ads/util/ApplicationKeyManager.java

d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff/*
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * CDDL HEADER START
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff *
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * The contents of this file are subject to the terms of the
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * Common Development and Distribution License, Version 1.0 only
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * (the "License").  You may not use this file except in compliance
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * with the License.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff *
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * or http://forgerock.org/license/CDDLv1.0.html.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * See the License for the specific language governing permissions
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * and limitations under the License.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff *
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * When distributing Covered Code, include this CDDL HEADER in each
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * file and include the License file at legal-notices/CDDLv1_0.txt.
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * If applicable, add the following below this CDDL HEADER, with the
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * fields enclosed by brackets "[]" replaced with your own identifying
8cf870d281dc8c242f083d14dfef05f24aa5fceeJnRouvignac * information:
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff *      Portions Copyright [yyyy] [name of copyright owner]
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff *
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * CDDL HEADER END
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff *
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff *
97317d0198c63cd222791699b303f1521aa90d50jvergara *      Copyright 2008-2009 Sun Microsystems, Inc.
bbb04c8de51236de8b1b699de9371384612b4e5fdugan *      Portions Copyright 2009 Parametric Technology Corporation (PTC)
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff */
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffpackage org.opends.admin.ads.util;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport java.net.Socket;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport java.security.KeyStore;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport java.security.KeyStoreException;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport java.security.NoSuchAlgorithmException;
572b87f0e259dec17a573f5b2072bcddb11215b6jvergaraimport java.security.NoSuchProviderException;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport java.security.Principal;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport java.security.PrivateKey;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport java.security.UnrecoverableKeyException;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport java.security.cert.X509Certificate;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport java.util.logging.Level;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport java.util.logging.Logger;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport javax.net.ssl.KeyManager;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport javax.net.ssl.KeyManagerFactory;
572b87f0e259dec17a573f5b2072bcddb11215b6jvergaraimport javax.net.ssl.TrustManagerFactory;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffimport javax.net.ssl.X509KeyManager;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0duganimport org.opends.server.util.Platform;
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0dugan
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff/**
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * This class is in charge of checking whether the certificates that are
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * presented are trusted or not.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * This implementation tries to check also that the subject DN of the
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * certificate corresponds to the host passed using the setHostName method.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff *
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * The constructor tries to use a default TrustManager from the system and if
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * it cannot be retrieved this class will only accept the certificates
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * explicitly accepted by the user (and specified by calling acceptCertificate).
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff *
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff * NOTE: this class is not aimed to be used when we have connections in paralel.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff */
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoffpublic class ApplicationKeyManager implements X509KeyManager
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff{
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  static private final Logger LOG =
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff    Logger.getLogger(ApplicationKeyManager.class.getName());
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  /**
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   * The default keyManager.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   */
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara  private X509KeyManager keyManager = null ;
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  /**
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   * The default constructor.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   * @param keystore The keystore to use for this keymanager.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   * @param password The keystore password to use for this keymanager.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   */
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  public ApplicationKeyManager(KeyStore keystore, char[] password)
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  {
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff    KeyManagerFactory kmf = null;
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    String userSpecifiedAlgo =
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      System.getProperty("org.opends.admin.keymanageralgo");
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    String userSpecifiedProvider =
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      System.getProperty("org.opends.admin.keymanagerprovider");
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0dugan    //Handle IBM specific cases if the user did not specify a algorithm and/or
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0dugan    //provider.
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0dugan    if(userSpecifiedAlgo == null && Platform.isVendor("IBM"))
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0dugan      userSpecifiedAlgo = "IbmX509";
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0dugan    if(userSpecifiedProvider == null && Platform.isVendor("IBM"))
1c66c14312d0775754d63e0bed0fe2f96ab91388jvergara      userSpecifiedProvider = "IBMJSSE2";
2e960a8d1ac8e947ffcb76419a68fa2f61e262e0dugan
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    // Have some fallbacks to choose the provider and algorith of the key
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    // manager.  First see if the user wanted to use something specific,
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    // then try with the SunJSSE provider and SunX509 algorithm. Finally,
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    // fallback to the default algorithm of the JVM.
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    String[] preferredProvider =
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        userSpecifiedProvider,
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        "SunJSSE",
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        null,
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        null
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    };
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    String[] preferredAlgo =
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        userSpecifiedAlgo,
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        "SunX509",
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        "SunX509",
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        TrustManagerFactory.getDefaultAlgorithm()
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    };
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    for (int i=0; i<preferredProvider.length && keyManager == null; i++)
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara    {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      String provider = preferredProvider[i];
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      String algo = preferredAlgo[i];
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      if (algo == null)
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        continue;
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      }
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      try
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff      {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        if (provider != null)
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff        {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara          kmf = KeyManagerFactory.getInstance(algo, provider);
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        }
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        else
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara          kmf = KeyManagerFactory.getInstance(algo);
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        }
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        kmf.init(keystore, password);
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        KeyManager kms[] = kmf.getKeyManagers();
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        /*
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara         * Iterate over the returned keymanagers, look for an instance
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara         * of X509KeyManager. If found, use that as our "default" key
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara         * manager.
