/* |
|
* Copyright (c) 2003, 2008, Oracle and/or its affiliates. All rights reserved. |
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
* |
|
* This code is free software; you can redistribute it and/or modify it |
|
* under the terms of the GNU General Public License version 2 only, as |
|
* published by the Free Software Foundation. Oracle designates this |
|
* particular file as subject to the "Classpath" exception as provided |
|
* by Oracle in the LICENSE file that accompanied this code. |
|
* |
|
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
* version 2 for more details (a copy is included in the LICENSE file that |
|
* accompanied this code). |
|
* |
|
* You should have received a copy of the GNU General Public License version |
|
* 2 along with this work; if not, write to the Free Software Foundation, |
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
* |
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
* or visit www.oracle.com if you need additional information or have any |
|
* questions. |
|
*/ |
|
package javax.rmi.ssl; |
|
import java.io.IOException; |
|
import java.net.ServerSocket; |
|
import java.net.Socket; |
|
import java.rmi.server.RMIServerSocketFactory; |
|
import java.util.Arrays; |
|
import java.util.List; |
|
import javax.net.ssl.SSLContext; |
|
import javax.net.ssl.SSLServerSocketFactory; |
|
import javax.net.ssl.SSLSocket; |
|
import javax.net.ssl.SSLSocketFactory; |
|
/** |
|
* <p>An <code>SslRMIServerSocketFactory</code> instance is used by the RMI |
|
* runtime in order to obtain server sockets for RMI calls via SSL.</p> |
|
* |
|
* <p>This class implements <code>RMIServerSocketFactory</code> over |
|
* the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) |
|
* protocols.</p> |
|
* |
|
* <p>This class creates SSL sockets using the default |
|
* <code>SSLSocketFactory</code> (see {@link |
|
* SSLSocketFactory#getDefault}) or the default |
|
* <code>SSLServerSocketFactory</code> (see {@link |
|
* SSLServerSocketFactory#getDefault}) unless the |
|
* constructor taking an <code>SSLContext</code> is |
|
* used in which case the SSL sockets are created using |
|
* the <code>SSLSocketFactory</code> returned by |
|
* {@link SSLContext#getSocketFactory} or the |
|
* <code>SSLServerSocketFactory</code> returned by |
|
* {@link SSLContext#getServerSocketFactory}. |
|
* |
|
* When an <code>SSLContext</code> is not supplied all the instances of this |
|
* class share the same keystore, and the same truststore (when client |
|
* authentication is required by the server). This behavior can be modified |
|
* by supplying an already initialized <code>SSLContext</code> instance. |
|
* |
|
* @see javax.net.ssl.SSLSocketFactory |
|
* @see javax.net.ssl.SSLServerSocketFactory |
|
* @see javax.rmi.ssl.SslRMIClientSocketFactory |
|
* @since 1.5 |
|
*/ |
|
public class SslRMIServerSocketFactory implements RMIServerSocketFactory { |
|
/** |
|
* <p>Creates a new <code>SslRMIServerSocketFactory</code> with |
|
* the default SSL socket configuration.</p> |
|
* |
|
* <p>SSL connections accepted by server sockets created by this |
|
* factory have the default cipher suites and protocol versions |
|
* enabled and do not require client authentication.</p> |
|
*/ |
|
public SslRMIServerSocketFactory() { |
|
this(null, null, false); |
|
} |
|
/** |
|
* <p>Creates a new <code>SslRMIServerSocketFactory</code> with |
|
* the specified SSL socket configuration.</p> |
|
* |
|
* @param enabledCipherSuites names of all the cipher suites to |
|
* enable on SSL connections accepted by server sockets created by |
|
* this factory, or <code>null</code> to use the cipher suites |
