Package io.netty.handler.ssl

Class ReferenceCountedOpenSslContext

java.lang.Object

io.netty.handler.ssl.SslContext

io.netty.handler.ssl.ReferenceCountedOpenSslContext

All Implemented Interfaces:

ReferenceCounted

Direct Known Subclasses:

OpenSslContext, ReferenceCountedOpenSslClientContext, ReferenceCountedOpenSslServerContext

public abstract class ReferenceCountedOpenSslContext
extends SslContext
implements ReferenceCounted

An implementation of SslContext which works with libraries that support the OpenSsl C library API.

Instances of this class must be released or else native memory will leak!

Instances of this class must not be released before any ReferenceCountedOpenSslEngine which depends upon the instance of this class is released. Otherwise if any method of ReferenceCountedOpenSslEngine is called which uses this class's JNI resources the JVM may crash.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
(package private) static class	ReferenceCountedOpenSslContext.AbstractCertificateVerifier
private static final class	ReferenceCountedOpenSslContext.AsyncPrivateKeyMethod
private static final class	ReferenceCountedOpenSslContext.CompressionAlgorithm
private static final class	ReferenceCountedOpenSslContext.DefaultOpenSslEngineMap
private static final class	ReferenceCountedOpenSslContext.PrivateKeyMethod

Field Summary

Fields

Modifier and Type	Field	Description
private final OpenSslApplicationProtocolNegotiator	apn
private int	bioNonApplicationBufferSize
(package private) static final boolean	CLIENT_ENABLE_SESSION_CACHE
(package private) static final boolean	CLIENT_ENABLE_SESSION_TICKET
(package private) static final boolean	CLIENT_ENABLE_SESSION_TICKET_TLSV13
(package private) final ClientAuth	clientAuth
protected long	ctx	The OpenSSL SSL_CTX object.
(package private) final ReadWriteLock	ctxLock
private static final int	DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE
private static final Integer	DH_KEY_LENGTH
(package private) final boolean	enableOcsp
(package private) final String	endpointIdentificationAlgorithm
(package private) final OpenSslEngineMap	engineMap
(package private) final boolean	hasTLSv13Cipher
(package private) final boolean	hasTmpDhKeys
(package private) final Certificate[]	keyCertChain
private final ResourceLeakTracker<ReferenceCountedOpenSslContext>	leak
private static final ResourceLeakDetector<ReferenceCountedOpenSslContext>	leakDetector
private static final InternalLogger	logger
private final int	mode
(package private) static final OpenSslApplicationProtocolNegotiator	NONE_PROTOCOL_NEGOTIATOR
(package private) final String[]	protocols
private final AbstractReferenceCounted	refCnt
(package private) static final boolean	SERVER_ENABLE_SESSION_CACHE
(package private) static final boolean	SERVER_ENABLE_SESSION_TICKET
(package private) static final boolean	SERVER_ENABLE_SESSION_TICKET_TLSV13
(package private) final boolean	tlsFalseStart
private final List<String>	unmodifiableCiphers
(package private) static final boolean	USE_TASKS
protected static final int	VERIFY_DEPTH

Fields inherited from class io.netty.handler.ssl.SslContext

ALIAS, resumptionController, X509_CERT_FACTORY

Constructor Summary

Constructors

Constructor

Description

ReferenceCountedOpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn, int mode, Certificate[] keyCertChain, ClientAuth clientAuth, String[] protocols, boolean startTls, String endpointIdentificationAlgorithm, boolean enableOcsp, boolean leakDetection, ResumptionController resumptionController, Map.Entry<SslContextOption<?>,Object>... ctxOptions)

