2 * Copyright (c) 2007, Cameron Rich
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
9 * * Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 * * Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 * * Neither the name of the axTLS project nor the names of its contributors
15 * may be used to endorse or promote products derived from this software
16 * without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
22 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 * A wrapper around the unmanaged interface to give a semi-decent Java API
42 * @brief A base object for SSLServer/SSLClient.
47 * A reference to the real client/server context.
52 * @brief Establish a new client/server context.
54 * This function is called before any client/server SSL connections are
55 * made. If multiple threads are used, then each thread will have its
56 * own SSLCTX context. Any number of connections may be made with a single
59 * Each new connection will use the this context's private key and
60 * certificate chain. If a different certificate chain is required, then a
61 * different context needs to be be used.
63 * @param options [in] Any particular options. At present the options
65 * - SSL_SERVER_VERIFY_LATER (client only): Don't stop a handshake if the
66 * server authentication fails. The certificate can be authenticated later
67 * with a call to verifyCert().
68 * - SSL_CLIENT_AUTHENTICATION (server only): Enforce client authentication
69 * i.e. each handshake will include a "certificate request" message from
71 * - SSL_DISPLAY_BYTES (full mode build only): Display the byte sequences
72 * during the handshake.
73 * - SSL_DISPLAY_STATES (full mode build only): Display the state changes
74 * during the handshake.
75 * - SSL_DISPLAY_CERTS (full mode build only): Display the certificates that
76 * are passed during a handshake.
77 * - SSL_DISPLAY_RSA (full mode build only): Display the RSA key details
78 * that are passed during a handshake.
80 * @param num_sessions [in] The number of sessions to be used for session
81 * caching. If this value is 0, then there is no session caching.
83 * If this option is null, then the default internal private key/
84 * certificate pair is used (if CONFIG_SSL_USE_DEFAULT_KEY is set).
86 * The resources used by this object are automatically freed.
87 * @return A client/server context.
89 protected SSLCTX(int options, int num_sessions)
91 m_ctx = axtlsj.ssl_ctx_new(options, num_sessions);
95 * @brief Remove a client/server context.
97 * Frees any used resources used by this context. Each connection will be
98 * sent a "Close Notify" alert (if possible).
100 public void dispose()
102 axtlsj.ssl_ctx_free(m_ctx);
106 * @brief Read the SSL data stream.
107 * @param ssl [in] An SSL object reference.
108 * @param rh [out] After a successful read, the decrypted data can be
109 * retrieved with rh.getData(). It will be null otherwise.
110 * @return The number of decrypted bytes:
111 * - if > 0, then the handshaking is complete and we are returning the
112 * number of decrypted bytes.
113 * - SSL_OK if the handshaking stage is successful (but not yet complete).
115 * @see ssl.h for the error code list.
116 * @note Use rh before doing any successive ssl calls.
118 public int read(SSL ssl, SSLReadHolder rh)
120 return axtlsj.ssl_read(ssl.m_ssl, rh);
124 * @brief Write to the SSL data stream.
125 * @param ssl [in] An SSL obect reference.
126 * @param out_data [in] The data to be written
127 * @return The number of bytes sent, or if < 0 if an error.
128 * @see ssl.h for the error code list.
130 public int write(SSL ssl, byte[] out_data)
132 return axtlsj.ssl_write(ssl.m_ssl, out_data, out_data.length);
136 * @brief Write to the SSL data stream.
137 * @param ssl [in] An SSL obect reference.
138 * @param out_data [in] The data to be written
139 * @param out_len [in] The number of bytes to be written
140 * @return The number of bytes sent, or if < 0 if an error.
141 * @see ssl.h for the error code list.
143 public int write(SSL ssl, byte[] out_data, int out_len)
145 return axtlsj.ssl_write(ssl.m_ssl, out_data, out_len);
149 * @brief Find an ssl object based on a Socket reference.
151 * Goes through the list of SSL objects maintained in a client/server
152 * context to look for a socket match.
153 * @param s [in] A reference to a <A HREF="http://java.sun.com/j2se/1.4.2/docs/api">Socket</A> object.
154 * @return A reference to the SSL object. Returns null if the object
155 * could not be found.
157 public SSL find(Socket s)
159 int client_fd = axtlsj.getFd(s);
160 return new SSL(axtlsj.ssl_find(m_ctx, client_fd));
164 * @brief Authenticate a received certificate.
166 * This call is usually made by a client after a handshake is complete
167 * and the context is in SSL_SERVER_VERIFY_LATER mode.
168 * @param ssl [in] An SSL object reference.
169 * @return SSL_OK if the certificate is verified.
171 public int verifyCert(SSL ssl)
173 return axtlsj.ssl_verify_cert(ssl.m_ssl);
177 * @brief Force the client to perform its handshake again.
179 * For a client this involves sending another "client hello" message.
180 * For the server is means sending a "hello request" message.
182 * This is a blocking call on the client (until the handshake completes).
183 * @param ssl [in] An SSL object reference.
184 * @return SSL_OK if renegotiation instantiation was ok
186 public int renegotiate(SSL ssl)
188 return axtlsj.ssl_renegotiate(ssl.m_ssl);
192 * @brief Load a file into memory that is in binary DER or ASCII PEM format.
194 * These are temporary objects that are used to load private keys,
195 * certificates etc into memory.
196 * @param obj_type [in] The format of the file. Can be one of:
197 * - SSL_OBJ_X509_CERT (no password required)
198 * - SSL_OBJ_X509_CACERT (no password required)
199 * - SSL_OBJ_RSA_KEY (AES128/AES256 PEM encryption supported)
200 * - SSL_OBJ_P8 (RC4-128 encrypted data supported)
201 * - SSL_OBJ_P12 (RC4-128 encrypted data supported)
203 * PEM files are automatically detected (if supported).
204 * @param filename [in] The location of a file in DER/PEM format.
205 * @param password [in] The password used. Can be null if not required.
206 * @return SSL_OK if all ok
208 public int objLoad(int obj_type, String filename, String password)
210 return axtlsj.ssl_obj_load(m_ctx, obj_type, filename, password);
214 * @brief Transfer binary data into the object loader.
216 * These are temporary objects that are used to load private keys,
217 * certificates etc into memory.
218 * @param obj_type [in] The format of the memory data.
219 * @param data [in] The binary data to be loaded.
220 * @param len [in] The amount of data to be loaded.
221 * @param password [in] The password used. Can be null if not required.
222 * @return SSL_OK if all ok
225 public int objLoad(int obj_type, byte[] data, int len, String password)
227 return axtlsj.ssl_obj_memory_load(m_ctx, obj_type, data, len, password);