iaik.security.ssl
Class SSLServerContext

java.lang.Object
  iaik.security.ssl.SSLContext
      iaik.security.ssl.SSLClientContext
          iaik.security.ssl.SSLServerContext

All Implemented Interfaces:

java.lang.Cloneable

public class SSLServerContext
extends SSLClientContext
implements java.lang.Cloneable

This class extends the SSLContext to add server related information to an SSL/TLS policy.

Note that there is a separate document about the iSaSiLk authentication framework, see your installation directory.

An SSLServerContext is used on the server side to tell iSaSiLk the TLS security parameters like cipher suites, key, certificates to be used.
After having created an SSLServerContext, you may set cipher suites, server credentials, trusted certificates (to check client certificates) and any other parameters you may require for your server configuration, e.g.:

  // create server context
  SSLServerContext serverContext = new SSLServerContext();
  
  // key and certificate of the server
  PrivateKey serverKey = ...;
  X509Certificate[] serverCertChain = ...;
  serverContext.addServerCredentials(serverCertChain, serverKey);
  
  // add some trust anchor(s)
  X509Certificate trustAnchor = ...;
  serverContext.addTrustedCertificate(trustAnchor);
  
  // in this example we assume that we want to use RSA for authentication and key exchange
  CipherSuite[] cipherSuites = CipherSuite.CS_RSA;
  serverContext.setEnabledCipherSuites(cipherSuites);
  serverContext.updateCipherSuites();
  
  ...
 

If you want to use TLS extensions you can set them as ExtensionList, e.g. (for using the server_name extension):

 ServerNameList serverNameList = new ServerNameList();
 // add to ExtensionList
 ExtensionList extensions = new ExtensionList();
 extensions.addExtension(serverNameList);
 // set extensions for the SSLServerContext configuration:
 serverContext.setExtensions(extensions);
 

Finally, when having finished your configuration, set your SSLServerContext for the SSLTransport implementation you are using. Most commonly you will use an SSLServerSocket to listen on and accept client connection requests, e.g.:

 // the port on which the server is listening  
 int serverPort = 443; 
 // create SSLServerSocket 
 int port = 443; 
 SSLServerSocket serverSocket = new SSLServerSocket(port, serverContext); 
 // print debug info to System.out 
 serverSocket.setDebugStream(System.out);
 // wait for and accept client requests  
 while (true) { 
   try { 
     SSLSocket socket = (SSLSocket)serverSocket.accept(); 
     ... 
   } catch( IOException e ) { 
     e.printStackTrace(System.out); 
   } 
 } 
 
 

See Also:

SSLContext, SSLServerSocket

Field Summary

static CipherSuite[]	anon Deprecated. use CipherSuite.CS_DH_ANON instead
static CipherSuite[]	dh_dss Deprecated. use CipherSuite.CS_DH_DSS instead
static CipherSuite[]	dh_rsa Deprecated. use CipherSuite.CS_DH_RSA instead
static CipherSuite[]	dhe_dss Deprecated. use CipherSuite.CS_DHE_DSS instead
static CipherSuite[]	dhe_rsa Deprecated. use CipherSuite.CS_DHE_RSA instead
static CipherSuite[]	rsa Deprecated. use CipherSuite.CS_RSA instead
static CipherSuite[]	rsa_export Deprecated. use CipherSuite.CS_RSA_EXPORT instead

Fields inherited from class iaik.security.ssl.SSLContext

AVAIL_MODE_DECRYPTED, AVAIL_MODE_ENCRYPTED, AVAIL_MODE_ONE_BYTE, CERTTYPE_DSS_FIXED_DH, CERTTYPE_DSS_SIGN, CERTTYPE_ECDSA_EC, CERTTYPE_ECDSA_FIXED_ECDH, CERTTYPE_ECDSA_SIGN, CERTTYPE_RSA_ENCRYPT, CERTTYPE_RSA_FIXED_DH, CERTTYPE_RSA_FIXED_ECDH, CERTTYPE_RSA_SIGN, CERTTYPE_UNKNOWN, LIBRARY_VERSION, LIBRARY_VERSION_STRING, SEND_EMPTY_FRAGMENT, VERSION_NOT_CONNECTED, VERSION_SSL20, VERSION_SSL30, VERSION_TLS10, VERSION_TLS11, VERSION_TLS12, VERSION_TLS13

Constructor Summary

SSLServerContext()
Create a default SSLServerContext.

SSLServerContext(CipherSuiteList cipherSuiteList)
Create a SSLServerContext with the given cipher suite list.

SSLServerContext(java.security.SecureRandom random)
Create a SSLServerContext with a specific random number generator and the given cipher suite list.

SSLServerContext(java.security.SecureRandom random, CipherSuiteList cipherSuiteList)
Create a SSLServerContext with a specific random number generator and the given cipher suite list.