Method Summary

Modifier and Type	Method	Description
ApplicationProtocolNegotiator	applicationProtocolNegotiator()	Returns the object responsible for negotiating application layer protocols for the TLS NPN/ALPN extensions.
protected static X509Certificate[]	certificates(byte[][] chain)
protected static X509TrustManager	chooseTrustManager(TrustManager[] managers)	Deprecated. This method is kept for API backwards compatibility.
(package private) static X509TrustManager	chooseTrustManager(TrustManager[] managers, ResumptionController resumptionController)
protected static X509KeyManager	chooseX509KeyManager(KeyManager[] kms)
final List<String>	cipherSuites()	Returns the list of enabled cipher suites, in the order of preference.
final long	context()	Deprecated. this method is considered unsafe as the returned pointer may be released later.
private void	destroy()
(package private) static void	freeBio(long bio)
int	getBioNonApplicationBufferSize()	Returns the size of the buffer used by the BIO for non-application based writes
boolean	getRejectRemoteInitiatedRenegotiation()	Deprecated.
final boolean	isClient()	Returns the true if and only if this context is for client-side.
private static long	newBIO(ByteBuf buffer)
final SSLEngine	newEngine(ByteBufAllocator alloc)	Returns a new server-side SSLEngine with the current configuration.
final SSLEngine	newEngine(ByteBufAllocator alloc, String peerHost, int peerPort)	Creates a new SSLEngine using advisory peer information.
(package private) SSLEngine	newEngine0(ByteBufAllocator alloc, String peerHost, int peerPort, boolean jdkCompatibilityMode)
protected final SslHandler	newHandler(ByteBufAllocator alloc, boolean startTls)	Create a new SslHandler.
protected SslHandler	newHandler(ByteBufAllocator alloc, boolean startTls, Executor executor)	Create a new SslHandler.
protected final SslHandler	newHandler(ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls)	Create a new SslHandler.
protected SslHandler	newHandler(ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls, Executor executor)
private static int	opensslSelectorFailureBehavior(ApplicationProtocolConfig.SelectorFailureBehavior behavior)
(package private) static OpenSslKeyMaterialProvider	providerFor(KeyManagerFactory factory, String password)	Returns the OpenSslKeyMaterialProvider that should be used for OpenSSL.
final int	refCnt()	Returns the reference count of this object.
final boolean	release()	Decreases the reference count by 1 and deallocates this object if the reference count reaches at 0.
final boolean	release(int decrement)	Decreases the reference count by the specified decrement and deallocates this object if the reference count reaches at 0.
final ReferenceCounted	retain()	Increases the reference count by 1.
final ReferenceCounted	retain(int increment)	Increases the reference count by the specified increment.
private static ReferenceCountedOpenSslEngine	retrieveEngine(OpenSslEngineMap engineMap, long ssl)
abstract OpenSslSessionContext	sessionContext()	Returns the SSLSessionContext object held by this context.
void	setBioNonApplicationBufferSize(int bioNonApplicationBufferSize)	Set the size of the buffer used by the BIO for non-application based writes (e.g.
(package private) static void	setKeyMaterial(long ctx, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword)
final void	setPrivateKeyMethod(OpenSslPrivateKeyMethod method)	Deprecated. use SslContextBuilder.option(SslContextOption, Object) with OpenSslContextOption.PRIVATE_KEY_METHOD.
void	setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation)	Deprecated.
final void	setTicketKeys(byte[] keys)	Deprecated. use OpenSslSessionContext.setTicketKeys(byte[])
final void	setUseTasks(boolean useTasks)	Deprecated. use SslContextBuilder.option(SslContextOption, Object) with OpenSslContextOption.USE_TASKS.
final long	sslCtxPointer()	Deprecated. this method is considered unsafe as the returned pointer may be released later.
final OpenSslSessionStats	stats()	Deprecated. use invalid @link {@link #sessionContext#stats() }
(package private) static long	toBIO(ByteBufAllocator allocator, PemEncoded pem)
(package private) static long	toBIO(ByteBufAllocator allocator, X509Certificate... certChain)	Return the pointer to a in-memory BIO or 0 if the certChain is null.
(package private) static long	toBIO(ByteBufAllocator allocator, PrivateKey key)	Return the pointer to a in-memory BIO or 0 if the key is null.
(package private) static OpenSslApplicationProtocolNegotiator	toNegotiator(ApplicationProtocolConfig config)	Translate a ApplicationProtocolConfig object to a OpenSslApplicationProtocolNegotiator object.
final ReferenceCounted	touch()	Records the current access location of this object for debugging purposes.
final ReferenceCounted	touch(Object hint)	Records the current access location of this object with an additional arbitrary information for debugging purposes.
(package private) static boolean	useExtendedTrustManager(X509TrustManager trustManager)
private static byte[]	verifyResult(byte[] result)

Methods inherited from class io.netty.handler.ssl.SslContext

attributes, buildKeyManagerFactory, buildKeyManagerFactory, buildKeyStore, buildTrustManagerFactory, buildTrustManagerFactory, buildTrustManagerFactory, defaultClientProvider, defaultServerProvider, generateKeySpec, isServer, keyStorePassword, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContext, newClientContextInternal, newHandler, newHandler, newHandler, newHandler, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContext, newServerContextInternal, nextProtocols, sessionCacheSize, sessionTimeout, toApplicationProtocolConfig, toPrivateKey, toPrivateKey, toPrivateKey, toPrivateKeyInternal, toX509Certificates, toX509Certificates, toX509CertificatesInternal

