Registering multiple keystores in JVM [duplicate]

by

Raz’s answer was a great start, but wasn’t quite flexible enough to meet my needs. The MultiStoreKeyManager explicitly checks the custom KeyManager and then falls back to the jvm KeyManager if an operation fails. I actually want to check jvm certs first; the best solution should be able to handle either case. Additionally, the answer fails to provide a working TrustManager.

I’ve written a couple more flexible classes, CompositeX509KeyManager and CompositeX509TrustManager, which add support for any number of keystores in an arbitrary order.

CompositeX509KeyManager

package com.mycompany.ssl;

import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;

import javax.annotation.Nullable;
import javax.net.ssl.X509KeyManager;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;

/**
 * Represents an ordered list of {@link X509KeyManager}s with most-preferred managers first.
 *
 * This is necessary because of the fine-print on {@link SSLContext#init}:
 *     Only the first instance of a particular key and/or trust manager implementation type in the
 *     array is used. (For example, only the first javax.net.ssl.X509KeyManager in the array will be used.)
 *
 * @author codyaray
 * @since 4/22/2013
 * @see http://stackoverflow.com/questions/1793979/registering-multiple-keystores-in-jvm
 */
public class CompositeX509KeyManager implements X509KeyManager {

  private final List keyManagers;

  /**
   * Creates a new {@link CompositeX509KeyManager}.
   *
   * @param keyManagers the X509 key managers, ordered with the most-preferred managers first.
   */
  public CompositeX509KeyManager(List keyManagers) {
    this.keyManagers = ImmutableList.copyOf(keyManagers);
  }

  /**
   * Chooses the first non-null client alias returned from the delegate
   * {@link X509TrustManagers}, or {@code null} if there are no matches.
   */
  @Override
  public @Nullable String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
    for (X509KeyManager keyManager : keyManagers) {
      String alias = keyManager.chooseClientAlias(keyType, issuers, socket);
      if (alias != null) {
        return alias;
      }
    }
    return null;
  }

  /**
   * Chooses the first non-null server alias returned from the delegate
   * {@link X509TrustManagers}, or {@code null} if there are no matches.
   */
  @Override
  public @Nullable String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
    for (X509KeyManager keyManager : keyManagers) {
      String alias = keyManager.chooseServerAlias(keyType, issuers, socket);
      if (alias != null) {
        return alias;
      }
    }
    return null;
  }

  /**
   * Returns the first non-null private key associated with the
   * given alias, or {@code null} if the alias can't be found.
   */
  @Override
  public @Nullable PrivateKey getPrivateKey(String alias) {
    for (X509KeyManager keyManager : keyManagers) {
      PrivateKey privateKey = keyManager.getPrivateKey(alias);
      if (privateKey != null) {
        return privateKey;
      }
    }
    return null;
  }

  /**
   * Returns the first non-null certificate chain associated with the
   * given alias, or {@code null} if the alias can't be found.
   */
  @Override
  public @Nullable X509Certificate[] getCertificateChain(String alias) {
    for (X509KeyManager keyManager : keyManagers) {
      X509Certificate[] chain = keyManager.getCertificateChain(alias);
      if (chain != null && chain.length > 0) {
        return chain;
      }
    }
    return null;
  }

  /**
   * Get all matching aliases for authenticating the client side of a
   * secure socket, or {@code null} if there are no matches.
   */
  @Override
  public @Nullable String[] getClientAliases(String keyType, Principal[] issuers) {
    ImmutableList.Builder aliases = ImmutableList.builder();
    for (X509KeyManager keyManager : keyManagers) {
      aliases.add(keyManager.getClientAliases(keyType, issuers));
    }
    return emptyToNull(Iterables.toArray(aliases.build(), String.class));
  }

  /**
   * Get all matching aliases for authenticating the server side of a
   * secure socket, or {@code null} if there are no matches.
   */
  @Override
  public @Nullable String[] getServerAliases(String keyType, Principal[] issuers) {
    ImmutableList.Builder aliases = ImmutableList.builder();
    for (X509KeyManager keyManager : keyManagers) {
      aliases.add(keyManager.getServerAliases(keyType, issuers));
    }
    return emptyToNull(Iterables.toArray(aliases.build(), String.class));
  }

  @Nullable
  private static <T> T[] emptyToNull(T[] arr) {
    return (arr.length == 0) ? null : arr;
  }

}

CompositeX509TrustManager

package com.mycompany.ssl;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;

import javax.net.ssl.X509TrustManager;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;

/**
 * Represents an ordered list of {@link X509TrustManager}s with additive trust. If any one of the
 * composed managers trusts a certificate chain, then it is trusted by the composite manager.
 *
 * This is necessary because of the fine-print on {@link SSLContext#init}:
 *     Only the first instance of a particular key and/or trust manager implementation type in the
 *     array is used. (For example, only the first javax.net.ssl.X509KeyManager in the array will be used.)
 *
 * @author codyaray
 * @since 4/22/2013
 * @see http://stackoverflow.com/questions/1793979/registering-multiple-keystores-in-jvm
 */
public class CompositeX509TrustManager implements X509TrustManager {

  private final List trustManagers;

  public CompositeX509TrustManager(List trustManagers) {
    this.trustManagers = ImmutableList.copyOf(trustManagers);
  }

