andreacavalli/netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
9621a5b981
netty5/codec-http2/src/main/java/io/netty/handler/codec/http2/Http2SecurityUtil.java

75 lines
3.1 KiB
Java
Raw Normal View History

Back port HTTP/2 codec from master to 4.1 Motivation: HTTP/2 codec was implemented in master branch. Since, master is not yet stable and will be some time before it gets released, backporting it to 4.1, enables people to use the codec with a stable netty version. Modification: The code has been copied from master branch as is, with minor modifications to suit the `ChannelHandler` API in 4.x. Apart from that change, there are two backward incompatible API changes included, namely, - Added an abstract method: `public abstract Map.Entry<CharSequence, CharSequence> forEachEntry(EntryVisitor<CharSequence> visitor) throws Exception;` to `HttpHeaders` and implemented the same in `DefaultHttpHeaders` as a delegate to the internal `TextHeader` instance. - Added a method: `FullHttpMessage copy(ByteBuf newContent);` in `FullHttpMessage` with the implementations copied from relevant places in the master branch. - Added missing abstract method related to setting/adding short values to `HttpHeaders` Result: HTTP/2 codec can be used with netty 4.1
2015-01-20 01:48:11 +01:00
/*
* Copyright 2014 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.codec.http2;
[#5088] Add annotation which marks packages/interfaces/classes as unstable Motivation: Some codecs should be considered unstable as these are relative new. For this purpose we should introduce an annotation which these codecs should us to be marked as unstable in terms of API. Modifications: - Add UnstableApi annotation and use it on codecs that are not stable - Move http2.hpack to http2.internal.hpack as it is internal. Result: Better document unstable APIs.
2016-04-12 14:22:41 +02:00
import io.netty.util.internal.UnstableApi;
Back port HTTP/2 codec from master to 4.1 Motivation: HTTP/2 codec was implemented in master branch. Since, master is not yet stable and will be some time before it gets released, backporting it to 4.1, enables people to use the codec with a stable netty version. Modification: The code has been copied from master branch as is, with minor modifications to suit the `ChannelHandler` API in 4.x. Apart from that change, there are two backward incompatible API changes included, namely, - Added an abstract method: `public abstract Map.Entry<CharSequence, CharSequence> forEachEntry(EntryVisitor<CharSequence> visitor) throws Exception;` to `HttpHeaders` and implemented the same in `DefaultHttpHeaders` as a delegate to the internal `TextHeader` instance. - Added a method: `FullHttpMessage copy(ByteBuf newContent);` in `FullHttpMessage` with the implementations copied from relevant places in the master branch. - Added missing abstract method related to setting/adding short values to `HttpHeaders` Result: HTTP/2 codec can be used with netty 4.1
2015-01-20 01:48:11 +01:00
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
/**
* Provides utilities related to security requirements specific to HTTP/2.
*/
[#5088] Add annotation which marks packages/interfaces/classes as unstable Motivation: Some codecs should be considered unstable as these are relative new. For this purpose we should introduce an annotation which these codecs should us to be marked as unstable in terms of API. Modifications: - Add UnstableApi annotation and use it on codecs that are not stable - Move http2.hpack to http2.internal.hpack as it is internal. Result: Better document unstable APIs.
