1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
|
/*
* Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package javax.net.ssl;
import java.security.*;
import java.util.*;
import sun.security.jca.GetInstance;
/**
* Instances of this class represent a secure socket protocol
* implementation which acts as a factory for secure socket
* factories or <code>SSLEngine</code>s. This class is initialized
* with an optional set of key and trust managers and source of
* secure random bytes.
*
* <p> Android provides the following <code>SSLContext</code> protocols:
* <table>
* <thead>
* <tr>
* <th>Algorithm</th>
* <th>Supported API Levels</th>
* </tr>
* </thead>
* <tbody>
* <tr>
* <td>Default</td>
* <td>10+</td>
* </tr>
* <tr>
* <td>SSL</td>
* <td>10+</td>
* </tr>
* <tr class="deprecated">
* <td>SSLv3</td>
* <td>10-25</td>
* </tr>
* <tr>
* <td>TLS</td>
* <td>1+</td>
* </tr>
* <tr>
* <td>TLSv1</td>
* <td>10+</td>
* </tr>
* <tr>
* <td>TLSv1.1</td>
* <td>16+</td>
* </tr>
* <tr>
* <td>TLSv1.2</td>
* <td>16+</td>
* </tr>
* <tr>
* <td>TLSv1.3</td>
* <td>29+</td>
* </tr>
* </tbody>
* </table>
*
* This protocol is described in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#SSLContext">
* SSLContext section</a> of the
* Java Cryptography Architecture Standard Algorithm Name Documentation.
*
* @since 1.4
*/
public class SSLContext {
private final Provider provider;
private final SSLContextSpi contextSpi;
private final String protocol;
/**
* Creates an SSLContext object.
*
* @param contextSpi the delegate
* @param provider the provider
* @param protocol the protocol
*/
protected SSLContext(SSLContextSpi contextSpi, Provider provider,
String protocol) {
this.contextSpi = contextSpi;
this.provider = provider;
this.protocol = protocol;
}
private static SSLContext defaultContext;
/**
* Returns the default SSL context.
*
* <p>If a default context was set using the {@link #setDefault
* SSLContext.setDefault()} method, it is returned. Otherwise, the first
* call of this method triggers the call
* <code>SSLContext.getInstance("Default")</code>.
* If successful, that object is made the default SSL context and returned.
*
* <p>The default context is immediately
* usable and does not require {@linkplain #init initialization}.
*
* @return the default SSL context
* @throws NoSuchAlgorithmException if the
* {@link SSLContext#getInstance SSLContext.getInstance()} call fails
* @since 1.6
*/
public static synchronized SSLContext getDefault()
throws NoSuchAlgorithmException {
if (defaultContext == null) {
defaultContext = SSLContext.getInstance("Default");
}
return defaultContext;
}
// Android-changed: Additional text to strongly discouraged changing the default.
/**
* Sets the default SSL context. It will be returned by subsequent calls
* to {@link #getDefault}. The default context must be immediately usable
* and not require {@linkplain #init initialization}.
* <p>
* Developers are <em>strongly</em> discouraged from changing the default {@code SSLContext} as
* it is used as the Android default for secure communication by APIs like
* {@link SSLSocketFactory#getDefault()}, {@link SSLServerSocketFactory#getDefault()} and
* {@link HttpsURLConnection}.
*
* @param context the SSLContext
* @throws NullPointerException if context is null
* @throws SecurityException if a security manager exists and its
* <code>checkPermission</code> method does not allow
* <code>SSLPermission("setDefaultSSLContext")</code>
* @since 1.6
*/
public static synchronized void setDefault(SSLContext context) {
if (context == null) {
throw new NullPointerException();
}
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SSLPermission("setDefaultSSLContext"));
}
defaultContext = context;
}
/**
* Returns a <code>SSLContext</code> object that implements the
* specified secure socket protocol.
*
* <p> This method traverses the list of registered security Providers,
* starting with the most preferred Provider.
* A new SSLContext object encapsulating the
* SSLContextSpi implementation from the first
* Provider that supports the specified protocol is returned.
*
* <p> Note that the list of registered providers may be retrieved via
* the {@link Security#getProviders() Security.getProviders()} method.
*
* @param protocol the standard name of the requested protocol.
* See the SSLContext section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#SSLContext">
* Java Cryptography Architecture Standard Algorithm Name
* Documentation</a>
* for information about standard protocol names.
*
* @return the new <code>SSLContext</code> object.
*
* @exception NoSuchAlgorithmException if no Provider supports a
* SSLContextSpi implementation for the
* specified protocol.
