You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
379 lines
14 KiB
379 lines
14 KiB
/*
|
|
* Copyright (c) 2003, 2008, Oracle and/or its affiliates. All rights reserved.
|
|
* ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*
|
|
*/
|
|
|
|
package javax.rmi.ssl;
|
|
|
|
import java.io.IOException;
|
|
import java.net.ServerSocket;
|
|
import java.net.Socket;
|
|
import java.rmi.server.RMIServerSocketFactory;
|
|
import java.util.Arrays;
|
|
import java.util.List;
|
|
import javax.net.ssl.SSLContext;
|
|
import javax.net.ssl.SSLServerSocketFactory;
|
|
import javax.net.ssl.SSLSocket;
|
|
import javax.net.ssl.SSLSocketFactory;
|
|
|
|
/**
|
|
* <p>An <code>SslRMIServerSocketFactory</code> instance is used by the RMI
|
|
* runtime in order to obtain server sockets for RMI calls via SSL.</p>
|
|
*
|
|
* <p>This class implements <code>RMIServerSocketFactory</code> over
|
|
* the Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
|
|
* protocols.</p>
|
|
*
|
|
* <p>This class creates SSL sockets using the default
|
|
* <code>SSLSocketFactory</code> (see {@link
|
|
* SSLSocketFactory#getDefault}) or the default
|
|
* <code>SSLServerSocketFactory</code> (see {@link
|
|
* SSLServerSocketFactory#getDefault}) unless the
|
|
* constructor taking an <code>SSLContext</code> is
|
|
* used in which case the SSL sockets are created using
|
|
* the <code>SSLSocketFactory</code> returned by
|
|
* {@link SSLContext#getSocketFactory} or the
|
|
* <code>SSLServerSocketFactory</code> returned by
|
|
* {@link SSLContext#getServerSocketFactory}.
|
|
*
|
|
* When an <code>SSLContext</code> is not supplied all the instances of this
|
|
* class share the same keystore, and the same truststore (when client
|
|
* authentication is required by the server). This behavior can be modified
|
|
* by supplying an already initialized <code>SSLContext</code> instance.
|
|
*
|
|
* @see javax.net.ssl.SSLSocketFactory
|
|
* @see javax.net.ssl.SSLServerSocketFactory
|
|
* @see javax.rmi.ssl.SslRMIClientSocketFactory
|
|
* @since 1.5
|
|
*/
|
|
public class SslRMIServerSocketFactory implements RMIServerSocketFactory {
|
|
|
|
/**
|
|
* <p>Creates a new <code>SslRMIServerSocketFactory</code> with
|
|
* the default SSL socket configuration.</p>
|
|
*
|
|
* <p>SSL connections accepted by server sockets created by this
|
|
* factory have the default cipher suites and protocol versions
|
|
* enabled and do not require client authentication.</p>
|
|
*/
|
|
public SslRMIServerSocketFactory() {
|
|
this(null, null, false);
|
|
}
|
|
|
|
/**
|
|
* <p>Creates a new <code>SslRMIServerSocketFactory</code> with
|
|
* the specified SSL socket configuration.</p>
|
|
*
|
|
* @param enabledCipherSuites names of all the cipher suites to
|
|
* enable on SSL connections accepted by server sockets created by
|
|
* this factory, or <code>null</code> to use the cipher suites
|
|
* that are enabled by default
|
|
*
|
|
* @param enabledProtocols names of all the protocol versions to
|
|
* enable on SSL connections accepted by server sockets created by
|
|
* this factory, or <code>null</code> to use the protocol versions
|
|
* that are enabled by default
|
|
*
|
|
* @param needClientAuth <code>true</code> to require client
|
|
* authentication on SSL connections accepted by server sockets
|
|
* created by this factory; <code>false</code> to not require
|
|
* client authentication
|
|
*
|
|
* @exception IllegalArgumentException when one or more of the cipher
|
|
* suites named by the <code>enabledCipherSuites</code> parameter is
|
|
* not supported, when one or more of the protocols named by the
|
|
* <code>enabledProtocols</code> parameter is not supported or when
|
|
* a problem is encountered while trying to check if the supplied
|
|
* cipher suites and protocols to be enabled are supported.