2016-04-12 14:22:41 +02:00
@UnstableApi
Back port HTTP/2 codec from master to 4.1 Motivation: HTTP/2 codec was implemented in master branch. Since, master is not yet stable and will be some time before it gets released, backporting it to 4.1, enables people to use the codec with a stable netty version. Modification: The code has been copied from master branch as is, with minor modifications to suit the `ChannelHandler` API in 4.x. Apart from that change, there are two backward incompatible API changes included, namely, - Added an abstract method: `public abstract Map.Entry<CharSequence, CharSequence> forEachEntry(EntryVisitor<CharSequence> visitor) throws Exception;` to `HttpHeaders` and implemented the same in `DefaultHttpHeaders` as a delegate to the internal `TextHeader` instance. - Added a method: `FullHttpMessage copy(ByteBuf newContent);` in `FullHttpMessage` with the implementations copied from relevant places in the master branch. - Added missing abstract method related to setting/adding short values to `HttpHeaders` Result: HTTP/2 codec can be used with netty 4.1
2015-01-20 01:48:11 +01:00
public final class Http2SecurityUtil {
/**
* The following list is derived from <a
* href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html">SunJSSE Supported
* Ciphers</a> and <a
Update Http2SecurityUtil cipher suites Motivation: Mozilla's Server Side cipher suite recommendations have been updated [1]. [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility Modifications: - Update Http2SecurityUtil to exclude older ciphers. - Remove support for DHE ciphersuites because they are now Intermediate and BoringSSL dropped support for these ciphers [2] [2] https://boringssl.googlesource.com/boringssl/+/7e06de5d2d1b53c57c0c81e8d6ba4122b64cf626 Result: Updated default ciphers for HTTP/2.
2017-06-28 03:21:02 +02:00
* href="https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility">Mozilla Modern Cipher
Back port HTTP/2 codec from master to 4.1 Motivation: HTTP/2 codec was implemented in master branch. Since, master is not yet stable and will be some time before it gets released, backporting it to 4.1, enables people to use the codec with a stable netty version. Modification: The code has been copied from master branch as is, with minor modifications to suit the `ChannelHandler` API in 4.x. Apart from that change, there are two backward incompatible API changes included, namely, - Added an abstract method: `public abstract Map.Entry<CharSequence, CharSequence> forEachEntry(EntryVisitor<CharSequence> visitor) throws Exception;` to `HttpHeaders` and implemented the same in `DefaultHttpHeaders` as a delegate to the internal `TextHeader` instance. - Added a method: `FullHttpMessage copy(ByteBuf newContent);` in `FullHttpMessage` with the implementations copied from relevant places in the master branch. - Added missing abstract method related to setting/adding short values to `HttpHeaders` Result: HTTP/2 codec can be used with netty 4.1
2015-01-20 01:48:11 +01:00
* Suites</a> in accordance with the <a
* href="https://tools.ietf.org/html/draft-ietf-httpbis-http2-16#section-9.2.2">HTTP/2 Specification</a>.
Support SSL_ prefixed cipher suites in addition to TLS_ prefixed ones. Motivation: Http2SecurityUtil currently lists HTTP/2 ciphers as documented by JSSE docs [1] and the IANA [2] using the TLS_ prefix. In some IBM J9 implementations the SSL_ prefix is used, which is also covered by the JSSE. [1] http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html [2] http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml Modifications: Add both variants of the cipher names (prefixed with SSL_ in additon to TLS_) Result: HTTP/2 connections can now be created using the SslProvider.JDK on IBM J9 and potentially other JVMs which use the SSL_ prefix.
2017-03-08 19:55:15 +01:00
*
* According to the <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html">
* JSSE documentation</a> "the names mentioned in the TLS RFCs prefixed with TLS_ are functionally equivalent
* to the JSSE cipher suites prefixed with SSL_".
* Both variants are used to support JVMs supporting the one or the other.
Back port HTTP/2 codec from master to 4.1 Motivation: HTTP/2 codec was implemented in master branch. Since, master is not yet stable and will be some time before it gets released, backporting it to 4.1, enables people to use the codec with a stable netty version. Modification: The code has been copied from master branch as is, with minor modifications to suit the `ChannelHandler` API in 4.x. Apart from that change, there are two backward incompatible API changes included, namely, - Added an abstract method: `public abstract Map.Entry<CharSequence, CharSequence> forEachEntry(EntryVisitor<CharSequence> visitor) throws Exception;` to `HttpHeaders` and implemented the same in `DefaultHttpHeaders` as a delegate to the internal `TextHeader` instance. - Added a method: `FullHttpMessage copy(ByteBuf newContent);` in `FullHttpMessage` with the implementations copied from relevant places in the master branch. - Added missing abstract method related to setting/adding short values to `HttpHeaders` Result: HTTP/2 codec can be used with netty 4.1
2015-01-20 01:48:11 +01:00
*/
public static final List<String> CIPHERS;
Update Http2SecurityUtil cipher suites Motivation: Mozilla's Server Side cipher suite recommendations have been updated [1]. [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility Modifications: - Update Http2SecurityUtil to exclude older ciphers. - Remove support for DHE ciphersuites because they are now Intermediate and BoringSSL dropped support for these ciphers [2] [2] https://boringssl.googlesource.com/boringssl/+/7e06de5d2d1b53c57c0c81e8d6ba4122b64cf626 Result: Updated default ciphers for HTTP/2.
