se.entra.phantom.server.ssl

Class NetPhantomJSSEServerSocket

java.lang.Object

se.entra.phantom.server.SocketHelper

se.entra.phantom.server.ssl.NetPhantomJSSEServerSocket

All Implemented Interfaces:

TrustManager, X509TrustManager, ServerSocketInterface, ServerSocketInterface2, ServerSocketInterface3

public class NetPhantomJSSEServerSocket
extends SocketHelper
implements ServerSocketInterface3, X509TrustManager

ServerSocketInterface2 is used by servers to listen for requests from clients for [SSL] socket connections. The ServerSocketInterface2 listens on the specified port; optional arguments specify the backlog of client connection requests.

As SSL requires additional parameters that are generally implementation dependent, the "server.ini" file object is passed along. This makes it possible to access information in - typically - the SSL section of the file.

Field Summary

Fields

Modifier and Type	Field and Description
static boolean	DEBUG Debug flag.

Fields inherited from class se.entra.phantom.server.SocketHelper

id, isLoadBalanced

Fields inherited from interface se.entra.phantom.server.ServerSocketInterface

SSLINFO_CLIENTCERT_ISSUER, SSLINFO_CLIENTCERT_PUBLICKEYFORMAT, SSLINFO_CLIENTCERT_SERIALNUMBER, SSLINFO_CLIENTCERT_SIGNATUREALGORITHM, SSLINFO_CLIENTCERT_SUBJECT, SSLINFO_CLIENTCERT_VALIDFROM, SSLINFO_CLIENTCERT_VALIDTO, SSLINFO_CLIENTCERT_VERSION, SSLINFO_GETCIPHER, SSLINFO_GETEFFECTIVEBITS, SSLINFO_ISENCRYPTED, SSLINFO_ISSTRONGENCRYPTED

Constructor Summary

Constructors

Constructor and Description
NetPhantomJSSEServerSocket() Constructor for the SSL server socket from the NetPhantom Server.

Method Summary

Modifier and Type	Method and Description
ISocket	acceptNoHandshake() Listens for a connection to be made to this socket and accepts it.
void	checkClientTrusted(X509Certificate[] chain, String authType) Checks if connected client can be trusted.
void	checkServerTrusted(X509Certificate[] chain, String authType) Can the application trust a server? Throws the exception immediately since this is not an alternative for the server (which in this case would act as a client).
void	close() Closes this socket.
ServerSocketInterface3	createServerSocket(String id, int port, int mapToPort, int count, InetAddress address) Creates the ServerSocket listener.
static String	format(BigInteger serial) Formats a certificate serial number into (minimum 5) groups of 4 digits
static String	format(X500Principal p, char d) Formats an X.500 Principal with "d" as delimiters instead of ", ".
X509Certificate[]	getAcceptedIssuers() What would be the type of certificates that would be acceptable (based on issuer)? Return the list of CA certificates specified.
static List<String>	getCurrentAllowedCertificates() Gets the per-access control revoked certificates.
static Map<X500Principal,Map<BigInteger,X509CRLEntry>>	getCurrentCRLs() Gets the list of currently used CRLs in the CRL directory.
static List<String>	getCurrentRevokedCertificates() Gets the per-access control revoked certificates.
InetAddress	getInetAddress() Returns the local address of this server socket.
String	getInformation(ISocket socket, int index) Returns SSL information about this socket.
IniFile	getIniFile() Gets the previous INI file used to load the SSL section.
LetsEncryptDomain[]	getLetsEncryptDomains() Gets the Let's Encrypt domains for this SSL configuration.
int	getLocalPort() Returns the port on which this socket is listening.
int	getMapToPort() Gets the port number being mapped to externally.
String	getSSLConfigInfo() Gets information about the SSL configuration for logging when initializing has completed.
void	initialize(IniFile ini, String name) Initializes the server socket with information in the INI file for the SSL protocol.
boolean	isEncrypted(ISocket socket) Checks if encryption (with SSL with any encryption - not only signing) is used.
boolean	isStrongEncrypted(ISocket socket) Checks if strong encryption (using SSL) is used.
boolean	isUsingSSL() Returns if SSL is used or not.
void	performAcceptHandshake(ISocket s2) Performs the accept handshake for SSL in another thread.
static boolean	reloadAllowedAccessControl() Loads or reloads allowed certificates per access control in the "clientcerts/"+accessControlName directory.
static boolean	reloadCRLs() Causes a load or reload of the CRL directory.
static boolean	reloadRevokedAccessControl() Loads or reloads revoked certificates per access control in the "revokedcerts/"+accessControlName directory.
boolean	renegotiateSession(ISocket socket, boolean isStrongEncryptionRequired, boolean isClientAuthenticationRequired, String accessControlID, Thread readerThread) If an SSL connection is not using strong encryption or if a client certificate is required, call this method.
void	setExternalSSL(boolean isExternal) Sets the external SSL flag.
void	setLetsEncryptDomains(LetsEncryptDomain[] domains) Assigns the Let's Encrypt domains for this SSL configuration.
String	toString() Returns the implementation address and implementation port of this socket as a String.

