public final class SSL
extends java.lang.Object
| 限定符和类型 | 方法和说明 |
|---|---|
static java.lang.String[] |
authenticationMethods(long ssl)
Return the methods used for authentication.
|
static void |
bioClearByteBuffer(long bio)
After you are done buffering data from
bioSetByteBuffer(long, long, int, boolean), this will ensure the
internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc..). |
static int |
bioFlushByteBuffer(long bio)
Flush any pending bytes in the internal SSL write buffer.
|
static int |
bioLengthByteBuffer(long bio)
Get the remaining length of the
ByteBuffer set by bioSetByteBuffer(long, long, int, boolean). |
static int |
bioLengthNonApplication(long bio)
Get the amount of data pending in buffer used for non-application writes.
|
static long |
bioNewByteBuffer(long ssl,
int nonApplicationBufferSize)
Initialize the BIO for the SSL instance.
|
static void |
bioSetByteBuffer(long bio,
long bufferAddress,
int maxUsableBytes,
boolean isSSLWriteSink)
Set the memory location which that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted
data from.
|
static int |
bioWrite(long bioAddress,
long wbufAddress,
int wlen)
BIO_write
|
static void |
clearError()
Clear all the errors from the error queue that OpenSSL encountered on this thread.
|
static void |
clearOptions(long ssl,
int options)
Clear OpenSSL Option.
|
static int |
doHandshake(long ssl)
SSL_do_handshake
|
static void |
enableOcsp(long ssl)
Enables OCSP stapling for the given
SSLEngine or throws an
exception if OCSP stapling is not supported. |
static void |
freeBIO(long bio)
BIO_free
|
static void |
freePrivateKey(long privateKey)
Free private key (
EVP_PKEY pointer). |
static void |
freeSSL(long ssl)
SSL_free
|
static void |
freeX509Chain(long x509Chain)
Free x509 chain (
STACK_OF(X509) pointer). |
static java.lang.String |
getAlpnSelected(long ssl)
SSL_get0_alpn_selected
|
static java.lang.String |
getCipherForSSL(long ssl)
SSL_get_cipher
|
static java.lang.String[] |
getCiphers(long ssl)
Returns all Returns the cipher suites that are available for negotiation in an SSL handshake.
|
static int |
getError(long ssl,
int ret)
SSL_get_error
|
static java.lang.String |
getErrorString(long errorNumber)
Get the error string representing for the given
errorNumber. |
static int |
getHandshakeCount(long ssl)
Returns the number of handshakes done for this SSL instance.
|
static java.lang.String |
getLastError()
Return last SSL error string
|
static int |
getLastErrorNumber()
Get the error number representing the last error OpenSSL encountered on this thread.
|
static int |
getMaxWrapOverhead(long ssl)
Get the maximum overhead, in bytes, of wrapping (a.k.a sealing) a record with ssl.
|
static int |
getMode(long ssl)
Call SSL_get_mode
|
static java.lang.String |
getNextProtoNegotiated(long ssl)
SSL_get0_next_proto_negotiated
|
static byte[] |
getOcspResponse(long ssl)
Returns the OCSP response for the given
SSLEngine or null
if the server didn't provide a stapled OCSP response. |
static int |
getOptions(long ssl)
Get OpenSSL Option.
|
static byte[][] |
getPeerCertChain(long ssl)
Get the peer certificate chain or
null if none was send. |
static byte[] |
getPeerCertificate(long ssl)
Get the peer certificate or
null if non was send. |
static byte[] |
getSessionId(long ssl)
Returns the ID of the session as byte array representation.
|
static int |
getShutdown(long ssl)
SSL_get_shutdown
|
static long |
getTime(long ssl)
SSL_get_time
|
static long |
getTimeout(long ssl)
SSL_get_timeout
|
static java.lang.String |
getVersion(long ssl)
SSL_get_version
|
static int |
isInInit(long ssl)
SSL_in_init
|
static long |
newMemBIO()
Initialize new in-memory BIO that is located in the secure heap.
|
static long |
newSSL(long ctx,
boolean server)
SSL_new
|
static long |
parsePrivateKey(long privateKeyBio,
java.lang.String password)
Parse private key from BIO and return
EVP_PKEY pointer. |
static long |
parseX509Chain(long x509ChainBio)
Parse X509 chain from BIO and return (
STACK_OF(X509) pointer). |
static int |
readFromSSL(long ssl,
long rbuf,
int rlen)
SSL_read
|
static int |
renegotiate(long ssl)
Call SSL_renegotiate.
|
static void |
setCertificateBio(long ssl,
long certBio,
long keyBio,
java.lang.String password)
Set Certificate
Point setCertificate at a PEM encoded certificate stored in a BIO. |
static void |
setCertificateChainBio(long ssl,
long bio,
boolean skipfirst)
Set BIO of PEM-encoded Server CA Certificates
This directive sets the optional all-in-one file where you can assemble the
certificates of Certification Authorities (CA) which form the certificate
chain of the server certificate.
