Updated the KeyManager to support keystores with both wildcard certs and top-level domains certs using underscore prefix

pborissow · pborissow · commit 6bcb90ff8241 · 2024-06-16T10:25:24.000-04:00
diff --git a/src/javaxt/express/KeyManager.java b/src/javaxt/express/KeyManager.java
@@ -11,75 +11,122 @@
 //**  KeyManager
 //******************************************************************************
 /**
- *   Custom implementation of a X509KeyManager. This class is required to
- *   support keystores with multiple SSL certificates. By default, the standard
- *   Java X509KeyManager and the SunX509 implementation will pick the first
- *   aliases it finds for which there is a private key and a key of the right
- *   type for the chosen cipher suite (typically RSA). Instead, this class
- *   relies on a map of hostnames and their corresponding IP addresses. When a
- *   new SSL request is made, it checks the incoming IP address and finds the
- *   corresponding hostname. Then, it tries to find an alias in the keystore
- *   that corresponds to the hostname.
+ *   Custom implementation of a X509KeyManager. This class is used to support
+ *   keystores with multiple SSL certificates. By default, the standard Java
+ *   X509KeyManager and the SunX509 implementation will pick the first alias
+ *   it finds for which there is a private key and a key type that matches
+ *   the chosen cipher suite (typically RSA).
+ *
+ *   Instead, this class tries to find an alias in the keystore that best
+ *   matches the requested hostname found in the SSL handshake. This assumes
+ *   that the keystore aliases contain hostnames (e.g. "www.acme.com") or top
+ *   level domain names (e.g. "acme.com").
+ *
+ *   In addition, this class requires a mapping of aliases/hostnames to IP
+ *   addresses on the host server. This is required for the chooseServerAlias()
+ *   method which is called early in the SSL handshake process (well before
+ *   the hostname is known). When the chooseServerAlias() method is called, all
+ *   we have is a IP address to identify the alias so a hashmap is used to tie
+ *   a domain name to an IP address.
  *
  ******************************************************************************/
 
 public class KeyManager extends X509ExtendedKeyManager { //implements X509KeyManager
     private KeyStore keyStore;
     private char[] password;
-    private String alias;
     private java.util.HashMap<InetAddress, String> aliases;
 
-    public KeyManager(KeyStore keystore, char[] password, String alias) {
-        if (alias==null) throw new IllegalArgumentException("Alias is null.");
-        this.keyStore = keystore;
-        this.password = password;
-        this.alias = alias;
-    }
 
+  //**************************************************************************
+  //** Constructor
+  //**************************************************************************
     public KeyManager(KeyStore keystore, char[] password, java.util.HashMap<InetAddress, String> aliases) {
         if (aliases==null || aliases.isEmpty()) throw new IllegalArgumentException("Hosts is null or empty.");
         this.keyStore = keystore;
         this.password = password;
         this.aliases = aliases;
     }
 
+
+  //**************************************************************************
+  //** chooseEngineServerAlias
+  //**************************************************************************
+  /** Returns an alias in the keystore that best matches the requested
+   *  hostname found in the SSL handshake
+   *  @param keyType Not used
+   *  @param issuers Not used
+   *  @param engine SSLEngine with a handshake session
+   */
     public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
-        if (alias!=null) return alias;
-        else{
-            try{
-
-              //Get hostname from SSL handshake
-                ExtendedSSLSession session = (ExtendedSSLSession) engine.getHandshakeSession();
-                String hostname = null;
-                for (SNIServerName name : session.getRequestedServerNames()) {
-                    if (name.getType() == StandardConstants.SNI_HOST_NAME) {
-                        hostname = ((SNIHostName) name).getAsciiName();
-                        break;
-                    }
+        try{
+
+          //Get hostname from SSL handshake (www.acme.com)
+            String hostname = null;
+            ExtendedSSLSession session = (ExtendedSSLSession) engine.getHandshakeSession();
+            for (SNIServerName name : session.getRequestedServerNames()) {
+                if (name.getType() == StandardConstants.SNI_HOST_NAME) {
+                    hostname = ((SNIHostName) name).getAsciiName();
+                    break;
                 }
+            }
+            if (hostname==null) return null;
+            else hostname = hostname.toLowerCase();
 
