com.sun.slamd.example
Class JSSERandomClientCertSocketFactory

java.lang.Object
  extended by javax.net.SocketFactory
      extended by javax.net.ssl.SSLSocketFactory
          extended by com.sun.slamd.example.JSSERandomClientCertSocketFactory
All Implemented Interfaces:
javax.net.ssl.KeyManager, javax.net.ssl.TrustManager, javax.net.ssl.X509KeyManager, javax.net.ssl.X509TrustManager, netscape.ldap.LDAPSocketFactory

public class JSSERandomClientCertSocketFactory
extends javax.net.ssl.SSLSocketFactory
implements netscape.ldap.LDAPSocketFactory, javax.net.ssl.X509KeyManager, javax.net.ssl.X509TrustManager

This class provides an implementation of an SSL socket factory that will use JSSE to create an SSL client socket. The first time the server requests a client certificate, one will be chosen at random from the appropriate set of keys in the JSSE JKS-format key store. Subsequent requests will continue to use the same client certificate until the chooseNewClientCert method is called. In addition, this class implements a trust manager so that any SSL certificate presented by the server will be trusted.

Author:
Neil A. Wilson

Constructor Summary
JSSERandomClientCertSocketFactory(java.lang.String keyStoreFile, char[] keyStorePassword)
          Creates a new instance of this SSL socket factory.
JSSERandomClientCertSocketFactory(java.lang.String keyStoreFile, char[] keyStorePassword, boolean debugMode)
          Creates a new instance of this SSL socket factory.
 
Method Summary
 boolean alwaysRandom()
          Indicates whether the client certificate selection will be always taken at random, or if the selection should only be random the first time a certificate is needed or after the chooseNewClientCert method is called.
 void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)
          Determines whether the provided client certificate should be trusted.
 void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)
          Determines whether the provided server certificate should be trusted.
 java.lang.String chooseClientAlias(java.lang.String[] keyTypes, java.security.Principal[] issuers, java.net.Socket socket)
          Chooses the alias of the client certificate that should be presented to the server.
 void chooseNewClientCert()
          Indicates that this socket factory should choose a new client certificate at random the next time it must present a certificate to an SSL server.
 java.lang.String chooseServerAlias(java.lang.String keyType, java.security.Principal[] issuers, java.net.Socket socket)
          Chooses the alias of the server certificate that should be presented to clients.
 java.net.Socket createSocket(java.net.InetAddress host, int port)
          Creates a new SSL socket connected to the specified host and port.
 java.net.Socket createSocket(java.net.InetAddress host, int port, java.net.InetAddress localAddress, int localPort)
          Creates a new SSL socket connected to the specified host and port.
 java.net.Socket createSocket(java.net.Socket socket, java.lang.String host, int port, boolean autoClose)
          Converts the provided socket to an SSL socket using this socket factory.
 java.net.Socket createSocket(java.lang.String host, int port)
          Creates a new SSL socket connected to the specified host and port.
 java.net.Socket createSocket(java.lang.String host, int port, java.net.InetAddress localHost, int localPort)
          Creates a new SSL socket connected to the specified host and port.
 boolean disableSessionCaching()
          Indicates whether session caching has been disabled for SSL sockets created using this socket factory.
 java.security.cert.X509Certificate[] getAcceptedIssuers()
          Retrieves an array of CA certificates that are trusted for authenticating peers.
 java.lang.String[] getAliases()
          Retrieves the aliases of the client certificates that are available for use in the key store.
 java.security.cert.X509Certificate[] getCertificateChain(java.lang.String alias)
          Retrieves the certificate chain for the certificate with the given alias.
 java.lang.String[] getClientAliases(java.lang.String keyType, java.security.Principal[] issuers)
          Retrieves the aliases of the certificates available for use by clients, in accordance with the provided criteria.
 java.lang.String getCurrentAlias()
          Retrieves the alias of the client certificate that will be used the next time the client must present a certificate to an SSL server.
 java.lang.String[] getDefaultCipherSuites()
          Retrieves the set of cipher suites that are enabled by default.
 java.security.PrivateKey getPrivateKey(java.lang.String alias)
          Retrieves the private key for the certificate with the specified alias.
 java.lang.String[] getServerAliases(java.lang.String keyType, java.security.Principal[] issuers)
          Retrieves the aliases of the certificates available for use by an SSL server, in accordance with the provided criteria.
 java.lang.String[] getSupportedCipherSuites()
          Retrieves the set of cipher suites that can be used to create SSL sockets.
 java.net.Socket makeSocket(java.lang.String host, int port)
          Establishes an SSL socket to the provided host and port that can be used by the LDAP SDK for Java for communicating with an LDAP directory server.
 void setAlwaysRandom(boolean alwaysRandom)
          Specifies whether the client certificate selection should always be random, or if the selection should only be random the first time a certificate is needed or after the chooseNewClientCert method is called.
 void setCurrentAlias(java.lang.String alias)
          Specifies the alias of the client certificate that should be used the next time the client must present a certificate to an SSL server.
 void setDisableSessionCaching(boolean disableSessionCaching)
          Specifies whether session caching should be disabled for SSL sockets created using this socket factory.
 
Methods inherited from class javax.net.ssl.SSLSocketFactory
getDefault
 
Methods inherited from class javax.net.SocketFactory
createSocket
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

JSSERandomClientCertSocketFactory

public JSSERandomClientCertSocketFactory(java.lang.String keyStoreFile,
                                         char[] keyStorePassword)
                                  throws netscape.ldap.LDAPException
Creates a new instance of this SSL socket factory.

Parameters:
keyStoreFile - The path to the JKS-format JSSE keystore containing the client certificates to use in the authentication process.
keyStorePassword - The password needed to access the information in the keystore, formatted as a character array.
Throws:
netscape.ldap.LDAPException - If a problem occurs while initializing this socket factory.

JSSERandomClientCertSocketFactory

public JSSERandomClientCertSocketFactory(java.lang.String keyStoreFile,
                                         char[] keyStorePassword,
                                         boolean debugMode)
                                  throws netscape.ldap.LDAPException
Creates a new instance of this SSL socket factory.

Parameters:
keyStoreFile - The path to the JKS-format JSSE keystore containing the client certificates to use in the authentication process.
keyStorePassword - The password needed to access the information in the keystore, formatted as a character array.
debugMode - Indicates whether this socket factory will operate in debug mode.
Throws:
netscape.ldap.LDAPException - If a problem occurs while initializing this socket factory.

Method Detail

getCurrentAlias

public java.lang.String getCurrentAlias()
Retrieves the alias of the client certificate that will be used the next time the client must present a certificate to an SSL server.

Returns:
The alias of the client certificate that will be used the next time the client must present a certificate to an SSL server, or null if the next certificate will be chosen at random.

setCurrentAlias

public void setCurrentAlias(java.lang.String alias)
Specifies the alias of the client certificate that should be used the next time the client must present a certificate to an SSL server. This selection will remain in effect until the chooseNewClientCert method is called (in which case the next certificate will be chosen at random) or the setCurrentAlias method is called again to choose a different alias. Note that no error checking is performed, so if the specified alias does not exist in the keystore, then attempts to use that certificate will fail. Also note that this will override the setting of the alwaysRandom flag, so this certificate will always be used until the chooseNewClientCert method is called, at which point the alwaysRandom flag will again be honored.

Parameters:
alias - The alias of the client certificate that should be used the next time the client must present a certificate to an SSL server. A value of null indicates that the next selection should be random.
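The alias-selection rules documented above (a random first pick that is reused until chooseNewClientCert is called, the alwaysRandom flag, and an explicit setCurrentAlias that overrides that flag until chooseNewClientCert is called again) as an added example. This is not the SLAMD class's own code: RandomAliasKeyManager is a hypothetical X509KeyManager that reproduces the same state machine over a JKS keystore, and its buildSocketFactory method pairs it with the JVM's default trust manager instead of the trust-every-server checkServerTrusted this page describes, so the server's certificate chain is still validated. The class name, the keystore path and password, and the "TLS" context name are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Hypothetical key manager (not the SLAMD class) reproducing the documented selection rules. */
public final class RandomAliasKeyManager implements X509KeyManager {
    private final KeyStore keyStore;
    private final char[] password;
    private final List<String> aliases;          // private-key entries only
    private final SecureRandom random = new SecureRandom();
    private String currentAlias;                 // null: pick at random next time
    private boolean explicitAlias;               // true after setCurrentAlias(non-null)
    private boolean alwaysRandom;

    public RandomAliasKeyManager(String keyStoreFile, char[] keyStorePassword)
            throws IOException, GeneralSecurityException {
        keyStore = KeyStore.getInstance("JKS");   // JKS, as the page's class expects
        try (FileInputStream in = new FileInputStream(keyStoreFile)) {
            keyStore.load(in, keyStorePassword);
        }
        password = keyStorePassword.clone();
        List<String> found = new ArrayList<>();
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (keyStore.isKeyEntry(alias)) found.add(alias);   // skip trusted-cert-only entries
        }
        if (found.isEmpty()) throw new KeyStoreException("no private-key entries in " + keyStoreFile);
        aliases = Collections.unmodifiableList(found);
    }

    public synchronized void setAlwaysRandom(boolean alwaysRandom) { this.alwaysRandom = alwaysRandom; }
    public synchronized String[] getAliases() { return aliases.toArray(new String[0]); }

    /** Pins an alias until chooseNewClientCert(); null means "random next time". */
    public synchronized void setCurrentAlias(String alias) {
        currentAlias = alias;
        explicitAlias = (alias != null);
    }

    public synchronized void chooseNewClientCert() {
        currentAlias = null;
        explicitAlias = false;
    }

    @Override
    public synchronized String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        // Re-pick when nothing is chosen yet, or on every call if alwaysRandom and no explicit pin.
        if (currentAlias == null || (alwaysRandom && !explicitAlias)) {
            currentAlias = aliases.get(random.nextInt(aliases.size()));
        }
        return currentAlias;
    }

    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return getAliases(); }
    // Client-only manager: it never offers a server certificate.
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        try {
            java.security.cert.Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null) return null;       // unknown alias, as documented on this page
            X509Certificate[] out = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) out[i] = (X509Certificate) chain[i];
            return out;
        } catch (KeyStoreException e) {
            return null;
        }
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        try {
            return (PrivateKey) keyStore.getKey(alias, password);
        } catch (GeneralSecurityException e) {
            return null;                          // unknown alias or unrecoverable key
        }
    }

    /** Unlike the page's class, validates the server chain against the JVM default trust store. */
    public SSLSocketFactory buildSocketFactory() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                // null: use the default cacerts trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { this }, tmf.getTrustManagers(), random);
        return ctx.getSocketFactory();
    }
}
```

Chain validation alone does not bind the certificate to the host you dialled; sockets from this factory still need endpoint identification enabled before the handshake (for example, SSLParameters.setEndpointIdentificationAlgorithm("LDAPS") applied to the SSLSocket), otherwise any certificate the default trust store accepts would be accepted for any host.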

getAliases

public java.lang.String[] getAliases()
Retrieves the aliases of the client certificates that are available for use in the key store.

Returns:
The aliases of the client certificates that are available for use in the key store.

chooseNewClientCert

public void chooseNewClientCert()
Indicates that this socket factory should choose a new client certificate at random the next time it must present a certificate to an SSL server.
alwaysRandom

public boolean alwaysRandom()
Indicates whether the client certificate selection will be always taken at random, or if the selection should only be random the first time a certificate is needed or after the chooseNewClientCert method is called.

Returns:
true if the client certificate selection will always be random, or false if not.

setAlwaysRandom

public void setAlwaysRandom(boolean alwaysRandom)
Specifies whether the client certificate selection should always be random, or if the selection should only be random the first time a certificate is needed or after the chooseNewClientCert method is called.

Parameters:
alwaysRandom - Specifies whether the client certificate selection should always be random.

disableSessionCaching

public boolean disableSessionCaching()
Indicates whether session caching has been disabled for SSL sockets created using this socket factory.

Returns:
true if session caching has been disabled, or false if not.

setDisableSessionCaching

public void setDisableSessionCaching(boolean disableSessionCaching)
Specifies whether session caching should be disabled for SSL sockets created using this socket factory.

Parameters:
disableSessionCaching - Indicates whether session caching should be disabled for SSL sockets created using this socket factory.

chooseClientAlias

public java.lang.String chooseClientAlias(java.lang.String[] keyTypes,
                                          java.security.Principal[] issuers,
                                          java.net.Socket socket)
Chooses the alias of the client certificate that should be presented to the server.

Specified by:
chooseClientAlias in interface javax.net.ssl.X509KeyManager
Parameters:
keyTypes - The key type algorithm name(s) to use in making the selection.
issuers - The set of accepted issuers to use in making the selection.
socket - The socket to use in making the selection.
Returns:
The alias of the client certificate that should be presented to the server.

getClientAliases

public java.lang.String[] getClientAliases(java.lang.String keyType,
                                           java.security.Principal[] issuers)
Retrieves the aliases of the certificates available for use by clients, in accordance with the provided criteria.

Specified by:
getClientAliases in interface javax.net.ssl.X509KeyManager
Parameters:
keyType - The key type algorithm name of certificates to include in the set of aliases returned.
issuers - The set of accepted issuers of certificates to include in the set of aliases returned.
Returns:
The aliases of the certificates available for use by clients, in accordance with the provided criteria.

chooseServerAlias

public java.lang.String chooseServerAlias(java.lang.String keyType,
                                          java.security.Principal[] issuers,
                                          java.net.Socket socket)
Chooses the alias of the server certificate that should be presented to clients.

Specified by:
chooseServerAlias in interface javax.net.ssl.X509KeyManager
Parameters:
keyType - The key type algorithm name to use in making the selection.
issuers - The set of accepted issuers to use in making the selection.
socket - The socket to use in making the selection.
Returns:
The alias of the server certificate that should be presented to clients.

getServerAliases

public java.lang.String[] getServerAliases(java.lang.String keyType,
                                           java.security.Principal[] issuers)
Retrieves the aliases of the certificates available for use by an SSL server, in accordance with the provided criteria.

Specified by:
getServerAliases in interface javax.net.ssl.X509KeyManager
Parameters:
keyType - The key type algorithm name of certificates to include in the set of aliases returned.
issuers - The set of accepted issuers of certificates to include in the set of aliases returned.
Returns:
The aliases of the certificates available for use by an SSL server, in accordance with the provided criteria.

getPrivateKey

public java.security.PrivateKey getPrivateKey(java.lang.String alias)
Retrieves the private key for the certificate with the specified alias.

Specified by:
getPrivateKey in interface javax.net.ssl.X509KeyManager
Parameters:
alias - The alias of the certificate for which to retrieve the private key.
Returns:
The private key of the requested certificate, or null if the specified certificate cannot be found.

getCertificateChain

public java.security.cert.X509Certificate[] getCertificateChain(java.lang.String alias)
Retrieves the certificate chain for the certificate with the given alias. The chain will be returned in order, with the specified certificate first and the root issuer last.

Specified by:
getCertificateChain in interface javax.net.ssl.X509KeyManager
Parameters:
alias - The alias of the certificate for which to retrieve the certificate chain.
Returns:
The certificate chain for the certificate with the given alias, or null if the specified certificate cannot be found.

checkClientTrusted

public void checkClientTrusted(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType)
Determines whether the provided client certificate should be trusted. In this case, the certificate will always be trusted.

Specified by:
checkClientTrusted in interface javax.net.ssl.X509TrustManager
Parameters:
chain - The peer certificate chain.
authType - The authentication type based on the client certificate.

checkServerTrusted

public void checkServerTrusted(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType)
Determines whether the provided server certificate should be trusted. In this case, the certificate will always be trusted.

Specified by:
checkServerTrusted in interface javax.net.ssl.X509TrustManager
Parameters:
chain - The peer certificate chain.
authType - The authentication type based on the server certificate.

getAcceptedIssuers

public java.security.cert.X509Certificate[] getAcceptedIssuers()
Retrieves an array of CA certificates that are trusted for authenticating peers.

Specified by:
getAcceptedIssuers in interface javax.net.ssl.X509TrustManager
Returns:
An empty array, because this trust manager does not restrict the set of accepted CAs.

makeSocket

public java.net.Socket makeSocket(java.lang.String host,
                                  int port)
                           throws netscape.ldap.LDAPException
Establishes an SSL socket to the provided host and port that can be used by the LDAP SDK for Java for communicating with an LDAP directory server.

Specified by:
makeSocket in interface netscape.ldap.LDAPSocketFactory
Parameters:
host - The address of the server to which the connection is to be established.
port - The port number of the server to which the connection is to be established.
Returns:
The SSL socket that may be used for communicating with the directory server.
Throws:
netscape.ldap.LDAPException - If a problem occurs while trying to establish the connection.

createSocket

public java.net.Socket createSocket(java.lang.String host,
                                    int port)
                             throws java.io.IOException
Creates a new SSL socket connected to the specified host and port.

Specified by:
createSocket in class javax.net.SocketFactory
Parameters:
host - The address of the system to which the SSL socket should be connected.
port - The port on the target system to which the SSL socket should be connected.
Returns:
The created SSL socket.
Throws:
java.io.IOException - If a problem occurs while creating the SSL socket.

createSocket

public java.net.Socket createSocket(java.lang.String host,
                                    int port,
                                    java.net.InetAddress localHost,
                                    int localPort)
                             throws java.io.IOException
Creates a new SSL socket connected to the specified host and port.

Specified by:
createSocket in class javax.net.SocketFactory
Parameters:
host - The address of the system to which the SSL socket should be connected.
port - The port on the target system to which the SSL socket should be connected.
localHost - The address on the local system from which the socket should originate.
localPort - The port on the local system from which the socket should originate.
Returns:
The created SSL socket.
Throws:
java.io.IOException - If a problem occurs while creating the SSL socket.

createSocket

public java.net.Socket createSocket(java.net.InetAddress host,
                                    int port)
                             throws java.io.IOException
Creates a new SSL socket connected to the specified host and port.

Specified by:
createSocket in class javax.net.SocketFactory
Parameters:
host - The address of the system to which the SSL socket should be connected.
port - The port on the target system to which the SSL socket should be connected.
Returns:
The created SSL socket.
Throws:
java.io.IOException - If a problem occurs while creating the SSL socket.

createSocket

public java.net.Socket createSocket(java.net.InetAddress host,
                                    int port,
                                    java.net.InetAddress localAddress,
                                    int localPort)
                             throws java.io.IOException
Creates a new SSL socket connected to the specified host and port.

Specified by:
createSocket in class javax.net.SocketFactory
Parameters:
host - The address of the system to which the SSL socket should be connected.
port - The port on the target system to which the SSL socket should be connected.
localAddress - The address on the local system from which the socket should originate.
localPort - The port on the local system from which the socket should originate.
Returns:
The created SSL socket.
Throws:
java.io.IOException - If a problem occurs while creating the SSL socket.

createSocket

public java.net.Socket createSocket(java.net.Socket socket,
                                    java.lang.String host,
                                    int port,
                                    boolean autoClose)
                             throws java.io.IOException
Converts the provided socket to an SSL socket using this socket factory.

Specified by:
createSocket in class javax.net.ssl.SSLSocketFactory
Parameters:
socket - The socket to convert to an SSL socket.
host - The host to which the socket is connected.
port - The port to which the socket is connected.
autoClose - Indicates whether the underlying socket should be closed when the returned SSL socket is closed.
Returns:
The created SSL socket.
Throws:
java.io.IOException - If a problem occurs while creating the SSL socket.

getDefaultCipherSuites

public java.lang.String[] getDefaultCipherSuites()
Retrieves the set of cipher suites that are enabled by default.

Specified by:
getDefaultCipherSuites in class javax.net.ssl.SSLSocketFactory
Returns:
The set of cipher suites that are enabled by default.

getSupportedCipherSuites

public java.lang.String[] getSupportedCipherSuites()
Retrieves the set of cipher suites that can be used to create SSL sockets.

Specified by:
getSupportedCipherSuites in class javax.net.ssl.SSLSocketFactory
Returns:
The set of cipher suites that can be used to create SSL sockets.