Swiftdiff options
| -rw-r--r-- | src/com/isode/stroke/tls/PlatformTLSFactories.java | 6 | ||||
| -rw-r--r-- | src/com/isode/stroke/tls/java/JSSEContext.java | 37 | ||||
| -rw-r--r-- | src/com/isode/stroke/tls/java/JSSEContextFactory.java | 35 |
3 files changed, 70 insertions, 8 deletions
diff --git a/src/com/isode/stroke/tls/PlatformTLSFactories.java b/src/com/isode/stroke/tls/PlatformTLSFactories.java index 6b98a95..cbfcfe2 100644 --- a/src/com/isode/stroke/tls/PlatformTLSFactories.java +++ b/src/com/isode/stroke/tls/PlatformTLSFactories.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012 Isode Limited, London, England. + * Copyright (c) 2012-2013 Isode Limited, London, England. * All rights reserved. */ /* @@ -11,8 +11,10 @@ package com.isode.stroke.tls; import com.isode.stroke.tls.java.JSSEContextFactory; public class PlatformTLSFactories { + private JSSEContextFactory contextFactory = new JSSEContextFactory(); + public TLSContextFactory getTLSContextFactory() { - return new JSSEContextFactory(); + return contextFactory; } public CertificateFactory getCertificateFactory() { diff --git a/src/com/isode/stroke/tls/java/JSSEContext.java b/src/com/isode/stroke/tls/java/JSSEContext.java index 9cb0109..257a70c 100644 --- a/src/com/isode/stroke/tls/java/JSSEContext.java +++ b/src/com/isode/stroke/tls/java/JSSEContext.java @@ -26,6 +26,8 @@ import java.security.cert.CertificateException; import java.security.cert.CertificateExpiredException; import java.security.cert.CertificateNotYetValidException; import java.security.cert.X509Certificate; +import java.util.HashSet; +import java.util.Set; import java.util.Vector; import java.util.logging.Level; import java.util.logging.Logger; @@ -117,13 +119,14 @@ public class JSSEContext extends TLSContext { @Override public void connect() { try { - doSetup(); + doSetup(); } catch (SSLException e) { emitError(e,"doSetup() failed"); } } + private void doSetup() throws SSLException { SSLContext sslContext = getSSLContext(); @@ -143,6 +146,23 @@ public class JSSEContext extends TLSContext { /* "the SSLContextImpl requires initialization and init() has not been called" */ throw new SSLException(e); } + + /* Restrict cipher suites if necessary */ + if (restrictedCipherSuites != null) { + String[] supportedSuites = sslEngine.getSupportedCipherSuites(); + Set<String> matchedSuites = new HashSet<String>(); + for (String suite:supportedSuites) { + if (restrictedCipherSuites.contains(suite)) { + matchedSuites.add(suite); + } + } + String[] suitesToEnable = new String[]{}; + if (!matchedSuites.isEmpty()) { + suitesToEnable = (String[])matchedSuites.toArray(); + } + + sslEngine.setEnabledCipherSuites(suitesToEnable); + } sslEngine.setUseClientMode(true); /* I am a client */ sslEngine.setEnableSessionCreation(true); /* can create new sessions */ @@ -1018,10 +1038,21 @@ public class JSSEContext extends TLSContext { /** * Construct a new JSSEContext object. + * @param restrictedCipherSuites a list of cipher suites that are to be + * enabled for this context. Null means no restriction */ - public JSSEContext() { - /* */ + public JSSEContext(Set<String> restrictedCipherSuites) { + if (restrictedCipherSuites != null) { + this.restrictedCipherSuites = new HashSet<String>(restrictedCipherSuites); + } } + + + /** + * Specific list of suites to allow - null (the default) means + * no restriction. + */ + private Set<String> restrictedCipherSuites = null; /** * Reference to the SSLEngine being used diff --git a/src/com/isode/stroke/tls/java/JSSEContextFactory.java b/src/com/isode/stroke/tls/java/JSSEContextFactory.java index 0ddb4fd..63b184d 100644 --- a/src/com/isode/stroke/tls/java/JSSEContextFactory.java +++ b/src/com/isode/stroke/tls/java/JSSEContextFactory.java @@ -1,4 +1,4 @@ -/* Copyright (c) 2012, Isode Limited, London, England. +/* Copyright (c) 2012-2013, Isode Limited, London, England. * All rights reserved. * * Acquisition and use of this software and related materials for any @@ -10,12 +10,19 @@ package com.isode.stroke.tls.java; +import java.util.HashSet; +import java.util.Set; + import com.isode.stroke.tls.TLSContext; import com.isode.stroke.tls.TLSContextFactory; /** * Concrete implementation of a TLSContextFactory which uses SSLEngine - * and maybe other stuff? ..tbs... + * + * <p>Ciphersuite names recognised by this class correspond to the standard + * names as described in + * <a href=http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites> + * Oracle's "Java Cryptography Architecture Standard Algorithm Name Documentation"</a>. * */ public class JSSEContextFactory implements TLSContextFactory { @@ -27,7 +34,29 @@ public class JSSEContextFactory implements TLSContextFactory { @Override public TLSContext createTLSContext() { - return new JSSEContext(); + return new JSSEContext(restrictedCipherSuites); } + + private static Set<String> restrictedCipherSuites = null; + + /** + * Restrict which cipher suites are to be enabled for any TLSContexts + * returned by this factory from now on. Any name which is + * not recognised, or not available is ignored: this method cannot be + * used to enable otherwise unavailable ciphersuites. + * + * @param cipherSuites a set of cipher suite names. If this parameter is + * null, then no restriction on cipher suites applies (all suites available + * to the implementation will be enabled). + * + */ + public static void setRestrictedCipherSuites(Set<String> cipherSuites) { + if (cipherSuites == null) { + restrictedCipherSuites = null; + return; + } + + restrictedCipherSuites = new HashSet<String>(cipherSuites); + } } |