 
-                String[] arr = hostname.split("\\.");
-                hostname = arr[arr.length-2] + "." + arr[arr.length-1];
+          //Get top-level domain name (acme.com)
+            String[] arr = hostname.split("\\.");
+            String domainName = arr[arr.length-2] + "." + arr[arr.length-1];
 
-                //System.out.println("hostname: " + hostname);
-                //System.out.println(InetAddress.getByName(hostname));
-                //System.out.println(aliases.get(InetAddress.getByName(hostname)));
 
 
-                return aliases.get(InetAddress.getByName(hostname));
-            }
-            catch(Exception e){
-                return null;
+          //Special case for keystores with wildcard certs and top-level domain
+          //certs. When creating aliases for wildcard certs, I use the top-level
+          //domain name as the alias (e.g. "acme.com" alias for a "*.acme.com"
+          //wildcard cert). However, in some cases we also want a cert for the
+          //top-level domain (e.g. "acme.com"). So for top-level domain certs,
+          //I use an underscore prefix (e.g. "_acme.com" alias for a "acme.com"
+          //cert). The following code will search for an alias with an
+          //underscore prefix whenever a top-level domain name is requested.
+            if (domainName.equals(hostname)){
+                java.util.Enumeration enumeration = keyStore.aliases();
+                while (enumeration.hasMoreElements()) {
+                    String alias = (String) enumeration.nextElement();
+                    if (alias.equals("_"+domainName)) return alias;
+                }
             }
+
+
+
+          //Return the alias associated with the IP address of the top-level
+          //domain name.
+            return aliases.get(InetAddress.getByName(domainName));
+
+        }
+        catch(Exception e){
+            return null;
         }
     }
 
+
+  //**************************************************************************
+  //** chooseEngineServerAlias
+  //**************************************************************************
+  /** Returns an alias that best matches the given HTTP socket.
+   *  @param keyType Not used
+   *  @param issuers Not used
+   *  @param socket HTTP socket
+   */
     public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
-        if (alias!=null) return alias;
-        else return aliases.get(socket.getLocalAddress());
+        //System.out.println("chooseServerAlias: " + socket.getLocalAddress());
+        return aliases.get(socket.getLocalAddress());
     }
 
+
+  //**************************************************************************
+  //** getPrivateKey
+  //**************************************************************************
+  /** Returns the private key from the keystore for a given alias.
+   */
     public PrivateKey getPrivateKey(String alias) {
         try {
             return (PrivateKey) keyStore.getKey(alias, password);
@@ -89,6 +136,12 @@ public PrivateKey getPrivateKey(String alias) {
         }
     }
 
+
+  //**************************************************************************
+  //** getPrivateKey
+  //**************************************************************************
+  /** Returns the x509 certificate chain from the keystore for a given alias.
+   */
     public X509Certificate[] getCertificateChain(String alias) {
         try {
             java.security.cert.Certificate[] certs = keyStore.getCertificateChain(alias);
@@ -105,18 +158,18 @@ public X509Certificate[] getCertificateChain(String alias) {
     }
 
     public String[] getServerAliases(String keyType, Principal[] issuers) {
-        throw new UnsupportedOperationException("Method getServerAliases() not yet implemented.");
+        throw new UnsupportedOperationException("Method getServerAliases() not implemented.");
     }
 
     public String[] getClientAliases(String keyType, Principal[] issuers) {
-        throw new UnsupportedOperationException("Method getClientAliases() not yet implemented.");
+        throw new UnsupportedOperationException("Method getClientAliases() not implemented.");
     }
 
     public String chooseClientAlias(String keyTypes[], Principal[] issuers, Socket socket) {
-        throw new UnsupportedOperationException("Method chooseClientAlias() not yet implemented.");
+        throw new UnsupportedOperationException("Method chooseClientAlias() not implemented.");
     }
 
     public String chooseEngineClientAlias(String[] strings, Principal[] prncpls, SSLEngine ssle) {
-        throw new UnsupportedOperationException("Method chooseEngineClientAlias() not yet implemented.");
+        throw new UnsupportedOperationException("Method chooseEngineClientAlias() not implemented.");
     }
 }
