wildfly-security · rsearls · May 20, 2024
@@ -80,6 +80,10 @@
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-ssh-util</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wildfly.security</groupId>
+            <artifactId>wildfly-elytron-ssl-builder</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.jboss.logging</groupId>
             <artifactId>jboss-logging-annotations</artifactId>

@@ -125,7 +125,7 @@
 import org.wildfly.security.sasl.util.SecurityProviderSaslClientFactory;
 import org.wildfly.security.sasl.util.ServerNameSaslClientFactory;
 import org.wildfly.security.ssl.SSLConnection;
-import org.wildfly.security.ssl.SSLUtils;
+import org.wildfly.security.ssl.builder.SSLUtils;
 import org.wildfly.security.x500.TrustedAuthority;
 
 /**

@@ -127,7 +127,7 @@
 import org.wildfly.security.sasl.util.ServiceLoaderSaslClientFactory;
 import org.wildfly.security.ssl.CipherSuiteSelector;
 import org.wildfly.security.ssl.ProtocolSelector;
-import org.wildfly.security.ssl.SSLContextBuilder;
+import org.wildfly.security.ssl.builder.SSLContextBuilder;
 import org.wildfly.security.ssl.X509RevocationTrustManager;
 import org.wildfly.security.ssh.util.SshUtil;
 

@@ -21,7 +21,7 @@
 
 import org.junit.Test;
 import org.wildfly.security.SecurityFactory;
-import org.wildfly.security.ssl.SSLContextBuilder;
+import org.wildfly.security.ssl.builder.SSLContextBuilder;
 
 /**
  * @author <a href="mailto:[email protected]">Ondrej Lukas</a>

@@ -432,7 +432,9 @@
                             ${project.basedir}/sasl/otp/src/main/java/;
                             ${project.basedir}/sasl/plain/src/main/java/;
                             ${project.basedir}/sasl/scram/src/main/java/;
-                            ${project.basedir}/ssl/src/main/java/;
+                            ${project.basedir}/ssl/base/src/main/java/;
+                            ${project.basedir}/ssl/deprecated/src/main/java/;
+                            ${project.basedir}/ssl/builder/src/main/java/;
                             ${project.basedir}/tests/base/src/main/java/;
                             ${project.basedir}/tests/common/src/main/java/;
                             ${project.basedir}/tool/src/main/java/;
@@ -907,6 +909,16 @@
                 <artifactId>wildfly-elytron-ssl</artifactId>
                 <version>${project.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.wildfly.security</groupId>
+                <artifactId>wildfly-elytron-ssl-deprecated</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.wildfly.security</groupId>
+                <artifactId>wildfly-elytron-ssl-builder</artifactId>
+                <version>${project.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.wildfly.security</groupId>
                 <artifactId>wildfly-elytron-ssh-util</artifactId>
@@ -1553,7 +1565,9 @@
         <module>sasl/otp</module>
         <module>sasl/plain</module>
         <module>sasl/scram</module>
-        <module>ssl</module>
+        <module>ssl/base</module>
+        <module>ssl/deprecated</module>
+        <module>ssl/builder</module>
         <module>ssh/util</module>
         <module>tool</module>
         <module>util</module>

@@ -60,6 +60,10 @@
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-ssl</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wildfly.security</groupId>
+            <artifactId>wildfly-elytron-ssl-builder</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-util</artifactId>

@@ -42,7 +42,7 @@
 import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
 import org.wildfly.security.auth.callback.TrustedAuthoritiesCallback;
 import org.wildfly.security.evidence.X509PeerCertificateChainEvidence;
-import org.wildfly.security.ssl.SSLUtils;
+import org.wildfly.security.ssl.builder.SSLUtils;
 import org.wildfly.security.x500.TrustedAuthority;
 import org.wildfly.security.x500.TrustedAuthority.CertificateTrustedAuthority;
 

@@ -25,6 +25,7 @@
         <groupId>org.wildfly.security</groupId>
         <artifactId>wildfly-elytron-parent</artifactId>
         <version>2.5.3.CR1-SNAPSHOT</version>
+        <relativePath>../../pom.xml</relativePath>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

@@ -39,7 +39,7 @@ public abstract class CipherSuiteSelector {
 
     final CipherSuiteSelector prev;
 
-    CipherSuiteSelector(final CipherSuiteSelector prev) {
+    public CipherSuiteSelector(final CipherSuiteSelector prev) {
         this.prev = prev;
     }
 

