Alternative providers for key/trust stores

Updated the KeyStoreKeyManager and TrustStoreTrustManager classes to make it possible to use alternative security providers when accessing key store files. It is also possible to indicate whether non-FIPS 140-2-compliant key stores may be accessed in applications running in FIPS-compliant mode.
pingidentity · Apr 5, 2024 · a31d7e3 · a31d7e3
1 parent 47164c5
commit a31d7e3
Show file tree

Hide file tree

Showing 7 changed files with 2,206 additions and 41 deletions.
diff --git a/docs/release-notes.html b/docs/release-notes.html
@@ -30,6 +30,14 @@ <h3>Version 7.0.1</h3>
                   <br><br>
                 </li>
 
+                <li>
+                  Updated the KeyStoreKeyManager and TrustStoreTrustManager classes to make it
+                  possible to use alternative security providers when accessing key store files.  It
+                  is also possible to indicate whether non-FIPS 140-2-compliant key stores may be
+                  accessed in applications running in FIPS-compliant mode.
+                  <br><br>
+                </li>
+
                 <li>
                   Fixed an issue in which the parallel-update tool would buffer data written to the
                   reject file.  This could prevent information from appearing in that file until

diff --git a/src/com/unboundid/util/ssl/KeyStoreKeyManager.java b/src/com/unboundid/util/ssl/KeyStoreKeyManager.java
@@ -58,7 +58,6 @@
 import com.unboundid.util.StaticUtils;
 import com.unboundid.util.ThreadSafety;
 import com.unboundid.util.ThreadSafetyLevel;
-import com.unboundid.util.Validator;
 
 import static com.unboundid.util.ssl.SSLMessages.*;
 
@@ -276,27 +275,15 @@ public KeyStoreKeyManager(@NotNull final String keyStoreFile,
                             final boolean validateKeyStore)
          throws KeyStoreException
   {
-    super(
-         getKeyManagers(keyStoreFile, keyStorePIN, keyStoreFormat,
-              certificateAlias, validateKeyStore),
-          certificateAlias);
-
-    this.keyStoreFile     = keyStoreFile;
-
-    if (keyStoreFormat == null)
-    {
-      this.keyStoreFormat = CryptoHelper.getDefaultKeyStoreType();
-    }
-    else
-    {
-      this.keyStoreFormat = keyStoreFormat;
-    }
+    this(createProperties(keyStoreFile, keyStorePIN, keyStoreFormat,
+         certificateAlias, validateKeyStore));
   }
 
 
 
