org.postgresql.ssl.jdbc4.LazyKeyManager Maven / Gradle / Ivy
package org.postgresql.ssl.jdbc4;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.Socket;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.x500.X500Principal;
import org.postgresql.util.GT;
import org.postgresql.util.PSQLException;
import org.postgresql.util.PSQLState;
/**
* A Key manager that only loads the keys, if necessary.
*
*/
public class LazyKeyManager implements X509KeyManager {
private X509Certificate[] cert = null;
private PrivateKey key = null;
private String certfile;
private String keyfile;
private CallbackHandler cbh;
private boolean defaultfile;
private PSQLException error = null;
/**
* Constructor. certfile and keyfile can be null, in that case no
* certificate is presented to the server.
* @param certfile
* @param keyfile
* @param cbh
* @param defaultfile
*/
public LazyKeyManager(String certfile, String keyfile, CallbackHandler cbh, boolean defaultfile) {
this.certfile = certfile;
this.keyfile = keyfile;
this.cbh = cbh;
this.defaultfile = defaultfile;
}
/**
* getCertificateChain and getPrivateKey cannot throw exeptions,
* therefore any exception is stored in this.error and can be raised
* by this method
* @throws PSQLException
*/
public void throwKeyManagerException() throws PSQLException
{
if (error!=null) throw error;
}
public String chooseClientAlias(String[] keyType, Principal[] issuers,
Socket socket) {
if (certfile==null)
{
return null;
} else {
if (issuers==null || issuers.length==0)
{ //Postgres 8.4 and earlier do not send the list of accepted certificate authorities
//to the client. See BUG #5468. We only hope, that our certificate will be accepted.
return "user";
} else { //Sending a wrong certificate makes the connection rejected, even, if clientcert=0 in pg_hba.conf.
//therefore we only send our certificate, if the issuer is listed in issuers
X509Certificate[] certchain = getCertificateChain("user");
if (certchain==null)
{
return null;
} else {
X500Principal ourissuer = certchain[certchain.length-1].getIssuerX500Principal();
boolean found = false;
for (int i=0; i
© 2015 - 2025 Weber Informatics LLC | Privacy Policy