|
* that are enabled by default |
|
* |
|
* @param enabledProtocols names of all the protocol versions to |
|
* enable on SSL connections accepted by server sockets created by |
|
* this factory, or <code>null</code> to use the protocol versions |
|
* that are enabled by default |
|
* |
|
* @param needClientAuth <code>true</code> to require client |
|
* authentication on SSL connections accepted by server sockets |
|
* created by this factory; <code>false</code> to not require |
|
* client authentication |
|
* |
|
* @exception IllegalArgumentException when one or more of the cipher |
|
* suites named by the <code>enabledCipherSuites</code> parameter is |
|
* not supported, when one or more of the protocols named by the |
|
* <code>enabledProtocols</code> parameter is not supported or when |
|
* a problem is encountered while trying to check if the supplied |
|
* cipher suites and protocols to be enabled are supported. |
|
* |
|
* @see SSLSocket#setEnabledCipherSuites |
|
* @see SSLSocket#setEnabledProtocols |
|
* @see SSLSocket#setNeedClientAuth |
|
*/ |
|
public SslRMIServerSocketFactory( |
|
String[] enabledCipherSuites, |
|
String[] enabledProtocols, |
|
boolean needClientAuth) |
|
throws IllegalArgumentException { |
|
this(null, enabledCipherSuites, enabledProtocols, needClientAuth); |
|
} |
|
/** |
|
* <p>Creates a new <code>SslRMIServerSocketFactory</code> with the |
|
* specified <code>SSLContext</code> and SSL socket configuration.</p> |
|
* |
|
* @param context the SSL context to be used for creating SSL sockets. |
|
* If <code>context</code> is null the default <code>SSLSocketFactory</code> |
|
* or the default <code>SSLServerSocketFactory</code> will be used to |
|
* create SSL sockets. Otherwise, the socket factory returned by |
|
* <code>SSLContext.getSocketFactory()</code> or |
|
* <code>SSLContext.getServerSocketFactory()</code> will be used instead. |
|
* |
|
* @param enabledCipherSuites names of all the cipher suites to |
|
* enable on SSL connections accepted by server sockets created by |
|
* this factory, or <code>null</code> to use the cipher suites |
|
* that are enabled by default |
|
* |
|
* @param enabledProtocols names of all the protocol versions to |
|
* enable on SSL connections accepted by server sockets created by |
|
* this factory, or <code>null</code> to use the protocol versions |
|
* that are enabled by default |
|
* |
|
* @param needClientAuth <code>true</code> to require client |
|
* authentication on SSL connections accepted by server sockets |
|
* created by this factory; <code>false</code> to not require |
|
* client authentication |
|
* |
|
* @exception IllegalArgumentException when one or more of the cipher |
|
* suites named by the <code>enabledCipherSuites</code> parameter is |
|
* not supported, when one or more of the protocols named by the |
|
* <code>enabledProtocols</code> parameter is not supported or when |
|
* a problem is encountered while trying to check if the supplied |
|
* cipher suites and protocols to be enabled are supported. |
|
* |
|
* @see SSLSocket#setEnabledCipherSuites |
|
* @see SSLSocket#setEnabledProtocols |
|
* @see SSLSocket#setNeedClientAuth |
|
* @since 1.7 |
|
*/ |
|
public SslRMIServerSocketFactory( |
|
SSLContext context, |
|
String[] enabledCipherSuites, |
|
String[] enabledProtocols, |
|
boolean needClientAuth) |
|
throws IllegalArgumentException { |
|
// Initialize the configuration parameters. |
|
// |
|
this.enabledCipherSuites = enabledCipherSuites == null ? |
|
null : enabledCipherSuites.clone(); |
|
this.enabledProtocols = enabledProtocols == null ? |
|
null : enabledProtocols.clone(); |
|
