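/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.tomcat.util.net.jsse;

import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;

/**
 * X509KeyManager which allows selection of a specific keypair and certificate
 * chain (identified by their keystore alias name) to be used by the server to
 * authenticate itself to SSL clients.
 *
 * Every operation except server alias selection is forwarded unchanged to the
 * wrapped delegate; {@link #chooseServerAlias} always answers with the alias
 * given at construction time, regardless of the key type or issuers the peer
 * asked for. Both fields are set once in the constructor and never modified,
 * so instances are immutable after construction.
 *
 * @author Jan Luehe
 */
public final class JSSEKeyManager implements X509KeyManager {

    // Key manager that actually holds the keys/certificates; all lookups are
    // delegated to it.
    private final X509KeyManager delegate;

    // Keystore alias of the keypair/certificate chain the server must present.
    // Never re-selected per handshake.
    private final String serverKeyAlias;

    /**
     * Constructor.
     *
     * @param mgr The X509KeyManager used as a delegate
     * @param serverKeyAlias The alias name of the server's keypair and
     * supporting certificate chain. It is stored as given, so a null value
     * makes {@link #chooseServerAlias} return null (no server credential).
     */
    public JSSEKeyManager(X509KeyManager mgr, String serverKeyAlias) {
        this.delegate = mgr;
        this.serverKeyAlias = serverKeyAlias;
    }

    /**
     * Choose an alias to authenticate the client side of a secure socket,
     * given the public key type and the list of certificate issuer authorities
     * recognized by the peer (if any). Delegated unchanged; the configured
     * server alias plays no part in client-side selection.
     *
     * @param keyType The key algorithm type name(s), ordered with the
     * most-preferred key type first
     * @param issuers The list of acceptable CA issuer subject names, or null
     * if it does not matter which issuers are used
     * @param socket The socket to be used for this connection. This parameter
     * can be null, in which case this method will return the most generic
     * alias to use
     *
     * @return The alias name for the desired key, or null if there are no
     * matches
     */
    public String chooseClientAlias(String[] keyType, Principal[] issuers,
                                    Socket socket) {
        return delegate.chooseClientAlias(keyType, issuers, socket);
    }

    /**
     * Returns this key manager's server key alias that was provided in the
     * constructor.
     *
     * The delegate is not consulted and no check is made here that the alias
     * actually exists in the keystore or that its key algorithm matches
     * {@code keyType}; the JSSE provider sees that only when it later calls
     * {@link #getPrivateKey} / {@link #getCertificateChain} for the alias.
     * The operator is therefore responsible for configuring an alias whose
     * key type is usable by the enabled cipher suites.
     *
     * @param keyType The key algorithm type name (ignored)
     * @param issuers The list of acceptable CA issuer subject names, or null
     * if it does not matter which issuers are used (ignored)
     * @param socket The socket to be used for this connection. This parameter
     * can be null, in which case this method will return the most generic
     * alias to use (ignored)
     *
     * @return Alias name for the desired key, exactly as passed to the
     * constructor (may be null if null was configured)
     */
    public String chooseServerAlias(String keyType, Principal[] issuers,
                                    Socket socket) {
        return serverKeyAlias;
    }

    /**
     * Returns the certificate chain associated with the given alias.
     * Delegated unchanged.
     *
     * @param alias The alias name
     *
     * @return Certificate chain (ordered with the user's certificate first
     * and the root certificate authority last), or null if the alias can't be
     * found
     */
    public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    /**
     * Get the matching aliases for authenticating the client side of a secure
     * socket, given the public key type and the list of certificate issuer
     * authorities recognized by the peer (if any). Delegated unchanged.
     *
     * @param keyType The key algorithm type name
     * @param issuers The list of acceptable CA issuer subject names, or null
     * if it does not matter which issuers are used
     *
     * @return Array of the matching alias names, or null if there were no
     * matches
     */
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    /**
     * Get the matching aliases for authenticating the server side of a secure
     * socket, given the public key type and the list of certificate issuer
     * authorities recognized by the peer (if any). Delegated unchanged: the
     * result is NOT restricted to the configured server alias, only
     * {@link #chooseServerAlias} is.
     *
     * @param keyType The key algorithm type name
     * @param issuers The list of acceptable CA issuer subject names, or null
     * if it does not matter which issuers are used
     *
     * @return Array of the matching alias names, or null if there were no
     * matches
     */
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    /**
     * Returns the key associated with the given alias. Delegated unchanged.
     *
     * @param alias The alias name
     *
     * @return The requested key, or null if the alias can't be found
     */
    public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }
}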