SSLServerContext(SSLServerContext other)
Create an SSLServerContext cloning another context.

Method Summary

void	addServerCredentials(KeyAndCert keyAndCert) Adds some server credentials.
void	addServerCredentials(KeyAndCert keyAndCert, int certType) Adds some server credentials for the given cert type.
void	addServerCredentials(KeyAndCert keyAndCert, int certType, boolean setAsDefault) Adds some server credentials for the given cert type.
int	addServerCredentials(java.security.KeyStore keyStore, char[] password) Add some server credentials from a KeyStore.
int	addServerCredentials(java.security.KeyStore keyStore, char[] password, java.lang.String[] aliases) Add some server credentials from a KeyStore.
int	addServerCredentials(java.lang.String keyStoreFile, char[] keyStorePassword, java.lang.String keyStoreType, java.lang.String keyStoreProvider) Add some server credentials from a KeyStore.
void	addServerCredentials(java.security.cert.X509Certificate[] chain, java.security.PrivateKey key) Adds some server credentials.
void	addTemporaryParameter(javax.crypto.spec.DHParameterSpec spec) Add temporary Diffie-Hellman parameters.
void	addTemporaryParameter(javax.crypto.spec.DHParameterSpec spec, int keyLength) Add temporary Diffie-Hellman parameters.
void	addTemporaryParameter(java.security.KeyPair keyPair) Add a temporary RSA KeyPair.
void	clearServerCredentials() Clear the server credentials database.
java.lang.Object	clone() Implements the Cloneable interface.
int[]	getAllowedCertificateTypes() Get the certificate types to allow for client authentication.
boolean	getRequestClientCertificate() Returns wheter a SSLSocket which uses this SSLContext requests a certificate from the client.
boolean	getRequireClientCertificate() Deprecated. use getRequestClientCertificate() instead
boolean	getSendIdentityHint() Asks whether the server shall send a PSK identity to the client if pre-shared keys are used.
KeyAndCert	getServerCredentials(int certType) Gets the server credentials of a particular type.
protected KeyAndCert	getServerCredentials(int certType, ExtensionList extensions, boolean useDefault, SSLTransport transport) Gets the server credentials for given type and extensions (if present).
void	setAllowedCertificateTypes(int[] types) Set the certificate types to allow for client authentication.
void	setAllowedProtocolVersions(int minimumVersion, int maximumVersion) Set the SSL/TLS protocol versions to be accepted during the handshake.
void	setCheckVersionInRSAPremasterSecret(boolean checkVersion) Decides whether to check the version contained in the RSA premaster secret.
void	setDHCertificate(java.security.cert.Certificate[] certificateChain, java.security.PrivateKey privateKey) Deprecated. use addServerCredentials() instead
static void	setDHModpID(int dhModpGroupID) Decides whether to use prime modulus and base generator from a Modular Exponential (MODP) group (RFC 2409, 3526) by default for domestic temporary DH parameters.
void	setDHParameter(javax.crypto.spec.DHParameterSpec dhParameter) Deprecated. use addTemporaryParameter() instead
void	setDSACertificate(java.security.cert.Certificate[] certificateChain, java.security.PrivateKey privateKey) Deprecated. use addServerCredentials() instead
void	setIgnoreClientCipherSuitePreferenceOrder(boolean ignore) Whether to ignore the preference order of the cipher suite list sent by the client when selecting a cipher suite for the current session.
void	setRequestClientCertificate(boolean value) Set whether or not to request client authentication during the handshake.
void	setRequireClientCertificate(byte[] certificateTypes, java.security.Principal[] certificateAuthorities) Deprecated. use setRequestClientCertificate() instead
void	setRSACertificate(java.security.cert.Certificate[] certificateChain, java.security.PrivateKey privateKey) Deprecated. use addServerCredentials() instead
void	setRSATempKeyPair(java.security.KeyPair tempKeyPair) Deprecated. use addTemporaryParameter() instead
void	setSendEmptySessionID(boolean sendEmptyID) Sets whether to create and send an empty session id if no SessionManager is set.
void	setSendPSKIdentityHint(boolean create) Decides whether the server shall send a PSK identity to the client if pre-shared keys are used.
void	setTemporaryParameterScheduling(javax.crypto.spec.DHGenParameterSpec dhGenParameterSpec, long updateInterval) Enables DH parameter scheduling.
java.lang.String	toString() Returns a string representation of this SSLContext.
void	updateCipherSuites() Update the list of currently enabled ciphersuites based on the certificates available.