@@ -0,0 +1,169 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2014 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.ssl;
+
+import static org.jboss.logging.Logger.Level.WARN;
+
+import java.security.NoSuchAlgorithmException;
+
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLProtocolException;
+
+import org.jboss.logging.BasicLogger;
+import org.jboss.logging.Logger;
+import org.jboss.logging.annotations.Cause;
+import org.jboss.logging.annotations.LogMessage;
+import org.jboss.logging.annotations.Message;
+import org.jboss.logging.annotations.MessageLogger;
+import org.jboss.logging.annotations.ValidIdRange;
+import org.jboss.logging.annotations.ValidIdRanges;
+
+/**
+ * Log messages and exceptions for Elytron.
+ *
+ * @author <a href="mailto:[email protected]">David M. Lloyd</a>
+ * @author <a href="mailto:[email protected]">Darran Lofthouse</a>
+ */
+@MessageLogger(projectCode = "ELY", length = 5)
+@ValidIdRanges({
+    @ValidIdRange(min = 1066, max = 1077),
+    @ValidIdRange(min = 4001, max = 4031),
+    @ValidIdRange(min = 5015, max = 5017),
+    @ValidIdRange(min = 15000, max = 15999)
+})
+public interface ElytronMessages extends BasicLogger {
+
+    ElytronMessages log = Logger.getMessageLogger(ElytronMessages.class, "org.wildfly.security");
+    ElytronMessages tls = Logger.getMessageLogger(ElytronMessages.class, "org.wildfly.security.tls");
+
+    @LogMessage(level = WARN)
+    @Message(id = 1066, value = "Invalid string count for mechanism database entry \"%s\"")
+    void warnInvalidStringCountForMechanismDatabaseEntry(String name);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1067, value = "Invalid key exchange \"%s\" for mechanism database entry \"%s\"")
+    void warnInvalidKeyExchangeForMechanismDatabaseEntry(String value, String name);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1068, value = "Invalid authentication \"%s\" for mechanism database entry \"%s\"")
+    void warnInvalidAuthenticationForMechanismDatabaseEntry(String value, String name);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1069, value = "Invalid encryption \"%s\" for mechanism database entry \"%s\"")
+    void warnInvalidEncryptionForMechanismDatabaseEntry(String value, String name);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1070, value = "Invalid digest \"%s\" for mechanism database entry \"%s\"")
+    void warnInvalidDigestForMechanismDatabaseEntry(String value, String name);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1071, value = "Invalid protocol \"%s\" for mechanism database entry \"%s\"")
+    void warnInvalidProtocolForMechanismDatabaseEntry(String value, String name);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1072, value = "Invalid level \"%s\" for mechanism database entry \"%s\"")
+    void warnInvalidLevelForMechanismDatabaseEntry(String value, String name);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1073, value = "Invalid strength bits \"%s\" for mechanism database entry \"%s\"")
+    void warnInvalidStrengthBitsForMechanismDatabaseEntry(String value, String name);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1074, value = "Invalid algorithm bits \"%s\" for mechanism database entry \"%s\"")
+    void warnInvalidAlgorithmBitsForMechanismDatabaseEntry(String value, String name);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1075, value = "Invalid duplicate mechanism database entry \"%s\"")
+    void warnInvalidDuplicateMechanismDatabaseEntry(String name);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1076, value = "Invalid duplicate OpenSSL-style alias \"%s\" for mechanism database entry \"%s\" (original is \"%s\")")
+    void warnInvalidDuplicateOpenSslStyleAliasForMechanismDatabaseEntry(String alias, String name, String originalName);
+
+    @LogMessage(level = WARN)
+    @Message(id = 1077, value = "Invalid alias \"%s\" for missing mechanism database entry \"%s\"")
+    void warnInvalidAliasForMissingMechanismDatabaseEntry(String value, String name);
+
+    @Message(id = 4001, value = "No algorithm found matching TLS/SSL protocol selection criteria")
+    NoSuchAlgorithmException noAlgorithmForSslProtocol();
+
+    @Message(id = 4005, value = "No default trust manager available")
+    NoSuchAlgorithmException noDefaultTrustManager();
+
+    @Message(id = 4008, value = "Initial SSL/TLS data is not a handshake record")
+    SSLHandshakeException notHandshakeRecord();
+
+    @Message(id = 4009, value = "Initial SSL/TLS handshake record is invalid")
+    SSLHandshakeException invalidHandshakeRecord();
+
+    @Message(id = 4010, value = "Initial SSL/TLS handshake spans multiple records")
+    SSLHandshakeException multiRecordSSLHandshake();
+
+    @Message(id = 4011, value = "Expected \"client hello\" record")
+    SSLHandshakeException expectedClientHello();
+
+    @Message(id = 4012, value = "Unsupported SSL/TLS record")
+    SSLHandshakeException unsupportedSslRecord();
+
+    @Message(id = 4013, value = "Invalid TLS extension data")
+    SSLProtocolException invalidTlsExt();
+
+    @Message(id = 4014, value = "Not enough data in record to fill declared item size")
+    SSLProtocolException notEnoughData();
+
+    @Message(id = 4015, value = "Empty host name in SNI record data")
+    SSLProtocolException emptyHostNameSni();
+
+    @Message(id = 4016, value = "Duplicated SNI server name of type %d")
+    SSLProtocolException duplicatedSniServerName(int type);
+
+    @Message(id = 4017, value = "Unknown authentication name \"%s\"")
+    IllegalArgumentException unknownAuthenticationName(String name);
+
+    @Message(id = 4018, value = "Unknown encryption name \"%s\"")
+    IllegalArgumentException unknownEncryptionName(String name);
+
+    @Message(id = 4019, value = "Unknown key exchange name \"%s\"")
+    IllegalArgumentException unknownKeyExchangeName(String name);
+
+    @Message(id = 4026, value = "Could not create trust manager [%s]")
+    IllegalStateException sslErrorCreatingTrustManager(String name, @Cause Throwable cause);
+
+    @Message(id = 4029, value = "Default context cannot be null")
+    IllegalStateException defaultContextCannotBeNull();
+
+    @Message(id = 4030, value = "No context for SSL connection")
+    SSLException noSNIContextForSslConnection(); // TODO Compare with noContextForSslConnection.
+
+    @Message(id = 4031, value = "TrustManagerFactory algorithm [%s] does not support certificate revocation")
+    IllegalStateException sslErrorCreatingRevocationTrustManager(String name, @Cause Throwable cause);
+
+    @Message(id = 5015, value = "Unexpected character U+%04x at offset %d of mechanism selection string \"%s\"")
+    IllegalArgumentException mechSelectorUnexpectedChar(int codePoint, long offset, String string);
+
+    @Message(id = 5016, value = "Unrecognized token \"%s\" in mechanism selection string \"%s\"")
+    IllegalArgumentException mechSelectorUnknownToken(String word, String string);
+
+    @Message(id = 5017, value = "Token \"%s\" not allowed at offset %d of mechanism selection string \"%s\"")
+    IllegalArgumentException mechSelectorTokenNotAllowed(String token, long offset, String string);
+
+    @Message(id = 15000, value = "Unknown cipher suite name '%s' in names string '%s'")
+    IllegalArgumentException unknownCipherSuiteName(String name, String string);
+}
@@ -34,7 +34,7 @@
 import java.util.Map;
 import java.util.regex.Pattern;
 