   /**
-   * Retrieves the set of key managers that will be wrapped by this key manager.
+   * Creates a set of key store key manager properties with the provided
+   * information.
    *
    * @param  keyStoreFile      The path to the key store file to use.  It must
    *                           not be {@code null}.
@@ -320,35 +307,91 @@ public KeyStoreKeyManager(@NotNull final String keyStoreFile,
    *                           store contains at least one valid private key
    *                           entry.
    *
+   * @return  The key store key manager properties object that was created from
+   *          the provided information.
+   */
+  @NotNull()
+  private static KeyStoreKeyManagerProperties createProperties(
+               @NotNull final String keyStoreFile,
+               @Nullable final char[] keyStorePIN,
+               @Nullable final String keyStoreFormat,
+               @Nullable final String certificateAlias,
+               final boolean validateKeyStore)
+  {
+    final KeyStoreKeyManagerProperties properties =
+         new KeyStoreKeyManagerProperties(keyStoreFile);
+    properties.setKeyStorePIN(keyStorePIN);
+    properties.setKeyStoreFormat(keyStoreFormat);
+    properties.setCertificateAlias(certificateAlias);
+    properties.setValidateKeyStore(validateKeyStore);
+    return properties;
+  }
+
+
+
+  /**
+   * Creates a new instance of this key store key manager that provides the
+   * ability to retrieve certificates from the specified key store file.
+   *
+   * @param  properties  The properties to use to create this key manager.  It
+   *                     must not be {@code null}.
+   *
+   * @throws  KeyStoreException  If a problem occurs while initializing this key
+   *                             manager, or if validation fails.
+   */
+  public KeyStoreKeyManager(
+              @NotNull final KeyStoreKeyManagerProperties properties)
+         throws KeyStoreException
+  {
+    super(getKeyManagers(properties), properties.getCertificateAlias());
+
+    keyStoreFile = properties.getKeyStorePath();
+
+    final String keyStoreType = properties.getKeyStoreFormat();
+    if (keyStoreType == null)
+    {
+      keyStoreFormat = CryptoHelper.getDefaultKeyStoreType();
+    }
+    else
+    {
+      keyStoreFormat = keyStoreType;
+    }
+  }
+
+
+
+  /**
+   * Retrieves the set of key managers that will be wrapped by this key manager.
+   *
+   * @param  properties  The properties to use to create the key managers.  It
+   *                     must not be {@code null}.
+   *
    * @return  The set of key managers that will be wrapped by this key manager.
    *
    * @throws  KeyStoreException  If a problem occurs while initializing this key
    *                             manager, or if validation fails.
    */
   @NotNull()
   private static KeyManager[] getKeyManagers(
-                                   @NotNull final String keyStoreFile,
-                                   @Nullable final char[] keyStorePIN,
-                                   @Nullable final String keyStoreFormat,
-                                   @Nullable final String certificateAlias,
-                                   final boolean validateKeyStore)
+               @NotNull final KeyStoreKeyManagerProperties properties)
           throws KeyStoreException
   {
-    Validator.ensureNotNull(keyStoreFile);
-
-    String type = keyStoreFormat;
+    String type = properties.getKeyStoreFormat();
     if (type == null)
     {
       type = CryptoHelper.getDefaultKeyStoreType();
     }
 
-    final File f = new File(keyStoreFile);
+    final String keyStorePath = properties.getKeyStorePath();
+    final File f = new File(keyStorePath);
     if (! f.exists())
     {
-      throw new KeyStoreException(ERR_KEYSTORE_NO_SUCH_FILE.get(keyStoreFile));
+      throw new KeyStoreException(ERR_KEYSTORE_NO_SUCH_FILE.get(keyStorePath));
     }
 
-    final KeyStore ks = CryptoHelper.getKeyStore(type);
+    final char[] keyStorePIN = properties.getKeyStorePIN();
+    final KeyStore ks = CryptoHelper.getKeyStore(type,
+         properties.getProvider(), properties.allowNonFIPSInFIPSMode());
     FileInputStream inputStream = null;
     try
     {
@@ -360,7 +403,7 @@ private static KeyManager[] getKeyManagers(
       Debug.debugException(e);
 
       throw new KeyStoreException(
-           ERR_KEYSTORE_CANNOT_LOAD.get(keyStoreFile, type, String.valueOf(e)),
+           ERR_KEYSTORE_CANNOT_LOAD.get(keyStorePath, type, String.valueOf(e)),
            e);
     }
     finally
@@ -378,9 +421,9 @@ private static KeyManager[] getKeyManagers(
       }
     }
 
-    if (validateKeyStore)
+    if (properties.validateKeyStore())
     {
-      validateKeyStore(ks, f, keyStorePIN, certificateAlias);
+      validateKeyStore(ks, f, keyStorePIN, properties.getCertificateAlias());
     }
 
     try
@@ -394,8 +437,8 @@ private static KeyManager[] getKeyManagers(
       Debug.debugException(e);
 
       throw new KeyStoreException(
-           ERR_KEYSTORE_CANNOT_GET_KEY_MANAGERS.get(keyStoreFile,
-                keyStoreFormat, StaticUtils.getExceptionMessage(e)),
+           ERR_KEYSTORE_CANNOT_GET_KEY_MANAGERS.get(keyStorePath, type,
+                StaticUtils.getExceptionMessage(e)),
            e);
     }
   }