@SuppressWarnings("ConstantConditions")
@Test
public void testKeyManagerProxyChooseServerAlias(@Mocked X509ExtendedKeyManager mockedKeyManager) {
    // The proxy must hand chooseServerAlias() to the wrapped manager exactly once,
    // forwarding the requested key type unchanged; issuers and socket are not inspected here.
    new Expectations() {{
        mockedKeyManager.chooseServerAlias("cert", (Principal[]) any, (Socket) any);
        times = 1;
    }};

    KeyManager[] delegates = {mockedKeyManager};
    KeyManagerProxy proxy = new KeyManagerProxy(delegates);

    // Null issuers/socket are deliberate (hence the ConstantConditions suppression);
    // only the delegation itself is under test.
    proxy.chooseServerAlias("cert", null, null);
}
/**
 * Builds the server's X.509 possession (private key + certificate chain)
 * for the requested key type, or returns {@code null} when no usable
 * entry can be obtained from the configured key manager.
 *
 * <p>The alias is chosen by the key manager (socket or engine variant,
 * depending on the transport), then validated: a private key must exist,
 * a non-empty chain must exist, both keys must carry the requested
 * algorithm, and for "EC" the curve must be one this implementation
 * supports and, if the client advertised named groups, one the client
 * listed. Only the leaf's public key is examined; chain validation is not
 * performed here.
 *
 * @param shc     server handshake context supplying the SSL context,
 *                the transport and the client's requested named groups
 * @param keyType key algorithm name requested by the cipher suite
 * @return the possession, or {@code null} if nothing suitable is available
 */
private SSLPossession createServerPossession(
        ServerHandshakeContext shc, String keyType) {
    X509ExtendedKeyManager keyManager = shc.sslContext.getX509KeyManager();

    String alias = chooseAliasForTransport(keyManager, shc, keyType);
    if (alias == null) {
        if (isSslDebugOn()) {
            SSLLogger.finest("No X.509 cert selected for " + keyType);
        }
        return null;
    }

    PrivateKey privateKey = keyManager.getPrivateKey(alias);
    if (privateKey == null) {
        if (isSslDebugOn()) {
            SSLLogger.finest(alias + " is not a private key entry");
        }
        return null;
    }

    X509Certificate[] chain = keyManager.getCertificateChain(alias);
    if (chain == null || chain.length == 0) {
        if (isSslDebugOn()) {
            SSLLogger.finest(alias + " is not a certificate entry");
        }
        return null;
    }

    // Both halves of the key pair must match the requested algorithm; a
    // mismatch would let the handshake sign with a key the suite cannot use.
    PublicKey publicKey = chain[0].getPublicKey();
    boolean algorithmsMatch = privateKey.getAlgorithm().equals(keyType)
            && publicKey.getAlgorithm().equals(keyType);
    if (!algorithmsMatch) {
        if (isSslDebugOn()) {
            SSLLogger.fine(alias + " private or public key is not of " +
                    keyType + " algorithm");
        }
        return null;
    }

    // For ECC certs, check whether we support the EC domain parameters.
    // If the client sent a SupportedEllipticCurves ClientHello extension,
    // check against that too.
    if (keyType.equals("EC") && !isAcceptableEcKey(shc, alias, publicKey)) {
        return null;
    }

    return new X509Possession(privateKey, chain);
}

/** True when the "ssl" debug category is enabled; evaluated lazily at each log site. */
private static boolean isSslDebugOn() {
    return SSLLogger.isOn && SSLLogger.isOn("ssl");
}

/**
 * Asks the key manager for a server alias using the chooser that matches
 * the transport kind; returns {@code null} for an unrecognised transport.
 */
private static String chooseAliasForTransport(X509ExtendedKeyManager keyManager,
        ServerHandshakeContext shc, String keyType) {
    if (shc.conContext.transport instanceof SSLSocketImpl) {
        return keyManager.chooseServerAlias(keyType,
                null, (SSLSocket) shc.conContext.transport);
    }
    if (shc.conContext.transport instanceof SSLEngineImpl) {
        return keyManager.chooseEngineServerAlias(keyType,
                null, (SSLEngine) shc.conContext.transport);
    }
    return null;
}

/**
 * Checks that an EC public key uses a named group supported locally and,
 * when the client advertised named groups, one the client listed.
 * Logs a warning and returns {@code false} when the key is rejected.
 */
private static boolean isAcceptableEcKey(ServerHandshakeContext shc,
        String alias, PublicKey publicKey) {
    if (!(publicKey instanceof ECPublicKey)) {
        if (isSslDebugOn()) {
            SSLLogger.warning(alias +
                    " public key is not an instance of ECPublicKey");
        }
        return false;
    }

    ECParameterSpec params = ((ECPublicKey) publicKey).getParams();
    NamedGroup namedGroup = NamedGroup.valueOf(params);

