public class SslContextUtil extends Object
SSLContext.
This utility converts between the informations used by the javax SSL
implementation and the plain credentials used by scandium. It offers reading
KeyStores, extracting credentials, and creating KeyManager and TrustManager
from the KeyStores or extracted credentials. Java SSLContext is able to
maintain different key-certificate pairs for different key and signing
algorithms. The californium-scandium concentrates on embedded client and
therefore supports only one key-signing algorithm. This utility therefore
helps, to select the right credentials or create a javax security classes for
javax SSL implementation from that selected credentials.
The utility provides a configurable mapping of URI endings with key store
type, enable to use different KeyStore implementations and formats. The URI
ending is defined as the part starting with the last "." after all "/"
separator. e.g.: "cert/keyStore.p12" has ending ".p12", and
"cert/keyStore.p12/test" has no ending. The currently pre-configured mapping
contains:
".jks" to "JKS" ".bks" to "BKS" ".p12" to "PKCS12" "*" to system defaultThe utility provides also a configurable input stream factory of URI schemes. Currently only
CLASSPATH_SCHEME is pre-configured to load key stores
from the classpath. If the scheme of the URI has no configured input stream
factory, the URI is loaded with URL.URL(String).
Note: currently this class provides a class access based API. Depending on
the usage, this may change to instance access based API. It is not intended,
that the configuration is changed during usage, this may cause race
conditions!| Modifier and Type | Class and Description |
|---|---|
static class |
SslContextUtil.Credentials
Credentials.
|
static interface |
SslContextUtil.InputStreamFactory
Scheme specific input stream factory.
|
| Modifier and Type | Field and Description |
|---|---|
static String |
BKS_ENDING
Ending for key stores with type
BKS_TYPE. |
static String |
BKS_TYPE
Key store type BKS.
|
static String |
CLASSPATH_PROTOCOL
Deprecated.
use CLASSPATH_SCHEME instead!
|
static String |
CLASSPATH_SCHEME
Scheme for key store URI.
|
static String |
DEFAULT_ENDING
Label to provide default key store type.
|
static String |
DEFAULT_SSL_PROTOCOL
Default protocol used for
createSSLContext(String, PrivateKey, X509Certificate[], Certificate[]). |
static String |
JKS_ENDING
Ending for key stores with type
JKS_TYPE. |
static String |
JKS_TYPE
Key store type JKS.
|
static String |
PARAMETER_SEPARATOR
Separator for parameters.
|
static String |
PKCS12_ENDING
Ending for key stores with type
PKCS12_TYPE. |
static String |
PKCS12_TYPE
Key store type PKCS12.
|
| Constructor and Description |
|---|
SslContextUtil() |
| Modifier and Type | Method and Description |
|---|---|
static X509Certificate[] |
asX509Certificates(Certificate[] certificates)
Return certificates as x509 certificates.
|
static SslContextUtil.InputStreamFactory |
configure(String scheme,
SslContextUtil.InputStreamFactory streamFactory)
Configure input stream factory for URI scheme.
|
static String |
configure(String ending,
String keyStoreType)
Configure key store types for URI endings.
|
static void |
configureDefaults()
Configure defaults.
|
static KeyManager[] |
createKeyManager(String alias,
PrivateKey privateKey,
X509Certificate[] chain)
Create key manager from private key and certificate path.
|
static SSLContext |
createSSLContext(String alias,
PrivateKey privateKey,
X509Certificate[] chain,
Certificate[] trusts)
Create SSLContext with provided credentials and trusts.
|
static SSLContext |
createSSLContext(String alias,
PrivateKey privateKey,
X509Certificate[] chain,
Certificate[] trusts,
String protocol)
Create SSLContext with provided credentials and trusts.
|
static TrustManager[] |
createTrustManager(String alias,
Certificate[] trusts)
Create trust manager from trusted certificates.
|
static X509Certificate[] |
loadCertificateChain(String keyStoreUri,
String alias,
char[] storePassword)
Load certificate chain from key store.
|
static SslContextUtil.Credentials |
loadCredentials(String credentials)
Load credentials from key store.
|
static SslContextUtil.Credentials |
loadCredentials(String keyStoreUri,
String alias,
char[] storePassword,
char[] keyPassword)
Load credentials from key store.
