CompositeX509ExtendedKeyManager.java

  1. /*
  2.  * Copyright 2019-2021 the original author or authors.
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *      https://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  */

  17. package nl.altindag.ssl.keymanager;

  19. import javax.net.ssl.SSLEngine;
  20. import javax.net.ssl.X509ExtendedKeyManager;
  21. import java.net.InetSocketAddress;
  22. import java.net.Socket;
  23. import java.net.URI;
  24. import java.security.Principal;
  25. import java.security.PrivateKey;
  26. import java.security.cert.X509Certificate;
  27. import java.util.ArrayList;
  28. import java.util.Arrays;
  29. import java.util.Collections;
  30. import java.util.HashMap;
  31. import java.util.List;
  32. import java.util.Map;
  33. import java.util.Optional;

  35. /**
  36.  * Represents an ordered list of {@link X509ExtendedKeyManager} with most-preferred managers first.
  37.  *
  38.  * This is necessary because of the fine-print on {@link javax.net.ssl.SSLContext#init}:
  39.  * Only the first instance of a particular key and/or key manager implementation type in the
  40.  * array is used. (For example, only the first javax.net.ssl.X509KeyManager in the array will be used.)
  41.  * The KeyManager can be build from one or more of any combination provided within the {@link nl.altindag.ssl.util.KeyManagerUtils.KeyManagerBuilder KeyManagerUtils.KeyManagerBuilder}.
  42.  * <br><br>
  43.  * This includes:
  44.  * <pre>
  45.  *     - Any amount of custom KeyManagers
  46.  *     - Any amount of custom Identities
  47.  * </pre>
  48.  *
  49.  * <p>
  50.  * <strong>NOTE:</strong>
  51.  * Please don't use this class directly as it is part of the internal API. Class name and methods can be changed any time.
  52.  * Instead use the {@link nl.altindag.ssl.util.KeyManagerUtils KeyManagerUtils} which provides the same functionality
  53.  * while it has a stable API because it is part of the public API.
  54.  * </p>
  55.  *
  56.  * @see <a href="http://stackoverflow.com/questions/1793979/registering-multiple-keystores-in-jvm">
  57.  *     http://stackoverflow.com/questions/1793979/registering-multiple-keystores-in-jvm
  58.  *     </a>
  59.  * @see <a href="http://codyaray.com/2013/04/java-ssl-with-multiple-keystores">
  60.  *     http://codyaray.com/2013/04/java-ssl-with-multiple-keystores
  61.  *     </a>
  62.  *
  63.  * @author Cody Ray
  64.  * @author Hakan Altinda
  65.  */
  66. public final class CompositeX509ExtendedKeyManager extends X509ExtendedKeyManager {

  68.     private final List<X509ExtendedKeyManager> keyManagers;
  69.     private final Map<String, List<URI>> preferredClientAliasToHost;

  71.     /**
  72.      * Creates a new {@link CompositeX509ExtendedKeyManager}.
  73.      *
  74.      * @param keyManagers the {@link X509ExtendedKeyManager}, ordered with the most-preferred managers first.
  75.      */
  76.     public CompositeX509ExtendedKeyManager(List<? extends X509ExtendedKeyManager> keyManagers) {
  77.         this(keyManagers, Collections.emptyMap());
  78.     }

  80.     /**
  81.      * Creates a new {@link CompositeX509ExtendedKeyManager}.
  82.      *
  83.      * @param keyManagers                the {@link X509ExtendedKeyManager}, ordered with the most-preferred managers first.
  84.      * @param preferredClientAliasToHost the preferred client alias to be used for the given host
  85.      */
  86.     public CompositeX509ExtendedKeyManager(List<? extends X509ExtendedKeyManager> keyManagers,
  87.                                            Map<String, List<URI>> preferredClientAliasToHost) {
  88.         this.keyManagers = Collections.unmodifiableList(keyManagers);
  89.         this.preferredClientAliasToHost = new HashMap<>(preferredClientAliasToHost);
  90.     }

  92.     /**
  93.      * Chooses the first non-null client alias returned from the delegate
  94.      * {@link X509ExtendedKeyManager}, or {@code null} if there are no matches.
  95.      */
  96.     @Override
  97.     public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
  98.         Optional<String> preferredAlias = Optional.empty();
  99.         if (!preferredClientAliasToHost.isEmpty() && socket != null && socket.getRemoteSocketAddress() instanceof InetSocketAddress) {
  100.             InetSocketAddress address = (InetSocketAddress) socket.getRemoteSocketAddress();
  101.             preferredAlias = getPreferredClientAlias(address.getHostName(), address.getPort());
  102.         }

  104.         for (X509ExtendedKeyManager keyManager : keyManagers) {
  105.             String alias = keyManager.chooseClientAlias(keyType, issuers, socket);
  106.             if (alias != null) {
  107.                 if (preferredAlias.isPresent()) {
  108.                     if (preferredAlias.get().equals(alias)) {
  109.                         return alias;
  110.                     }
  111.                 } else {
  112.                     return alias;
  113.                 }
  114.             }
  115.         }
  116.         return null;
  117.     }