* @exception NullPointerException if protocol is null.
*
* @see java.security.Provider
*/
public static SSLContext getInstance(String protocol)
throws NoSuchAlgorithmException {
GetInstance.Instance instance = GetInstance.getInstance
("SSLContext", SSLContextSpi.class, protocol);
return new SSLContext((SSLContextSpi)instance.impl, instance.provider,
protocol);
}
/**
* Returns a <code>SSLContext</code> object that implements the
* specified secure socket protocol.
*
* <p> A new SSLContext object encapsulating the
* SSLContextSpi implementation from the specified provider
* is returned. The specified provider must be registered
* in the security provider list.
*
* <p> Note that the list of registered providers may be retrieved via
* the {@link Security#getProviders() Security.getProviders()} method.
*
* @param protocol the standard name of the requested protocol.
* See the SSLContext section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#SSLContext">
* Java Cryptography Architecture Standard Algorithm Name
* Documentation</a>
* for information about standard protocol names.
*
* @param provider the name of the provider.
*
* @return the new <code>SSLContext</code> object.
*
* @throws NoSuchAlgorithmException if a SSLContextSpi
* implementation for the specified protocol is not
* available from the specified provider.
*
* @throws NoSuchProviderException if the specified provider is not
* registered in the security provider list.
*
* @throws IllegalArgumentException if the provider name is null or empty.
* @throws NullPointerException if protocol is null.
*
* @see java.security.Provider
*/
public static SSLContext getInstance(String protocol, String provider)
throws NoSuchAlgorithmException, NoSuchProviderException {
GetInstance.Instance instance = GetInstance.getInstance
("SSLContext", SSLContextSpi.class, protocol, provider);
return new SSLContext((SSLContextSpi)instance.impl, instance.provider,
protocol);
}
/**
* Returns a <code>SSLContext</code> object that implements the
* specified secure socket protocol.
*
* <p> A new SSLContext object encapsulating the
* SSLContextSpi implementation from the specified Provider
* object is returned. Note that the specified Provider object
* does not have to be registered in the provider list.
*
* @param protocol the standard name of the requested protocol.
* See the SSLContext section in the <a href=
* "{@docRoot}/../technotes/guides/security/StandardNames.html#SSLContext">
* Java Cryptography Architecture Standard Algorithm Name
* Documentation</a>
* for information about standard protocol names.
*
* @param provider an instance of the provider.
*
* @return the new <code>SSLContext</code> object.
*
* @throws NoSuchAlgorithmException if a SSLContextSpi
* implementation for the specified protocol is not available
* from the specified Provider object.
*
* @throws IllegalArgumentException if the provider is null.
* @throws NullPointerException if protocol is null.
*
* @see java.security.Provider
*/
public static SSLContext getInstance(String protocol, Provider provider)
throws NoSuchAlgorithmException {
GetInstance.Instance instance = GetInstance.getInstance
("SSLContext", SSLContextSpi.class, protocol, provider);
return new SSLContext((SSLContextSpi)instance.impl, instance.provider,
protocol);
}
/**
* Returns the protocol name of this <code>SSLContext</code> object.
*
* <p>This is the same name that was specified in one of the
* <code>getInstance</code> calls that created this
* <code>SSLContext</code> object.
*
* @return the protocol name of this <code>SSLContext</code> object.
*/
public final String getProtocol() {
return this.protocol;
}
/**
* Returns the provider of this <code>SSLContext</code> object.
*
* @return the provider of this <code>SSLContext</code> object
*/
public final Provider getProvider() {
return this.provider;
}
/**
* Initializes this context. Either of the first two parameters
* may be null in which case the installed security providers will
* be searched for the highest priority implementation of the
* appropriate factory. Likewise, the secure random parameter may
* be null in which case the default implementation will be used.
* <P>
* Only the first instance of a particular key and/or trust manager
* implementation type in the array is used. (For example, only
* the first javax.net.ssl.X509KeyManager in the array will be used.)
*
* @param km the sources of authentication keys or null
* @param tm the sources of peer authentication trust decisions or null
* @param random the source of randomness for this generator or null
* @throws KeyManagementException if this operation fails
*/
public final void init(KeyManager[] km, TrustManager[] tm,
SecureRandom random)
throws KeyManagementException {
contextSpi.engineInit(km, tm, random);
}
/**
* Returns a <code>SocketFactory</code> object for this
* context.