    // Evaluate the client-side check only for a locally supported (hence
    // non-null) group, mirroring the original short-circuit order.
    boolean locallySupported =
            namedGroup != null && SupportedGroups.isSupported(namedGroup);
    if (!locallySupported
            || (shc.clientRequestedNamedGroups != null
                && !shc.clientRequestedNamedGroups.contains(namedGroup))) {
        if (isSslDebugOn()) {
            SSLLogger.warning(
                    "Unsupported named group (" + namedGroup +
                    ") used in the " + alias + " certificate");
        }
        return false;
    }
    return true;
}
/**
 * Builds the server's X.509 possession (private key + certificate chain)
 * for the requested key type, or returns {@code null} when the key
 * manager has no usable entry.
 *
 * <p>After the key manager picks an alias (socket or engine chooser,
 * depending on the transport), the entry must have a private key, a
 * non-empty chain, and key algorithms equal to {@code keyType}. For "EC"
 * keys under TLS 1.2 and earlier the curve must additionally be a locally
 * supported named group and, if the client sent supported_groups, one the
 * client listed; under TLS 1.3 that check is skipped because signature
 * algorithms are negotiated separately. Only the leaf's public key is
 * inspected; chain validation is not done here.
 *
 * @param shc     server handshake context supplying the SSL context, the
 *                transport, the negotiated protocol and the client's
 *                requested named groups
 * @param keyType key algorithm name requested by the cipher suite
 * @return the possession, or {@code null} if nothing suitable is available
 */
private SSLPossession createServerPossession(
        ServerHandshakeContext shc, String keyType) {
    X509ExtendedKeyManager keyManager = shc.sslContext.getX509KeyManager();

    String alias = pickServerAlias(keyManager, shc, keyType);
    if (alias == null) {
        if (sslDebugEnabled()) {
            SSLLogger.finest("No X.509 cert selected for " + keyType);
        }
        return null;
    }

    PrivateKey privateKey = keyManager.getPrivateKey(alias);
    if (privateKey == null) {
        if (sslDebugEnabled()) {
            SSLLogger.finest(alias + " is not a private key entry");
        }
        return null;
    }

    X509Certificate[] chain = keyManager.getCertificateChain(alias);
    if (chain == null || chain.length == 0) {
        if (sslDebugEnabled()) {
            SSLLogger.finest(alias + " is not a certificate entry");
        }
        return null;
    }

    // Both halves of the key pair must carry the requested algorithm so the
    // suite never ends up signing with a key it cannot use.
    PublicKey publicKey = chain[0].getPublicKey();
    boolean wrongAlgorithm = !privateKey.getAlgorithm().equals(keyType)
            || !publicKey.getAlgorithm().equals(keyType);
    if (wrongAlgorithm) {
        if (sslDebugEnabled()) {
            SSLLogger.fine(alias + " private or public key is not of " +
                    keyType + " algorithm");
        }
        return null;
    }

    // For TLS 1.2 and prior versions, the public key of a EC cert
    // MUST use a curve and point format supported by the client.
    // But for TLS 1.3, signature algorithms are negotiated
    // independently via the "signature_algorithms" extension.
    boolean curveCheckRequired =
            !shc.negotiatedProtocol.useTLS13PlusSpec() && keyType.equals("EC");
    if (curveCheckRequired && !ecKeyUsableByClient(shc, alias, publicKey)) {
        return null;
    }

    return new X509Possession(privateKey, chain);
}

/** True when the "ssl" debug category is enabled; evaluated lazily at each log site. */
private static boolean sslDebugEnabled() {
    return SSLLogger.isOn && SSLLogger.isOn("ssl");
}

/**
 * Chooses a server alias with the key-manager API matching the transport
 * kind; {@code null} when the transport is neither a socket nor an engine.
 */
private static String pickServerAlias(X509ExtendedKeyManager keyManager,
        ServerHandshakeContext shc, String keyType) {
    if (shc.conContext.transport instanceof SSLSocketImpl) {
        return keyManager.chooseServerAlias(keyType,
                null, (SSLSocket) shc.conContext.transport);
    }
    if (shc.conContext.transport instanceof SSLEngineImpl) {
        return keyManager.chooseEngineServerAlias(keyType,
                null, (SSLEngine) shc.conContext.transport);
    }
    return null;
}

/**
 * Pre-TLS 1.3 EC check: the key must be an {@link ECPublicKey} on a named
 * group that is supported locally and, if the client sent supported_groups,
 * listed by the client. Logs a warning and returns {@code false} otherwise.
 */
private static boolean ecKeyUsableByClient(ServerHandshakeContext shc,
        String alias, PublicKey publicKey) {
    if (!(publicKey instanceof ECPublicKey)) {
        if (sslDebugEnabled()) {
            SSLLogger.warning(alias +
                    " public key is not an instance of ECPublicKey");
        }
        return false;
    }

    // For ECC certs, check whether we support the EC domain
    // parameters. If the client sent a supported_groups
    // ClientHello extension, check against that too for
    // TLS 1.2 and prior versions.
    ECParameterSpec params = ((ECPublicKey) publicKey).getParams();
    NamedGroup namedGroup = NamedGroup.valueOf(params);

    // The client-list check runs only for a locally supported (non-null)
    // group, preserving the original short-circuit order.
    boolean locallySupported =
            namedGroup != null && SupportedGroups.isSupported(namedGroup);
    if (!locallySupported
            || (shc.clientRequestedNamedGroups != null
                && !shc.clientRequestedNamedGroups.contains(namedGroup))) {
        if (sslDebugEnabled()) {
            SSLLogger.warning(
                    "Unsupported named group (" + namedGroup +
                    ") used in the " + alias + " certificate");
        }
        return false;
    }
    return true;
}