|
|
*
|
|
* @see SSLSocket#setEnabledCipherSuites
|
|
* @see SSLSocket#setEnabledProtocols
|
|
* @see SSLSocket#setNeedClientAuth
|
|
*/
|
|
public SslRMIServerSocketFactory(
|
|
String[] enabledCipherSuites,
|
|
String[] enabledProtocols,
|
|
boolean needClientAuth)
|
|
throws IllegalArgumentException {
|
|
this(null, enabledCipherSuites, enabledProtocols, needClientAuth);
|
|
}
|
|
|
|
/**
|
|
* <p>Creates a new <code>SslRMIServerSocketFactory</code> with the
|
|
* specified <code>SSLContext</code> and SSL socket configuration.</p>
|
|
*
|
|
* @param context the SSL context to be used for creating SSL sockets.
|
|
* If <code>context</code> is null the default <code>SSLSocketFactory</code>
|
|
* or the default <code>SSLServerSocketFactory</code> will be used to
|
|
* create SSL sockets. Otherwise, the socket factory returned by
|
|
* <code>SSLContext.getSocketFactory()</code> or
|
|
* <code>SSLContext.getServerSocketFactory()</code> will be used instead.
|
|
*
|
|
* @param enabledCipherSuites names of all the cipher suites to
|
|
* enable on SSL connections accepted by server sockets created by
|
|
* this factory, or <code>null</code> to use the cipher suites
|
|
* that are enabled by default
|
|
*
|
|
* @param enabledProtocols names of all the protocol versions to
|
|
* enable on SSL connections accepted by server sockets created by
|
|
* this factory, or <code>null</code> to use the protocol versions
|
|
* that are enabled by default
|
|
*
|
|
* @param needClientAuth <code>true</code> to require client
|
|
* authentication on SSL connections accepted by server sockets
|
|
* created by this factory; <code>false</code> to not require
|
|
* client authentication
|
|
*
|
|
* @exception IllegalArgumentException when one or more of the cipher
|
|
* suites named by the <code>enabledCipherSuites</code> parameter is
|
|
* not supported, when one or more of the protocols named by the
|
|
* <code>enabledProtocols</code> parameter is not supported or when
|
|
* a problem is encountered while trying to check if the supplied
|
|
* cipher suites and protocols to be enabled are supported.
|
|
*
|
|
* @see SSLSocket#setEnabledCipherSuites
|
|
* @see SSLSocket#setEnabledProtocols
|
|
* @see SSLSocket#setNeedClientAuth
|
|
* @since 1.7
|
|
*/
|
|
public SslRMIServerSocketFactory(
|
|
SSLContext context,
|
|
String[] enabledCipherSuites,
|
|
String[] enabledProtocols,
|
|
boolean needClientAuth)
|
|
throws IllegalArgumentException {
|
|
// Initialize the configuration parameters.
|
|
//
|
|
this.enabledCipherSuites = enabledCipherSuites == null ?
|
|
null : enabledCipherSuites.clone();
|
|
this.enabledProtocols = enabledProtocols == null ?
|
|
null : enabledProtocols.clone();
|
|
this.needClientAuth = needClientAuth;
|
|
|
|
// Force the initialization of the default at construction time,
|
|
// rather than delaying it to the first time createServerSocket()
|
|
// is called.
|
|
//
|
|
this.context = context;
|
|
final SSLSocketFactory sslSocketFactory =
|
|
context == null ?