*
* @return the <code>SocketFactory</code> object
* @throws IllegalStateException if the SSLContextImpl requires
* initialization and the <code>init()</code> has not been called
*/
public final SSLSocketFactory getSocketFactory() {
return contextSpi.engineGetSocketFactory();
}
/**
* Returns a <code>ServerSocketFactory</code> object for
* this context.
*
* @return the <code>ServerSocketFactory</code> object
* @throws IllegalStateException if the SSLContextImpl requires
* initialization and the <code>init()</code> has not been called
*/
public final SSLServerSocketFactory getServerSocketFactory() {
return contextSpi.engineGetServerSocketFactory();
}
/**
* Creates a new <code>SSLEngine</code> using this context.
* <P>
* Applications using this factory method are providing no hints
* for an internal session reuse strategy. If hints are desired,
* {@link #createSSLEngine(String, int)} should be used
* instead.
* <P>
* Some cipher suites (such as Kerberos) require remote hostname
* information, in which case this factory method should not be used.
*
* @return the <code>SSLEngine</code> object
* @throws UnsupportedOperationException if the underlying provider
* does not implement the operation.
* @throws IllegalStateException if the SSLContextImpl requires
* initialization and the <code>init()</code> has not been called
* @since 1.5
*/
public final SSLEngine createSSLEngine() {
try {
return contextSpi.engineCreateSSLEngine();
} catch (AbstractMethodError e) {
UnsupportedOperationException unsup =
new UnsupportedOperationException(
"Provider: " + getProvider() +
" doesn't support this operation");
unsup.initCause(e);
throw unsup;
}
}
/**
* Creates a new <code>SSLEngine</code> using this context using
* advisory peer information.
* <P>
* Applications using this factory method are providing hints
* for an internal session reuse strategy.
* <P>
* Some cipher suites (such as Kerberos) require remote hostname
* information, in which case peerHost needs to be specified.
*
* @param peerHost the non-authoritative name of the host
* @param peerPort the non-authoritative port
* @return the new <code>SSLEngine</code> object
* @throws UnsupportedOperationException if the underlying provider
* does not implement the operation.
* @throws IllegalStateException if the SSLContextImpl requires
* initialization and the <code>init()</code> has not been called
* @since 1.5
*/
public final SSLEngine createSSLEngine(String peerHost, int peerPort) {
try {
return contextSpi.engineCreateSSLEngine(peerHost, peerPort);
} catch (AbstractMethodError e) {
UnsupportedOperationException unsup =
new UnsupportedOperationException(
"Provider: " + getProvider() +
" does not support this operation");
unsup.initCause(e);
throw unsup;
}
}
/**
* Returns the server session context, which represents the set of
* SSL sessions available for use during the handshake phase of
* server-side SSL sockets.
* <P>
* This context may be unavailable in some environments, in which
* case this method returns null. For example, when the underlying
* SSL provider does not provide an implementation of SSLSessionContext
* interface, this method returns null. A non-null session context
* is returned otherwise.
*
* @return server session context bound to this SSL context
*/
public final SSLSessionContext getServerSessionContext() {
return contextSpi.engineGetServerSessionContext();
}
/**
* Returns the client session context, which represents the set of
* SSL sessions available for use during the handshake phase of
* client-side SSL sockets.
* <P>
* This context may be unavailable in some environments, in which
* case this method returns null. For example, when the underlying
* SSL provider does not provide an implementation of SSLSessionContext
* interface, this method returns null. A non-null session context
* is returned otherwise.
*
* @return client session context bound to this SSL context
*/
public final SSLSessionContext getClientSessionContext() {
return contextSpi.engineGetClientSessionContext();
}
/**
* Returns a copy of the SSLParameters indicating the default
* settings for this SSL context.
*
* <p>The parameters will always have the ciphersuites and protocols
* arrays set to non-null values.
*
* @return a copy of the SSLParameters object with the default settings
* @throws UnsupportedOperationException if the default SSL parameters
* could not be obtained.
* @since 1.6
*/
public final SSLParameters getDefaultSSLParameters() {
return contextSpi.engineGetDefaultSSLParameters();
}
/**
* Returns a copy of the SSLParameters indicating the supported
* settings for this SSL context.
*
* <p>The parameters will always have the ciphersuites and protocols
* arrays set to non-null values.
*
* @return a copy of the SSLParameters object with the supported
* settings
* @throws UnsupportedOperationException if the supported SSL parameters
* could not be obtained.
* @since 1.6
*/
public final SSLParameters getSupportedSSLParameters() {
return contextSpi.engineGetSupportedSSLParameters();
}
}
|