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara         */
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        for (int j = 0; j < kms.length; j++)
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara          if (kms[i] instanceof X509KeyManager)
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara          {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara            keyManager = (X509KeyManager) kms[j];
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara            break;
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara          }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff        }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff      }
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      catch (NoSuchAlgorithmException e)
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        // Nothing to do. Maybe we should avoid this and be strict, but we are
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        // in a best effor mode.
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        LOG.log(Level.WARNING, "Error with the algorithm", e);
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      }
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      catch (KeyStoreException e)
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        // Nothing to do. Maybe we should avoid this and be strict, but we are
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        // in a best effor mode..
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        LOG.log(Level.WARNING, "Error with the keystore", e);
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      }
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      catch (UnrecoverableKeyException e)
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        // Nothing to do. Maybe we should avoid this and be strict, but we are
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        // in a best effor mode.
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        LOG.log(Level.WARNING, "Error with the key", e);
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      }
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      catch (NoSuchProviderException e)
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      {
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        // Nothing to do. Maybe we should avoid this and be strict, but we are
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        // in a best effor mode.
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara        LOG.log(Level.WARNING, "Error with the provider", e);
572b87f0e259dec17a573f5b2072bcddb11215b6jvergara      }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff    }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  /**
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * Choose an alias to authenticate the client side of a secure
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * socket given the public key type and the list of certificate
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * issuer authorities recognized by the peer (if any).
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param keyType
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the key algorithm type name(s), ordered with the
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          most-preferred key type first.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param issuers
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the list of acceptable CA issuer subject names or null
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          if it does not matter which issuers are used.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param socket
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the socket to be used for this connection. This
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          parameter can be null, in which case this method will
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          return the most generic alias to use.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @return the alias name for the desired key, or null if there are
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *         no matches.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   */
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  public String chooseClientAlias(String[] keyType, Principal[] issuers,
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff      Socket socket)
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara    if (keyManager != null)
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara      return keyManager.chooseClientAlias(keyType, issuers, socket);
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    else
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff      return null ;
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  /**
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * Choose an alias to authenticate the client side of a secure
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * socket given the public key type and the list of certificate
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * issuer authorities recognized by the peer (if any).
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param keyType
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the key algorithm type name(s), ordered with the
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          most-preferred key type first.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param issuers
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the list of acceptable CA issuer subject names or null
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          if it does not matter which issuers are used.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param socket
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the socket to be used for this connection. This
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          parameter can be null, in which case this method will
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          return the most generic alias to use.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @return the alias name for the desired key, or null if there are
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *         no matches.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   */
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  public String chooseServerAlias(String keyType, Principal[] issuers,
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff      Socket socket)
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara    if (keyManager != null)
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara      return keyManager.chooseServerAlias(keyType, issuers, socket);
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    else
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff      return null;
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  /**
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * Returns the certificate chain associated with the given alias.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param alias
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the alias name
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @return the certificate chain (ordered with the user's
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *         certificate first and the root certificate authority
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *         last), or null if the alias can't be found.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   */
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  public X509Certificate[] getCertificateChain(String alias)
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara    if (keyManager != null)
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara      return keyManager.getCertificateChain(alias);
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    else
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff      return null;
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  /**
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * Get the matching aliases for authenticating the server side of a
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * secure socket given the public key type and the list of
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * certificate issuer authorities recognized by the peer (if any).
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param keyType
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the key algorithm type name
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param issuers
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the list of acceptable CA issuer subject names or null
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          if it does not matter which issuers are used.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @return an array of the matching alias names, or null if there
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *         were no matches.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   */
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  public String[] getClientAliases(String keyType, Principal[] issuers)
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara    if (keyManager != null)
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara      return keyManager.getClientAliases(keyType, issuers);
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    else
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff      return null;
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  /**
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * Returns the key associated with the given alias.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param alias
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the alias name
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @return the requested key, or null if the alias can't be found.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   */
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  public PrivateKey getPrivateKey(String alias)
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara    if (keyManager != null)
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara      return keyManager.getPrivateKey(alias);
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    else
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff      return null;
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  /**
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * Get the matching aliases for authenticating the server side of a
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * secure socket given the public key type and the list of
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * certificate issuer authorities recognized by the peer (if any).
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param keyType
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the key algorithm type name
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @param issuers
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          the list of acceptable CA issuer subject names or null
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *          if it does not matter which issuers are used.
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   * @return an array of the matching alias names, or null if there
ed9df96e07833a7ef8bfc0586dcbd202f438866clutoff   *         were no matches.
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff   */
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  public String[] getServerAliases(String keyType, Principal[] issuers)
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara    if (keyManager != null)
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
89f9ddc86ec4c35dec341d1754007a4a94071796jvergara      return keyManager.getServerAliases(keyType, issuers);
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    else
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    {
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff      return null;
b3261930de27cc0ce754348e4a4d01c993cf9b25lutoff    }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff  }
d28eb5336ef4966d76fcd8e7db319ecde6a80b62lutoff}