Class SniX509ExtendedKeyManager

java.lang.Object
  javax.net.ssl.X509ExtendedKeyManager
    org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager

All Implemented Interfaces:
  javax.net.ssl.KeyManager, javax.net.ssl.X509KeyManager

public class SniX509ExtendedKeyManager extends javax.net.ssl.X509ExtendedKeyManager

An X509ExtendedKeyManager that selects a key with an alias retrieved from SNI information, delegating other processing to a nested X509ExtendedKeyManager. Can only be used on the server side.

Nested Class Summary

  static interface  SniX509ExtendedKeyManager.SniSelector
      Selects a certificate based on SNI information.

Field Summary

  static java.lang.String  SNI_X509

Constructor Summary

  SniX509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager keyManager)
      Deprecated. Not supported; you must have an SslContextFactory.Server for this to work.
  SniX509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager keyManager, SslContextFactory.Server sslContextFactory)

Method Summary

  java.lang.String  chooseClientAlias(java.lang.String[] keyType, java.security.Principal[] issuers, java.net.Socket socket)
  java.lang.String  chooseEngineClientAlias(java.lang.String[] keyType, java.security.Principal[] issuers, javax.net.ssl.SSLEngine engine)
  java.lang.String  chooseEngineServerAlias(java.lang.String keyType, java.security.Principal[] issuers, javax.net.ssl.SSLEngine engine)
  java.lang.String  chooseServerAlias(java.lang.String keyType, java.security.Principal[] issuers, java.net.Socket socket)
  protected java.lang.String  chooseServerAlias(java.lang.String keyType, java.security.Principal[] issuers, java.util.Collection<javax.net.ssl.SNIMatcher> matchers, javax.net.ssl.SSLSession session)
  java.util.function.UnaryOperator<java.lang.String>  getAliasMapper()
  java.security.cert.X509Certificate[]  getCertificateChain(java.lang.String alias)
  java.lang.String[]  getClientAliases(java.lang.String keyType, java.security.Principal[] issuers)
  java.security.PrivateKey  getPrivateKey(java.lang.String alias)
  java.lang.String[]  getServerAliases(java.lang.String keyType, java.security.Principal[] issuers)
  void  setAliasMapper(java.util.function.UnaryOperator<java.lang.String> aliasMapper)
      Sets a function that transforms the alias into a possibly different alias, invoked when the SNI logic must choose the alias to pick the right certificate.

Field Detail

SNI_X509

  public static final java.lang.String SNI_X509

  See Also:
    Constant Field Values

Constructor Detail

SniX509ExtendedKeyManager

  @Deprecated
  public SniX509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager keyManager)

  Deprecated. Not supported; you must have an SslContextFactory.Server for this to work.

SniX509ExtendedKeyManager

  public SniX509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager keyManager, SslContextFactory.Server sslContextFactory)

Method Detail

getAliasMapper

  public java.util.function.UnaryOperator<java.lang.String> getAliasMapper()

  Returns:
    the function that transforms the alias
  See Also:
    setAliasMapper(UnaryOperator)

setAliasMapper

  public void setAliasMapper(java.util.function.UnaryOperator<java.lang.String> aliasMapper)

  Sets a function that transforms the alias into a possibly different alias, invoked when the SNI logic must choose the alias to pick the right certificate.

  This function is required when using the PKIX KeyManagerFactory algorithm, which suffers from bug https://bugs.openjdk.java.net/browse/JDK-8246262: aliases are returned by the OpenJDK implementation to the application in the form N.0.alias, where N is an always increasing number. Such mangled aliases won't match the aliases in the keystore, so that, for example, SNI matching will always fail. Other implementations such as BouncyCastle have been reported to mangle the alias in a different way, namely 0.alias.N.

  This function allows the alias to be "unmangled" from the implementation-specific form back to just alias, so that SNI matching will work again.

  Parameters:
    aliasMapper - the function that transforms the alias
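An alias mapper that reverses both mangling forms described above (OpenJDK's N.0.alias and the reported BouncyCastle 0.alias.N), installed on a SniX509ExtendedKeyManager built over the PKIX KeyManagerFactory. This is an added example, not Jetty's own code; the class AliasUnmangling and the method names unmangle and newSniKeyManager are the example's own.

```java
import java.security.KeyStore;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Example helper, not a Jetty class.
public final class AliasUnmangling
{
    private static final Pattern[] MANGLED = {
        Pattern.compile("^\\d+\\.0\\.(.+)$"),  // OpenJDK PKIX (JDK-8246262): "N.0.alias"
        Pattern.compile("^0\\.(.+)\\.\\d+$")   // BouncyCastle, as reported: "0.alias.N"
    };

    // Returns the keystore alias; input matching neither form is returned unchanged,
    // so ordinary aliases are never altered. Caveat: a real alias shaped like "1.0.x"
    // is indistinguishable from a mangled one, so avoid naming keystore entries that way.
    public static String unmangle(String alias)
    {
        if (alias == null)
            return null;
        for (Pattern p : MANGLED)
        {
            Matcher m = p.matcher(alias);
            if (m.matches())
                return m.group(1);
        }
        return alias;
    }

    // Wraps the PKIX key manager (the algorithm affected by the bug) in the SNI key
    // manager using the non-deprecated constructor, and installs the mapper so the
    // alias chosen by SNI matches the keystore entry again.
    public static SniX509ExtendedKeyManager newSniKeyManager(KeyStore keyStore, char[] keyPassword,
                                                            SslContextFactory.Server sslContextFactory) throws Exception
    {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
        kmf.init(keyStore, keyPassword);
        for (KeyManager km : kmf.getKeyManagers())
        {
            if (km instanceof X509ExtendedKeyManager)
            {
                SniX509ExtendedKeyManager sni = new SniX509ExtendedKeyManager((X509ExtendedKeyManager)km, sslContextFactory);
                sni.setAliasMapper(AliasUnmangling::unmangle);
                return sni;
            }
        }
        throw new IllegalStateException("PKIX KeyManagerFactory returned no X509ExtendedKeyManager");
    }
}
```

With this mapper installed, unmangle("3.0.www") and unmangle("0.www.3") both yield "www", while an alias such as "www" passes through untouched.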

chooseClientAlias

  public java.lang.String chooseClientAlias(java.lang.String[] keyType, java.security.Principal[] issuers, java.net.Socket socket)

chooseEngineClientAlias

  public java.lang.String chooseEngineClientAlias(java.lang.String[] keyType, java.security.Principal[] issuers, javax.net.ssl.SSLEngine engine)

  Overrides:
    chooseEngineClientAlias in class javax.net.ssl.X509ExtendedKeyManager

chooseServerAlias

  protected java.lang.String chooseServerAlias(java.lang.String keyType, java.security.Principal[] issuers, java.util.Collection<javax.net.ssl.SNIMatcher> matchers, javax.net.ssl.SSLSession session)

chooseServerAlias

  public java.lang.String chooseServerAlias(java.lang.String keyType, java.security.Principal[] issuers, java.net.Socket socket)

chooseEngineServerAlias

  public java.lang.String chooseEngineServerAlias(java.lang.String keyType, java.security.Principal[] issuers, javax.net.ssl.SSLEngine engine)

  Overrides:
    chooseEngineServerAlias in class javax.net.ssl.X509ExtendedKeyManager

getCertificateChain

  public java.security.cert.X509Certificate[] getCertificateChain(java.lang.String alias)

getClientAliases

  public java.lang.String[] getClientAliases(java.lang.String keyType, java.security.Principal[] issuers)

getPrivateKey

  public java.security.PrivateKey getPrivateKey(java.lang.String alias)

getServerAliases

  public java.lang.String[] getServerAliases(java.lang.String keyType, java.security.Principal[] issuers)