use of org.mozilla.jss.nss.SSLFDProxy in project jss by dogtagpki.
the class JSSEngineReferenceImpl method createBufferFD.
private void createBufferFD() throws SSLException {
debug("JSSEngine: createBufferFD()");
// Create the basis for the ssl_fd from the pair of buffers we created
// above.
PRFDProxy fd;
if (peer_info != null && peer_info.length() != 0) {
// When we have peer information, indicate it via BufferPRFD so
// that NSS can use it for session resumption.
fd = PR.NewBufferPRFD(read_buf, write_buf, peer_info.getBytes());
} else {
fd = PR.NewBufferPRFD(read_buf, write_buf, null);
}
if (fd == null) {
throw new SSLException("Error creating buffer-backed PRFileDesc.");
}
SSLFDProxy model = null;
if (as_server) {
// As a performance improvement, we can copy the server template
// (containing the desired key and certificate) rather than
// re-creating it from scratch. This saves a significant amount of
// time during construction. The implementation lives in JSSEngine,
// to be shared by all other JSSEngine implementations.
model = getServerTemplate(cert, key);
}
// Initialize ssl_fd from the model Buffer-backed PRFileDesc.
ssl_fd = SSL.ImportFD(model, fd);
if (ssl_fd == null) {
PR.Close(fd);
throw new SSLException("Error creating SSL socket on top of buffer-backed PRFileDesc.");
}
fd = null;
closed_fd = false;
// Turn on SSL Alert Logging for the ssl_fd object.
int ret = SSL.EnableAlertLogging(ssl_fd);
if (ret == SSL.SECFailure) {
throw new SSLException("Unable to enable SSL Alert Logging on this SSLFDProxy instance.");
}
// Turn on notifications of handshake completion. This is the best
// source of this information, compared to SSL_SecurityStatus().on;
// the latter can indicate "on" before the final FINISHED method has
// been sent.
ret = SSL.EnableHandshakeCallback(ssl_fd);
if (ret == SSL.SECFailure) {
throw new SSLException("Unable to enable SSL Handshake Callback on this SSLFDProxy instance.");
}
// Pass this ssl_fd to the session object so that we can use
// SSL methods to invalidate the session.
}
use of org.mozilla.jss.nss.SSLFDProxy in project jss by dogtagpki.
the class JSSEngine method getServerTemplate.
/**
* Returns the templated server certificate, if one exists.
*/
protected static SSLFDProxy getServerTemplate(PK11Cert cert, PK11PrivKey key) {
if (cert == null || key == null) {
return null;
}
SSLFDProxy fd = serverTemplates.get(cert);
if (fd == null) {
PRFDProxy base = PR.NewTCPSocket();
fd = SSL.ImportFD(null, base);
if (SSL.ConfigServerCert(fd, cert, key) != SSL.SECSuccess) {
String msg = "Unable to configure certificate and key on ";
msg += "model SSL PRFileDesc proxy: ";
msg += errorText(PR.GetError());
throw new RuntimeException(msg);
}
serverTemplates.put(cert, fd);
}
return fd;
}
use of org.mozilla.jss.nss.SSLFDProxy in project jss by dogtagpki.
the class TestBufferPRFD method TestSSLHandshake.
public static void TestSSLHandshake(String server_nickname, String client_nickname) throws Exception {
/* Constants */
String host = "localhost";
byte[] peer_info = host.getBytes();
/* Find SSL Server Certificate */
CryptoManager manager = CryptoManager.getInstance();
PK11Cert server_cert = (PK11Cert) manager.findCertByNickname(server_nickname);
PK11PrivKey server_key = (PK11PrivKey) manager.findPrivKeyByCert(server_cert);
assert (server_cert != null);
assert (server_key != null);
/* Find SSL Client Certificate, if nickname given. */
PK11Cert client_cert = null;
if (client_nickname != null) {
client_cert = (PK11Cert) manager.findCertByNickname(client_nickname);
assert (client_cert != null);
}
/* Create Buffers and BufferPRFDs */
BufferProxy read_buf = Buffer.Create(1024);
BufferProxy write_buf = Buffer.Create(1024);
assert (read_buf != null);
assert (write_buf != null);
PRFDProxy c_buffer = PR.NewBufferPRFD(read_buf, write_buf, peer_info);
PRFDProxy s_buffer = PR.NewBufferPRFD(write_buf, read_buf, peer_info);
assert (c_buffer != null);
assert (s_buffer != null);
SSLFDProxy c_nspr = Setup_NSS_Client(c_buffer, host);
SSLFDProxy s_nspr = Setup_NSS_Server(s_buffer, host, server_cert, server_key);
assert (c_nspr != null);
assert (s_nspr != null);
/* Apply Client Certificate, if given. When given, request it as the
* server. */
if (client_cert != null) {
c_nspr.SetClientCert(client_cert);
assert (SSL.AttachClientCertCallback(c_nspr) == SSL.SECSuccess);
assert (SSL.OptionSet(s_nspr, SSL.REQUEST_CERTIFICATE, 1) == SSL.SECSuccess);
}
/* Attach alert logging callback handler. */
assert (SSL.EnableAlertLogging(c_nspr) == SSL.SECSuccess);
