pingidentity
diff --git a/‎src/main/java/sun/security/ssl/ALPNExtension.java‎
Lines changed: 168 additions & 0 deletions b/‎src/main/java/sun/security/ssl/ALPNExtension.java‎
Lines changed: 168 additions & 0 deletions
diff --git a/‎src/main/java/sun/security/ssl/Alerts.java‎
Lines changed: 223 additions & 0 deletions b/‎src/main/java/sun/security/ssl/Alerts.java‎
Lines changed: 223 additions & 0 deletions
@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.charset.*;
+import java.util.*;
+
+import javax.net.ssl.*;
+
+/*
+ * [RFC 7301]
+ * This TLS extension facilitates the negotiation of application-layer protocols
+ * within the TLS handshake. Clients MAY include an extension of type
+ * "application_layer_protocol_negotiation" in the (extended) ClientHello
+ * message. The "extension_data" field of this extension SHALL contain a
+ * "ProtocolNameList" value:
+ *
+ *     enum {
+ *         application_layer_protocol_negotiation(16), (65535)
+ *     } ExtensionType;
+ *
+ *     opaque ProtocolName<1..2^8-1>;
+ *
+ *     struct {
+ *         ProtocolName protocol_name_list<2..2^16-1>
+ *     } ProtocolNameList;
+ */
+final class ALPNExtension extends HelloExtension {
+
+    final static int ALPN_HEADER_LENGTH = 1;
+    final static int MAX_APPLICATION_PROTOCOL_LENGTH = 255;
+    final static int MAX_APPLICATION_PROTOCOL_LIST_LENGTH = 65535;
+    private int listLength = 0;     // ProtocolNameList length
+    private List<String> protocolNames = null;
+
+    // constructor for ServerHello
+    ALPNExtension(String protocolName) throws SSLException {
+        this(new String[]{ protocolName });
+    }
+
+    // constructor for ClientHello
+    ALPNExtension(String[] protocolNames) throws SSLException {
+        super(ExtensionType.EXT_ALPN);
+        if (protocolNames.length == 0) { // never null, never empty
+            throw new IllegalArgumentException(
+                "The list of application protocols cannot be empty");
+        }
+        this.protocolNames = Arrays.asList(protocolNames);
+        for (String p : protocolNames) {
+            int length = p.getBytes(StandardCharsets.UTF_8).length;
+            if (length == 0) {
+                throw new SSLProtocolException(
+                    "Application protocol name is empty");
+            }
+            if (length <= MAX_APPLICATION_PROTOCOL_LENGTH) {
+                listLength += length + ALPN_HEADER_LENGTH;
+            } else {
+                throw new SSLProtocolException(
+                    "Application protocol name is too long: " + p);
+            }
+            if (listLength > MAX_APPLICATION_PROTOCOL_LIST_LENGTH) {
+                throw new SSLProtocolException(
+                    "Application protocol name list is too long");
+            }
+        }
+    }
+
+    // constructor for ServerHello for parsing ALPN extension
+    ALPNExtension(HandshakeInStream s, int len) throws IOException {
+        super(ExtensionType.EXT_ALPN);
+
+        if (len >= 2) {
+            listLength = s.getInt16(); // list length
+            if (listLength < 2 || listLength + 2 != len) {
+                throw new SSLProtocolException(
+                    "Invalid " + type + " extension: incorrect list length " +
+                    "(length=" + listLength + ")");
+            }
+        } else {
+            throw new SSLProtocolException(
+                "Invalid " + type + " extension: insufficient data " +
+                "(length=" + len + ")");
+        }
+
+        int remaining = listLength;
+        this.protocolNames = new ArrayList<>();
+        while (remaining > 0) {
+            // opaque ProtocolName<1..2^8-1>; // RFC 7301
+            byte[] bytes = s.getBytes8();
+            if (bytes.length == 0) {
+                throw new SSLProtocolException("Invalid " + type +
+                    " extension: empty application protocol name");
+            }
+            String p =
+                new String(bytes, StandardCharsets.UTF_8); // app protocol
+            protocolNames.add(p);
+            remaining -= bytes.length + ALPN_HEADER_LENGTH;
+        }
+
+        if (remaining != 0) {
+            throw new SSLProtocolException(
+                "Invalid " + type + " extension: extra data " +
+                "(length=" + remaining + ")");
+        }
+    }
+
+    List<String> getPeerAPs() {
+        return protocolNames;
+    }
+
+    /*
+     * Return the length in bytes, including extension type and length fields.
