View Javadoc

1   //
2   //  ========================================================================
3   //  Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd.
4   //  ------------------------------------------------------------------------
5   //  All rights reserved. This program and the accompanying materials
6   //  are made available under the terms of the Eclipse Public License v1.0
7   //  and Apache License v2.0 which accompanies this distribution.
8   //
9   //      The Eclipse Public License is available at
10  //      http://www.eclipse.org/legal/epl-v10.html
11  //
12  //      The Apache License v2.0 is available at
13  //      http://www.opensource.org/licenses/apache2.0.php
14  //
15  //  You may elect to redistribute this code under either of these licenses.
16  //  ========================================================================
17  //
18  
19  package org.eclipse.jetty.util.ssl;
20  
21  import java.net.Socket;
22  import java.security.Principal;
23  import java.security.PrivateKey;
24  import java.security.cert.X509Certificate;
25  import java.util.Arrays;
26  import java.util.Collection;
27  
28  import javax.net.ssl.SNIMatcher;
29  import javax.net.ssl.SSLEngine;
30  import javax.net.ssl.SSLSession;
31  import javax.net.ssl.SSLSocket;
32  import javax.net.ssl.X509ExtendedKeyManager;
33  
34  import org.eclipse.jetty.util.log.Log;
35  import org.eclipse.jetty.util.log.Logger;
36  
37  /**
38   * <p>A {@link X509ExtendedKeyManager} that selects a key with an alias
39   * retrieved from SNI information, delegating other processing to a nested X509ExtendedKeyManager.</p>
40   * <p>Can only be used on server side.</p>
41   */
42  public class SniX509ExtendedKeyManager extends X509ExtendedKeyManager
43  {
44      public static final String SNI_X509 = "org.eclipse.jetty.util.ssl.snix509";
45      private static final String NO_MATCHERS = "no_matchers";
46      private static final Logger LOG = Log.getLogger(SniX509ExtendedKeyManager.class);
47  
48      private final X509ExtendedKeyManager _delegate;
49  
50      public SniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)
51      {
52          _delegate = keyManager;
53      }
54  
55      @Override
56      public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
57      {
58          return _delegate.chooseClientAlias(keyType,issuers,socket);
59      }
60  
61      @Override
62      public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine)
63      {
64          return _delegate.chooseEngineClientAlias(keyType,issuers,engine);
65      }
66  
67      protected String chooseServerAlias(String keyType, Principal[] issuers, Collection<SNIMatcher> matchers, SSLSession session)
68      {
69          // Look for the aliases that are suitable for the keytype and issuers
70          String[] aliases = _delegate.getServerAliases(keyType,issuers);
71          if (aliases==null || aliases.length==0)
72              return null;
73  
74          // Look for the SNI information.
75          String host=null;
76          X509 x509=null;
77          if (matchers!=null)
78          {
79              for (SNIMatcher m : matchers)
80              {
81                  if (m instanceof SslContextFactory.AliasSNIMatcher)
82                  {
83                      SslContextFactory.AliasSNIMatcher matcher = (SslContextFactory.AliasSNIMatcher)m;
84                      host=matcher.getHost();
85                      x509=matcher.getX509();
86                      break;
87                  }
88              }
89          }
90  
91          if (LOG.isDebugEnabled())
92              LOG.debug("Matched {} with {} from {}",host,x509,Arrays.asList(aliases));
93  
94          // Check if the SNI selected alias is allowable
95          if (x509!=null)
96          {
97              for (String a:aliases)
98              {
99                  if (a.equals(x509.getAlias()))
100                 {
101                     session.putValue(SNI_X509,x509);
102                     return a;
103                 }
104             }
105             return null;
106         }
107         return NO_MATCHERS;
108     }
109 
110     @Override
111     public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
112     {
113         SSLSocket sslSocket = (SSLSocket)socket;
114 
115         String alias = chooseServerAlias(keyType,issuers,sslSocket.getSSLParameters().getSNIMatchers(),sslSocket.getHandshakeSession());
116         if (alias==NO_MATCHERS)
117             alias=_delegate.chooseServerAlias(keyType,issuers,socket);
118         if (LOG.isDebugEnabled())
119             LOG.debug("Chose alias {}/{} on {}",alias,keyType,socket);
120         return alias;
121     }
122 
123     @Override
124     public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
125     {
126         String alias = chooseServerAlias(keyType,issuers,engine.getSSLParameters().getSNIMatchers(),engine.getHandshakeSession());
127         if (alias==NO_MATCHERS)
128             alias=_delegate.chooseEngineServerAlias(keyType,issuers,engine);
129         if (LOG.isDebugEnabled())
130             LOG.debug("Chose alias {}/{} on {}",alias,keyType,engine);
131         return alias;
132     }
133 
134     @Override
135     public X509Certificate[] getCertificateChain(String alias)
136     {
137         return _delegate.getCertificateChain(alias);
138     }
139 
140     @Override
141     public String[] getClientAliases(String keyType, Principal[] issuers)
142     {
143         return _delegate.getClientAliases(keyType,issuers);
144     }
145 
146     @Override
147     public PrivateKey getPrivateKey(String alias)
148     {
149         return _delegate.getPrivateKey(alias);
150     }
151 
152     @Override
153     public String[] getServerAliases(String keyType, Principal[] issuers)
154     {
155         return _delegate.getServerAliases(keyType,issuers);
156     }
157 }