1 /* 2 * Copyright 2016 The Netty Project 3 * 4 * The Netty Project licenses this file to you under the Apache License, 5 * version 2.0 (the "License"); you may not use this file except in compliance 6 * with the License. You may obtain a copy of the License at: 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 13 * License for the specific language governing permissions and limitations 14 * under the License. 15 */ 16 /* 17 * Licensed to the Apache Software Foundation (ASF) under one or more 18 * contributor license agreements. See the NOTICE file distributed with 19 * this work for additional information regarding copyright ownership. 20 * The ASF licenses this file to You under the Apache License, Version 2.0 21 * (the "License"); you may not use this file except in compliance with 22 * the License. You may obtain a copy of the License at 23 * 24 * http://www.apache.org/licenses/LICENSE-2.0 25 * 26 * Unless required by applicable law or agreed to in writing, software 27 * distributed under the License is distributed on an "AS IS" BASIS, 28 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 29 * See the License for the specific language governing permissions and 30 * limitations under the License. 31 */ 32 package io.netty.internal.tcnative; 33 34 import java.nio.ByteBuffer; 35 36 import static io.netty.internal.tcnative.NativeStaticallyReferencedJniMethods.*; 37 38 public final class SSL { 39 SSL()40 private SSL() { } 41 42 /* 43 * Define the SSL Protocol options 44 */ 45 public static final int SSL_PROTOCOL_NONE = 0; 46 public static final int SSL_PROTOCOL_SSLV2 = (1<<0); 47 public static final int SSL_PROTOCOL_SSLV3 = (1<<1); 48 public static final int SSL_PROTOCOL_TLSV1 = (1<<2); 49 public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3); 50 public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4); 51 52 /** TLS_*method according to <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_new.html">SSL_CTX_new</a> */ 53 public static final int SSL_PROTOCOL_TLS = (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2); 54 public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_TLS); 55 56 /* 57 * Define the SSL verify levels 58 */ 59 public static final int SSL_CVERIFY_IGNORED = -1; 60 public static final int SSL_CVERIFY_NONE = 0; 61 public static final int SSL_CVERIFY_OPTIONAL = 1; 62 public static final int SSL_CVERIFY_REQUIRED = 2; 63 64 public static final int SSL_OP_CIPHER_SERVER_PREFERENCE = sslOpCipherServerPreference(); 65 public static final int SSL_OP_NO_SSLv2 = sslOpNoSSLv2(); 66 public static final int SSL_OP_NO_SSLv3 = sslOpNoSSLv3(); 67 public static final int SSL_OP_NO_TLSv1 = sslOpNoTLSv1(); 68 public static final int SSL_OP_NO_TLSv1_1 = sslOpNoTLSv11(); 69 public static final int SSL_OP_NO_TLSv1_2 = sslOpNoTLSv12(); 70 public static final int SSL_OP_NO_TICKET = sslOpNoTicket(); 71 72 public static final int SSL_OP_NO_COMPRESSION = sslOpNoCompression(); 73 74 public static final int SSL_MODE_CLIENT = 0; 75 public static final int SSL_MODE_SERVER = 1; 76 public static final int SSL_MODE_COMBINED = 2; 77 78 public static final long SSL_SESS_CACHE_OFF = sslSessCacheOff(); 79 public static final long SSL_SESS_CACHE_SERVER = sslSessCacheServer(); 80 81 public static final int SSL_SELECTOR_FAILURE_NO_ADVERTISE = 0; 82 public static final int SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL = 1; 83 84 public static final int SSL_ST_CONNECT = sslStConnect(); 85 public static final int SSL_ST_ACCEPT = sslStAccept(); 86 87 public static final int SSL_MODE_ENABLE_PARTIAL_WRITE = sslModeEnablePartialWrite(); 88 public static final int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER = sslModeAcceptMovingWriteBuffer(); 89 public static final int SSL_MODE_RELEASE_BUFFERS = sslModeReleaseBuffers(); 90 91 // https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.html 92 public static