Package: org.conscrypt

Conscrypt

public final class Conscrypt
Core API for creating and configuring all Conscrypt types.

Public Methods

isAvailable

public static boolean isAvailable()
Returns true if the Conscrypt native library has been successfully loaded.

isBoringSslFIPSBuild

public static boolean isBoringSslFIPSBuild()
Return true if BoringSSL has been built in FIPS mode.

version

public static Version version()
Returns the version of this distribution of Conscrypt. If version information is unavailable, returns null.

checkAvailability

public static void checkAvailability()
Checks that Conscrypt support is available on this system, i.e. that the native library could be loaded.
Throws
UnsatisfiedLinkError if unavailable

isConscrypt

public static boolean isConscrypt(Provider provider)
Indicates whether the given Provider was created by this distribution of Conscrypt.

newProvider

public static Provider newProvider()
Constructs a new Provider with the default name.

newProvider

public static Provider newProvider(String providerName)
Constructs a new Provider with the given name.

newProviderBuilder

public static ProviderBuilder newProviderBuilder()
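
Added example (not part of this API reference or of the Conscrypt project's own code) showing the startup sequence the methods above are meant for: check availability, install the provider, build an SSLContext from it and prove the context really came from Conscrypt. It assumes the Version nested class exposes major(), minor() and patch() accessors, which this page lists only by name.

```java
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import org.conscrypt.Conscrypt;

/** Installs Conscrypt and verifies that the resulting SSLContext is Conscrypt's, not the JDK's. */
public final class ConscryptBootstrap {

    private ConscryptBootstrap() {}

    /**
     * Makes Conscrypt the most-preferred provider. Position 1 means every JCA/JSSE lookup that
     * Conscrypt can serve (SSLContext, Cipher, MessageDigest, ...) now resolves to Conscrypt,
     * so do this once, at startup, and not from library code that does not own the process.
     */
    public static Provider installAsPreferred() {
        // Fails fast with UnsatisfiedLinkError if the native library is missing:
        // better at startup than at the first TLS handshake.
        Conscrypt.checkAvailability();
        Provider provider = Conscrypt.newProvider();
        // insertProviderAt returns -1 and installs nothing if a provider with the same name exists.
        if (Security.getProvider(provider.getName()) == null) {
            Security.insertProviderAt(provider, 1);
        }
        return provider;
    }

    /** Builds a context bound to this provider explicitly, independent of global provider order. */
    public static SSLContext conscryptContext(Provider provider) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS", provider);
        ctx.init(null, null, null); // default key managers, default trust store, default SecureRandom
        if (!Conscrypt.isConscrypt(ctx)) {
            throw new IllegalStateException("expected a Conscrypt SSLContext, got " + ctx.getProvider());
        }
        return ctx;
    }

    /** Version and FIPS information, useful for logs and for deployment gates. */
    public static String describe() {
        Conscrypt.Version v = Conscrypt.version(); // null when version information is unavailable
        String version = (v == null) ? "unknown" : v.major() + "." + v.minor() + "." + v.patch();
        return "Conscrypt " + version + ", BoringSSL FIPS build: " + Conscrypt.isBoringSslFIPSBuild();
    }

    public static void main(String[] args) throws Exception {
        Provider provider = installAsPreferred();
        System.out.println(describe());
        SSLContext ctx = conscryptContext(provider);
        System.out.println("Default protocols: "
                + String.join(",", ctx.getDefaultSSLParameters().getProtocols()));
    }
}
```

Prefer the explicit-provider form (SSLContext.getInstance("TLS", provider)) when only TLS should move to Conscrypt; inserting at position 1 also redirects every other algorithm Conscrypt implements, which is usually what a FIPS deployment wants and what a mixed deployment does not.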

maxEncryptedPacketLength

public static int maxEncryptedPacketLength()
Returns the maximum length (in bytes) of an encrypted packet.

getDefaultX509TrustManager

public static X509TrustManager getDefaultX509TrustManager() throws java.security.KeyManagementException
Gets the default X.509 trust manager.

isConscrypt

public static boolean isConscrypt(SSLContext context)
Indicates whether the given SSLContext was created by this distribution of Conscrypt.

newPreferredSSLContextSpi

public static SSLContextSpi newPreferredSSLContextSpi()
Constructs a new instance of the preferred SSLContextSpi .

setClientSessionCache

public static void setClientSessionCache(SSLContext context, SSLClientSessionCache cache)
Sets the client-side persistent cache to be used by the context.

setServerSessionCache

public static void setServerSessionCache(SSLContext context, SSLServerSessionCache cache)
Sets the server-side persistent cache to be used by the context.

isConscrypt

public static boolean isConscrypt(SSLSocketFactory factory)
Indicates whether the given SSLSocketFactory was created by this distribution of Conscrypt.

setUseEngineSocketByDefault

public static void setUseEngineSocketByDefault(boolean useEngineSocket)
Sets the default for all socket factory instances: true creates engine-based sockets (an SSLEngine drives the socket I/O), false creates sockets that drive the native file descriptor directly. A per-factory setting via #setUseEngineSocket(SSLSocketFactory, boolean) overrides this default.

setUseEngineSocket

public static void setUseEngineSocket(SSLSocketFactory factory, boolean useEngineSocket)
Configures whether the given socket factory creates engine-based sockets (true) or file-descriptor sockets (false), overriding the default from #setUseEngineSocketByDefault(boolean).

isConscrypt

public static boolean isConscrypt(SSLServerSocketFactory factory)
Indicates whether the given SSLServerSocketFactory was created by this distribution of Conscrypt.

setUseEngineSocket

public static void setUseEngineSocket(SSLServerSocketFactory factory, boolean useEngineSocket)
Configures whether the given server socket factory creates engine-based sockets (true) or file-descriptor sockets (false), overriding the default from #setUseEngineSocketByDefault(boolean).

isConscrypt

public static boolean isConscrypt(SSLSocket socket)
Indicates whether the given SSLSocket was created by this distribution of Conscrypt.

setHostname

public static void setHostname(SSLSocket socket, String hostname)
This method enables Server Name Indication (SNI) and overrides the hostname supplied during socket creation. If the hostname is not a valid SNI hostname, the SNI extension will be omitted from the handshake.
Parameters
socket the socket
hostname the desired SNI hostname, or null to disable

getHostname

public static String getHostname(SSLSocket socket)
Returns either the hostname supplied during socket creation or via #setHostname(SSLSocket, String). No DNS resolution is attempted before returning the hostname.

getHostnameOrIP

public static String getHostnameOrIP(SSLSocket socket)
Returns a textual representation of the peer: the hostname if one is known, otherwise the IP address. No reverse DNS lookup is performed. This is typically used during session creation.

setUseSessionTickets

public static void setUseSessionTickets(SSLSocket socket, boolean useSessionTickets)
Enables or disables session ticket support for the socket.
Parameters
socket the socket
useSessionTickets True to enable session tickets
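
Added example (not part of this API reference or of the Conscrypt project's own code) of the client-side socket setup these methods exist for: SNI, session tickets and HTTPS endpoint identification, all configured before startHandshake(). The SSLContext is assumed to come from the Conscrypt provider; the timeouts and port are illustrative.

```java
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.conscrypt.Conscrypt;

/** Opens a Conscrypt client socket with SNI, session tickets and hostname verification enabled. */
public final class ConscryptClientSocket {

    private ConscryptClientSocket() {}

    public static SSLSocket open(SSLContext conscryptContext, String hostname, int port) throws Exception {
        SSLSocketFactory factory = conscryptContext.getSocketFactory();
        if (!Conscrypt.isConscrypt(factory)) {
            throw new IllegalStateException("not a Conscrypt socket factory: " + factory.getClass());
        }
        // Unconnected socket, so every setting below is in place before any bytes hit the wire.
        SSLSocket socket = (SSLSocket) factory.createSocket();
        socket.connect(new InetSocketAddress(hostname, port), 10_000); // illustrative timeout
        socket.setSoTimeout(30_000);

        // SNI hostname; must precede startHandshake(). This is also the name the trust manager
        // matches the server certificate against once endpoint identification is on.
        // An IP literal is not a valid SNI name and would simply omit the extension.
        Conscrypt.setHostname(socket, hostname);

        // Session tickets let the server resume without keeping per-client state.
        Conscrypt.setUseSessionTickets(socket, true);

        // Without this the chain is validated but never matched against the hostname,
        // so any certificate from a trusted CA would be accepted for any name.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        socket.startHandshake();

        // Post-handshake sanity check: the SNI name we asked for is the one the session used.
        if (!hostname.equals(Conscrypt.getHostname(socket))) {
            socket.close();
            throw new IllegalStateException("SNI hostname not retained: " + Conscrypt.getHostnameOrIP(socket));
        }
        return socket;
    }
}
```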

setChannelIdEnabled

public static void setChannelIdEnabled(SSLSocket socket, boolean enabled)
Enables/disables TLS Channel ID for the given server-side socket.

This method needs to be invoked before the handshake starts.

Parameters
socket the socket
enabled Whether to enable channel ID.
Throws
IllegalStateException if this is a client socket or if the handshake has already started.

getChannelId

public static byte[] getChannelId(SSLSocket socket) throws javax.net.ssl.SSLException
Gets the TLS Channel ID for the given server-side socket. Channel ID is only available once the handshake completes.
Parameters
socket the socket
Returns
byte[] channel ID or null if not available.
Throws
IllegalStateException if this is a client socket or if the handshake has not yet completed.
SSLException if channel ID is available but could not be obtained.

setChannelIdPrivateKey

public static void setChannelIdPrivateKey(SSLSocket socket, PrivateKey privateKey)
Sets the PrivateKey to be used for TLS Channel ID by this client socket.

This method needs to be invoked before the handshake starts.

Parameters
socket the socket
privateKey private key (enables TLS Channel ID) or null for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).
Throws
IllegalStateException if this is a server socket or if the handshake has already started.
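
Added example (not part of this API reference or of the Conscrypt project's own code) covering both ends of TLS Channel ID: the client generates and persists a P-256 key and installs it before the handshake, the server enables Channel ID before the handshake and reads the resulting value after it. The enrolment store and the comparison policy are assumptions of the example; Channel ID is a non-standard extension that both peers must support, so a null on the server side is a policy decision, not an error.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;
import javax.net.ssl.SSLSocket;
import org.conscrypt.Conscrypt;

/** TLS Channel ID: the client proves possession of a long-lived P-256 key; the server learns the public key. */
public final class ChannelIdExample {

    private ChannelIdExample() {}

    /** Client side. Generate once per device and persist it; a fresh key per connection binds nothing. */
    public static PrivateKey newChannelIdKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // NIST P-256 is the only accepted curve
        return kpg.generateKeyPair().getPrivate();
    }

    /** Client side, before startHandshake(); Conscrypt throws IllegalStateException afterwards. */
    public static void bindClient(SSLSocket clientSocket, PrivateKey channelIdKey) {
        Conscrypt.setChannelIdPrivateKey(clientSocket, channelIdKey);
    }

    /** Server side, before the handshake. Only the server side may call this. */
    public static void enableServer(SSLSocket serverSocket) {
        Conscrypt.setChannelIdEnabled(serverSocket, true);
    }

    /**
     * Server side, after the handshake. Returns the client's Channel ID (its P-256 public key
     * encoding) or null if the client presented none. A server that requires Channel ID must
     * treat null as a failure rather than silently falling back to an unbound connection.
     */
    public static byte[] readChannelId(SSLSocket serverSocket) throws Exception {
        byte[] id = Conscrypt.getChannelId(serverSocket);
        if (id == null) {
            throw new SecurityException("client did not present a Channel ID");
        }
        return id;
    }

    /** Constant-time comparison against the value stored for this device at enrolment (assumed store). */
    public static boolean matchesEnrolled(byte[] presented, byte[] enrolled) {
        if (presented == null || enrolled == null) {
            return false;
        }
        return MessageDigest.isEqual(presented, enrolled);
    }
}
```

The same sequence applies to the SSLEngine overloads further down this page; the ordering constraint (key or enable before the handshake, read after it) is identical.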

getApplicationProtocol

public static String getApplicationProtocol(SSLSocket socket)
Returns the ALPN protocol agreed upon by client and server.
Parameters
socket the socket
Returns
java.lang.String the selected protocol or null if no protocol was agreed upon.
Throws
IllegalArgumentException if the socket is not a Conscrypt socket.

setApplicationProtocolSelector

public static void setApplicationProtocolSelector(SSLSocket socket, ApplicationProtocolSelector selector)
Sets an application-provided ALPN protocol selector. If provided, this will override the list of protocols set by #setApplicationProtocols(SSLSocket, String[]).
Parameters
socket the socket
selector the ALPN protocol selector

setApplicationProtocols

public static void setApplicationProtocols(SSLSocket socket, String[] protocols)
Sets the application-layer protocols (ALPN) in prioritization order.
Parameters
socket the socket being configured
protocols the protocols in descending order of preference. If empty, no protocol indications will be used. This array will be copied.
Throws
IllegalArgumentException if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) string

getApplicationProtocols

public static String[] getApplicationProtocols(SSLSocket socket)
Gets the application-layer protocols (ALPN) in prioritization order.
Parameters
socket the socket
Returns
java.lang.String[] the protocols in descending order of preference, or an empty array if protocol indications are not being used. Always returns a new array.

getTlsUnique

public static byte[] getTlsUnique(SSLSocket socket)
Returns the tls-unique channel binding value for this connection, per RFC 5929. This will return null if there is no such value available, such as if the handshake has not yet completed or this connection is closed. Two caveats for callers: RFC 5929 defines tls-unique only for TLS 1.2 and earlier, so a TLS 1.3 connection has no such value and yields null (RFC 9266's tls-exporter binding, built on #exportKeyingMaterial(SSLSocket, String, byte[], int), works on both versions); and on TLS 1.2, tls-unique is only sound when the extended master secret extension (RFC 7627) was negotiated, since the triple-handshake attack can otherwise synchronise the value across two connections.

exportKeyingMaterial

public static byte[] exportKeyingMaterial(SSLSocket socket, String label, byte[] context, int length) throws javax.net.ssl.SSLException
Exports a value derived from the TLS master secret as described in RFC 5705.
Parameters
label the label to use in calculating the exported value. This must be an ASCII-only string.
context the application-specific context value to use in calculating the exported value. This may be null to use no application context, which is treated differently than an empty byte array.
length the number of bytes of keying material to return.
Returns
byte[] a value of the specified length, or null if the handshake has not yet completed or the connection has been closed.
Throws
SSLException if the value could not be exported.

isConscrypt

public static boolean isConscrypt(SSLEngine engine)
Indicates whether the given SSLEngine was created by this distribution of Conscrypt.

setBufferAllocator

public static void setBufferAllocator(SSLEngine engine, BufferAllocator bufferAllocator)
Sets the BufferAllocator the given engine uses for its internal buffers, replacing the provider-wide default for this engine.
Throws
IllegalArgumentException if the provided engine is not a Conscrypt engine.
IllegalStateException if the provided engine has already begun its handshake.

setBufferAllocator

public static void setBufferAllocator(SSLSocket socket, BufferAllocator bufferAllocator)
Sets the BufferAllocator the given socket uses for its internal buffers. If the given socket is a Conscrypt socket but does not use buffer allocators, this method does nothing.
Throws
IllegalArgumentException if the provided socket is not a Conscrypt socket.
IllegalStateException if the provided socket has already begun its handshake.

setDefaultBufferAllocator

public static void setDefaultBufferAllocator(BufferAllocator bufferAllocator)
Configures the default BufferAllocator to be used by all future SSLEngine instances from this provider.

setHostname

public static void setHostname(SSLEngine engine, String hostname)
This method enables Server Name Indication (SNI) and overrides the hostname supplied during engine creation.
Parameters
engine the engine
hostname the desired SNI hostname, or null to disable

getHostname

public static String getHostname(SSLEngine engine)
Returns either the hostname supplied during engine creation or via #setHostname(SSLEngine, String). No DNS resolution is attempted before returning the hostname.

maxSealOverhead

public static int maxSealOverhead(SSLEngine engine)
Returns the maximum overhead, in bytes, of sealing (encrypting and authenticating) one record with this engine, i.e. the most a single wrap can add beyond the plaintext it consumes. Use it to size destination buffers.

setHandshakeListener

public static void setHandshakeListener(SSLEngine engine, HandshakeListener handshakeListener)
Sets a listener on the given engine for completion of the TLS handshake.

setChannelIdEnabled

public static void setChannelIdEnabled(SSLEngine engine, boolean enabled)
Enables/disables TLS Channel ID for the given server-side engine.

This method needs to be invoked before the handshake starts.

Parameters
engine the engine
enabled Whether to enable channel ID.
Throws
IllegalStateException if this is a client engine or if the handshake has already started.

getChannelId

public static byte[] getChannelId(SSLEngine engine) throws javax.net.ssl.SSLException
Gets the TLS Channel ID for the given server-side engine. Channel ID is only available once the handshake completes.
Parameters
engine the engine
Returns
byte[] channel ID or null if not available.
Throws
IllegalStateException if this is a client engine or if the handshake has not yet completed.
SSLException if channel ID is available but could not be obtained.

setChannelIdPrivateKey

public static void setChannelIdPrivateKey(SSLEngine engine, PrivateKey privateKey)
Sets the PrivateKey to be used for TLS Channel ID by this client engine.

This method needs to be invoked before the handshake starts.

Parameters
engine the engine
privateKey private key (enables TLS Channel ID) or null for no key (disables TLS Channel ID). The private key must be an Elliptic Curve (EC) key based on the NIST P-256 curve (aka SECG secp256r1 or ANSI X9.62 prime256v1).
Throws
IllegalStateException if this is a server engine or if the handshake has already started.

unwrap

public static SSLEngineResult unwrap(SSLEngine engine, ByteBuffer[] srcs, ByteBuffer[] dsts) throws javax.net.ssl.SSLException
Extended unwrap method for multiple source and destination buffers.
Parameters
engine the target engine for the unwrap
srcs the source buffers
dsts the destination buffers
Returns
javax.net.ssl.SSLEngineResult the result of the unwrap operation
Throws
SSLException thrown if an SSL error occurred

unwrap

public static SSLEngineResult unwrap(SSLEngine engine, ByteBuffer[] srcs, int srcsOffset, int srcsLength, ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws javax.net.ssl.SSLException
Extended unwrap method for multiple source and destination buffers, operating on the given sub-ranges of the srcs and dsts arrays.
Parameters
engine the target engine for the unwrap
srcs the source buffers
srcsOffset the offset in the srcs array of the first source buffer
srcsLength the number of source buffers starting at srcsOffset
dsts the destination buffers
dstsOffset the offset in the dsts array of the first destination buffer
dstsLength the number of destination buffers starting at dstsOffset
Returns
javax.net.ssl.SSLEngineResult the result of the unwrap operation
Throws
SSLException thrown if an SSL error occurred
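
Added example (not part of this API reference or of the Conscrypt project's own code) showing what maxEncryptedPacketLength(), maxSealOverhead(SSLEngine) and the multi-buffer unwrap are for: sizing the network buffer, sizing the wrap destination so BUFFER_OVERFLOW is the exception rather than the common path, and scattering one decrypted record into a header buffer and a body buffer without a staging copy. The header/body split is an assumed framing of the example's own application protocol.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLEngineResult.Status;
import javax.net.ssl.SSLException;
import org.conscrypt.Conscrypt;

/** Buffer sizing for a Conscrypt SSLEngine plus a scatter unwrap into two destination buffers. */
public final class EngineBuffers {

    private EngineBuffers() {}

    /** Network-side buffer that can hold any single encrypted record the engine will emit or accept. */
    public static ByteBuffer newNetworkBuffer() {
        return ByteBuffer.allocateDirect(Conscrypt.maxEncryptedPacketLength());
    }

    /**
     * Seals application data after the handshake. The destination starts at plaintext size plus
     * maxSealOverhead; if the engine still reports BUFFER_OVERFLOW (data spanning several records,
     * each with its own overhead), the buffer is grown rather than data being dropped.
     */
    public static ByteBuffer wrapAll(SSLEngine engine, ByteBuffer plaintext) throws SSLException {
        if (engine.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING) {
            // During a handshake wrap() emits handshake records and consumes no plaintext,
            // so the progress check below would fire; drive the handshake to completion first.
            throw new SSLException("handshake in progress; complete it before writing application data");
        }
        int overhead = Conscrypt.maxSealOverhead(engine);
        ByteBuffer out = ByteBuffer.allocate(plaintext.remaining() + overhead);
        while (plaintext.hasRemaining()) {
            SSLEngineResult r = engine.wrap(plaintext, out);
            if (r.getStatus() == Status.BUFFER_OVERFLOW) {
                ByteBuffer bigger = ByteBuffer.allocate(out.capacity() * 2 + overhead);
                out.flip();
                bigger.put(out);
                out = bigger;
            } else if (r.getStatus() != Status.OK) {
                throw new SSLException("unexpected wrap status " + r.getStatus());
            } else if (r.bytesConsumed() == 0) {
                throw new SSLException("wrap made no progress"); // guard against spinning forever
            }
        }
        out.flip();
        return out;
    }

    /**
     * Unwraps from the network buffer into a fixed-size header buffer followed by a body buffer
     * (scatter). On BUFFER_UNDERFLOW the caller must read more ciphertext into net and call again;
     * on BUFFER_OVERFLOW the destinations are too small for the decrypted record.
     */
    public static SSLEngineResult unwrapScatter(SSLEngine engine, ByteBuffer net,
                                                ByteBuffer header, ByteBuffer body) throws SSLException {
        if (!Conscrypt.isConscrypt(engine)) {
            throw new IllegalArgumentException("multi-buffer unwrap requires a Conscrypt engine");
        }
        return Conscrypt.unwrap(engine, new ByteBuffer[] {net}, new ByteBuffer[] {header, body});
    }
}
```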

setUseSessionTickets

public static void setUseSessionTickets(SSLEngine engine, boolean useSessionTickets)
This method enables session ticket support.
Parameters
engine the engine
useSessionTickets True to enable session tickets

setApplicationProtocols

public static void setApplicationProtocols(SSLEngine engine, String[] protocols)
Sets the application-layer protocols (ALPN) in prioritization order.
Parameters
engine the engine being configured
protocols the protocols in descending order of preference. If empty, no protocol indications will be used. This array will be copied.
Throws
IllegalArgumentException if protocols is null, or if any element in a non-empty array is null or an empty (zero-length) string

getApplicationProtocols

public static String[] getApplicationProtocols(SSLEngine engine)
Gets the application-layer protocols (ALPN) in prioritization order.
Parameters
engine the engine
Returns
java.lang.String[] the protocols in descending order of preference, or an empty array if protocol indications are not being used. Always returns a new array.

setApplicationProtocolSelector

public static void setApplicationProtocolSelector(SSLEngine engine, ApplicationProtocolSelector selector)
Sets an application-provided ALPN protocol selector. If provided, this will override the list of protocols set by #setApplicationProtocols(SSLEngine, String[]).
Parameters
engine the engine
selector the ALPN protocol selector

getApplicationProtocol

public static String getApplicationProtocol(SSLEngine engine)
Returns the ALPN protocol agreed upon by client and server.
Parameters
engine the engine
Returns
java.lang.String the selected protocol or null if no protocol was agreed upon.
Throws
IllegalArgumentException if the engine is not a Conscrypt engine.
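
Added example (not part of this API reference or of the Conscrypt project's own code) serving both the SSLSocket ALPN methods earlier on this page and the SSLEngine ones here: a client preference list, a server-side selector that applies server preference over the client's offered list and returns null when nothing overlaps, and the post-handshake check both sides should do. It assumes ApplicationProtocolSelector declares two abstract selectApplicationProtocol overloads (engine and socket variants) taking the offered protocols as a List, which this page references but does not list; the protocol allow-list is illustrative.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import org.conscrypt.ApplicationProtocolSelector;
import org.conscrypt.Conscrypt;

/** ALPN: the client offers a preference list, the server picks from an allow-list, both verify the result. */
public final class AlpnExample {

    /** Protocols this server speaks, in the server's own order of preference (illustrative). */
    private static final List<String> SERVER_SUPPORTED = Arrays.asList("h2", "http/1.1");

    private AlpnExample() {}

    /** Client side, before the handshake: descending preference. Conscrypt copies the array. */
    public static void configureClient(SSLSocket socket) {
        Conscrypt.setApplicationProtocols(socket, new String[] {"h2", "http/1.1"});
    }

    /**
     * Server-side selector. Server preference wins (RFC 7301, section 3.2), restricted to what the
     * client actually offered. Returning null means no protocol is agreed, and
     * getApplicationProtocol() then reports null after the handshake.
     */
    public static final class ServerSelector extends ApplicationProtocolSelector {
        static String pick(List<String> offered) {
            for (String candidate : SERVER_SUPPORTED) {
                if (offered.contains(candidate)) {
                    return candidate;
                }
            }
            return null;
        }

        @Override
        public String selectApplicationProtocol(SSLEngine engine, List<String> protocols) {
            return pick(protocols);
        }

        @Override
        public String selectApplicationProtocol(SSLSocket socket, List<String> protocols) {
            return pick(protocols);
        }
    }

    /** Server side, before the handshake. The selector overrides any setApplicationProtocols list. */
    public static void configureServer(SSLEngine engine) {
        Conscrypt.setApplicationProtocolSelector(engine, new ServerSelector());
    }

    /**
     * After the handshake, on either side. ALPN is a negotiation, not a guarantee: a peer that
     * ignores ALPN yields null, and a misbehaving peer can pick something never offered, so check
     * the agreed value against the allow-list before speaking the protocol.
     */
    public static String requireProtocol(SSLSocket socket) throws IOException {
        String agreed = Conscrypt.getApplicationProtocol(socket);
        if (agreed == null || !SERVER_SUPPORTED.contains(agreed)) {
            socket.close();
            throw new IOException("ALPN negotiation failed, agreed protocol: " + agreed);
        }
        return agreed;
    }
}
```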

getTlsUnique

public static byte[] getTlsUnique(SSLEngine engine)
Returns the tls-unique channel binding value for this connection, per RFC 5929. This will return null if there is no such value available, such as if the handshake has not yet completed or this connection is closed. Two caveats for callers: RFC 5929 defines tls-unique only for TLS 1.2 and earlier, so a TLS 1.3 connection has no such value and yields null (RFC 9266's tls-exporter binding, built on #exportKeyingMaterial(SSLEngine, String, byte[], int), works on both versions); and on TLS 1.2, tls-unique is only sound when the extended master secret extension (RFC 7627) was negotiated, since the triple-handshake attack can otherwise synchronise the value across two connections.

exportKeyingMaterial

public static byte[] exportKeyingMaterial(SSLEngine engine, String label, byte[] context, int length) throws javax.net.ssl.SSLException
Exports a value derived from the TLS master secret as described in RFC 5705.
Parameters
label the label to use in calculating the exported value. This must be an ASCII-only string.
context the application-specific context value to use in calculating the exported value. This may be null to use no application context, which is treated differently than an empty byte array.
length the number of bytes of keying material to return.
Returns
byte[] a value of the specified length, or null if the handshake has not yet completed or the connection has been closed.
Throws
SSLException if the value could not be exported.
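
Added example (not part of this API reference or of the Conscrypt project's own code) serving both the SSLSocket and SSLEngine exportKeyingMaterial methods: channel binding with an RFC 5705 exporter, so that a bearer token is only valid on the TLS connection it was issued over and a copy replayed on another connection fails verification. The exporter label is a hypothetical one chosen for the example; the token format is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import org.conscrypt.Conscrypt;

/** Binds an application token to the TLS connection via RFC 5705 exported keying material. */
public final class ChannelBinding {

    // Hypothetical label for this example. Production code should use a label registered with
    // IANA (the "EXPORTER-..." form) so it cannot collide with another protocol's exporter output.
    private static final String LABEL = "EXPORTER-example-channel-binding";
    private static final int KEY_LENGTH = 32;

    private ChannelBinding() {}

    /**
     * Both peers derive the same 32 bytes from the master secret. A null context and an empty
     * context are different inputs, so both sides must use the same choice (null here).
     */
    public static byte[] exporterKey(SSLEngine engine) throws SSLException {
        return requireExported(Conscrypt.exportKeyingMaterial(engine, LABEL, null, KEY_LENGTH));
    }

    public static byte[] exporterKey(SSLSocket socket) throws SSLException {
        return requireExported(Conscrypt.exportKeyingMaterial(socket, LABEL, null, KEY_LENGTH));
    }

    private static byte[] requireExported(byte[] key) throws SSLException {
        if (key == null) {
            throw new SSLException("no keying material: handshake not complete or connection closed");
        }
        return key;
    }

    /** Client side: HMAC-SHA256 of the token under the exporter key, sent alongside the token. */
    public static byte[] bind(byte[] exporterKey, String token) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(exporterKey, "HmacSHA256"));
        return mac.doFinal(token.getBytes(StandardCharsets.UTF_8));
    }

    /** Server side: recompute over its own export of the same connection, compare in constant time. */
    public static boolean verify(byte[] exporterKey, String token, byte[] presentedBinding) throws Exception {
        if (presentedBinding == null) {
            return false;
        }
        return MessageDigest.isEqual(bind(exporterKey, token), presentedBinding);
    }
}
```

Because the exporter runs on the negotiated master secret of this connection only, a token plus binding captured from one connection (for example by a TLS-terminating proxy) does not verify on any other.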

isConscrypt

public static boolean isConscrypt(TrustManager trustManager)
Indicates whether the given TrustManager was created by this distribution of Conscrypt.

setDefaultHostnameVerifier

public static synchronized void setDefaultHostnameVerifier(ConscryptHostnameVerifier verifier)
Set the default hostname verifier that will be used for HTTPS endpoint identification by Conscrypt trust managers. If null (the default), endpoint identification will use the default hostname verifier set in HttpsURLConnection#setDefaultHostnameVerifier(javax.net.ssl.HostnameVerifier).

getDefaultHostnameVerifier

public static synchronized ConscryptHostnameVerifier getDefaultHostnameVerifier(TrustManager trustManager)
Returns the currently-set default hostname verifier for Conscrypt trust managers.

setHostnameVerifier

public static void setHostnameVerifier(TrustManager trustManager, ConscryptHostnameVerifier verifier)
Set the hostname verifier that will be used for HTTPS endpoint identification by the given trust manager. If null (the default), endpoint identification will use the default hostname verifier set in #setDefaultHostnameVerifier(ConscryptHostnameVerifier) .
Throws
IllegalArgumentException if the provided trust manager is not a Conscrypt trust manager per #isConscrypt(TrustManager)

getHostnameVerifier

public static ConscryptHostnameVerifier getHostnameVerifier(TrustManager trustManager)
Returns the currently-set hostname verifier for the given trust manager.
Throws
IllegalArgumentException if the provided trust manager is not a Conscrypt trust manager per #isConscrypt(TrustManager)

wrapHostnameVerifier

public static ConscryptHostnameVerifier wrapHostnameVerifier(HostnameVerifier verifier)
Wraps a javax.net.ssl.HostnameVerifier (the type used by HttpsURLConnection) into a ConscryptHostnameVerifier so it can be installed with #setHostnameVerifier(TrustManager, ConscryptHostnameVerifier) or #setDefaultHostnameVerifier(ConscryptHostnameVerifier).
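
Added example (not part of this API reference or of the Conscrypt project's own code) of installing a hostname verifier on a Conscrypt trust manager through wrapHostnameVerifier, with the accept-everything anti-pattern beside a fail-closed verifier. It assumes the Conscrypt provider registers a "PKIX" TrustManagerFactory (not stated on this page); the strict verifier deliberately supports exact dNSName matches only, no wildcards.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.conscrypt.Conscrypt;

/** Hostname verification on a Conscrypt trust manager: the weak setting beside the strict one. */
public final class HostnameVerification {

    private HostnameVerification() {}

    /** Anti-pattern: any certificate from any trusted CA is accepted for any name, defeating TLS. */
    public static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    /**
     * Strict verifier: the expected name must appear as a dNSName subjectAltName (type 2) on the
     * leaf certificate, compared case-insensitively, no wildcards. Anything the verifier cannot
     * obtain or parse is rejected rather than waved through.
     */
    public static final HostnameVerifier STRICT_SAN = (hostname, session) -> {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
            if (sans == null) {
                return false;
            }
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0)) && hostname.equalsIgnoreCase((String) san.get(1))) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) { // SSLPeerUnverifiedException, CertificateParsingException: fail closed
            return false;
        }
    };

    /** Attaches the strict verifier to a fresh Conscrypt trust manager instead of the global default. */
    public static X509TrustManager strictTrustManager(Provider conscryptProvider) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", conscryptProvider); // assumption
        tmf.init((KeyStore) null); // platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager && Conscrypt.isConscrypt(tm)) {
                Conscrypt.setHostnameVerifier(tm, Conscrypt.wrapHostnameVerifier(STRICT_SAN));
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no Conscrypt X509TrustManager from " + conscryptProvider.getName());
    }
}
```

Pass the returned trust manager to SSLContext.init(...). The verifier only runs when the socket or engine has endpoint identification enabled (SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")), which is standard JSSE behaviour rather than something this page states; without it the chain is validated but the name is never checked, whichever verifier is installed.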

Nested Classes

Version

ProviderBuilder