KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > org > apache > tomcat > jni > SSLContext


1 /*
2  * Licensed to the Apache Software Foundation (ASF) under one or more
3  * contributor license agreements. See the NOTICE file distributed with
4  * this work for additional information regarding copyright ownership.
5  * The ASF licenses this file to You under the Apache License, Version 2.0
6  * (the "License"); you may not use this file except in compliance with
7  * the License. You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */

17
18 package org.apache.tomcat.jni;
19
20 /** SSL Context
21  *
22  * @author Mladen Turk
23  * @version $Revision: 467222 $, $Date: 2006-10-24 05:17:11 +0200 (mar., 24 oct. 2006) $
24  */

25
26 public final class SSLContext {
27
28
29     /**
30      * Initialize new SSL context
31      * @param pool The pool to use.
32      * @param protocol The SSL protocol to use. It can be one of:
33      * <PRE>
34      * SSL_PROTOCOL_SSLV2
35      * SSL_PROTOCOL_SSLV3
36      * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
37      * SSL_PROTOCOL_TLSV1
38      * SSL_PROTOCOL_ALL
39      * </PRE>
40      * @param mode SSL mode to use
41      * <PRE>
42      * SSL_MODE_CLIENT
43      * SSL_MODE_SERVER
44      * SSL_MODE_COMBINED
45      * </PRE>
46      */

47     public static native long make(long pool, int protocol, int mode)
48         throws Exception JavaDoc;
49
50     /**
51      * Free the resources used by the Context
52      * @param ctx Server or Client context to free.
53      * @return APR Status code.
54      */

55     public static native int free(long ctx);
56
57     /**
58      * Set Session context id. Usually host:port combination.
59      * @param ctx Context to use.
60      * @param id String that uniquely identifies this context.
61      */

62     public static native void setContextId(long ctx, String JavaDoc id);
63
64     /**
65      * Asssociate BIOCallback for input or output data capture.
66      * <br />
67      * First word in the output string will contain error
68      * level in the form:
69      * <PRE>
70      * [ERROR] -- Critical error messages
71      * [WARN] -- Varning messages
72      * [INFO] -- Informational messages
73      * [DEBUG] -- Debugging messaged
74      * </PRE>
75      * Callback can use that word to determine application logging level
76      * by intercepting <b>write</b> call.
77      * If the <b>bio</b> is set to 0 no error messages will be displayed.
78      * Default is to use the stderr output stream.
79      * @param ctx Server or Client context to use.
80      * @param bio BIO handle to use, created with SSL.newBIO
81      * @param dir BIO direction (1 for input 0 for output).
82      */

83     public static native void setBIO(long ctx, long bio, int dir);
84
85     /**
86      * Set OpenSSL Option.
87      * @param ctx Server or Client context to use.
88      * @param options See SSL.SSL_OP_* for option flags.
89      */

90     public static native void setOptions(long ctx, int options);
91
92     /**
93      * Sets the "quiet shutdown" flag for <b>ctx</b> to be
94      * <b>mode</b>. SSL objects created from <b>ctx</b> inherit the
95      * <b>mode</b> valid at the time and may be 0 or 1.
96      * <br />
97      * Normally when a SSL connection is finished, the parties must send out
98      * "close notify" alert messages using L<SSL_shutdown(3)|SSL_shutdown(3)>
99      * for a clean shutdown.
100      * <br />
101      * When setting the "quiet shutdown" flag to 1, <b>SSL.shutdown</b>
102      * will set the internal flags to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.
103      * (<b>SSL_shutdown</b> then behaves like called with
104      * SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.)
105      * The session is thus considered to be shutdown, but no "close notify" alert
106      * is sent to the peer. This behaviour violates the TLS standard.
107      * The default is normal shutdown behaviour as described by the TLS standard.
108      * @param ctx Server or Client context to use.
109      * @param mode True to set the quiet shutdown.
110      */