Methods inherited from class iaik.security.ssl.SSLClientContext

addClientCredentials, addClientCredentials, addClientCredentials, addClientCredentials, addClientCredentials, clearClientCredentials, getClientCredentials, getClientCredentials, getIgnorePSKIdentityHint, setCheckExportRestrictions, setIgnorePSKIdentityHint, setReadPostHandshakeMessageAfterFinsished, setUseMaxVersionForRSAPremasterSecret

Methods inherited from class iaik.security.ssl.SSLContext

addPSKCredential, addTrustedCertificate, addTrustedCertificates, addTrustedCertificates, addTrustedCertificates, clearPSKCredentials, convertCertificateChain, getAllowedProtocolVersionNames, getAllowedProtocolVersions, getAllowIdentityChangeDuringRenegotiation, getAllowLegacyRenegotiation, getAllSupportedProtocolVersionNames, getAllSupportedProtocolVersions, getCacheTerminatedSessions, getChainVerifier, getChannelBindings, getDebugStream, getDisableRenegotiation, getDoNotSendServerCloseNotify, getEnabledCipherSuiteList, getEnabledCipherSuites, getEnabledCompressionMethods, getPSKCredential, getPSKManager, getRandomGenerator, getSendEmptyFragment, getSessionManager, getTrustDecider, getUseNoRenegotiationWarnings, setAllowedProtocolVersions, setAllowIdentityChangeDuringRenegotiation, setAllowLegacyRenegotiation, setCacheTerminatedSessions, setChainVerifier, setChannelBindings, setCheckTypeOfNextHandshakeMessage, setDebugStream, setDebugStream, setDisableRenegotiation, setDoNotPackHandshakeMessages, setDoNotSendServerCloseNotify, setDowngradeMaxVersionToTLS12IfNoTLS13CipherSuitesAvailable, setEnabledCipherSuiteList, setEnabledCipherSuites, setEnabledCompressionMethods, setExtensions, setInputStreamAvailableMode, setPSKCredential, setPSKManager, setRandomGenerator, setRecordOverheadSize, setSendEmptyFragment, setSendRecordOverflowAlert, setSessionManager, setTls13MiddleboxCompatibilityMode, setTLS13WaitOnPeerCloseNotify, setTrustDecider, setUseNoRenegotiationWarnings, setUseRecordSplitting

Methods inherited from class java.lang.Object

equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

rsa

public static final CipherSuite[] rsa

Deprecated. use CipherSuite.CS_RSA instead

rsa_export

public static final CipherSuite[] rsa_export

Deprecated. use CipherSuite.CS_RSA_EXPORT instead

dhe_rsa

public static final CipherSuite[] dhe_rsa

Deprecated. use CipherSuite.CS_DHE_RSA instead

dhe_dss

public static final CipherSuite[] dhe_dss

Deprecated. use CipherSuite.CS_DHE_DSS instead

dh_rsa

public static final CipherSuite[] dh_rsa

Deprecated. use CipherSuite.CS_DH_RSA instead

dh_dss

public static final CipherSuite[] dh_dss

Deprecated. use CipherSuite.CS_DH_DSS instead

anon

public static final CipherSuite[] anon

Deprecated. use CipherSuite.CS_DH_ANON instead

Constructor Detail

SSLServerContext

public SSLServerContext()

Create a default SSLServerContext.

SSLServerContext

public SSLServerContext(java.security.SecureRandom random)

Create a SSLServerContext with a specific random number generator and the given cipher suite list.

Parameters:

random - the random number generator to be used or null for the default SecureRandom

SSLServerContext

public SSLServerContext(CipherSuiteList cipherSuiteList)

Create a SSLServerContext with the given cipher suite list.

Parameters:

cipherSuiteList - the cipher suite list to be used or null for the default cipher suite list

SSLServerContext

public SSLServerContext(java.security.SecureRandom random,
                        CipherSuiteList cipherSuiteList)

Create a SSLServerContext with a specific random number generator and the given cipher suite list.

Parameters:

random - the random number generator to be used or null for the default SecureRandom

cipherSuiteList - the cipher suite list to be used or null for the default cipher suite list

SSLServerContext

public SSLServerContext(SSLServerContext other)

Create an SSLServerContext cloning another context.

Method Detail

setDHModpID

public static void setDHModpID(int dhModpGroupID)

Decides whether to use prime modulus and base generator from a Modular Exponential (MODP) group (RFC 2409, 3526) by default for domestic temporary DH parameters. The pre-defined groups are 2 (1024 bit), 5 (1536 bit), 14 (2048 bit), 15 (3072 bit) and 16 (4096 bit). The default value is 14 (2048 bit). A value of 0 indicates that no MODP group shall be used. In this case 2048 bit parameters (ffdhe2048) from RFC 7919 are used (these parameters are also used by default).
If you want to use another group (or DH parameters from some other source) you may set them for your SSLServerContext by calling method addTemporaryParameter.

Note that using DH parameters greater than 2048 bit may cause interoperability problems with some applications. iSaSiLk by default uses MODP group 14 (2048 bit).

