Package org.eclipse.jetty.util.ssl

Class SniX509ExtendedKeyManager

java.lang.Object

javax.net.ssl.X509ExtendedKeyManager

org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager

All Implemented Interfaces:

javax.net.ssl.KeyManager, javax.net.ssl.X509KeyManager

public class SniX509ExtendedKeyManager
extends javax.net.ssl.X509ExtendedKeyManager

A X509ExtendedKeyManager that selects a key with an alias retrieved from SNI information, delegating other processing to a nested X509ExtendedKeyManager.

Can only be used on server side.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static interface	SniX509ExtendedKeyManager.SniSelector	Selects a certificate based on SNI information.

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	SNI_X509

Constructor Summary

Constructors

Constructor	Description
SniX509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager keyManager)	Deprecated. not supported, you must have a SslContextFactory.Server for this to work.
SniX509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager keyManager, SslContextFactory.Server sslContextFactory)

Method Summary

Modifier and Type	Method	Description
java.lang.String	chooseClientAlias(java.lang.String[] keyType, java.security.Principal[] issuers, java.net.Socket socket)
java.lang.String	chooseEngineClientAlias(java.lang.String[] keyType, java.security.Principal[] issuers, javax.net.ssl.SSLEngine engine)
java.lang.String	chooseEngineServerAlias(java.lang.String keyType, java.security.Principal[] issuers, javax.net.ssl.SSLEngine engine)
java.lang.String	chooseServerAlias(java.lang.String keyType, java.security.Principal[] issuers, java.net.Socket socket)
protected java.lang.String	chooseServerAlias(java.lang.String keyType, java.security.Principal[] issuers, java.util.Collection<javax.net.ssl.SNIMatcher> matchers, javax.net.ssl.SSLSession session)
java.util.function.UnaryOperator<java.lang.String>	getAliasMapper()
java.security.cert.X509Certificate[]	getCertificateChain(java.lang.String alias)
java.lang.String[]	getClientAliases(java.lang.String keyType, java.security.Principal[] issuers)
java.security.PrivateKey	getPrivateKey(java.lang.String alias)
java.lang.String[]	getServerAliases(java.lang.String keyType, java.security.Principal[] issuers)
void	setAliasMapper(java.util.function.UnaryOperator<java.lang.String> aliasMapper)	Sets a function that transforms the alias into a possibly different alias, invoked when the SNI logic must choose the alias to pick the right certificate.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SNI_X509

public static final java.lang.String SNI_X509

See Also:

Constant Field Values

Constructor Detail

SniX509ExtendedKeyManager

@Deprecated
public SniX509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager keyManager)

Deprecated.

not supported, you must have a SslContextFactory.Server for this to work.

SniX509ExtendedKeyManager

public SniX509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager keyManager,
                                 SslContextFactory.Server sslContextFactory)

Method Detail

getAliasMapper

public java.util.function.UnaryOperator<java.lang.String> getAliasMapper()

Returns:

the function that transforms the alias

See Also:

setAliasMapper(UnaryOperator)

setAliasMapper

public void setAliasMapper(java.util.function.UnaryOperator<java.lang.String> aliasMapper)

Sets a function that transforms the alias into a possibly different alias, invoked when the SNI logic must choose the alias to pick the right certificate.

This function is required when using the PKIX KeyManagerFactory algorithm which suffers from bug https://bugs.openjdk.java.net/browse/JDK-8246262, where aliases are returned by the OpenJDK implementation to the application in the form N.0.alias where N is an always increasing number. Such mangled aliases won't match the aliases in the keystore, so that for example SNI matching will always fail.

Other implementations such as BouncyCastle have been reported to mangle the alias in a different way, namely 0.alias.N.

This function allows to "unmangle" the alias from the implementation specific mangling back to just alias so that SNI matching will work again.

Parameters:

aliasMapper - the function that transforms the alias

chooseClientAlias

public java.lang.String chooseClientAlias(java.lang.String[] keyType,
                                          java.security.Principal[] issuers,
                                          java.net.Socket socket)

chooseEngineClientAlias

public java.lang.String chooseEngineClientAlias(java.lang.String[] keyType,
                                                java.security.Principal[] issuers,
                                                javax.net.ssl.SSLEngine engine)

Overrides:

chooseEngineClientAlias in class javax.net.ssl.X509ExtendedKeyManager

chooseServerAlias

protected java.lang.String chooseServerAlias(java.lang.String keyType,
                                             java.security.Principal[] issuers,
                                             java.util.Collection<javax.net.ssl.SNIMatcher> matchers,
                                             javax.net.ssl.SSLSession session)

chooseServerAlias

public java.lang.String chooseServerAlias(java.lang.String keyType,
                                          java.security.Principal[] issuers,
                                          java.net.Socket socket)

chooseEngineServerAlias

public java.lang.String chooseEngineServerAlias(java.lang.String keyType,
                                                java.security.Principal[] issuers,
                                                javax.net.ssl.SSLEngine engine)

Overrides:

chooseEngineServerAlias in class javax.net.ssl.X509ExtendedKeyManager

getCertificateChain

public java.security.cert.X509Certificate[] getCertificateChain(java.lang.String alias)

getClientAliases

public java.lang.String[] getClientAliases(java.lang.String keyType,
                                           java.security.Principal[] issuers)

getPrivateKey

public java.security.PrivateKey getPrivateKey(java.lang.String alias)

getServerAliases

public java.lang.String[] getServerAliases(java.lang.String keyType,
                                           java.security.Principal[] issuers)