|
static KeyManager[] |
loadKeyManager(String keyStoreUri,
String alias,
char[] storePassword,
char[] keyPassword)
Load KeyManager from key store.
|
static Certificate[] |
loadTrustedCertificates(String trust)
Load trusted certificates from key store.
|
static Certificate[] |
loadTrustedCertificates(String keyStoreUri,
String aliasPattern,
char[] storePassword)
Load trusted certificates from key store.
|
static TrustManager[] |
loadTrustManager(String keyStoreUri,
String aliasPattern,
char[] storePassword)
Load TrustManager from key store.
|
public static final String CLASSPATH_SCHEME
public static final String CLASSPATH_PROTOCOL
public static final String PARAMETER_SEPARATOR
public static final String JKS_ENDING
JKS_TYPE.public static final String BKS_ENDING
BKS_TYPE.public static final String PKCS12_ENDING
PKCS12_TYPE.public static final String DEFAULT_ENDING
public static final String JKS_TYPE
public static final String BKS_TYPE
public static final String PKCS12_TYPE
public static final String DEFAULT_SSL_PROTOCOL
createSSLContext(String, PrivateKey, X509Certificate[], Certificate[]).public static Certificate[] loadTrustedCertificates(String trust) throws IOException, GeneralSecurityException
trust - trust definition keystore#hexstorepwd#aliaspattern. If no
aliaspattern should be used, just leave it blank
keystore#hexstorepwd#IOException - if key store could not be loaded.GeneralSecurityException - if security setup failed.IllegalArgumentException - if trust doesn't match
keystore#hexstorepwd#aliaspattern or no matching trusts are
foundNullPointerException - if trust is null.PARAMETER_SEPARATORpublic static SslContextUtil.Credentials loadCredentials(String credentials) throws IOException, GeneralSecurityException
credentials - credentials definition
keystore#hexstorepwd#hexkeypwd#alias.IOException - if key store could not be loaded.GeneralSecurityException - if security setup failed.IllegalArgumentException - if keys doesn't match
keystore#hexstorepwd#hexkeypwd#alias or no matching trusts
are foundNullPointerException - if credentials is null.PARAMETER_SEPARATORpublic static TrustManager[] loadTrustManager(String keyStoreUri, String aliasPattern, char[] storePassword) throws IOException, GeneralSecurityException
keyStoreUri - key store URI. Supports configurable URI scheme based
input streams and URI ending based key store type.aliasPattern - regular expression for aliases to load only specific
certificates for the TrustManager. null to load all
certificates.storePassword - password for key store.IOException - if key store could not be loaded.GeneralSecurityException - if security setup failed.IllegalArgumentException - if no matching trusts are foundNullPointerException - if keyStoreUri or storePassword is null.public static KeyManager[] loadKeyManager(String keyStoreUri, String alias, char[] storePassword, char[] keyPassword) throws IOException, GeneralSecurityException
keyStoreUri - key store URI. Supports configurable URI scheme based
input streams and URI ending based key store type.alias - alias to load only specific credentials into the KeyManager.
