org.bouncycastle.est.jcajce.DefaultESTClientSourceProvider Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of bcpkix-fips Show documentation
Show all versions of bcpkix-fips Show documentation
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. The APIs are designed primarily to be used in conjunction with the BC FIPS provider. The APIs may also be used with other providers although if being used in a FIPS context it is the responsibility of the user to ensure that any other providers used are FIPS certified.
package org.bouncycastle.est.jcajce;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.est.ESTClientSourceProvider;
import org.bouncycastle.est.Source;
import org.bouncycastle.util.Strings;
class DefaultESTClientSourceProvider
implements ESTClientSourceProvider
{
private final SSLSocketFactory sslSocketFactory;
private final JsseHostnameAuthorizer hostNameAuthorizer;
private final int timeout;
private final ChannelBindingProvider bindingProvider;
private final Set cipherSuites;
private final Long absoluteLimit;
private final boolean filterSupportedSuites;
public DefaultESTClientSourceProvider(
SSLSocketFactory socketFactory,
JsseHostnameAuthorizer hostNameAuthorizer,
int timeout, ChannelBindingProvider bindingProvider,
Set cipherSuites, Long absoluteLimit,
boolean filterSupportedSuites)
throws GeneralSecurityException
{
this.sslSocketFactory = socketFactory;
this.hostNameAuthorizer = hostNameAuthorizer;
this.timeout = timeout;
this.bindingProvider = bindingProvider;
this.cipherSuites = cipherSuites;
this.absoluteLimit = absoluteLimit;
this.filterSupportedSuites = filterSupportedSuites;
}
public Source makeSource(String host, int port)
throws IOException
{
SSLSocket sock = (SSLSocket)sslSocketFactory.createSocket(host, port);
sock.setSoTimeout(timeout);
if (cipherSuites != null && !cipherSuites.isEmpty())
{
// Filter supplied list with what is actually supported.
if (filterSupportedSuites)
{
HashSet fs = new HashSet();
String[] supportedCipherSuites = sock.getSupportedCipherSuites();
for (int i = 0; i != supportedCipherSuites.length; i++)
{
fs.add(supportedCipherSuites[i]);
}
List j = new ArrayList();
for (Iterator it = cipherSuites.iterator(); it.hasNext();)
{
String s = (String)it.next();
if (fs.contains(s))
{
j.add(s);
}
}
if (j.isEmpty())
{
throw new IllegalStateException("No supplied cipher suite is supported by the provider.");
}
sock.setEnabledCipherSuites(j.toArray(new String[j.size()]));
}
else
{
sock.setEnabledCipherSuites(cipherSuites.toArray(new String[cipherSuites.size()]));
}
}
sock.startHandshake();
if (hostNameAuthorizer != null)
{
if (!hostNameAuthorizer.verified(host, sock.getSession()))
{
throw new IOException("Host name could not be verified.");
}
}
{
String t = Strings.toLowerCase(sock.getSession().getCipherSuite());
if (t.contains("_des_") || t.contains("_des40_") || t.contains("_3des_"))
{
throw new IOException("EST clients must not use DES ciphers");
}
}
// check for use of null cipher and fail.
if (Strings.toLowerCase(sock.getSession().getCipherSuite()).contains("null"))
{
throw new IOException("EST clients must not use NULL ciphers");
}
// check for use of anon cipher and fail.
if (Strings.toLowerCase(sock.getSession().getCipherSuite()).contains("anon"))
{
throw new IOException("EST clients must not use anon ciphers");
}
// check for use of export cipher.
if (Strings.toLowerCase(sock.getSession().getCipherSuite()).contains("export"))
{
throw new IOException("EST clients must not use export ciphers");
}
if (sock.getSession().getProtocol().equalsIgnoreCase("tlsv1"))
{
try
{
sock.close();
}
catch (Exception ex)
{
// Deliberately ignored.
}
throw new IOException("EST clients must not use TLSv1");
}
if (hostNameAuthorizer != null && !hostNameAuthorizer.verified(host, sock.getSession()))
{
throw new IOException("Hostname was not verified: " + host);
}
return new LimitedSSLSocketSource(sock, bindingProvider, absoluteLimit);
}
}
© 2015 - 2024 Weber Informatics LLC | Privacy Policy