
Example 21 with SNIHostName

use of javax.net.ssl.SNIHostName in project service-proxy by membrane.

the class SSLExplorer method exploreSNIExt.

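/*
 * Wire layout of the ClientHello "server_name" extension data (RFC 6066, section 3):
 *
 * struct {
 *     NameType name_type;
 *     select (name_type) {
 *         case host_name: HostName;
 *     } name;
 * } ServerName;
 *
 * enum {
 *     host_name(0), (255)
 * } NameType;
 *
 * opaque HostName<1..2^16-1>;
 *
 * struct {
 *     ServerName server_name_list<1..2^16-1>
 * } ServerNameList;
 */
/**
 * Parses the data of a ClientHello {@code server_name} extension into the
 * {@link SNIServerName}s it carries, in wire order.
 *
 * @param input  buffer positioned at the first byte of the extension data; on success
 *               exactly {@code extLen} bytes have been consumed from it
 * @param extLen length of the extension data as declared in the ClientHello
 * @return an unmodifiable list with at most one entry per name type
 * @throws SSLProtocolException if the extension is empty (the ServerHello form),
 *         truncated, padded, declares a name that does not fit inside the extension,
 *         or repeats a name type
 */
private static List<SNIServerName> exploreSNIExt(ByteBuffer input, int extLen) throws IOException {
    // Keyed by name type so a repeated type is detected; LinkedHashMap keeps wire order.
    Map<Integer, SNIServerName> sniMap = new LinkedHashMap<Integer, SNIServerName>();
    int remains = extLen;
    if (extLen >= 2) {
        // "server_name" extension in ClientHello: uint16 length of server_name_list,
        // which must account for the whole of the extension data.
        int listLen = getInt16(input);
        if (listLen == 0 || listLen + 2 != extLen) {
            throw new SSLProtocolException("Invalid server name indication extension");
        }
        // 0x02: the length field of server_name_list
        remains -= 2;
        while (remains > 0) {
            // Each ServerName is prefixed by a 1-byte name_type and a 2-byte length.
            // Refuse to read that header from bytes that belong to the next extension.
            if (remains < 3) {
                throw new SSLProtocolException("Not enough data to fill declared vector size");
            }
            // name_type
            int code = getInt8(input);
            // length field of server name
            int snLen = getInt16(input);
            remains -= 3;
            // The name must fit in what is left of *this* extension. Comparing against the
            // pre-header remainder (as before) let a hostile length run 3 bytes past the
            // extension into adjacent data, or underflow the buffer with an unchecked exception.
            if (snLen > remains) {
                throw new SSLProtocolException("Not enough data to fill declared vector size");
            }
            byte[] encoded = new byte[snLen];
            input.get(encoded);
            remains -= snLen;
            SNIServerName serverName;
            switch(code) {
                case StandardConstants.SNI_HOST_NAME:
                    if (encoded.length == 0) {
                        throw new SSLProtocolException("Empty HostName in server name indication");
                    }
                    // NOTE(review): SNIHostName(byte[]) throws IllegalArgumentException for a
                    // name it considers illegal; callers parsing untrusted ClientHellos must
                    // expect that alongside SSLProtocolException.
                    serverName = new SNIHostName(encoded);
                    break;
                default:
                    serverName = new UnknownServerName(code, encoded);
            }
            // check for duplicated server name type
            if (sniMap.put(serverName.getType(), serverName) != null) {
                throw new SSLProtocolException("Duplicated server name of type " + serverName.getType());
            }
        }
    } else if (extLen == 0) {
        // A zero-length server_name extension is the ServerHello form, never valid here.
        throw new SSLProtocolException("Not server name indication extension in client");
    }
    // extLen == 1 falls through with remains == 1; any leftover after the loop is padding.
    if (remains != 0) {
        throw new SSLProtocolException("Invalid server name indication extension");
    }
    return Collections.<SNIServerName>unmodifiableList(new ArrayList<SNIServerName>(sniMap.values()));
}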
Also used : SNIServerName(javax.net.ssl.SNIServerName) SSLProtocolException(javax.net.ssl.SSLProtocolException) SNIHostName(javax.net.ssl.SNIHostName) LinkedHashMap(java.util.LinkedHashMap)

Example 22 with SNIHostName

use of javax.net.ssl.SNIHostName in project netty by netty.

the class SSLEngineTest method testUsingX509TrustManagerVerifiesHostname.

/**
 * Checks that the JDK endpoint-identification ("HTTPS") hostname check is applied
 * independently of the X509TrustManager: the trust manager below accepts every chain,
 * yet the handshake must still fail unless the name the client verifies matches the
 * server certificate.
 *
 * The client engine is created for peer host "127.0.0.1", which does not match the
 * certificate's "something.netty.io". With {@code useSNI} the matching FQDN is sent in
 * the server_name extension and the handshake is expected to succeed; without it the
 * handshake is expected to fail with an {@link SSLException}.
 *
 * NOTE: the accept-everything trust manager exists only to isolate the hostname check
 * in this test; it must never be copied into production code.
 *
 * @param param  engine/buffer configuration under test
 * @param useSNI whether the client announces the certificate's FQDN via SNI
 */
private void testUsingX509TrustManagerVerifiesHostname(SSLEngineTestParam param, boolean useSNI) throws Exception {
    if (clientSslContextProvider() != null) {
        // Not supported when using conscrypt
        return;
    }
    final String fqdn = "something.netty.io";
    final SelfSignedCertificate cert = new SelfSignedCertificate(fqdn);

    // A TrustManagerFactory whose single trust manager accepts any certificate chain.
    final TrustManagerFactorySpi acceptAllSpi = new TrustManagerFactorySpi() {

        @Override
        protected void engineInit(KeyStore keyStore) {
            // nothing to initialise: no key store is consulted
        }

        @Override
        protected void engineInit(ManagerFactoryParameters managerFactoryParameters) {
            // nothing to initialise: parameters are ignored
        }

        @Override
        protected TrustManager[] engineGetTrustManagers() {
            final X509TrustManager acceptAll = new X509TrustManager() {

                @Override
                public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
                    // accept unconditionally (test only)
                }

                @Override
                public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {
                    // accept unconditionally (test only)
                }

                @Override
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return EmptyArrays.EMPTY_X509_CERTIFICATES;
                }
            };
            return new TrustManager[] { acceptAll };
        }
    };
    // TrustManagerFactory's constructor is protected, hence the empty anonymous subclass.
    final TrustManagerFactory acceptAllFactory =
            new TrustManagerFactory(acceptAllSpi, null, TrustManagerFactory.getDefaultAlgorithm()) {
            };

    clientSslCtx = wrapContext(param, SslContextBuilder.forClient()
            .trustManager(acceptAllFactory)
            .sslContextProvider(clientSslContextProvider())
            .sslProvider(sslClientProvider())
            .build());
    final SSLEngine client = wrapEngine(clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT, "127.0.0.1", 1234));
    final SSLParameters clientParams = client.getSSLParameters();
    clientParams.setEndpointIdentificationAlgorithm("HTTPS");
    if (useSNI) {
        clientParams.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(fqdn)));
    }
    client.setSSLParameters(clientParams);

    serverSslCtx = wrapContext(param, SslContextBuilder.forServer(cert.certificate(), cert.privateKey())
            .sslContextProvider(serverSslContextProvider())
            .sslProvider(sslServerProvider())
            .build());
    final SSLEngine server = wrapEngine(serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT));

    try {
        handshake(param.type(), param.delegate(), client, server);
        if (!useSNI) {
            // Without SNI the name check must have rejected the handshake.
            fail();
        }
    } catch (SSLException handshakeFailure) {
        if (useSNI) {
            throw handshakeFailure;
        }
        // Expected: peer host "127.0.0.1" does not match the certificate's FQDN.
    } finally {
        cleanupClientSslEngine(client);
        cleanupServerSslEngine(server);
        cert.delete();
    }
}
Also used : SelfSignedCertificate(io.netty.handler.ssl.util.SelfSignedCertificate) SSLEngine(javax.net.ssl.SSLEngine) KeyStore(java.security.KeyStore) SSLException(javax.net.ssl.SSLException) X509Certificate(javax.security.cert.X509Certificate) SSLParameters(javax.net.ssl.SSLParameters) X509TrustManager(javax.net.ssl.X509TrustManager) SNIHostName(javax.net.ssl.SNIHostName) SimpleTrustManagerFactory(io.netty.handler.ssl.util.SimpleTrustManagerFactory) InsecureTrustManagerFactory(io.netty.handler.ssl.util.InsecureTrustManagerFactory) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) TrustManagerFactorySpi(javax.net.ssl.TrustManagerFactorySpi) ManagerFactoryParameters(javax.net.ssl.ManagerFactoryParameters)

Example 23 with SNIHostName

use of javax.net.ssl.SNIHostName in project netty by netty.

the class Java8SslUtils method getSniHostNames.

/**
 * Extracts the ASCII host names from the SNI server-name list of {@code sslParameters}.
 *
 * @param sslParameters parameters whose {@link SSLParameters#getServerNames()} is read
 * @return the names in list order, or an empty list when no server names are set
 * @throws IllegalArgumentException if any entry is not an {@link SNIHostName}
 *         (other server-name types have no host-name representation)
 */
static List<String> getSniHostNames(SSLParameters sslParameters) {
    final List<SNIServerName> serverNames = sslParameters.getServerNames();
    // getServerNames() is null when nothing was configured.
    if (serverNames == null || serverNames.isEmpty()) {
        return Collections.emptyList();
    }
    final List<String> hostNames = new ArrayList<String>(serverNames.size());
    for (SNIServerName name : serverNames) {
        if (!(name instanceof SNIHostName)) {
            throw new IllegalArgumentException("Only " + SNIHostName.class.getName() + " instances are supported, but found: " + name);
        }
        hostNames.add(((SNIHostName) name).getAsciiName());
    }
    return hostNames;
}
Also used : SNIServerName(javax.net.ssl.SNIServerName) SNIHostName(javax.net.ssl.SNIHostName) ArrayList(java.util.ArrayList)

Example 24 with SNIHostName

use of javax.net.ssl.SNIHostName in project Conversations by siacs.

the class SSLSocketHelper method setHostnameNougat.

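/**
 * Sends {@code hostname} in the TLS server_name (SNI) extension of {@code socket}.
 *
 * The socket's current parameters are read back and only the server-name list is
 * replaced. Installing a fresh {@code new SSLParameters()} instead (as this method used
 * to) resets everything else {@link SSLSocket#setSSLParameters} applies: the endpoint
 * identification algorithm becomes null (hostname verification off), want/needClientAuth
 * fall back to false, and algorithm constraints are dropped. A caller that had enabled
 * hostname verification on the socket before calling this would lose it silently.
 *
 * @param socket   SSL socket to configure before its handshake starts
 * @param hostname server name to send; must be a valid SNI host name
 * @throws IllegalArgumentException if {@code hostname} is not a valid SNI host name
 *         (see {@link SNIHostName#SNIHostName(String)})
 */
@RequiresApi(api = Build.VERSION_CODES.N)
private static void setHostnameNougat(final SSLSocket socket, final String hostname) {
    final SSLParameters parameters = socket.getSSLParameters();
    parameters.setServerNames(Collections.singletonList(new SNIHostName(hostname)));
    socket.setSSLParameters(parameters);
}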
Also used : SSLParameters(javax.net.ssl.SSLParameters) SNIHostName(javax.net.ssl.SNIHostName) RequiresApi(androidx.annotation.RequiresApi)

Example 25 with SNIHostName

use of javax.net.ssl.SNIHostName in project mongo-java-driver by mongodb.

the class ServerTlsChannel method getServerNameIndication.

/**
 * Peeks at the first TLS record from {@code underlying} and returns the SNI host name
 * found in it, without consuming the record.
 *
 * Bytes are read into {@code inEncrypted} until the buffer holds the whole record
 * (presumably sized by {@code readRecordHeaderSize()} — confirm), the buffer is flipped
 * for {@code TlsExplorer.explore}, then compacted so whatever explore() left unread is
 * still queued for the real handshake.
 *
 * @return the {@code host_name} entry of the server_name extension, or empty when there
 *         is no such entry or it is not an {@link SNIHostName}
 * @throws IOException  if reading from the channel fails
 * @throws EofException presumably when the channel ends before the record is complete
 *                      (raised inside readFromChannel — confirm)
 */
private Optional<SNIServerName> getServerNameIndication() throws IOException, EofException {
    inEncrypted.prepare();
    try {
        final int recordSize = readRecordHeaderSize();
        // Keep pulling from the channel until the full record is buffered; grow on demand.
        while (inEncrypted.buffer.position() < recordSize) {
            if (!inEncrypted.buffer.hasRemaining()) {
                inEncrypted.enlarge();
            }
            // IO block
            TlsChannelImpl.readFromChannel(underlying, inEncrypted.buffer);
        }
        // Cast to Buffer keeps this source-compatible with Java 8 (flip() was not covariant there).
        ((Buffer) inEncrypted.buffer).flip();
        final Map<Integer, SNIServerName> namesByType = TlsExplorer.explore(inEncrypted.buffer);
        inEncrypted.buffer.compact();
        final SNIServerName hostNameEntry = namesByType.get(StandardConstants.SNI_HOST_NAME);
        // instanceof is false for null, so a separate null check is unnecessary.
        if (!(hostNameEntry instanceof SNIHostName)) {
            return Optional.empty();
        }
        return Optional.<SNIServerName>of((SNIHostName) hostNameEntry);
    } finally {
        inEncrypted.release();
    }
}
Also used : ByteBuffer(java.nio.ByteBuffer) Buffer(java.nio.Buffer) SNIServerName(javax.net.ssl.SNIServerName) SNIHostName(javax.net.ssl.SNIHostName)