Parameters:

dhModpGroupID - The ID of the MODP (RFC 3526) group to be used, either:

• 0: do not use a MODP group
• 2: 1024 bit group 2
• 5: 1536 bit group 5
• 14: 2048 bit group 14 (default)
• 15: 3072 bit group 15
• 16: 4094 bit group 16

Throws:

java.lang.IllegalArgumentException - if the given dhModpGroupID is not supported (not 0, 2, 5, 14, 15, 16)

getAllowedCertificateTypes

public int[] getAllowedCertificateTypes()

Get the certificate types to allow for client authentication. This is an array containing one or more of the certificate types defined in SSLContext. By default all types of certificates are enabled.

Returns:

the allowed certificate types (the returned array is not cloned or copied by this method)

setAllowedCertificateTypes

public void setAllowedCertificateTypes(int[] types)

Set the certificate types to allow for client authentication. Typically there is no need for an application to restrict the certificate types.

Since TLS 1.3 does not use certificate types for the certificate request message this method has no meaning for TLS 1.3.

Parameters:

types - the certificate types to be set (the types array is not cloned or copied by this method)

setCheckVersionInRSAPremasterSecret

public void setCheckVersionInRSAPremasterSecret(boolean checkVersion)

Decides whether to check the version contained in the RSA premaster secret.

According to SSL/TLS the server should check the version contained in the RSA premaster secret to prevent version rollback attacks. However, although SSL/TLS requires that the max version (sent within the ClientHello message) is included in the RSA premaster secret, many implementations send the negotiated version. For that reason -- to not break with current implementations -- iSaSiLk servers by default do not check the RSA premaster secret version if the max client version is lower than TLS 1.1. Otherwise -- if the max client version is equal or higher than TLS 1.2, or if the server is configured to do so, the version number is checked according to RFC 5246 (TLS 1.2), 7.4.7.1.:

 Note: The version number in the PreMasterSecret is the version
 offered by the client in the ClientHello.client_version, not the
 version negotiated for the connection.  This feature is designed to
 prevent rollback attacks.  Unfortunately, some old implementations
 use the negotiated version instead, and therefore checking the
 version number may lead to failure to interoperate with such
 incorrect client implementations.
 
 Client implementations MUST always send the correct version number in
 PreMasterSecret.  If ClientHello.client_version is TLS 1.1 or higher,
 server implementations MUST check the version number as described in
 the note below.  If the version number is TLS 1.0 or earlier, server
 implementations SHOULD check the version number, but MAY have a
 configuration option to disable the check.   
 

You may call this method if you want to check the RSA premaster secret version:

 ...
 sslServerContext.setCheckVersionInRSAPremasterSecret(true);
 

Parameters:

checkVersion - whether to check the version in the RSA premaster secret (default: false)

setSendPSKIdentityHint

public void setSendPSKIdentityHint(boolean create)

Decides whether the server shall send a PSK identity to the client if pre-shared keys are used. By default no identity hint is sent as recommended by the TLS-PSK specification (RFC 4279).

Parameters:

create - whether to create an identity hint or not

getSendIdentityHint

public boolean getSendIdentityHint()

Asks whether the server shall send a PSK identity to the client if pre-shared keys are used. By default no identity hint is sent as recommended by the TLS-PSK specification (RFC 4279). return true if an identity hint shall be created, false if not

clearServerCredentials

public void clearServerCredentials()

Clear the server credentials database.

addServerCredentials

public void addServerCredentials(java.security.cert.X509Certificate[] chain,
                                 java.security.PrivateKey key)

Adds some server credentials.

This method adds the given server credentials based on their server names (which are automatically calculated). Any already existing credentials that have the same server name(s) are replaced. The server credentials are also set as default credentials for the given cert type (which is calculated from the server certificate public key algorithm). Default credentials are used if the client does not send a server_name extension within an extended ClientHello message.

Any RSA credentials passed to this method are automatically set as both signature and encryption RSA credentials. If this behavior is not intended use a addServerCredentials(KeyAndCert, int) method which allows to explicitly specify the cert type.

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not set add/server credentials to an SSLServerContext from different threads.

Parameters:

chain - the certificate chain of the server containing the server certificate as index 0

key - the private key of the server

addServerCredentials

public void addServerCredentials(KeyAndCert keyAndCert)

Adds some server credentials.

This method adds the given server credentials based on their server names (which are automatically calculated if not set) and trusted authorities (if set). Any already existing credentials that have the same server name(s) / trusted authorities are replaced. The given credentials are also set as default credentials for the given cert type (which is calculated from the certificate public key algorithm). Default credentials are used if the client does not send a server_name or trusted_ca_keys extension within an extended ClientHello message.

Any RSA credentials passed to this method are automatically set as both signature and encryption RSA credentials. If this behavior is not intended use a addServerCredentials(KeyAndCert, int) method which allows to explicitly specify the cert type.

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not set add/server credentials to an SSLServerContext from different threads.

