Class SniX509ExtendedKeyManager

  • All Implemented Interfaces:
    javax.net.ssl.KeyManager, javax.net.ssl.X509KeyManager

    public class SniX509ExtendedKeyManager
    extends javax.net.ssl.X509ExtendedKeyManager

An X509ExtendedKeyManager that selects a key whose alias is derived from the SNI information sent by the client, delegating all other processing to a nested X509ExtendedKeyManager.

Can only be used on the server side.

    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.lang.String SNI_X509  
    • Method Summary

      Modifier and Type Method Description
      java.lang.String chooseClientAlias​(java.lang.String[] keyType, java.security.Principal[] issuers, java.net.Socket socket)  
      java.lang.String chooseEngineClientAlias​(java.lang.String[] keyType, java.security.Principal[] issuers, javax.net.ssl.SSLEngine engine)  
      java.lang.String chooseEngineServerAlias​(java.lang.String keyType, java.security.Principal[] issuers, javax.net.ssl.SSLEngine engine)  
      java.lang.String chooseServerAlias​(java.lang.String keyType, java.security.Principal[] issuers, java.net.Socket socket)  
      protected java.lang.String chooseServerAlias​(java.lang.String keyType, java.security.Principal[] issuers, java.util.Collection<javax.net.ssl.SNIMatcher> matchers, javax.net.ssl.SSLSession session)  
      java.util.function.UnaryOperator<java.lang.String> getAliasMapper()  
      java.security.cert.X509Certificate[] getCertificateChain​(java.lang.String alias)  
      java.lang.String[] getClientAliases​(java.lang.String keyType, java.security.Principal[] issuers)  
      java.security.PrivateKey getPrivateKey​(java.lang.String alias)  
      java.lang.String[] getServerAliases​(java.lang.String keyType, java.security.Principal[] issuers)  
      void setAliasMapper​(java.util.function.UnaryOperator<java.lang.String> aliasMapper)
      Sets a function that transforms the alias into a possibly different alias, invoked when the SNI logic must choose the alias to pick the right certificate.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • SniX509ExtendedKeyManager

        @Deprecated
        public SniX509ExtendedKeyManager​(javax.net.ssl.X509ExtendedKeyManager keyManager)
Deprecated.
Not supported: you must have a SslContextFactory.Server for this to work.
      • SniX509ExtendedKeyManager

        public SniX509ExtendedKeyManager​(javax.net.ssl.X509ExtendedKeyManager keyManager,
                                         SslContextFactory.Server sslContextFactory)
    • Method Detail

      • getAliasMapper

        public java.util.function.UnaryOperator<java.lang.String> getAliasMapper()
        Returns:
        the function that transforms the alias
        See Also:
        setAliasMapper(UnaryOperator)
      • setAliasMapper

        public void setAliasMapper​(java.util.function.UnaryOperator<java.lang.String> aliasMapper)

        Sets a function that transforms the alias into a possibly different alias, invoked when the SNI logic must choose the alias to pick the right certificate.

This function is required when using the PKIX KeyManagerFactory algorithm, which suffers from bug https://bugs.openjdk.java.net/browse/JDK-8246262: the OpenJDK implementation returns aliases to the application in the form N.0.alias, where N is an ever-increasing number. Such mangled aliases do not match the aliases in the keystore, so, for example, SNI matching will always fail.

Other implementations, such as BouncyCastle, have been reported to mangle the alias in a different way, namely 0.alias.N.

This function allows the application to "unmangle" the alias from the implementation-specific form back to just alias, so that SNI matching works again.

        Parameters:
        aliasMapper - the function that transforms the alias
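The following is an added example, not code from Jetty or this class: it builds an alias mapper that strips both mangling forms described above (OpenJDK's N.0.alias and BouncyCastle's 0.alias.N), accepts the unmangled candidate only if that alias actually exists in the keystore (a sanity check of this example's own, since a genuine alias could itself look like 0.foo.3), and installs it on the SniX509ExtendedKeyManager that a SslContextFactory.Server creates. The wiring assumes the protected newSniX509ExtendedKeyManager(X509ExtendedKeyManager) hook on SslContextFactory.Server; the keystore path and password are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.X509ExtendedKeyManager;
import org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Example only: maps provider-mangled aliases back to keystore aliases for SNI matching. */
public final class SniAliasUnmangler
{
    // OpenJDK PKIX (JDK-8246262): "N.0.alias", where N is an ever-increasing counter.
    private static final Pattern OPENJDK_MANGLED = Pattern.compile("^\\d+\\.0\\.(.+)$");
    // BouncyCastle (as reported): "0.alias.N".
    private static final Pattern BC_MANGLED = Pattern.compile("^0\\.(.+)\\.\\d+$");

    /** Strips either mangling; returns the input unchanged if it matches neither form. */
    static String unmangle(String alias)
    {
        Matcher m = OPENJDK_MANGLED.matcher(alias);
        if (m.matches())
            return m.group(1);
        m = BC_MANGLED.matcher(alias);
        if (m.matches())
            return m.group(1);
        return alias;
    }

    /**
     * Mapper for SniX509ExtendedKeyManager.setAliasMapper. The keystore lookup is
     * this example's own check, not Jetty behaviour: if the unmangled candidate is
     * not a real keystore alias, the original alias is passed through untouched.
     */
    static UnaryOperator<String> keystoreCheckedMapper(KeyStore keyStore)
    {
        return alias ->
        {
            String candidate = unmangle(alias);
            try
            {
                return keyStore.containsAlias(candidate) ? candidate : alias;
            }
            catch (KeyStoreException e)
            {
                return alias;
            }
        };
    }

    /** Assumed hook: SslContextFactory.Server.newSniX509ExtendedKeyManager(X509ExtendedKeyManager). */
    public static class UnmanglingSslContextFactory extends SslContextFactory.Server
    {
        private final KeyStore keyStore;

        public UnmanglingSslContextFactory(KeyStore keyStore, String keyStorePassword)
        {
            this.keyStore = keyStore;
            setKeyStore(keyStore);
            setKeyStorePassword(keyStorePassword);
            // PKIX is the algorithm that mangles aliases; this is the case the mapper exists for.
            setKeyManagerFactoryAlgorithm("PKIX");
        }

        @Override
        protected X509ExtendedKeyManager newSniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)
        {
            SniX509ExtendedKeyManager sni = new SniX509ExtendedKeyManager(keyManager, this);
            sni.setAliasMapper(keystoreCheckedMapper(keyStore));
            return sni;
        }
    }

    public static void main(String[] args) throws Exception
    {
        // Hypothetical keystore path and password; replace with your own.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream("/etc/jetty/keystore.p12"))
        {
            ks.load(in, "changeit".toCharArray());
        }
        SslContextFactory.Server ssl = new UnmanglingSslContextFactory(ks, "changeit");
        ssl.start();
        // Hand 'ssl' to an SslConnectionFactory / ServerConnector as usual.

        System.out.println(unmangle("3.0.www.example.com")); // www.example.com
        System.out.println(unmangle("0.www.example.com.7")); // www.example.com
        System.out.println(unmangle("www.example.com"));     // www.example.com
    }
}
```

Both patterns use a greedy group so that aliases containing dots (such as a host name) survive intact. If you know which provider is in use, keep only its pattern: a mapper that guesses at both forms can misread a legitimate alias of the other shape, which is why the keystore check above refuses a candidate the keystore does not contain. Switching setKeyManagerFactoryAlgorithm to "SunX509" avoids the mangling altogether, but that key manager does not apply PKIX's certificate validity and key-usage checks when choosing an alias, so prefer the mapper when those checks matter.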
      • chooseClientAlias

        public java.lang.String chooseClientAlias​(java.lang.String[] keyType,
                                                  java.security.Principal[] issuers,
                                                  java.net.Socket socket)
      • chooseEngineClientAlias

        public java.lang.String chooseEngineClientAlias​(java.lang.String[] keyType,
                                                        java.security.Principal[] issuers,
                                                        javax.net.ssl.SSLEngine engine)
        Overrides:
        chooseEngineClientAlias in class javax.net.ssl.X509ExtendedKeyManager
      • chooseServerAlias

        protected java.lang.String chooseServerAlias​(java.lang.String keyType,
                                                     java.security.Principal[] issuers,
                                                     java.util.Collection<javax.net.ssl.SNIMatcher> matchers,
                                                     javax.net.ssl.SSLSession session)
      • chooseServerAlias

        public java.lang.String chooseServerAlias​(java.lang.String keyType,
                                                  java.security.Principal[] issuers,
                                                  java.net.Socket socket)
      • chooseEngineServerAlias

        public java.lang.String chooseEngineServerAlias​(java.lang.String keyType,
                                                        java.security.Principal[] issuers,
                                                        javax.net.ssl.SSLEngine engine)
        Overrides:
        chooseEngineServerAlias in class javax.net.ssl.X509ExtendedKeyManager
      • getCertificateChain

        public java.security.cert.X509Certificate[] getCertificateChain​(java.lang.String alias)
      • getClientAliases

        public java.lang.String[] getClientAliases​(java.lang.String keyType,
                                                   java.security.Principal[] issuers)
      • getPrivateKey

        public java.security.PrivateKey getPrivateKey​(java.lang.String alias)
      • getServerAliases

        public java.lang.String[] getServerAliases​(java.lang.String keyType,
                                                   java.security.Principal[] issuers)