|
static boolean |
setCipherSuites(long ssl,
java.lang.String ciphers)
Returns the cipher suites available for negotiation in SSL handshake.
|
static void |
setHostNameValidation(long ssl,
int flags,
java.lang.String hostname)
Explicitly control hostname validation
see X509_check_host for X509_CHECK_FLAG* definitions.
|
static int |
setMode(long ssl,
int mode)
Call SSL_set_mode
|
static void |
setOcspResponse(long ssl,
byte[] response)
Sets the OCSP response for the given
SSLEngine or throws an
exception in case of an error. |
static void |
setOptions(long ssl,
int options)
Set OpenSSL Option.
|
static void |
setShutdown(long ssl,
int mode)
SSL_set_shutdown
|
static void |
setState(long ssl,
int state)
Call SSL_set_state.
|
static long |
setTimeout(long ssl,
long seconds)
SSL_set_timeout
|
static void |
setTlsExtHostName(long ssl,
java.lang.String hostname)
Call SSL_set_tlsext_host_name
|
static void |
setVerify(long ssl,
int level,
int depth)
Set Type of Client Certificate verification and Maximum depth of CA Certificates
in Client Certificate verification.
|
static int |
shutdownSSL(long ssl)
SSL_shutdown
|
static int |
sslPending(long ssl)
The number of bytes pending in SSL which can be read immediately.
|
static int |
version() |
static java.lang.String |
versionString() |
static int |
writeToSSL(long ssl,
long wbuf,
int wlen)
SSL_write
|
public static final int SSL_PROTOCOL_NONE
public static final int SSL_PROTOCOL_SSLV2
public static final int SSL_PROTOCOL_SSLV3
public static final int SSL_PROTOCOL_TLSV1
public static final int SSL_PROTOCOL_TLSV1_1
public static final int SSL_PROTOCOL_TLSV1_2
public static final int SSL_PROTOCOL_TLS
public static final int SSL_PROTOCOL_ALL
public static final int SSL_CVERIFY_IGNORED
public static final int SSL_CVERIFY_NONE
public static final int SSL_CVERIFY_OPTIONAL
public static final int SSL_CVERIFY_REQUIRED
public static final int SSL_OP_CIPHER_SERVER_PREFERENCE
public static final int SSL_OP_NO_SSLv2
public static final int SSL_OP_NO_SSLv3
public static final int SSL_OP_NO_TLSv1
public static final int SSL_OP_NO_TLSv1_1
public static final int SSL_OP_NO_TLSv1_2
public static final int SSL_OP_NO_TICKET
public static final int SSL_OP_NO_COMPRESSION
public static final int SSL_MODE_CLIENT
public static final int SSL_MODE_SERVER
public static final int SSL_MODE_COMBINED
public static final long SSL_SESS_CACHE_OFF
public static final long SSL_SESS_CACHE_SERVER
public static final int SSL_SELECTOR_FAILURE_NO_ADVERTISE
public static final int SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL
public static final int SSL_ST_CONNECT
public static final int SSL_ST_ACCEPT
public static final int SSL_MODE_ENABLE_PARTIAL_WRITE
public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
public static final int SSL_MODE_RELEASE_BUFFERS
public static final int SSL_MAX_PLAINTEXT_LENGTH
public static final int SSL_MAX_RECORD_LENGTH
SSL_MAX_PLAINTEXT_LENGTH, but there are some implementations such as
OpenJDK's SSLEngineImpl
that also allow sending larger packets. This can be used as a upper bound for data to support legacy systems.public static final int X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
public static final int X509_CHECK_FLAG_NO_WILD_CARDS
public static final int X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS
public static final int X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
public static final int SSL_SENT_SHUTDOWN
public static final int SSL_RECEIVED_SHUTDOWN
public static final int SSL_ERROR_NONE
public static final int SSL_ERROR_SSL
public static final int SSL_ERROR_WANT_READ
public static final int SSL_ERROR_WANT_WRITE
public static final int SSL_ERROR_WANT_X509_LOOKUP
public static final int SSL_ERROR_SYSCALL
public static final int SSL_ERROR_ZERO_RETURN
public static final int SSL_ERROR_WANT_CONNECT
public static final int SSL_ERROR_WANT_ACCEPT
public static int version()
public static java.lang.String versionString()
public static long newMemBIO()
throws java.lang.Exception
java.lang.Exception - if an error happened.public static java.lang.String getLastError()
public static long newSSL(long ctx,
boolean server)
ctx - Server or Client context to use.server - if true configure SSL instance to use accept handshake routines
if false configure SSL instance to use connect handshake routinespublic static int getError(long ssl,
int ret)
ssl - SSL pointer (SSL *)ret - TLS/SSL I/O return valuepublic static int bioWrite(long bioAddress,
long wbufAddress,
int wlen)
bioAddress - The address of a BIO*.wbufAddress - The address of a native char*.wlen - The length to write starting at wbufAddress.public static long bioNewByteBuffer(long ssl,
int nonApplicationBufferSize)
ByteBuffer. Because it is a special BIO it requires special usage such that
bioSetByteBuffer(long, long, int, boolean) and bioClearByteBuffer(long) are called in order to provide
to supply data to SSL, and also to ensure the internal SSL buffering mechanism is expecting write at the appropriate times.ssl - the SSL instance (SSL *)nonApplicationBufferSize - The size of the internal buffer for write operations that are not
initiated directly by the application attempting to encrypt data.
