Package org.postgresql.ssl

Class BaseX509KeyManager

  • All Implemented Interfaces:
    javax.net.ssl.KeyManager, javax.net.ssl.X509KeyManager
    Direct Known Subclasses:
    PEMKeyManager, PKCS12KeyManager
    public abstract class BaseX509KeyManager
extends java.lang.Object
implements javax.net.ssl.X509KeyManager

    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      java.lang.String chooseClientAlias​(java.lang.String[] keyType, java.security.Principal[] principals, java.net.Socket socket)  
      java.lang.String chooseServerAlias​(java.lang.String s, java.security.Principal[] principals, java.net.Socket socket)  
      java.lang.String[] getClientAliases​(java.lang.String keyType, java.security.Principal[] principals)  
      java.lang.String[] getServerAliases​(java.lang.String s, java.security.Principal[] principals)  
      void throwKeyManagerException()
      getCertificateChain and getPrivateKey cannot throw exceptions, therefore any exception is stored in error and can be raised by this method.
      static void validateKeyFilePermissions​(java.nio.file.Path keyPath)
      Validates that the private key file has secure permissions, matching libpq behavior.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

      • Methods inherited from interface javax.net.ssl.X509KeyManager

        getCertificateChain, getPrivateKey

    • Constructor Detail

      • BaseX509KeyManager

        public BaseX509KeyManager()

    • Method Detail

      • throwKeyManagerException

        public void throwKeyManagerException()
                              throws PSQLException
        getCertificateChain and getPrivateKey cannot throw exceptions, therefore any exception is stored in error and can be raised by this method.
        Throws:
        PSQLException - if any exception is stored in error and can be raised

      • getClientAliases

        public java.lang.String[] getClientAliases​(java.lang.String keyType,
                                           java.security.Principal[] principals)
        Specified by:
        getClientAliases in interface javax.net.ssl.X509KeyManager

      • chooseClientAlias

        public java.lang.String chooseClientAlias​(java.lang.String[] keyType,
                                          java.security.Principal[] principals,
                                          java.net.Socket socket)
        Specified by:
        chooseClientAlias in interface javax.net.ssl.X509KeyManager

      • getServerAliases

        public java.lang.String[] getServerAliases​(java.lang.String s,
                                           java.security.Principal[] principals)
        Specified by:
        getServerAliases in interface javax.net.ssl.X509KeyManager

      • chooseServerAlias

        public java.lang.String chooseServerAlias​(java.lang.String s,
                                          java.security.Principal[] principals,
                                          java.net.Socket socket)
        Specified by:
        chooseServerAlias in interface javax.net.ssl.X509KeyManager

      • validateKeyFilePermissions

        public static void validateKeyFilePermissions​(java.nio.file.Path keyPath)
                                       throws PSQLException
        Validates that the private key file has secure permissions, matching libpq behavior. On POSIX systems, root-owned files are allowed group-read access (up to 0640), since it's common for root to own certs and grant read access via group membership. Files owned by anyone else must be 0600 or stricter. On Windows, ACLs are checked to ensure only the owner and trusted system accounts have access.
        Parameters:
        keyPath - the path to the private key file
        Throws:
        PSQLException - if the file has insecure permissions