111     public static native void setQuietShutdown(long ctx, boolean mode);
112
113     /**
114      * Cipher Suite available for negotiation in SSL handshake.
115      * <br />
116      * This complex directive uses a colon-separated cipher-spec string consisting
117      * of OpenSSL cipher specifications to configure the Cipher Suite the client
118      * is permitted to negotiate in the SSL handshake phase. Notice that this
119      * directive can be used both in per-server and per-directory context.
120      * In per-server context it applies to the standard SSL handshake when a
121      * connection is established. In per-directory context it forces a SSL
122      * renegotation with the reconfigured Cipher Suite after the HTTP request
123      * was read but before the HTTP response is sent.
124      * @param ctx Server or Client context to use.
125      * @param ciphers An SSL cipher specification.
126      */

127     public static native boolean setCipherSuite(long ctx, String JavaDoc ciphers)
128         throws Exception JavaDoc;
129
130     /**
131      * Set File of concatenated PEM-encoded CA CRLs or
132      * directory of PEM-encoded CA Certificates for Client Auth
133      * <br />
134      * This directive sets the all-in-one file where you can assemble the
135      * Certificate Revocation Lists (CRL) of Certification Authorities (CA)
136      * whose clients you deal with. These are used for Client Authentication.
137      * Such a file is simply the concatenation of the various PEM-encoded CRL
138      * files, in order of preference.
139      * <br />
140      * The files in this directory have to be PEM-encoded and are accessed through
141      * hash filenames. So usually you can't just place the Certificate files there:
142      * you also have to create symbolic links named hash-value.N. And you should
143      * always make sure this directory contains the appropriate symbolic links.
144      * Use the Makefile which comes with mod_ssl to accomplish this task.
145      * @param ctx Server or Client context to use.
146      * @param file File of concatenated PEM-encoded CA CRLs for Client Auth.
147      * @param path Directory of PEM-encoded CA Certificates for Client Auth.
148      */

149     public static native boolean setCARevocation(long ctx, String JavaDoc file,
150                                                  String JavaDoc path)
151         throws Exception JavaDoc;
152
153     /**
154      * Set File of PEM-encoded Server CA Certificates
155      * <br />
156      * This directive sets the optional all-in-one file where you can assemble the
157      * certificates of Certification Authorities (CA) which form the certificate
158      * chain of the server certificate. This starts with the issuing CA certificate
159      * of of the server certificate and can range up to the root CA certificate.
160      * Such a file is simply the concatenation of the various PEM-encoded CA
161      * Certificate files, usually in certificate chain order.
162      * <br />
163      * But be careful: Providing the certificate chain works only if you are using
164      * a single (either RSA or DSA) based server certificate. If you are using a
165      * coupled RSA+DSA certificate pair, this will work only if actually both
166      * certificates use the same certificate chain. Else the browsers will be
167      * confused in this situation.
168      * @param ctx Server or Client context to use.
169      * @param file File of PEM-encoded Server CA Certificates.
170      * @param skipfirst Skip first certificate if chain file is inside
171      * certificate file.
172      */

173     public static native boolean setCertificateChainFile(long ctx, String JavaDoc file,
174                                                          boolean skipfirst);
175
176     /**
177      * Set Certificate
178      * <br />
179      * Point setCertificateFile at a PEM encoded certificate. If
180      * the certificate is encrypted, then you will be prompted for a
181      * pass phrase. Note that a kill -HUP will prompt again. A test
182      * certificate can be generated with `make certificate' under
183      * built time. Keep in mind that if you've both a RSA and a DSA
184      * certificate you can configure both in parallel (to also allow
185      * the use of DSA ciphers, etc.)
186      * <br />
187      * If the key is not combined with the certificate, use key param
188      * to point at the key file. Keep in mind that if
189      * you've both a RSA and a DSA private key you can configure
190      * both in parallel (to also allow the use of DSA ciphers, etc.)
191      * @param ctx Server or Client context to use.
192      * @param cert Certificate file.
193      * @param key Private Key file to use if not in cert.
194      * @param password Certificate password. If null and certificate
195      * is encrypted, password prompt will be dispayed.
196      * @param idx Certificate index SSL_AIDX_RSA or SSL_AIDX_DSA.
197      */

