001: /*
002: * Licensed to the Apache Software Foundation (ASF) under one or more
003: * contributor license agreements. See the NOTICE file distributed with
004: * this work for additional information regarding copyright ownership.
005: * The ASF licenses this file to You under the Apache License, Version 2.0
006: * (the "License"); you may not use this file except in compliance with
007: * the License. You may obtain a copy of the License at
008: *
009: * http://www.apache.org/licenses/LICENSE-2.0
010: *
011: * Unless required by applicable law or agreed to in writing, software
012: * distributed under the License is distributed on an "AS IS" BASIS,
013: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014: * See the License for the specific language governing permissions and
015: * limitations under the License.
016: */
017:
018: package org.apache.tomcat.jni;
019:
/**
 * JNI bindings for the OpenSSL-backed SSL support in Tomcat Native.
 * <p>
 * The class carries integer constants (mostly mirroring mod_ssl and
 * OpenSSL definitions) that are exchanged with the native layer, plus the
 * {@code static native} entry points for library initialisation, PRNG
 * seeding, BIO creation, password handling and temporary key management.
 * The native library must be loaded and {@link #initialize(String)} called
 * before the other entry points are used.
 *
 * @author Mladen Turk
 * @version $Revision: 467222 $, $Date: 2006-10-24 05:17:11 +0200 (mar., 24 oct. 2006) $
 */

public final class SSL {

    /*
     * Type definitions mostly from mod_ssl
     */
    /** Sentinel meaning "not configured"; see {@link #SSL_CVERIFY_UNSET}. */
    public static final int UNSET = -1;

    /*
     * Define the certificate algorithm types. These are bit flags and may
     * be combined; SSL_ALGO_ALL is the union of RSA and DSA.
     */
    public static final int SSL_ALGO_UNKNOWN = 0;
    public static final int SSL_ALGO_RSA = (1 << 0);
    public static final int SSL_ALGO_DSA = (1 << 1);
    public static final int SSL_ALGO_ALL = (SSL_ALGO_RSA | SSL_ALGO_DSA);

    /* Per-algorithm slot indexes (presumably into native arrays holding
     * the configured certificate/key per algorithm). SSL_AIDX_MAX is the
     * slot count, not a valid index. */
    public static final int SSL_AIDX_RSA = 0;
    public static final int SSL_AIDX_DSA = 1;
    public static final int SSL_AIDX_MAX = 2;

    /*
     * Define IDs for the temporary RSA keys and DH params.
     * The number in each name is the key/parameter size in bits;
     * SSL_TMP_KEY_MAX is the number of slots, not a valid index.
     * NOTE(review): the 512-bit slots (and, by current guidance, the
     * 1024-bit ones) are far below recommended key sizes; prefer the
     * larger slots for anything security-relevant.
     */

    public static final int SSL_TMP_KEY_RSA_512 = 0;
    public static final int SSL_TMP_KEY_RSA_1024 = 1;
    public static final int SSL_TMP_KEY_RSA_2048 = 2;
    public static final int SSL_TMP_KEY_RSA_4096 = 3;
    public static final int SSL_TMP_KEY_DH_512 = 4;
    public static final int SSL_TMP_KEY_DH_1024 = 5;
    public static final int SSL_TMP_KEY_DH_2048 = 6;
    public static final int SSL_TMP_KEY_DH_4096 = 7;
    public static final int SSL_TMP_KEY_MAX = 8;

    /*
     * Define the SSL options (bit flags corresponding to mod_ssl's
     * SSLOptions directive). Note that SSL_OPT_RELSET is not part of
     * SSL_OPT_ALL.
     */
    public static final int SSL_OPT_NONE = 0;
    public static final int SSL_OPT_RELSET = (1 << 0);
    public static final int SSL_OPT_STDENVVARS = (1 << 1);
    public static final int SSL_OPT_EXPORTCERTDATA = (1 << 3);
    public static final int SSL_OPT_FAKEBASICAUTH = (1 << 4);
    public static final int SSL_OPT_STRICTREQUIRE = (1 << 5);
    public static final int SSL_OPT_OPTRENEGOTIATE = (1 << 6);
    public static final int SSL_OPT_ALL = (SSL_OPT_STDENVVARS
                                           | SSL_OPT_EXPORTCERTDATA | SSL_OPT_FAKEBASICAUTH
                                           | SSL_OPT_STRICTREQUIRE | SSL_OPT_OPTRENEGOTIATE);

