1
/*
2
 * Copyright (c) 2000, 2001, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
package javax.naming.ldap;
27

28
import java.io.IOException;
29
import javax.net.ssl.SSLSession;
30
import javax.net.ssl.SSLSocketFactory;
31
import javax.net.ssl.HostnameVerifier;
32

33
/**
34
 * This class implements the LDAPv3 Extended Response for StartTLS as
35
 * defined in
36
 * <a href="http://www.ietf.org/rfc/rfc2830.txt">Lightweight Directory
37
 * Access Protocol (v3): Extension for Transport Layer Security</a>
38
 *
39
 * The object identifier for StartTLS is 1.3.6.1.4.1.1466.20037
40
 * and no extended response value is defined.
41
 *
42
 *<p>
43
 * The Start TLS extended request and response are used to establish
44
 * a TLS connection over the existing LDAP connection associated with
45
 * the JNDI context on which {@code extendedOperation()} is invoked.
46
 * Typically, a JNDI program uses the StartTLS extended request and response
47
 * classes as follows.
48
 * <blockquote><pre>
49
 * import javax.naming.ldap.*;
50
 *
51
 * // Open an LDAP association
52
 * LdapContext ctx = new InitialLdapContext();
53
 *
54
 * // Perform a StartTLS extended operation
55
 * StartTlsResponse tls =
56
 *     (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
57
 *
58
 * // Open a TLS connection (over the existing LDAP association) and get details
59
 * // of the negotiated TLS session: cipher suite, peer certificate, ...
60
 * SSLSession session = tls.negotiate();
61
 *
62
 * // ... use ctx to perform protected LDAP operations
63
 *
64
 * // Close the TLS connection (revert back to the underlying LDAP association)
65
 * tls.close();
66
 *
67
 * // ... use ctx to perform unprotected LDAP operations
68
 *
69
 * // Close the LDAP association
70
 * ctx.close;
71
 * </pre></blockquote>
72
 *
73
 * @since 1.4
74
 * @see StartTlsRequest
75
 * @author Vincent Ryan
76
 */
77
public abstract class StartTlsResponse implements ExtendedResponse {
78

79
    // Constant
80

81
    /**
82
     * The StartTLS extended response's assigned object identifier
83
     * is 1.3.6.1.4.1.1466.20037.
84
     */
85
    public static final String OID = "1.3.6.1.4.1.1466.20037";
86

87

88
    // Called by subclass
89

90
    /**
91
     * Constructs a StartTLS extended response.
92
     * A concrete subclass must have a public no-arg constructor.
93
     */
94
    protected StartTlsResponse() {
95
    }
96

97

98
    // ExtendedResponse methods
99

100
    /**
101
     * Retrieves the StartTLS response's object identifier string.
102
     *
103
     * @return The object identifier string, "1.3.6.1.4.1.1466.20037".
104
     */
105
    public String getID() {
106
        return OID;
107
    }
108

109
    /**
110
     * Retrieves the StartTLS response's ASN.1 BER encoded value.
111
     * Since the response has no defined value, null is always
112
     * returned.
113
     *
114
     * @return The null value.
115
     */
116
    public byte[] getEncodedValue() {
117
        return null;
118
    }
119

120
    // StartTls-specific methods
121

122
    /**
123
     * Overrides the default list of cipher suites enabled for use on the
124
     * TLS connection. The cipher suites must have already been listed by
125
     * {@code SSLSocketFactory.getSupportedCipherSuites()} as being supported.
126
     * Even if a suite has been enabled, it still might not be used because
127
     * the peer does not support it, or because the requisite certificates
128
     * (and private keys) are not available.
129
     *
130
     * @param suites The non-null list of names of all the cipher suites to
131
     * enable.
132
     * @see #negotiate
133
     */
134
    public abstract void setEnabledCipherSuites(String[] suites);
135

136
    /**
137
     * Sets the hostname verifier used by {@code negotiate()}
138
     * after the TLS handshake has completed and the default hostname
139
     * verification has failed.
140
     * {@code setHostnameVerifier()} must be called before
141
     * {@code negotiate()} is invoked for it to have effect.
142
     * If called after
143
     * {@code negotiate()}, this method does not do anything.
144
     *
145
     * @param verifier The non-null hostname verifier callback.
146
     * @see #negotiate
147
     */
148
    public abstract void setHostnameVerifier(HostnameVerifier verifier);
149

150
    /**
151
     * Negotiates a TLS session using the default SSL socket factory.
152
     * <p>
153
     * This method is equivalent to {@code negotiate(null)}.
154
     *
155
     * @return The negotiated SSL session
156
     * @throws IOException If an IO error was encountered while establishing
157
     * the TLS session.
158
     * @see #setEnabledCipherSuites
159
     * @see #setHostnameVerifier
160
     */
161
    public abstract SSLSession negotiate() throws IOException;
162

163
    /**
164
     * Negotiates a TLS session using an SSL socket factory.
165
     * <p>
166
     * Creates an SSL socket using the supplied SSL socket factory and
167
     * attaches it to the existing connection. Performs the TLS handshake
168
     * and returns the negotiated session information.
169
     * <p>
170
     * If cipher suites have been set via {@code setEnabledCipherSuites}
171
     * then they are enabled before the TLS handshake begins.
172
     * <p>
173
     * Hostname verification is performed after the TLS handshake completes.
174
     * The default hostname verification performs a match of the server's
175
     * hostname against the hostname information found in the server's certificate.
176
     * If this verification fails and no callback has been set via
177
     * {@code setHostnameVerifier} then the negotiation fails.
178
     * If this verification fails and a callback has been set via
179
     * {@code setHostnameVerifier}, then the callback is used to determine whether
180
     * the negotiation succeeds.
181
     * <p>
182
     * If an error occurs then the SSL socket is closed and an IOException
183
     * is thrown. The underlying connection remains intact.
184
     *
185
     * @param factory The possibly null SSL socket factory to use.
186
     * If null, the default SSL socket factory is used.
187
     * @return The negotiated SSL session
188
     * @throws IOException If an IO error was encountered while establishing
189
     * the TLS session.
190
     * @see #setEnabledCipherSuites
191
     * @see #setHostnameVerifier
192
     */
193
    public abstract SSLSession negotiate(SSLSocketFactory factory)
194
        throws IOException;
195

196
    /**
197
     * Closes the TLS connection gracefully and reverts back to the underlying
198
     * connection.
199
     *
200
     * @throws IOException If an IO error was encountered while closing the
201
     * TLS connection
202
     */
203
    public abstract void close() throws IOException;
204

205
    private static final long serialVersionUID = 8372842182579276418L;
206
}
207

208