Must be >0.ssl and will be cleaned up by freeSSL(long).public static void bioSetByteBuffer(long bio,
long bufferAddress,
int maxUsableBytes,
boolean isSSLWriteSink)
After you are done buffering data you should call bioClearByteBuffer(long).
bio - BIO*.bufferAddress - The memory address (typically from a direct ByteBuffer) which will be used
to either write encrypted data to, or read encrypted data from by OpenSSL's internal BIO pair.maxUsableBytes - The maximum usable length in bytes starting at bufferAddress.isSSLWriteSink - true if this buffer is expected to buffer data as a result of calls to SSL_write.
false if this buffer is expected to buffer data as a result of calls to SSL_read.public static void bioClearByteBuffer(long bio)
bioSetByteBuffer(long, long, int, boolean), this will ensure the
internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc..).bio - BIO*.public static int bioFlushByteBuffer(long bio)
This does the same thing as BIO_flush for a BIO* of type bioNewByteBuffer(long, int) but
returns the number of bytes that were flushed.
bio - BIO*.public static int bioLengthByteBuffer(long bio)
ByteBuffer set by bioSetByteBuffer(long, long, int, boolean).bio - BIO*.ByteBuffer set by bioSetByteBuffer(long, long, int, boolean).public static int bioLengthNonApplication(long bio)
bioNewByteBuffer(long, int).bio - BIO*.public static int sslPending(long ssl)
ssl - the SSL instance (SSL *)public static int writeToSSL(long ssl,
long wbuf,
int wlen)
ssl - the SSL instance (SSL *)wbuf - the memory address of the bufferwlen - the lengthpublic static int readFromSSL(long ssl,
long rbuf,
int rlen)
ssl - the SSL instance (SSL *)rbuf - the memory address of the bufferrlen - the lengthpublic static int getShutdown(long ssl)
ssl - the SSL instance (SSL *)SSL_get_shutdownpublic static void setShutdown(long ssl,
int mode)
ssl - the SSL instance (SSL *)mode - the mode to usepublic static void freeSSL(long ssl)
ssl - the SSL instance (SSL *)public static void freeBIO(long bio)
bio - the BIOpublic static int shutdownSSL(long ssl)
ssl - the SSL instance (SSL *)SSL_shutdownpublic static int getLastErrorNumber()
public static java.lang.String getCipherForSSL(long ssl)
ssl - the SSL instance (SSL *)public static java.lang.String getVersion(long ssl)
ssl - the SSL instance (SSL *)public static int doHandshake(long ssl)
ssl - the SSL instance (SSL *)SSL_do_handshake.public static int isInInit(long ssl)
ssl - the SSL instance (SSL *)SSL_in_init.public static java.lang.String getNextProtoNegotiated(long ssl)
ssl - the SSL instance (SSL *)public static java.lang.String getAlpnSelected(long ssl)
ssl - the SSL instance (SSL *)public static byte[][] getPeerCertChain(long ssl)
null if none was send.ssl - the SSL instance (SSL *)null if none was sendpublic static byte[] getPeerCertificate(long ssl)
null if non was send.ssl - the SSL instance (SSL *)null if none was sendpublic static java.lang.String getErrorString(long errorNumber)
errorNumber.errorNumber - the error number / codepublic static long getTime(long ssl)
ssl - the SSL instance (SSL *)public static long getTimeout(long ssl)
ssl - the SSL instance (SSL *)public static long setTimeout(long ssl,
long seconds)
ssl - the SSL instance (SSL *)seconds - timeout in secondspublic static void setVerify(long ssl,
int level,
int depth)
This directive sets the Certificate verification level for the Client Authentication. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.
