javax.net.ssl.SSLProtocolException Java Examples
The following examples show how to use
javax.net.ssl.SSLProtocolException.
Example #1
Source File: SignatureAlgorithmsExtension.java From openjdk-jdk9 with GNU General Public License v2.0 | 6 votes |
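/**
 * Parses a signature_algorithms hello extension from the handshake stream.
 *
 * <p>The body is a 16-bit byte count followed by (hash, signature) byte pairs. Every value
 * read here is supplied by the peer, so the declared list length is compared with the
 * enclosing extension length before any pair is consumed.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if the list is empty, disagrees with {@code len}, or holds
 *         an odd number of bytes
 * @throws IOException propagated from the stream accessors
 */
SignatureAlgorithmsExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_SIGNATURE_ALGORITHMS);

    algorithmsLen = s.getInt16();
    // + 2 = the two length bytes just read
    if (algorithmsLen == 0 || algorithmsLen + 2 != len) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    algorithms = new ArrayList<SignatureAndHashAlgorithm>();
    int remains = algorithmsLen;
    int sequence = 0;
    while (remains > 1) {    // needs at least two bytes
        int hash = s.getInt8();         // hash algorithm
        int signature = s.getInt8();    // signature algorithm

        SignatureAndHashAlgorithm algorithm =
            SignatureAndHashAlgorithm.valueOf(hash, signature, ++sequence);
        algorithms.add(algorithm);
        remains -= 2;  // one byte for hash, one byte for signature
    }

    if (remains != 0) {
        // An odd byte count leaves a dangling half pair. The message used to name
        // server_name (copy-paste slip); report the extension actually being parsed
        // so handshake failures are attributed correctly in logs.
        throw new SSLProtocolException("Invalid " + type + " extension");
    }
}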
Example #2
Source File: CertStatusExtension.java From Bytecoder with Apache License 2.0 | 6 votes |
/**
 * Decodes a certificate status response: a one-byte status type followed by a
 * 24-bit-length-prefixed payload, both taken from peer-supplied bytes.
 *
 * @param buffer extension body to decode
 * @throws SSLProtocolException if fewer than two bytes are available
 * @throws IOException propagated from the {@code Record} accessors
 */
private CertStatusResponseSpec(ByteBuffer buffer) throws IOException {
    final int available = buffer.remaining();
    if (available < 2) {
        throw new SSLProtocolException(
            "Invalid status_request extension: insufficient data");
    }

    // NOTE(review): one type byte plus a 24-bit length prefix is four bytes, so this
    // two-byte guard relies on Record.getBytes24 doing its own bounds check - confirm.
    final byte statusType = (byte) Record.getInt8(buffer);
    final byte[] payload = Record.getBytes24(buffer);

    if (statusType != CertStatusRequestType.OCSP.id) {
        // Unknown types are kept as an opaque response rather than rejected.
        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
            SSLLogger.info(
                "Unknown certificate status response (status type: " + statusType + ")");
        }
        this.statusResponse = new CertStatusResponse(statusType, payload);
    } else {
        this.statusResponse = new OCSPStatusResponse(statusType, payload);
    }
}
Example #3
Source File: RenegotiationInfoExtension.java From TencentKona-8 with GNU General Public License v2.0 | 6 votes |
/**
 * Parses a renegotiation_info hello extension: a one-byte length followed by that many
 * bytes of renegotiated_connection data.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if {@code len} is below one or disagrees with the inner length
 * @throws IOException propagated from the stream accessors
 */
RenegotiationInfoExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_RENEGOTIATION_INFO);

    // The body must hold at least its own length byte.
    if (len < 1) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    final int dataLen = s.getInt8();
    final int expectedLen = dataLen + 1;   // + 1 = the length byte just read
    if (expectedLen != len) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    renegotiated_connection = new byte[dataLen];
    if (dataLen != 0) {
        // NOTE(review): the value returned by read() is discarded here; confirm that
        // HandshakeInStream.read() fails on a short read, otherwise the tail of the
        // array would silently stay zero-filled.
        s.read(renegotiated_connection, 0, dataLen);
    }
}
Example #4
Source File: KeyShareExtension.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Decodes the ServerHello key_share extension, which carries exactly one entry.
 *
 * <pre>
 * struct {
 *     KeyShareEntry server_share;
 * } KeyShareServerHello;
 * </pre>
 *
 * @param buffer extension body to decode
 * @throws SSLProtocolException if the body is shorter than five bytes or has trailing data
 * @throws IOException propagated from the {@code Record} accessors
 */
private SHKeyShareSpec(ByteBuffer buffer) throws IOException {
    final int available = buffer.remaining();
    if (available < 5) {       // 5: minimal server_share
        throw new SSLProtocolException(
            "Invalid key_share extension: insufficient data (length=" + available + ")");
    }

    final int groupId = Record.getInt16(buffer);
    final byte[] keyExchangeBytes = Record.getBytes16(buffer);

    // Bytes left after the single entry mean the peer's framing is inconsistent.
    if (buffer.remaining() > 0) {
        throw new SSLProtocolException(
            "Invalid key_share extension: unknown extra data");
    }

    this.serverShare = new KeyShareEntry(groupId, keyExchangeBytes);
}
Example #5
Source File: KeyShareExtension.java From Bytecoder with Apache License 2.0 | 6 votes |
/**
 * Reads the single {@code KeyShareEntry} carried by a ServerHello key_share extension
 * ({@code struct { KeyShareEntry server_share; } KeyShareServerHello;}).
 *
 * @param buffer extension body to decode
 * @throws SSLProtocolException if fewer than five bytes are present or bytes remain after
 *         the entry
 * @throws IOException propagated from the {@code Record} accessors
 */
private SHKeyShareSpec(ByteBuffer buffer) throws IOException {
    final int bodyLength = buffer.remaining();
    final boolean tooShort = bodyLength < 5;    // 5: minimal server_share
    if (tooShort) {
        throw new SSLProtocolException(
            "Invalid key_share extension: "
                + "insufficient data (length=" + bodyLength + ")");
    }

    int namedGroup = Record.getInt16(buffer);
    byte[] share = Record.getBytes16(buffer);

    // Reject trailing bytes so the entry read above is the whole extension.
    boolean trailing = buffer.hasRemaining();
    if (trailing) {
        throw new SSLProtocolException(
            "Invalid key_share extension: unknown extra data");
    }

    this.serverShare = new KeyShareEntry(namedGroup, share);
}
Example #6
Source File: EllipticPointFormatsExtension.java From TencentKona-8 with GNU General Public License v2.0 | 6 votes |
/**
 * Parses an ec_point_formats hello extension and requires the uncompressed format.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if the peer's list lacks {@code FMT_UNCOMPRESSED}
 * @throws IOException propagated from the stream accessors
 */
EllipticPointFormatsExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_EC_POINT_FORMATS);

    // NOTE(review): len is never compared with the bytes consumed by getBytes8() in this
    // constructor; confirm the caller cross-checks the declared extension length.
    formats = s.getBytes8();

    // RFC 4492 says uncompressed points must always be supported; verify it anyway.
    boolean sawUncompressed = false;
    for (int candidate : formats) {
        if (candidate == FMT_UNCOMPRESSED) {
            sawUncompressed = true;
            break;
        }
    }

    if (!sawUncompressed) {
        throw new SSLProtocolException("Peer does not support uncompressed points");
    }
}
Example #7
Source File: SupportedGroupsExtension.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Decodes a supported_groups extension body into an array of 16-bit named-group ids.
 *
 * @param m extension body to decode
 * @throws SSLProtocolException if the body is under two bytes, has trailing bytes, or the
 *         list is null, empty or odd-sized
 * @throws IOException propagated from the {@code Record} accessors
 */
private SupportedGroupsSpec(ByteBuffer m) throws IOException {
    final boolean hasLengthPrefix = m.remaining() >= 2;    // 2: the length of the list
    if (!hasLengthPrefix) {
        throw new SSLProtocolException(
            "Invalid supported_groups extension: insufficient data");
    }

    final byte[] raw = Record.getBytes16(m);
    if (m.remaining() > 0) {
        throw new SSLProtocolException(
            "Invalid supported_groups extension: unknown extra data");
    }

    // Each id occupies two bytes, so an odd byte count cannot be a whole list.
    if (raw == null || raw.length == 0 || (raw.length & 1) != 0) {
        throw new SSLProtocolException(
            "Invalid supported_groups extension: incomplete data");
    }

    final int count = raw.length / 2;
    final int[] groupIds = new int[count];
    for (int k = 0; k < count; k++) {
        int high = raw[2 * k] & 0xFF;
        int low = raw[2 * k + 1] & 0xFF;
        groupIds[k] = (high << 8) | low;    // big-endian pair, masked to avoid sign extension
    }

    this.namedGroupsIds = groupIds;
}
Example #8
Source File: SignatureAlgorithmsExtension.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Decodes a signature_algorithms extension body into 16-bit signature scheme ids.
 *
 * @param buffer extension body to decode
 * @throws SSLProtocolException if the body is under two bytes, has trailing bytes, or the
 *         list is null, empty or odd-sized
 * @throws IOException propagated from the {@code Record} accessors
 */
SignatureSchemesSpec(ByteBuffer buffer) throws IOException {
    final int available = buffer.remaining();
    if (available < 2) {      // 2: the length of the list
        throw new SSLProtocolException(
            "Invalid signature_algorithms: insufficient data");
    }

    final byte[] raw = Record.getBytes16(buffer);
    if (buffer.remaining() > 0) {
        throw new SSLProtocolException(
            "Invalid signature_algorithms: unknown extra data");
    }

    // A scheme is a (hash, signature) byte pair; odd sizes leave a dangling byte.
    final boolean unusable = raw == null || raw.length == 0 || raw.length % 2 != 0;
    if (unusable) {
        throw new SSLProtocolException(
            "Invalid signature_algorithms: incomplete data");
    }

    final int count = raw.length / 2;
    final int[] decoded = new int[count];
    for (int k = 0; k < count; k++) {
        int hashByte = raw[2 * k] & 0xFF;
        int signByte = raw[2 * k + 1] & 0xFF;
        decoded[k] = (hashByte << 8) | signByte;
    }

    this.signatureSchemes = decoded;
}
Example #9
Source File: SupportedGroupsExtension.java From Bytecoder with Apache License 2.0 | 6 votes |
/**
 * Reads the named-group list of a supported_groups extension.
 *
 * <p>The wire form is a 16-bit-length-prefixed byte vector holding big-endian 16-bit ids.
 *
 * @param m extension body to decode
 * @throws SSLProtocolException if the length prefix is missing, bytes follow the list, or
 *         the list is null, empty or not a whole number of ids
 * @throws IOException propagated from the {@code Record} accessors
 */
private SupportedGroupsSpec(ByteBuffer m) throws IOException {
    if (m.remaining() <= 1) {      // 2: the length of the list
        throw new SSLProtocolException(
            "Invalid supported_groups extension: insufficient data");
    }

    byte[] listBytes = Record.getBytes16(m);

    // Nothing may follow the list inside this extension.
    boolean trailing = m.hasRemaining();
    if (trailing) {
        throw new SSLProtocolException(
            "Invalid supported_groups extension: unknown extra data");
    }

    boolean missing = (listBytes == null) || (listBytes.length == 0);
    if (missing || (listBytes.length % 2 != 0)) {
        throw new SSLProtocolException(
            "Invalid supported_groups extension: incomplete data");
    }

    int[] parsed = new int[listBytes.length / 2];
    int src = 0;
    for (int dst = 0; dst < parsed.length; dst++) {
        int msb = listBytes[src] & 0xFF;
        int lsb = listBytes[src + 1] & 0xFF;
        parsed[dst] = (msb << 8) | lsb;
        src += 2;
    }

    this.namedGroupsIds = parsed;
}
Example #10
Source File: SignatureAlgorithmsExtension.java From Bytecoder with Apache License 2.0 | 6 votes |
/**
 * Reads the scheme list of a signature_algorithms extension.
 *
 * <p>The wire form is a 16-bit-length-prefixed byte vector of (hash, signature) pairs,
 * each folded into one 16-bit scheme id.
 *
 * @param buffer extension body to decode
 * @throws SSLProtocolException if the length prefix is missing, bytes follow the list, or
 *         the list is null, empty or holds a dangling byte
 * @throws IOException propagated from the {@code Record} accessors
 */
SignatureSchemesSpec(ByteBuffer buffer) throws IOException {
    if (buffer.remaining() <= 1) {      // 2: the length of the list
        throw new SSLProtocolException(
            "Invalid signature_algorithms: insufficient data");
    }

    byte[] listBytes = Record.getBytes16(buffer);

    // Nothing may follow the list inside this extension.
    boolean trailing = buffer.hasRemaining();
    if (trailing) {
        throw new SSLProtocolException(
            "Invalid signature_algorithms: unknown extra data");
    }

    if (listBytes == null || listBytes.length == 0 || listBytes.length % 2 == 1) {
        throw new SSLProtocolException(
            "Invalid signature_algorithms: incomplete data");
    }

    int[] parsed = new int[listBytes.length / 2];
    int src = 0;
    for (int dst = 0; dst < parsed.length; dst++) {
        byte hash = listBytes[src];
        byte sign = listBytes[src + 1];
        parsed[dst] = ((hash & 0xFF) << 8) | (sign & 0xFF);
        src += 2;
    }

    this.signatureSchemes = parsed;
}
Example #11
Source File: CertificateAuthorityExtension.java From openjsse with GNU General Public License v2.0 | 6 votes |
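/**
 * Decodes a certificate_authorities extension body into X.500 distinguished names.
 *
 * <p>The body is a 16-bit byte length followed by 16-bit-length-prefixed encoded names.
 * All of it comes from the peer, so framing errors and undecodable names are reported as
 * {@link SSLProtocolException} instead of escaping as unchecked exceptions.
 *
 * @param buffer extension body to decode
 * @throws SSLProtocolException if the length prefix is missing, the declared size differs
 *         from the bytes present, or a name cannot be decoded
 * @throws IOException propagated from the {@code Record} accessors
 */
CertificateAuthoritiesSpec(ByteBuffer buffer) throws IOException {
    if (buffer.remaining() < 2) {      // 2: the length of the list
        // The message used to name signature_algorithms (copy-paste slip); name the
        // extension actually being parsed so failures are attributed correctly.
        throw new SSLProtocolException(
            "Invalid certificate_authorities: insufficient data");
    }

    // Byte length of the whole name list (not a count of entries): it is compared with
    // the bytes remaining in the buffer.
    int caLength = Record.getInt16(buffer);
    if (buffer.remaining() != caLength) {
        throw new SSLProtocolException(
            "Invalid certificate_authorities: incorrect data size");
    }

    ArrayList<X500Principal> dnList = new ArrayList<X500Principal>();
    while (buffer.hasRemaining()) {
        byte[] dn = Record.getBytes16(buffer);
        try {
            dnList.add(new X500Principal(dn));
        } catch (IllegalArgumentException iae) {
            // X500Principal(byte[]) rejects malformed encodings with an unchecked
            // exception; convert it so callers handling IOException see a clean
            // protocol failure for bad peer input.
            SSLProtocolException spe = new SSLProtocolException(
                "Invalid certificate_authorities: malformed distinguished name");
            spe.initCause(iae);
            throw spe;
        }
    }

    this.authorities = dnList.toArray(new X500Principal[dnList.size()]);
}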
Example #12
Source File: CertStatusExtension.java From openjsse with GNU General Public License v2.0 | 6 votes |
/**
 * Reads a certificate status response (status type byte, then a 24-bit-length-prefixed
 * payload) and wraps it in the matching response object.
 *
 * @param buffer extension body to decode
 * @throws SSLProtocolException if fewer than two bytes are available
 * @throws IOException propagated from the {@code Record} accessors
 */
private CertStatusResponseSpec(ByteBuffer buffer) throws IOException {
    if (buffer.remaining() <= 1) {
        throw new SSLProtocolException(
            "Invalid status_request extension: insufficient data");
    }

    // NOTE(review): the guard above admits 2- and 3-byte bodies although the type byte
    // plus the 24-bit length need four; presumably Record.getBytes24 rejects them - verify.
    byte kind = (byte) Record.getInt8(buffer);
    byte[] body = Record.getBytes24(buffer);

    boolean isOcsp = (kind == CertStatusRequestType.OCSP.id);
    if (isOcsp) {
        this.statusResponse = new OCSPStatusResponse(kind, body);
    } else {
        // Unrecognised status types are logged and retained as a generic response.
        boolean logHandshake = SSLLogger.isOn && SSLLogger.isOn("ssl,handshake");
        if (logHandshake) {
            SSLLogger.info(
                "Unknown certificate status response "
                    + "(status type: " + kind + ")");
        }
        this.statusResponse = new CertStatusResponse(kind, body);
    }
}
Example #13
Source File: SignatureAlgorithmsExtension.java From jdk8u60 with GNU General Public License v2.0 | 6 votes |
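/**
 * Parses a signature_algorithms hello extension from the handshake stream.
 *
 * <p>Wire form: a 16-bit byte count, then one (hash, signature) byte pair per algorithm.
 * The values are peer-controlled, so the count is validated against {@code len} first.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if the list is empty, disagrees with {@code len}, or holds
 *         an odd number of bytes
 * @throws IOException propagated from the stream accessors
 */
SignatureAlgorithmsExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_SIGNATURE_ALGORITHMS);

    algorithmsLen = s.getInt16();
    // + 2 = the two length bytes just read
    if (algorithmsLen == 0 || algorithmsLen + 2 != len) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    algorithms = new ArrayList<SignatureAndHashAlgorithm>();
    int remains = algorithmsLen;
    int sequence = 0;
    while (remains > 1) {    // needs at least two bytes
        int hash = s.getInt8();         // hash algorithm
        int signature = s.getInt8();    // signature algorithm

        SignatureAndHashAlgorithm algorithm =
            SignatureAndHashAlgorithm.valueOf(hash, signature, ++sequence);
        algorithms.add(algorithm);
        remains -= 2;  // one byte for hash, one byte for signature
    }

    if (remains != 0) {
        // Odd byte count: a half pair is left over. This message previously said
        // "server_name", which misattributed the failure to another extension.
        throw new SSLProtocolException("Invalid " + type + " extension");
    }
}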
Example #14
Source File: RenegotiationInfoExtension.java From dragonwell8_jdk with GNU General Public License v2.0 | 6 votes |
/**
 * Reads a renegotiation_info hello extension (length byte plus renegotiated_connection
 * bytes) and checks that the inner length matches the announced extension length.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if {@code len} is below one or disagrees with the inner length
 * @throws IOException propagated from the stream accessors
 */
RenegotiationInfoExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_RENEGOTIATION_INFO);

    // check the extension length: the length byte itself must be present
    if (len <= 0) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    int payloadLen = s.getInt8();
    boolean lengthsAgree = (payloadLen + 1 == len);   // + 1 = the byte we just read
    if (!lengthsAgree) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    renegotiated_connection = new byte[payloadLen];
    if (payloadLen != 0) {
        // NOTE(review): read()'s result is ignored; verify that HandshakeInStream.read()
        // throws on a short read so a truncated value cannot be accepted zero-padded.
        s.read(renegotiated_connection, 0, payloadLen);
    }
}
Example #15
Source File: SignatureAlgorithmsExtension.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 6 votes |
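/**
 * Parses a signature_algorithms hello extension from the handshake stream.
 *
 * <p>The peer sends a 16-bit byte count followed by (hash, signature) byte pairs; the
 * count must be non-zero and must account for the whole extension body.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if the list is empty, disagrees with {@code len}, or holds
 *         an odd number of bytes
 * @throws IOException propagated from the stream accessors
 */
SignatureAlgorithmsExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_SIGNATURE_ALGORITHMS);

    algorithmsLen = s.getInt16();
    // + 2 = the two length bytes just read
    if (algorithmsLen == 0 || algorithmsLen + 2 != len) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    algorithms = new ArrayList<SignatureAndHashAlgorithm>();
    int remains = algorithmsLen;
    int sequence = 0;
    while (remains > 1) {    // needs at least two bytes
        int hash = s.getInt8();         // hash algorithm
        int signature = s.getInt8();    // signature algorithm

        SignatureAndHashAlgorithm algorithm =
            SignatureAndHashAlgorithm.valueOf(hash, signature, ++sequence);
        algorithms.add(algorithm);
        remains -= 2;  // one byte for hash, one byte for signature
    }

    if (remains != 0) {
        // Leftover byte after the last full pair. The old text named server_name;
        // use the same type-derived message as the length check above.
        throw new SSLProtocolException("Invalid " + type + " extension");
    }
}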
Example #16
Source File: EllipticPointFormatsExtension.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 6 votes |
/**
 * Reads an ec_point_formats hello extension and rejects peers that omit the
 * uncompressed point format.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if {@code FMT_UNCOMPRESSED} is absent from the list
 * @throws IOException propagated from the stream accessors
 */
EllipticPointFormatsExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_EC_POINT_FORMATS);
    formats = s.getBytes8();

    // NOTE(review): the declared length (len) is unused here, so a mismatch between it
    // and the list actually read is not detected in this constructor - confirm upstream.

    // RFC 4492 says uncompressed points must always be supported.
    // Check just to make sure.
    boolean found = false;
    for (int fmt : formats) {
        found = (fmt == FMT_UNCOMPRESSED);
        if (found) {
            break;
        }
    }

    if (!found) {
        throw new SSLProtocolException
            ("Peer does not support uncompressed points");
    }
}
Example #17
Source File: RenegotiationInfoExtension.java From jdk8u60 with GNU General Public License v2.0 | 6 votes |
/**
 * Parses a renegotiation_info hello extension: one length byte, then that many bytes of
 * renegotiated_connection data, with the total checked against {@code len}.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if {@code len} is below one or disagrees with the inner length
 * @throws IOException propagated from the stream accessors
 */
RenegotiationInfoExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_RENEGOTIATION_INFO);

    // An empty body cannot even carry the inner length byte.
    if (len < 1) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    final int innerLen = s.getInt8();
    if (len != innerLen + 1) {   // + 1 = the byte we just read
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    final byte[] connectionData = new byte[innerLen];
    renegotiated_connection = connectionData;
    if (innerLen != 0) {
        // NOTE(review): the byte count returned by read() is not inspected; confirm
        // HandshakeInStream.read() itself reports truncated handshake data.
        s.read(connectionData, 0, innerLen);
    }
}
Example #18
Source File: SupportedEllipticPointFormatsExtension.java From jdk8u60 with GNU General Public License v2.0 | 6 votes |
/**
 * Parses an ec_point_formats hello extension and insists on the uncompressed format.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if the peer's list lacks {@code FMT_UNCOMPRESSED}
 * @throws IOException propagated from the stream accessors
 */
SupportedEllipticPointFormatsExtension(HandshakeInStream s, int len)
        throws IOException {
    super(ExtensionType.EXT_EC_POINT_FORMATS);

    // NOTE(review): len is not checked against the size of the list returned by
    // getBytes8(); confirm the enclosing parser validates the extension length.
    formats = s.getBytes8();

    // RFC 4492 says uncompressed points must always be supported; check regardless.
    boolean supportsUncompressed = false;
    for (int pointFormat : formats) {
        if (pointFormat != FMT_UNCOMPRESSED) {
            continue;
        }
        supportsUncompressed = true;
        break;
    }

    if (!supportsUncompressed) {
        throw new SSLProtocolException("Peer does not support uncompressed points");
    }
}
Example #19
Source File: RenegotiationInfoExtension.java From openjdk-jdk8u with GNU General Public License v2.0 | 6 votes |
/**
 * Reads a renegotiation_info hello extension and stores its renegotiated_connection bytes.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if {@code len} is below one or disagrees with the inner length
 * @throws IOException propagated from the stream accessors
 */
RenegotiationInfoExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_RENEGOTIATION_INFO);

    // check the extension length before touching the stream
    boolean hasLengthByte = len >= 1;
    if (!hasLengthByte) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    int infoLen = s.getInt8();
    int consumedIfValid = infoLen + 1;   // + 1 = the byte we just read
    if (consumedIfValid != len) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    renegotiated_connection = new byte[infoLen];
    if (infoLen != 0) {
        // NOTE(review): read() may report fewer bytes than requested and that result is
        // dropped here; confirm HandshakeInStream.read() fails instead of returning short.
        s.read(renegotiated_connection, 0, infoLen);
    }
}
Example #20
Source File: SignatureAlgorithmsExtension.java From dragonwell8_jdk with GNU General Public License v2.0 | 6 votes |
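/**
 * Parses a signature_algorithms hello extension from the handshake stream.
 *
 * <p>Layout: 16-bit byte count, then (hash, signature) byte pairs. Input is untrusted, so
 * the count is checked against the announced extension length before pairs are read.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if the list is empty, disagrees with {@code len}, or holds
 *         an odd number of bytes
 * @throws IOException propagated from the stream accessors
 */
SignatureAlgorithmsExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_SIGNATURE_ALGORITHMS);

    algorithmsLen = s.getInt16();
    // + 2 = the two length bytes just read
    if (algorithmsLen == 0 || algorithmsLen + 2 != len) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    algorithms = new ArrayList<SignatureAndHashAlgorithm>();
    int remains = algorithmsLen;
    int sequence = 0;
    while (remains > 1) {    // needs at least two bytes
        int hash = s.getInt8();         // hash algorithm
        int signature = s.getInt8();    // signature algorithm

        SignatureAndHashAlgorithm algorithm =
            SignatureAndHashAlgorithm.valueOf(hash, signature, ++sequence);
        algorithms.add(algorithm);
        remains -= 2;  // one byte for hash, one byte for signature
    }

    if (remains != 0) {
        // A single byte is left over, so the list was not made of whole pairs. The
        // message used to read "server_name"; it now names this extension.
        throw new SSLProtocolException("Invalid " + type + " extension");
    }
}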
Example #21
Source File: SignatureAlgorithmsExtension.java From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
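/**
 * Parses a signature_algorithms hello extension from the handshake stream.
 *
 * <p>The extension body is a 16-bit byte count and then that many bytes of
 * (hash, signature) pairs, all supplied by the peer.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if the list is empty, disagrees with {@code len}, or holds
 *         an odd number of bytes
 * @throws IOException propagated from the stream accessors
 */
SignatureAlgorithmsExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_SIGNATURE_ALGORITHMS);

    algorithmsLen = s.getInt16();
    // + 2 = the two length bytes just read
    if (algorithmsLen == 0 || algorithmsLen + 2 != len) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    algorithms = new ArrayList<SignatureAndHashAlgorithm>();
    int remains = algorithmsLen;
    int sequence = 0;
    while (remains > 1) {    // needs at least two bytes
        int hash = s.getInt8();         // hash algorithm
        int signature = s.getInt8();    // signature algorithm

        SignatureAndHashAlgorithm algorithm =
            SignatureAndHashAlgorithm.valueOf(hash, signature, ++sequence);
        algorithms.add(algorithm);
        remains -= 2;  // one byte for hash, one byte for signature
    }

    if (remains != 0) {
        // Trailing odd byte. Corrected from a stale "server_name" message so the alert
        // and any logs point at the extension that was actually malformed.
        throw new SSLProtocolException("Invalid " + type + " extension");
    }
}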
Example #22
Source File: SignatureAlgorithmsExtension.java From openjdk-jdk8u with GNU General Public License v2.0 | 6 votes |
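/**
 * Parses a signature_algorithms hello extension from the handshake stream.
 *
 * <p>Reads a 16-bit byte count and then (hash, signature) byte pairs until the count is
 * used up; the count must be non-zero, even, and consistent with {@code len}.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if the list is empty, disagrees with {@code len}, or holds
 *         an odd number of bytes
 * @throws IOException propagated from the stream accessors
 */
SignatureAlgorithmsExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_SIGNATURE_ALGORITHMS);

    algorithmsLen = s.getInt16();
    // + 2 = the two length bytes just read
    if (algorithmsLen == 0 || algorithmsLen + 2 != len) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    algorithms = new ArrayList<SignatureAndHashAlgorithm>();
    int remains = algorithmsLen;
    int sequence = 0;
    while (remains > 1) {    // needs at least two bytes
        int hash = s.getInt8();         // hash algorithm
        int signature = s.getInt8();    // signature algorithm

        SignatureAndHashAlgorithm algorithm =
            SignatureAndHashAlgorithm.valueOf(hash, signature, ++sequence);
        algorithms.add(algorithm);
        remains -= 2;  // one byte for hash, one byte for signature
    }

    if (remains != 0) {
        // Odd-sized list. The literal "server_name" here was a copy-paste error;
        // build the message from this extension's own type instead.
        throw new SSLProtocolException("Invalid " + type + " extension");
    }
}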
Example #23
Source File: EllipticPointFormatsExtension.java From openjdk-jdk8u with GNU General Public License v2.0 | 6 votes |
/**
 * Parses an ec_point_formats hello extension; the peer must list the uncompressed format.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if {@code FMT_UNCOMPRESSED} is not among the peer's formats
 * @throws IOException propagated from the stream accessors
 */
EllipticPointFormatsExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_EC_POINT_FORMATS);

    // NOTE(review): nothing in this constructor ties len to the bytes getBytes8()
    // consumes; confirm the declared extension length is validated elsewhere.
    formats = s.getBytes8();

    // RFC 4492 says uncompressed points must always be supported, but the list comes
    // from the peer, so it is checked rather than assumed.
    boolean hasUncompressed = false;
    for (int entry : formats) {
        if (entry == FMT_UNCOMPRESSED) {
            hasUncompressed = true;
            break;
        }
    }

    if (hasUncompressed) {
        return;
    }
    throw new SSLProtocolException("Peer does not support uncompressed points");
}
Example #24
Source File: RenegotiationInfoExtension.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 6 votes |
/**
 * Parses a renegotiation_info hello extension, validating its one-byte inner length
 * against the announced extension length before copying the data.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if {@code len} is below one or disagrees with the inner length
 * @throws IOException propagated from the stream accessors
 */
RenegotiationInfoExtension(HandshakeInStream s, int len) throws IOException {
    super(ExtensionType.EXT_RENEGOTIATION_INFO);

    // check the extension length
    if (len < 1) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    final int declared = s.getInt8();
    final boolean mismatch = (declared + 1) != len;   // + 1 = the byte we just read
    if (mismatch) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    renegotiated_connection = new byte[declared];
    if (declared != 0) {
        // NOTE(review): the return value of read() is ignored; verify against
        // HandshakeInStream that an incomplete read raises rather than returns short.
        s.read(renegotiated_connection, 0, declared);
    }
}
Example #25
Source File: SessionId.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Verifies that the session ID is no longer than {@code MAX_LENGTH} bytes, the upper
 * bound called out in the specification.
 *
 * @param pv negotiated protocol version; not consulted by the current check
 * @throws SSLProtocolException if the session ID exceeds {@code MAX_LENGTH}
 */
void checkLength(ProtocolVersion pv) throws SSLProtocolException {
    // As of today all versions of TLS share a 32-byte maximum, so pv is unused.
    // A future protocol version with a longer limit could branch on it here.
    final int actualLength = sessionId.length;
    if (actualLength <= MAX_LENGTH) {
        return;
    }
    throw new SSLProtocolException("Invalid session ID length (" +
        actualLength + " bytes)");
}
Example #26
Source File: MaxFragExtension.java From Bytecoder with Apache License 2.0 | 5 votes |
/**
 * Decodes a max_fragment_length extension body, which must be exactly one byte.
 *
 * @param buffer extension body to decode
 * @throws SSLProtocolException if the body is not exactly one byte long
 * @throws IOException declared by the constructor signature
 */
private MaxFragLenSpec(ByteBuffer buffer) throws IOException {
    final boolean singleByte = (buffer.remaining() == 1);
    if (!singleByte) {
        throw new SSLProtocolException(
            "Invalid max_fragment_length extension data");
    }

    // The id is stored as received; nothing in this constructor range-checks it.
    final byte fragmentLengthId = buffer.get();
    this.id = fragmentLengthId;
}
Example #27
Source File: SupportedEllipticCurvesExtension.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Parses an elliptic_curves hello extension: a 16-bit byte count followed by 16-bit
 * curve ids.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if {@code len} is odd or disagrees with the inner count
 * @throws IOException propagated from the stream accessors
 */
SupportedEllipticCurvesExtension(HandshakeInStream s, int len)
        throws IOException {
    super(ExtensionType.EXT_ELLIPTIC_CURVES);

    final int listBytes = s.getInt16();
    final boolean oddLength = (len & 1) != 0;
    final boolean lengthMismatch = (listBytes + 2 != len);   // 2 = the count just read
    if (oddLength || lengthMismatch) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    // Note: unknown curves will be ignored later.
    curveIds = new int[listBytes >> 1];
    int slot = 0;
    while (slot < curveIds.length) {
        curveIds[slot] = s.getInt16();
        slot++;
    }
}
Example #28
Source File: SupportedEllipticCurvesExtension.java From jdk8u60 with GNU General Public License v2.0 | 5 votes |
/**
 * Reads an elliptic_curves hello extension into an array of 16-bit curve ids.
 *
 * <p>The inner 16-bit byte count must equal {@code len - 2} and {@code len} must be even,
 * so the list always holds a whole number of ids.
 *
 * @param s   handshake input positioned at the start of the extension body
 * @param len extension body length announced by the enclosing extension header
 * @throws SSLProtocolException if {@code len} is odd or disagrees with the inner count
 * @throws IOException propagated from the stream accessors
 */
SupportedEllipticCurvesExtension(HandshakeInStream s, int len)
        throws IOException {
    super(ExtensionType.EXT_ELLIPTIC_CURVES);

    int declaredBytes = s.getInt16();
    if ((len & 1) != 0) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }
    if (declaredBytes + 2 != len) {
        throw new SSLProtocolException("Invalid " + type + " extension");
    }

    final int idCount = declaredBytes >> 1;   // two bytes per curve id
    curveIds = new int[idCount];
    for (int n = 0; n < curveIds.length; n++) {
        int curveId = s.getInt16();
        curveIds[n] = curveId;
    }
}
Example #29
Source File: ConnectionSpecSelector.java From styT with Apache License 2.0 | 5 votes |
/**
 * Records a failed connection attempt and decides whether another {@link ConnectionSpec}
 * should be tried.
 *
 * <p>Retrying with a fallback spec changes the TLS configuration offered to the peer, so
 * failures that point at certificate or peer-verification problems are never retried.
 *
 * @param e the failure raised by the attempt
 * @return {@code true} if the connection should be retried using {@link
 *     #configureSecureSocket(SSLSocket)} or {@code false} if not
 */
public boolean connectionFailed(IOException e) {
    // From now on every attempt made with this strategy counts as a fallback attempt.
    isFallback = true;

    if (!isFallbackPossible) {
        return false;
    }

    // Protocol problems are not recoverable. Neither are interruptions or timeouts
    // (SocketTimeoutException): after a connect timeout the host is assumed unreachable,
    // so the same host is not retried with a different ConnectionSpec.
    if (e instanceof ProtocolException || e instanceof InterruptedIOException) {
        return false;
    }

    final boolean handshakeFailure = e instanceof SSLHandshakeException;

    // A CertificateException raised by the X509TrustManager will not be fixed by
    // changing the connection spec.
    if (handshakeFailure && e.getCause() instanceof CertificateException) {
        return false;
    }

    // e.g. a certificate pinning error.
    if (e instanceof SSLPeerUnverifiedException) {
        return false;
    }

    // On Android, SSLProtocolExceptions can be caused by TLS_FALLBACK_SCSV failures, which
    // means we retry those when we probably should not.
    if (handshakeFailure) {
        return true;
    }
    return e instanceof SSLProtocolException;
}
Example #30
Source File: ECPointFormatsExtension.java From Bytecoder with Apache License 2.0 | 5 votes |
/**
 * Decodes an ec_point_formats extension body as an 8-bit-length-prefixed byte vector.
 *
 * @param m extension body to decode
 * @throws SSLProtocolException if the body is empty
 * @throws IOException propagated from {@code Record.getBytes8}
 */
private ECPointFormatsSpec(ByteBuffer m) throws IOException {
    final boolean empty = m.remaining() < 1;
    if (empty) {
        throw new SSLProtocolException(
            "Invalid ec_point_formats extension: insufficient data");
    }

    // Only emptiness is checked here; bounds on the vector itself are left to
    // Record.getBytes8 (presumably enforced there - verify).
    final byte[] decoded = Record.getBytes8(m);
    this.formats = decoded;
}