|
|
getDefaultSSLSocketFactory() : context.getSocketFactory();
|
|
SSLSocket sslSocket = null;
|
|
if (this.enabledCipherSuites != null || this.enabledProtocols != null) {
|
|
try {
|
|
sslSocket = (SSLSocket) sslSocketFactory.createSocket();
|
|
} catch (Exception e) {
|
|
final String msg = "Unable to check if the cipher suites " +
|
|
"and protocols to enable are supported";
|
|
throw (IllegalArgumentException)
|
|
new IllegalArgumentException(msg).initCause(e);
|
|
}
|
|
}
|
|
|
|
// Check if all the cipher suites and protocol versions to enable
|
|
// are supported by the underlying SSL/TLS implementation and if
|
|
// true create lists from arrays.
|
|
//
|
|
if (this.enabledCipherSuites != null) {
|
|
sslSocket.setEnabledCipherSuites(this.enabledCipherSuites);
|
|
enabledCipherSuitesList = Arrays.asList(this.enabledCipherSuites);
|
|
}
|
|
if (this.enabledProtocols != null) {
|
|
sslSocket.setEnabledProtocols(this.enabledProtocols);
|
|
enabledProtocolsList = Arrays.asList(this.enabledProtocols);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* <p>Returns the names of the cipher suites enabled on SSL
|
|
* connections accepted by server sockets created by this factory,
|
|
* or <code>null</code> if this factory uses the cipher suites
|
|
* that are enabled by default.</p>
|
|
*
|
|
* @return an array of cipher suites enabled, or <code>null</code>
|
|
*
|
|
* @see SSLSocket#setEnabledCipherSuites
|
|
*/
|
|
public final String[] getEnabledCipherSuites() {
|
|
return enabledCipherSuites == null ?
|
|
null : enabledCipherSuites.clone();
|
|
}
|
|
|
|
/**
|
|
* <p>Returns the names of the protocol versions enabled on SSL
|
|
* connections accepted by server sockets created by this factory,
|
|
* or <code>null</code> if this factory uses the protocol versions
|
|
* that are enabled by default.</p>
|
|
*
|
|
* @return an array of protocol versions enabled, or
|
|
* <code>null</code>
|
|
*
|
|
* @see SSLSocket#setEnabledProtocols
|
|
*/
|
|
public final String[] getEnabledProtocols() {
|
|
return enabledProtocols == null ?
|
|
null : enabledProtocols.clone();
|
|
}
|
|
|
|
/**
|
|
* <p>Returns <code>true</code> if client authentication is
|
|
* required on SSL connections accepted by server sockets created
|
|
* by this factory.</p>
|
|
*
|
|
* @return <code>true</code> if client authentication is required
|
|
*
|
|
* @see SSLSocket#setNeedClientAuth
|
|
*/
|
|
public final boolean getNeedClientAuth() {
|
|
return needClientAuth;
|
|
}
|
|
|
|
/**
|
|
* <p>Creates a server socket that accepts SSL connections
|
|
* configured according to this factory's SSL socket configuration
|
|
* parameters.</p>
|
|
*/
|
|
public ServerSocket createServerSocket(int port) throws IOException {
|
|
final SSLSocketFactory sslSocketFactory =
|
|
context == null ?