this.needClientAuth = needClientAuth; |
|
// Force the initialization of the default at construction time, |
|
// rather than delaying it to the first time createServerSocket() |
|
// is called. |
|
// |
|
this.context = context; |
|
final SSLSocketFactory sslSocketFactory = |
|
context == null ? |
|
getDefaultSSLSocketFactory() : context.getSocketFactory(); |
|
SSLSocket sslSocket = null; |
|
if (this.enabledCipherSuites != null || this.enabledProtocols != null) { |
|
try { |
|
sslSocket = (SSLSocket) sslSocketFactory.createSocket(); |
|
} catch (Exception e) { |
|
final String msg = "Unable to check if the cipher suites " + |
|
"and protocols to enable are supported"; |
|
throw (IllegalArgumentException) |
|
new IllegalArgumentException(msg).initCause(e); |
|
} |
|
} |
|
// Check if all the cipher suites and protocol versions to enable |
|
// are supported by the underlying SSL/TLS implementation and if |
|
// true create lists from arrays. |
|
// |
|
if (this.enabledCipherSuites != null) { |
|
sslSocket.setEnabledCipherSuites(this.enabledCipherSuites); |
|
enabledCipherSuitesList = Arrays.asList(this.enabledCipherSuites); |
|
} |
|
if (this.enabledProtocols != null) { |
|
sslSocket.setEnabledProtocols(this.enabledProtocols); |
|
enabledProtocolsList = Arrays.asList(this.enabledProtocols); |
|
} |
|
} |
|
/** |
|
* <p>Returns the names of the cipher suites enabled on SSL |
|
* connections accepted by server sockets created by this factory, |
|
* or <code>null</code> if this factory uses the cipher suites |
|
* that are enabled by default.</p> |
|
* |
|
* @return an array of cipher suites enabled, or <code>null</code> |
|
* |
|
* @see SSLSocket#setEnabledCipherSuites |
|
*/ |
|
public final String[] getEnabledCipherSuites() { |
|
return enabledCipherSuites == null ? |
|
null : enabledCipherSuites.clone(); |
|
} |
|
/** |
|
* <p>Returns the names of the protocol versions enabled on SSL |
|
* connections accepted by server sockets created by this factory, |
|
* or <code>null</code> if this factory uses the protocol versions |
|
* that are enabled by default.</p> |
|
* |
|
* @return an array of protocol versions enabled, or |
|
* <code>null</code> |
|
* |
|
* @see SSLSocket#setEnabledProtocols |
|
*/ |
|
public final String[] getEnabledProtocols() { |
|
return enabledProtocols == null ? |
|
null : enabledProtocols.clone(); |
|
} |
|
/** |
|
* <p>Returns <code>true</code> if client authentication is |
|
* required on SSL connections accepted by server sockets created |
|
* by this factory.</p> |
|
* |
|
* @return <code>true</code> if client authentication is required |
|
* |
|
* @see SSLSocket#setNeedClientAuth |
|
*/ |
|
public final boolean getNeedClientAuth() { |
|
return needClientAuth; |
|
} |
|
/** |
|
* <p>Creates a server socket that accepts SSL connections |
|
* configured according to this factory's SSL socket configuration |
|
* parameters.</p> |
|
*/ |
|
public ServerSocket createServerSocket(int port) throws IOException { |
|
final SSLSocketFactory sslSocketFactory = |
|
context == null ? |
|
getDefaultSSLSocketFactory() : context.getSocketFactory(); |
|
return new ServerSocket(port) { |
|
public Socket accept() throws IOException { |
|
Socket socket = super.accept(); |
|
SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket( |
|
socket, socket.getInetAddress().getHostName(), |
|
socket.getPort(), true); |
|
sslSocket.setUseClientMode(false); |
|
if (enabledCipherSuites != null) { |
|
sslSocket.setEnabledCipherSuites(enabledCipherSuites); |
|
} |
|
if (enabledProtocols != null) { |
|
sslSocket.setEnabledProtocols(enabledProtocols); |
|
} |
|
sslSocket.setNeedClientAuth(needClientAuth); |