final int X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = x509CheckFlagAlwaysCheckSubject(); 93 public static final int X509_CHECK_FLAG_NO_WILD_CARDS = x509CheckFlagDisableWildCards(); 94 public static final int X509_CHECK_FLAG_NO_PARTIAL_WILD_CARDS = x509CheckFlagNoPartialWildCards(); 95 public static final int X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = x509CheckFlagMultiLabelWildCards(); 96 97 /* Return OpenSSL version number */ version()98 public static native int version(); 99 100 /* Return OpenSSL version string */ versionString()101 public static native String versionString(); 102 103 /** 104 * Initialize OpenSSL support. 105 * 106 * This function needs to be called once for the 107 * lifetime of JVM. See {@link Library#initialize(String, String)} 108 * 109 * @param engine Support for external a Crypto Device ("engine"), 110 * usually a hardware accelerator card for crypto operations. 111 * @return APR status code 112 */ initialize(String engine)113 static native int initialize(String engine); 114 115 /** 116 * Initialize new in-memory BIO that is located in the secure heap. 117 * 118 * @return New BIO handle 119 * @throws Exception if an error happened. 120 */ newMemBIO()121 public static native long newMemBIO() throws Exception; 122 123 /** 124 * Return last SSL error string 125 * 126 * @return the last SSL error string. 127 */ getLastError()128 public static native String getLastError(); 129 130 /** 131 * Return true if all the requested SSL_OP_* are supported by OpenSSL. 132 * 133 * @param op Bitwise-OR of all SSL_OP_* to test. 134 * 135 * @return true if all SSL_OP_* are supported by OpenSSL library. 136 */ hasOp(int op)137 public static native boolean hasOp(int op); 138 139 /* 140 * Begin Twitter API additions 141 */ 142 143 public static final int SSL_SENT_SHUTDOWN = sslSendShutdown(); 144 public static final int SSL_RECEIVED_SHUTDOWN = sslReceivedShutdown(); 145 146 public static final int SSL_ERROR_NONE = sslErrorNone(); 147 public static final int SSL_ERROR_SSL = sslErrorSSL(); 148 public static final int SSL_ERROR_WANT_READ = sslErrorWantRead(); 149 public static final int SSL_ERROR_WANT_WRITE = sslErrorWantWrite(); 150 public static final int SSL_ERROR_WANT_X509_LOOKUP = sslErrorWantX509Lookup(); 151 public static final int SSL_ERROR_SYSCALL = sslErrorSyscall(); /* look at error stack/return value/errno */ 152 public static final int SSL_ERROR_ZERO_RETURN = sslErrorZeroReturn(); 153 public static final int SSL_ERROR_WANT_CONNECT = sslErrorWantConnect(); 154 public static final int SSL_ERROR_WANT_ACCEPT = sslErrorWantAccept(); 155 156 /** 157 * SSL_new 158 * @param ctx Server or Client context to use. 159 * @param server if true configure SSL instance to use accept handshake routines 160 * if false configure SSL instance to use connect handshake routines 161 * @return pointer to SSL instance (SSL *) 162 */ newSSL(long ctx, boolean server)163 public static native long newSSL(long ctx, boolean server); 164 165 /** 166 * SSL_get_error 167 * @param ssl SSL pointer (SSL *) 168 * @param ret TLS/SSL I/O return value 169 * @return the error code 170 */ getError(long ssl, int ret)171 public static native int getError(long ssl, int ret); 172 173 /** 174 * BIO_write 175 * @param bioAddress The address of a {@code BIO*}. 176 * @param wbufAddress The address of a native {@code char*}. 177 * @param wlen The length to write starting at {@code wbufAddress}. 178 * @return The number of bytes that were written. 179 * See <a href="https://www.openssl.org/docs/man1.0.1/crypto/BIO_write.html">BIO_write</a> for exceptional return values. 