2017-06-28 03:21:02 +02:00
/**
* <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility">Mozilla Modern Cipher
* Suites</a> minus the following cipher suites that are black listed by the
* <a href="https://tools.ietf.org/html/rfc7540#appendix-A">HTTP/2 RFC</a>.
*/
private static final List<String> CIPHERS_JAVA_MOZILLA_MODERN_SECURITY = Collections.unmodifiableList(Arrays
Back port HTTP/2 codec from master to 4.1 Motivation: HTTP/2 codec was implemented in master branch. Since, master is not yet stable and will be some time before it gets released, backporting it to 4.1, enables people to use the codec with a stable netty version. Modification: The code has been copied from master branch as is, with minor modifications to suit the `ChannelHandler` API in 4.x. Apart from that change, there are two backward incompatible API changes included, namely, - Added an abstract method: `public abstract Map.Entry<CharSequence, CharSequence> forEachEntry(EntryVisitor<CharSequence> visitor) throws Exception;` to `HttpHeaders` and implemented the same in `DefaultHttpHeaders` as a delegate to the internal `TextHeader` instance. - Added a method: `FullHttpMessage copy(ByteBuf newContent);` in `FullHttpMessage` with the implementations copied from relevant places in the master branch. - Added missing abstract method related to setting/adding short values to `HttpHeaders` Result: HTTP/2 codec can be used with netty 4.1
2015-01-20 01:48:11 +01:00
.asList(
Support SSL_ prefixed cipher suites in addition to TLS_ prefixed ones. Motivation: Http2SecurityUtil currently lists HTTP/2 ciphers as documented by JSSE docs [1] and the IANA [2] using the TLS_ prefix. In some IBM J9 implementations the SSL_ prefix is used, which is also covered by the JSSE. [1] http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html [2] http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml Modifications: Add both variants of the cipher names (prefixed with SSL_ in additon to TLS_) Result: HTTP/2 connections can now be created using the SslProvider.JDK on IBM J9 and potentially other JVMs which use the SSL_ prefix.
2017-03-08 19:55:15 +01:00
/* openssl = ECDHE-ECDSA-AES256-GCM-SHA384 */
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
/* openssl = ECDHE-RSA-AES256-GCM-SHA384 */
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
Update Http2SecurityUtil cipher suites Motivation: Mozilla's Server Side cipher suite recommendations have been updated [1]. [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility Modifications: - Update Http2SecurityUtil to exclude older ciphers. - Remove support for DHE ciphersuites because they are now Intermediate and BoringSSL dropped support for these ciphers [2] [2] https://boringssl.googlesource.com/boringssl/+/7e06de5d2d1b53c57c0c81e8d6ba4122b64cf626 Result: Updated default ciphers for HTTP/2.
2017-06-28 03:21:02 +02:00
/* openssl = ECDHE-ECDSA-CHACHA20-POLY1305 */
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
/* openssl = ECDHE-RSA-CHACHA20-POLY1305 */
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
/* openssl = ECDHE-ECDSA-AES128-GCM-SHA256 */
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
Support SSL_ prefixed cipher suites in addition to TLS_ prefixed ones. Motivation: Http2SecurityUtil currently lists HTTP/2 ciphers as documented by JSSE docs [1] and the IANA [2] using the TLS_ prefix. In some IBM J9 implementations the SSL_ prefix is used, which is also covered by the JSSE. [1] http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html [2] http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml Modifications: Add both variants of the cipher names (prefixed with SSL_ in additon to TLS_) Result: HTTP/2 connections can now be created using the SslProvider.JDK on IBM J9 and potentially other JVMs which use the SSL_ prefix.
