Back to index...

	/*
	* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation. Oracle designates this
	* particular file as subject to the "Classpath" exception as provided
	* by Oracle in the LICENSE file that accompanied this code.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/

	/*
	* NOTE: this file was copied from javax.net.ssl.SSLSecurity,
	* but was heavily modified to allow com.sun.* users to
	* access providers written using the javax.sun.* APIs.
	*/

	package com.sun.net.ssl;

	import java.util.*;
	import java.io.*;
	import java.security.*;
	import java.security.Provider.Service;
	import java.net.Socket;

	import sun.security.jca.*;

	/**
	* This class instantiates implementations of JSSE engine classes from
	* providers registered with the java.security.Security object.
	*
	* @author Jan Luehe
	* @author Jeff Nisewanger
	* @author Brad Wetmore
	*/

	final class SSLSecurity {

	/*
	* Don't let anyone instantiate this.
	*/
	private SSLSecurity() {
	}


	// ProviderList.getService() is not accessible now, implement our own loop
	private static Service getService(String type, String alg) {
	ProviderList list = Providers.getProviderList();
	for (Provider p : list.providers()) {
	Service s = p.getService(type, alg);
	if (s != null) {
	return s;
	}
	}
	return null;
	}

	/**
	* The body of the driver for the getImpl method.
	*/
	private static Object[] getImpl1(String algName, String engineType,
	Service service) throws NoSuchAlgorithmException
	{
	Provider provider = service.getProvider();
	String className = service.getClassName();
	Class<?> implClass;
	try {
	ClassLoader cl = provider.getClass().getClassLoader();
	if (cl == null) {
	// system class
	implClass = Class.forName(className);
	} else {
	implClass = cl.loadClass(className);
	}
	} catch (ClassNotFoundException e) {
	throw new NoSuchAlgorithmException("Class " + className +
	" configured for " +
	engineType +
	" not found: " +
	e.getMessage());
	} catch (SecurityException e) {
	throw new NoSuchAlgorithmException("Class " + className +
	" configured for " +
	engineType +
	" cannot be accessed: " +
	e.getMessage());
	}

	/*
	* JSSE 1.0, 1.0.1, and 1.0.2 used the com.sun.net.ssl API as the
	* API was being developed. As JSSE was folded into the main
	* release, it was decided to promote the com.sun.net.ssl API to
	* be javax.net.ssl. It is desired to keep binary compatibility
	* with vendors of JSSE implementation written using the
	* com.sun.net.sll API, so we do this magic to handle everything.
	*
	* API used Implementation used Supported?
	* ======== =================== ==========
	* com.sun javax Yes
	* com.sun com.sun Yes
	* javax javax Yes
	* javax com.sun Not Currently
	*
	* Make sure the implementation class is a subclass of the
	* corresponding engine class.
	*
	* In wrapping these classes, there's no way to know how to
	* wrap all possible classes that extend the TrustManager/KeyManager.
	* We only wrap the x509 variants.
	*/

	try { // catch instantiation errors

	/*
	* (The following Class.forName()s should alway work, because
	* this class and all the SPI classes in javax.crypto are
	* loaded by the same class loader.) That is, unless they
	* give us a SPI class that doesn't exist, say SSLFoo,
	* or someone has removed classes from the jsse.jar file.
	*/

	Class<?> typeClassJavax;
	Class<?> typeClassCom;
	Object obj = null;

	/*
	* Odds are more likely that we have a javax variant, try this
	* first.
	*/
	if (((typeClassJavax = Class.forName("javax.net.ssl." +
	engineType + "Spi")) != null) &&
	(checkSuperclass(implClass, typeClassJavax))) {

	if (engineType.equals("SSLContext")) {
	obj = new SSLContextSpiWrapper(algName, provider);
	} else if (engineType.equals("TrustManagerFactory")) {
	obj = new TrustManagerFactorySpiWrapper(algName, provider);
	} else if (engineType.equals("KeyManagerFactory")) {
	obj = new KeyManagerFactorySpiWrapper(algName, provider);
	} else {
	/*
	* We should throw an error if we get
	* something totally unexpected. Don't ever
	* expect to see this one...
	*/
	throw new IllegalStateException(
	"Class " + implClass.getName() +
	" unknown engineType wrapper:" + engineType);
	}

