Class SSL


  • public final class SSL
    extends Object
    SSL
    Author:
    Mladen Turk
    • Constructor Detail

      • SSL

        public SSL()
    • Method Detail

      • version

        public static int version()
      • versionString

        public static String versionString()
      • initialize

        public static int initialize​(String engine)
        Initialize OpenSSL support. This function needs to be called once for the lifetime of JVM. Library.init() has to be called before.
        Parameters:
        engine - Support for external a Crypto Device ("engine"), usually a hardware accelerator card for crypto operations.
        Returns:
        APR status code
      • fipsModeGet

        public static int fipsModeGet()
                               throws Exception
        Get the status of FIPS Mode.
        Returns:
        FIPS_mode return code. It is 0 if OpenSSL is not in FIPS mode, 1 if OpenSSL is in FIPS Mode.
        Throws:
        Exception - If tcnative was not compiled with FIPS Mode available.
        See Also:
        OpenSSL method FIPS_mode()
      • fipsModeSet

        public static int fipsModeSet​(int mode)
                               throws Exception
        Enable/Disable FIPS Mode.
        Parameters:
        mode - 1 - enable, 0 - disable
        Returns:
        FIPS_mode_set return code
        Throws:
        Exception - If tcnative was not compiled with FIPS Mode available, or if FIPS_mode_set() call returned an error value.
        See Also:
        OpenSSL method FIPS_mode_set()
      • randLoad

        @Deprecated
        public static boolean randLoad​(String filename)
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        Add content of the file to the PRNG
        Parameters:
        filename - Filename containing random data. If null the default file will be tested. The seed file is $RANDFILE if that environment variable is set, $HOME/.rnd otherwise. In case both files are unavailable builtin random seed generator is used.
        Returns:
        true if the operation was successful
      • randSave

        @Deprecated
        public static boolean randSave​(String filename)
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        Writes a number of random bytes (currently 1024) to file filename which can be used to initialize the PRNG by calling randLoad in a later session.
        Parameters:
        filename - Filename to save the data
        Returns:
        true if the operation was successful
      • randMake

        @Deprecated
        public static boolean randMake​(String filename,
                                       int len,
                                       boolean base64)
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        Creates random data to filename
        Parameters:
        filename - Filename to save the data
        len - The length of random sequence in bytes
        base64 - Output the data in Base64 encoded format
        Returns:
        true if the operation was successful
      • randSet

        public static void randSet​(String filename)
        Sets global random filename.
        Parameters:
        filename - Filename to use. If set it will be used for SSL initialization and all contexts where explicitly not set.
      • newBIO

        @Deprecated
        public static long newBIO​(long pool,
                                  BIOCallback callback)
                           throws Exception
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        Initialize new BIO
        Parameters:
        pool - The pool to use.
        callback - BIOCallback to use
        Returns:
        New BIO handle
        Throws:
        Exception - An error occurred
      • closeBIO

        @Deprecated
        public static int closeBIO​(long bio)
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        Close BIO and dereference callback object
        Parameters:
        bio - BIO to close and destroy.
        Returns:
        APR Status code
      • setPasswordCallback

        @Deprecated
        public static void setPasswordCallback​(PasswordCallback callback)
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        Set global Password callback for obtaining passwords.
        Parameters:
        callback - PasswordCallback implementation to use.
      • setPassword

        @Deprecated
        public static void setPassword​(String password)
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        Set global Password for decrypting certificates and keys.
        Parameters:
        password - Password to use.
      • getLastError

        @Deprecated
        public static String getLastError()
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        Return last SSL error string
        Returns:
        the error string
      • hasOp