  119.     /**
  120.      * Chooses the first non-null client alias returned from the delegate
  121.      * {@link X509ExtendedKeyManager}, or {@code null} if there are no matches.
  122.      */
  123.     @Override
  124.     public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine sslEngine) {
  125.         Optional<String> preferredAlias = Optional.empty();
  126.         if (!preferredClientAliasToHost.isEmpty() && sslEngine != null) {
  127.             preferredAlias = getPreferredClientAlias(sslEngine.getPeerHost(), sslEngine.getPeerPort());
  128.         }

  130.         for (X509ExtendedKeyManager keyManager : keyManagers) {
  131.             String alias = keyManager.chooseEngineClientAlias(keyTypes, issuers, sslEngine);
  132.             if (alias != null) {
  133.                 if (preferredAlias.isPresent()) {
  134.                     if (preferredAlias.get().equals(alias)) {
  135.                         return alias;
  136.                     }
  137.                 } else {
  138.                     return alias;
  139.                 }
  140.             }
  141.         }
  142.         return null;
  143.     }

  145.     private Optional<String> getPreferredClientAlias(String peerHost, int peerPort) {
  146.         return preferredClientAliasToHost.entrySet().stream()
  147.                 .filter(entry -> entry.getValue().stream().anyMatch(uri -> uri.getHost().equals(peerHost)))
  148.                 .filter(entry -> entry.getValue().stream().anyMatch(uri -> uri.getPort() == peerPort))
  149.                 .findFirst()
  150.                 .map(Map.Entry::getKey);
  151.     }

  153.     /**
  154.      * Chooses the first non-null server alias returned from the delegate
  155.      * {@link X509ExtendedKeyManager}, or {@code null} if there are no matches.
  156.      */
  157.     @Override
  158.     public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
  159.         for (X509ExtendedKeyManager keyManager : keyManagers) {
  160.             String alias = keyManager.chooseServerAlias(keyType, issuers, socket);
  161.             if (alias != null) {
  162.                 return alias;
  163.             }
  164.         }
  165.         return null;
  166.     }

  168.     /**
  169.      * Chooses the first non-null server alias returned from the delegate
  170.      * {@link X509ExtendedKeyManager}, or {@code null} if there are no matches.
  171.      */
  172.     @Override
  173.     public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine sslEngine) {
  174.         for (X509ExtendedKeyManager keyManager : keyManagers) {
  175.             String alias = keyManager.chooseEngineServerAlias(keyType, issuers, sslEngine);
  176.             if (alias != null) {
  177.                 return alias;
  178.             }
  179.         }
  180.         return null;
  181.     }

  183.     /**
  184.      * Returns the first non-null private key associated with the
  185.      * given alias, or {@code null} if the alias can't be found.
  186.      */
  187.     @Override
  188.     public PrivateKey getPrivateKey(String alias) {
  189.         for (X509ExtendedKeyManager keyManager : keyManagers) {
  190.             PrivateKey privateKey = keyManager.getPrivateKey(alias);
  191.             if (privateKey != null) {
  192.                 return privateKey;
  193.             }
  194.         }
  195.         return null;
  196.     }

  198.     /**
  199.      * Returns the first non-null certificate chain associated with the
  200.      * given alias, or {@code null} if the alias can't be found.
  201.      */
  202.     @Override
  203.     public X509Certificate[] getCertificateChain(String alias) {
  204.         for (X509ExtendedKeyManager keyManager : keyManagers) {
  205.             X509Certificate[] chain = keyManager.getCertificateChain(alias);
  206.             if (chain != null && chain.length > 0) {
  207.                 return chain;
  208.             }
  209.         }
  210.         return null;
  211.     }

  213.     /**
  214.      * Get all matching aliases for authenticating the client side of a
  215.      * secure socket, or {@code null} if there are no matches.
  216.      */
  217.     @Override
  218.     public String[] getClientAliases(String keyType, Principal[] issuers) {
  219.         List<String> clientAliases = new ArrayList<>();
  220.         for (X509ExtendedKeyManager keyManager : keyManagers) {
  221.             Optional.ofNullable(keyManager.getClientAliases(keyType, issuers))
  222.                     .ifPresent(aliases -> clientAliases.addAll(Arrays.asList(aliases)));
  223.         }
  224.         return emptyToNull(clientAliases.toArray(new String[]{}));
  225.     }

  227.     /**
  228.      * Get all matching aliases for authenticating the server side of a
  229.      * secure socket, or {@code null} if there are no matches.
  230.      */
  231.     @Override
  232.     public String[] getServerAliases(String keyType, Principal[] issuers) {
  233.         List<String> serverAliases = new ArrayList<>();
  234.         for (X509ExtendedKeyManager keyManager : keyManagers) {
  235.             Optional.ofNullable(keyManager.getServerAliases(keyType, issuers))
  236.                     .ifPresent(aliases -> serverAliases.addAll(Arrays.asList(aliases)));
  237.         }
  238.         return emptyToNull(serverAliases.toArray(new String[]{}));
  239.     }

  241.     private <T> T[] emptyToNull(T[] arr) {
  242.         return (arr.length == 0) ? null : arr;
  243.     }

  245.     public int size() {
  246.         return keyManagers.size();
  247.     }

  249.     public List<X509ExtendedKeyManager> getKeyManagers() {
  250.         return keyManagers;
  251.     }

  253.     public Map<String, List<URI>> getPreferredClientAliasToHosts() {
  254.         return preferredClientAliasToHost;
  255.     }

  257. }
Created with JaCoCo 0.8.6.202009150832