	} else if (((typeClassCom = Class.forName("com.sun.net.ssl." +
	engineType + "Spi")) != null) &&
	(checkSuperclass(implClass, typeClassCom))) {
	obj = service.newInstance(null);
	}

	if (obj != null) {
	return new Object[] { obj, provider };
	} else {
	throw new NoSuchAlgorithmException(
	"Couldn't locate correct object or wrapper: " +
	engineType + " " + algName);
	}

	} catch (ClassNotFoundException e) {
	IllegalStateException exc = new IllegalStateException(
	"Engine Class Not Found for " + engineType);
	exc.initCause(e);
	throw exc;
	}
	}

	/**
	* Returns an array of objects: the first object in the array is
	* an instance of an implementation of the requested algorithm
	* and type, and the second object in the array identifies the provider
	* of that implementation.
	* The <code>provName</code> argument can be null, in which case all
	* configured providers will be searched in order of preference.
	*/
	static Object[] getImpl(String algName, String engineType, String provName)
	throws NoSuchAlgorithmException, NoSuchProviderException
	{
	Service service;
	if (provName != null) {
	ProviderList list = Providers.getProviderList();
	Provider prov = list.getProvider(provName);
	if (prov == null) {
	throw new NoSuchProviderException("No such provider: " +
	provName);
	}
	service = prov.getService(engineType, algName);
	} else {
	service = getService(engineType, algName);
	}
	if (service == null) {
	throw new NoSuchAlgorithmException("Algorithm " + algName
	+ " not available");
	}
	return getImpl1(algName, engineType, service);
	}


	/**
	* Returns an array of objects: the first object in the array is
	* an instance of an implementation of the requested algorithm
	* and type, and the second object in the array identifies the provider
	* of that implementation.
	* The <code>prov</code> argument can be null, in which case all
	* configured providers will be searched in order of preference.
	*/
	static Object[] getImpl(String algName, String engineType, Provider prov)
	throws NoSuchAlgorithmException
	{
	Service service = prov.getService(engineType, algName);
	if (service == null) {
	throw new NoSuchAlgorithmException("No such algorithm: " +
	algName);
	}
	return getImpl1(algName, engineType, service);
	}

	/*
	* Checks whether one class is the superclass of another
	*/
	private static boolean checkSuperclass(Class<?> subclass, Class<?> superclass) {
	if ((subclass == null) \|\| (superclass == null))
	return false;

	while (!subclass.equals(superclass)) {
	subclass = subclass.getSuperclass();
	if (subclass == null) {
	return false;
	}
	}
	return true;
	}

	/*
	* Return at most the first "resize" elements of an array.
	*
	* Didn't want to use java.util.Arrays, as PJava may not have it.
	*/
	static Object[] truncateArray(Object[] oldArray, Object[] newArray) {

	for (int i = 0; i < newArray.length; i++) {
	newArray[i] = oldArray[i];
	}

	return newArray;
	}

	}


	/*
	* =================================================================
	* The remainder of this file is for the wrapper and wrapper-support
	* classes. When SSLSecurity finds something which extends the
	* javax.net.ssl.*Spi, we need to go grab a real instance of the
	* thing that the Spi supports, and wrap into a com.sun.net.ssl.*Spi
	* object. This also mean that anything going down into the SPI
	* needs to be wrapped, as well as anything coming back up.
	*/
	final class SSLContextSpiWrapper extends SSLContextSpi {

	private javax.net.ssl.SSLContext theSSLContext;

	SSLContextSpiWrapper(String algName, Provider prov) throws
	NoSuchAlgorithmException {
	theSSLContext = javax.net.ssl.SSLContext.getInstance(algName, prov);
	}

	protected void engineInit(KeyManager[] kma, TrustManager[] tma,
	SecureRandom sr) throws KeyManagementException {