180 */ bioWrite(long bioAddress, long wbufAddress, int wlen)181 public static native int bioWrite(long bioAddress, long wbufAddress, int wlen); 182 183 /** 184 * Initialize the BIO for the SSL instance. This is a custom BIO which is designed to play nicely with a direct 185 * {@link ByteBuffer}. Because it is a special BIO it requires special usage such that 186 * {@link #bioSetByteBuffer(long, long, int, boolean)} and {@link #bioClearByteBuffer(long)} are called in order to provide 187 * to supply data to SSL, and also to ensure the internal SSL buffering mechanism is expecting write at the appropriate times. 188 * 189 * @param ssl the SSL instance (SSL *) 190 * @param nonApplicationBufferSize The size of the internal buffer for write operations that are not 191 * initiated directly by the application attempting to encrypt data. 192 * Must be >{@code 0}. 193 * @return pointer to the Network BIO (BIO *). 194 * The memory is owned by {@code ssl} and will be cleaned up by {@link #freeSSL(long)}. 195 */ bioNewByteBuffer(long ssl, int nonApplicationBufferSize)196 public static native long bioNewByteBuffer(long ssl, int nonApplicationBufferSize); 197 198 /** 199 * Set the memory location which that OpenSSL's internal BIO will use to write encrypted data to, or read encrypted 200 * data from. 201 * <p> 202 * After you are done buffering data you should call {@link #bioClearByteBuffer(long)}. 203 * @param bio {@code BIO*}. 204 * @param bufferAddress The memory address (typically from a direct {@link ByteBuffer}) which will be used 205 * to either write encrypted data to, or read encrypted data from by OpenSSL's internal BIO pair. 206 * @param maxUsableBytes The maximum usable length in bytes starting at {@code bufferAddress}. 207 * @param isSSLWriteSink {@code true} if this buffer is expected to buffer data as a result of calls to {@code SSL_write}. 208 * {@code false} if this buffer is expected to buffer data as a result of calls to {@code SSL_read}. 209 */ bioSetByteBuffer(long bio, long bufferAddress, int maxUsableBytes, boolean isSSLWriteSink)210 public static native void bioSetByteBuffer(long bio, long bufferAddress, int maxUsableBytes, boolean isSSLWriteSink); 211 212 /** 213 * After you are done buffering data from {@link #bioSetByteBuffer(long, long, int, boolean)}, this will ensure the 214 * internal SSL write buffers are ready to capture data which may unexpectedly happen (e.g. handshake, renegotiation, etc..). 215 * @param bio {@code BIO*}. 216 */ bioClearByteBuffer(long bio)217 public static native void bioClearByteBuffer(long bio); 218 219 /** 220 * Flush any pending bytes in the internal SSL write buffer. 221 * <p> 222 * This does the same thing as {@code BIO_flush} for a {@code BIO*} of type {@link #bioNewByteBuffer(long, int)} but 223 * returns the number of bytes that were flushed. 224 * @param bio {@code BIO*}. 225 * @return The number of bytes that were flushed. 226 */ bioFlushByteBuffer(long bio)227 public static native int bioFlushByteBuffer(long bio); 228 229 /** 230 * Get the remaining length of the {@link ByteBuffer} set by {@link #bioSetByteBuffer(long, long, int, boolean)}. 231 * @param bio {@code BIO*}. 232 * @return The remaining length of the {@link ByteBuffer} set by {@link #bioSetByteBuffer(long, long, int, boolean)}. 233 */ bioLengthByteBuffer(long bio)234 public static native int bioLengthByteBuffer(long bio); 235 236 /** 237 * Get the amount of data pending in buffer used for non-application writes. 238 * This value will not exceed the value configured in {@link #bioNewByteBuffer(long, int)}. 239 * @param bio {@code BIO*}. 240 * @return the amount of data pending in buffer used for non-application writes. 