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

logger

private static final InternalLogger logger

DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE

private static final int DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE

USE_TASKS

static final boolean USE_TASKS

DH_KEY_LENGTH

private static final Integer DH_KEY_LENGTH

leakDetector

private static final ResourceLeakDetector<ReferenceCountedOpenSslContext> leakDetector

VERIFY_DEPTH

protected static final int VERIFY_DEPTH

See Also:

• Constant Field Values

CLIENT_ENABLE_SESSION_TICKET

static final boolean CLIENT_ENABLE_SESSION_TICKET

CLIENT_ENABLE_SESSION_TICKET_TLSV13

static final boolean CLIENT_ENABLE_SESSION_TICKET_TLSV13

SERVER_ENABLE_SESSION_TICKET

static final boolean SERVER_ENABLE_SESSION_TICKET

SERVER_ENABLE_SESSION_TICKET_TLSV13

static final boolean SERVER_ENABLE_SESSION_TICKET_TLSV13

SERVER_ENABLE_SESSION_CACHE

static final boolean SERVER_ENABLE_SESSION_CACHE

CLIENT_ENABLE_SESSION_CACHE

static final boolean CLIENT_ENABLE_SESSION_CACHE

ctx

protected long ctx

The OpenSSL SSL_CTX object. ctxLock must be hold while using ctx!

unmodifiableCiphers

private final List<String> unmodifiableCiphers

apn

private final OpenSslApplicationProtocolNegotiator apn

mode

private final int mode

leak

private final ResourceLeakTracker<ReferenceCountedOpenSslContext> leak

refCnt

private final AbstractReferenceCounted refCnt

keyCertChain

final Certificate[] keyCertChain

clientAuth

final ClientAuth clientAuth

protocols

final String[] protocols

endpointIdentificationAlgorithm

final String endpointIdentificationAlgorithm

hasTLSv13Cipher

final boolean hasTLSv13Cipher

hasTmpDhKeys

final boolean hasTmpDhKeys

enableOcsp

final boolean enableOcsp

engineMap

final OpenSslEngineMap engineMap

ctxLock

final ReadWriteLock ctxLock

bioNonApplicationBufferSize

private volatile int bioNonApplicationBufferSize

NONE_PROTOCOL_NEGOTIATOR

static final OpenSslApplicationProtocolNegotiator NONE_PROTOCOL_NEGOTIATOR

tlsFalseStart

final boolean tlsFalseStart

Constructor Details

ReferenceCountedOpenSslContext

ReferenceCountedOpenSslContext(Iterable<String> ciphers,
 CipherSuiteFilter cipherFilter,
 OpenSslApplicationProtocolNegotiator apn,
 int mode,
 Certificate[] keyCertChain,
 ClientAuth clientAuth,
 String[] protocols,
 boolean startTls,
 String endpointIdentificationAlgorithm,
 boolean enableOcsp,
 boolean leakDetection,
 ResumptionController resumptionController,
 Map.Entry<SslContextOption<?>,Object>... ctxOptions)
                        throws SSLException

Throws:

SSLException

Method Details

opensslSelectorFailureBehavior

private static int opensslSelectorFailureBehavior(ApplicationProtocolConfig.SelectorFailureBehavior behavior)

cipherSuites

public final List<String> cipherSuites()

Description copied from class: SslContext

Returns the list of enabled cipher suites, in the order of preference.

Specified by:

cipherSuites in class SslContext

applicationProtocolNegotiator

public ApplicationProtocolNegotiator applicationProtocolNegotiator()

Description copied from class: SslContext

Returns the object responsible for negotiating application layer protocols for the TLS NPN/ALPN extensions.

Specified by:

applicationProtocolNegotiator in class SslContext

isClient

public final boolean isClient()

Description copied from class: SslContext

Returns the true if and only if this context is for client-side.

Specified by:

isClient in class SslContext

newEngine

public final SSLEngine newEngine(ByteBufAllocator alloc,
 String peerHost,
 int peerPort)

Description copied from class: SslContext

Creates a new SSLEngine using advisory peer information.

