d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * CDDL HEADER START
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * The contents of this file are subject to the terms of the
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * Common Development and Distribution License, Version 1.0 only
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * (the "License"). You may not use this file except in compliance
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * with the License.
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * or http://forgerock.org/license/CDDLv1.0.html.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * See the License for the specific language governing permissions
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * and limitations under the License.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * When distributing Covered Code, include this CDDL HEADER in each
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * file and include the License file at legal-notices/CDDLv1_0.txt.
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * If applicable, add the following below this CDDL HEADER, with the
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * fields enclosed by brackets "[]" replaced with your own identifying
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * information:
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * Portions Copyright [yyyy] [name of copyright owner]
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * CDDL HEADER END
97317d0198c63cd222791699b303f1521aa90d50jvergara * Copyright 2008-2009 Sun Microsystems, Inc.
bbb04c8de51236de8b1b699de9371384612b4e5fdugan * Portions Copyright 2009 Parametric Technology Corporation (PTC)
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * This class is in charge of checking whether the certificates that are
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * presented are trusted or not.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * This implementation tries to check also that the subject DN of the
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * certificate corresponds to the host passed using the setHostName method.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * The constructor tries to use a default TrustManager from the system and if
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * it cannot be retrieved this class will only accept the certificates
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * explicitly accepted by the user (and specified by calling acceptCertificate).
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * NOTE: this class is not aimed to be used when we have connections in paralel.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffpublic class ApplicationKeyManager implements X509KeyManager
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff Logger.getLogger(ApplicationKeyManager.class.getName());
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * The default keyManager.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * The default constructor.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * @param keystore The keystore to use for this keymanager.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * @param password The keystore password to use for this keymanager.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff public ApplicationKeyManager(KeyStore keystore, char[] password)
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara System.getProperty("org.opends.admin.keymanageralgo");
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara System.getProperty("org.opends.admin.keymanagerprovider");
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0dugan //Handle IBM specific cases if the user did not specify a algorithm and/or
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0dugan //provider.
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0dugan if(userSpecifiedAlgo == null && Platform.isVendor("IBM"))
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0dugan if(userSpecifiedProvider == null && Platform.isVendor("IBM"))
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // Have some fallbacks to choose the provider and algorith of the key
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // manager. First see if the user wanted to use something specific,
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // then try with the SunJSSE provider and SunX509 algorithm. Finally,
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // fallback to the default algorithm of the JVM.
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara for (int i=0; i<preferredProvider.length && keyManager == null; i++)
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara kmf = KeyManagerFactory.getInstance(algo, provider);
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara * Iterate over the returned keymanagers, look for an instance
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara * of X509KeyManager. If found, use that as our "default" key
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // Nothing to do. Maybe we should avoid this and be strict, but we are
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // in a best effor mode.
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara LOG.log(Level.WARNING, "Error with the algorithm", e);
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // Nothing to do. Maybe we should avoid this and be strict, but we are
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // in a best effor mode..
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara LOG.log(Level.WARNING, "Error with the keystore", e);
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // Nothing to do. Maybe we should avoid this and be strict, but we are
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // in a best effor mode.
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // Nothing to do. Maybe we should avoid this and be strict, but we are
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara // in a best effor mode.
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara LOG.log(Level.WARNING, "Error with the provider", e);
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * Choose an alias to authenticate the client side of a secure
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * socket given the public key type and the list of certificate
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * issuer authorities recognized by the peer (if any).
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param keyType
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the key algorithm type name(s), ordered with the
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * most-preferred key type first.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param issuers
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the list of acceptable CA issuer subject names or null
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * if it does not matter which issuers are used.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param socket
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the socket to be used for this connection. This
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * parameter can be null, in which case this method will
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * return the most generic alias to use.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @return the alias name for the desired key, or null if there are
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * no matches.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff public String chooseClientAlias(String[] keyType, Principal[] issuers,
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara return keyManager.chooseClientAlias(keyType, issuers, socket);
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * Choose an alias to authenticate the client side of a secure
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * socket given the public key type and the list of certificate
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * issuer authorities recognized by the peer (if any).
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param keyType
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the key algorithm type name(s), ordered with the
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * most-preferred key type first.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param issuers
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the list of acceptable CA issuer subject names or null
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * if it does not matter which issuers are used.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param socket
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the socket to be used for this connection. This
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * parameter can be null, in which case this method will
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * return the most generic alias to use.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @return the alias name for the desired key, or null if there are
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * no matches.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff public String chooseServerAlias(String keyType, Principal[] issuers,
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara return keyManager.chooseServerAlias(keyType, issuers, socket);
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * Returns the certificate chain associated with the given alias.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param alias
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the alias name
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @return the certificate chain (ordered with the user's
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * certificate first and the root certificate authority
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * last), or null if the alias can't be found.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff public X509Certificate[] getCertificateChain(String alias)
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * Get the matching aliases for authenticating the server side of a
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * secure socket given the public key type and the list of
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * certificate issuer authorities recognized by the peer (if any).
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param keyType
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the key algorithm type name
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param issuers
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the list of acceptable CA issuer subject names or null
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * if it does not matter which issuers are used.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @return an array of the matching alias names, or null if there
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * were no matches.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff public String[] getClientAliases(String keyType, Principal[] issuers)
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara return keyManager.getClientAliases(keyType, issuers);
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * Returns the key associated with the given alias.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param alias
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the alias name
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @return the requested key, or null if the alias can't be found.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * Get the matching aliases for authenticating the server side of a
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * secure socket given the public key type and the list of
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * certificate issuer authorities recognized by the peer (if any).
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param keyType
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the key algorithm type name
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @param issuers
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * the list of acceptable CA issuer subject names or null
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * if it does not matter which issuers are used.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * @return an array of the matching alias names, or null if there
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff * were no matches.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff public String[] getServerAliases(String keyType, Principal[] issuers)