  @Override
  public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    for (X509TrustManager trustManager : trustManagers) {
      try {
        trustManager.checkClientTrusted(chain, authType);
        return; // someone trusts them. success!
      } catch (CertificateException e) {
        // maybe someone else will trust them
      }
    }
    throw new CertificateException("None of the TrustManagers trust this certificate chain");
  }

  @Override
  public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    for (X509TrustManager trustManager : trustManagers) {
      try {
        trustManager.checkServerTrusted(chain, authType);
        return; // someone trusts them. success!
      } catch (CertificateException e) {
        // maybe someone else will trust them
      }
    }
    throw new CertificateException("None of the TrustManagers trust this certificate chain");
  }

  @Override
  public X509Certificate[] getAcceptedIssuers() {
    ImmutableList.Builder certificates = ImmutableList.builder();
    for (X509TrustManager trustManager : trustManagers) {
      certificates.add(trustManager.getAcceptedIssuers());
    }
    return Iterables.toArray(certificates.build(), X509Certificate.class);
  }

}

Usage

For the standard case of one keystore + jvm keystore, you can wire it up like this. Iā€™m using Guava again, but in a Guicey wrapper this time:

@Provides @Singleton
SSLContext provideSSLContext(KeyStore keystore, char[] password) {
  String defaultAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
  X509KeyManager customKeyManager = getKeyManager("SunX509", keystore, password);
  X509KeyManager jvmKeyManager = getKeyManager(defaultAlgorithm, null, null);
  X509TrustManager customTrustManager = getTrustManager("SunX509", keystore);
  X509TrustManager jvmTrustManager = getTrustManager(defaultAlgorithm, null);

  KeyManager[] keyManagers = { new CompositeX509KeyManager(ImmutableList.of(jvmKeyManager, customKeyManager)) };
  TrustManager[] trustManagers = { new CompositeX509TrustManager(ImmutableList.of(jvmTrustManager, customTrustManager)) };

  SSLContext context = SSLContext.getInstance("SSL");
  context.init(keyManagers, trustManagers, null);
  return context;
}

private X509KeyManager getKeyManager(String algorithm, KeyStore keystore, char[] password) {
  KeyManagerFactory factory = KeyManagerFactory.getInstance(algorithm);
  factory.init(keystore, password);
  return Iterables.getFirst(Iterables.filter(
      Arrays.asList(factory.getKeyManagers()), X509KeyManager.class), null);
}

private X509TrustManager getTrustManager(String algorithm, KeyStore keystore) {
  TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
  factory.init(keystore);
  return Iterables.getFirst(Iterables.filter(
      Arrays.asList(factory.getTrustManagers()), X509TrustManager.class), null); 
}

I extracted this from my blog post about this problem which has a bit more detail, motivation, etc. All the code is there though, so its standalone. šŸ™‚

More Related Contents:

  1. How can I use different certificates on specific connections?
  2. Why does SSL handshake give ‘Could not generate DH keypair’ exception?
  3. Java client certificates over HTTPS/SSL
  4. javax.net.ssl.SSLException: Received fatal alert: protocol_version
  5. limiting java ssl debug logging
  6. java – path to trustStore – set property doesn’t work?
  7. Keystore type: which one to use?
  8. Why does Java’s SSLSocket send a version 2 client hello?
  9. How to override the cipherlist sent to the server by Android when using HttpsURLConnection?
  10. SSLContext initialization
  11. How to use .key and .crt file in java that generated by openssl?
  12. Setting multiple truststore on the same JVM
  13. Java 256-bit AES Password-Based Encryption
  14. How to see JIT-compiled code in JVM?
  15. Running jmap getting Unable to open socket file
  16. How to fix java.lang.UnsupportedClassVersionError: Unsupported major.minor version
  17. Given final block not properly padded
  18. What is in Java object header?
  19. SQL Server JDBC Error on Java 8: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption
  20. JVM option -Xss – What does it do exactly?
  21. When does the main thread stop in Java?
  22. When will JVM use intrinsics
  23. Caused by: java.security.UnrecoverableKeyException: Cannot recover key
  24. Properly closing SSLSocket
  25. How to set timezone to UTC in Apache Spark?
  26. Java’s “os.name” for Windows 10?
  27. Is it possible to use sun.misc.Unsafe to call C functions without JNI?
  28. How do I use the JAVA_OPTS environment variable?
  29. effect of changing String using reflection
  30. Encrypt with Node.js Crypto module and decrypt with Java (in Android app)

Leave a Comment