Java Code Examples for javax.net.ssl.X509ExtendedKeyManager#chooseServerAlias()

Example 1
Source File: KeyManagerProxyTest.java — from athenz (Apache License 2.0)
@SuppressWarnings("ConstantConditions")
@Test
public void testKeyManagerProxyChooseServerAlias(@Mocked X509ExtendedKeyManager mockedKeyManager) {
    // The proxy must delegate chooseServerAlias exactly once to the wrapped
    // key manager, forwarding the requested key type unchanged.
    new Expectations() {{
        mockedKeyManager.chooseServerAlias("cert", (Principal[]) any, (Socket) any);
        times = 1;
    }};

    KeyManager[] delegates = {mockedKeyManager};
    KeyManagerProxy proxy = new KeyManagerProxy(delegates);

    // Null issuers and socket are permitted by the X509KeyManager contract;
    // the proxy is expected to pass them through rather than reject them.
    proxy.chooseServerAlias("cert", null, null);
}
 
Example 2
Source File: X509Authentication.java — from openjsse (GNU General Public License v2.0)
/**
 * Picks the server credential to use for {@code keyType} from the context's
 * key manager and returns it as an {@link X509Possession}, or {@code null}
 * when no usable private-key / certificate-chain pair is available.
 *
 * <p>The alias is obtained through {@code chooseServerAlias} for socket-based
 * transports and {@code chooseEngineServerAlias} for engine-based ones; any
 * other transport type yields no alias. The selected entry is then rejected
 * (with an "ssl" debug log line) when the private key or chain is missing,
 * when either key's algorithm name differs from {@code keyType}, or -- for
 * EC keys -- when the curve is not a supported named group or the client's
 * advertised group list excludes it.
 *
 * <p>NOTE(review): the EC named-group restriction is applied here regardless
 * of the negotiated protocol version; other JSSE-derived implementations
 * limit it to TLS 1.2 and earlier.
 *
 * @param shc     server handshake context providing the SSL context, the
 *                transport and the client's requested named groups
 * @param keyType key algorithm name requested for the credential
 *                (for example {@code "RSA"} or {@code "EC"})
 * @return the possession, or {@code null} if nothing suitable was found
 */
private SSLPossession createServerPossession(
        ServerHandshakeContext shc, String keyType) {
    X509ExtendedKeyManager km = shc.sslContext.getX509KeyManager();

    String serverAlias = selectServerAlias(km, shc, keyType);
    if (serverAlias == null) {
        if (sslDebugOn()) {
            SSLLogger.finest("No X.509 cert selected for " + keyType);
        }
        return null;
    }

    PrivateKey serverPrivateKey = km.getPrivateKey(serverAlias);
    if (serverPrivateKey == null) {
        if (sslDebugOn()) {
            SSLLogger.finest(
                    serverAlias + " is not a private key entry");
        }
        return null;
    }

    X509Certificate[] serverCerts = km.getCertificateChain(serverAlias);
    if (serverCerts == null || serverCerts.length == 0) {
        if (sslDebugOn()) {
            SSLLogger.finest(
                    serverAlias + " is not a certificate entry");
        }
        return null;
    }

    // Both halves of the key pair must carry the requested algorithm name;
    // a mismatch means the key manager returned an entry of another type.
    PublicKey serverPublicKey = serverCerts[0].getPublicKey();
    if (!serverPrivateKey.getAlgorithm().equals(keyType)
            || !serverPublicKey.getAlgorithm().equals(keyType)) {
        if (sslDebugOn()) {
            SSLLogger.fine(
                    serverAlias + " private or public key is not of " +
                    keyType + " algorithm");
        }
        return null;
    }

    // EC credentials are additionally constrained by the curve: it has to be
    // a supported named group and, if the client listed groups, one of them.
    if (keyType.equals("EC") && !ecKeyUsable(shc, serverAlias, serverPublicKey)) {
        return null;
    }

    return new X509Possession(serverPrivateKey, serverCerts);
}

/**
 * Returns whether the "ssl" debug category of {@link SSLLogger} is active.
 */
private static boolean sslDebugOn() {
    return SSLLogger.isOn && SSLLogger.isOn("ssl");
}

/**
 * Asks the key manager for a server alias, using the socket or engine
 * flavour of the API depending on the handshake's transport.
 *
 * @return the chosen alias, or {@code null} when the transport is neither an
 *         {@code SSLSocketImpl} nor an {@code SSLEngineImpl} or the key
 *         manager selected nothing
 */
private static String selectServerAlias(
        X509ExtendedKeyManager km, ServerHandshakeContext shc, String keyType) {
    Object transport = shc.conContext.transport;
    if (transport instanceof SSLSocketImpl) {
        return km.chooseServerAlias(keyType, null, (SSLSocket) transport);
    }
    if (transport instanceof SSLEngineImpl) {
        return km.chooseEngineServerAlias(keyType, null, (SSLEngine) transport);
    }
    return null;
}

