 * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any

 * An implementation of X509KeyManager backed by a KeyStore.
 *
 * The backing KeyStore is inspected when this object is constructed.
 * All key entries containing a PrivateKey and a non-empty chain of
 * X509Certificate are then copied into an internal store. This means
 * that subsequent modifications of the KeyStore have no effect on the
 * X509KeyManagerImpl object.
 *
 * Note that this class assumes that all keys are protected by the same
 *
 * The JSSE handshake code currently calls into this class via
 * chooseClientAlias() and chooseServerAlias() to find the certificates to
 * use. As implemented here, both always return the first alias returned by
 * getClientAliases() and getServerAliases(). In turn, these methods are
 * implemented by calling getAliases(), which performs the actual lookup.
 *
 * Note that this class currently implements no checking of the local
 * certificates. In particular, it is *not* guaranteed that:
 *  . the certificates are within their validity period and not revoked
 *  . the signatures verify
 *  . they form a PKIX compliant chain.
 *  . the certificate extensions allow the certificate to be used for
 *    the desired purpose.
 *
 * Chains that fail any of these criteria will probably be rejected by

 * The credentials from the KeyStore as
 * Map: String(alias) -> X509Credentials(credentials)

 * Cached server aliases for the case issuers == null.
 * (in the current JSSE implementation, issuers are always null for
 * server certs). See chooseServerAlias() for details.
 *
 * Map: String(keyType) -> String[](alias)

 * Basic container for credentials implemented as an inner class.

 // assert privateKey and certificates != null

 // lazy initialization

 * Returns the certificate chain associated with the given alias.
 *
 * @return the certificate chain (ordered with the user's certificate first
 * and the root certificate authority last)

 * Returns the key associated with the given alias

 * Choose an alias to authenticate the client side of a secure
 * socket given the public key type and the list of
 * certificate issuer authorities recognized by the peer (if any).

 * We currently don't do anything with socket, but
 * someday we might. It might be a useful hint for
 * selecting one of the aliases we get back from
 * getClientAliases().

 * Choose an alias to authenticate the client side of an
 * <code>SSLEngine</code> connection given the public key type
 * and the list of certificate issuer authorities recognized by
 * the peer (if any).

 * If we ever start using socket as a selection criterion,
 * we'll need to adjust this.

 * Choose an alias to authenticate the server side of a secure
 * socket given the public key type and the list of
 * certificate issuer authorities recognized by the peer (if any).

 * We currently don't do anything with socket, but
 * someday we might. It might be a useful hint for
 * selecting one of the aliases we get back from
 * getServerAliases().

 // Cache the result (positive and negative lookups)

 * Choose an alias to authenticate the server side of an
 * <code>SSLEngine</code> connection given the public key type
 * and the list of certificate issuer authorities recognized by
 * the peer (if any).

 * If we ever start using socket as a selection criterion,
 * we'll need to adjust this.

 * Get the matching aliases for authenticating the client side of a secure
 * socket given the public key type and the list of
 * certificate issuer authorities recognized by the peer (if any).

 * Get the matching aliases for authenticating the server side of a secure
 * socket given the public key type and the list of
 * certificate issuer authorities recognized by the peer (if any).

 * Get the matching aliases for authenticating either side of a secure
 * socket given the public key type and the list of
 * certificate issuer authorities recognized by the peer (if any).
 *
 * Issuers come to us in the form of X500Principal[].

 // normally, this will never happen but try to recover if it does

 // the algorithm below does not produce duplicates, so avoid Set

 // if possible, check the public key in the issuer cert

 // Check the signature algorithm of the certificate itself.
 // Look for the "withRSA" in "SHA1withRSA", etc.

 // no issuer specified, match all

 * Convert an array of Principals to an array of X500Principals, if
 * possible. Principals that cannot be converted are ignored.
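The class comment above states that this key manager performs no checking of the local certificates and that chooseClientAlias()/chooseServerAlias() simply return the first alias found. The following added example (not JDK code) shows one way a deployment can close the validity-period gap: a delegating X509KeyManager that filters the alias lists from the wrapped manager. It assumes the delegate is the X509KeyManager returned by KeyManagerFactory for the "SunX509" algorithm after init(KeyStore, char[]); the class name ValidityFilteringKeyManager is made up for this example.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.X509KeyManager;

/** Added example (not JDK code): drops aliases whose leaf certificate is outside its validity period. */
public final class ValidityFilteringKeyManager implements X509KeyManager {
    private final X509KeyManager delegate; // assumed: the KeyStore-backed "SunX509" manager

    public ValidityFilteringKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    // Keep only aliases whose end-entity certificate is currently valid; null if none remain,
    // matching the null-on-no-match convention of the wrapped getClientAliases()/getServerAliases().
    private String[] filterValid(String[] aliases) {
        if (aliases == null) return null;
        List<String> valid = new ArrayList<>();
        for (String alias : aliases) {
            X509Certificate[] chain = delegate.getCertificateChain(alias);
            if (chain == null || chain.length == 0) continue;
            try {
                chain[0].checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
                valid.add(alias);
            } catch (CertificateException e) { /* excluded; the wrapped class would have offered it */ }
        }
        return valid.isEmpty() ? null : valid.toArray(new String[0]);
    }

    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return filterValid(delegate.getClientAliases(keyType, issuers));
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return filterValid(delegate.getServerAliases(keyType, issuers));
    }
    // Same first-alias policy as the wrapped class, applied to the filtered list.
    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        for (String kt : keyTypes) {
            String[] a = getClientAliases(kt, issuers);
            if (a != null) return a[0];
        }
        return null;
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        String[] a = getServerAliases(keyType, issuers);
        return a == null ? null : a[0];
    }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

Pass an instance of this wrapper to SSLContext.init() in place of the raw KeyManager array; it only addresses the validity-period item of the list above, not revocation, signature verification, chain building or extension checks, which remain the peer's job.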