	// Keep track of the actual number of array elements copied
	int dst;
	int src;
	javax.net.ssl.KeyManager[] kmaw;
	javax.net.ssl.TrustManager[] tmaw;

	// Convert com.sun.net.ssl.kma to a javax.net.ssl.kma
	// wrapper if need be.
	if (kma != null) {
	kmaw = new javax.net.ssl.KeyManager[kma.length];
	for (src = 0, dst = 0; src < kma.length; ) {
	/*
	* These key managers may implement both javax
	* and com.sun interfaces, so if they do
	* javax, there's no need to wrap them.
	*/
	if (!(kma[src] instanceof javax.net.ssl.KeyManager)) {
	/*
	* Do we know how to convert them? If not, oh well...
	* We'll have to drop them on the floor in this
	* case, cause we don't know how to handle them.
	* This will be pretty rare, but put here for
	* completeness.
	*/
	if (kma[src] instanceof X509KeyManager) {
	kmaw[dst] = (javax.net.ssl.KeyManager)
	new X509KeyManagerJavaxWrapper(
	(X509KeyManager)kma[src]);
	dst++;
	}
	} else {
	// We can convert directly, since they implement.
	kmaw[dst] = (javax.net.ssl.KeyManager)kma[src];
	dst++;
	}
	src++;
	}

	/*
	* If dst != src, there were more items in the original array
	* than in the new array. Compress the new elements to avoid
	* any problems down the road.
	*/
	if (dst != src) {
	kmaw = (javax.net.ssl.KeyManager [])
	SSLSecurity.truncateArray(kmaw,
	new javax.net.ssl.KeyManager [dst]);
	}
	} else {
	kmaw = null;
	}

	// Now do the same thing with the TrustManagers.
	if (tma != null) {
	tmaw = new javax.net.ssl.TrustManager[tma.length];

	for (src = 0, dst = 0; src < tma.length; ) {
	/*
	* These key managers may implement both...see above...
	*/
	if (!(tma[src] instanceof javax.net.ssl.TrustManager)) {
	// Do we know how to convert them?
	if (tma[src] instanceof X509TrustManager) {
	tmaw[dst] = (javax.net.ssl.TrustManager)
	new X509TrustManagerJavaxWrapper(
	(X509TrustManager)tma[src]);
	dst++;
	}
	} else {
	tmaw[dst] = (javax.net.ssl.TrustManager)tma[src];
	dst++;
	}
	src++;
	}

	if (dst != src) {
	tmaw = (javax.net.ssl.TrustManager [])
	SSLSecurity.truncateArray(tmaw,
	new javax.net.ssl.TrustManager [dst]);
	}
	} else {
	tmaw = null;
	}

	theSSLContext.init(kmaw, tmaw, sr);
	}

	protected javax.net.ssl.SSLSocketFactory
	engineGetSocketFactory() {
	return theSSLContext.getSocketFactory();
	}

	protected javax.net.ssl.SSLServerSocketFactory
	engineGetServerSocketFactory() {
	return theSSLContext.getServerSocketFactory();
	}

	}

	final class TrustManagerFactorySpiWrapper extends TrustManagerFactorySpi {

	private javax.net.ssl.TrustManagerFactory theTrustManagerFactory;

	TrustManagerFactorySpiWrapper(String algName, Provider prov) throws
	NoSuchAlgorithmException {
	theTrustManagerFactory =
	javax.net.ssl.TrustManagerFactory.getInstance(algName, prov);
	}

	protected void engineInit(KeyStore ks) throws KeyStoreException {
	theTrustManagerFactory.init(ks);
	}

	protected TrustManager[] engineGetTrustManagers() {

	int dst;
	int src;

	javax.net.ssl.TrustManager[] tma =
	theTrustManagerFactory.getTrustManagers();

