1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.eclipse.jetty.util.ssl;
20
21 import java.net.Socket;
22 import java.security.Principal;
23 import java.security.PrivateKey;
24 import java.security.cert.X509Certificate;
25 import java.util.Arrays;
26 import java.util.Collection;
27
28 import javax.net.ssl.SNIMatcher;
29 import javax.net.ssl.SSLEngine;
30 import javax.net.ssl.SSLSession;
31 import javax.net.ssl.SSLSocket;
32 import javax.net.ssl.X509ExtendedKeyManager;
33
34 import org.eclipse.jetty.util.log.Log;
35 import org.eclipse.jetty.util.log.Logger;
36
37
38
39
40
41
42 public class SniX509ExtendedKeyManager extends X509ExtendedKeyManager
43 {
44 public static final String SNI_X509 = "org.eclipse.jetty.util.ssl.snix509";
45 private static final String NO_MATCHERS = "no_matchers";
46 private static final Logger LOG = Log.getLogger(SniX509ExtendedKeyManager.class);
47
48 private final X509ExtendedKeyManager _delegate;
49
50 public SniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)
51 {
52 _delegate = keyManager;
53 }
54
55 @Override
56 public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
57 {
58 return _delegate.chooseClientAlias(keyType,issuers,socket);
59 }
60
61 @Override
62 public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine)
63 {
64 return _delegate.chooseEngineClientAlias(keyType,issuers,engine);
65 }
66
67 protected String chooseServerAlias(String keyType, Principal[] issuers, Collection<SNIMatcher> matchers, SSLSession session)
68 {
69
70 String[] aliases = _delegate.getServerAliases(keyType,issuers);
71 if (aliases==null || aliases.length==0)
72 return null;
73
74
75 String host=null;
76 X509 x509=null;
77 if (matchers!=null)
78 {
79 for (SNIMatcher m : matchers)
80 {
81 if (m instanceof SslContextFactory.AliasSNIMatcher)
82 {
83 SslContextFactory.AliasSNIMatcher matcher = (SslContextFactory.AliasSNIMatcher)m;
84 host=matcher.getHost();
85 x509=matcher.getX509();
86 break;
87 }
88 }
89 }
90
91 if (LOG.isDebugEnabled())
92 LOG.debug("Matched {} with {} from {}",host,x509,Arrays.asList(aliases));
93
94
95 if (x509!=null)
96 {
97 for (String a:aliases)
98 {
99 if (a.equals(x509.getAlias()))
100 {
101 session.putValue(SNI_X509,x509);
102 return a;
103 }
104 }
105 return null;
106 }
107 return NO_MATCHERS;
108 }
109
110 @Override
111 public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
112 {
113 SSLSocket sslSocket = (SSLSocket)socket;
114
115 String alias = chooseServerAlias(keyType,issuers,sslSocket.getSSLParameters().getSNIMatchers(),sslSocket.getHandshakeSession());
116 if (alias==NO_MATCHERS)
117 alias=_delegate.chooseServerAlias(keyType,issuers,socket);
118 if (LOG.isDebugEnabled())
119 LOG.debug("Chose alias {}/{} on {}",alias,keyType,socket);
120 return alias;
121 }
122
123 @Override
124 public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
125 {
126 String alias = chooseServerAlias(keyType,issuers,engine.getSSLParameters().getSNIMatchers(),engine.getHandshakeSession());
127 if (alias==NO_MATCHERS)
128 alias=_delegate.chooseEngineServerAlias(keyType,issuers,engine);
129 if (LOG.isDebugEnabled())
130 LOG.debug("Chose alias {}/{} on {}",alias,keyType,engine);
131 return alias;
132 }
133
134 @Override
135 public X509Certificate[] getCertificateChain(String alias)
136 {
137 return _delegate.getCertificateChain(alias);
138 }
139
140 @Override
141 public String[] getClientAliases(String keyType, Principal[] issuers)
142 {
143 return _delegate.getClientAliases(keyType,issuers);
144 }
145
146 @Override
147 public PrivateKey getPrivateKey(String alias)
148 {
149 return _delegate.getPrivateKey(alias);
150 }
151
152 @Override
153 public String[] getServerAliases(String keyType, Principal[] issuers)
154 {
155 return _delegate.getServerAliases(keyType,issuers);
156 }
157 }