The following levels are available for level:
SSL_CVERIFY_IGNORED - The level is ignored. Only depth will change.SSL_CVERIFY_NONE - No client Certificate is required at allSSL_CVERIFY_OPTIONAL - The client may present a valid CertificateSSL_CVERIFY_REQUIRED - The client has to present a valid CertificatesetCACertificatePath, etc.ssl - the SSL instance (SSL *)level - Type of Client Certificate verification.depth - Maximum depth of CA Certificates in Client Certificate
verification. Ignored if value is <0.public static void setOptions(long ssl,
int options)
ssl - the SSL instance (SSL *)options - See SSL.SSL_OP_* for option flags.public static void clearOptions(long ssl,
int options)
ssl - the SSL instance (SSL *)options - See SSL.SSL_OP_* for option flags.public static int getOptions(long ssl)
ssl - the SSL instance (SSL *)public static int setMode(long ssl,
int mode)
ssl - the SSL instance (SSL *).mode - the modepublic static int getMode(long ssl)
ssl - the SSL instance (SSL *).public static int getMaxWrapOverhead(long ssl)
ssl - the SSL instance (SSL *).public static java.lang.String[] getCiphers(long ssl)
ssl - the SSL instance (SSL *)public static boolean setCipherSuites(long ssl,
java.lang.String ciphers)
throws java.lang.Exception
This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.
ssl - the SSL instance (SSL *)ciphers - an SSL cipher specificationtrue if successfuljava.lang.Exception - if an error happenedpublic static byte[] getSessionId(long ssl)
ssl - the SSL instance (SSL *)public static int getHandshakeCount(long ssl)
ssl - the SSL instance (SSL *)public static void clearError()
public static int renegotiate(long ssl)
ssl - the SSL instance (SSL *)public static void setState(long ssl,
int state)
ssl - the SSL instance (SSL *)state - the state to setpublic static void setTlsExtHostName(long ssl,
java.lang.String hostname)
ssl - the SSL instance (SSL *)hostname - the hostnamepublic static void setHostNameValidation(long ssl,
int flags,
java.lang.String hostname)
X509_CHECK_FLAG* values.ssl - the SSL instance (SSL*).flags - a bitmask of X509_CHECK_FLAG* values.hostname - the hostname which is expected for validation.public static java.lang.String[] authenticationMethods(long ssl)
ssl - the SSL instance (SSL*)public static void setCertificateChainBio(long ssl,
long bio,
boolean skipfirst)
This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.
But be careful: Providing the certificate chain works only if you are using a single (either RSA or DSA) based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Otherwsie the browsers will be confused in this situation.
ssl - Server or Client to use.bio - BIO of PEM-encoded Server CA Certificates.skipfirst - Skip first certificate if chain file is inside
certificate file.public static void setCertificateBio(long ssl,
long certBio,
long keyBio,
java.lang.String password)
throws java.lang.Exception
ssl - Server or Client to use.certBio - Certificate BIO.keyBio - Private Key BIO to use if not in cert.password - Certificate password. If null and certificate
is encrypted.java.lang.Exception - if an error happenedpublic static long parsePrivateKey(long privateKeyBio,
java.lang.String password)
throws java.lang.Exception
EVP_PKEY pointer.
Be sure you understand how OpenSsl will behave with respect to reference counting!
If the EVP_PKEY pointer is used with the client certificate callback
CertificateRequestedCallback the ownership goes over to OpenSsl / Tcnative and so calling
freePrivateKey(long) should NOT be done in this case. Otherwise you may
need to call freePrivateKey(long) to decrement the reference count and free memory.
privateKeyBio - the pointer to the BIO that contains the private keypassword - the password or null if no password is neededEVP_PKEY pointerjava.lang.Exception - if an error happenedpublic static void freePrivateKey(long privateKey)
EVP_PKEY pointer).privateKey - EVP_PKEY pointerpublic static long parseX509Chain(long x509ChainBio)
throws java.lang.Exception
STACK_OF(X509) pointer).
Be sure you understand how OpenSsl will behave with respect to reference counting!
If the STACK_OF(X509) pointer is used with the client certificate callback
CertificateRequestedCallback the ownership goes over to OpenSsl / Tcnative and so calling
freeX509Chain(long) should NOT be done in this case. Otherwise you may
need to call freeX509Chain(long) to decrement the reference count and free memory.
x509ChainBio - the pointer to the BIO that contains the X509 chainSTACK_OF(X509) pointerjava.lang.Exception - if an error happenedpublic static void freeX509Chain(long x509Chain)
STACK_OF(X509) pointer).x509Chain - STACK_OF(X509) pointerpublic static void enableOcsp(long ssl)
SSLEngine or throws an
exception if OCSP stapling is not supported.
NOTE: This needs to happen before the SSL handshake.
public static void setOcspResponse(long ssl,
byte[] response)
SSLEngine or throws an
exception in case of an error.
NOTE: This is only meant to be called for server SSLEngines.
ssl - the SSL instance (SSL *)public static byte[] getOcspResponse(long ssl)
SSLEngine or null
if the server didn't provide a stapled OCSP response.
NOTE: This is only meant to be called for client SSLEngines.
ssl - the SSL instance (SSL *)