public class SSLServerContext extends SSLClientContext implements java.lang.Cloneable
Note that there is a separate document about the iSaSiLk authentication framework, see your installation directory.
An SSLServerContext is used on the server side to tell iSaSiLk the TLS security parameters like cipher suites, keys and certificates to be used.

After having created an SSLServerContext, you may set cipher suites, server credentials, trusted certificates (to check client certificates) and any other parameters you may require for your server configuration, e.g.:

    // create server context
    SSLServerContext serverContext = new SSLServerContext();
    // key and certificate of the server
    PrivateKey serverKey = ...;
    X509Certificate[] serverCertChain = ...;
    serverContext.addServerCredentials(serverCertChain, serverKey);
    // add some trust anchor(s)
    X509Certificate trustAnchor = ...;
    serverContext.addTrustedCertificate(trustAnchor);
    // in this example we assume that we want to use RSA for authentication and key exchange
    CipherSuite[] cipherSuites = CipherSuite.CS_RSA;
    serverContext.setEnabledCipherSuites(cipherSuites);
    serverContext.updateCipherSuites();
    ...

If you want to use TLS extensions you can set them as ExtensionList, e.g. (for using the server_name extension):

    ServerNameList serverNameList = new ServerNameList();
    // add to ExtensionList
    ExtensionList extensions = new ExtensionList();
    extensions.addExtension(serverNameList);
    // set extensions for the SSLServerContext configuration:
    serverContext.setExtensions(extensions);

Finally, when having finished your configuration, set your SSLServerContext for the SSLTransport implementation you are using. Most commonly you will use an SSLServerSocket to listen on and accept client connection requests, e.g.:

    // the port on which the server is listening
    int serverPort = 443;
    // create SSLServerSocket
    SSLServerSocket serverSocket = new SSLServerSocket(serverPort, serverContext);
    // print debug info to System.out
    serverSocket.setDebugStream(System.out);
    // wait for and accept client requests
    while (true) {
      try {
        SSLSocket socket = (SSLSocket)serverSocket.accept();
        ...
      } catch (IOException e) {
        e.printStackTrace(System.out);
      }
    }
See also: SSLContext, SSLServerSocket
Modifier and Type | Field and Description |
---|---|
static CipherSuite[] | anon: Deprecated. use CipherSuite.CS_DH_ANON instead |
static CipherSuite[] | dh_dss: Deprecated. use CipherSuite.CS_DH_DSS instead |
static CipherSuite[] | dh_rsa: Deprecated. use CipherSuite.CS_DH_RSA instead |
static CipherSuite[] | dhe_dss: Deprecated. use CipherSuite.CS_DHE_DSS instead |
static CipherSuite[] | dhe_rsa: Deprecated. use CipherSuite.CS_DHE_RSA instead |
static CipherSuite[] | rsa: Deprecated. use CipherSuite.CS_RSA instead |
static CipherSuite[] | rsa_export: Deprecated. use CipherSuite.CS_RSA_EXPORT instead |
AVAIL_MODE_DECRYPTED, AVAIL_MODE_ENCRYPTED, AVAIL_MODE_ONE_BYTE, CERTTYPE_DSS_FIXED_DH, CERTTYPE_DSS_SIGN, CERTTYPE_ECDSA_EC, CERTTYPE_ECDSA_FIXED_ECDH, CERTTYPE_ECDSA_SIGN, CERTTYPE_RSA_ENCRYPT, CERTTYPE_RSA_FIXED_DH, CERTTYPE_RSA_FIXED_ECDH, CERTTYPE_RSA_SIGN, CERTTYPE_UNKNOWN, LIBRARY_VERSION, LIBRARY_VERSION_STRING, SEND_EMPTY_FRAGMENT, VERSION_NOT_CONNECTED, VERSION_SSL20, VERSION_SSL30, VERSION_TLS10, VERSION_TLS11, VERSION_TLS12, VERSION_TLS13
Constructor and Description |
---|
SSLServerContext(): Create a default SSLServerContext. |
SSLServerContext(CipherSuiteList cipherSuiteList): Create an SSLServerContext with the given cipher suite list. |
SSLServerContext(java.security.SecureRandom random): Create an SSLServerContext with a specific random number generator and the given cipher suite list. |
SSLServerContext(java.security.SecureRandom random, CipherSuiteList cipherSuiteList): Create an SSLServerContext with a specific random number generator and the given cipher suite list. |
SSLServerContext(SSLServerContext other): Create an SSLServerContext cloning another context. |
Modifier and Type | Method and Description |
---|---|
void | addServerCredentials(KeyAndCert keyAndCert): Adds some server credentials. |
void | addServerCredentials(KeyAndCert keyAndCert, int certType): Adds some server credentials for the given cert type. |
void | addServerCredentials(KeyAndCert keyAndCert, int certType, boolean setAsDefault): Adds some server credentials for the given cert type. |
int | addServerCredentials(java.security.KeyStore keyStore, char[] password): Add some server credentials from a KeyStore. |
int | addServerCredentials(java.security.KeyStore keyStore, char[] password, java.lang.String[] aliases): Add some server credentials from a KeyStore. |
int | addServerCredentials(java.lang.String keyStoreFile, char[] keyStorePassword, java.lang.String keyStoreType, java.lang.String keyStoreProvider): Add some server credentials from a KeyStore. |
void | addServerCredentials(java.security.cert.X509Certificate[] chain, java.security.PrivateKey key): Adds some server credentials. |
void | addTemporaryParameter(javax.crypto.spec.DHParameterSpec spec): Add temporary Diffie-Hellman parameters. |
void | addTemporaryParameter(javax.crypto.spec.DHParameterSpec spec, int keyLength): Add temporary Diffie-Hellman parameters. |
void | addTemporaryParameter(java.security.KeyPair keyPair): Add a temporary RSA KeyPair. |
void | clearServerCredentials(): Clear the server credentials database. |
java.lang.Object | clone(): Implements the Cloneable interface. |
int[] | getAllowedCertificateTypes(): Get the certificate types to allow for client authentication. |
boolean | getRequestClientCertificate(): Returns whether an SSLSocket which uses this SSLContext requests a certificate from the client. |
boolean | getRequireClientCertificate(): Deprecated. use getRequestClientCertificate() instead |
boolean | getSendIdentityHint(): Asks whether the server shall send a PSK identity to the client if pre-shared keys are used. |
KeyAndCert | getServerCredentials(int certType): Gets the server credentials of a particular type. |
protected KeyAndCert | getServerCredentials(int certType, ExtensionList extensions, boolean useDefault, SSLTransport transport): Gets the server credentials for given type and extensions (if present). |
void | setAllowedCertificateTypes(int[] types): Set the certificate types to allow for client authentication. |
void | setAllowedProtocolVersions(int minimumVersion, int maximumVersion): Set the SSL/TLS protocol versions to be accepted during the handshake. |
void | setCheckVersionInRSAPremasterSecret(boolean checkVersion): Decides whether to check the version contained in the RSA premaster secret. |
void | setDHCertificate(java.security.cert.Certificate[] certificateChain, java.security.PrivateKey privateKey): Deprecated. use addServerCredentials() instead |
static void | setDHModpID(int dhModpGroupID): Decides whether to use prime modulus and base generator from a Modular Exponential (MODP) group (RFC 2409, 3526) by default for domestic temporary DH parameters. |
void | setDHParameter(javax.crypto.spec.DHParameterSpec dhParameter): Deprecated. use addTemporaryParameter() instead |
void | setDSACertificate(java.security.cert.Certificate[] certificateChain, java.security.PrivateKey privateKey): Deprecated. use addServerCredentials() instead |
void | setIgnoreClientCipherSuitePreferenceOrder(boolean ignore): Whether to ignore the preference order of the cipher suite list sent by the client when selecting a cipher suite for the current session. |
void | setRequestClientCertificate(boolean value): Set whether or not to request client authentication during the handshake. |
void | setRequireClientCertificate(byte[] certificateTypes, java.security.Principal[] certificateAuthorities): Deprecated. use setRequestClientCertificate() instead |
void | setRSACertificate(java.security.cert.Certificate[] certificateChain, java.security.PrivateKey privateKey): Deprecated. use addServerCredentials() instead |
void | setRSATempKeyPair(java.security.KeyPair tempKeyPair): Deprecated. use addTemporaryParameter() instead |
void | setSendEmptySessionID(boolean sendEmptyID): Sets whether to create and send an empty session id if no SessionManager is set. |
void | setSendPSKIdentityHint(boolean create): Decides whether the server shall send a PSK identity to the client if pre-shared keys are used. |
void | setTemporaryParameterScheduling(javax.crypto.spec.DHGenParameterSpec dhGenParameterSpec, long updateInterval): Enables DH parameter scheduling. |
java.lang.String | toString(): Returns a string representation of this SSLContext. |
void | updateCipherSuites(): Update the list of currently enabled ciphersuites based on the certificates available. |
void | updateCipherSuites(boolean enforce): Update the list of currently enabled ciphersuites based on the certificates available. |
addClientCredentials, addClientCredentials, addClientCredentials, addClientCredentials, addClientCredentials, clearClientCredentials, getClientCredentials, getClientCredentials, getIgnorePSKIdentityHint, setCheckExportRestrictions, setIgnorePSKIdentityHint, setReadPostHandshakeMessageAfterFinsished, setUseMaxVersionForRSAPremasterSecret
addPSKCredential, addTrustedCertificate, addTrustedCertificates, addTrustedCertificates, addTrustedCertificates, clearPSKCredentials, convertCertificateChain, getAllowedProtocolVersionNames, getAllowedProtocolVersions, getAllowIdentityChangeDuringRenegotiation, getAllowLegacyRenegotiation, getAllSupportedProtocolVersionNames, getAllSupportedProtocolVersions, getCacheTerminatedSessions, getChainVerifier, getChannelBindings, getDebugStream, getDisableRenegotiation, getDoNotSendServerCloseNotify, getEnabledCipherSuiteList, getEnabledCipherSuites, getEnabledCompressionMethods, getPSKCredential, getPSKManager, getRandomGenerator, getSendEmptyFragment, getSessionManager, getTrustDecider, getUseNoRenegotiationWarnings, setAllowedProtocolVersions, setAllowIdentityChangeDuringRenegotiation, setAllowLegacyRenegotiation, setCacheTerminatedSessions, setChainVerifier, setChannelBindings, setCheckTypeOfNextHandshakeMessage, setDebugStream, setDebugStream, setDisableRenegotiation, setDoNotPackHandshakeMessages, setDoNotSendServerCloseNotify, setDowngradeMaxVersionToTLS12IfNoTLS13CipherSuitesAvailable, setEnabledCipherSuiteList, setEnabledCipherSuites, setEnabledCompressionMethods, setExtensions, setInputStreamAvailableMode, setPSKCredential, setPSKManager, setRandomGenerator, setRecordOverheadSize, setSendEmptyFragment, setSendRecordOverflowAlert, setSessionManager, setTls13MiddleboxCompatibilityMode, setTLS13WaitOnPeerCloseNotify, setTrustDecider, setUseNoRenegotiationWarnings, setUseRecordSplitting
public static final CipherSuite[] rsa
public static final CipherSuite[] rsa_export
public static final CipherSuite[] dhe_rsa
public static final CipherSuite[] dhe_dss
public static final CipherSuite[] dh_rsa
public static final CipherSuite[] dh_dss
public static final CipherSuite[] anon
public SSLServerContext()
public SSLServerContext(java.security.SecureRandom random)
random - the random number generator to be used or null for the default SecureRandom

public SSLServerContext(CipherSuiteList cipherSuiteList)
cipherSuiteList - the cipher suite list to be used or null for the default cipher suite list

public SSLServerContext(java.security.SecureRandom random, CipherSuiteList cipherSuiteList)
random - the random number generator to be used or null for the default SecureRandom
cipherSuiteList - the cipher suite list to be used or null for the default cipher suite list

public SSLServerContext(SSLServerContext other)
public static void setDHModpID(int dhModpGroupID)
addTemporaryParameter
.
Note that using DH parameters greater than 2048 bit may cause interoperability problems with some applications. iSaSiLk by default uses MODP group 14 (2048 bit).
dhModpGroupID - The ID of the MODP (RFC 3526) group to be used, either:
java.lang.IllegalArgumentException - if the given dhModpGroupID is not supported (not 0, 2, 5, 14, 15, 16)

public int[] getAllowedCertificateTypes()
public void setAllowedCertificateTypes(int[] types)
Since TLS 1.3 does not use certificate types for the certificate request message this method has no meaning for TLS 1.3.
types - the certificate types to be set (the types array is not cloned or copied by this method)

public void setCheckVersionInRSAPremasterSecret(boolean checkVersion)
According to SSL/TLS the server should check the version contained in the RSA premaster secret to prevent version rollback attacks. However, although SSL/TLS requires that the max version (sent within the ClientHello message) is included in the RSA premaster secret, many implementations send the negotiated version. For that reason (to not break with current implementations) iSaSiLk servers by default do not check the RSA premaster secret version if the max client version is lower than TLS 1.1. Otherwise, if the max client version is equal to or higher than TLS 1.2, or if the server is configured to do so, the version number is checked according to RFC 5246 (TLS 1.2), 7.4.7.1.:

Note: The version number in the PreMasterSecret is the version offered by the client in the ClientHello.client_version, not the version negotiated for the connection. This feature is designed to prevent rollback attacks. Unfortunately, some old implementations use the negotiated version instead, and therefore checking the version number may lead to failure to interoperate with such incorrect client implementations. Client implementations MUST always send the correct version number in PreMasterSecret. If ClientHello.client_version is TLS 1.1 or higher, server implementations MUST check the version number as described in the note below. If the version number is TLS 1.0 or earlier, server implementations SHOULD check the version number, but MAY have a configuration option to disable the check.

You may call this method if you want to check the RSA premaster secret version:

    ...
    sslServerContext.setCheckVersionInRSAPremasterSecret(true);

checkVersion - whether to check the version in the RSA premaster secret (default: false)

public void setSendPSKIdentityHint(boolean create)
create - whether to create an identity hint or not

public boolean getSendIdentityHint()
true if an identity hint shall be created, false if not

public void clearServerCredentials()
public void addServerCredentials(java.security.cert.X509Certificate[] chain, java.security.PrivateKey key)
This method adds the given server credentials based on their server names (which are automatically calculated). Any already existing credentials that have the same server name(s) are replaced. The server credentials are also set as default credentials for the given cert type (which is calculated from the server certificate public key algorithm). Default credentials are used if the client does not send a server_name extension within an extended ClientHello message.

Any RSA credentials passed to this method are automatically set as both signature and encryption RSA credentials. If this behavior is not intended, use an addServerCredentials(KeyAndCert, int) method, which allows you to explicitly specify the cert type.

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not add/set server credentials to an SSLServerContext from different threads.

chain - the certificate chain of the server containing the server certificate at index 0
key - the private key of the server

public void addServerCredentials(KeyAndCert keyAndCert)
This method adds the given server credentials based on their server names (which are automatically calculated if not set) and trusted authorities (if set). Any already existing credentials that have the same server name(s) / trusted authorities are replaced. The given credentials are also set as default credentials for the given cert type (which is calculated from the certificate public key algorithm). Default credentials are used if the client does not send a server_name or trusted_ca_keys extension within an extended ClientHello message.

Any RSA credentials passed to this method are automatically set as both signature and encryption RSA credentials. If this behavior is not intended, use an addServerCredentials(KeyAndCert, int) method, which allows you to explicitly specify the cert type.

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not add/set server credentials to an SSLServerContext from different threads.

keyAndCert - the server KeyAndCert to be added

public void addServerCredentials(KeyAndCert keyAndCert, int certType)
This method adds the given server credentials based on their server names and trusted authorities (if set). Any already existing credentials that have the same server name(s) / trusted authorities are replaced. The given credentials are also set as default credentials for the given cert type. Default credentials are used if the client does not send a server_name or trusted_ca_keys extension within an extended ClientHello message.

The certType should be one of the CERTTYPE_* constants defined in class SSLContext:

- CERTTYPE_RSA_SIGN for RSA signature certificates
- CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
- CERTTYPE_DSS_SIGN for DSA signature certificates
- CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
- CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
- CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
- CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
- CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not add/set server credentials to an SSLServerContext from different threads.

keyAndCert - the server KeyAndCert to be added
certType - the cert type for which to use the given server credential (KeyAndCert); either:

- RSA_SIGN for RSA signature certificates
- RSA_ENCRYPT for RSA encryption certificates
- DSS_SIGN for DSA signature certificates
- RSA_FIXED_DH for RSA signed DH certificates
- DSS_FIXED_DH for DSA signed DH certificates
- CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
- CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
- CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

java.lang.IllegalArgumentException - if the cert type is not supported

public void addServerCredentials(KeyAndCert keyAndCert, int certType, boolean setAsDefault)
This method adds the given server credentials based on their server names and trusted authorities (if set). Any already existing credentials that have the same server name(s) / trusted authorities are replaced. If no server names are included in the given KeyAndCert (or if no server names can be calculated for the inherent server certificate) and if no trusted authorities are set for the given KeyAndCert, the server credentials are only added if setAsDefault is true. In this case any previously set default credentials of the same type are replaced. Default credentials are used if the client does not send a server_name or trusted_ca_keys extension within its extended ClientHello message.

The certType should be one of the CERTTYPE_* constants defined in class SSLContext:

- CERTTYPE_RSA_SIGN for RSA signature certificates
- CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
- CERTTYPE_DSS_SIGN for DSA signature certificates
- CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
- CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
- CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
- CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
- CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not add/set server credentials to an SSLServerContext from different threads.

keyAndCert - the server KeyAndCert to be added
certType - the cert type for which to use the given server credential (KeyAndCert); either:

- CERTTYPE_RSA_SIGN for RSA signature certificates
- CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
- CERTTYPE_DSS_SIGN for DSA signature certificates
- CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
- CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
- CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
- CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
- CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

setAsDefault - whether to set the given server KeyAndCert as default credentials to be used if the client does not send a server_name and/or trusted_ca_keys extension
java.lang.IllegalArgumentException - if the cert type is not supported

public int addServerCredentials(java.lang.String keyStoreFile, char[] keyStorePassword, java.lang.String keyStoreType, java.lang.String keyStoreProvider) throws java.security.KeyStoreException
Note that this method does not allow the same fine granularity as when adding some particular key and certificate. Any key entry (and its corresponding certificate chain) contained in the KeyStore is added to the key/cert database.

This method adds credentials (keys and corresponding certificate chains) contained in the KeyStore based on their server names (which are automatically calculated). Any already existing credentials of the same type that have the same server name(s) are replaced. If the KeyStore contains more than one credential with the same type and server name(s), only one of them will be added.

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not add/set server credentials to an SSLServerContext from different threads.

If the KeyStore contains SecretKeys, they are added as PSKCredentials.

All key entries must have the same password.

keyStoreFile - the name of the KeyStore file
keyStorePassword - the KeyStore password
keyStoreType - the KeyStore type; default: IAIKKeyStore
keyStoreProvider - the KeyStore provider; default: IAIK
java.security.KeyStoreException - if an error occurs while getting keys/certificates from the KeyStore

public int addServerCredentials(java.security.KeyStore keyStore, char[] password) throws java.security.KeyStoreException
Note that this method does not allow the same fine granularity as when adding some particular key and certificate. Any key entry (and its corresponding certificate chain) contained in the KeyStore is added to the key/cert database.

This method adds credentials (keys and corresponding certificate chains) contained in the KeyStore based on their server names (which are automatically calculated). Any already existing credentials of the same type that have the same server name(s) are replaced. If the KeyStore contains more than one credential with the same type and server name(s), only one of them will be added.

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not add/set server credentials to an SSLServerContext from different threads.

If the KeyStore contains SecretKeys, they are added as PSKCredentials.

The KeyStore must have been already loaded when calling this method. All key entries must have the same password.

keyStore - the KeyStore from which to read the server credentials
password - the password for the private/secret key entries
java.security.KeyStoreException - if an error occurs while getting keys/certificates from the KeyStore

public int addServerCredentials(java.security.KeyStore keyStore, char[] password, java.lang.String[] aliases) throws java.security.KeyStoreException
This method is similar to method addServerCredentials(KeyStore, char[]) except that only those key entries are added that are specified by their aliases. If no aliases are specified, all key entries are added (in this case this method does the same as method addServerCredentials(KeyStore, char[])).

This method adds credentials (keys and corresponding certificate chains) contained in the KeyStore based on their server names (which are automatically calculated). Any already existing credentials of the same type that have the same server name(s) are replaced. If the KeyStore contains more than one credential with the same type and server name(s), only one of them will be added.

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not add/set server credentials to an SSLServerContext from different threads.

If any of the referenced key entries represents a SecretKey, it is added as PSKCredential.

The KeyStore must have been already loaded when calling this method. All key entries must have the same password.

keyStore - the KeyStore from which to read the server credentials
password - the password for the private/secret key entries
aliases - the alias names of the key entries to be added
java.security.KeyStoreException - if an error occurs while getting keys/certificates from the KeyStore, or no key entry is available for any of the specified alias names

public KeyAndCert getServerCredentials(int certType)
certType should be one of the CERTTYPE_* constants defined in class SSLContext:

- CERTTYPE_RSA_SIGN for RSA signature certificates
- CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
- CERTTYPE_DSS_SIGN for DSA signature certificates
- CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
- CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
- CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
- CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
- CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

certType - the type for which a server credential (KeyAndCert) is requested; either:

- CERTTYPE_RSA_SIGN for RSA signature certificates
- CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
- CERTTYPE_DSS_SIGN for DSA signature certificates
- CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
- CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
- CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
- CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
- CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

java.lang.IllegalArgumentException - if the cert type is not supported
java.lang.NullPointerException - if no KeyAndCert for the requested type can be found

protected KeyAndCert getServerCredentials(int certType, ExtensionList extensions, boolean useDefault, SSLTransport transport)
ExtensionList may contain a server_name extension, a trusted_ca_keys, an elliptic_curves and/or an ec_point_formats extension which all may impact the search for appropriate server credentials.

Depending on if the given ExtensionList is not null and does contain some of the extensions listed above, this method searches for server credentials according to the following algorithm (if elliptic_curves and/or ec_point_formats extensions are present, the credentials returned by this method must be ECC credentials and match to any of the elliptic curves named by the elliptic_curves extension and any of the point formats (default: uncompressed) listed in the ec_point_formats extension):

- server name included in the server_name extension and identified by a TrustedAuthority included in the trusted_ca_keys extension. If a proper KeyAndCert object is found it will contain the trusted (ca) cert at certChain index [n-1] (or will contain all its original certificates if it has been explicitly configured to be used for specific trusted authorities). If no proper KeyAndCert can be found but useDefault is true this method returns the default server credentials (if available) for the requested type. Otherwise a NullPointerException is thrown indicating that no server credentials with the requested properties are available.
- server name included in the server_name extension. If no proper KeyAndCert can be found but useDefault is true this method returns the default server credentials (if available) for the requested type. Otherwise a NullPointerException is thrown indicating that no server credentials with the requested properties are available.
- TrustedAuthority included in the trusted_ca_keys extension. If a proper KeyAndCert object is found it will contain the trusted (ca) cert at certChain index [n-1] (or will contain all its original certificates if it has been explicitly configured to be used for specific trusted authorities). If no proper KeyAndCert can be found but useDefault is true this method returns the default server credentials (if available) for the requested type. Otherwise a NullPointerException is thrown indicating that no server credentials with the requested properties are available.
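The lookup and default fallback described above, as a simplified stand-alone model added here for illustration (it is not iSaSiLk code). The class `CredentialLookupModel`, the record `Cred`, the host names and the CA label are constructed; matching is reduced to exact string comparison and a single cert type, and the elliptic-curve filtering is left out.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/** Simplified model of the credential lookup described above (Java 16+). Not iSaSiLk code. */
public class CredentialLookupModel {

    /** Constructed stand-in for a KeyAndCert of one cert type. */
    record Cred(String label, Set<String> serverNames, Set<String> trustedAuthorities) {}

    private final List<Cred> indexed = new ArrayList<>();
    private Cred defaultCred;

    /** Models addServerCredentials(keyAndCert, certType, setAsDefault) for a single cert type. */
    boolean add(Cred c, boolean setAsDefault) {
        boolean hasSelector = !c.serverNames().isEmpty() || !c.trustedAuthorities().isEmpty();
        if (!hasSelector && !setAsDefault) {
            return false; // no names, no authorities, not default: credentials are not added
        }
        if (hasSelector) {
            // credentials with the same server name(s) / trusted authorities are replaced
            indexed.removeIf(o -> o.serverNames().equals(c.serverNames())
                    && o.trustedAuthorities().equals(c.trustedAuthorities()));
            indexed.add(c);
        }
        if (setAsDefault) {
            defaultCred = c; // replaces any previous default of this type
        }
        return true;
    }

    /**
     * sni / authorities are null when the ClientHello carries no server_name /
     * trusted_ca_keys extension. Throws NullPointerException when nothing fits,
     * as the method documentation states.
     */
    Cred select(String sni, Set<String> authorities, boolean useDefault) {
        if (sni == null && authorities == null) {
            return orFail(defaultCred); // no selecting extension: default in any case, if set
        }
        for (Cred c : indexed) {
            boolean nameOk = sni == null || c.serverNames().contains(sni);
            boolean caOk = authorities == null
                    || !Collections.disjoint(c.trustedAuthorities(), authorities);
            if (nameOk && caOk) {
                return c;
            }
        }
        return orFail(useDefault ? defaultCred : null);
    }

    private static Cred orFail(Cred c) {
        if (c == null) {
            throw new NullPointerException("no server credentials with the requested properties");
        }
        return c;
    }

    public static void main(String[] args) {
        CredentialLookupModel db = new CredentialLookupModel();
        db.add(new Cred("shop", Set.of("shop.example"), Set.of()), true);
        db.add(new Cred("admin", Set.of("admin.example"), Set.of("Internal CA")), false);

        // server_name matches an indexed entry
        System.out.println(db.select("admin.example", null, false).label());
        // both extensions present: name and authority must both match
        System.out.println(db.select("admin.example", Set.of("Internal CA"), false).label());
        // unknown name, useDefault = true: the client is served the default credentials
        System.out.println(db.select("unknown.example", null, true).label());
        // unknown name, useDefault = false: the lookup fails instead of falling back
        try {
            db.select("unknown.example", null, false);
        } catch (NullPointerException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The third call is the case to review on a multi-host server: with default credentials set, a client that names an unknown host still receives a certificate, namely the default one.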
The certType should be one of the CERTTYPE_* constants defined in class SSLContext:

- CERTTYPE_RSA_SIGN for RSA signature certificates
- CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
- CERTTYPE_DSS_SIGN for DSA signature certificates
- CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
- CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
- CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
- CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
- CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

certType - the type for which a server credential (KeyAndCert) is requested; either:

- CERTTYPE_RSA_SIGN for RSA signature certificates
- CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
- CERTTYPE_DSS_SIGN for DSA signature certificates
- CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
- CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
- CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
- CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
- CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

extensions - an ExtensionList; if it is not null and does contain a server_name and/or trusted_ca_keys extension, the credential search is based on the server names included in the server_name extension and/or trusted authorities included in the trusted_ca_keys extension
useDefault - whether to return the default credentials for the requested cert type if no credentials for the requested server names and/or trusted authorities can be found (if extensions is not null and does contain a server_name and/or trusted_ca_keys extension; if extensions is null or does not contain a server_name and/or trusted_ca_keys extensions, the default credentials are returned in any case, if set)
transport - SSLTransport for debugging (may be null)
extensions is not null and does contain a server_name and/or trusted_ca_keys extension)
java.lang.IllegalArgumentException - if the cert type is not supported
java.lang.NullPointerException - if no KeyAndCert for the requested properties can be found

public void updateCipherSuites()
Note that the semantics of this method were changed in 3.0. Previously this method would enable all ciphersuites that were available, now all currently enabled ciphersuites that are not available are disabled.
Also note that this method will not work correctly for user added ciphersuites.
updateCipherSuites in class SSLContext
public void updateCipherSuites(boolean enforce)
Note that the semantics of this method were changed in 3.0. Previously this method would enable all ciphersuites that were available, now all currently enabled ciphersuites that are not available are disabled.
Also note that this method will not work correctly for user added ciphersuites.
public void addTemporaryParameter(java.security.KeyPair keyPair)
public void addTemporaryParameter(javax.crypto.spec.DHParameterSpec spec)
public void addTemporaryParameter(javax.crypto.spec.DHParameterSpec spec, int keyLength)
The keyLength parameter determines which parameters you want to set. If not greater than 512, the 512 bit export parameters are set; if not greater than 1024, the 1024 bit export parameters are set. If greater than 1024, the domestic parameters are set. In addition, parameters between 512 and 1024 bit are automatically set as the domestic parameters if domestic parameters have not been set previously.
Note that it is not checked if the keyLength parameter you pass is the actual length of the parameters. It is generally recommended that you use the method without the keyLength parameter.
addTemporaryParameter(DHParameterSpec)
public void setTemporaryParameterScheduling(javax.crypto.spec.DHGenParameterSpec dhGenParameterSpec, long updateInterval)
updateTime + parameterGenerationTime
.
By default no DH parameter scheduling is used.
dhGenParameterSpec - the DHGenParameterSpec specifying prime and exponent size of the to-be-generated DH parameters; if null DH parameter scheduling is disabled
updateInterval - the update interval specifying when new parameters shall be generated (should be not too short)

public void setRequestClientCertificate(boolean value)
ChainVerifier
public boolean getRequestClientCertificate()
public void setIgnoreClientCipherSuitePreferenceOrder(boolean ignore)
true as parameter:

    serverContext.setIgnoreClientCipherSuitePreferenceOrder(true);

ignore - whether to ignore the client cipher suite list preference order when selecting the cipher suite for the current session

public void setSendEmptySessionID(boolean sendEmptyID)
sendEmptyID - whether to create and send an empty session id if no SessionManager is set

public void setAllowedProtocolVersions(int minimumVersion, int maximumVersion)
SSLContext
The parameters passed should be from the VERSION_xxx list defined in this class. Per default both SSLv3 and TLS are enabled, SSLv2 is disabled.
If you want to enable e.g. SSLv3 and TLS use

    setAllowedProtocolVersions(SSLContext.VERSION_SSL30, SSLContext.VERSION_TLS12);

setAllowedProtocolVersions in class SSLContext
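A server context that narrows the accepted protocol range and sets the other server-side options documented on this page, added here as an example (it is not IAIK's own sample code). It uses only methods and constants listed above; the package name `iaik.security.ssl`, the helper class `HardenedServerContext` and its parameters are assumptions.

```java
import iaik.security.ssl.SSLContext;        // package name is an assumption, not stated on this page
import iaik.security.ssl.SSLServerContext;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;

public final class HardenedServerContext {   // hypothetical helper class

    private HardenedServerContext() {}

    /**
     * keyStore must already be loaded; keyPassword protects all of its key entries.
     * clientTrustAnchor is the CA that issues the client certificates.
     */
    public static SSLServerContext build(KeyStore keyStore, char[] keyPassword,
                                         X509Certificate clientTrustAnchor)
            throws KeyStoreException {
        SSLServerContext ctx = new SSLServerContext();

        // Weak: the page's sample call keeps SSLv3 in the accepted range.
        //   ctx.setAllowedProtocolVersions(SSLContext.VERSION_SSL30, SSLContext.VERSION_TLS12);
        // Corrected: accept TLS 1.2 and TLS 1.3 only.
        ctx.setAllowedProtocolVersions(SSLContext.VERSION_TLS12, SSLContext.VERSION_TLS13);

        // Load the server key entries; call this from one thread only (not thread-safe).
        ctx.addServerCredentials(keyStore, keyPassword);

        // Request client certificates and check them against a single trust anchor.
        ctx.addTrustedCertificate(clientTrustAnchor);
        ctx.setRequestClientCertificate(true);

        // Choose the cipher suite by the server's order, not the client's.
        ctx.setIgnoreClientCipherSuitePreferenceOrder(true);

        // Check the version in the RSA premaster secret (documented default: false).
        ctx.setCheckVersionInRSAPremasterSecret(true);

        // Static, so it applies process-wide: temporary DH parameters from MODP group 14 (2048 bit).
        SSLServerContext.setDHModpID(14);

        // Disable enabled cipher suites that the loaded credentials cannot serve.
        ctx.updateCipherSuites();
        return ctx;
    }
}
```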
public java.lang.Object clone()
clone in class SSLClientContext

public java.lang.String toString()
toString in class SSLClientContext
public void setRequireClientCertificate(byte[] certificateTypes, java.security.Principal[] certificateAuthorities)
public void setRSACertificate(java.security.cert.Certificate[] certificateChain, java.security.PrivateKey privateKey) throws java.security.cert.CertificateException
java.security.cert.CertificateException
public void setDSACertificate(java.security.cert.Certificate[] certificateChain, java.security.PrivateKey privateKey) throws java.security.cert.CertificateException
java.security.cert.CertificateException
public void setDHCertificate(java.security.cert.Certificate[] certificateChain, java.security.PrivateKey privateKey) throws java.security.cert.CertificateException
java.security.cert.CertificateException
public void setDHParameter(javax.crypto.spec.DHParameterSpec dhParameter)
public void setRSATempKeyPair(java.security.KeyPair tempKeyPair)
public boolean getRequireClientCertificate()