2017-03-08 19:55:15 +01:00
Back port HTTP/2 codec from master to 4.1 Motivation: HTTP/2 codec was implemented in master branch. Since, master is not yet stable and will be some time before it gets released, backporting it to 4.1, enables people to use the codec with a stable netty version. Modification: The code has been copied from master branch as is, with minor modifications to suit the `ChannelHandler` API in 4.x. Apart from that change, there are two backward incompatible API changes included, namely, - Added an abstract method: `public abstract Map.Entry<CharSequence, CharSequence> forEachEntry(EntryVisitor<CharSequence> visitor) throws Exception;` to `HttpHeaders` and implemented the same in `DefaultHttpHeaders` as a delegate to the internal `TextHeader` instance. - Added a method: `FullHttpMessage copy(ByteBuf newContent);` in `FullHttpMessage` with the implementations copied from relevant places in the master branch. - Added missing abstract method related to setting/adding short values to `HttpHeaders` Result: HTTP/2 codec can be used with netty 4.1
2015-01-20 01:48:11 +01:00
/* REQUIRED BY HTTP/2 SPEC */
Support SSL_ prefixed cipher suites in addition to TLS_ prefixed ones. Motivation: Http2SecurityUtil currently lists HTTP/2 ciphers as documented by JSSE docs [1] and the IANA [2] using the TLS_ prefix. In some IBM J9 implementations the SSL_ prefix is used, which is also covered by the JSSE. [1] http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html [2] http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml Modifications: Add both variants of the cipher names (prefixed with SSL_ in additon to TLS_) Result: HTTP/2 connections can now be created using the SslProvider.JDK on IBM J9 and potentially other JVMs which use the SSL_ prefix.
2017-03-08 19:55:15 +01:00
/* openssl = ECDHE-RSA-AES128-GCM-SHA256 */
Workaround IBM's J9 JVM getSupportedCipherSuites() returning SSL_ prefix cipher names Motivation: IBM's J9 JVM utilizes a custom cipher naming scheme with SSL_ prefix [1] instead of the TLS_ prefix defined by TLS RFCs and the JSSE cihper suite names [2]. IBM's documentation says that the SSL_ prefix are "interchangeable" with cipher names with the TLS_ prefix [1]. To work around this issue we parse the supported cipher list and see an SSL_ prefix we can also add the same cipher with the TLS_ prefix. For more details see a discussion on IBM's forums [3] and IBM's issue tracker [4]. [1] https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/ciphersuites.html [2] http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites [3] https://www.ibm.com/developerworks/community/forums/html/topic?id=9b5a56a9-fa46-4031-b33b-df91e28d77c2 [4] https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=71770 Modifications: - When parsing the supported cipher list to get the supported ciphers and we encounter a SSL_ prefix we should also add a TLS_ prefix cipher. - Remove SSL_ prefix ciphers from Http2SecurityUtil. Result: Work around for IBM JVM's custom naming scheme covers more cases for supported cipher suites.