+     */
+    @Override
+    int length() {
+        return 6 + listLength;
+    }
+
+    @Override
+    void send(HandshakeOutStream s) throws IOException {
+        s.putInt16(type.id);
+        s.putInt16(listLength + 2); // length of extension_data
+        s.putInt16(listLength);     // length of ProtocolNameList
+
+        for (String p : protocolNames) {
+            s.putBytes8(p.getBytes(StandardCharsets.UTF_8));
+        }
+    }
+
+    @Override
+    public String toString() {
+        StringBuilder sb = new StringBuilder();
+        if (protocolNames == null || protocolNames.isEmpty()) {
+            sb.append("<empty>");
+        } else {
+            for (String protocolName : protocolNames) {
+                sb.append("[" + protocolName + "]");
+            }
+        }
+
+        return "Extension " + type +
+            ", protocol names: " + sb;
+    }
+}
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import javax.net.ssl.*;
+
+/*
+ * A simple class to congregate alerts, their definitions, and common
+ * support methods.
+ */
+
+final class Alerts {
+
+    /*
+     * Alerts are always a fixed two byte format (level/description).
+     */
+
+    // warnings and fatal errors are package private facilities/constants
+
+    // Alert levels (enum AlertLevel)
+    static final byte           alert_warning = 1;
+    static final byte           alert_fatal = 2;
+
+    /*
+     * Alert descriptions (enum AlertDescription)
+     *
+     * We may not use them all in our processing, but if someone
+     * sends us one, we can at least convert it to a string for the
+     * user.
+     */
+    static final byte           alert_close_notify = 0;
+    static final byte           alert_unexpected_message = 10;
+    static final byte           alert_bad_record_mac = 20;
+    static final byte           alert_decryption_failed = 21;
+    static final byte           alert_record_overflow = 22;
+    static final byte           alert_decompression_failure = 30;
+    static final byte           alert_handshake_failure = 40;
+    static final byte           alert_no_certificate = 41;
+    static final byte           alert_bad_certificate = 42;
+    static final byte           alert_unsupported_certificate = 43;
+    static final byte           alert_certificate_revoked = 44;
+    static final byte           alert_certificate_expired = 45;
+    static final byte           alert_certificate_unknown = 46;
+    static final byte           alert_illegal_parameter = 47;
+    static final byte           alert_unknown_ca = 48;
+    static final byte           alert_access_denied = 49;
+    static final byte           alert_decode_error = 50;
+    static final byte           alert_decrypt_error = 51;
+    static final byte           alert_export_restriction = 60;
+    static final byte           alert_protocol_version = 70;
+    static final byte           alert_insufficient_security = 71;
+    static final byte           alert_internal_error = 80;
+    static final byte           alert_user_canceled = 90;
+    static final byte           alert_no_renegotiation = 100;
+
+    // from RFC 3546 (TLS Extensions)
+    static final byte           alert_unsupported_extension = 110;
+    static final byte           alert_certificate_unobtainable = 111;
+    static final byte           alert_unrecognized_name = 112;
+    static final byte           alert_bad_certificate_status_response = 113;
+    static final byte           alert_bad_certificate_hash_value = 114;
+
+    // from RFC 7301 (TLS ALPN Extension)
+    static final byte           alert_no_application_protocol = 120;
+
+    static String alertDescription(byte code) {
+        switch (code) {
+
+        case alert_close_notify:
+            return "close_notify";
+        case alert_unexpected_message:
+            return "unexpected_message";
+        case alert_bad_record_mac:
+            return "bad_record_mac";
+        case alert_decryption_failed:
+            return "decryption_failed";
+        case alert_record_overflow:
+            return "record_overflow";
+        case alert_decompression_failure:
+            return "decompression_failure";
+        case alert_handshake_failure:
+            return "handshake_failure";
+        case alert_no_certificate:
+            return "no_certificate";
+        case alert_bad_certificate:
+            return "bad_certificate";
+        case alert_unsupported_certificate:
+            return "unsupported_certificate";
+        case alert_certificate_revoked:
+            return "certificate_revoked";
+        case alert_certificate_expired:
+            return "certificate_expired";
+        case alert_certificate_unknown:
+            return "certificate_unknown";
+        case alert_illegal_parameter:
+            return "illegal_parameter";
+        case alert_unknown_ca:
+            return "unknown_ca";
+        case alert_access_denied:
+            return "access_denied";
+        case alert_decode_error:
+            return "decode_error";
+        case alert_decrypt_error:
+            return "decrypt_error";
+        case alert_export_restriction:
+            return "export_restriction";
+        case alert_protocol_version:
+            return "protocol_version";
+        case alert_insufficient_security:
+            return "insufficient_security";
+        case alert_internal_error:
+            return "internal_error";
+        case alert_user_canceled:
+            return "user_canceled";
+        case alert_no_renegotiation:
+            return "no_renegotiation";
+        case alert_unsupported_extension:
+            return "unsupported_extension";
+        case alert_certificate_unobtainable:
+            return "certificate_unobtainable";
+        case alert_unrecognized_name:
+            return "unrecognized_name";
+        case alert_bad_certificate_status_response:
+            return "bad_certificate_status_response";
+        case alert_bad_certificate_hash_value:
+            return "bad_certificate_hash_value";
+        case alert_no_application_protocol:
+            return "no_application_protocol";
+
+        default:
+            return "<UNKNOWN ALERT: " + (code & 0x0ff) + ">";
+        }
+    }
+
+    static SSLException getSSLException(byte description, String reason) {
+        return getSSLException(description, null, reason);
+    }
+
+    /*
+     * Try to be a little more specific in our choice of
+     * exceptions to throw.
+     */
+    static SSLException getSSLException(byte description, Throwable cause,
+            String reason) {
+
+        SSLException e;
+        // the SSLException classes do not have a no-args constructor
+        // make up a message if there is none
+        if (reason == null) {
+            if (cause != null) {
+                reason = cause.toString();
+            } else {
+                reason = "";
+            }
+        }
+        switch (description) {
+        case alert_handshake_failure:
+        case alert_no_certificate:
+        case alert_bad_certificate:
+        case alert_unsupported_certificate:
+        case alert_certificate_revoked:
+        case alert_certificate_expired:
+        case alert_certificate_unknown:
+        case alert_unknown_ca:
+        case alert_access_denied:
+        case alert_decrypt_error:
+        case alert_export_restriction:
+        case alert_insufficient_security:
+        case alert_unsupported_extension:
+        case alert_certificate_unobtainable:
+        case alert_unrecognized_name:
+        case alert_bad_certificate_status_response:
+        case alert_bad_certificate_hash_value:
+        case alert_no_application_protocol:
+            e = new SSLHandshakeException(reason);
+            break;
+
+        case alert_close_notify:
+        case alert_unexpected_message:
+        case alert_bad_record_mac:
+        case alert_decryption_failed:
+        case alert_record_overflow:
+        case alert_decompression_failure:
+        case alert_illegal_parameter:
+        case alert_decode_error:
+        case alert_protocol_version:
+        case alert_internal_error:
+        case alert_user_canceled:
+        case alert_no_renegotiation:
+        default:
+            e = new SSLException(reason);
+            break;
+        }
+
+        if (cause != null) {
+            e.initCause(cause);
+        }
+        return e;
+    }
+}