241 */ bioLengthNonApplication(long bio)242 public static native int bioLengthNonApplication(long bio); 243 244 /** 245 * SSL_write 246 * @param ssl the SSL instance (SSL *) 247 * @param wbuf the memory address of the buffer 248 * @param wlen the length 249 * @return the number of written bytes 250 */ writeToSSL(long ssl, long wbuf, int wlen)251 public static native int writeToSSL(long ssl, long wbuf, int wlen); 252 253 /** 254 * SSL_read 255 * @param ssl the SSL instance (SSL *) 256 * @param rbuf the memory address of the buffer 257 * @param rlen the length 258 * @return the number of read bytes 259 */ readFromSSL(long ssl, long rbuf, int rlen)260 public static native int readFromSSL(long ssl, long rbuf, int rlen); 261 262 /** 263 * SSL_get_shutdown 264 * @param ssl the SSL instance (SSL *) 265 * @return the return code of {@code SSL_get_shutdown} 266 */ getShutdown(long ssl)267 public static native int getShutdown(long ssl); 268 269 /** 270 * SSL_set_shutdown 271 * @param ssl the SSL instance (SSL *) 272 * @param mode the mode to use 273 */ setShutdown(long ssl, int mode)274 public static native void setShutdown(long ssl, int mode); 275 276 /** 277 * SSL_free 278 * @param ssl the SSL instance (SSL *) 279 */ freeSSL(long ssl)280 public static native void freeSSL(long ssl); 281 282 /** 283 * BIO_free 284 * @param bio the BIO 285 */ freeBIO(long bio)286 public static native void freeBIO(long bio); 287 288 /** 289 * SSL_shutdown 290 * @param ssl the SSL instance (SSL *) 291 * @return the return code of {@code SSL_shutdown} 292 */ shutdownSSL(long ssl)293 public static native int shutdownSSL(long ssl); 294 295 /** 296 * Get the error number representing the last error OpenSSL encountered on this thread. 297 * @return the last error code for the calling thread. 298 */ getLastErrorNumber()299 public static native int getLastErrorNumber(); 300 301 /** 302 * SSL_get_cipher 303 * @param ssl the SSL instance (SSL *) 304 * @return the name of the current cipher. 305 */ getCipherForSSL(long ssl)306 public static native String getCipherForSSL(long ssl); 307 308 /** 309 * SSL_get_version 310 * @param ssl the SSL instance (SSL *) 311 * @return the version. 312 */ getVersion(long ssl)313 public static native String getVersion(long ssl); 314 315 /** 316 * SSL_do_handshake 317 * @param ssl the SSL instance (SSL *) 318 * @return the return code of {@code SSL_do_handshake}. 319 */ doHandshake(long ssl)320 public static native int doHandshake(long ssl); 321 322 /** 323 * SSL_in_init 324 * @param ssl the SSL instance (SSL *) 325 * @return the return code of {@code SSL_in_init}. 326 */ isInInit(long ssl)327 public static native int isInInit(long ssl); 328 329 /** 330 * SSL_get0_next_proto_negotiated 331 * @param ssl the SSL instance (SSL *) 332 * @return the name of the negotiated proto 333 */ getNextProtoNegotiated(long ssl)334 public static native String getNextProtoNegotiated(long ssl); 335 336 /* 337 * End Twitter API Additions 338 */ 339 340 /** 341 * SSL_get0_alpn_selected 342 * @param ssl the SSL instance (SSL *) 343 * @return the name of the selected ALPN protocol 344 */ getAlpnSelected(long ssl)345 public static native String getAlpnSelected(long ssl); 346 347 /** 348 * Get the peer certificate chain or {@code null} if none was send. 349 * @param ssl the SSL instance (SSL *) 350 * @return the chain or {@code null} if none was send 351 */ getPeerCertChain(long ssl)352 public static native byte[][] getPeerCertChain(long ssl); 353 354 /** 355 * Get the peer certificate or {@code null} if non was send. 356 * @param ssl the SSL instance (SSL *) 357 * @return the peer certificate or {@code null} if none was send 358 */ getPeerCertificate(long ssl)359 public static native byte[] getPeerCertificate(long ssl); 360 361 /** 362 * Get the error string representing for the given {@code errorNumber}. 