Java SSL类代码示例

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
/**
 * Creates a new instance
 *
 * @param sslCtx an OpenSSL {@code SSL_CTX} object
 * @param alloc the {@link ByteBufAllocator} that will be used by this engine
 * @param clientMode {@code true} if this is used for clients, {@code false} otherwise
 * @param sessionContext the {@link OpenSslSessionContext} this {@link SSLEngine} belongs to.
 */
OpenSslEngine(long sslCtx, ByteBufAllocator alloc, String fallbackApplicationProtocol,
              boolean clientMode, OpenSslSessionContext sessionContext, OpenSslEngineMap engineMap) {
    OpenSsl.ensureAvailability();
    if (sslCtx == 0) {
        throw new NullPointerException("sslCtx");
    }

    this.alloc = ObjectUtil.checkNotNull(alloc, "alloc");
    ssl = SSL.newSSL(sslCtx, !clientMode);
    networkBIO = SSL.makeNetworkBIO(ssl);
    this.fallbackApplicationProtocol = fallbackApplicationProtocol;
    this.clientMode = clientMode;
    this.sessionContext = sessionContext;
    this.engineMap = engineMap;
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
@Override
public synchronized void closeOutbound() {
    if (isOutboundDone) {
        return;
    }

    isOutboundDone = true;
    engineClosed = true;

    if (accepted != 0 && destroyed == 0) {
        int mode = SSL.getShutdown(ssl);
        if ((mode & SSL.SSL_SENT_SHUTDOWN) != SSL.SSL_SENT_SHUTDOWN) {
            SSL.shutdownSSL(ssl);
        }
    } else {
        // engine closing before initial handshake
        shutdown();
    }
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
private void handshake() throws SSLException {
    int code = SSL.doHandshake(ssl);
    if (code <= 0) {
        // Check for OpenSSL errors caused by the handshake
        long error = SSL.getLastErrorNumber();
        if (OpenSsl.isError(error)) {
            String err = SSL.getErrorString(error);
            if (logger.isDebugEnabled()) {
                logger.debug(
                        "SSL_do_handshake failed: OpenSSL error: '" + err + '\'');
            }

            // There was an internal error -- shutdown
            shutdown();
            throw new SSLException(err);
        }
    } else {
        // if SSL_do_handshake returns > 0 it means the handshake was finished. This means we can update
        // handshakeFinished directly and so eliminate uncessary calls to SSL.isInInit(...)
        handshakeFinished = true;
    }
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
private void setClientAuth(ClientAuthMode mode) {
    if (clientMode) {
        return;
    }
    synchronized (this) {
        if (clientAuth == mode) {
            // No need to issue any JNI calls if the mode is the same
            return;
        }
        switch (mode) {
            case NONE:
                SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, OpenSslContext.VERIFY_DEPTH);
                break;
            case REQUIRE:
                SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRE, OpenSslContext.VERIFY_DEPTH);
                break;
            case OPTIONAL:
                SSL.setVerify(ssl, SSL.SSL_CVERIFY_OPTIONAL, OpenSslContext.VERIFY_DEPTH);
                break;
        }
        clientAuth = mode;
    }
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
    // these are lazy created to reduce memory overhead
    X509Certificate[] c = x509PeerCerts;
    if (c == null) {
        if (SSL.isInInit(ssl) != 0) {
            throw new SSLPeerUnverifiedException("peer not verified");
        }
        byte[][] chain = SSL.getPeerCertChain(ssl);
        if (chain == null) {
            throw new SSLPeerUnverifiedException("peer not verified");
        }
        X509Certificate[] peerCerts = new X509Certificate[chain.length];
        for (int i = 0; i < peerCerts.length; i++) {
            try {
                peerCerts[i] = X509Certificate.getInstance(chain[i]);
            } catch (CertificateException e) {
                throw new IllegalStateException(e);
            }
        }
        c = x509PeerCerts = peerCerts;
    }
    return c;
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
@Override
public String getProtocol() {
    String applicationProtocol = OpenSslEngine.this.applicationProtocol;
    if (applicationProtocol == null) {
        applicationProtocol = SSL.getNextProtoNegotiated(ssl);
        if (applicationProtocol == null) {
            applicationProtocol = fallbackApplicationProtocol;
        }
        if (applicationProtocol != null) {
            OpenSslEngine.this.applicationProtocol = applicationProtocol.replace(':', '_');
        } else {
            OpenSslEngine.this.applicationProtocol = applicationProtocol = "";
        }
    }
    String version = SSL.getVersion(ssl);
    if (applicationProtocol.isEmpty()) {
        return version;
    } else {
        return version + ':' + applicationProtocol;
    }
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
/**
 * Process the specified connection.
 */
protected boolean setSocketOptions(long socket) {
    // Process the connection
    int step = 1;
    try {

