/*
 * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package javax.net.ssl;

import java.security.PrivateKey;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.net.Socket;

Instances of this interface manage which X509 certificate-based key pairs are used to authenticate the local side of a secure socket.

During secure socket negotiations, implementations call methods in this interface to:

  • determine the set of aliases that are available for negotiations based on the criteria presented,
  • select the best alias based on the criteria presented, and
  • obtain the corresponding key material for given aliases.

Note: the X509ExtendedKeyManager should be used in favor of this class.

Since:1.4
/** * Instances of this interface manage which X509 certificate-based * key pairs are used to authenticate the local side of a secure * socket. * <P> * During secure socket negotiations, implementations * call methods in this interface to: * <UL> * <LI> determine the set of aliases that are available for negotiations * based on the criteria presented, * <LI> select the <i> best alias</i> based on * the criteria presented, and * <LI> obtain the corresponding key material for given aliases. * </UL> * <P> * Note: the X509ExtendedKeyManager should be used in favor of this * class. * * @since 1.4 */
public interface X509KeyManager extends KeyManager {
Get the matching aliases for authenticating the client side of a secure socket given the public key type and the list of certificate issuer authorities recognized by the peer (if any).
Params:
  • keyType – the key algorithm type name
  • issuers – the list of acceptable CA issuer subject names, or null if it does not matter which issuers are used.
Returns:an array of the matching alias names, or null if there were no matches.
/** * Get the matching aliases for authenticating the client side of a secure * socket given the public key type and the list of * certificate issuer authorities recognized by the peer (if any). * * @param keyType the key algorithm type name * @param issuers the list of acceptable CA issuer subject names, * or null if it does not matter which issuers are used. * @return an array of the matching alias names, or null if there * were no matches. */
public String[] getClientAliases(String keyType, Principal[] issuers);
Choose an alias to authenticate the client side of a secure socket given the public key type and the list of certificate issuer authorities recognized by the peer (if any).
Params:
  • keyType – the key algorithm type name(s), ordered with the most-preferred key type first.
  • issuers – the list of acceptable CA issuer subject names or null if it does not matter which issuers are used.
  • socket – the socket to be used for this connection. This parameter can be null, which indicates that implementations are free to select an alias applicable to any socket.
Returns:the alias name for the desired key, or null if there are no matches.
/** * Choose an alias to authenticate the client side of a secure * socket given the public key type and the list of * certificate issuer authorities recognized by the peer (if any). * * @param keyType the key algorithm type name(s), ordered * with the most-preferred key type first. * @param issuers the list of acceptable CA issuer subject names * or null if it does not matter which issuers are used. * @param socket the socket to be used for this connection. This * parameter can be null, which indicates that * implementations are free to select an alias applicable * to any socket. * @return the alias name for the desired key, or null if there * are no matches. */
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket);
Get the matching aliases for authenticating the server side of a secure socket given the public key type and the list of certificate issuer authorities recognized by the peer (if any).
Params:
  • keyType – the key algorithm type name
  • issuers – the list of acceptable CA issuer subject names or null if it does not matter which issuers are used.
Returns:an array of the matching alias names, or null if there were no matches.
/** * Get the matching aliases for authenticating the server side of a secure * socket given the public key type and the list of * certificate issuer authorities recognized by the peer (if any). * * @param keyType the key algorithm type name * @param issuers the list of acceptable CA issuer subject names * or null if it does not matter which issuers are used. * @return an array of the matching alias names, or null * if there were no matches. */
public String[] getServerAliases(String keyType, Principal[] issuers);
Choose an alias to authenticate the server side of a secure socket given the public key type and the list of certificate issuer authorities recognized by the peer (if any).
Params:
  • keyType – the key algorithm type name.
  • issuers – the list of acceptable CA issuer subject names or null if it does not matter which issuers are used.
  • socket – the socket to be used for this connection. This parameter can be null, which indicates that implementations are free to select an alias applicable to any socket.
Returns:the alias name for the desired key, or null if there are no matches.
/** * Choose an alias to authenticate the server side of a secure * socket given the public key type and the list of * certificate issuer authorities recognized by the peer (if any). * * @param keyType the key algorithm type name. * @param issuers the list of acceptable CA issuer subject names * or null if it does not matter which issuers are used. * @param socket the socket to be used for this connection. This * parameter can be null, which indicates that * implementations are free to select an alias applicable * to any socket. * @return the alias name for the desired key, or null if there * are no matches. */
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket);
Returns the certificate chain associated with the given alias.
Params:
  • alias – the alias name
Returns:the certificate chain (ordered with the user's certificate first and the root certificate authority last), or null if the alias can't be found.
/** * Returns the certificate chain associated with the given alias. * * @param alias the alias name * @return the certificate chain (ordered with the user's certificate first * and the root certificate authority last), or null * if the alias can't be found. */
public X509Certificate[] getCertificateChain(String alias);
Returns the key associated with the given alias.
Params:
  • alias – the alias name
Returns:the requested key, or null if the alias can't be found.
/** * Returns the key associated with the given alias. * * @param alias the alias name * @return the requested key, or null if the alias can't be found. */
public PrivateKey getPrivateKey(String alias); }