363 * 364 * @param errorNumber the error number / code 365 * @return the error string 366 */ getErrorString(long errorNumber)367 public static native String getErrorString(long errorNumber); 368 369 /** 370 * SSL_get_time 371 * @param ssl the SSL instance (SSL *) 372 * @return returns the time at which the session ssl was established. The time is given in seconds since the Epoch 373 */ getTime(long ssl)374 public static native long getTime(long ssl); 375 376 /** 377 * SSL_get_timeout 378 * @param ssl the SSL instance (SSL *) 379 * @return returns the timeout for the session ssl The time is given in seconds since the Epoch 380 */ getTimeout(long ssl)381 public static native long getTimeout(long ssl); 382 383 /** 384 * SSL_set_timeout 385 * @param ssl the SSL instance (SSL *) 386 * @param seconds timeout in seconds 387 * @return returns the timeout for the session ssl before this call. The time is given in seconds since the Epoch 388 */ setTimeout(long ssl, long seconds)389 public static native long setTimeout(long ssl, long seconds); 390 391 /** 392 * Set Type of Client Certificate verification and Maximum depth of CA Certificates 393 * in Client Certificate verification. 394 * <p> 395 * This directive sets the Certificate verification level for the Client 396 * Authentication. Notice that this directive can be used both in per-server 397 * and per-directory context. In per-server context it applies to the client 398 * authentication process used in the standard SSL handshake when a connection 399 * is established. In per-directory context it forces a SSL renegotiation with 400 * the reconfigured client verification level after the HTTP request was read 401 * but before the HTTP response is sent. 402 * <p> 403 * The following levels are available for level: 404 * <ul> 405 * <li>{@link #SSL_CVERIFY_IGNORED} - The level is ignored. Only depth will change.</li> 406 * <li>{@link #SSL_CVERIFY_NONE} - No client Certificate is required at all</li> 407 * <li>{@link #SSL_CVERIFY_OPTIONAL} - The client may present a valid Certificate</li> 408 * <li>{@link #SSL_CVERIFY_REQUIRED} - The client has to present a valid Certificate</li> 409 * </ul> 410 * The depth actually is the maximum number of intermediate certificate issuers, 411 * i.e. the number of CA certificates which are max allowed to be followed while 412 * verifying the client certificate. A depth of 0 means that self-signed client 413 * certificates are accepted only, the default depth of 1 means the client 414 * certificate can be self-signed or has to be signed by a CA which is directly 415 * known to the server (i.e. the CA's certificate is under 416 * {@code setCACertificatePath}, etc. 417 * 418 * @param ssl the SSL instance (SSL *) 419 * @param level Type of Client Certificate verification. 420 * @param depth Maximum depth of CA Certificates in Client Certificate 421 * verification. Ignored if value is {@code <0}. 422 */ setVerify(long ssl, int level, int depth)423 public static native void setVerify(long ssl, int level, int depth); 424 425 /** 426 * Set OpenSSL Option. 427 * @param ssl the SSL instance (SSL *) 428 * @param options See SSL.SSL_OP_* for option flags. 429 */ setOptions(long ssl, int options)430 public static native void setOptions(long ssl, int options); 431 432 /** 433 * Clear OpenSSL Option. 434 * @param ssl the SSL instance (SSL *) 435 * @param options See SSL.SSL_OP_* for option flags. 436 */ clearOptions(long ssl, int options)437 public static native void clearOptions(long ssl, int options); 438 439 /** 440 * Get OpenSSL Option. 441 * @param ssl the SSL instance (SSL *) 442 * @return options See SSL.SSL_OP_* for option flags. 443 */ getOptions(long ssl)444 public static native int getOptions(long ssl); 445 446 /** 447 * Returns all Returns the cipher suites that are available for negotiation in an SSL handshake. 448 * @param ssl the SSL instance (SSL *) 449 * @return ciphers 450 */ getCiphers(long ssl)451 public static native String[] getCiphers(long ssl); 452 453 /** 454 * Returns the cipher suites available for negotiation in SSL handshake. 455 * <p> 456 * This complex directive uses a colon-separated cipher-spec string consisting 457 * of OpenSSL cipher specifications to configure the Cipher Suite the client 458 * is permitted to negotiate in the SSL handshake phase. Notice that this 459 * directive can be used both in per-server and per-directory context. 