|
|
getDefaultSSLSocketFactory() : context.getSocketFactory();
|
|
return new ServerSocket(port) {
|
|
public Socket accept() throws IOException {
|
|
Socket socket = super.accept();
|
|
SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(
|
|
socket, socket.getInetAddress().getHostName(),
|
|
socket.getPort(), true);
|
|
sslSocket.setUseClientMode(false);
|
|
if (enabledCipherSuites != null) {
|
|
sslSocket.setEnabledCipherSuites(enabledCipherSuites);
|
|
}
|
|
if (enabledProtocols != null) {
|
|
sslSocket.setEnabledProtocols(enabledProtocols);
|
|
}
|
|
sslSocket.setNeedClientAuth(needClientAuth);
|
|
return sslSocket;
|
|
}
|
|
};
|
|
}
|
|
|
|
/**
|
|
* <p>Indicates whether some other object is "equal to" this one.</p>
|
|
*
|
|
* <p>Two <code>SslRMIServerSocketFactory</code> objects are equal
|
|
* if they have been constructed with the same SSL context and
|
|
* SSL socket configuration parameters.</p>
|
|
*
|
|
* <p>A subclass should override this method (as well as
|
|
* {@link #hashCode()}) if it adds instance state that affects
|
|
* equality.</p>
|
|
*/
|
|
public boolean equals(Object obj) {
|
|
if (obj == null) return false;
|
|
if (obj == this) return true;
|
|
if (!(obj instanceof SslRMIServerSocketFactory))
|
|
return false;
|
|
SslRMIServerSocketFactory that = (SslRMIServerSocketFactory) obj;
|
|
return (getClass().equals(that.getClass()) && checkParameters(that));
|
|
}
|
|
|
|
private boolean checkParameters(SslRMIServerSocketFactory that) {
|
|
// SSL context
|
|
//
|
|
if (context == null ? that.context != null : !context.equals(that.context))
|
|
return false;
|
|
|
|
// needClientAuth flag
|
|
//
|
|
if (needClientAuth != that.needClientAuth)
|
|
return false;
|
|
|
|
// enabledCipherSuites
|
|
//
|
|
if ((enabledCipherSuites == null && that.enabledCipherSuites != null) ||
|
|
(enabledCipherSuites != null && that.enabledCipherSuites == null))
|
|
return false;
|
|
if (enabledCipherSuites != null && that.enabledCipherSuites != null) {
|
|
List<String> thatEnabledCipherSuitesList =
|
|
Arrays.asList(that.enabledCipherSuites);
|
|
if (!enabledCipherSuitesList.equals(thatEnabledCipherSuitesList))
|
|
return false;
|
|
}
|
|
|
|
// enabledProtocols
|
|
//
|
|
if ((enabledProtocols == null && that.enabledProtocols != null) ||
|
|
(enabledProtocols != null && that.enabledProtocols == null))
|
|
return false;
|
|
if (enabledProtocols != null && that.enabledProtocols != null) {
|
|
List<String> thatEnabledProtocolsList =
|
|
Arrays.asList(that.enabledProtocols);
|
|
if (!enabledProtocolsList.equals(thatEnabledProtocolsList))
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* <p>Returns a hash code value for this
|
|
* <code>SslRMIServerSocketFactory</code>.</p>
|
|
*
|
|
* @return a hash code value for this
|
|
* <code>SslRMIServerSocketFactory</code>.
|
|
*/
|
|
public int hashCode() {
|
|
return getClass().hashCode() +
|
|
(context == null ? 0 : context.hashCode()) +
|
|
(needClientAuth ? Boolean.TRUE.hashCode() : Boolean.FALSE.hashCode()) +
|
|
(enabledCipherSuites == null ? 0 : enabledCipherSuitesList.hashCode()) +
|
|
(enabledProtocols == null ? 0 : enabledProtocolsList.hashCode());
|
|
}
|
|
|
|
// We use a static field because:
|
|
//
|
|
// SSLSocketFactory.getDefault() always returns the same object
|
|
// (at least on Sun's implementation), and we want to make sure
|
|
// that the Javadoc & the implementation stay in sync.
|
|
//
|
|
// If someone needs to have different SslRMIServerSocketFactory
|
|
// factories with different underlying SSLSocketFactory objects
|
|
// using different keystores and truststores, he/she can always
|
|
// use the constructor that takes an SSLContext as input.
|
|
//
|
|
private static SSLSocketFactory defaultSSLSocketFactory = null;
|
|
|
|
private static synchronized SSLSocketFactory getDefaultSSLSocketFactory() {
|
|
if (defaultSSLSocketFactory == null)
|
|
defaultSSLSocketFactory =
|
|
(SSLSocketFactory) SSLSocketFactory.getDefault();
|
|
return defaultSSLSocketFactory;
|
|
}
|
|
|
|
private final String[] enabledCipherSuites;
|
|
private final String[] enabledProtocols;
|
|
private final boolean needClientAuth;
|
|
private List<String> enabledCipherSuitesList;
|
|
private List<String> enabledProtocolsList;
|
|
private SSLContext context;
|
|
}
|