        @Deprecated
        public static boolean hasOp​(int op)
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        Return true if all the requested SSL_OP_* are supported by OpenSSL. Note that for versions of tcnative < 1.1.25, this method will return true if and only if op= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION and tcnative supports that flag.
        Parameters:
        op - Bitwise-OR of all SSL_OP_* to test.
        Returns:
        true if all SSL_OP_* are supported by OpenSSL library.
      • getHandshakeCount

        public static int getHandshakeCount​(long ssl)
        Return the handshake completed count.
        Parameters:
        ssl - SSL pointer
        Returns:
        the count
      • newSSL

        public static long newSSL​(long ctx,
                                  boolean server)
        SSL_new
        Parameters:
        ctx - Server or Client context to use.
        server - if true configure SSL instance to use accept handshake routines if false configure SSL instance to use connect handshake routines
        Returns:
        pointer to SSL instance (SSL *)
      • setBIO

        @Deprecated
        public static void setBIO​(long ssl,
                                  long rbio,
                                  long wbio)
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        SSL_set_bio
        Parameters:
        ssl - SSL pointer (SSL *)
        rbio - read BIO pointer (BIO *)
        wbio - write BIO pointer (BIO *)
      • getError

        @Deprecated
        public static int getError​(long ssl,
                                   int ret)
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        SSL_get_error
        Parameters:
        ssl - SSL pointer (SSL *)
        ret - TLS/SSL I/O return value
        Returns:
        the error status
      • pendingWrittenBytesInBIO

        public static int pendingWrittenBytesInBIO​(long bio)
        BIO_ctrl_pending.
        Parameters:
        bio - BIO pointer (BIO *)
        Returns:
        the pending bytes count
      • pendingReadableBytesInSSL

        public static int pendingReadableBytesInSSL​(long ssl)
        SSL_pending.
        Parameters:
        ssl - SSL pointer (SSL *)
        Returns:
        the pending bytes count
      • writeToBIO

        public static int writeToBIO​(long bio,
                                     long wbuf,
                                     int wlen)
        BIO_write.
        Parameters:
        bio - BIO pointer
        wbuf - Buffer pointer
        wlen - Write length
        Returns:
        the bytes count written
      • readFromBIO

        public static int readFromBIO​(long bio,
                                      long rbuf,
                                      int rlen)
        BIO_read.
        Parameters:
        bio - BIO pointer
        rbuf - Buffer pointer
        rlen - Read length
        Returns:
        the bytes count read
      • writeToSSL

        public static int writeToSSL​(long ssl,
                                     long wbuf,
                                     int wlen)
        SSL_write.
        Parameters:
        ssl - the SSL instance (SSL *)
        wbuf - Buffer pointer
        wlen - Write length
        Returns:
        the bytes count written
      • readFromSSL

        public static int readFromSSL​(long ssl,
                                      long rbuf,
                                      int rlen)
        SSL_read
        Parameters:
        ssl - the SSL instance (SSL *)
        rbuf - Buffer pointer
        rlen - Read length
        Returns:
        the bytes count read
      • getShutdown

        public static int getShutdown​(long ssl)
        SSL_get_shutdown
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the operation status
      • setShutdown

        @Deprecated
        public static void setShutdown​(long ssl,
                                       int mode)
        Deprecated.
        Unused. Will be removed in Tomcat 10.1
        SSL_set_shutdown
        Parameters:
        ssl - the SSL instance (SSL *)
        mode - Shutdown mode
      • freeSSL

        public static void freeSSL​(long ssl)
        SSL_free
        Parameters:
        ssl - the SSL instance (SSL *)
      • makeNetworkBIO

        public static long makeNetworkBIO​(long ssl)
        Wire up internal and network BIOs for the given SSL instance. Warning: you must explicitly free this resource by calling freeBIO While the SSL's internal/application data BIO will be freed when freeSSL is called on the provided SSL instance, you must call freeBIO on the returned network BIO.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        pointer to the Network BIO (BIO *)
      • freeBIO

        public static void freeBIO​(long bio)
        BIO_free
        Parameters:
        bio - BIO pointer
      • shutdownSSL

        public static int shutdownSSL​(long ssl)
        SSL_shutdown
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the operation status
      • getLastErrorNumber

        public static int getLastErrorNumber()
        Get the error number representing the last error OpenSSL encountered on this thread.
        Returns:
        the last error number
      • getCipherForSSL

        public static String getCipherForSSL​(long ssl)
        SSL_get_cipher.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the cipher name
      • getVersion

