jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SniX509ExtendedKeyManager.java - jetty - Git at Google

 //
 //  ========================================================================
 //  Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd.
 //  ------------------------------------------------------------------------
 //  All rights reserved. This program and the accompanying materials
 //  are made available under the terms of the Eclipse Public License v1.0
 //  and Apache License v2.0 which accompanies this distribution.
 //
 //      The Eclipse Public License is available at
 //      http://www.eclipse.org/legal/epl-v10.html
 //
 //      The Apache License v2.0 is available at
 //      http://www.opensource.org/licenses/apache2.0.php
 //
 //  You may elect to redistribute this code under either of these licenses.
 //  ========================================================================
 //

 package org.eclipse.jetty.util.ssl;

 import java.net.Socket;
 import java.security.Principal;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collection;

 import javax.net.ssl.SNIMatcher;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.X509ExtendedKeyManager;

 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.Logger;

 /**
  * <p>A {@link X509ExtendedKeyManager} that selects a key with an alias
  * retrieved from SNI information, delegating other processing to a nested X509ExtendedKeyManager.</p>
  * <p>Can only be used on server side.</p>
  */
 public class SniX509ExtendedKeyManager extends X509ExtendedKeyManager
 {
     public static final String SNI_X509 = "org.eclipse.jetty.util.ssl.snix509";
     private static final String NO_MATCHERS = "no_matchers";
     private static final Logger LOG = Log.getLogger(SniX509ExtendedKeyManager.class);

     private final X509ExtendedKeyManager _delegate;

     public SniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)
     {
         _delegate = keyManager;
     }

     @Override
     public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
     {
         return _delegate.chooseClientAlias(keyType,issuers,socket);
     }

     @Override
     public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine)
     {
         return _delegate.chooseEngineClientAlias(keyType,issuers,engine);
     }

     protected String chooseServerAlias(String keyType, Principal[] issuers, Collection<SNIMatcher> matchers, SSLSession session)
     {
         // Look for the aliases that are suitable for the keytype and issuers
         String[] aliases = _delegate.getServerAliases(keyType,issuers);
         if (aliases==null || aliases.length==0)
             return null;

         // Look for the SNI information.
         String host=null;
         X509 x509=null;
         if (matchers!=null)
         {
             for (SNIMatcher m : matchers)
             {
                 if (m instanceof SslContextFactory.AliasSNIMatcher)
                 {
                     SslContextFactory.AliasSNIMatcher matcher = (SslContextFactory.AliasSNIMatcher)m;
                     host=matcher.getHost();
                     x509=matcher.getX509();
                     break;
                 }
             }
         }

         if (LOG.isDebugEnabled())
             LOG.debug("Matched {} with {} from {}",host,x509,Arrays.asList(aliases));

         // Check if the SNI selected alias is allowable
         if (x509!=null)
         {
             for (String a:aliases)
             {
                 if (a.equals(x509.getAlias()))
                 {
                     session.putValue(SNI_X509,x509);
                     return a;
                 }
             }
             return null;
         }
         return NO_MATCHERS;
     }

     @Override
     public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
     {
         SSLSocket sslSocket = (SSLSocket)socket;

         String alias = chooseServerAlias(keyType,issuers,sslSocket.getSSLParameters().getSNIMatchers(),sslSocket.getHandshakeSession());
         if (alias==NO_MATCHERS)
             alias=_delegate.chooseServerAlias(keyType,issuers,socket);
         if (LOG.isDebugEnabled())
             LOG.debug("Chose alias {}/{} on {}",alias,keyType,socket);
         return alias;
     }

     @Override
     public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
     {
         String alias = chooseServerAlias(keyType,issuers,engine.getSSLParameters().getSNIMatchers(),engine.getHandshakeSession());
         if (alias==NO_MATCHERS)
             alias=_delegate.chooseEngineServerAlias(keyType,issuers,engine);
         if (LOG.isDebugEnabled())
             LOG.debug("Chose alias {}/{} on {}",alias,keyType,engine);
         return alias;
     }

     @Override
     public X509Certificate[] getCertificateChain(String alias)
     {
         return _delegate.getCertificateChain(alias);
     }

     @Override
     public String[] getClientAliases(String keyType, Principal[] issuers)
     {
         return _delegate.getClientAliases(keyType,issuers);
     }

     @Override
     public PrivateKey getPrivateKey(String alias)
     {
         return _delegate.getPrivateKey(alias);
     }