        // 1: Set socket options: timeout, linger, etc
        if (socketProperties.getSoLingerOn() && socketProperties.getSoLingerTime() >= 0)
            Socket.optSet(socket, Socket.APR_SO_LINGER, socketProperties.getSoLingerTime());
        if (socketProperties.getTcpNoDelay())
            Socket.optSet(socket, Socket.APR_TCP_NODELAY, (socketProperties.getTcpNoDelay() ? 1 : 0));
        Socket.timeoutSet(socket, socketProperties.getSoTimeout() * 1000);

        // 2: SSL handshake
        step = 2;
        if (sslContext != 0) {
            SSLSocket.attach(sslContext, socket);
            if (SSLSocket.handshake(socket) != 0) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("endpoint.err.handshake") + ": " + SSL.getLastError());
                }
                return false;
            }
        }

    } catch (Throwable t) {
        ExceptionUtils.handleThrowable(t);
        if (log.isDebugEnabled()) {
            if (step == 2) {
                log.debug(sm.getString("endpoint.err.handshake"), t);
            } else {
                log.debug(sm.getString("endpoint.err.unexpected"), t);
            }
        }
        // Tell to close the socket
        return false;
    }
    return true;
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
/**
 * Process the specified connection.
 */
protected boolean setSocketOptions(long socket) {
    // Process the connection
    int step = 1;
    try {

        // 1: Set socket options: timeout, linger, etc
        if (soLinger >= 0)
            Socket.optSet(socket, Socket.APR_SO_LINGER, soLinger);
        if (tcpNoDelay)
            Socket.optSet(socket, Socket.APR_TCP_NODELAY, (tcpNoDelay ? 1 : 0));
        if (soTimeout > 0)
            Socket.timeoutSet(socket, soTimeout * 1000);

        // 2: SSL handshake
        step = 2;
        if (sslContext != 0) {
            SSLSocket.attach(sslContext, socket);
            if (SSLSocket.handshake(socket) != 0) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("endpoint.err.handshake") + ": " + SSL.getLastError());
                }
                return false;
            }
        }

    } catch (Throwable t) {
        if (log.isDebugEnabled()) {
            if (step == 2) {
                log.debug(sm.getString("endpoint.err.handshake"), t);
            } else {
                log.debug(sm.getString("endpoint.err.unexpected"), t);
            }
        }
        // Tell to close the socket
        return false;
    }
    return true;
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
/**
 * Process the specified connection.
 */
protected boolean setSocketOptions(long socket) {
	// Process the connection
	int step = 1;
	try {

		// 1: Set socket options: timeout, linger, etc
		if (socketProperties.getSoLingerOn() && socketProperties.getSoLingerTime() >= 0)
			Socket.optSet(socket, Socket.APR_SO_LINGER, socketProperties.getSoLingerTime());
		if (socketProperties.getTcpNoDelay())
			Socket.optSet(socket, Socket.APR_TCP_NODELAY, (socketProperties.getTcpNoDelay() ? 1 : 0));
		Socket.timeoutSet(socket, socketProperties.getSoTimeout() * 1000);

		// 2: SSL handshake
		step = 2;
		if (sslContext != 0) {
			SSLSocket.attach(sslContext, socket);
			if (SSLSocket.handshake(socket) != 0) {
				if (log.isDebugEnabled()) {
					log.debug(sm.getString("endpoint.err.handshake") + ": " + SSL.getLastError());
				}
				return false;
			}
		}

	} catch (Throwable t) {
		ExceptionUtils.handleThrowable(t);
		if (log.isDebugEnabled()) {
			if (step == 2) {
				log.debug(sm.getString("endpoint.err.handshake"), t);
			} else {
				log.debug(sm.getString("endpoint.err.unexpected"), t);
			}
		}
		// Tell to close the socket
		return false;
	}
	return true;
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
/**
 * Destroys this engine.
 */
public synchronized void shutdown() {
    if (DESTROYED_UPDATER.compareAndSet(this, 0, 1)) {
        engineMap.remove(ssl);
        SSL.freeSSL(ssl);
        SSL.freeBIO(networkBIO);
        ssl = networkBIO = 0;