    /*
     * Define the SSL Protocol options: bit flags selecting which protocol
     * versions a context may negotiate.
     * NOTE(review): SSL_PROTOCOL_ALL includes SSLv2 and SSLv3, both long
     * obsolete and known to be insecure. Callers that want "every current
     * protocol" should pass an explicit TLS-only mask rather than
     * SSL_PROTOCOL_ALL.
     */
    public static final int SSL_PROTOCOL_NONE = 0;
    public static final int SSL_PROTOCOL_SSLV2 = (1 << 0);
    public static final int SSL_PROTOCOL_SSLV3 = (1 << 1);
    public static final int SSL_PROTOCOL_TLSV1 = (1 << 2);
    public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV2
                                                | SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1);

    /*
     * Define the SSL verify levels, following mod_ssl's SSLVerifyClient
     * settings (none / optional / require / optional_no_ca).
     * SSL_CVERIFY_UNSET means no level has been configured.
     */
    public static final int SSL_CVERIFY_UNSET = UNSET;
    public static final int SSL_CVERIFY_NONE = 0;
    public static final int SSL_CVERIFY_OPTIONAL = 1;
    public static final int SSL_CVERIFY_REQUIRE = 2;
    public static final int SSL_CVERIFY_OPTIONAL_NO_CA = 3;

    /* Use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
     * are 'ored' with SSL_VERIFY_PEER if they are desired.
     * SSL_VERIFY_NONE performs no peer certificate verification at all.
     * SSL_VERIFY_PEER_STRICT (PEER | FAIL_IF_NO_PEER_CERT) additionally
     * rejects a peer that presents no certificate.
     */
    public static final int SSL_VERIFY_NONE = 0;
    public static final int SSL_VERIFY_PEER = 1;
    public static final int SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 2;
    public static final int SSL_VERIFY_CLIENT_ONCE = 4;
    public static final int SSL_VERIFY_PEER_STRICT = (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT);

    /* OpenSSL SSL_OP_* bug-compatibility and behaviour flags. The values
     * are expected to match the OpenSSL headers the native library was
     * built against, so they must not be renumbered here. */
    public static final int SSL_OP_MICROSOFT_SESS_ID_BUG = 0x00000001;
    public static final int SSL_OP_NETSCAPE_CHALLENGE_BUG = 0x00000002;
    public static final int SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 0x00000008;
    public static final int SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 0x00000010;
    public static final int SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 0x00000020;
    public static final int SSL_OP_MSIE_SSLV2_RSA_PADDING = 0x00000040;
    public static final int SSL_OP_SSLEAY_080_CLIENT_DH_BUG = 0x00000080;
    public static final int SSL_OP_TLS_D5_BUG = 0x00000100;
    public static final int SSL_OP_TLS_BLOCK_PADDING_BUG = 0x00000200;

    /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
     * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
     * the workaround is not needed. Unfortunately some broken SSL/TLS
     * implementations cannot handle it at all, which is why we include
     * it in SSL_OP_ALL. Setting this flag therefore trades interoperability
     * for the loss of a CBC mitigation. */
    public static final int SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00000800;

    /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
     * This used to be 0x000FFFFFL before 0.9.7. */
    public static final int SSL_OP_ALL = 0x00000FFF;

    /* As server, disallow session resumption on renegotiation */
    public static final int SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00010000;
    /* If set, always create a new key when using tmp_dh parameters */
    public static final int SSL_OP_SINGLE_DH_USE = 0x00100000;
    /* Set to always use the tmp_rsa key when doing RSA operations,
     * even when this violates protocol specs */
    public static final int SSL_OP_EPHEMERAL_RSA = 0x00200000;
    /* Set on servers to choose the cipher according to the server's
     * preferences */
    public static final int SSL_OP_CIPHER_SERVER_PREFERENCE = 0x00400000;
    /* If set, a server will allow a client to issue a SSLv3.0 version number
     * as latest version supported in the premaster secret, even when TLSv1.0
     * (version 3.1) was announced in the client hello. Normally this is
     * forbidden to prevent version rollback attacks, so this flag should
     * stay unset unless a specific broken client has to be supported. */
    public static final int SSL_OP_TLS_ROLLBACK_BUG = 0x00800000;

    /* Disable the named protocol version on a context. */
    public static final int SSL_OP_NO_SSLv2 = 0x01000000;
    public static final int SSL_OP_NO_SSLv3 = 0x02000000;
    public static final int SSL_OP_NO_TLSv1 = 0x04000000;

    /* The next flag deliberately changes the ciphertext, this is a check
     * for the PKCS#1 attack */
    public static final int SSL_OP_PKCS1_CHECK_1 = 0x08000000;
    public static final int SSL_OP_PKCS1_CHECK_2 = 0x10000000;
    public static final int SSL_OP_NETSCAPE_CA_DN_BUG = 0x20000000;
    public static final int SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 0x40000000;

