com.sun.jndi.ldap.ext
Class StartTlsResponseImpl

java.lang.Object
  extended by javax.naming.ldap.StartTlsResponse
      extended by com.sun.jndi.ldap.ext.StartTlsResponseImpl
All Implemented Interfaces:
java.io.Serializable, javax.naming.ldap.ExtendedResponse

public final class StartTlsResponseImpl
extends javax.naming.ldap.StartTlsResponse

This class implements the LDAPv3 Extended Response for StartTLS as defined in Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security The object identifier for StartTLS is 1.3.6.1.4.1.1466.20037 and no extended response value is defined.

The Start TLS extended request and response are used to establish a TLS connection over the existing LDAP connection associated with the JNDI context on which extendedOperation() is invoked.

Author:
Vincent Ryan
See Also:
StartTlsRequest, Serialized Form

Field Summary
private  javax.net.ssl.SSLSocketFactory currentFactory
           
private static boolean debug
           
private  javax.net.ssl.SSLSocketFactory defaultFactory
           
private static int DNSNAME_TYPE
           
private  java.lang.String hostname
           
private  boolean isClosed
           
private  com.sun.jndi.ldap.Connection ldapConnection
           
private  java.io.InputStream originalInputStream
           
private  java.io.OutputStream originalOutputStream
           
private static long serialVersionUID
           
private  javax.net.ssl.SSLSocket sslSocket
           
private  java.lang.String[] suites
           
private  javax.net.ssl.HostnameVerifier verifier
           
 
Fields inherited from class javax.naming.ldap.StartTlsResponse
OID
 
Constructor Summary
StartTlsResponseImpl()
           
 
Method Summary
 void close()
          Closes the TLS connection gracefully and reverts back to the underlying connection.
private  javax.net.ssl.SSLSocketFactory getDefaultFactory()
           
private static java.security.Principal getPeerPrincipal(javax.net.ssl.SSLSession session)
           
 javax.net.ssl.SSLSession negotiate()
          Negotiates a TLS session using the default SSL socket factory.
 javax.net.ssl.SSLSession negotiate(javax.net.ssl.SSLSocketFactory factory)
          Negotiates a TLS session using an SSL socket factory.
 void setConnection(com.sun.jndi.ldap.Connection ldapConnection, java.lang.String hostname)
          Sets the connection for TLS to use.
 void setEnabledCipherSuites(java.lang.String[] suites)
          Overrides the default list of cipher suites enabled for use on the TLS connection.
 void setHostnameVerifier(javax.net.ssl.HostnameVerifier verifier)
          Overrides the default hostname verifier used by negotiate() after the TLS handshake has completed.
private  javax.net.ssl.SSLSocket startHandshake(javax.net.ssl.SSLSocketFactory factory)
           
private  boolean verify(java.lang.String hostname, javax.net.ssl.SSLSession session)
           
 
Methods inherited from class javax.naming.ldap.StartTlsResponse
getEncodedValue, getID
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

debug

private static final boolean debug
See Also:
Constant Field Values

DNSNAME_TYPE

private static final int DNSNAME_TYPE
See Also:
Constant Field Values

hostname

private transient java.lang.String hostname

ldapConnection

private transient com.sun.jndi.ldap.Connection ldapConnection

originalInputStream

private transient java.io.InputStream originalInputStream

originalOutputStream

private transient java.io.OutputStream originalOutputStream

sslSocket

private transient javax.net.ssl.SSLSocket sslSocket

defaultFactory

private transient javax.net.ssl.SSLSocketFactory defaultFactory

currentFactory

private transient javax.net.ssl.SSLSocketFactory currentFactory

suites

private transient java.lang.String[] suites

verifier

private transient javax.net.ssl.HostnameVerifier verifier

isClosed

private transient boolean isClosed

serialVersionUID

private static final long serialVersionUID
See Also:
Constant Field Values
Constructor Detail

StartTlsResponseImpl

public StartTlsResponseImpl()
Method Detail

setEnabledCipherSuites

public void setEnabledCipherSuites(java.lang.String[] suites)
Overrides the default list of cipher suites enabled for use on the TLS connection. The cipher suites must have already been listed by SSLSocketFactory.getSupportedCipherSuites() as being supported. Even if a suite has been enabled, it still might not be used because the peer does not support it, or because the requisite certificates (and private keys) are not available.