        public static String getVersion​(long ssl)
        SSL_get_version
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the SSL version in use
      • doHandshake

        public static int doHandshake​(long ssl)
        SSL_do_handshake
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the handshake status
      • renegotiate

        public static int renegotiate​(long ssl)
        SSL_renegotiate
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the operation status
      • renegotiatePending

        public static int renegotiatePending​(long ssl)
        SSL_renegotiate_pending
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the operation status
      • verifyClientPostHandshake

        public static int verifyClientPostHandshake​(long ssl)
        SSL_verify_client_post_handshake
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the operation status
      • getPostHandshakeAuthInProgress

        public static int getPostHandshakeAuthInProgress​(long ssl)
        Is post handshake authentication in progress on this connection?
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the operation status
      • isInInit

        public static int isInInit​(long ssl)
        SSL_in_init.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the status
      • getNextProtoNegotiated

        @Deprecated
        public static String getNextProtoNegotiated​(long ssl)
        Deprecated.
        Unused. Will be removed in Tomcat 10.1.x
        SSL_get0_next_proto_negotiated
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the NPN protocol negotiated
      • getAlpnSelected

        public static String getAlpnSelected​(long ssl)
        SSL_get0_alpn_selected
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the ALPN protocol negotiated
      • getPeerCertChain

        public static byte[][] getPeerCertChain​(long ssl)
        Get the peer certificate chain or null if non was send.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the certificate chain bytes
      • getPeerCertificate

        public static byte[] getPeerCertificate​(long ssl)
        Get the peer certificate or null if non was send.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the certificate bytes
      • getErrorString

        public static String getErrorString​(long errorNumber)
        Get the error number representing for the given errorNumber.
        Parameters:
        errorNumber - The error code
        Returns:
        an error message
      • getTime

        public static long getTime​(long ssl)
        SSL_get_time
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        returns the time at which the session ssl was established. The time is given in seconds since the Epoch
      • setVerify

        public static void setVerify​(long ssl,
                                     int level,
                                     int depth)
        Set Type of Client Certificate verification and Maximum depth of CA Certificates in Client Certificate verification.
        This directive sets the Certificate verification level for the Client Authentication. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces an SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.
        The following levels are available for level:
         SSL_CVERIFY_NONE           - No client Certificate is required at all
         SSL_CVERIFY_OPTIONAL       - The client may present a valid Certificate
         SSL_CVERIFY_REQUIRE        - The client has to present a valid Certificate
         SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate
                                      but it need not to be (successfully) verifiable
         

        The depth actually is the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are max allowed to be followed while verifying the client certificate. A depth of 0 means that self-signed client certificates are accepted only, the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under setCACertificatePath, etc.
        Parameters:
        ssl - the SSL instance (SSL *)
        level - Type of Client Certificate verification.
        depth - Maximum depth of CA Certificates in Client Certificate verification.
      • setOptions

        public static void setOptions​(long ssl,
                                      int options)
        Set OpenSSL Option.
        Parameters:
        ssl - the SSL instance (SSL *)
        options - See SSL.SSL_OP_* for option flags.
      • getOptions

        public static int getOptions​(long ssl)
        Get OpenSSL Option.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        options See SSL.SSL_OP_* for option flags.
      • getCiphers

        public static String[] getCiphers​(long ssl)
        Returns all cipher suites that are enabled for negotiation in an SSL handshake.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        ciphers
      • setCipherSuites

        public static boolean setCipherSuites​(long ssl,
                                              String ciphers)
                                       throws Exception
        Returns the cipher suites available for negotiation in SSL handshake.
        This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces an SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.
        Parameters:
        ssl - the SSL instance (SSL *)
        ciphers - an SSL cipher specification
        Returns:
        true if the operation was successful
        Throws:
        Exception - An error occurred
      • getSessionId

        public static byte[] getSessionId​(long ssl)
        Returns the ID of the session as byte array representation.
        Parameters:
        ssl - the SSL instance (SSL *)
        Returns:
        the session as byte array representation obtained via SSL_SESSION_get_id.