460 * In per-server context it applies to the standard SSL handshake when a 461 * connection is established. In per-directory context it forces a SSL 462 * renegotiation with the reconfigured Cipher Suite after the HTTP request 463 * was read but before the HTTP response is sent. 464 * @param ssl the SSL instance (SSL *) 465 * @param ciphers an SSL cipher specification 466 * @return {@code true} if successful 467 * @throws Exception if an error happened 468 */ setCipherSuites(long ssl, String ciphers)469 public static native boolean setCipherSuites(long ssl, String ciphers) 470 throws Exception; 471 472 /** 473 * Returns the ID of the session as byte array representation. 474 * 475 * @param ssl the SSL instance (SSL *) 476 * @return the session as byte array representation obtained via SSL_SESSION_get_id. 477 */ getSessionId(long ssl)478 public static native byte[] getSessionId(long ssl); 479 480 /** 481 * Returns the number of handshakes done for this SSL instance. This also includes renegations. 482 * 483 * @param ssl the SSL instance (SSL *) 484 * @return the number of handshakes done for this SSL instance. 485 */ getHandshakeCount(long ssl)486 public static native int getHandshakeCount(long ssl); 487 488 /** 489 * Clear all the errors from the error queue that OpenSSL encountered on this thread. 490 */ clearError()491 public static native void clearError(); 492 493 /** 494 * Call SSL_renegotiate. 495 * 496 * @param ssl the SSL instance (SSL *) 497 * @return the result of the operation 498 */ renegotiate(long ssl)499 public static native int renegotiate(long ssl); 500 501 /** 502 * Call SSL_set_state. 503 * 504 * @param ssl the SSL instance (SSL *) 505 * @param state the state to set 506 */ setState(long ssl, int state)507 public static native void setState(long ssl, int state); 508 509 /** 510 * Call SSL_set_tlsext_host_name 511 * 512 * @param ssl the SSL instance (SSL *) 513 * @param hostname the hostname 514 */ setTlsExtHostName(long ssl, String hostname)515 public static native void setTlsExtHostName(long ssl, String hostname); 516 517 /** 518 * Explicitly control <a href="https://wiki.openssl.org/index.php/Hostname_validation">hostname validation</a> 519 * <a href="https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.html">see X509_check_host for X509_CHECK_FLAG* definitions</a>. 520 * Values are defined as a bitmask of {@code X509_CHECK_FLAG*} values. 521 * @param ssl the SSL instance (SSL*). 522 * @param flags a bitmask of {@code X509_CHECK_FLAG*} values. 523 * @param hostname the hostname which is expected for validation. 524 */ setHostNameValidation(long ssl, int flags, String hostname)525 public static native void setHostNameValidation(long ssl, int flags, String hostname); 526 527 /** 528 * Return the methods used for authentication. 529 * 530 * @param ssl the SSL instance (SSL*) 531 * @return the methods 532 */ authenticationMethods(long ssl)533 public static native String[] authenticationMethods(long ssl); 534 535 /** 536 * Set BIO of PEM-encoded Server CA Certificates 537 * <p> 538 * This directive sets the optional all-in-one file where you can assemble the 539 * certificates of Certification Authorities (CA) which form the certificate 540 * chain of the server certificate. This starts with the issuing CA certificate 541 * of of the server certificate and can range up to the root CA certificate. 542 * Such a file is simply the concatenation of the various PEM-encoded CA 543 * Certificate files, usually in certificate chain order. 544 * <p> 545 * But be careful: Providing the certificate chain works only if you are using 546 * a single (either RSA or DSA) based server certificate. If you are using a 547 * coupled RSA+DSA certificate pair, this will work only if actually both 548 * certificates use the same certificate chain. Otherwsie the browsers will be 549 * confused in this situation. 