Registering multiple keystores in JVM
I have two applications running in the same java virtual machine, and both use different keystores and truststores.
A viable option would be use a single keystore an
-
Raz's answer was a great start, but wasn't quite flexible enough to meet my needs. The MultiStoreKeyManager explicitly checks the custom KeyManager and then falls back to the jvm KeyManager if an operation fails. I actually want to check jvm certs first; the best solution should be able to handle either case. Additionally, the answer fails to provide a working TrustManager.
I've written a couple more flexible classes, CompositeX509KeyManager and CompositeX509TrustManager, which add support for any number of keystores in an arbitrary order.
CompositeX509KeyManager
package com.mycompany.ssl; import java.net.Socket; import java.security.Principal; import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.util.List; import javax.annotation.Nullable; import javax.net.ssl.X509KeyManager; import com.google.common.collect.ImmutableList; import com.google.common.collect.Iterables; /** * Represents an ordered list of {@link X509KeyManager}s with most-preferred managers first. * * This is necessary because of the fine-print on {@link SSLContext#init}: * Only the first instance of a particular key and/or trust manager implementation type in the * array is used. (For example, only the first javax.net.ssl.X509KeyManager in the array will be used.) * * @author codyaray * @since 4/22/2013 * @see http://stackoverflow.com/questions/1793979/registering-multiple-keystores-in-jvm */ public class CompositeX509KeyManager implements X509KeyManager { private final List keyManagers; /** * Creates a new {@link CompositeX509KeyManager}. * * @param keyManagers the X509 key managers, ordered with the most-preferred managers first. */ public CompositeX509KeyManager(List keyManagers) { this.keyManagers = ImmutableList.copyOf(keyManagers); } /** * Chooses the first non-null client alias returned from the delegate * {@link X509TrustManagers}, or {@code null} if there are no matches. */ @Override public @Nullable String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { for (X509KeyManager keyManager : keyManagers) { String alias = keyManager.chooseClientAlias(keyType, issuers, socket); if (alias != null) { return alias; } } return null; } /** * Chooses the first non-null server alias returned from the delegate * {@link X509TrustManagers}, or {@code null} if there are no matches. */ @Override public @Nullable String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { for (X509KeyManager keyManager : keyManagers) { String alias = keyManager.chooseServerAlias(keyType, issuers, socket); if (alias != null) { return alias; } } return null; } /** * Returns the first non-null private key associated with the * given alias, or {@code null} if the alias can't be found. */ @Override public @Nullable PrivateKey getPrivateKey(String alias) { for (X509KeyManager keyManager : keyManagers) { PrivateKey privateKey = keyManager.getPrivateKey(alias); if (privateKey != null) { return privateKey; } } return null; } /** * Returns the first non-null certificate chain associated with the * given alias, or {@code null} if the alias can't be found. */ @Override public @Nullable X509Certificate[] getCertificateChain(String alias) { for (X509KeyManager keyManager : keyManagers) { X509Certificate[] chain = keyManager.getCertificateChain(alias); if (chain != null && chain.length > 0) { return chain; } } return null; } /** * Get all matching aliases for authenticating the client side of a * secure socket, or {@code null} if there are no matches. */ @Override public @Nullable String[] getClientAliases(String keyType, Principal[] issuers) { ImmutableList.Builder aliases = ImmutableList.builder(); for (X509KeyManager keyManager : keyManagers) { aliases.add(keyManager.getClientAliases(keyType, issuers)); } return emptyToNull(Iterables.toArray(aliases.build(), String.class)); } /** * Get all matching aliases for authenticating the server side of a * secure socket, or {@code null} if there are no matches. */ @Override public @Nullable String[] getServerAliases(String keyType, Principal[] issuers) { ImmutableList.Builder aliases = ImmutableList.builder(); for (X509KeyManager keyManager : keyManagers) { aliases.add(keyManager.getServerAliases(keyType, issuers)); } return emptyToNull(Iterables.toArray(aliases.build(), String.class)); } @Nullable private staticT[] emptyToNull(T[] arr) { return (arr.length == 0) ? null : arr; } } CompositeX509TrustManager
package com.mycompany.ssl; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.List; import javax.net.ssl.X509TrustManager; import com.google.common.collect.ImmutableList; import com.google.common.collect.Iterables; /** * Represents an ordered list of {@link X509TrustManager}s with additive trust. If any one of the * composed managers trusts a certificate chain, then it is trusted by the composite manager. * * This is necessary because of the fine-print on {@link SSLContext#init}: * Only the first instance of a particular key and/or trust manager implementation type in the * array is used. (For example, only the first javax.net.ssl.X509KeyManager in the array will be used.) * * @author codyaray * @since 4/22/2013 * @see http://stackoverflow.com/questions/1793979/registering-multiple-keystores-in-jvm */ public class CompositeX509TrustManager implements X509TrustManager { private final List trustManagers; public CompositeX509TrustManager(List trustManagers) { this.trustManagers = ImmutableList.copyOf(trustManagers); } @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { for (X509TrustManager trustManager : trustManagers) { try { trustManager.checkClientTrusted(chain, authType); return; // someone trusts them. success! } catch (CertificateException e) { // maybe someone else will trust them } } throw new CertificateException("None of the TrustManagers trust this certificate chain"); } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { for (X509TrustManager trustManager : trustManagers) { try { trustManager.checkServerTrusted(chain, authType); return; // someone trusts them. success! } catch (CertificateException e) { // maybe someone else will trust them } } throw new CertificateException("None of the TrustManagers trust this certificate chain"); } @Override public X509Certificate[] getAcceptedIssuers() { ImmutableList.Builder certificates = ImmutableList.builder(); for (X509TrustManager trustManager : trustManagers) { certificates.add(trustManager.getAcceptedIssuers()); } return Iterables.toArray(certificates.build(), X509Certificate.class); } }Usage
For the standard case of one keystore + jvm keystore, you can wire it up like this. I’m using Guava again, but in a Guicey wrapper this time:
@Provides @Singleton SSLContext provideSSLContext(KeyStore keystore, char[] password) { String defaultAlgorithm = KeyManagerFactory.getDefaultAlgorithm(); X509KeyManager customKeyManager = getKeyManager("SunX509", keystore, password); X509KeyManager jvmKeyManager = getKeyManager(defaultAlgorithm, null, null); X509TrustManager customTrustManager = getTrustManager("SunX509", keystore); X509TrustManager jvmTrustManager = getTrustManager(defaultAlgorithm, null); KeyManager[] keyManagers = { new CompositeX509KeyManager(ImmutableList.of(jvmKeyManager, customKeyManager)) }; TrustManager[] trustManagers = { new CompositeX509TrustManager(ImmutableList.of(jvmTrustManager, customTrustManager)) }; SSLContext context = SSLContext.getInstance("SSL"); context.init(keyManagers, trustManagers, null); return context; } private X509KeyManager getKeyManager(String algorithm, KeyStore keystore, char[] password) { KeyManagerFactory factory = KeyManagerFactory.getInstance(algorithm); factory.init(keystore, password); return Iterables.getFirst(Iterables.filter( Arrays.asList(factory.getKeyManagers()), X509KeyManager.class), null); } private X509TrustManager getTrustManager(String algorithm, KeyStore keystore) { TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm); factory.init(keystore); return Iterables.getFirst(Iterables.filter( Arrays.asList(factory.getTrustManagers()), X509TrustManager.class), null); }I extracted this from my blog post about this problem which has a bit more detail, motivation, etc. All the code is there though, so its standalone. :)
加载中...
- 热议问题