Package org.eclipse.jetty.util.ssl

Class SniX509ExtendedKeyManager

java.lang.Object

javax.net.ssl.X509ExtendedKeyManager

org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager

All Implemented Interfaces:

KeyManager, X509KeyManager

public class SniX509ExtendedKeyManager
extends X509ExtendedKeyManager

A X509ExtendedKeyManager that selects a key with an alias retrieved from SNI information, delegating other processing to a nested X509ExtendedKeyManager.

Can only be used on server side.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static interface	SniX509ExtendedKeyManager.SniSelector	Selects a certificate based on SNI information.

Constructor Summary

Constructors

Constructor	Description
SniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager, SslContextFactory.Server sslContextFactory)

Method Summary

Modifier and Type	Method	Description
String	chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
String	chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine)
String	chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
String	chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
protected String	chooseServerAlias(String keyType, Principal[] issuers, Collection<SNIMatcher> matchers, SSLSession session)
UnaryOperator<String>	getAliasMapper()
X509Certificate[]	getCertificateChain(String alias)
String[]	getClientAliases(String keyType, Principal[] issuers)
PrivateKey	getPrivateKey(String alias)
String[]	getServerAliases(String keyType, Principal[] issuers)
void	setAliasMapper(UnaryOperator<String> aliasMapper)	Sets a function that transforms the alias into a possibly different alias, invoked when the SNI logic must choose the alias to pick the right certificate.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

SniX509ExtendedKeyManager

public SniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager,
 SslContextFactory.Server sslContextFactory)

Method Details

getAliasMapper

public UnaryOperator<String> getAliasMapper()

Returns:

the function that transforms the alias

See Also:

• setAliasMapper(UnaryOperator)

setAliasMapper

public void setAliasMapper(UnaryOperator<String> aliasMapper)

Sets a function that transforms the alias into a possibly different alias, invoked when the SNI logic must choose the alias to pick the right certificate.

This function is required when using the PKIX KeyManagerFactory algorithm which suffers from bug https://bugs.openjdk.java.net/browse/JDK-8246262, where aliases are returned by the OpenJDK implementation to the application in the form N.0.alias where N is an always increasing number. Such mangled aliases won't match the aliases in the keystore, so that for example SNI matching will always fail.

Other implementations such as BouncyCastle have been reported to mangle the alias in a different way, namely 0.alias.N.

This function allows to "unmangle" the alias from the implementation specific mangling back to just alias so that SNI matching will work again.

Parameters:

aliasMapper - the function that transforms the alias

chooseClientAlias

public String chooseClientAlias(String[] keyType,
 Principal[] issuers,
 Socket socket)

chooseEngineClientAlias

public String chooseEngineClientAlias(String[] keyType,
 Principal[] issuers,
 SSLEngine engine)

Overrides:

chooseEngineClientAlias in class X509ExtendedKeyManager

chooseServerAlias

protected String chooseServerAlias(String keyType,
 Principal[] issuers,
 Collection<SNIMatcher> matchers,
 SSLSession session)

chooseServerAlias

public String chooseServerAlias(String keyType,
 Principal[] issuers,
 Socket socket)

chooseEngineServerAlias

public String chooseEngineServerAlias(String keyType,
 Principal[] issuers,
 SSLEngine engine)

Overrides:

chooseEngineServerAlias in class X509ExtendedKeyManager

getCertificateChain

public X509Certificate[] getCertificateChain(String alias)

getClientAliases

public String[] getClientAliases(String keyType,
 Principal[] issuers)

getPrivateKey

public PrivateKey getPrivateKey(String alias)

getServerAliases

public String[] getServerAliases(String keyType,
 Principal[] issuers)