Package org.mozilla.jss.ssl.javax
Class JSSEngineReferenceImpl
java.lang.Object
javax.net.ssl.SSLEngine
org.mozilla.jss.ssl.javax.JSSEngine
org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl
The reference JSSEngine implementation.
This JSSEngine implementation is a reference for future JSSEngine implementations, providing a pure-Java overview of what should happen at each step of the init, wrap, and unwrap calls.
This implementation allows not only extended debug logging but also debug packet logging. The latter writes out packets sent via wrap(...) and received from unwrap(...) to a port on localhost. This allows one to easily attach Wireshark or tcpdump and inspect the TLS packets, even if errors occur during the test suite (where packets aren't sent over the wire by default). The logged packets preserve the client/server relationship and are recorded as coming from the appropriate side of the TLS connection.
Nested Class Summary
Nested Classes (Modifier and Type, Class, Description)
private class
private class
Field Summary
Fields (Modifier and Type, Field, Description)
private InputStream c_istream
private OutputStream c_ostream
private Socket c_socket
private boolean closed_fd
    Whether or not the underlying ssl_fd is closed.
private int debug_port
private String name
    Internal name for this JSSEngine instance; most commonly used during testing.
private String peer_info
    Faked peer information that we pass to the underlying BufferPRFD implementation.
private String prefix
    Automatically generated prefix for debug information.
private BufferProxy read_buf
    Data to be read by the NSS SSL implementation; data from the peer.
private boolean returned_finished
    Whether or not a FINISHED handshake status has been returned to our caller.
private InputStream s_istream
private OutputStream s_ostream
private Socket s_socket
private boolean seen_exception
    Whether or not we've seen an ssl exception.
private ServerSocket ss_socket
private SSLException ssl_exception
    Value of the SSLException we've encountered.
private boolean step_handshake
    Whether or not to step the handshake.
task
    Runnable task; this performs certificate validation against user-provided TrustManager instances, passing the result back to NSS.
private int unknown_state_count
    Number of times the heuristic has not matched the current state.
private BufferProxy write_buf
    Data written by the NSS SSL implementation; data sent to the peer.
Fields inherited from class org.mozilla.jss.ssl.javax.JSSEngine
as_server, BUFFER_SIZE, cert, certAlias, config, enabled_ciphers, handshake_state, hostname, is_inbound_closed, is_outbound_closed, key, key_managers, logger, max_protocol, min_protocol, need_client_auth, serverTemplates, session, ssl_fd, trust_managers, want_client_auth
Constructor Summary
Constructors (Constructor, Description)
JSSEngineReferenceImpl(String peerHost, int peerPort)
JSSEngineReferenceImpl(String peerHost, int peerPort, X509Certificate localCert, PrivateKey localKey)
Method Summary
Methods (Modifier and Type, Method, Description)
private void applyCiphers
private void applyConfig
private void applyHosts
private void applyProtocols
private void applyTrustManagers
void beginHandshake
private boolean checkNeedCertValidation()
private SSLException checkSSLAlerts
void cleanup()
    Performs cleanup of internal data, closing both inbound and outbound data streams if still open.
private void cleanupLoggingSocket()
private void cleanupSSLFD()
void closeInbound()
void closeOutbound()
private int computeSize(ByteBuffer[] buffers, int offset, int length)
private void configureClientAuth
private void createBufferFD
private void createBuffers()
private void createLoggingSocket
private void debug
void enableSafeDebugLogging(int port)
    Enable writing of encrypted TLS traffic to the specified port in a client-server relationship (mirroring the actual role of this SSLEngine) to enable debugging with Wireshark.
protected void finalize()
getDelegatedTask
getHandshakeStatus
getHostname
getStatus
    Gets the current security status of this JSSEngine instance.
private void info
private void init()
private void initClient
private void initServer
private void loggingSocketConsumeAllBytes()
private void logUnwrap(ByteBuffer src)
private void logWrap(ByteBuffer dst)
private int putData(byte[] data, ByteBuffer[] buffers, int offset, int length)
protected void reconfigureClientAuth()
    Implementation-specific handler to handle reconfiguration of client authentication after the handshake has completed.
void setName
    Set the name of this JSSEngine instance, to be printed in logging calls.
void tryCleanup()
    Calls cleanup only if both inbound and outbound data streams are closed.
SSLEngineResult unwrap(ByteBuffer src, ByteBuffer[] dsts, int offset, int length)
private void updateHandshakeState()
private void warn
SSLEngineResult wrap(ByteBuffer[] srcs, int offset, int length, ByteBuffer dst)
int writeData(ByteBuffer[] srcs, int offset, int length)
Methods inherited from class org.mozilla.jss.ssl.javax.JSSEngine
addConfiguration, errorText, fireAlertReceived, fireAlertSent, fireHandshakeComplete, getDefaultConfiguration, getEnabledCipherSuites, getEnabledProtocols, getEnableSessionCreation, getListeners, getNeedClientAuth, getServerTemplate, getSession, getSSLFDProxy, getSSLParameters, getSupportedCipherSuites, getSupportedProtocols, getUseClientMode, getWantClientAuth, initializeSessionCache, isInboundDone, isOutboundDone, queryEnabledCipherSuites, queryEnabledProtocols, removeConfiguration, setCertFromAlias, setConfiguration, setEnabledCipherSuites, setEnabledCipherSuites, setEnabledProtocols, setEnabledProtocols, setEnabledProtocols, setEnableSessionCreation, setHostname, setKeyManager, setKeyManagers, setKeyMaterials, setListeners, setNeedClientAuth, setSSLParameters, setTrustManager, setTrustManagers, setUseClientMode, setWantClientAuth
Methods inherited from class javax.net.ssl.SSLEngine
getApplicationProtocol, getHandshakeApplicationProtocol, getHandshakeApplicationProtocolSelector, getHandshakeSession, getPeerHost, getPeerPort, setHandshakeApplicationProtocolSelector, unwrap, unwrap, wrap, wrap
Field Details
peer_info
    Faked peer information that we pass to the underlying BufferPRFD implementation. This is used by NSS for session resumption. However, because we don't have the exact peer information at the JSSEngine level, at best we can guess.
closed_fd
    private boolean closed_fd
    Whether or not the underlying ssl_fd is closed. Because the socket isn't open yet, we set it to true, to indicate that no data can be sent or received.
read_buf
    Data to be read by the NSS SSL implementation; data from the peer.
write_buf
    Data written by the NSS SSL implementation; data sent to the peer.
unknown_state_count
    private int unknown_state_count
    Number of times the heuristic has not matched the current state. Because this JSSEngine uses a heuristic for determining when the handshake is completed (or when we need to switch from WRAP to UNWRAP), and the heuristic is sometimes wrong, we track how many times it is in an unknown state. When we hit some internal threshold, we swap states.
step_handshake
    private boolean step_handshake
    Whether or not to step the handshake.
returned_finished
    private boolean returned_finished
    Whether or not a FINISHED handshake status has been returned to our caller. Because this JSSEngine implementation re-enters the updateHandshakeState() method potentially multiple times during a single call to wrap() or unwrap(), we need to know whether or not the top-level call has returned a FINISHED result. If it hasn't, we want to keep the state on FINISHED until it has been returned; otherwise we'll skip straight to NOT_HANDSHAKING, confusing our peer.
ssl_exception
    Value of the SSLException we've encountered.
seen_exception
    private boolean seen_exception
    Whether or not we've seen an ssl exception. Note that, when the exception ultimately gets thrown to the caller, ssl_exception will be NULLed; this tracks whether or not the connection has failed previously for some reason.
debug_port
    private int debug_port
ss_socket
s_socket
c_socket
s_istream
s_ostream
c_istream
c_ostream
name
    Internal name for this JSSEngine instance; most commonly used during testing.
prefix
    Automatically generated prefix for debug information.
task
    Runnable task; this performs certificate validation against user-provided TrustManager instances, passing the result back to NSS.
Constructor Details
JSSEngineReferenceImpl
    public JSSEngineReferenceImpl()
JSSEngineReferenceImpl
JSSEngineReferenceImpl
    public JSSEngineReferenceImpl(String peerHost, int peerPort, X509Certificate localCert, PrivateKey localKey)
Method Details
debug
info
warn
setName
    Set the name of this JSSEngine instance, to be printed in logging calls. This helps when debugging output from multiple JSSEngine instances at the same time, such as within the JSS test suite.
init
    Throws: SSLException
createBuffers
    private void createBuffers()
createBufferFD
    Throws: SSLException
initClient
    Throws: SSLException
initServer
    Throws: SSLException
configureClientAuth
    Throws: SSLException
reconfigureClientAuth
    protected void reconfigureClientAuth()
    Description copied from class: JSSEngine
    Implementation-specific handler to handle reconfiguration of client authentication after the handshake has completed. Note that this always gets called, regardless of whether the handshake has started; it is up to the implementation to handle this appropriately.
    Specified by: reconfigureClientAuth in class JSSEngine
applyCiphers
    Throws: SSLException
applyProtocols
    Throws: SSLException
applyConfig
    Throws: SSLException
applyHosts
    Throws: SSLException
applyTrustManagers
    Throws: SSLException
createLoggingSocket
    Throws: SSLException
loggingSocketConsumeAllBytes
    private void loggingSocketConsumeAllBytes()
beginHandshake
    Specified by: beginHandshake in class SSLEngine
    Throws: SSLException
closeInbound
    public void closeInbound()
    Specified by: closeInbound in class SSLEngine
closeOutbound
    public void closeOutbound()
    Specified by: closeOutbound in class SSLEngine
getHostname
getDelegatedTask
    Specified by: getDelegatedTask in class SSLEngine
checkNeedCertValidation
    private boolean checkNeedCertValidation()
getHandshakeStatus
    Specified by: getHandshakeStatus in class SSLEngine
getStatus
    Description copied from class: JSSEngine
    Gets the current security status of this JSSEngine instance. This is abstract to allow implementations to implement this (and step their handshake mechanism) as they wish.
enableSafeDebugLogging
    public void enableSafeDebugLogging(int port)
    Enable writing of encrypted TLS traffic to the specified port in a client-server relationship (mirroring the actual role of this SSLEngine) to enable debugging with Wireshark.
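As an added example (not part of the JSS Javadoc or the JSS code base), the driver below ties together the class overview's packet logging and enableSafeDebugLogging: two engines are handshaken entirely in memory, the delegated certificate-validation task is run whenever the engine asks for it, and each engine's wrapped records are mirrored to a loopback port for tcpdump or Wireshark. It assumes JSS/NSS initialization, client/server mode, key material and trust managers are already configured on both engines, and that each engine needs a distinct port because each opens its own logging sockets.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;
import org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl;

public class DebugHandshakeDriver {
    // The reference engine validates the peer certificate against the TrustManagers in a
    // delegated task; NSS will not continue the handshake until that task has been run.
    static void runTasks(SSLEngine engine) {
        Runnable task;
        while ((task = engine.getDelegatedTask()) != null) task.run();
    }

    // Let `sender` wrap if it has a record to send, then feed whatever is on `wire` to `receiver`.
    static void exchange(SSLEngine sender, SSLEngine receiver, ByteBuffer wire, ByteBuffer app)
            throws SSLException {
        runTasks(sender);
        if (sender.getHandshakeStatus() == HandshakeStatus.NEED_WRAP) {
            sender.wrap(ByteBuffer.allocate(0), wire); // handshake records only; no application data yet
        }
        wire.flip();
        while (wire.hasRemaining()) {
            app.clear();
            SSLEngineResult r = receiver.unwrap(wire, app);
            runTasks(receiver);
            if (r.bytesConsumed() == 0) break; // receiver must wrap first; leftovers stay on the wire
        }
        wire.compact(); // keep unconsumed bytes for the next round
    }

    // Assumed: mode, key material and trust managers are already configured on both engines,
    // and each engine gets its own loopback port because each opens its own logging sockets.
    public static void handshake(JSSEngineReferenceImpl client, JSSEngineReferenceImpl server,
                                 int clientDebugPort, int serverDebugPort) throws SSLException {
        client.setName("client");
        server.setName("server");
        client.enableSafeDebugLogging(clientDebugPort);
        server.enableSafeDebugLogging(serverDebugPort);
        client.beginHandshake(); server.beginHandshake();
        ByteBuffer c2s = ByteBuffer.allocate(64 * 1024), s2c = ByteBuffer.allocate(64 * 1024);
        ByteBuffer app = ByteBuffer.allocate(64 * 1024);
        for (int round = 0; round < 128; round++) { // bounded so a misjudged handshake state cannot spin forever
            exchange(client, server, c2s, app);
            exchange(server, client, s2c, app);
            if (client.getHandshakeStatus() == HandshakeStatus.NOT_HANDSHAKING
                    && server.getHandshakeStatus() == HandshakeStatus.NOT_HANDSHAKING) return;
        }
        throw new SSLException("handshake did not complete; inspect the capture on the debug ports");
    }
}
```

Capture the loopback interface on both ports while the test runs; because only the encrypted records are mirrored, the capture shows the handshake flow and alerts without exposing session keys.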
computeSize
    private int computeSize(ByteBuffer[] buffers, int offset, int length) throws IllegalArgumentException
    Throws: IllegalArgumentException
putData
checkSSLAlerts
updateHandshakeState
    private void updateHandshakeState()
logUnwrap
unwrap
    public SSLEngineResult unwrap(ByteBuffer src, ByteBuffer[] dsts, int offset, int length) throws IllegalArgumentException, SSLException
    Specified by: unwrap in class SSLEngine
    Throws: IllegalArgumentException, SSLException
writeData
logWrap
wrap
    public SSLEngineResult wrap(ByteBuffer[] srcs, int offset, int length, ByteBuffer dst) throws IllegalArgumentException, SSLException
    Specified by: wrap in class SSLEngine
    Throws: IllegalArgumentException, SSLException
tryCleanup
    public void tryCleanup()
    Calls cleanup only if both inbound and outbound data streams are closed. This prevents accidental cleanup in the case of a partially open connection.
    Specified by: tryCleanup in class JSSEngine
cleanup
    public void cleanup()
    Performs cleanup of internal data, closing both inbound and outbound data streams if still open.
cleanupLoggingSocket
    private void cleanupLoggingSocket()
cleanupSSLFD
    private void cleanupSSLFD()
finalize
    protected void finalize()