Methods inherited from class se.entra.phantom.server.SocketHelper

getLocalAddress, getLocalName, getPortID, isLoadBalanced, setLoadBalancing

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface se.entra.phantom.server.ServerSocketInterface

getLocalAddress, getLocalName, getPortID, isLoadBalanced, setLoadBalancing

Field Detail

DEBUG

public static final boolean DEBUG

Debug flag.

See Also:

Constant Field Values

Constructor Detail

NetPhantomJSSEServerSocket

public NetPhantomJSSEServerSocket()

Constructor for the SSL server socket from the NetPhantom Server.

Method Detail

getIniFile

public IniFile getIniFile()

Gets the previous INI file used to load the SSL section.

Returns:

The INI file instance.

setLetsEncryptDomains

public void setLetsEncryptDomains(LetsEncryptDomain[] domains)

Assigns the Let's Encrypt domains for this SSL configuration.

Specified by:

setLetsEncryptDomains in interface ServerSocketInterface3

Parameters:

domains - The domains.

getLetsEncryptDomains

public LetsEncryptDomain[] getLetsEncryptDomains()

Gets the Let's Encrypt domains for this SSL configuration.

Note: this method is intended to be used by the framework and should not be called directly.

Specified by:

getLetsEncryptDomains in interface ServerSocketInterface3

Returns:

The domains, or null for none.

Throws:

RuntimeException - If called outside the NetPhantom framework.

initialize

public void initialize(IniFile ini,
                       String name)
                throws IOException

Initializes the server socket with information in the INI file for the SSL protocol. This method is called for non-SSL server sockets with the name parameter set to null.

Specified by:

initialize in interface ServerSocketInterface2

Parameters:

ini - the "server.ini" file from where the potential SSL package reads information to create the server socket.

name - the section name in the INI file where all settings are stored (null when no SSL).

Throws:

IOException - When there is an I/O failure.

getSSLConfigInfo

public String getSSLConfigInfo()

Gets information about the SSL configuration for logging when initializing has completed.

Specified by:

getSSLConfigInfo in interface ServerSocketInterface3

Returns:

Informational string with new lines before each relevant element.

createServerSocket

public ServerSocketInterface3 createServerSocket(String id,
                                                 int port,
                                                 int mapToPort,
                                                 int count,
                                                 InetAddress address)
                                          throws IOException

Creates the ServerSocket listener. Because this is an interface, the creation routine must create the SSLServerSocket with the appropriate parameters. This will cause a listen for connection requests with the specified port, backlog count.

Specified by:

createServerSocket in interface ServerSocketInterface2

Parameters:

id - the ID of the port.

port - the port.

mapToPort - the port externally mapped.

count - the number of queued connection requests.

address - the address to listen to (null means all local addresses).

Returns:

The server socket interface ServerSocketInterface3.

Throws:

IOException - When there is an I/O failure.

acceptNoHandshake

public ISocket acceptNoHandshake()
                          throws IOException

Listens for a connection to be made to this socket and accepts it. The method blocks until a connection is made (without a potential SSL handshake is complete).

Specified by:

acceptNoHandshake in interface ServerSocketInterface2

Throws:

IOException - if an I/O error occurs when waiting for a connection.

performAcceptHandshake

public void performAcceptHandshake(ISocket s2)
                            throws IOException

Performs the accept handshake for SSL in another thread.

Specified by:

performAcceptHandshake in interface ServerSocketInterface2

Throws:

IOException - if an I/O error occurs when waiting for a connection.

getInetAddress

public InetAddress getInetAddress()

Returns the local address of this server socket.

Specified by:

getInetAddress in interface ServerSocketInterface

Returns:

the address to which this socket is connected, or null if the socket is not yet connected.

getLocalPort

public int getLocalPort()

Returns the port on which this socket is listening.

Specified by:

getLocalPort in interface ServerSocketInterface

Returns:

the port number to which this socket is listening.

getMapToPort

public int getMapToPort()

Gets the port number being mapped to externally. If no mapping is done, the same value as getLocalPort is returned.

Specified by:

getMapToPort in interface ServerSocketInterface

Returns:

the port number to which this socket is listening and is mapped to. If the server socket is not yet created, -1 is returned.

getInformation

public String getInformation(ISocket socket,
                             int index)

Returns SSL information about this socket.

Specified by:

getInformation in interface ServerSocketInterface

Parameters:

socket -

index - index of the information requested.

Returns:

null when this is not an SSL socket.

checkClientTrusted

public void checkClientTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException

Checks if connected client can be trusted. This is a callback from the handshake process.