    /* Certificate / key file encodings; UNDEF means "not specified". */
    public static final int SSL_CRT_FORMAT_UNDEF = 0;
    public static final int SSL_CRT_FORMAT_ASN1 = 1;
    public static final int SSL_CRT_FORMAT_TEXT = 2;
    public static final int SSL_CRT_FORMAT_PEM = 3;
    public static final int SSL_CRT_FORMAT_NETSCAPE = 4;
    public static final int SSL_CRT_FORMAT_PKCS12 = 5;
    public static final int SSL_CRT_FORMAT_SMIME = 6;
    public static final int SSL_CRT_FORMAT_ENGINE = 7;

    /* Context mode: client side, server side, or both. */
    public static final int SSL_MODE_CLIENT = 0;
    public static final int SSL_MODE_SERVER = 1;
    public static final int SSL_MODE_COMBINED = 2;

    /* Connection shutdown behaviour (mod_ssl's standard / unclean /
     * accurate shutdown variants); UNSET means not configured. */
    public static final int SSL_SHUTDOWN_TYPE_UNSET = 0;
    public static final int SSL_SHUTDOWN_TYPE_STANDARD = 1;
    public static final int SSL_SHUTDOWN_TYPE_UNCLEAN = 2;
    public static final int SSL_SHUTDOWN_TYPE_ACCURATE = 3;

    /* Selectors for querying information about an SSL connection
     * (presumably consumed by a native lookup elsewhere in this package;
     * the naming follows mod_ssl's SSL_* environment variables). */
    public static final int SSL_INFO_SESSION_ID = 0x0001;
    public static final int SSL_INFO_CIPHER = 0x0002;
    public static final int SSL_INFO_CIPHER_USEKEYSIZE = 0x0003;
    public static final int SSL_INFO_CIPHER_ALGKEYSIZE = 0x0004;
    public static final int SSL_INFO_CIPHER_VERSION = 0x0005;
    public static final int SSL_INFO_CIPHER_DESCRIPTION = 0x0006;
    public static final int SSL_INFO_PROTOCOL = 0x0007;

    /* To obtain the CountryName of the Client Certificate Issuer
     * use the SSL_INFO_CLIENT_I_DN + SSL_INFO_DN_COUNTRYNAME.
     * S_DN is the subject DN and I_DN the issuer DN of the client or
     * server certificate respectively.
     */
    public static final int SSL_INFO_CLIENT_S_DN = 0x0010;
    public static final int SSL_INFO_CLIENT_I_DN = 0x0020;
    public static final int SSL_INFO_SERVER_S_DN = 0x0040;
    public static final int SSL_INFO_SERVER_I_DN = 0x0080;

    /* Distinguished-name component selectors; add one of these to a
     * *_DN selector above to pick a single attribute. */
    public static final int SSL_INFO_DN_COUNTRYNAME = 0x0001;
    public static final int SSL_INFO_DN_STATEORPROVINCENAME = 0x0002;
    public static final int SSL_INFO_DN_LOCALITYNAME = 0x0003;
    public static final int SSL_INFO_DN_ORGANIZATIONNAME = 0x0004;
    public static final int SSL_INFO_DN_ORGANIZATIONALUNITNAME = 0x0005;
    public static final int SSL_INFO_DN_COMMONNAME = 0x0006;
    public static final int SSL_INFO_DN_TITLE = 0x0007;
    public static final int SSL_INFO_DN_INITIALS = 0x0008;
    public static final int SSL_INFO_DN_GIVENNAME = 0x0009;
    public static final int SSL_INFO_DN_SURNAME = 0x000A;
    public static final int SSL_INFO_DN_DESCRIPTION = 0x000B;
    public static final int SSL_INFO_DN_UNIQUEIDENTIFIER = 0x000C;
    public static final int SSL_INFO_DN_EMAILADDRESS = 0x000D;

    /* Client certificate fields: version (M_VERSION), serial (M_SERIAL),
     * validity start/end (V_START, V_END), signature and key algorithms
     * (A_SIG, A_KEY), the certificate itself and remaining validity. */
    public static final int SSL_INFO_CLIENT_M_VERSION = 0x0101;
    public static final int SSL_INFO_CLIENT_M_SERIAL = 0x0102;
    public static final int SSL_INFO_CLIENT_V_START = 0x0103;
    public static final int SSL_INFO_CLIENT_V_END = 0x0104;
    public static final int SSL_INFO_CLIENT_A_SIG = 0x0105;
    public static final int SSL_INFO_CLIENT_A_KEY = 0x0106;
    public static final int SSL_INFO_CLIENT_CERT = 0x0107;
    public static final int SSL_INFO_CLIENT_V_REMAIN = 0x0108;