Parameters:

keyAndCert - the server KeyAndCert to be added

addServerCredentials

public void addServerCredentials(KeyAndCert keyAndCert,
                                 int certType)

Adds some server credentials for the given cert type.

This method adds the given server credentials based on their server names and trusted authorities (if set). Any already existing credentials that have the same server name(s) / trusted authorities are replaced. The given credentials are also set as default credentials for the given cert type. Default credentials are used if the client does not send a server_name or trusted_ca_keys extension within an extended ClientHello message.

The certType should be one of the CERTTYPE_* constants defined in class SSLContext:

• CERTTYPE_RSA_SIGN for RSA signature certificates
• CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
• CERTTYPE_DSS_SIGN for DSA signature certificates
• CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
• CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
• CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
• CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
• CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

This method is maybe used to set separate signature and encryption credentials for RSA. It can also be used to clear previously set credentials by setting them to null.

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not set add/server credentials to an SSLServerContext from different threads.

Parameters:

keyAndCert - the server KeyAndCert to be added

certType - the cert type for which to use the given server credential (KeyAndCert); either:

• RSA_SIGN for RSA signature certificates
• RSA_ENCRYPT for RSA encryption certificates
• DSS_SIGN for DSA signature certificates
• RSA_FIXED_DH for RSA signed DH certificates
• DSS_FIXED_DH for DSA signed DH certificates
• CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
• CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
• CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

Throws:

java.lang.IllegalArgumentException - if the cert type is not supported

addServerCredentials

public void addServerCredentials(KeyAndCert keyAndCert,
                                 int certType,
                                 boolean setAsDefault)

Adds some server credentials for the given cert type.

This method adds the given server credentials based on their server names and trusted authorities (if set). Any already existing credentials that have the same server name(s) / trusted authorities are replaced. If no server names are included in the given KeyAndCert (or if no server names can be calculated for the inherent server certificate) and if no trusted authorities are set for the given KeyAndCert, the server credentials are only added if setAsDefault is true. In this case any previously set default credentials of the same type are replaced. Default credentials are used if the client does not send a server_name or trusted_ca_keys extension within its extended ClientHello message.

The certType should be one of the CERTTYPE_* constants defined in class SSLContext:

• CERTTYPE_RSA_SIGN for RSA signature certificates
• CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
• CERTTYPE_DSS_SIGN for DSA signature certificates
• CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
• CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
• CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
• CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
• CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not set add/server credentials to an SSLServerContext from different threads.

Parameters:

keyAndCert - the server KeyAndCert to be added

certType - the cert type for which to use the given server credential (KeyAndCert); either:

• CERTTYPE_RSA_SIGN for RSA signature certificates
• CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
• CERTTYPE_DSS_SIGN for DSA signature certificates
• CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
• CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
• CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
• CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
• CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

setAsDefault - whether to set the given server KeyAndCert as default credentials to be used if the client does not send a server_name and/or trusted_ca_keys extension

Throws:

java.lang.IllegalArgumentException - if the cert type is not supported

addServerCredentials

public int addServerCredentials(java.lang.String keyStoreFile,
                                char[] keyStorePassword,
                                java.lang.String keyStoreType,
                                java.lang.String keyStoreProvider)
                         throws java.security.KeyStoreException

Add some server credentials from a KeyStore.

Note that this method does not allow the same fine granularity as when adding some particular key and certificate. Any key entry (and its corresponding certificate) chain) contained in the KeyStore is added to the key/cert database. This method adds credentials (keys and corresponding certificate chains) contained in the KeyStore based on their server names (which are automatically calculated). Any already existing credentials of the same type that have the same server name(s) are replaced. If the KeyStore contains more than one credentials with same type and server name(s), only one of them will be added.

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not set add/server credentials to an SSLServerContext from different threads.
If the KeyStore contains SecretKeys, they are added as PSKCredentials.

All key entries must have the same password.

Parameters:

keyStoreFile - the name of the KeyStore file

keyStorePassword - the KeyStore password

keyStoreType - the KeyStore type; default: IAIKKeyStore

keyStoreProvider - the KeyStore provider; default: IAIK

Returns:

the number of credentials added from the KeyStore

Throws:

java.security.KeyStoreException - if an error occurs while getting keys/certificates from the KeyStore

addServerCredentials

public int addServerCredentials(java.security.KeyStore keyStore,
                                char[] password)
                         throws java.security.KeyStoreException

Add some server credentials from a KeyStore.

Note that this method does not allow the same fine granularity as when adding some particular key and certificate. Any key entry (and its corresponding certificate) chain) contained in the KeyStore is added to the key/cert database. This method adds credentials (keys and corresponding certificate chains) contained in the KeyStore based on their server names (which are automatically calculated). Any already existing credentials of the same type that have the same server name(s) are replaced. If the KeyStore contains more than one credentials with same type and server name(s), only one of them will be added.

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not set add/server credentials to an SSLServerContext from different threads.
If the KeyStore contains SecretKeys, they are added as PSKCredentials.