        // internal errors can cause shutdown without marking the engine closed
        isInboundDone = isOutboundDone = engineClosed = true;
    }
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
@Override
public String[] getEnabledCipherSuites() {
    String[] enabled = SSL.getCiphers(ssl);
    if (enabled == null) {
        return EmptyArrays.EMPTY_STRINGS;
    } else {
        for (int i = 0; i < enabled.length; i++) {
            String mapped = toJavaCipherSuite(enabled[i]);
            if (mapped != null) {
                enabled[i] = mapped;
            }
        }
        return enabled;
    }
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
@Override
public void setEnabledCipherSuites(String[] cipherSuites) {
    ObjectUtil.checkNotNull(cipherSuites, "cipherSuites");

    final StringBuilder buf = new StringBuilder();
    for (String c: cipherSuites) {
        if (c == null) {
            break;
        }

        String converted = CipherSuiteConverter.toOpenSsl(c);
        if (converted == null) {
            converted = c;
        }

        if (!OpenSsl.isCipherSuiteAvailable(converted)) {
            throw new IllegalArgumentException("unsupported cipher suite: " + c + '(' + converted + ')');
        }

        buf.append(converted);
        buf.append(':');
    }

    if (buf.length() == 0) {
        throw new IllegalArgumentException("empty cipher suites");
    }
    buf.setLength(buf.length() - 1);

    final String cipherSuiteSpec = buf.toString();
    try {
        SSL.setCipherSuites(ssl, cipherSuiteSpec);
    } catch (Exception e) {
        throw new IllegalStateException("failed to enable cipher suites: " + cipherSuiteSpec, e);
    }
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
@Override
public String[] getEnabledProtocols() {
    List<String> enabled = new ArrayList<String>();
    // Seems like there is no way to explict disable SSLv2Hello in openssl so it is always enabled
    enabled.add(PROTOCOL_SSL_V2_HELLO);
    int opts = SSL.getOptions(ssl);
    if ((opts & SSL.SSL_OP_NO_TLSv1) == 0) {
        enabled.add(PROTOCOL_TLS_V1);
    }
    if ((opts & SSL.SSL_OP_NO_TLSv1_1) == 0) {
        enabled.add(PROTOCOL_TLS_V1_1);
    }
    if ((opts & SSL.SSL_OP_NO_TLSv1_2) == 0) {
        enabled.add(PROTOCOL_TLS_V1_2);
    }
    if ((opts & SSL.SSL_OP_NO_SSLv2) == 0) {
        enabled.add(PROTOCOL_SSL_V2);
    }
    if ((opts & SSL.SSL_OP_NO_SSLv3) == 0) {
        enabled.add(PROTOCOL_SSL_V3);
    }
    int size = enabled.size();
    if (size == 0) {
        return EmptyArrays.EMPTY_STRINGS;
    } else {
        return enabled.toArray(new String[size]);
    }
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
@Override
public synchronized SSLEngineResult.HandshakeStatus getHandshakeStatus() {
    if (accepted == 0 || destroyed != 0) {
        return NOT_HANDSHAKING;
    }

    // Check if we are in the initial handshake phase
    if (!handshakeFinished) {
        // There is pending data in the network BIO -- call wrap
        if (SSL.pendingWrittenBytesInBIO(networkBIO) != 0) {
            return NEED_WRAP;
        }

        // No pending data to be sent to the peer
        // Check to see if we have finished handshaking
        if (SSL.isInInit(ssl) == 0) {
            handshakeFinished = true;
            return FINISHED;
        }

        // No pending data and still handshaking
        // Must be waiting on the peer to send more data
        return NEED_UNWRAP;
    }

    // Check if we are in the shutdown phase
    if (engineClosed) {
        // Waiting to send the close_notify message
        if (SSL.pendingWrittenBytesInBIO(networkBIO) != 0) {
            return NEED_WRAP;
        }

        // Must be waiting to receive the close_notify message
        return NEED_UNWRAP;
    }

    return NOT_HANDSHAKING;
}
 

import org.apache.tomcat.jni.SSL; //导入依赖的package包/类
/**
 * Converts the specified OpenSSL cipher suite to the Java cipher suite.
 */
private String toJavaCipherSuite(String openSslCipherSuite) {
    if (openSslCipherSuite == null) {
        return null;
    }

    String prefix = toJavaCipherSuitePrefix(SSL.getVersion(ssl));
    return CipherSuiteConverter.toJava(openSslCipherSuite, prefix);
}