/**
 * Checks that an EC public key uses a named group this implementation
 * supports and that the client did not exclude; logs a warning otherwise.
 *
 * @param shc       handshake context holding the client's requested groups
 *                  ({@code null} when the client sent no group list)
 * @param alias     key manager alias, used only for log messages
 * @param publicKey the certificate's public key
 * @return {@code true} if the key is acceptable for this handshake
 */
private static boolean ecKeyUsable(
        ServerHandshakeContext shc, String alias, PublicKey publicKey) {
    if (!(publicKey instanceof ECPublicKey)) {
        if (sslDebugOn()) {
            SSLLogger.warning(alias +
                " public key is not an instance of ECPublicKey");
        }
        return false;
    }

    ECParameterSpec params = ((ECPublicKey) publicKey).getParams();
    NamedGroup namedGroup = NamedGroup.valueOf(params);
    // A null client list means "no restriction", so only a non-null list
    // that omits the group is disqualifying.
    boolean acceptable = namedGroup != null
            && SupportedGroups.isSupported(namedGroup)
            && (shc.clientRequestedNamedGroups == null
                || shc.clientRequestedNamedGroups.contains(namedGroup));
    if (!acceptable) {
        if (sslDebugOn()) {
            SSLLogger.warning(
                "Unsupported named group (" + namedGroup +
                ") used in the " + alias + " certificate");
        }
        return false;
    }
    return true;
}
 
Example 3
Source File: X509Authentication.java — from Bytecoder (Apache License 2.0)
/**
 * Resolves the server's X.509 credential for {@code keyType} and wraps it as
 * an {@link X509Possession}; returns {@code null} if no usable entry exists.
 *
 * <p>Alias selection goes through {@code chooseServerAlias} on socket
 * transports and {@code chooseEngineServerAlias} on engine transports. The
 * entry is then discarded (with an "ssl" debug log line) if its private key
 * or certificate chain is absent, if either key's algorithm name is not
 * {@code keyType}, or -- for EC keys when the negotiated protocol is older
 * than TLS 1.3 -- if the curve is not a supported named group or the client
 * advertised a supported_groups list that omits it. For TLS 1.3 and later the
 * curve check is skipped because signature algorithms are negotiated through
 * the "signature_algorithms" extension instead.
 *
 * @param shc     server handshake context providing the SSL context, the
 *                transport, the negotiated protocol and the client's
 *                requested named groups
 * @param keyType key algorithm name requested for the credential
 *                (for example {@code "RSA"} or {@code "EC"})
 * @return the possession, or {@code null} if nothing suitable was found
 */
private SSLPossession createServerPossession(
        ServerHandshakeContext shc, String keyType) {
    X509ExtendedKeyManager km = shc.sslContext.getX509KeyManager();

    // Pick the API flavour that matches the transport; anything else gets no alias.
    String alias = null;
    if (shc.conContext.transport instanceof SSLSocketImpl) {
        alias = km.chooseServerAlias(keyType,
                null, (SSLSocket) shc.conContext.transport);
    } else if (shc.conContext.transport instanceof SSLEngineImpl) {
        alias = km.chooseEngineServerAlias(keyType,
                null, (SSLEngine) shc.conContext.transport);
    }
    if (alias == null) {
        if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
            SSLLogger.finest("No X.509 cert selected for " + keyType);
        }
        return null;
    }

    PrivateKey privateKey = km.getPrivateKey(alias);
    if (privateKey == null) {
        if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
            SSLLogger.finest(
                    alias + " is not a private key entry");
        }
        return null;
    }

    X509Certificate[] chain = km.getCertificateChain(alias);
    if (chain == null || chain.length == 0) {
        if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
            SSLLogger.finest(
                    alias + " is not a certificate entry");
        }
        return null;
    }

    // Both the private key and the leaf certificate's public key must carry
    // the requested algorithm name.
    PublicKey publicKey = chain[0].getPublicKey();
    if (!privateKey.getAlgorithm().equals(keyType)
            || !publicKey.getAlgorithm().equals(keyType)) {
        if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
            SSLLogger.fine(
                    alias + " private or public key is not of " +
                    keyType + " algorithm");
        }
        return null;
    }

    // Before TLS 1.3 the EC curve (and point format) has to be one the client
    // supports; from TLS 1.3 on this is covered by signature_algorithms, so
    // the curve check only runs for earlier protocol versions.
    boolean legacyEcCheck =
            !shc.negotiatedProtocol.useTLS13PlusSpec() && keyType.equals("EC");
    if (legacyEcCheck) {
        if (!(publicKey instanceof ECPublicKey)) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
                SSLLogger.warning(alias +
                    " public key is not an instance of ECPublicKey");
            }
            return null;
        }

        ECParameterSpec curve = ((ECPublicKey) publicKey).getParams();
        NamedGroup group = NamedGroup.valueOf(curve);
        // A null client group list imposes no restriction; a non-null list
        // that does not contain the group rules the certificate out.
        boolean groupAcceptable = group != null
                && SupportedGroups.isSupported(group)
                && (shc.clientRequestedNamedGroups == null
                    || shc.clientRequestedNamedGroups.contains(group));
        if (!groupAcceptable) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
                SSLLogger.warning(
                    "Unsupported named group (" + group +
                    ") used in the " + alias + " certificate");
            }
            return null;
        }
    }

    return new X509Possession(privateKey, chain);
}