	TrustManager[] tmaw = new TrustManager[tma.length];

	for (src = 0, dst = 0; src < tma.length; ) {
	if (!(tma[src] instanceof com.sun.net.ssl.TrustManager)) {
	// We only know how to wrap X509TrustManagers, as
	// TrustManagers don't have any methods to wrap.
	if (tma[src] instanceof javax.net.ssl.X509TrustManager) {
	tmaw[dst] = (TrustManager)
	new X509TrustManagerComSunWrapper(
	(javax.net.ssl.X509TrustManager)tma[src]);
	dst++;
	}
	} else {
	tmaw[dst] = (TrustManager)tma[src];
	dst++;
	}
	src++;
	}

	if (dst != src) {
	tmaw = (TrustManager [])
	SSLSecurity.truncateArray(tmaw, new TrustManager [dst]);
	}

	return tmaw;
	}

	}

	final class KeyManagerFactorySpiWrapper extends KeyManagerFactorySpi {

	private javax.net.ssl.KeyManagerFactory theKeyManagerFactory;

	KeyManagerFactorySpiWrapper(String algName, Provider prov) throws
	NoSuchAlgorithmException {
	theKeyManagerFactory =
	javax.net.ssl.KeyManagerFactory.getInstance(algName, prov);
	}

	protected void engineInit(KeyStore ks, char[] password)
	throws KeyStoreException, NoSuchAlgorithmException,
	UnrecoverableKeyException {
	theKeyManagerFactory.init(ks, password);
	}

	protected KeyManager[] engineGetKeyManagers() {

	int dst;
	int src;

	javax.net.ssl.KeyManager[] kma =
	theKeyManagerFactory.getKeyManagers();

	KeyManager[] kmaw = new KeyManager[kma.length];

	for (src = 0, dst = 0; src < kma.length; ) {
	if (!(kma[src] instanceof com.sun.net.ssl.KeyManager)) {
	// We only know how to wrap X509KeyManagers, as
	// KeyManagers don't have any methods to wrap.
	if (kma[src] instanceof javax.net.ssl.X509KeyManager) {
	kmaw[dst] = (KeyManager)
	new X509KeyManagerComSunWrapper(
	(javax.net.ssl.X509KeyManager)kma[src]);
	dst++;
	}
	} else {
	kmaw[dst] = (KeyManager)kma[src];
	dst++;
	}
	src++;
	}

	if (dst != src) {
	kmaw = (KeyManager [])
	SSLSecurity.truncateArray(kmaw, new KeyManager [dst]);
	}

	return kmaw;
	}

	}

	// =================================

	final class X509KeyManagerJavaxWrapper implements
	javax.net.ssl.X509KeyManager {

	private X509KeyManager theX509KeyManager;

	X509KeyManagerJavaxWrapper(X509KeyManager obj) {
	theX509KeyManager = obj;
	}

	public String[] getClientAliases(String keyType, Principal[] issuers) {
	return theX509KeyManager.getClientAliases(keyType, issuers);
	}

	public String chooseClientAlias(String[] keyTypes, Principal[] issuers,
	Socket socket) {
	String retval;

	if (keyTypes == null) {
	return null;
	}

	/*
	* Scan the list, look for something we can pass back.
	*/
	for (int i = 0; i < keyTypes.length; i++) {
	if ((retval = theX509KeyManager.chooseClientAlias(keyTypes[i],
	issuers)) != null)
	return retval;
	}
	return null;

	}

	/*
	* JSSE 1.0.x was only socket based, but it's possible someone might
	* want to install a really old provider. We should at least
	* try to be nice.
	*/
	public String chooseEngineClientAlias(
	String[] keyTypes, Principal[] issuers,
	javax.net.ssl.SSLEngine engine) {
	String retval;

	if (keyTypes == null) {
	return null;
	}

	/*
	* Scan the list, look for something we can pass back.
	*/
	for (int i = 0; i < keyTypes.length; i++) {
	if ((retval = theX509KeyManager.chooseClientAlias(keyTypes[i],
	issuers)) != null)
	return retval;
	}

	return null;
	}

	public String[] getServerAliases(String keyType, Principal[] issuers) {
	return theX509KeyManager.getServerAliases(keyType, issuers);
	}

	public String chooseServerAlias(String keyType, Principal[] issuers,
	Socket socket) {

	if (keyType == null) {
	return null;
	}
	return theX509KeyManager.chooseServerAlias(keyType, issuers);
	}

