Package org.conscrypt

Class Conscrypt


  • public final class Conscrypt
    extends Object
    Core API for creating and configuring all Conscrypt types.
    • Method Detail

      • isAvailable

        public static boolean isAvailable()
        Returns true if the Conscrypt native library has been successfully loaded.
      • version

        public static Conscrypt.Version version()
        Returns the version of this distribution of Conscrypt. If version information is unavailable, returns null.
      • checkAvailability

        public static void checkAvailability()
        Checks that the Conscrypt support is available for the system.
        Throws:
        UnsatisfiedLinkError - if unavailable
      • isConscrypt

        public static boolean isConscrypt(Provider provider)
        Indicates whether the given Provider was created by this distribution of Conscrypt.
      • newProvider

        public static Provider newProvider()
        Constructs a new Provider with the default name.
      • maxEncryptedPacketLength

        public static int maxEncryptedPacketLength()
        Returns the maximum length (in bytes) of an encrypted packet.
      • isConscrypt

        public static boolean isConscrypt(SSLContext context)
        Indicates whether the given SSLContext was created by this distribution of Conscrypt.
      • newPreferredSSLContextSpi

        public static SSLContextSpi newPreferredSSLContextSpi()
        Constructs a new instance of the preferred SSLContextSpi.
      • setClientSessionCache

        public static void setClientSessionCache(SSLContext context,
                                                 SSLClientSessionCache cache)
        Sets the client-side persistent cache to be used by the context.
      • setServerSessionCache

        public static void setServerSessionCache(SSLContext context,
                                                 org.conscrypt.SSLServerSessionCache cache)
        Sets the server-side persistent cache to be used by the context.
      • isConscrypt

        public static boolean isConscrypt(SSLSocketFactory factory)
        Indicates whether the given SSLSocketFactory was created by this distribution of Conscrypt.
      • setUseEngineSocketByDefault

        @ExperimentalApi
        public static void setUseEngineSocketByDefault(boolean useEngineSocket)
        Configures the default socket to be created for all socket factory instances.
      • setUseEngineSocket

        @ExperimentalApi
        public static void setUseEngineSocket(SSLSocketFactory factory,
                                              boolean useEngineSocket)
        Configures the socket to be created for the given socket factory instance.
      • setUseEngineSocket

        @ExperimentalApi
        public static void setUseEngineSocket(SSLServerSocketFactory factory,
                                              boolean useEngineSocket)
        Configures the socket to be created for the given server socket factory instance.
      • isConscrypt

        public static boolean isConscrypt(SSLSocket socket)
        Indicates whether the given SSLSocket was created by this distribution of Conscrypt.
      • setHostname

        public static void setHostname(SSLSocket socket,
                                       String hostname)
        This method enables Server Name Indication (SNI) and overrides the hostname supplied during socket creation. If the hostname is not a valid SNI hostname, the SNI extension will be omitted from the handshake.
        Parameters:
        socket - the socket
        hostname - the desired SNI hostname, or null to disable
      • getHostname

        public static String getHostname(SSLSocket socket)
        Returns either the hostname supplied during socket creation or via setHostname(SSLSocket, String). No DNS resolution is attempted before returning the hostname.
      • getHostnameOrIP

        public static String getHostnameOrIP(SSLSocket socket)
        This method attempts to create a textual representation of the peer host or IP. Does not perform a reverse DNS lookup. This is typically used during session creation.
      • setUseSessionTickets

        public static void setUseSessionTickets(SSLSocket socket,
                                                boolean useSessionTickets)
        This method enables session ticket support.
        Parameters:
        socket - the socket
        useSessionTickets - True to enable session tickets
      • setChannelIdEnabled

        public static void setChannelIdEnabled(SSLSocket socket,
                                               boolean enabled)
        Enables/disables TLS Channel ID for the given server-side socket.

        This method needs to be invoked before the handshake starts.

        Parameters:
        socket - the socket
        enabled - Whether to enable channel ID.
        Throws:
        IllegalStateException - if this is a client socket or if the handshake has already started.
      • getChannelId

        public static byte[] getChannelId(SSLSocket socket)
                                   throws SSLException
        Gets the TLS Channel ID for the given server-side socket. Channel ID is only available once the handshake completes.
        Parameters:
        socket - the socket
        Returns:
        channel ID or null if not available.
        Throws:
        IllegalStateException - if this is a client socket or if the handshake has not yet completed.
        SSLException - if channel ID is available but could not be obtained.
      • setChannelIdPrivateKey

        public static void setChannelIdPrivateKey(SSLSocket socket,
                                                  PrivateKey privateKey)
        Sets the PrivateKey to be used for TLS Channel ID by this client socket.

        This method needs to be invoked before the handshake starts.

        Parameters:
        socket - the socket
        privateKey - private key (enables TLS Channel ID) or null for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).
        Throws:
        IllegalStateException - if this is a server socket or if the handshake has already started.
      • getApplicationProtocol

        public static String getApplicationProtocol(SSLSocket socket)
        Returns the ALPN protocol agreed upon by client and server.
        Parameters:
        socket - the socket
        Returns:
        the selected protocol or null if no protocol was agreed upon.
      • setApplicationProtocols

        public static void setApplicationProtocols(SSLSocket socket,
                                                   String[] protocols)
        Sets the application-layer protocols (ALPN) in prioritization order.
        Parameters:
        socket - the socket being configured
        protocols - the protocols in descending order of preference. If empty, no protocol indications will be used. This array will be copied.
        Throws:
        IllegalArgumentException - if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) string
      • getApplicationProtocols

        public static String[] getApplicationProtocols(SSLSocket socket)
        Gets the application-layer protocols (ALPN) in prioritization order.
        Parameters:
        socket - the socket
        Returns:
        the protocols in descending order of preference, or an empty array if protocol indications are not being used. Always returns a new array.
      • getTlsUnique

        public static byte[] getTlsUnique(SSLSocket socket)
        Returns the tls-unique channel binding value for this connection, per RFC 5929. This will return null if there is no such value available, such as if the handshake has not yet completed or this connection is closed.
      • exportKeyingMaterial

        public static byte[] exportKeyingMaterial(SSLSocket socket,
                                                  String label,
                                                  byte[] context,
                                                  int length)
                                           throws SSLException
        Exports a value derived from the TLS master secret as described in RFC 5705.
        Parameters:
        label - the label to use in calculating the exported value. This must be an ASCII-only string.
        context - the application-specific context value to use in calculating the exported value. This may be null to use no application context, which is treated differently than an empty byte array.
        length - the number of bytes of keying material to return.
        Returns:
        a value of the specified length, or null if the handshake has not yet completed or the connection has been closed.
        Throws:
        SSLException - if the value could not be exported.
      • isConscrypt

        public static boolean isConscrypt(SSLEngine engine)
        Indicates whether the given SSLEngine was created by this distribution of Conscrypt.
      • setBufferAllocator

        @ExperimentalApi
        public static void setBufferAllocator(SSLSocket socket,
                                              BufferAllocator bufferAllocator)
        Provides the given socket with the provided bufferAllocator. If the given socket is a Conscrypt socket but does not use buffer allocators, this method does nothing.
        Throws:
        IllegalArgumentException - if the provided socket is not a Conscrypt socket.
        IllegalStateException - if the provided socket has already begun its handshake.
      • setHostname

        public static void setHostname(SSLEngine engine,
                                       String hostname)
        This method enables Server Name Indication (SNI) and overrides the hostname supplied during engine creation.
        Parameters:
        engine - the engine
        hostname - the desired SNI hostname, or null to disable
      • getHostname

        public static String getHostname(SSLEngine engine)
        Returns either the hostname supplied during engine creation or via setHostname(SSLEngine, String). No DNS resolution is attempted before returning the hostname.
      • maxSealOverhead

        public static int maxSealOverhead(SSLEngine engine)
        Returns the maximum overhead, in bytes, of sealing a record with SSL.
      • setHandshakeListener

        public static void setHandshakeListener(SSLEngine engine,
                                                HandshakeListener handshakeListener)
        Sets a listener on the given engine for completion of the TLS handshake.
      • setChannelIdEnabled

        public static void setChannelIdEnabled(SSLEngine engine,
                                               boolean enabled)
        Enables/disables TLS Channel ID for the given server-side engine.

        This method needs to be invoked before the handshake starts.

        Parameters:
        engine - the engine
        enabled - Whether to enable channel ID.
        Throws:
        IllegalStateException - if this is a client engine or if the handshake has already started.
      • getChannelId

        public static byte[] getChannelId(SSLEngine engine)
                                   throws SSLException
        Gets the TLS Channel ID for the given server-side engine. Channel ID is only available once the handshake completes.
        Parameters:
        engine - the engine
        Returns:
        channel ID or null if not available.
        Throws:
        IllegalStateException - if this is a client engine or if the handshake has not yet completed.
        SSLException - if channel ID is available but could not be obtained.
      • setChannelIdPrivateKey

        public static void setChannelIdPrivateKey(SSLEngine engine,
                                                  PrivateKey privateKey)
        Sets the PrivateKey to be used for TLS Channel ID by this client engine.

        This method needs to be invoked before the handshake starts.

        Parameters:
        engine - the engine
        privateKey - private key (enables TLS Channel ID) or null for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).
        Throws:
        IllegalStateException - if this is a server engine or if the handshake has already started.
      • unwrap

        public static SSLEngineResult unwrap(SSLEngine engine,
                                             ByteBuffer[] srcs,
                                             ByteBuffer[] dsts)
                                      throws SSLException
        Extended unwrap method for multiple source and destination buffers.
        Parameters:
        engine - the target engine for the unwrap
        srcs - the source buffers
        dsts - the destination buffers
        Returns:
        the result of the unwrap operation
        Throws:
        SSLException - thrown if an SSL error occurred
      • unwrap

        public static SSLEngineResult unwrap(SSLEngine engine,
                                             ByteBuffer[] srcs,
                                             int srcsOffset,
                                             int srcsLength,
                                             ByteBuffer[] dsts,
                                             int dstsOffset,
                                             int dstsLength)
                                      throws SSLException
        Extended unwrap method for multiple source and destination buffers.
        Parameters:
        engine - the target engine for the unwrap.
        srcs - the source buffers
        srcsOffset - the offset in the srcs array of the first source buffer
        srcsLength - the number of source buffers starting at srcsOffset
        dsts - the destination buffers
        dstsOffset - the offset in the dsts array of the first destination buffer
        dstsLength - the number of destination buffers starting at dstsOffset
        Returns:
        the result of the unwrap operation
        Throws:
        SSLException - thrown if an SSL error occurred
      • setUseSessionTickets

        public static void setUseSessionTickets(SSLEngine engine,
                                                boolean useSessionTickets)
        This method enables session ticket support.
        Parameters:
        engine - the engine
        useSessionTickets - True to enable session tickets
      • setApplicationProtocols

        public static void setApplicationProtocols(SSLEngine engine,
                                                   String[] protocols)
        Sets the application-layer protocols (ALPN) in prioritization order.
        Parameters:
        engine - the engine being configured
        protocols - the protocols in descending order of preference. If empty, no protocol indications will be used. This array will be copied.
        Throws:
        IllegalArgumentException - if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) string
      • getApplicationProtocols

        public static String[] getApplicationProtocols(SSLEngine engine)
        Gets the application-layer protocols (ALPN) in prioritization order.
        Parameters:
        engine - the engine
        Returns:
        the protocols in descending order of preference, or an empty array if protocol indications are not being used. Always returns a new array.
      • getApplicationProtocol

        public static String getApplicationProtocol(SSLEngine engine)
        Returns the ALPN protocol agreed upon by client and server.
        Parameters:
        engine - the engine
        Returns:
        the selected protocol or null if no protocol was agreed upon.
      • getTlsUnique

        public static byte[] getTlsUnique(SSLEngine engine)
        Returns the tls-unique channel binding value for this connection, per RFC 5929. This will return null if there is no such value available, such as if the handshake has not yet completed or this connection is closed.
      • exportKeyingMaterial

        public static byte[] exportKeyingMaterial(SSLEngine engine,
                                                  String label,
                                                  byte[] context,
                                                  int length)
                                           throws SSLException
        Exports a value derived from the TLS master secret as described in RFC 5705.
        Parameters:
        label - the label to use in calculating the exported value. This must be an ASCII-only string.
        context - the application-specific context value to use in calculating the exported value. This may be null to use no application context, which is treated differently than an empty byte array.
        length - the number of bytes of keying material to return.
        Returns:
        a value of the specified length, or null if the handshake has not yet completed or the connection has been closed.
        Throws:
        SSLException - if the value could not be exported.
      • isConscrypt

        public static boolean isConscrypt(TrustManager trustManager)
        Indicates whether the given TrustManager was created by this distribution of Conscrypt.
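The following client is an added example, not code from the Conscrypt project, showing how the SSLSocket helpers documented above fit together: the pre-handshake configuration (setHostname, setApplicationProtocols, setUseSessionTickets), the isConscrypt guards that keep the static helpers from being called on a foreign provider's objects, and the post-handshake reads (getApplicationProtocol, getTlsUnique, exportKeyingMaterial) with the null results the documentation warns about handled explicitly. The class name ConscryptClientExample, the HandshakeFacts holder, the exporter label and the context bytes are constructed for this example; the SSLParameters endpoint-identification call is standard JSSE and is not part of this page, and initialising the context with ctx.init(null, null, null) to pick up the default key and trust managers is an assumption of the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.conscrypt.Conscrypt;

/** Added example (not Conscrypt project code): a TLS client using the Conscrypt SSLSocket helpers. */
public final class ConscryptClientExample {

    /** Constructed result holder for this example; not part of the Conscrypt API. */
    public static final class HandshakeFacts {
        public final String alpnProtocol; // null if no ALPN protocol was agreed upon
        public final byte[] tlsUnique;    // null if no tls-unique value is available for this connection
        public final byte[] exportedKey;  // RFC 5705 exporter output, never null here

        HandshakeFacts(String alpnProtocol, byte[] tlsUnique, byte[] exportedKey) {
            this.alpnProtocol = alpnProtocol;
            this.tlsUnique = tlsUnique;
            this.exportedKey = exportedKey;
        }
    }

    public static HandshakeFacts connect(String host, int port)
            throws IOException, GeneralSecurityException {
        // Fails fast with UnsatisfiedLinkError if the native library is not loadable.
        Conscrypt.checkAvailability();

        // Build the context from an explicit Conscrypt provider rather than relying on
        // whatever provider happens to be registered first in java.security.
        Provider provider = Conscrypt.newProvider();
        SSLContext ctx = SSLContext.getInstance("TLS", provider);
        ctx.init(null, null, null); // assumption: default key/trust managers are acceptable here
        if (!Conscrypt.isConscrypt(ctx)) {
            throw new IllegalStateException("SSLContext is not backed by Conscrypt");
        }

        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // The static helpers are only meaningful on Conscrypt's own socket types.
            if (!Conscrypt.isConscrypt(socket)) {
                throw new IllegalStateException("socket was not created by Conscrypt");
            }

            // Standard JSSE (not on this page): require the certificate to match the hostname.
            // Applied before the Conscrypt setters so it cannot overwrite them.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // All of these must be called before the handshake starts.
            Conscrypt.setHostname(socket, host);                 // sets the SNI name only
            Conscrypt.setApplicationProtocols(socket, new String[] {"h2", "http/1.1"});
            Conscrypt.setUseSessionTickets(socket, true);

            socket.startHandshake();

            // Post-handshake reads. Both of these are documented as possibly null.
            String alpn = Conscrypt.getApplicationProtocol(socket);
            byte[] tlsUnique = Conscrypt.getTlsUnique(socket);

            // RFC 5705 exporter. Label and context are constructed placeholders for this example;
            // null context is treated differently from an empty array, so pass what you mean.
            byte[] exporterContext = "example-context".getBytes(StandardCharsets.US_ASCII);
            byte[] ekm = Conscrypt.exportKeyingMaterial(
                    socket, "EXPERIMENTAL conscrypt-example", exporterContext, 32);
            if (ekm == null) {
                // Documented to happen only if the handshake has not completed or the
                // connection is closed; treat it as a hard failure rather than proceeding.
                throw new IllegalStateException("exporter returned null after handshake");
            }
            return new HandshakeFacts(alpn, tlsUnique, ekm);
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        HandshakeFacts facts = connect(host, port);
        System.out.println("ALPN: " + facts.alpnProtocol);
        System.out.println("tls-unique available: " + (facts.tlsUnique != null));
        System.out.println("exported key length: " + facts.exportedKey.length);
    }
}
```

The ordering matters: the Conscrypt setters and the SSLParameters call are all rejected or ignored once the handshake has begun, and the two getters return null until it has finished, so the example keeps a strict before/after split around startHandshake(). Note that setHostname only controls the SNI extension; it does not by itself cause the peer certificate to be checked against that name, which is why the JSSE endpoint-identification setting is applied alongside it.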