If SslProvider.OPENSSL_REFCNT is used then the object must be released. One way to do this is to wrap in a SslHandler and insert it into a pipeline. See SslContext.newHandler(ByteBufAllocator, String, int).

Specified by:

newEngine in class SslContext

Parameters:

peerHost - the non-authoritative name of the host

peerPort - the non-authoritative port

Returns:

a new SSLEngine

newHandler

protected final SslHandler newHandler(ByteBufAllocator alloc,
 boolean startTls)

Description copied from class: SslContext

Create a new SslHandler.

Overrides:

newHandler in class SslContext

See Also:

• SslContext.newHandler(ByteBufAllocator)

newHandler

protected final SslHandler newHandler(ByteBufAllocator alloc,
 String peerHost,
 int peerPort,
 boolean startTls)

Description copied from class: SslContext

Create a new SslHandler.

Overrides:

newHandler in class SslContext

See Also:

• SslContext.newHandler(ByteBufAllocator, String, int, boolean, Executor)

newHandler

protected SslHandler newHandler(ByteBufAllocator alloc,
 boolean startTls,
 Executor executor)

Description copied from class: SslContext

Create a new SslHandler.

Overrides:

newHandler in class SslContext

See Also:

• SslContext.newHandler(ByteBufAllocator, String, int, boolean, Executor)

newHandler

protected SslHandler newHandler(ByteBufAllocator alloc,
 String peerHost,
 int peerPort,
 boolean startTls,
 Executor executor)

Overrides:

newHandler in class SslContext

newEngine0

SSLEngine newEngine0(ByteBufAllocator alloc,
 String peerHost,
 int peerPort,
 boolean jdkCompatibilityMode)

newEngine

public final SSLEngine newEngine(ByteBufAllocator alloc)

Returns a new server-side SSLEngine with the current configuration.

Specified by:

newEngine in class SslContext

Returns:

a new SSLEngine

context

@Deprecated
public final long context()

Deprecated.

this method is considered unsafe as the returned pointer may be released later. Dont use it!

Returns the pointer to the SSL_CTX object for this ReferenceCountedOpenSslContext. Be aware that it is freed as soon as the Object.finalize() method is called. At this point 0 will be returned.

stats

@Deprecated
public final OpenSslSessionStats stats()

Deprecated.

use

invalid @link

{@link #sessionContext#stats()

}

Returns the stats of this context.

setRejectRemoteInitiatedRenegotiation

@Deprecated
public void setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation)

Deprecated.

Specify if remote initiated renegotiation is supported or not. If not supported and the remote side tries to initiate a renegotiation a SSLHandshakeException will be thrown during decoding.

getRejectRemoteInitiatedRenegotiation

@Deprecated
public boolean getRejectRemoteInitiatedRenegotiation()

Deprecated.

Returns:

true because renegotiation is not supported.

setBioNonApplicationBufferSize

public void setBioNonApplicationBufferSize(int bioNonApplicationBufferSize)

Set the size of the buffer used by the BIO for non-application based writes (e.g. handshake, renegotiation, etc...).

getBioNonApplicationBufferSize

public int getBioNonApplicationBufferSize()

Returns the size of the buffer used by the BIO for non-application based writes

setTicketKeys

@Deprecated
public final void setTicketKeys(byte[] keys)

Deprecated.

use OpenSslSessionContext.setTicketKeys(byte[])

Sets the SSL session ticket keys of this context.

sessionContext

public abstract OpenSslSessionContext sessionContext()

Description copied from class: SslContext

Returns the SSLSessionContext object held by this context.

Specified by:

sessionContext in class SslContext

sslCtxPointer

@Deprecated
public final long sslCtxPointer()

Deprecated.

this method is considered unsafe as the returned pointer may be released later. Dont use it!

Returns the pointer to the SSL_CTX object for this ReferenceCountedOpenSslContext. Be aware that it is freed as soon as the release() method is called. At this point 0 will be returned.

setPrivateKeyMethod

@Deprecated
@UnstableApi
public final void setPrivateKeyMethod(OpenSslPrivateKeyMethod method)

Deprecated.

use SslContextBuilder.option(SslContextOption, Object) with OpenSslContextOption.PRIVATE_KEY_METHOD.

Set the OpenSslPrivateKeyMethod to use. This allows to offload private-key operations if needed. This method is currently only supported when BoringSSL is used.