assert (SSL.EnableAlertLogging(s_nspr) == SSL.SECSuccess);
assert (!IsHandshakeFinished(c_nspr, s_nspr));
/* Try a handshake */
int count = 0;
while (!IsHandshakeFinished(c_nspr, s_nspr)) {
if (SSL.ForceHandshake(c_nspr) != SSL.SECSuccess) {
int error = PR.GetError();
if (error != PRErrors.WOULD_BLOCK_ERROR) {
System.out.println("Unexpected error: " + new String(PR.ErrorToName(error)) + " (" + error + ")");
System.exit(1);
}
}
if (SSL.ForceHandshake(s_nspr) != SSL.SECSuccess) {
int error = PR.GetError();
if (error != PRErrors.WOULD_BLOCK_ERROR) {
System.out.println("Unexpected error: " + new String(PR.ErrorToName(error)) + " (" + error + ")");
System.exit(1);
}
}
count += 1;
if (count >= 40) {
System.err.println("Error: unable to make progress after " + count + " steps!");
System.exit(1);
}
}
System.out.println("Handshake completed successfully!\n");
assert (IsHandshakeFinished(c_nspr, s_nspr));
/* Test peer data */
assert (SSL.PeerCertificate(c_nspr) != null);
assert (SSL.PeerCertificateChain(c_nspr) != null);
if (client_nickname == null) {
assert (SSL.PeerCertificate(s_nspr) == null);
assert (SSL.PeerCertificateChain(s_nspr) == null);
} else {
assert (SSL.PeerCertificate(s_nspr) != null);
assert (SSL.PeerCertificateChain(s_nspr) != null);
}
/* Send data from client -> server */
byte[] client_message = "Cooking MCs".getBytes();
assert (PR.Write(c_nspr, client_message) == client_message.length);
byte[] server_received = PR.Read(s_nspr, client_message.length);
assert (server_received != null);
if (server_received.length != client_message.length) {
System.out.println("Expected a client message of length " + client_message.length + " but got one of " + server_received.length);
System.exit(1);
}
for (int i = 0; i < client_message.length && i < server_received.length; i++) {
if (client_message[i] != server_received[i]) {
System.out.println("Received byte " + server_received[i] + " on server but expected " + client_message[i]);
System.exit(1);
}
}
/* Send data from server -> client */
byte[] server_message = "like a pound of bacon".getBytes();
assert (PR.Write(s_nspr, server_message) == server_message.length);
byte[] client_received = PR.Read(c_nspr, server_message.length);
assert (client_received != null);
if (client_received.length != server_message.length) {
System.out.println("Expected a server message of length " + server_message.length + " but got one of " + client_received.length);
System.exit(1);
}
for (int i = 0; i < server_message.length && i < client_received.length; i++) {
if (server_message[i] != client_received[i]) {
System.out.println("Received byte " + client_received[i] + " on client but expected " + server_message[i]);
System.exit(1);
}
}
/* Close connections */
assert (PR.Shutdown(c_nspr, PR.SHUTDOWN_BOTH) == PR.SUCCESS);
assert (PR.Shutdown(s_nspr, PR.SHUTDOWN_BOTH) == PR.SUCCESS);
/* Print all alerts. */
for (SSLAlertEvent alert : c_nspr.inboundAlerts) {
System.err.println("client inbound: " + alert);
}
for (SSLAlertEvent alert : c_nspr.outboundAlerts) {
System.err.println("client outbound: " + alert);
}
for (SSLAlertEvent alert : s_nspr.inboundAlerts) {
System.err.println("server inbound: " + alert);
}
for (SSLAlertEvent alert : s_nspr.outboundAlerts) {
System.err.println("server outbound: " + alert);
}
/* Clean up */
assert (PR.Close(c_nspr) == PR.SUCCESS);
assert (PR.Close(s_nspr) == PR.SUCCESS);
Buffer.Free(read_buf);
Buffer.Free(write_buf);
}
use of org.mozilla.jss.nss.SSLFDProxy in project jss by dogtagpki.
the class TestRawSSL method TestSSLGetPreliminaryChannelInfo.
public static void TestSSLGetPreliminaryChannelInfo() throws Exception {
PRFDProxy fd = PR.NewTCPSocket();
assert (fd != null);
SSLFDProxy ssl_fd = SSL.ImportFD(null, fd);
assert (ssl_fd != null);
SSLPreliminaryChannelInfo r = SSL.GetPreliminaryChannelInfo(ssl_fd);
assert (r != null);
assert (r.haveProtocolVersion() == false);
assert (r.haveCipherSuite() == false);
assert (r.haveZeroRttCipherSuite() == false);
assert (r.havePeerAuth() == false);
System.out.println(r.toString());
assert (PR.Close(ssl_fd) == PR.SUCCESS);
}
use of org.mozilla.jss.nss.SSLFDProxy in project jss by dogtagpki.
the class TestRawSSL method TestSSLSetURL.
public static void TestSSLSetURL() throws Exception {
PRFDProxy fd = PR.NewTCPSocket();
assert (fd != null);
SSLFDProxy ssl_fd = SSL.ImportFD(null, fd);
assert (ssl_fd != null);
assert (SSL.SetURL(ssl_fd, "https://google.com") == SSL.SECSuccess);
assert (PR.Close(ssl_fd) == PR.SUCCESS);
}
Aggregations