Package ghidra.net

Class DefaultKeyManagerFactory

java.lang.Object
ghidra.net.DefaultKeyManagerFactory
public class DefaultKeyManagerFactory extends Object
DefaultKeyManagerFactory provides access to the default application key manager associated with the preferred keystore file specified by the KEYSTORE_PATH_PROPERTY system property or set with setDefaultKeyStore(String, boolean).

NOTE: Since SslRMIClientSocketFactory and SSLServerSocketFactory employ a static cache of a default SSLSocketFactory, with its default SSLContext, we must utilize a wrapped implementation of the associated X509ExtendedKeyManager so that an updated keystore is used by the existing default SSLSocketFactory.

  • Field Details

    • KEYSTORE_PATH_PROPERTY

      public static final String KEYSTORE_PATH_PROPERTY
      Keystore path system property or user preference. Setting the system property will take precedence over the user preference.
      See Also:

    • KEYSTORE_PASSWORD_PROPERTY

      public static final String KEYSTORE_PASSWORD_PROPERTY
      Password system property may be set. If set, this password will be used when accessing the keystore before attempting to use customPasswordProvider if it has been set.
      See Also:

    • DEFAULT_PASSWORD

      public static final String DEFAULT_PASSWORD
      See Also:

  • Constructor Details

    • DefaultKeyManagerFactory

      public DefaultKeyManagerFactory()

  • Method Details

    • setDefaultKeyStore

      public static boolean setDefaultKeyStore(String path, boolean savePreference)
      Set default user keystore file path (e.g., certificate file with private key). This method will have no effect if the keystore had been set via the system property and an error will be displayed. Otherwise, the keystore will be updated and the key manager re-initialized. The user preference will be updated unless a failure occurred while attempting to open the keystore. This change will take immediate effect for the current executing application, however, it may still be superseded by a system property setting when running the application in the future. See getKeyStore().
      Parameters:
      path - keystore file path or null to clear current key store and preference.
      savePreference - if true will be saved as user preference
      Returns:
      true if successful else false if error occured (see log).

    • usingGeneratedSelfSignedCertificate

      public static boolean usingGeneratedSelfSignedCertificate()
      Determine if active key manager is utilizing a generated self-signed certificate.
      Returns:
      true if using self-signed certificate.

    • setDefaultIdentity

      public static void setDefaultIdentity(X500Principal identity)
      Set the default self-signed principal identity to be used during initialization if no keystore defined. Current application key manager will be invalidated. (NOTE: this is intended for server use only when client will not be performing CA validation).
      Parameters:
      identity - if not null and a KeyStore path has not be set, this identity will be used to generate a self-signed certificate and private key

    • addSubjectAlternativeName

      public static void addSubjectAlternativeName(String subjectAltName)
      Add the optional self-signed subject alternative name to be used during initialization if no keystore defined. Current application key manager will be invalidated. (NOTE: this is intended for server use only when client will not be performing CA validation).
      Parameters:
      subjectAltName - name to be added to the current list of alternative subject names. A null value will clear all names currently set. name will be used to generate a self-signed certificate and private key

    • initialize

      public static boolean initialize()
      Initialize key manager if needed. Doing this explicitly independent of an SSL connection allows application to bail before initiating connection. This will get handshake failure if user forgets keystore password or other keystore problem.
      Returns:
      true if key manager initialized, otherwise false

    • invalidateKeyManager

      public static void invalidateKeyManager()
      Invalidate the existing default key manager.

    • getPreferredKeyStore

      public static String getPreferredKeyStore()
      If the system property ghidra.keystore takes precedence in establishing the keystore. If using a GUI and the system property has not been set, the user preference with the same name will be used.
      Returns:
      active keystore path or null if currently not running with a keystore or one has not been set.

    • getKeyStore

      public static String getKeyStore()
      Get the default/preferred key store path.
      Returns:
      default key store path or null if not set

    • getKeyManager

      public static X509ExtendedKeyManager getKeyManager()
      Get the lazy default key manager associated with the preferred key store.
      Returns:
      default key manager or null if not initialized

    • getSignedToken

      public static SignedToken getSignedToken(Principal[] authorities, byte[] token) throws NoSuchAlgorithmException, SignatureException, CertificateException
      Sign the supplied token byte array using an installed certificate from one of the specified authorities
      Parameters:
      authorities - trusted certificate authorities used to constrain client certificate (may be null or empty array if CA constraint does not matter).
      token - token byte array
      Returns:
      signed token object
      Throws:
      NoSuchAlgorithmException - algorithm associated within signing certificate not found
      SignatureException - failed to generate SignedToken
      CertificateException - error associated with signing certificate

    • isMySignature

      public static boolean isMySignature(Principal[] authorities, byte[] token, byte[] signature) throws NoSuchAlgorithmException, SignatureException, CertificateException
      Verify that the specified sigBytes reflect my signature of the specified token.
      Parameters:
      authorities - trusted certificate authorities used to constrain client certificate (may be null or empty array if CA constraint does not matter).
      token - byte array token
      signature - token signature
      Returns:
      true if signature is my signature
      Throws:
      NoSuchAlgorithmException - algorithym associated within signing certificate not found
      SignatureException - failed to generate SignedToken
      CertificateException - error associated with signing certificate