Search in sources :

Example 6 with SSLFDProxy

use of org.mozilla.jss.nss.SSLFDProxy in project jss by dogtagpki.

the class JSSEngineReferenceImpl method createBufferFD.

private void createBufferFD() throws SSLException {
    debug("JSSEngine: createBufferFD()");
    // Create the basis for the ssl_fd from the pair of buffers we created
    // above.
    PRFDProxy fd;
    if (peer_info != null && peer_info.length() != 0) {
        // When we have peer information, indicate it via BufferPRFD so
        // that NSS can use it for session resumption.
        fd = PR.NewBufferPRFD(read_buf, write_buf, peer_info.getBytes());
    } else {
        fd = PR.NewBufferPRFD(read_buf, write_buf, null);
    }
    if (fd == null) {
        throw new SSLException("Error creating buffer-backed PRFileDesc.");
    }
    SSLFDProxy model = null;
    if (as_server) {
        // As a performance improvement, we can copy the server template
        // (containing the desired key and certificate) rather than
        // re-creating it from scratch. This saves a significant amount of
        // time during construction. The implementation lives in JSSEngine,
        // to be shared by all other JSSEngine implementations.
        model = getServerTemplate(cert, key);
    }
    // Initialize ssl_fd from the model Buffer-backed PRFileDesc.
    ssl_fd = SSL.ImportFD(model, fd);
    if (ssl_fd == null) {
        PR.Close(fd);
        throw new SSLException("Error creating SSL socket on top of buffer-backed PRFileDesc.");
    }
    fd = null;
    closed_fd = false;
    // Turn on SSL Alert Logging for the ssl_fd object.
    int ret = SSL.EnableAlertLogging(ssl_fd);
    if (ret == SSL.SECFailure) {
        throw new SSLException("Unable to enable SSL Alert Logging on this SSLFDProxy instance.");
    }
    // Turn on notifications of handshake completion. This is the best
    // source of this information, compared to SSL_SecurityStatus().on;
    // the latter can indicate "on" before the final FINISHED method has
    // been sent.
    ret = SSL.EnableHandshakeCallback(ssl_fd);
    if (ret == SSL.SECFailure) {
        throw new SSLException("Unable to enable SSL Handshake Callback on this SSLFDProxy instance.");
    }
// Pass this ssl_fd to the session object so that we can use
// SSL methods to invalidate the session.
}
Also used : PRFDProxy(org.mozilla.jss.nss.PRFDProxy) SSLFDProxy(org.mozilla.jss.nss.SSLFDProxy) SSLException(javax.net.ssl.SSLException)

Example 7 with SSLFDProxy

use of org.mozilla.jss.nss.SSLFDProxy in project jss by dogtagpki.

the class JSSEngine method getServerTemplate.

/**
 * Returns the templated server certificate, if one exists.
 */
protected static SSLFDProxy getServerTemplate(PK11Cert cert, PK11PrivKey key) {
    if (cert == null || key == null) {
        return null;
    }
    SSLFDProxy fd = serverTemplates.get(cert);
    if (fd == null) {
        PRFDProxy base = PR.NewTCPSocket();
        fd = SSL.ImportFD(null, base);
        if (SSL.ConfigServerCert(fd, cert, key) != SSL.SECSuccess) {
            String msg = "Unable to configure certificate and key on ";
            msg += "model SSL PRFileDesc proxy: ";
            msg += errorText(PR.GetError());
            throw new RuntimeException(msg);
        }
        serverTemplates.put(cert, fd);
    }
    return fd;
}
Also used : PRFDProxy(org.mozilla.jss.nss.PRFDProxy) SSLFDProxy(org.mozilla.jss.nss.SSLFDProxy)

Example 8 with SSLFDProxy

use of org.mozilla.jss.nss.SSLFDProxy in project jss by dogtagpki.

the class TestBufferPRFD method TestSSLHandshake.