The KeyStore must have been already loaded when calling this method. All key entries must have the same password.

Parameters:

keyStore - the KeyStore from which to read the server credentials

password - the password for the private/secret key entries

Returns:

the number of credentials added from the KeyStore

Throws:

java.security.KeyStoreException - if an error occurs while getting keys/certificates from the KeyStore

addServerCredentials

public int addServerCredentials(java.security.KeyStore keyStore,
                                char[] password,
                                java.lang.String[] aliases)
                         throws java.security.KeyStoreException

Add some server credentials from a KeyStore.

This method is similar to method addServerCredentials(KeyStore, char[]) except that are only those key entries are added that are specified by their aliases. If no aliases are specified, all key entries are added (in this case this method does the same as method addServerCredentials(KeyStore, char[])).
This method adds credentials (keys and corresponding certificate chains) contained in the KeyStore based on their server names (which are automatically calculated). Any already existing credentials of the same type that have the same server name(s) are replaced. If the KeyStore contains more than one credentials with same type and server name(s), only one of them will be added.

Note: Adding/Setting of server credentials is not thread-safe and server credentials are shared between clones of the same SSLServerContext object. Thus you should not set add/server credentials to an SSLServerContext from different threads.
If any of the referenced key entries represents a SecretKeys, it is added as PSKCredential.

The KeyStore must have been already loaded when calling this method. All key entries must have the same password.

Parameters:

keyStore - the KeyStore from which to read the server credentials

password - the password for the private/secret key entries

aliases - the alias names of the key entries to be added

Returns:

the number of credentials added from the KeyStore

Throws:

java.security.KeyStoreException - if an error occurs while getting keys/certificates from the KeyStore, or no key entry is available for any of the specified alias names

getServerCredentials

public KeyAndCert getServerCredentials(int certType)

Gets the server credentials of a particular type. If no server credentials for the requested type are available a NullPointerException is thrown.
The certType should be one of the CERTTYPE_* constants defined in class SSLContext:

• CERTTYPE_RSA_SIGN for RSA signature certificates
• CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
• CERTTYPE_DSS_SIGN for DSA signature certificates
• CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
• CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
• CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
• CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
• CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

Parameters:

certType - the type for which a server credential (KeyAndCert) is requested; either:

• CERTTYPE_RSA_SIGN for RSA signature certificates
• CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
• CERTTYPE_DSS_SIGN for DSA signature certificates
• CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
• CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
• CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
• CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
• CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates *

Returns:

the server credentials (KeyAndCert) for the requested cert type

Throws:

java.lang.IllegalArgumentException - if the cert type is not supported

java.lang.NullPointerException - of no KeyAndCert for the requested type can be found

getServerCredentials

protected KeyAndCert getServerCredentials(int certType,
                                          ExtensionList extensions,
                                          boolean useDefault,
                                          SSLTransport transport)

Gets the server credentials for given type and extensions (if present). If no server credentials for the requested type (and extensions) are available a NullPointerException is thrown. The given ExtensionList may contain a server_name extension, a trusted_ca_keys, an elliptic_curves and/or an ec_point_formats extension which all may impact the search for appropriate server credentials.

Depending on if the given ExtensionList is not null and does contain some of the extensions listed above, this method searches for server credentials according to the following algorithm (if elliptic_curves and/or ec_point_formats) extensions are present, the credentials returned by this method must be ECC credentials and match to any of the elliptic curves named by the elliptic_curves extension and any of the point formats (default: uncompressed) listed in the ec_point_formats extension):

1. If both server_name and trusted_ca_keys extensions are present, this method searches for a server KeyAndCert that conatins a server certificate referenced by a server name included in the server_name extension and identified by a TrustedAuthority included in the trusted_ca_keys extension. If a proper KeyAndCert object is found it will contain the trusted (ca) cert at certChain index [n-1] (or will contain all its original certificates if it has been explicitly configured to be used for specific trusted authorities). If no proper KeyAndCert can be found but useDefault is true this method returns the default server credentials (if available) for the requested type. Otherwise a NullPointerException is thrown indicating that no server credentials with the requested properties are available.
2. If only the server_name extension is present (but not the trusted_ca_keys extension), this method searches for a server KeyAndCert that contains a server certificate referenced by a server name included in the server_name extension. If no proper KeyAndCert can be found but useDefault is true this method returns the default server credentials (if available) for the requested type. Otherwise a NullPointerException is thrown indicating that no server credentials with the requested properties are available.
3. If only the trusted_ca_keys extension is present (but not the server_name extension), this method searches for a server KeyAndCert that is identified by a TrustedAuthority included in the trusted_ca_keys extension. If a proper KeyAndCert object is found it will contain the trusted (ca) cert at certChain index [n-1] (or will contain all its original certificates if it has been explicitly configured to be used for specific trusted authorities). If no proper KeyAndCert can be found but useDefault is true this method returns the default server credentials (if available) for the requested type. Otherwise a NullPointerException is thrown indicating that no server credentials with the requested properties are available.
4. If neither server_name nor trusted_ca_keys extensions are present, this method returns the default server credentials (if available) for the requested type. Otherwise a NullPointerException is thrown indicating that no server credentials for the requested type are available.

