Class SniX509ExtendedKeyManager

  • All Implemented Interfaces:
    KeyManager, X509KeyManager

    public class SniX509ExtendedKeyManager
    extends X509ExtendedKeyManager
    The Eclipse Jetty and Apache Felix Http Jetty packages are no longer supported.

    An X509ExtendedKeyManager that selects a key with an alias retrieved from SNI information, delegating other processing to a nested X509ExtendedKeyManager.

    Can only be used on server side.

    • Method Detail

      • setAliasMapper

        public void setAliasMapper(UnaryOperator<String> aliasMapper)

        Sets a function that transforms the alias into a possibly different alias, invoked when the SNI logic must choose the alias to pick the right certificate.

        This function is required when using the PKIX KeyManagerFactory algorithm, which suffers from a bug where aliases are returned by the OpenJDK implementation to the application in the form N.0.alias, where N is an always increasing number. Such mangled aliases won't match the aliases in the keystore, so that, for example, SNI matching will always fail.

        Other implementations such as BouncyCastle have been reported to mangle the alias in a different way, namely 0.alias.N.

        This function makes it possible to "unmangle" the alias from the implementation-specific mangling back to just alias, so that SNI matching works again.

        aliasMapper - the function that transforms the alias
      • getClientAliases

        public String[] getClientAliases(String keyType,
                                         Principal[] issuers)
      • getServerAliases

        public String[] getServerAliases(String keyType,
                                         Principal[] issuers)
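
One way to write the alias mapper that setAliasMapper expects, covering the N.0.alias and 0.alias.N forms described above; this is an added example, not Jetty's own code, and the AliasUnmangler class and its method names are hypothetical. It assumes the keystore's aliases are available, and accepts an unmangled alias only when it exists in the keystore, so an alias that merely resembles a mangled form is left unchanged.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper (not part of Jetty): builds an alias mapper for setAliasMapper. */
public final class AliasUnmangler {
    // OpenJDK PKIX form described above: N.0.alias
    private static final Pattern OPENJDK = Pattern.compile("^\\d+\\.0\\.(.+)$");
    // BouncyCastle form described above: 0.alias.N
    private static final Pattern BOUNCY_CASTLE = Pattern.compile("^0\\.(.+)\\.\\d+$");

    private AliasUnmangler() {}

    /** Returns a mapper that only unmangles to aliases present in the given set. */
    public static UnaryOperator<String> forAliases(Set<String> known) {
        return alias -> {
            if (alias == null || known.contains(alias)) {
                return alias; // already a real keystore alias (or nothing to map)
            }
            for (Pattern p : new Pattern[] {OPENJDK, BOUNCY_CASTLE}) {
                Matcher m = p.matcher(alias);
                if (m.matches() && known.contains(m.group(1))) {
                    return m.group(1);
                }
            }
            return alias; // unknown shape: leave untouched so the mismatch stays visible
        };
    }

    /** Convenience overload that snapshots the aliases of a loaded KeyStore. */
    public static UnaryOperator<String> forKeyStore(KeyStore keyStore) throws KeyStoreException {
        return forAliases(new HashSet<>(Collections.list(keyStore.aliases())));
    }

    public static void main(String[] args) {
        // Constructed sample aliases, standing in for a keystore's contents.
        UnaryOperator<String> mapper = forAliases(new HashSet<>(Arrays.asList("www.example.com", "api")));
        System.out.println(mapper.apply("7.0.www.example.com")); // input in OpenJDK form
        System.out.println(mapper.apply("0.api.3"));             // input in BouncyCastle form
        System.out.println(mapper.apply("7.0.unknown"));         // input whose alias is not in the keystore
    }
}
```

The mapper is passed to setAliasMapper on the SniX509ExtendedKeyManager instance, for example as AliasUnmangler.forKeyStore(keyStore).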