Package io.grpc.util
Class AdvancedTlsX509KeyManager
- java.lang.Object
-
- javax.net.ssl.X509ExtendedKeyManager
-
- io.grpc.util.AdvancedTlsX509KeyManager
-
- All Implemented Interfaces:
KeyManager,X509KeyManager
public final class AdvancedTlsX509KeyManager extends X509ExtendedKeyManager
AdvancedTlsX509KeyManager is anX509ExtendedKeyManagerthat allows users to configure advanced TLS features, such as private key and certificate chain reloading.The alias increments on every credential load (e.g.
"key-1","key-2", ...), so the same alias always maps to the same key material. The previous alias is retained for one rotation to allow in-progress handshakes to complete, ensuring alias-to-key-material consistency across credential reloads.
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static interfaceAdvancedTlsX509KeyManager.CloseableMainly used to avoid throwing IO Exceptions in java.io.Closeable.
-
Constructor Summary
Constructors Constructor Description AdvancedTlsX509KeyManager()
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description StringchooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)StringchooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine)StringchooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)StringchooseServerAlias(String keyType, Principal[] issuers, Socket socket)X509Certificate[]getCertificateChain(String alias)String[]getClientAliases(String keyType, Principal[] issuers)PrivateKeygetPrivateKey(String alias)String[]getServerAliases(String keyType, Principal[] issuers)voidupdateIdentityCredentials(File certFile, File keyFile)Updates certificate chains and the private key from the local file paths.AdvancedTlsX509KeyManager.CloseableupdateIdentityCredentials(File certFile, File keyFile, long period, TimeUnit unit, ScheduledExecutorService executor)Schedules aScheduledExecutorServiceto read certificate chains and private key from the local file paths periodically, and update the cached identity credentials if they are both updated.voidupdateIdentityCredentials(X509Certificate[] certs, PrivateKey key)Updates the current cached private key and cert chains.voidupdateIdentityCredentials(PrivateKey key, X509Certificate[] certs)Deprecated.voidupdateIdentityCredentialsFromFile(File keyFile, File certFile)Deprecated.UseupdateIdentityCredentials(File, File)instead.AdvancedTlsX509KeyManager.CloseableupdateIdentityCredentialsFromFile(File keyFile, File certFile, long period, TimeUnit unit, ScheduledExecutorService executor)Deprecated.
-
-
-
Method Detail
-
getPrivateKey
public PrivateKey getPrivateKey(String alias)
-
getCertificateChain
public X509Certificate[] getCertificateChain(String alias)
-
chooseClientAlias
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
-
chooseEngineClientAlias
public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine)
- Overrides:
chooseEngineClientAliasin classX509ExtendedKeyManager
-
chooseServerAlias
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
-
chooseEngineServerAlias
public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
- Overrides:
chooseEngineServerAliasin classX509ExtendedKeyManager
-
updateIdentityCredentials
@Deprecated @InlineMe(replacement="this.updateIdentityCredentials(certs, key)") @ExperimentalApi("https://github.com/grpc/grpc-java/issues/8024") public void updateIdentityCredentials(PrivateKey key, X509Certificate[] certs)
Deprecated.Updates the current cached private key and cert chains.- Parameters:
key- the private key that is going to be usedcerts- the certificate chain that is going to be used
-
updateIdentityCredentials
public void updateIdentityCredentials(X509Certificate[] certs, PrivateKey key)
Updates the current cached private key and cert chains.- Parameters:
certs- the certificate chain that is going to be usedkey- the private key that is going to be used
-
updateIdentityCredentials
public AdvancedTlsX509KeyManager.Closeable updateIdentityCredentials(File certFile, File keyFile, long period, TimeUnit unit, ScheduledExecutorService executor) throws IOException, GeneralSecurityException
Schedules aScheduledExecutorServiceto read certificate chains and private key from the local file paths periodically, and update the cached identity credentials if they are both updated. You must close the returned Closeable before calling this method again or other update methods (updateIdentityCredentials(java.security.PrivateKey, java.security.cert.X509Certificate[]),updateIdentityCredentials(File, File)). Before scheduling the task, the method synchronously executesreadAndUpdateonce. The minimum refresh period of 1 minute is enforced.- Parameters:
certFile- the file on disk holding the certificate chainkeyFile- the file on disk holding the private keyperiod- the period between successive read-and-update executionsunit- the time unit of the initialDelay and period parametersexecutor- the executor service we use to read and update the credentials- Returns:
- an object that caller should close when the file refreshes are not needed
- Throws:
IOExceptionGeneralSecurityException
-
updateIdentityCredentials
public void updateIdentityCredentials(File certFile, File keyFile) throws IOException, GeneralSecurityException
Updates certificate chains and the private key from the local file paths.- Parameters:
certFile- the file on disk holding the certificate chainkeyFile- the file on disk holding the private key- Throws:
IOExceptionGeneralSecurityException
-
updateIdentityCredentialsFromFile
@Deprecated @InlineMe(replacement="this.updateIdentityCredentials(certFile, keyFile)") @ExperimentalApi("https://github.com/grpc/grpc-java/issues/8024") public void updateIdentityCredentialsFromFile(File keyFile, File certFile) throws IOException, GeneralSecurityException
Deprecated.UseupdateIdentityCredentials(File, File)instead.Updates the private key and certificate chains from the local file paths.- Parameters:
keyFile- the file on disk holding the private keycertFile- the file on disk holding the certificate chain- Throws:
IOExceptionGeneralSecurityException
-
updateIdentityCredentialsFromFile
@Deprecated @InlineMe(replacement="this.updateIdentityCredentials(certFile, keyFile, period, unit, executor)") @ExperimentalApi("https://github.com/grpc/grpc-java/issues/8024") public AdvancedTlsX509KeyManager.Closeable updateIdentityCredentialsFromFile(File keyFile, File certFile, long period, TimeUnit unit, ScheduledExecutorService executor) throws IOException, GeneralSecurityException
Deprecated.Schedules aScheduledExecutorServiceto read private key and certificate chains from the local file paths periodically, and update the cached identity credentials if they are both updated. You must close the returned Closeable before calling this method again or other update methods (updateIdentityCredentials(java.security.PrivateKey, java.security.cert.X509Certificate[]),updateIdentityCredentials(File, File)). Before scheduling the task, the method synchronously executesreadAndUpdateonce. The minimum refresh period of 1 minute is enforced.- Parameters:
keyFile- the file on disk holding the private keycertFile- the file on disk holding the certificate chainperiod- the period between successive read-and-update executionsunit- the time unit of the initialDelay and period parametersexecutor- the executor service we use to read and update the credentials- Returns:
- an object that caller should close when the file refreshes are not needed
- Throws:
IOExceptionGeneralSecurityException
-
-