The certType should be one of the CERTTYPE_* constants defined in class SSLContext:

• CERTTYPE_RSA_SIGN for RSA signature certificates
• CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
• CERTTYPE_DSS_SIGN for DSA signature certificates
• CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
• CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
• CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
• CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
• CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

Parameters:

certType - the type for which a server credential (KeyAndCert) is requested; either:

• CERTTYPE_RSA_SIGN for RSA signature certificates
• CERTTYPE_RSA_ENCRYPT for RSA encryption certificates
• CERTTYPE_DSS_SIGN for DSA signature certificates
• CERTTYPE_RSA_FIXED_DH for RSA signed DH certificates
• CERTTYPE_DSS_FIXED_DH for DSA signed DH certificates
• CERTTYPE_ECDSA_SIGN for ECDSA signature certificates
• CERTTYPE_RSA_FIXED_ECDH for RSA signed ECDH certificates
• CERTTYPE_ECDSA_FIXED_ECDH for ECDSA signed ECDH certificates

extensions - an ExtensionList; if it is not null and does contain a server_name and/or trusted_ca_keys extension, the credential search is based on the server names included in the server_name extension and/or trusted authorities included in the trusted_ca_keys} extension

useDefault - whether to return the default credentials for the requested cert type if no credentials for the requested server names and/or trusted authorities can be found (if extensions is not null and does contain a server_name and/or trusted_ca_keys extension; if extensions is null or does not contain a server_name and/or trusted_ca_keys extensions, the default credentials are returned in any case, if set)

transport - SSLTransport for debugging (may be null)

Returns:

the server credentials (KeyAndCert) for the requested cert type (and server names / trusted authorities, if extensions is not null and does contain a server_name and/or trusted_ca_keys extension)

Throws:

java.lang.IllegalArgumentException - if the cert type is not supported

java.lang.NullPointerException - of no KeyAndCert for the requested properties can be found

updateCipherSuites

public void updateCipherSuites()

Update the list of currently enabled ciphersuites based on the certificates available. This method will take the list of currently enabled ciphersuites in this context and disable all that cannot be used because the required certificates or keys are not available.

Note that the semantics of this method were changed in 3.0. Previously this method would enable all ciphersuites that were available, now all currently enabled ciphersuites that are not available are disabled.

Also note that this method will not work correctly for user added ciphersuites.

Overrides:

updateCipherSuites in class SSLContext

addTemporaryParameter

public void addTemporaryParameter(java.security.KeyPair keyPair)

Add a temporary RSA KeyPair. Temporary RSA keypairs are used with exportable RSA ciphersuites. The keys should be either 512 or 1024 bit long. If none are set but needed during the handshake a keypair is generated on the fly.

addTemporaryParameter

public void addTemporaryParameter(javax.crypto.spec.DHParameterSpec spec)

Add temporary Diffie-Hellman parameters. This method extracts the length of the parameters and then calls addTemporaryParameters() with that length.

See Also:

addTemporaryParameter(DHParameterSpec, int)

addTemporaryParameter

public void addTemporaryParameter(javax.crypto.spec.DHParameterSpec spec,
                                  int keyLength)

Add temporary Diffie-Hellman parameters. Temporary Diffie-Hellman parameters are required for DHE ciphersuites. There are three temporary DH parameters, one for export ciphersuites (512 bit), one for export 1024 ciphersuites (1024 bit), and on for domestic ciphersuites (no limit). If no parameters have been set but are required for a DHE ciphersuite defaults will be used. First possibly set Diffie-Hellman server certificates will be checked, if no parameters of the required length are found built in defaults of 512 and 1024 bit are used.

The keyLength parameters determines which parameters you want to set. If not greater than 512 the 512 bit export parameters are set, if not greater than 1024 then 1024 bit export parameters are set. If greater than 1024 the domestic parameters are set. In addition, parameters between 512 and 1024 bit are automatically set as the domestic parameters if domestic parameters have not been set previously.

Note that it is not checked if the keyLength parameter you pass is the actual length of the parameters. It is generally recommended that you use the method without the keyLength parameter.