Specified by:

checkClientTrusted in interface X509TrustManager

Throws:

CertificateException - To indicate that the certificate (chain) supplied does not qualify as credentials for communication.

checkServerTrusted

public void checkServerTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException

Can the application trust a server? Throws the exception immediately since this is not an alternative for the server (which in this case would act as a client).

Specified by:

checkServerTrusted in interface X509TrustManager

Throws:

CertificateException - To indicate that this is not a viable alternative.

getAcceptedIssuers

public X509Certificate[] getAcceptedIssuers()

What would be the type of certificates that would be acceptable (based on issuer)? Return the list of CA certificates specified.

Specified by:

getAcceptedIssuers in interface X509TrustManager

Returns:

X509Certificate the array of CA certificates.

setExternalSSL

public void setExternalSSL(boolean isExternal)

Sets the external SSL flag. The method isUsingSSL may then return true even if the interface is not really SSL.

Specified by:

setExternalSSL in interface ServerSocketInterface

isUsingSSL

public boolean isUsingSSL()

Returns if SSL is used or not.

Specified by:

isUsingSSL in interface ServerSocketInterface

Returns:

true, always.

isEncrypted

public boolean isEncrypted(ISocket socket)

Checks if encryption (with SSL with any encryption - not only signing) is used.

Specified by:

isEncrypted in interface ServerSocketInterface

Parameters:

socket -

Returns:

true if the socket is encrypted.

isStrongEncrypted

public boolean isStrongEncrypted(ISocket socket)

Checks if strong encryption (using SSL) is used.

Specified by:

isStrongEncrypted in interface ServerSocketInterface

Parameters:

socket -

Returns:

true if the encryption used is using 128 bit or "stronger" encryption.

renegotiateSession

public boolean renegotiateSession(ISocket socket,
                                  boolean isStrongEncryptionRequired,
                                  boolean isClientAuthenticationRequired,
                                  String accessControlID,
                                  Thread readerThread)
                           throws IOException

If an SSL connection is not using strong encryption or if a client certificate is required, call this method.

It requests a new SSL handshake. Use this if you want to renegotiate modified security parameters; for example, to upgrade security strength or to add client authentication to a server-authenticated session.

It is dangerous to attempt a security renegotiation on a connection where the peer is not reading data (e.g., a client attempting to renegotiate security parameters in the middle of a download) as the peer will not read the renegotiation request and will therefore not respond in a timely manner.

Specified by:

renegotiateSession in interface ServerSocketInterface

Returns:

false if the socket is not an SSL socket connection.

Throws:

IOException - for negotiation or other I/O failures.

close

public void close()
           throws IOException

Closes this socket.

Specified by:

close in interface ServerSocketInterface

Throws:

IOException - if an I/O error occurs when closing the socket.

toString

public String toString()

Returns the implementation address and implementation port of this socket as a String.

Specified by:

toString in interface ServerSocketInterface

Overrides:

toString in class Object

Returns:

a string representation of this socket.

reloadCRLs

public static boolean reloadCRLs()

Causes a load or reload of the CRL directory.

Returns:

true if the directory contained at least one CRL file.

getCurrentCRLs

public static Map<X500Principal,Map<BigInteger,X509CRLEntry>> getCurrentCRLs()

Gets the list of currently used CRLs in the CRL directory.

Returns:

A map of CRLs, null for none. If not null, it's an immutable map of all issuers with immutable maps of revoked certificates.

reloadAllowedAccessControl

public static boolean reloadAllowedAccessControl()

Loads or reloads allowed certificates per access control in the "clientcerts/"+accessControlName directory. Each file in this directory must be a X.509 certificate.

Returns:

true If at least one certificate is loaded, false otherwise.

getCurrentAllowedCertificates

public static List<String> getCurrentAllowedCertificates()

Gets the per-access control revoked certificates. The format is tab delimited "Serial Number", "Subject", "Issuer", "Access Control", with delimiters of "(char)160" (non-breaking space) for Subject and Issuer.

Returns:

null if none is currently loaded, otherwise the list.

reloadRevokedAccessControl

public static boolean reloadRevokedAccessControl()

Loads or reloads revoked certificates per access control in the "revokedcerts/"+accessControlName directory. Each file in this directory must be a certificate.

Returns:

true if at least one certificate is loaded, false otherwise.

getCurrentRevokedCertificates

public static List<String> getCurrentRevokedCertificates()

Gets the per-access control revoked certificates. The format is tab delimited "Serial Number", "Subject", "Issuer", "Access Control", with delimiters of "(char)160" (non-breaking space) for Subject and Issuer.

Returns:

null if none is currently loaded, otherwise the list.

format

public static String format(BigInteger serial)

Formats a certificate serial number into (minimum 5) groups of 4 digits

Parameters:

serial - The certificate serial number.

Returns:

the formatted string, five sets of four numbers

format

public static String format(X500Principal p,
                            char d)

Formats an X.500 Principal with "d" as delimiters instead of ", ".

Parameters:

p - The principal.

d - The delimiter character.

Returns:

The formatted string.