550 * @param ssl Server or Client to use. 551 * @param bio BIO of PEM-encoded Server CA Certificates. 552 * @param skipfirst Skip first certificate if chain file is inside 553 * certificate file. 554 */ setCertificateChainBio(long ssl, long bio, boolean skipfirst)555 public static native void setCertificateChainBio(long ssl, long bio, boolean skipfirst); 556 557 /** 558 * Set Certificate 559 * <br> 560 * Point setCertificate at a PEM encoded certificate stored in a BIO. If 561 * the certificate is encrypted, then you will be prompted for a 562 * pass phrase. Note that a kill -HUP will prompt again. A test 563 * certificate can be generated with `make certificate' under 564 * built time. Keep in mind that if you've both a RSA and a DSA 565 * certificate you can configure both in parallel (to also allow 566 * the use of DSA ciphers, etc.) 567 * <br> 568 * If the key is not combined with the certificate, use key param 569 * to point at the key file. Keep in mind that if 570 * you've both a RSA and a DSA private key you can configure 571 * both in parallel (to also allow the use of DSA ciphers, etc.) 572 * @param ssl Server or Client to use. 573 * @param certBio Certificate BIO. 574 * @param keyBio Private Key BIO to use if not in cert. 575 * @param password Certificate password. If null and certificate 576 * is encrypted. 577 * @throws Exception if an error happened 578 */ setCertificateBio( long ssl, long certBio, long keyBio, String password)579 public static native void setCertificateBio( 580 long ssl, long certBio, long keyBio, String password) throws Exception; 581 582 /** 583 * Parse private key from BIO and return {@code EVP_PKEY} pointer. 584 * 585 * <p>Be sure you understand how OpenSsl will behave with respect to reference counting! 586 * 587 * If the {@code EVP_PKEY} pointer is used with the client certificate callback 588 * {@link CertificateRequestedCallback} the ownership goes over to OpenSsl / Tcnative and so calling 589 * {@link #freePrivateKey(long)} should <strong>NOT</strong> be done in this case. Otherwise you may 590 * need to call {@link #freePrivateKey(long)} to decrement the reference count and free memory. 591 * 592 * @param privateKeyBio the pointer to the {@code BIO} that contains the private key 593 * @param password the password or {@code null} if no password is needed 594 * @return {@code EVP_PKEY} pointer 595 * @throws Exception if an error happened 596 */ parsePrivateKey(long privateKeyBio, String password)597 public static native long parsePrivateKey(long privateKeyBio, String password) throws Exception; 598 599 /** 600 * Free private key ({@code EVP_PKEY} pointer). 601 * 602 * @param privateKey {@code EVP_PKEY} pointer 603 */ freePrivateKey(long privateKey)604 public static native void freePrivateKey(long privateKey); 605 606 /** 607 * Parse X509 chain from BIO and return ({@code STACK_OF(X509)} pointer). 608 * 609 * <p>Be sure you understand how OpenSsl will behave with respect to reference counting! 610 * 611 * If the {@code STACK_OF(X509)} pointer is used with the client certificate callback 612 * {@link CertificateRequestedCallback} the ownership goes over to OpenSsl / Tcnative and and so calling 613 * {@link #freeX509Chain(long)} should <strong>NOT</strong> be done in this case. Otherwise you may 614 * need to call {@link #freeX509Chain(long)} to decrement the reference count and free memory. 615 * 616 * @param x509ChainBio the pointer to the {@code BIO} that contains the X509 chain 617 * @return {@code STACK_OF(X509)} pointer 618 * @throws Exception if an error happened 619 */ parseX509Chain(long x509ChainBio)620 public static native long parseX509Chain(long x509ChainBio) throws Exception; 621 622 /** 623 * Free x509 chain ({@code STACK_OF(X509)} pointer). 624 * 625 * @param x509Chain {@code STACK_OF(X509)} pointer 626 */ freeX509Chain(long x509Chain)627 public static native void freeX509Chain(long x509Chain); 628 } 629