-class MechanismDatabase {
+public class MechanismDatabase {
     private static final MechanismDatabase INSTANCE = new MechanismDatabase("MechanismDatabase.properties");
     private static final MechanismDatabase TLS13_INSTANCE = new MechanismDatabase("TLS13MechanismDatabase.properties", true);
 
@@ -43,19 +43,19 @@ class MechanismDatabase {
     private final Entry[][] algorithmsById;
     private final boolean isTLS13;
 
-    static MechanismDatabase getInstance() {
+    public static MechanismDatabase getInstance() {
         return INSTANCE;
     }
 
-    static MechanismDatabase getTLS13Instance() {
+    public static MechanismDatabase getTLS13Instance() {
         return TLS13_INSTANCE;
     }
 
-    MechanismDatabase(String databaseFileName) {
+    public MechanismDatabase(String databaseFileName) {
         this(databaseFileName, false);
     }
 
-    MechanismDatabase(String databaseFileName, boolean isTLS13) {
+    public MechanismDatabase(String databaseFileName, boolean isTLS13) {
         this.isTLS13 = isTLS13;
         // load and initialize database properties
         final LinkedProperties properties = new LinkedProperties();
@@ -263,7 +263,7 @@ Entry getCipherSuiteOpenSSLName(final String cipherSuite) {
         return entriesByOSSLName.get(cipherSuite);
     }
 
-    Entry getCipherSuiteById(final int byte1, final int byte2) {
+    public Entry getCipherSuiteById(final int byte1, final int byte2) {
         if (byte1 < 0 || byte1 > 255 || byte2 < 0 || byte2 > 255) {
             return null;
         }
@@ -278,7 +278,7 @@ boolean isTLS13() {
         return isTLS13;
     }
 
-    static final class Entry {
+    public  static final class Entry {
         private final String name;
         private final List<String> openSslNames;
         private final List<String> aliases;
@@ -293,7 +293,7 @@ static final class Entry {
         private final int strengthBits;
         private final int algorithmBits;
 
-        Entry(final String name, final List<String> openSslNames, final List<String> aliases, final KeyAgreement keyAgreement, final Authentication authentication, final Encryption encryption, final Digest digest, final Protocol protocol, final boolean export, final SecurityLevel level, final boolean fips, final int strengthBits, final int algorithmBits) {
+        public Entry(final String name, final List<String> openSslNames, final List<String> aliases, final KeyAgreement keyAgreement, final Authentication authentication, final Encryption encryption, final Digest digest, final Protocol protocol, final boolean export, final SecurityLevel level, final boolean fips, final int strengthBits, final int algorithmBits) {
             this.name = name;
             this.openSslNames = openSslNames;
             this.aliases = aliases;

@@ -36,7 +36,7 @@ public abstract class ProtocolSelector {
 
     final ProtocolSelector prev;
 
-    ProtocolSelector(final ProtocolSelector prev) {
+    public ProtocolSelector(final ProtocolSelector prev) {
         this.prev = prev;
     }
 

@@ -51,7 +51,7 @@
  * Instances of this class acts as an explorer of the network data of an
  * SSL/TLS connection.
  */
-final class SSLExplorer {
+public final class SSLExplorer {
 
     // Private constructor prevents construction outside this class.
     private SSLExplorer() {