198     public static native boolean setCertificate(long ctx, String JavaDoc cert,
199                                                 String JavaDoc key, String JavaDoc password,
200                                                 int idx)
201         throws Exception JavaDoc;
202
203     /**
204      * Set File and Directory of concatenated PEM-encoded CA Certificates
205      * for Client Auth
206      * <br />
207      * This directive sets the all-in-one file where you can assemble the
208      * Certificates of Certification Authorities (CA) whose clients you deal with.
209      * These are used for Client Authentication. Such a file is simply the
210      * concatenation of the various PEM-encoded Certificate files, in order of
211      * preference. This can be used alternatively and/or additionally to
212      * path.
213      * <br />
214      * The files in this directory have to be PEM-encoded and are accessed through
215      * hash filenames. So usually you can't just place the Certificate files there:
216      * you also have to create symbolic links named hash-value.N. And you should
217      * always make sure this directory contains the appropriate symbolic links.
218      * Use the Makefile which comes with mod_ssl to accomplish this task.
219      * @param ctx Server or Client context to use.
220      * @param file File of concatenated PEM-encoded CA Certificates for
221      * Client Auth.
222      * @param path Directory of PEM-encoded CA Certificates for Client Auth.
223      */

224     public static native boolean setCACertificate(long ctx, String JavaDoc file,
225                                                   String JavaDoc path)
226         throws Exception JavaDoc;
227
228     /**
229      * Set SSL connection shutdown type
230      * <br />
231      * The following levels are available for level:
232      * <PRE>
233      * SSL_SHUTDOWN_TYPE_STANDARD
234      * SSL_SHUTDOWN_TYPE_UNCLEAN
235      * SSL_SHUTDOWN_TYPE_ACCURATE
236      * </PRE>
237      * @param ctx Server or Client context to use.
238      * @param type Shutdown type to use.
239      */

240     public static native void setShutdowType(long ctx, int type);
241
242     /**
243      * Set Type of Client Certificate verification and Maximum depth of CA Certificates
244      * in Client Certificate verification.
245      * <br />
246      * This directive sets the Certificate verification level for the Client
247      * Authentication. Notice that this directive can be used both in per-server
248      * and per-directory context. In per-server context it applies to the client
249      * authentication process used in the standard SSL handshake when a connection
250      * is established. In per-directory context it forces a SSL renegotation with
251      * the reconfigured client verification level after the HTTP request was read
252      * but before the HTTP response is sent.
253      * <br />
254      * The following levels are available for level:
255      * <PRE>
256      * SSL_CVERIFY_NONE - No client Certificate is required at all
257      * SSL_CVERIFY_OPTIONAL - The client may present a valid Certificate
258      * SSL_CVERIFY_REQUIRE - The client has to present a valid Certificate
259      * SSL_CVERIFY_OPTIONAL_NO_CA - The client may present a valid Certificate
260      * but it need not to be (successfully) verifiable
261      * </PRE>
262      * <br />
263      * The depth actually is the maximum number of intermediate certificate issuers,
264      * i.e. the number of CA certificates which are max allowed to be followed while
265      * verifying the client certificate. A depth of 0 means that self-signed client
266      * certificates are accepted only, the default depth of 1 means the client
267      * certificate can be self-signed or has to be signed by a CA which is directly
268      * known to the server (i.e. the CA's certificate is under
269      * <code>setCACertificatePath</code>), etc.
270      * @param ctx Server or Client context to use.
271      * @param level Type of Client Certificate verification.
272      * @param depth Maximum depth of CA Certificates in Client Certificate
273      * verification.
274      */

275     public static native void setVerify(long ctx, int level, int depth);
276
277 }
278
Popular Tags