public static void TestSSLHandshake(String server_nickname, String client_nickname) throws Exception {
    /* Constants */
    String host = "localhost";
    byte[] peer_info = host.getBytes();
    /* Find SSL Server Certificate */
    CryptoManager manager = CryptoManager.getInstance();
    PK11Cert server_cert = (PK11Cert) manager.findCertByNickname(server_nickname);
    PK11PrivKey server_key = (PK11PrivKey) manager.findPrivKeyByCert(server_cert);
    assert (server_cert != null);
    assert (server_key != null);
    /* Find SSL Client Certificate, if nickname given. */
    PK11Cert client_cert = null;
    if (client_nickname != null) {
        client_cert = (PK11Cert) manager.findCertByNickname(client_nickname);
        assert (client_cert != null);
    }
    /* Create Buffers and BufferPRFDs */
    BufferProxy read_buf = Buffer.Create(1024);
    BufferProxy write_buf = Buffer.Create(1024);
    assert (read_buf != null);
    assert (write_buf != null);
    PRFDProxy c_buffer = PR.NewBufferPRFD(read_buf, write_buf, peer_info);
    PRFDProxy s_buffer = PR.NewBufferPRFD(write_buf, read_buf, peer_info);
    assert (c_buffer != null);
    assert (s_buffer != null);
    SSLFDProxy c_nspr = Setup_NSS_Client(c_buffer, host);
    SSLFDProxy s_nspr = Setup_NSS_Server(s_buffer, host, server_cert, server_key);
    assert (c_nspr != null);
    assert (s_nspr != null);
    /* Apply Client Certificate, if given. When given, request it as the
         * server. */
    if (client_cert != null) {
        c_nspr.SetClientCert(client_cert);
        assert (SSL.AttachClientCertCallback(c_nspr) == SSL.SECSuccess);
        assert (SSL.OptionSet(s_nspr, SSL.REQUEST_CERTIFICATE, 1) == SSL.SECSuccess);
    }
    /* Attach alert logging callback handler. */
    assert (SSL.EnableAlertLogging(c_nspr) == SSL.SECSuccess);
    assert (SSL.EnableAlertLogging(s_nspr) == SSL.SECSuccess);
    assert (!IsHandshakeFinished(c_nspr, s_nspr));
    /* Try a handshake */
    int count = 0;
    while (!IsHandshakeFinished(c_nspr, s_nspr)) {
        if (SSL.ForceHandshake(c_nspr) != SSL.SECSuccess) {
            int error = PR.GetError();
            if (error != PRErrors.WOULD_BLOCK_ERROR) {
                System.out.println("Unexpected error: " + new String(PR.ErrorToName(error)) + " (" + error + ")");
                System.exit(1);
            }
        }
        if (SSL.ForceHandshake(s_nspr) != SSL.SECSuccess) {
            int error = PR.GetError();
            if (error != PRErrors.WOULD_BLOCK_ERROR) {
                System.out.println("Unexpected error: " + new String(PR.ErrorToName(error)) + " (" + error + ")");
                System.exit(1);
            }
        }
        count += 1;
        if (count >= 40) {
            System.err.println("Error: unable to make progress after " + count + " steps!");
            System.exit(1);
        }
    }
    System.out.println("Handshake completed successfully!\n");
    assert (IsHandshakeFinished(c_nspr, s_nspr));
    /* Test peer data */
    assert (SSL.PeerCertificate(c_nspr) != null);
    assert (SSL.PeerCertificateChain(c_nspr) != null);
    if (client_nickname == null) {
        assert (SSL.PeerCertificate(s_nspr) == null);
        assert (SSL.PeerCertificateChain(s_nspr) == null);
    } else {
        assert (SSL.PeerCertificate(s_nspr) != null);
        assert (SSL.PeerCertificateChain(s_nspr) != null);
    }
    /* Send data from client -> server */
    byte[] client_message = "Cooking MCs".getBytes();
    assert (PR.Write(c_nspr, client_message) == client_message.length);
    byte[] server_received = PR.Read(s_nspr, client_message.length);
    assert (server_received != null);
    if (server_received.length != client_message.length) {
        System.out.println("Expected a client message of length " + client_message.length + " but got one of " + server_received.length);
        System.exit(1);
    }
    for (int i = 0; i < client_message.length && i < server_received.length; i++) {
        if (client_message[i] != server_received[i]) {
            System.out.println("Received byte " + server_received[i] + " on server but expected " + client_message[i]);
            System.exit(1);
        }
    }
    /* Send data from server -> client */
    byte[] server_message = "like a pound of bacon".getBytes();
    assert (PR.Write(s_nspr, server_message) == server_message.length);
    byte[] client_received = PR.Read(c_nspr, server_message.length);
    assert (client_received != null);
    if (client_received.length != server_message.length) {
        System.out.println("Expected a server message of length " + server_message.length + " but got one of " + client_received.length);
        System.exit(1);
    }
    for (int i = 0; i < server_message.length && i < client_received.length; i++) {
        if (server_message[i] != client_received[i]) {
            System.out.println("Received byte " + client_received[i] + " on client but expected " + server_message[i]);
            System.exit(1);
        }
    }
    /* Close connections */
    assert (PR.Shutdown(c_nspr, PR.SHUTDOWN_BOTH) == PR.SUCCESS);
    assert (PR.Shutdown(s_nspr, PR.SHUTDOWN_BOTH) == PR.SUCCESS);
    /* Print all alerts. */
    for (SSLAlertEvent alert : c_nspr.inboundAlerts) {
        System.err.println("client inbound: " + alert);
    }
    for (SSLAlertEvent alert : c_nspr.outboundAlerts) {
        System.err.println("client outbound: " + alert);
    }
    for (SSLAlertEvent alert : s_nspr.inboundAlerts) {
        System.err.println("server inbound: " + alert);
    }
    for (SSLAlertEvent alert : s_nspr.outboundAlerts) {
        System.err.println("server outbound: " + alert);
    }
    /* Clean up */
    assert (PR.Close(c_nspr) == PR.SUCCESS);
    assert (PR.Close(s_nspr) == PR.SUCCESS);
    Buffer.Free(read_buf);
    Buffer.Free(write_buf);
}
Also used : BufferProxy(org.mozilla.jss.nss.BufferProxy) PRFDProxy(org.mozilla.jss.nss.PRFDProxy) SSLFDProxy(org.mozilla.jss.nss.SSLFDProxy) CryptoManager(org.mozilla.jss.CryptoManager) SSLAlertEvent(org.mozilla.jss.ssl.SSLAlertEvent) PK11PrivKey(org.mozilla.jss.pkcs11.PK11PrivKey) PK11Cert(org.mozilla.jss.pkcs11.PK11Cert)

