides support for a particular client key exchange
mode. Currently used to implement Kerberos-related cipher suites.
Since: 9
/**
* Models a service that provides support for a particular client key exchange
* mode. Currently used to implement Kerberos-related cipher suites.
*
* @since 9
*/
public interface ClientKeyExchangeService {
static class Loader {
private static final Map<String,ClientKeyExchangeService>
providers = new HashMap<>();
static {
String path = GetPropertyAction.privilegedGetProperty("java.home");
ServiceLoader<ClientKeyExchangeService> sc =
AccessController.doPrivileged(
(PrivilegedAction<ServiceLoader<ClientKeyExchangeService>>)
() -> ServiceLoader.loadInstalled(ClientKeyExchangeService.class),
null,
new FilePermission(new File(path, "-").toString(), "read"));
Iterator<ClientKeyExchangeService> iter = sc.iterator();
while (iter.hasNext()) {
ClientKeyExchangeService cs = iter.next();
for (String ex: cs.supported()) {
providers.put(ex, cs);
}
}
}
}
public static ClientKeyExchangeService find(String ex) {
return Loader.providers.get(ex);
}
Returns the supported key exchange modes by this provider.
Returns: the supported key exchange modes
/**
* Returns the supported key exchange modes by this provider.
* @return the supported key exchange modes
*/
String[] supported();
Returns a generalized credential object on the server side. The server
side can use the info to determine if a cipher suite can be enabled.
Params: - acc – the AccessControlContext of the SSL session
Returns: the credential object
/**
* Returns a generalized credential object on the server side. The server
* side can use the info to determine if a cipher suite can be enabled.
* @param acc the AccessControlContext of the SSL session
* @return the credential object
*/
Object getServiceCreds(AccessControlContext acc);
Returns the host name for a service principal. The info can be used in
SNI or host name verifier.
Params: - principal – the principal of a service
Returns: the string formed host name
/**
* Returns the host name for a service principal. The info can be used in
* SNI or host name verifier.
* @param principal the principal of a service
* @return the string formed host name
*/
String getServiceHostName(Principal principal);
Returns whether the specified principal is related to the current
SSLSession. The info can be used to verify a SSL resume.
Params: - isClient – if true called from client side, otherwise from server
- acc – the AccessControlContext of the SSL session
- p – the specified principal
Returns: true if related
/**
* Returns whether the specified principal is related to the current
* SSLSession. The info can be used to verify a SSL resume.
* @param isClient if true called from client side, otherwise from server
* @param acc the AccessControlContext of the SSL session
* @param p the specified principal
* @return true if related
*/
boolean isRelated(boolean isClient, AccessControlContext acc, Principal p);
Creates the ClientKeyExchange object on the client side.
Params: - serverName – the intented peer name
- acc – the AccessControlContext of the SSL session
- protocolVersion – the TLS protocol version
- rand – the SecureRandom that will used to generate the premaster
Throws: - IOException – if there is an error
Returns: the new Exchanger object
/**
* Creates the ClientKeyExchange object on the client side.
* @param serverName the intented peer name
* @param acc the AccessControlContext of the SSL session
* @param protocolVersion the TLS protocol version
* @param rand the SecureRandom that will used to generate the premaster
* @return the new Exchanger object
* @throws IOException if there is an error
*/
ClientKeyExchange createClientExchange(String serverName, AccessControlContext acc,
ProtocolVersion protocolVersion, SecureRandom rand) throws IOException;
Create the ClientKeyExchange on the server side.
Params: - protocolVersion – the protocol version
- clientVersion – the input protocol version
- rand – a SecureRandom object used to generate premaster
(if the server has to create one)
- encodedTicket – the ticket from client
- encrypted – the encrypted premaster secret from client
- acc – the AccessControlContext of the SSL session
- ServiceCreds – the service side credentials object as retrived from
getServiceCreds
Throws: - IOException – if there is an error
Returns: the new Exchanger object
/**
* Create the ClientKeyExchange on the server side.
* @param protocolVersion the protocol version
* @param clientVersion the input protocol version
* @param rand a SecureRandom object used to generate premaster
* (if the server has to create one)
* @param encodedTicket the ticket from client
* @param encrypted the encrypted premaster secret from client
* @param acc the AccessControlContext of the SSL session
* @param ServiceCreds the service side credentials object as retrived from
* {@link #getServiceCreds}
* @return the new Exchanger object
* @throws IOException if there is an error
*/
ClientKeyExchange createServerExchange(
ProtocolVersion protocolVersion, ProtocolVersion clientVersion,
SecureRandom rand, byte[] encodedTicket, byte[] encrypted,
AccessControlContext acc, Object ServiceCreds) throws IOException;
}