    /* Server certificate fields, same layout as the client ones above. */
    public static final int SSL_INFO_SERVER_M_VERSION = 0x0201;
    public static final int SSL_INFO_SERVER_M_SERIAL = 0x0202;
    public static final int SSL_INFO_SERVER_V_START = 0x0203;
    public static final int SSL_INFO_SERVER_V_END = 0x0204;
    public static final int SSL_INFO_SERVER_A_SIG = 0x0205;
    public static final int SSL_INFO_SERVER_A_KEY = 0x0206;
    public static final int SSL_INFO_SERVER_CERT = 0x0207;
    /* Return client certificate chain.
     * Add certificate chain number to that flag (0 ... verify depth)
     */
    public static final int SSL_INFO_CLIENT_CERT_CHAIN = 0x0400;

    /**
     * Return OpenSSL version number.
     * @return the numeric OpenSSL version as reported by the native library
     */
    public static native int version();

    /**
     * Return OpenSSL version string.
     * @return the OpenSSL version text as reported by the native library
     */
    public static native String versionString();

    /**
     * Initialize OpenSSL support.
     * This function needs to be called once for the
     * lifetime of JVM. Library.init() has to be called before.
     * @param engine Support for an external crypto device ("engine"),
     *               usually a hardware accelerator card for crypto
     *               operations.
     * @return APR status code
     */
    public static native int initialize(String engine);

    /**
     * Add content of the file to the PRNG.
     * @param filename Filename containing random data.
     *        If null the default file will be tested.
     *        The seed file is $RANDFILE if that environment variable is
     *        set, $HOME/.rnd otherwise.
     *        In case both files are unavailable builtin
     *        random seed generator is used.
     * @return whether the native call reported success
     */
    public static native boolean randLoad(String filename);

    /**
     * Writes a number of random bytes (currently 1024) to
     * file <code>filename</code> which can be used to initialize the PRNG
     * by calling randLoad in a later session.
     * The file holds PRNG seed material: keep it readable only by the
     * account running the server.
     * @param filename Filename to save the data
     * @return whether the native call reported success
     */
    public static native boolean randSave(String filename);

    /**
     * Writes random data to a file.
     * @param filename Filename to save the data
     * @param len The length of random sequence in bytes
     * @param base64 Output the data in Base64 encoded format
     * @return whether the native call reported success
     */
    public static native boolean randMake(String filename, int len,
                                          boolean base64);

    /**
     * Initialize new BIO.
     * @param pool The pool to use.
     * @param callback BIOCallback to use
     * @return New BIO handle
     * @throws Exception if the native layer fails to create the BIO
     */
    public static native long newBIO(long pool, BIOCallback callback)
        throws Exception;

    /**
     * Close BIO and dereference callback object.
     * @param bio BIO to close and destroy.
     * @return APR Status code
     */
    public static native int closeBIO(long bio);

    /**
     * Set global Password callback for obtaining passwords.
     * The callback is process-wide, not per context.
     * @param callback PasswordCallback implementation to use.
     */
    public static native void setPasswordCallback(
                                PasswordCallback callback);

    /**
     * Set global Password for decrypting certificates and keys.
     * NOTE(review): the password is passed as an immutable {@code String},
     * which cannot be zeroed from Java and may linger in the heap after
     * use; where that matters prefer {@link #setPasswordCallback}.
     * @param password Password to use.
     */
    public static native void setPassword(String password);

    /**
     * Generate temporary RSA key.
     * <p>
     * Index can be one of:
     * <PRE>
     * SSL_TMP_KEY_RSA_512
     * SSL_TMP_KEY_RSA_1024
     * SSL_TMP_KEY_RSA_2048
     * SSL_TMP_KEY_RSA_4096
     * </PRE>
     * By default 512 and 1024 keys are generated on startup.
     * You can use a low priority thread to generate them on the fly.
     * NOTE(review): 512-bit RSA is well below current minimum key sizes;
     * the larger indexes should be preferred.
     * @param idx temporary key index.
     * @return whether the native call reported success
     */
    public static native boolean generateRSATempKey(int idx);

    /**
     * Load temporary DH parameters from a file.
     * Despite the method name, the valid indexes and the {@code file}
     * parameter refer to DH parameters, not DSA keys.
     * <p>
     * Index can be one of:
     * <PRE>
     * SSL_TMP_KEY_DH_512
     * SSL_TMP_KEY_DH_1024
     * SSL_TMP_KEY_DH_2048
     * SSL_TMP_KEY_DH_4096
     * </PRE>
     * @param idx temporary key index.
     * @param file File containing DH params.
     * @return whether the native call reported success
     */
    public static native boolean loadDSATempKey(int idx, String file);

    /**
     * Return last SSL error string.
     * @return the most recent error text from the native library
     */
    public static native String getLastError();
}
|