null to load all credentials into the KeyManager.storePassword - password for key store.keyPassword - password for private key.IOException - if key store could not be loaded.GeneralSecurityException - if security setup failed.IllegalArgumentException - if no matching credentials are foundNullPointerException - if keyStoreUri, storePassword, or
keyPassword is null.public static Certificate[] loadTrustedCertificates(String keyStoreUri, String aliasPattern, char[] storePassword) throws IOException, GeneralSecurityException
keyStoreUri - key store URI. Supports configurable URI scheme based
input streams and URI ending based key store type.aliasPattern - regular expression for aliases to load only specific
certificates for trusting. null to load all certificates.storePassword - password for key store.IOException - if key store could not be loaded.GeneralSecurityException - if security setup failed.IllegalArgumentException - if no matching certificates are foundNullPointerException - if keyStoreUri or storePassword is null.public static SslContextUtil.Credentials loadCredentials(String keyStoreUri, String alias, char[] storePassword, char[] keyPassword) throws IOException, GeneralSecurityException
keyStoreUri - key store URI. Supports configurable URI scheme based
input streams and URI ending based key store type.alias - alias to load specific credentials.storePassword - password for key store.keyPassword - password for private key.IOException - if key store could not be loaded.GeneralSecurityException - if security setup failed.IllegalArgumentException - if alias is empty, or no matching
credentials are found.NullPointerException - if keyStoreUri, storePassword, keyPassword,
or alias is null.public static X509Certificate[] loadCertificateChain(String keyStoreUri, String alias, char[] storePassword) throws IOException, GeneralSecurityException
keyStoreUri - key store URI. Supports configurable URI scheme based
input streams and URI ending based key store type.alias - alias to load the certificate chain.storePassword - password for key store.IOException - if key store could not be loaded.GeneralSecurityException - if security setup failed.IllegalArgumentException - if alias is empty, or no matching
certificate chain is found.NullPointerException - if keyStoreUri, storePassword, or alias is
null.public static void configureDefaults()
".jks" to "JKS" ".bks" to "BKS" ".p12" to "PKCS12" "*" to system defaultInput stream factory:
CLASSPATH_SCHEME to classpath loader.public static String configure(String ending, String keyStoreType)
ending - URI ending. If DEFAULT_ENDING is used, the key
store default type is configured. Ending is converted to lower
case before added to the KEY_STORE_TYPES.keyStoreType - key store type.null, if no key store
type was configured beforeNullPointerException - if ending or key store type is null.IllegalArgumentException - if ending doesn't start with "." and
isn't DEFAULT_ENDING, or key store type is empty.public static SslContextUtil.InputStreamFactory configure(String scheme, SslContextUtil.InputStreamFactory streamFactory)
scheme - URI scheme. Scheme is converted to lower case before added
to the INPUT_STREAM_FACTORIES.streamFactory - input stream factory to read key stores access with
this URI scheme.null,
if not stream factory was previously configured.NullPointerException - if scheme or stream factory is null.IllegalArgumentException - if scheme doesn't end with "://".public static X509Certificate[] asX509Certificates(Certificate[] certificates)
certificates - to checkIllegalArgumentException - if null, a empty array is provided or a
none x509 certificate was found or a array entry was null.public static SSLContext createSSLContext(String alias, PrivateKey privateKey, X509Certificate[] chain, Certificate[] trusts) throws GeneralSecurityException
DEFAULT_SSL_PROTOCOL.alias - alias to be used in KeyManager. Used for identification
according the X509ExtendedKeyManager API to select the
credentials matching the provided key. Though the create
KeyManager currently only supports on set of credentials, the
alias is only used to select that. If null, it's
replaced by a default "californium".privateKey - private keychain - certificate trust chain related to private key.trusts - trusted certificates.GeneralSecurityException - if security setup failed.NullPointerException - if private key, or the chain, or the trusts is
null.IllegalArgumentException - if the chain or trusts is empty.public static SSLContext createSSLContext(String alias, PrivateKey privateKey, X509Certificate[] chain, Certificate[] trusts, String protocol) throws GeneralSecurityException
alias - alias to be used in KeyManager. Used for identification
according the X509ExtendedKeyManager API to select the
credentials matching the provided key. Though the create
KeyManager currently only supports on set of credentials, the
alias is only used to select that. If null, it's
replaced by a default "californium".privateKey - private keychain - certificate trust chain related to private key.trusts - trusted certificates.protocol - specific protocol for SSLContext. See SSLContext.getInstance(String).GeneralSecurityException - if security setup failed.NullPointerException - if private key, or the chain, or the trusts is
null.IllegalArgumentException - if the chain or trusts is empty.public static KeyManager[] createKeyManager(String alias, PrivateKey privateKey, X509Certificate[] chain) throws GeneralSecurityException
KeyStore to use KeyManagerFactory.alias - alias to be used for key storeprivateKey - private keychain - certificate chain.GeneralSecurityException - if security setup failed.NullPointerException - if private key or the chain is
null.IllegalArgumentException - if the chain is empty.public static TrustManager[] createTrustManager(String alias, Certificate[] trusts) throws GeneralSecurityException
KeyStore to use TrustManagerFactory.alias - alias to be used for key store.trusts - trusted certificatesGeneralSecurityException - if security setup failed.NullPointerException - if trusted certificates is null.IllegalArgumentException - if trusted certificates is empty.Copyright © 2019 Eclipse Foundation. All rights reserved.