|
return sslSocket; |
|
} |
|
}; |
|
} |
|
/** |
|
* <p>Indicates whether some other object is "equal to" this one.</p> |
|
* |
|
* <p>Two <code>SslRMIServerSocketFactory</code> objects are equal |
|
* if they have been constructed with the same SSL context and |
|
* SSL socket configuration parameters.</p> |
|
* |
|
* <p>A subclass should override this method (as well as |
|
* {@link #hashCode()}) if it adds instance state that affects |
|
* equality.</p> |
|
*/ |
|
public boolean equals(Object obj) { |
|
if (obj == null) return false; |
|
if (obj == this) return true; |
|
if (!(obj instanceof SslRMIServerSocketFactory)) |
|
return false; |
|
SslRMIServerSocketFactory that = (SslRMIServerSocketFactory) obj; |
|
return (getClass().equals(that.getClass()) && checkParameters(that)); |
|
} |
|
private boolean checkParameters(SslRMIServerSocketFactory that) { |
|
// SSL context |
|
// |
|
if (context == null ? that.context != null : !context.equals(that.context)) |
|
return false; |
|
// needClientAuth flag |
|
// |
|
if (needClientAuth != that.needClientAuth) |
|
return false; |
|
// enabledCipherSuites |
|
// |
|
if ((enabledCipherSuites == null && that.enabledCipherSuites != null) || |
|
(enabledCipherSuites != null && that.enabledCipherSuites == null)) |
|
return false; |
|
if (enabledCipherSuites != null && that.enabledCipherSuites != null) { |
|
List<String> thatEnabledCipherSuitesList = |
|
Arrays.asList(that.enabledCipherSuites); |
|
if (!enabledCipherSuitesList.equals(thatEnabledCipherSuitesList)) |
|
return false; |
|
} |
|
// enabledProtocols |
|
// |
|
if ((enabledProtocols == null && that.enabledProtocols != null) || |
|
(enabledProtocols != null && that.enabledProtocols == null)) |
|
return false; |
|
if (enabledProtocols != null && that.enabledProtocols != null) { |
|
List<String> thatEnabledProtocolsList = |
|
Arrays.asList(that.enabledProtocols); |
|
if (!enabledProtocolsList.equals(thatEnabledProtocolsList)) |
|
return false; |
|
} |
|
return true; |
|
} |
|
/** |
|
* <p>Returns a hash code value for this |
|
* <code>SslRMIServerSocketFactory</code>.</p> |
|
* |
|
* @return a hash code value for this |
|
* <code>SslRMIServerSocketFactory</code>. |
|
*/ |
|
public int hashCode() { |
|
return getClass().hashCode() + |
|
(context == null ? 0 : context.hashCode()) + |
|
(needClientAuth ? Boolean.TRUE.hashCode() : Boolean.FALSE.hashCode()) + |
|
(enabledCipherSuites == null ? 0 : enabledCipherSuitesList.hashCode()) + |
|
(enabledProtocols == null ? 0 : enabledProtocolsList.hashCode()); |
|
} |
|
// We use a static field because: |
|
// |
|
// SSLSocketFactory.getDefault() always returns the same object |
|
// (at least on Sun's implementation), and we want to make sure |
|
// that the Javadoc & the implementation stay in sync. |
|
// |
|
// If someone needs to have different SslRMIServerSocketFactory |
|
// factories with different underlying SSLSocketFactory objects |
|
// using different keystores and truststores, he/she can always |
|
// use the constructor that takes an SSLContext as input. |
|
// |
|
private static SSLSocketFactory defaultSSLSocketFactory = null; |
|
private static synchronized SSLSocketFactory getDefaultSSLSocketFactory() { |
|
if (defaultSSLSocketFactory == null) |
|
defaultSSLSocketFactory = |
|
(SSLSocketFactory) SSLSocketFactory.getDefault(); |
|
return defaultSSLSocketFactory; |
|
} |
|
private final String[] enabledCipherSuites; |
|
private final String[] enabledProtocols; |
|
private final boolean needClientAuth; |
|
private List<String> enabledCipherSuitesList; |
|
private List<String> enabledProtocolsList; |
|
private SSLContext context; |
|
} |