Example 9 with SSLFDProxy

use of org.mozilla.jss.nss.SSLFDProxy in project jss by dogtagpki.

the class TestRawSSL method TestSSLGetPreliminaryChannelInfo.

public static void TestSSLGetPreliminaryChannelInfo() throws Exception {
    PRFDProxy fd = PR.NewTCPSocket();
    assert (fd != null);
    SSLFDProxy ssl_fd = SSL.ImportFD(null, fd);
    assert (ssl_fd != null);
    SSLPreliminaryChannelInfo r = SSL.GetPreliminaryChannelInfo(ssl_fd);
    assert (r != null);
    assert (r.haveProtocolVersion() == false);
    assert (r.haveCipherSuite() == false);
    assert (r.haveZeroRttCipherSuite() == false);
    assert (r.havePeerAuth() == false);
    System.out.println(r.toString());
    assert (PR.Close(ssl_fd) == PR.SUCCESS);
}
Also used : PRFDProxy(org.mozilla.jss.nss.PRFDProxy) SSLFDProxy(org.mozilla.jss.nss.SSLFDProxy) SSLPreliminaryChannelInfo(org.mozilla.jss.nss.SSLPreliminaryChannelInfo)

Example 10 with SSLFDProxy

use of org.mozilla.jss.nss.SSLFDProxy in project jss by dogtagpki.

the class TestRawSSL method TestSSLSetURL.

public static void TestSSLSetURL() throws Exception {
    PRFDProxy fd = PR.NewTCPSocket();
    assert (fd != null);
    SSLFDProxy ssl_fd = SSL.ImportFD(null, fd);
    assert (ssl_fd != null);
    assert (SSL.SetURL(ssl_fd, "https://google.com") == SSL.SECSuccess);
    assert (PR.Close(ssl_fd) == PR.SUCCESS);
}
Also used : PRFDProxy(org.mozilla.jss.nss.PRFDProxy) SSLFDProxy(org.mozilla.jss.nss.SSLFDProxy)

Aggregations

SSLFDProxy (org.mozilla.jss.nss.SSLFDProxy)13 PRFDProxy (org.mozilla.jss.nss.PRFDProxy)11 SSLException (javax.net.ssl.SSLException)1 CryptoManager (org.mozilla.jss.CryptoManager)1 BufferProxy (org.mozilla.jss.nss.BufferProxy)1 SSLChannelInfo (org.mozilla.jss.nss.SSLChannelInfo)1 SSLPreliminaryChannelInfo (org.mozilla.jss.nss.SSLPreliminaryChannelInfo)1 SecurityStatusResult (org.mozilla.jss.nss.SecurityStatusResult)1 PK11Cert (org.mozilla.jss.pkcs11.PK11Cert)1 PK11PrivKey (org.mozilla.jss.pkcs11.PK11PrivKey)1 SSLAlertEvent (org.mozilla.jss.ssl.SSLAlertEvent)1