Parameters:

method - method to use.

setUseTasks

@Deprecated
public final void setUseTasks(boolean useTasks)

Deprecated.

use SslContextBuilder.option(SslContextOption, Object) with OpenSslContextOption.USE_TASKS.

destroy

private void destroy()

certificates

protected static X509Certificate[] certificates(byte[][] chain)

chooseTrustManager

@Deprecated
protected static X509TrustManager chooseTrustManager(TrustManager[] managers)

Deprecated.

This method is kept for API backwards compatibility.

chooseTrustManager

static X509TrustManager chooseTrustManager(TrustManager[] managers,
 ResumptionController resumptionController)

chooseX509KeyManager

protected static X509KeyManager chooseX509KeyManager(KeyManager[] kms)

toNegotiator

static OpenSslApplicationProtocolNegotiator toNegotiator(ApplicationProtocolConfig config)

Translate a ApplicationProtocolConfig object to a OpenSslApplicationProtocolNegotiator object.

Parameters:

config - The configuration which defines the translation

Returns:

The results of the translation

useExtendedTrustManager

static boolean useExtendedTrustManager(X509TrustManager trustManager)

refCnt

public final int refCnt()

Description copied from interface: ReferenceCounted

Returns the reference count of this object. If 0, it means this object has been deallocated.

Specified by:

refCnt in interface ReferenceCounted

retain

public final ReferenceCounted retain()

Description copied from interface: ReferenceCounted

Increases the reference count by 1.

Specified by:

retain in interface ReferenceCounted

retain

public final ReferenceCounted retain(int increment)

Description copied from interface: ReferenceCounted

Increases the reference count by the specified increment.

Specified by:

retain in interface ReferenceCounted

touch

public final ReferenceCounted touch()

Description copied from interface: ReferenceCounted

Records the current access location of this object for debugging purposes. If this object is determined to be leaked, the information recorded by this operation will be provided to you via ResourceLeakDetector. This method is a shortcut to touch(null).

Specified by:

touch in interface ReferenceCounted

touch

public final ReferenceCounted touch(Object hint)

Description copied from interface: ReferenceCounted

Records the current access location of this object with an additional arbitrary information for debugging purposes. If this object is determined to be leaked, the information recorded by this operation will be provided to you via ResourceLeakDetector.

Specified by:

touch in interface ReferenceCounted

release

public final boolean release()

Description copied from interface: ReferenceCounted

Decreases the reference count by 1 and deallocates this object if the reference count reaches at 0.

Specified by:

release in interface ReferenceCounted

Returns:

true if and only if the reference count became 0 and this object has been deallocated

release

public final boolean release(int decrement)

Description copied from interface: ReferenceCounted

Decreases the reference count by the specified decrement and deallocates this object if the reference count reaches at 0.

Specified by:

release in interface ReferenceCounted

Returns:

true if and only if the reference count became 0 and this object has been deallocated

setKeyMaterial

static void setKeyMaterial(long ctx,
 X509Certificate[] keyCertChain,
 PrivateKey key,
 String keyPassword)
                    throws SSLException

Throws:

SSLException

freeBio

static void freeBio(long bio)

toBIO

static long toBIO(ByteBufAllocator allocator,
 PrivateKey key)
           throws Exception

Return the pointer to a in-memory BIO or 0 if the key is null. The BIO contains the content of the key.

Throws:

Exception

toBIO

static long toBIO(ByteBufAllocator allocator,
 X509Certificate... certChain)
           throws Exception

Return the pointer to a in-memory BIO or 0 if the certChain is null. The BIO contains the content of the certChain.

Throws:

Exception

toBIO

static long toBIO(ByteBufAllocator allocator,
 PemEncoded pem)
           throws Exception

Throws:

Exception

newBIO

private static long newBIO(ByteBuf buffer)
                    throws Exception

Throws:

Exception

providerFor

static OpenSslKeyMaterialProvider providerFor(KeyManagerFactory factory,
 String password)

Returns the OpenSslKeyMaterialProvider that should be used for OpenSSL. Depending on the given KeyManagerFactory this may cache the OpenSslKeyMaterial for better performance if it can ensure that the same material is always returned for the same alias.

retrieveEngine

private static ReferenceCountedOpenSslEngine retrieveEngine(OpenSslEngineMap engineMap,
 long ssl)
                                                     throws SSLException

Throws:

SSLException

verifyResult

private static byte[] verifyResult(byte[] result)
                            throws SignatureException

Throws:

SignatureException