2017-07-04 19:27:25 +02:00
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
Back port HTTP/2 codec from master to 4.1 Motivation: HTTP/2 codec was implemented in master branch. Since, master is not yet stable and will be some time before it gets released, backporting it to 4.1, enables people to use the codec with a stable netty version. Modification: The code has been copied from master branch as is, with minor modifications to suit the `ChannelHandler` API in 4.x. Apart from that change, there are two backward incompatible API changes included, namely, - Added an abstract method: `public abstract Map.Entry<CharSequence, CharSequence> forEachEntry(EntryVisitor<CharSequence> visitor) throws Exception;` to `HttpHeaders` and implemented the same in `DefaultHttpHeaders` as a delegate to the internal `TextHeader` instance. - Added a method: `FullHttpMessage copy(ByteBuf newContent);` in `FullHttpMessage` with the implementations copied from relevant places in the master branch. - Added missing abstract method related to setting/adding short values to `HttpHeaders` Result: HTTP/2 codec can be used with netty 4.1
2015-01-20 01:48:11 +01:00
/* REQUIRED BY HTTP/2 SPEC */
Support SSL_ prefixed cipher suites in addition to TLS_ prefixed ones. Motivation: Http2SecurityUtil currently lists HTTP/2 ciphers as documented by JSSE docs [1] and the IANA [2] using the TLS_ prefix. In some IBM J9 implementations the SSL_ prefix is used, which is also covered by the JSSE. [1] http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html [2] http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml Modifications: Add both variants of the cipher names (prefixed with SSL_ in additon to TLS_) Result: HTTP/2 connections can now be created using the SslProvider.JDK on IBM J9 and potentially other JVMs which use the SSL_ prefix.
2017-03-08 19:55:15 +01:00
));
Back port HTTP/2 codec from master to 4.1 Motivation: HTTP/2 codec was implemented in master branch. Since, master is not yet stable and will be some time before it gets released, backporting it to 4.1, enables people to use the codec with a stable netty version. Modification: The code has been copied from master branch as is, with minor modifications to suit the `ChannelHandler` API in 4.x. Apart from that change, there are two backward incompatible API changes included, namely, - Added an abstract method: `public abstract Map.Entry<CharSequence, CharSequence> forEachEntry(EntryVisitor<CharSequence> visitor) throws Exception;` to `HttpHeaders` and implemented the same in `DefaultHttpHeaders` as a delegate to the internal `TextHeader` instance. - Added a method: `FullHttpMessage copy(ByteBuf newContent);` in `FullHttpMessage` with the implementations copied from relevant places in the master branch. - Added missing abstract method related to setting/adding short values to `HttpHeaders` Result: HTTP/2 codec can be used with netty 4.1
2015-01-20 01:48:11 +01:00
static {
Update Http2SecurityUtil cipher suites Motivation: Mozilla's Server Side cipher suite recommendations have been updated [1]. [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility Modifications: - Update Http2SecurityUtil to exclude older ciphers. - Remove support for DHE ciphersuites because they are now Intermediate and BoringSSL dropped support for these ciphers [2] [2] https://boringssl.googlesource.com/boringssl/+/7e06de5d2d1b53c57c0c81e8d6ba4122b64cf626 Result: Updated default ciphers for HTTP/2.
2017-06-28 03:21:02 +02:00
CIPHERS = Collections.unmodifiableList(new ArrayList<String>(CIPHERS_JAVA_MOZILLA_MODERN_SECURITY));
Back port HTTP/2 codec from master to 4.1 Motivation: HTTP/2 codec was implemented in master branch. Since, master is not yet stable and will be some time before it gets released, backporting it to 4.1, enables people to use the codec with a stable netty version. Modification: The code has been copied from master branch as is, with minor modifications to suit the `ChannelHandler` API in 4.x. Apart from that change, there are two backward incompatible API changes included, namely, - Added an abstract method: `public abstract Map.Entry<CharSequence, CharSequence> forEachEntry(EntryVisitor<CharSequence> visitor) throws Exception;` to `HttpHeaders` and implemented the same in `DefaultHttpHeaders` as a delegate to the internal `TextHeader` instance. - Added a method: `FullHttpMessage copy(ByteBuf newContent);` in `FullHttpMessage` with the implementations copied from relevant places in the master branch. - Added missing abstract method related to setting/adding short values to `HttpHeaders` Result: HTTP/2 codec can be used with netty 4.1
2015-01-20 01:48:11 +01:00
}
private Http2SecurityUtil() { }
}
Reference in New Issue Copy Permalink