See Also:

addTemporaryParameter(DHParameterSpec)

setTemporaryParameterScheduling

public void setTemporaryParameterScheduling(javax.crypto.spec.DHGenParameterSpec dhGenParameterSpec,
                                            long updateInterval)

Enables DH parameter scheduling.
If DH parameter scheduling is enabled new temporary domestic parameters are generated according the given update interval. Any time the update interval has expired a thread is started with minimum priority to generate new DH parameters based on the prime and exponent size specified by the given DHGenParameterSpec. Thus the time when the new parameters become active may not be exactly the time of the update interval, rather the new parameters will become active somewhat later than updateTime + parameterGenerationTime.
Although the update interval has to be given in milli seconds, it should be not too short to not stress the server with unnessary hight parameter generation work. For instance, the update interval may be chosen in terms of weeks or months.

By default no DH parameter scheduling is used.

Parameters:

dhGenParameterSpec - the DHGenParameterSpec specifying prime and exponent size of the to-be-generated DH parameters; if null DH parameter scheduling is disabled

updateInterval - the update interval specifying when new parameters shall be generated (should be not too short)

setRequestClientCertificate

public void setRequestClientCertificate(boolean value)

Set whether or not to request client authentication during the handshake. If enabled the current ChainVerifier is called during the handshake to verify if the provided credentials are acceptable. It has the option to accept clients that send no certificates as well.

See Also:

ChainVerifier

getRequestClientCertificate

public boolean getRequestClientCertificate()

Returns wheter a SSLSocket which uses this SSLContext requests a certificate from the client.

setIgnoreClientCipherSuitePreferenceOrder

public void setIgnoreClientCipherSuitePreferenceOrder(boolean ignore)

Whether to ignore the preference order of the cipher suite list sent by the client when selecting a cipher suite for the current session. By default the cipher suite is selected according to the preference order sent by the client. A server that wants to use its own cipher suite list preference order may call this method with true as parameter:

 serverContext.setIgnoreClientCipherSuitePreferenceOrder(true);
 

Parameters:

ignore - whether to ignore the client cipher suite list preference order when selecting the cipher suite for the current session

setSendEmptySessionID

public void setSendEmptySessionID(boolean sendEmptyID)

Sets whether to create and send an empty session id if no SessionManager is set. By default a non-empty session is created when no SessionManager is set, too. An empty session id may be used to tell the client that the session will no be cached and therefore cannot be resumed.

Parameters:

sendEmptyID - whether to create and send an empty session id if no SessionManager is set

setAllowedProtocolVersions

public void setAllowedProtocolVersions(int minimumVersion,
                                       int maximumVersion)

Description copied from class: SSLContext

Set the SSL/TLS protocol versions to be accepted during the handshake. You normally will not need this method as the SSL handshake makes sure that always the highest protocol version supported by both the client and the server is selected. However, you may want to use this method if

• You want to communicate with a buggy server that fails if a certain protocol version is enabled.
• You want to enable SSL 2.0, which is disabled by default.
• You want to disable less secure protocol versions, e.g. use only TLS 1.0, TLS 1.1, or TLS 1.2.

The parameters passed should be from the VERSION_xxx list defined in this class. Per default both SSLv3 and TLS are enabled, SSLv2 is disabled.

If you want to enable e.g. SSLv3 and TLS use setAllowedProtocolVersions(SSLContext.VERSION_SSL30, SSLContext.VERSION_TLS12);.

Overrides:

setAllowedProtocolVersions in class SSLContext

clone

public java.lang.Object clone()

Implements the Cloneable interface.

Overrides:

clone in class SSLClientContext

Returns:

a clone of this SSLClientContext

toString

public java.lang.String toString()

Returns a string representation of this SSLContext.

Overrides:

toString in class SSLClientContext

Returns:

a string representation

setRequireClientCertificate

public void setRequireClientCertificate(byte[] certificateTypes,
                                        java.security.Principal[] certificateAuthorities)

Deprecated. use setRequestClientCertificate() instead

setRSACertificate

public void setRSACertificate(java.security.cert.Certificate[] certificateChain,
                              java.security.PrivateKey privateKey)
                       throws java.security.cert.CertificateException

Deprecated. use addServerCredentials() instead

Throws:

java.security.cert.CertificateException

setDSACertificate

public void setDSACertificate(java.security.cert.Certificate[] certificateChain,
                              java.security.PrivateKey privateKey)
                       throws java.security.cert.CertificateException

Deprecated. use addServerCredentials() instead

Throws:

java.security.cert.CertificateException

setDHCertificate

public void setDHCertificate(java.security.cert.Certificate[] certificateChain,
                             java.security.PrivateKey privateKey)
                      throws java.security.cert.CertificateException

Deprecated. use addServerCredentials() instead

Throws:

java.security.cert.CertificateException

setDHParameter

public void setDHParameter(javax.crypto.spec.DHParameterSpec dhParameter)

Deprecated. use addTemporaryParameter() instead

setRSATempKeyPair

public void setRSATempKeyPair(java.security.KeyPair tempKeyPair)

Deprecated. use addTemporaryParameter() instead

getRequireClientCertificate

public boolean getRequireClientCertificate()

Deprecated. use getRequestClientCertificate() instead