org.bouncycastle.est.jcajce.DefaultESTClientSourceProvider Maven / Gradle / Ivy

Go to download
Show more of this group Show more artifacts with this name
Show all versions of bcpkix-jdk15on Show documentation
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
The newest version!
package org.bouncycastle.est.jcajce;


import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import org.bouncycastle.est.ESTClientSourceProvider;
import org.bouncycastle.est.Source;
import org.bouncycastle.util.Strings;

class DefaultESTClientSourceProvider
    implements ESTClientSourceProvider
{

    private final SSLSocketFactory sslSocketFactory;
    private final JsseHostnameAuthorizer hostNameAuthorizer;
    private final int timeout;
    private final ChannelBindingProvider bindingProvider;
    private final Set cipherSuites;
    private final Long absoluteLimit;
    private final boolean filterSupportedSuites;


    public DefaultESTClientSourceProvider(
        SSLSocketFactory socketFactory,
        JsseHostnameAuthorizer hostNameAuthorizer,
        int timeout, ChannelBindingProvider bindingProvider,
        Set cipherSuites, Long absoluteLimit,
        boolean filterSupportedSuites)
        throws GeneralSecurityException
    {
        this.sslSocketFactory = socketFactory;
        this.hostNameAuthorizer = hostNameAuthorizer;
        this.timeout = timeout;
        this.bindingProvider = bindingProvider;
        this.cipherSuites = cipherSuites;
        this.absoluteLimit = absoluteLimit;
        this.filterSupportedSuites = filterSupportedSuites;
    }


    public Source makeSource(String host, int port)
        throws IOException
    {
        SSLSocket sock = (SSLSocket)sslSocketFactory.createSocket(host, port);
        sock.setSoTimeout(timeout);

        if (cipherSuites != null && !cipherSuites.isEmpty())
        {
            // Filter supplied list with what is actually supported.
            if (filterSupportedSuites)
            {
                HashSet fs = new HashSet();
                String[] supportedCipherSuites = sock.getSupportedCipherSuites();
                for (int i = 0; i != supportedCipherSuites.length; i++)
                {
                    fs.add(supportedCipherSuites[i]);
                }

                List j = new ArrayList();
                for (Iterator it = cipherSuites.iterator(); it.hasNext();)
                {
                    String s = (String)it.next();
                    if (fs.contains(s))
                    {
                        j.add(s);
                    }
                }

                if (j.isEmpty())
                {
                    throw new IllegalStateException("No supplied cipher suite is supported by the provider.");
                }

                sock.setEnabledCipherSuites(j.toArray(new String[j.size()]));
            }
            else
            {
                sock.setEnabledCipherSuites(cipherSuites.toArray(new String[cipherSuites.size()]));
            }
        }


        sock.startHandshake();

        if (hostNameAuthorizer != null)
        {
            if (!hostNameAuthorizer.verified(host, sock.getSession()))
            {
                throw new IOException("Host name could not be verified.");
            }
        }

        {
            String t = Strings.toLowerCase(sock.getSession().getCipherSuite());
            if (t.contains("_des_") || t.contains("_des40_") || t.contains("_3des_"))
            {
                throw new IOException("EST clients must not use DES ciphers");
            }
        }

        // check for use of null cipher and fail.
        if (Strings.toLowerCase(sock.getSession().getCipherSuite()).contains("null"))
        {
            throw new IOException("EST clients must not use NULL ciphers");
        }

        // check for use of anon cipher and fail.
        if (Strings.toLowerCase(sock.getSession().getCipherSuite()).contains("anon"))
        {
            throw new IOException("EST clients must not use anon ciphers");
        }

        // check for use of export cipher.
        if (Strings.toLowerCase(sock.getSession().getCipherSuite()).contains("export"))
        {
            throw new IOException("EST clients must not use export ciphers");
        }

        if (sock.getSession().getProtocol().equalsIgnoreCase("tlsv1"))
        {
            try
            {
                sock.close();
            }
            catch (Exception ex)
            {
                // Deliberately ignored.
            }
            throw new IOException("EST clients must not use TLSv1");
        }


        if (hostNameAuthorizer != null && !hostNameAuthorizer.verified(host, sock.getSession()))
        {
            throw new IOException("Hostname was not verified: " + host);
        }
        return new LimitedSSLSocketSource(sock, bindingProvider, absoluteLimit);
    }
}