Class IdentityStore

java.lang.Object
  org.jivesoftware.openfire.keystore.CertificateStore
    org.jivesoftware.openfire.keystore.IdentityStore

public class IdentityStore extends CertificateStore
A wrapper class for a store of certificates, its metadata (password, location) and related functionality that is used to provide credentials that represent this Openfire instance: an identity store.

An identity store should contain private keys, each associated with its certificate chain. The root certificate of the Certificate Authority that signed the certificates in this identity store should be in a corresponding trust store, although this is not strictly required. The reasoning here is that when you trust a Certificate Authority to verify your identity, you are likely to trust the same Certificate Authority to verify the identities of others.

Note that in Java terminology, an identity store is commonly referred to as a 'key store', while the same name is also used to identify the generic certificate store. To have a clear distinction between the common denominator and each of the specific types, this implementation uses the terms "certificate store", "identity store" and "trust store".

Author:
    Guus der Kinderen, guus.der.kinderen@gmail.com

Field Summary

Fields inherited from class org.jivesoftware.openfire.keystore.CertificateStore
    configuration, PROVIDER, store

Constructor Summary

    IdentityStore(CertificateStoreConfiguration configuration, boolean createIfAbsent)

Method Summary

void addSelfSignedDomainCertificate()
    Populates the key store with a self-signed certificate for the domain of this XMPP service.
boolean containsAllIdentityCertificate()
    Checks if the store contains a certificate of a particular algorithm that contains at least all of the identities of this server (which includes the XMPP domain name, but also its hostname, and XMPP addresses of components that are currently being hosted).
boolean containsDomainCertificate()
    Checks if the store contains a certificate of a particular algorithm that matches the domain of this XMPP service.
protected boolean corresponds(String alias, List<X509Certificate> certificates)
void ensureDomainCertificate()
    Adds a self-signed certificate for the domain of this XMPP service when no certificate for the domain was found.
String generateCSR(String alias)
    Creates a Certificate Signing Request based on the private key and certificate identified by the provided alias.
protected static KeyPair generateKeyPair(String algorithm, int keySize)
    Returns a new public & private key with the specified algorithm (e.g. DSA, RSA, etc.).
protected String generateUniqueAlias()
    Generates an alias that is currently unused in this store.
String installCertificate(String pemCertificates, String pemPrivateKey, String passPhrase)
    Imports a certificate and the private key that was used to generate the certificate.
void installCertificate(String alias, String pemCertificates, String pemPrivateKey, String passPhrase)
    Imports a certificate and the private key that was used to generate the certificate.
void installCSRReply(String alias, String pemCertificates)
    Imports a certificate (and its chain) in this store.
static boolean isForThisDomain(X509Certificate certificate)
    Verifies that the subject of the certificate matches the domain of this XMPP service.
protected void removeAllDomainEntries()
    Removes all entries that reflect the local domain.
String replaceCertificate(String pemCertificates, String pemPrivateKey, String passPhrase)
    Imports a certificate and the private key that was used to generate the certificate, replacing any previously installed entries for the same domain.

Methods inherited from class org.jivesoftware.openfire.keystore.CertificateStore
    backup, delete, getAllCertificates, getConfiguration, getStore, persist, reload

Constructor Detail

IdentityStore
public IdentityStore(CertificateStoreConfiguration configuration, boolean createIfAbsent) throws CertificateStoreConfigException
Throws:
    CertificateStoreConfigException

Method Detail

generateCSR
public String generateCSR(String alias) throws CertificateStoreConfigException
Creates a Certificate Signing Request based on the private key and certificate identified by the provided alias. When the alias does not identify a private key and/or certificate, this method will throw an exception. The certificate that is identified by the provided alias can be an unsigned certificate, but also a certificate that is already signed. The latter implies that the generated request is a request for certificate renewal. An invocation of this method does not change the state of the underlying store.
Parameters:
    alias - An identifier for a private key / certificate in this store (cannot be null).
Returns:
    A PEM-encoded Certificate Signing Request (never null).
Throws:
    CertificateStoreConfigException - if there was a problem generating the CSR

installCSRReply
public void installCSRReply(String alias, String pemCertificates) throws CertificateStoreConfigException
Imports a certificate (and its chain) in this store. This method will fail when the provided certificate chain:
    - does not match the domain of this XMPP service.
    - is not a proper chain
Parameters:
    alias - the certificate alias
    pemCertificates - a PEM representation of the certificate or certificate chain (cannot be null or empty).
Throws:
    CertificateStoreConfigException - if there was a problem installing the certificate

corresponds
protected boolean corresponds(String alias, List<X509Certificate> certificates) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException

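The three methods above (generateCSR, installCSRReply and the undocumented corresponds check) describe one workflow: derive a CSR from an existing key entry without touching the store, and later accept the CA's reply only if it belongs to that key and forms a verifiable chain. The following is an added example of that workflow against a plain java.security.KeyStore; it is not Openfire's code. It assumes the BouncyCastle bcpkix library on the classpath, a PKCS12 store at a caller-supplied path, Java 11 or later, and that the keyPassword and domain parameters (which the page's methods obtain from the store configuration and server settings) are passed in explicitly. The domain-matching check that installCSRReply also performs is not repeated here.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

// Illustrative class, not part of Openfire.
public class CsrRoundTrip {

    /** Like generateCSR(alias): reads the entry, never writes the store. Requests a dNSName SAN for the domain. */
    static String generateCSR(KeyStore store, String alias, char[] keyPassword, String domain) throws Exception {
        if (!store.isKeyEntry(alias)) throw new IllegalArgumentException("alias does not identify a private key: " + alias);
        PrivateKey key = (PrivateKey) store.getKey(alias, keyPassword);
        // The current certificate may be self-signed or already CA-signed (then this is a renewal request).
        X509Certificate current = (X509Certificate) store.getCertificate(alias);
        JcaPKCS10CertificationRequestBuilder builder =
            new JcaPKCS10CertificationRequestBuilder(current.getSubjectX500Principal(), current.getPublicKey());
        ExtensionsGenerator extensions = new ExtensionsGenerator();
        extensions.addExtension(Extension.subjectAlternativeName, false,
            new GeneralNames(new GeneralName(GeneralName.dNSName, domain)));
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions.generate());
        String sigAlg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + key.getAlgorithm();
        ContentSigner signer = new JcaContentSignerBuilder(sigAlg).build(key);
        PKCS10CertificationRequest csr = builder.build(signer);
        StringWriter out = new StringWriter();
        try (JcaPEMWriter pem = new JcaPEMWriter(out)) { pem.writeObject(csr); } // "-----BEGIN CERTIFICATE REQUEST-----"
        return out.toString();
    }

    /** Parses one or more PEM certificates, leaf first. */
    static List<X509Certificate> parsePemChain(String pem) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        for (java.security.cert.Certificate c : CertificateFactory.getInstance("X.509")
                .generateCertificates(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII))))
            chain.add((X509Certificate) c);
        return chain;
    }

    /** The corresponds(alias, certificates) idea: the reply's leaf must carry the public key of the stored private key. */
    static boolean corresponds(KeyStore store, String alias, List<X509Certificate> chain) throws Exception {
        if (chain.isEmpty() || !store.isKeyEntry(alias)) return false;
        return store.getCertificate(alias).getPublicKey().equals(chain.get(0).getPublicKey());
    }

    /** Like installCSRReply(alias, pem): rejects a reply for another key, an expired link, or a chain whose links do not verify. */
    static void installCSRReply(KeyStore store, String alias, char[] keyPassword, String pemCertificates) throws Exception {
        List<X509Certificate> chain = parsePemChain(pemCertificates);
        if (!corresponds(store, alias, chain)) throw new IllegalArgumentException("reply does not match the key under " + alias);
        for (int i = 0; i < chain.size(); i++) {          // leaf first; each link must be signed by the next
            X509Certificate cert = chain.get(i);
            cert.checkValidity();
            if (i + 1 < chain.size()) cert.verify(chain.get(i + 1).getPublicKey());
            else if (cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) cert.verify(cert.getPublicKey());
        }
        PrivateKey key = (PrivateKey) store.getKey(alias, keyPassword);
        store.setKeyEntry(alias, key, keyPassword, chain.toArray(new X509Certificate[0])); // replaces the old chain
    }

    public static void main(String[] args) throws Exception {
        // Usage: CsrRoundTrip <store.p12> <password> <alias> <domain> [reply.pem]   (paths and names supplied by the caller)
        char[] password = args[1].toCharArray();
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { store.load(in, password); }
        if (args.length < 5) { System.out.print(generateCSR(store, args[2], password, args[3])); return; }
        installCSRReply(store, args[2], password, Files.readString(Paths.get(args[4])));
        try (FileOutputStream out = new FileOutputStream(args[0])) { store.store(out, password); } // persist the new chain
    }
}
```

Without a reply argument the program prints the PEM CSR and leaves the store untouched, matching the "does not change the state of the underlying store" contract; with one it only writes the store after every check has passed. The last certificate in a reply is verified against itself only when it is self-signed, because a CA reply frequently omits the root and the decision whether to trust that root belongs to the trust store, not the identity store.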
replaceCertificate
public String replaceCertificate(String pemCertificates, String pemPrivateKey, String passPhrase) throws CertificateStoreConfigException
Imports a certificate and the private key that was used to generate the certificate, replacing any previously installed entries for the same domain. This method will import the certificate and key in the store using a unique alias. This alias is returned. This method will fail when the provided certificate does not match the domain of this XMPP service.
Parameters:
    pemCertificates - a PEM representation of the certificate or certificate chain (cannot be null or empty).
    pemPrivateKey - a PEM representation of the private key (cannot be null or empty).
    passPhrase - optional pass phrase (must be present if the private key is encrypted).
Returns:
    The alias that was used (never null).
Throws:
    CertificateStoreConfigException - if there was a problem replacing the certificate

installCertificate
public String installCertificate(String pemCertificates, String pemPrivateKey, String passPhrase) throws CertificateStoreConfigException
Imports a certificate and the private key that was used to generate the certificate. This method will import the certificate and key in the store using a unique alias. This alias is returned. This method will fail when the provided certificate does not match the domain of this XMPP service.
Parameters:
    pemCertificates - a PEM representation of the certificate or certificate chain (cannot be null or empty).
    pemPrivateKey - a PEM representation of the private key (cannot be null or empty).
    passPhrase - optional pass phrase (must be present if the private key is encrypted).
Returns:
    The alias that was used (never null).
Throws:
    CertificateStoreConfigException - if there was a problem installing the certificate

installCertificate
public void installCertificate(String alias, String pemCertificates, String pemPrivateKey, String passPhrase) throws CertificateStoreConfigException
Imports a certificate and the private key that was used to generate the certificate. This method will fail when the provided certificate does not match the domain of this XMPP service, or when the provided alias refers to an existing entry.
Parameters:
    alias - the name (key) under which the certificate is to be stored in the store (cannot be null or empty).
    pemCertificates - a PEM representation of the certificate or certificate chain (cannot be null or empty).
    pemPrivateKey - a PEM representation of the private key (cannot be null or empty).
    passPhrase - optional pass phrase (must be present if the private key is encrypted).
Throws:
    CertificateStoreConfigException - if there was a problem installing the certificate

ensureDomainCertificate
public void ensureDomainCertificate() throws CertificateStoreConfigException
Adds a self-signed certificate for the domain of this XMPP service when no certificate for the domain was found.
Throws:
    CertificateStoreConfigException - if there was a problem creating the certificate

containsDomainCertificate
public boolean containsDomainCertificate() throws CertificateStoreConfigException
Checks if the store contains a certificate of a particular algorithm that matches the domain of this XMPP service. This method will not distinguish between self-signed and non-self-signed certificates.
Returns:
    true if the store contains a certificate of a particular algorithm that matches the domain of this XMPP service, otherwise false
Throws:
    CertificateStoreConfigException - if there was a problem creating the certificate

containsAllIdentityCertificate
public boolean containsAllIdentityCertificate() throws CertificateStoreConfigException
Checks if the store contains a certificate of a particular algorithm that contains at least all of the identities of this server (which includes the XMPP domain name, but also its hostname, and XMPP addresses of components that are currently being hosted). This method will not distinguish between self-signed and non-self-signed certificates.
Returns:
    true if the store contains a certificate of a particular algorithm that contains at least all of the identities of this server, otherwise false
Throws:
    CertificateStoreConfigException - if there was a problem accessing the certificates

addSelfSignedDomainCertificate
public void addSelfSignedDomainCertificate() throws CertificateStoreConfigException
Populates the key store with a self-signed certificate for the domain of this XMPP service.
Throws:
    CertificateStoreConfigException - if a self-signed certificate could not be created

generateKeyPair
protected static KeyPair generateKeyPair(String algorithm, int keySize) throws GeneralSecurityException
Returns a new public & private key with the specified algorithm (e.g. DSA, RSA, etc.).
Parameters:
    algorithm - DSA, RSA, etc.
    keySize - the desired key size. This is an algorithm-specific metric, such as modulus length, specified in number of bits.
Returns:
    a new public & private key with the specified algorithm (e.g. DSA, RSA, etc.).
Throws:
    GeneralSecurityException - if the supplied algorithm does not have a key-pair generator

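The class description at the top of this page draws the identity-store versus trust-store distinction, and addSelfSignedDomainCertificate together with generateKeyPair describe how an identity store is bootstrapped. The following added example, which is not Openfire's code, puts the three together with a plain java.security.KeyStore: it generates a key pair with the same contract as generateKeyPair, self-signs a certificate for the domain, places the private key and its chain in an identity store, places only the certificate in a trust store, and hands each to the javax.net.ssl factory that consumes it. It assumes the BouncyCastle bcpkix library on the classpath; the domain, alias, password, validity period and the extensions chosen for the certificate are constructed for the example, since the page does not describe what Openfire itself puts in its self-signed certificates.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Illustrative class, not part of Openfire.
public class SelfSignedDomainIdentity {

    /** Same contract as generateKeyPair(algorithm, keySize) on this page, e.g. "RSA"/2048 or "EC"/256. */
    static KeyPair generateKeyPair(String algorithm, int keySize) throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithm); // NoSuchAlgorithmException if unknown
        generator.initialize(keySize, new SecureRandom());
        return generator.generateKeyPair();
    }

    /** Self-signed end-entity certificate for the domain: subject CN plus a dNSName SAN, CA bit off. */
    static X509Certificate selfSignedDomainCertificate(KeyPair keyPair, String domain, int validDays,
                                                       String signatureAlgorithm) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + validDays * 86_400_000L);
        X500Principal name = new X500Principal("CN=" + domain);          // issuer == subject: self-signed
        BigInteger serial = new BigInteger(63, new SecureRandom());      // random, non-negative serial
        JcaX509v3CertificateBuilder builder =
            new JcaX509v3CertificateBuilder(name, serial, notBefore, notAfter, name, keyPair.getPublic());
        builder.addExtension(Extension.subjectAlternativeName, false,
            new GeneralNames(new GeneralName(GeneralName.dNSName, domain)));
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(Extension.keyUsage, true,
            new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    public static void main(String[] args) throws Exception {
        String domain = "xmpp.example.org";           // constructed sample domain
        char[] password = "changeit".toCharArray();   // constructed sample store password
        KeyPair keyPair = generateKeyPair("RSA", 2048);
        X509Certificate cert = selfSignedDomainCertificate(keyPair, domain, 365, "SHA256withRSA");

        // Identity store: private key plus its chain, i.e. what this server presents to peers.
        KeyStore identityStore = KeyStore.getInstance("PKCS12");
        identityStore.load(null, null);
        identityStore.setKeyEntry("domain-rsa", keyPair.getPrivate(), password, new X509Certificate[] { cert });
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identityStore, password);

        // Trust store: certificates only, i.e. which issuers a peer is willing to accept. For a self-signed
        // certificate the trust anchor is the certificate itself; for a CA-issued one it would be the CA root.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        trustStore.load(null, null);
        trustStore.setCertificateEntry("xmpp-example-org", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        System.out.println("identity entry holds a private key: " + identityStore.isKeyEntry("domain-rsa"));
        System.out.println("trust entry is certificate-only:   " + trustStore.isCertificateEntry("xmpp-example-org"));
        System.out.println("key managers: " + kmf.getKeyManagers().length
            + ", trust managers: " + tmf.getTrustManagers().length);
    }
}
```

The two stores use the same KeyStore type, which is exactly why the page insists on the separate terms: the difference is in the entry kinds (key entries versus trusted-certificate entries) and in which factory reads them, not in the container format. A peer that holds this certificate in its trust store can verify the server, and a server that holds the peer's CA root in its trust store can verify the peer, which is the reciprocity the class description argues for.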
isForThisDomain
public static boolean isForThisDomain(X509Certificate certificate)
Verifies that the subject of the certificate matches the domain of this XMPP service.
Parameters:
    certificate - The certificate to verify (cannot be null)
Returns:
    true when the certificate subject is this domain, otherwise false.

generateUniqueAlias
protected String generateUniqueAlias() throws CertificateStoreConfigException
Generates an alias that is currently unused in this store.
Returns:
    An alias (never null).
Throws:
    CertificateStoreConfigException - if a unique alias could not be generated

removeAllDomainEntries
protected void removeAllDomainEntries() throws KeyStoreException
Removes all entries that reflect the local domain. This method iterates over all entries, and removes those that match the domain of this server. Note that the changes are not persisted by this method (as it is expected to be used in tandem with an insert).
Throws:
    KeyStoreException - if the key store could not be updated
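The import path on this page (installCertificate and replaceCertificate) is built from the smaller pieces documented alongside it: isForThisDomain decides whether a certificate may be installed at all, generateUniqueAlias picks the alias, and removeAllDomainEntries clears the previous entries without persisting. The following added example, which is not Openfire's code, implements that path over a plain java.security.KeyStore. Its assumptions: the domain check is an exact, case-insensitive match of the subject CN or a dNSName SAN (the page does not describe how Openfire matches, nor how it treats XMPP-specific identifiers); the private key is an unencrypted PKCS#8 PEM, so the passPhrase parameter is not handled; the domain and store password are passed in explicitly; Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Illustrative class, not part of Openfire.
public class DomainEntries {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag number for dNSName

    /** Illustrative domain check: subject CN or a dNSName SAN equals the domain (case-insensitive, no wildcards). */
    static boolean isForThisDomain(X509Certificate cert, String domain) throws Exception {
        String wanted = domain.toLowerCase(Locale.ROOT);
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
            if ("CN".equalsIgnoreCase(rdn.getType()) && wanted.equals(rdn.getValue().toString().toLowerCase(Locale.ROOT))) return true;
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans)
            if (Integer.valueOf(SAN_DNS_NAME).equals(san.get(0)) && wanted.equals(((String) san.get(1)).toLowerCase(Locale.ROOT))) return true;
        return false;
    }
    static String generateUniqueAlias(KeyStore store) throws KeyStoreException {
        String alias;
        do { alias = UUID.randomUUID().toString(); } while (store.containsAlias(alias));
        return alias;
    }
    /** Drops key entries whose leaf is for the domain. In-memory only: the caller persists (or reloads on failure). */
    static List<String> removeAllDomainEntries(KeyStore store, String domain) throws Exception {
        List<String> removed = new ArrayList<>();
        for (String alias : Collections.list(store.aliases())) {   // snapshot: we delete while iterating
            if (!store.isKeyEntry(alias)) continue;
            X509Certificate leaf = (X509Certificate) store.getCertificate(alias);
            if (leaf != null && isForThisDomain(leaf, domain)) { store.deleteEntry(alias); removed.add(alias); }
        }
        return removed;
    }
    static List<X509Certificate> parsePemChain(String pem) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        for (java.security.cert.Certificate c : CertificateFactory.getInstance("X.509")
                .generateCertificates(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII))))
            chain.add((X509Certificate) c);
        return chain;
    }
    /** Unencrypted PKCS#8 ("BEGIN PRIVATE KEY") only; pass-phrase protected keys are outside this example. */
    static PrivateKey parsePkcs8Pem(String pem, String algorithm) throws Exception {
        String base64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(base64)));
    }
    /** A signature round-trip proves the private key belongs to the certificate's public key (RSA, EC or DSA). */
    static boolean keyMatches(PrivateKey priv, PublicKey pub) throws GeneralSecurityException {
        String sigAlg = "EC".equals(pub.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + pub.getAlgorithm();
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        Signature s = Signature.getInstance(sigAlg);
        s.initSign(priv); s.update(nonce); byte[] sig = s.sign();
        s.initVerify(pub); s.update(nonce);
        return s.verify(sig);
    }
    /** Mirrors installCertificate(alias, ...): a null alias means "generate a unique one"; an existing alias is refused. */
    static String installCertificate(KeyStore store, String alias, String pemCertificates, String pemPrivateKey,
                                     char[] storePassword, String domain) throws Exception {
        List<X509Certificate> chain = parsePemChain(pemCertificates);
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificate found in PEM input");
        X509Certificate leaf = chain.get(0);
        if (!isForThisDomain(leaf, domain)) throw new IllegalArgumentException("certificate is not for " + domain);
        PrivateKey key = parsePkcs8Pem(pemPrivateKey, leaf.getPublicKey().getAlgorithm());
        if (!keyMatches(key, leaf.getPublicKey())) throw new IllegalArgumentException("private key does not match the certificate");
        if (alias == null) alias = generateUniqueAlias(store);
        else if (store.containsAlias(alias)) throw new IllegalArgumentException("alias already in use: " + alias);
        store.setKeyEntry(alias, key, storePassword, chain.toArray(new X509Certificate[0]));
        return alias;
    }
    /** Mirrors replaceCertificate: validate the new leaf first, then drop the old domain entries, then install. */
    static String replaceCertificate(KeyStore store, String pemCertificates, String pemPrivateKey,
                                     char[] storePassword, String domain) throws Exception {
        List<X509Certificate> chain = parsePemChain(pemCertificates);
        if (chain.isEmpty() || !isForThisDomain(chain.get(0), domain)) throw new IllegalArgumentException("certificate is not for " + domain);
        removeAllDomainEntries(store, domain);
        return installCertificate(store, null, pemCertificates, pemPrivateKey, storePassword, domain);
    }
    public static void main(String[] args) throws Exception {
        // Usage: DomainEntries <store.p12> <password> <domain> <chain.pem> <key.pem>   (all supplied by the caller)
        char[] password = args[1].toCharArray();
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { store.load(in, password); }
        String alias = replaceCertificate(store, Files.readString(Paths.get(args[3])), Files.readString(Paths.get(args[4])), password, args[2]);
        try (FileOutputStream out = new FileOutputStream(args[0])) { store.store(out, password); } // persist only after success
        System.out.println("installed under alias " + alias);
    }
}
```

Two design points follow from the page's contracts. replaceCertificate checks the new leaf before calling removeAllDomainEntries, so a rejected import cannot leave the server with no domain entry at all; and because removeAllDomainEntries does not persist, the program writes the store back only after the whole replace has succeeded, which is what "used in tandem with an insert" amounts to in practice. The keyMatches round-trip catches the case where a certificate and an unrelated key are pasted together, a mistake that would otherwise surface only as failed TLS handshakes.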