	/*
	* JSSE 1.0.x was only socket based, but it's possible someone might
	* want to install a really old provider. We should at least
	* try to be nice.
	*/
	public String chooseEngineServerAlias(
	String keyType, Principal[] issuers,
	javax.net.ssl.SSLEngine engine) {

	if (keyType == null) {
	return null;
	}
	return theX509KeyManager.chooseServerAlias(keyType, issuers);
	}

	public java.security.cert.X509Certificate[]
	getCertificateChain(String alias) {
	return theX509KeyManager.getCertificateChain(alias);
	}

	public PrivateKey getPrivateKey(String alias) {
	return theX509KeyManager.getPrivateKey(alias);
	}
	}

	final class X509TrustManagerJavaxWrapper implements
	javax.net.ssl.X509TrustManager {

	private X509TrustManager theX509TrustManager;

	X509TrustManagerJavaxWrapper(X509TrustManager obj) {
	theX509TrustManager = obj;
	}

	public void checkClientTrusted(
	java.security.cert.X509Certificate[] chain, String authType)
	throws java.security.cert.CertificateException {
	if (!theX509TrustManager.isClientTrusted(chain)) {
	throw new java.security.cert.CertificateException(
	"Untrusted Client Certificate Chain");
	}
	}

	public void checkServerTrusted(
	java.security.cert.X509Certificate[] chain, String authType)
	throws java.security.cert.CertificateException {
	if (!theX509TrustManager.isServerTrusted(chain)) {
	throw new java.security.cert.CertificateException(
	"Untrusted Server Certificate Chain");
	}
	}

	public java.security.cert.X509Certificate[] getAcceptedIssuers() {
	return theX509TrustManager.getAcceptedIssuers();
	}
	}

	final class X509KeyManagerComSunWrapper implements X509KeyManager {

	private javax.net.ssl.X509KeyManager theX509KeyManager;

	X509KeyManagerComSunWrapper(javax.net.ssl.X509KeyManager obj) {
	theX509KeyManager = obj;
	}

	public String[] getClientAliases(String keyType, Principal[] issuers) {
	return theX509KeyManager.getClientAliases(keyType, issuers);
	}

	public String chooseClientAlias(String keyType, Principal[] issuers) {
	String [] keyTypes = new String [] { keyType };
	return theX509KeyManager.chooseClientAlias(keyTypes, issuers, null);
	}

	public String[] getServerAliases(String keyType, Principal[] issuers) {
	return theX509KeyManager.getServerAliases(keyType, issuers);
	}

	public String chooseServerAlias(String keyType, Principal[] issuers) {
	return theX509KeyManager.chooseServerAlias(keyType, issuers, null);
	}

	public java.security.cert.X509Certificate[]
	getCertificateChain(String alias) {
	return theX509KeyManager.getCertificateChain(alias);
	}

	public PrivateKey getPrivateKey(String alias) {
	return theX509KeyManager.getPrivateKey(alias);
	}
	}

	final class X509TrustManagerComSunWrapper implements X509TrustManager {

	private javax.net.ssl.X509TrustManager theX509TrustManager;

	X509TrustManagerComSunWrapper(javax.net.ssl.X509TrustManager obj) {
	theX509TrustManager = obj;
	}

	public boolean isClientTrusted(
	java.security.cert.X509Certificate[] chain) {
	try {
	theX509TrustManager.checkClientTrusted(chain, "UNKNOWN");
	return true;
	} catch (java.security.cert.CertificateException e) {
	return false;
	}
	}

	public boolean isServerTrusted(
	java.security.cert.X509Certificate[] chain) {
	try {
	theX509TrustManager.checkServerTrusted(chain, "UNKNOWN");
	return true;
	} catch (java.security.cert.CertificateException e) {
	return false;
	}
	}

	public java.security.cert.X509Certificate[] getAcceptedIssuers() {
	return theX509TrustManager.getAcceptedIssuers();
	}
	}

Back to index...