     @Override
     public String[] getServerAliases(String keyType, Principal[] issuers)
     {
         return _delegate.getServerAliases(keyType,issuers);
     }
 }
	//
	// ========================================================================
	// Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd.
	// ------------------------------------------------------------------------
	// All rights reserved. This program and the accompanying materials
	// are made available under the terms of the Eclipse Public License v1.0
	// and Apache License v2.0 which accompanies this distribution.
	//
	// The Eclipse Public License is available at
	// http://www.eclipse.org/legal/epl-v10.html
	//
	// The Apache License v2.0 is available at
	// http://www.opensource.org/licenses/apache2.0.php
	//
	// You may elect to redistribute this code under either of these licenses.
	// ========================================================================
	//

	package org.eclipse.jetty.util.ssl;

	import java.net.Socket;
	import java.security.Principal;
	import java.security.PrivateKey;
	import java.security.cert.X509Certificate;
	import java.util.Arrays;
	import java.util.Collection;

	import javax.net.ssl.SNIMatcher;
	import javax.net.ssl.SSLEngine;
	import javax.net.ssl.SSLSession;
	import javax.net.ssl.SSLSocket;
	import javax.net.ssl.X509ExtendedKeyManager;

	import org.eclipse.jetty.util.log.Log;
	import org.eclipse.jetty.util.log.Logger;

	/**
	* <p>A {@link X509ExtendedKeyManager} that selects a key with an alias
	* retrieved from SNI information, delegating other processing to a nested X509ExtendedKeyManager.</p>
	* <p>Can only be used on server side.</p>
	*/
	public class SniX509ExtendedKeyManager extends X509ExtendedKeyManager
	{
	public static final String SNI_X509 = "org.eclipse.jetty.util.ssl.snix509";
	private static final String NO_MATCHERS = "no_matchers";
	private static final Logger LOG = Log.getLogger(SniX509ExtendedKeyManager.class);

	private final X509ExtendedKeyManager _delegate;

	public SniX509ExtendedKeyManager(X509ExtendedKeyManager keyManager)
	{
	_delegate = keyManager;
	}

	@Override
	public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
	{
	return _delegate.chooseClientAlias(keyType,issuers,socket);
	}

	@Override
	public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine)
	{
	return _delegate.chooseEngineClientAlias(keyType,issuers,engine);
	}

	protected String chooseServerAlias(String keyType, Principal[] issuers, Collection<SNIMatcher> matchers, SSLSession session)
	{
	// Look for the aliases that are suitable for the keytype and issuers
	String[] aliases = _delegate.getServerAliases(keyType,issuers);
	if (aliases==null \|\| aliases.length==0)
	return null;

	// Look for the SNI information.
	String host=null;
	X509 x509=null;
	if (matchers!=null)
	{
	for (SNIMatcher m : matchers)
	{
	if (m instanceof SslContextFactory.AliasSNIMatcher)
	{
	SslContextFactory.AliasSNIMatcher matcher = (SslContextFactory.AliasSNIMatcher)m;
	host=matcher.getHost();
	x509=matcher.getX509();
	break;
	}
	}
	}

	if (LOG.isDebugEnabled())
	LOG.debug("Matched {} with {} from {}",host,x509,Arrays.asList(aliases));

	// Check if the SNI selected alias is allowable
	if (x509!=null)
	{
	for (String a:aliases)
	{
	if (a.equals(x509.getAlias()))
	{
	session.putValue(SNI_X509,x509);
	return a;
	}
	}
	return null;
	}
	return NO_MATCHERS;
	}

	@Override
	public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
	{
	SSLSocket sslSocket = (SSLSocket)socket;

	String alias = chooseServerAlias(keyType,issuers,sslSocket.getSSLParameters().getSNIMatchers(),sslSocket.getHandshakeSession());
	if (alias==NO_MATCHERS)
	alias=_delegate.chooseServerAlias(keyType,issuers,socket);
	if (LOG.isDebugEnabled())
	LOG.debug("Chose alias {}/{} on {}",alias,keyType,socket);
	return alias;
	}

	@Override
	public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
	{
	String alias = chooseServerAlias(keyType,issuers,engine.getSSLParameters().getSNIMatchers(),engine.getHandshakeSession());
	if (alias==NO_MATCHERS)
	alias=_delegate.chooseEngineServerAlias(keyType,issuers,engine);
	if (LOG.isDebugEnabled())
	LOG.debug("Chose alias {}/{} on {}",alias,keyType,engine);
	return alias;
	}

	@Override
	public X509Certificate[] getCertificateChain(String alias)
	{
	return _delegate.getCertificateChain(alias);
	}

	@Override
	public String[] getClientAliases(String keyType, Principal[] issuers)
	{
	return _delegate.getClientAliases(keyType,issuers);
	}

	@Override
	public PrivateKey getPrivateKey(String alias)
	{
	return _delegate.getPrivateKey(alias);
	}

	@Override
	public String[] getServerAliases(String keyType, Principal[] issuers)
	{
	return _delegate.getServerAliases(keyType,issuers);
	}
	}