Specified by:
setEnabledCipherSuites in class javax.naming.ldap.StartTlsResponse
Parameters:
suites - The non-null list of names of all the cipher suites to enable.
See Also:
negotiate()

setHostnameVerifier

public void setHostnameVerifier(javax.net.ssl.HostnameVerifier verifier)
Overrides the default hostname verifier used by negotiate() after the TLS handshake has completed. If setHostnameVerifier() has not been called before negotiate() is invoked, negotiate() will perform a simple case ignore match. If called after negotiate(), this method does not do anything.

Specified by:
setHostnameVerifier in class javax.naming.ldap.StartTlsResponse
Parameters:
verifier - The non-null hostname verifier callback.
See Also:
negotiate()

negotiate

public javax.net.ssl.SSLSession negotiate()
                                   throws java.io.IOException
Negotiates a TLS session using the default SSL socket factory.

This method is equivalent to negotiate(null).

Specified by:
negotiate in class javax.naming.ldap.StartTlsResponse
Returns:
The negotiated SSL session
Throws:
java.io.IOException
See Also:
setEnabledCipherSuites(java.lang.String[]), setHostnameVerifier(javax.net.ssl.HostnameVerifier)

negotiate

public javax.net.ssl.SSLSession negotiate(javax.net.ssl.SSLSocketFactory factory)
                                   throws java.io.IOException
Negotiates a TLS session using an SSL socket factory.

Creates an SSL socket using the supplied SSL socket factory and attaches it to the existing connection. Performs the TLS handshake and returns the negotiated session information.

If cipher suites have been set via setEnabledCipherSuites then they are enabled before the TLS handshake begins.

Hostname verification is performed after the TLS handshake completes. The default check performs a case insensitive match of the server's hostname against that in the server's certificate. The server's hostname is extracted from the subjectAltName in the server's certificate (if present). Otherwise the value of the common name attribute of the subject name is used. If a callback has been set via setHostnameVerifier then that verifier is used if the default check fails.

If an error occurs then the SSL socket is closed and an IOException is thrown. The underlying connection remains intact.

Specified by:
negotiate in class javax.naming.ldap.StartTlsResponse
Parameters:
factory - The possibly null SSL socket factory to use. If null, the default SSL socket factory is used.
Returns:
The negotiated SSL session
Throws:
java.io.IOException
See Also:
setEnabledCipherSuites(java.lang.String[]), setHostnameVerifier(javax.net.ssl.HostnameVerifier)

close

public void close()
           throws java.io.IOException
Closes the TLS connection gracefully and reverts back to the underlying connection.

Specified by:
close in class javax.naming.ldap.StartTlsResponse
Throws:
java.io.IOException

setConnection

public void setConnection(com.sun.jndi.ldap.Connection ldapConnection,
                          java.lang.String hostname)
Sets the connection for TLS to use. The TLS connection will be attached to this connection.

Parameters:
ldapConnection - The non-null connection to use.
hostname - The server's hostname. If null, the hostname used to open the connection will be used instead.

getDefaultFactory

private javax.net.ssl.SSLSocketFactory getDefaultFactory()
                                                  throws java.io.IOException
Throws:
java.io.IOException

startHandshake

private javax.net.ssl.SSLSocket startHandshake(javax.net.ssl.SSLSocketFactory factory)
                                        throws java.io.IOException
Throws:
java.io.IOException

verify

private boolean verify(java.lang.String hostname,
                       javax.net.ssl.SSLSession session)
                throws javax.net.ssl.SSLPeerUnverifiedException
Throws:
javax.net.ssl.SSLPeerUnverifiedException

getPeerPrincipal

private static java.security.Principal getPeerPrincipal(javax.net.ssl.SSLSession session)
                                                 throws javax.net.ssl.SSLPeerUnverifiedException
Throws:
javax.net.ssl.SSLPeerUnverifiedException