org.postgresql.ssl

Class BaseX509KeyManager

java.lang.Object

org.postgresql.ssl.BaseX509KeyManager

All Implemented Interfaces:

javax.net.ssl.KeyManager, javax.net.ssl.X509KeyManager

Direct Known Subclasses:

PEMKeyManager, PKCS12KeyManager

public abstract class BaseX509KeyManager
extends java.lang.Object
implements javax.net.ssl.X509KeyManager

Field Summary

Fields

Modifier and Type	Field and Description
protected PSQLException	error

Constructor Summary

Constructors

Constructor and Description
BaseX509KeyManager()

Method Summary

Modifier and Type	Method and Description
java.lang.String	chooseClientAlias(java.lang.String[] keyType, java.security.Principal[] principals, java.net.Socket socket)
java.lang.String	chooseServerAlias(java.lang.String s, java.security.Principal[] principals, java.net.Socket socket)
java.lang.String[]	getClientAliases(java.lang.String keyType, java.security.Principal[] principals)
java.lang.String[]	getServerAliases(java.lang.String s, java.security.Principal[] principals)
void	throwKeyManagerException() getCertificateChain and getPrivateKey cannot throw exceptions, therefore any exception is stored in error and can be raised by this method.
static void	validateKeyFilePermissions(java.nio.file.Path keyPath) Validates that the private key file has secure permissions, matching libpq behavior.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface javax.net.ssl.X509KeyManager

getCertificateChain, getPrivateKey

Field Detail

error

protected PSQLException error

Constructor Detail

BaseX509KeyManager

public BaseX509KeyManager()

Method Detail

throwKeyManagerException

public void throwKeyManagerException()
                              throws PSQLException

getCertificateChain and getPrivateKey cannot throw exceptions, therefore any exception is stored in error and can be raised by this method.

Throws:

PSQLException - if any exception is stored in error and can be raised

getClientAliases

public java.lang.String[] getClientAliases(java.lang.String keyType,
                                           java.security.Principal[] principals)

Specified by:

getClientAliases in interface javax.net.ssl.X509KeyManager

chooseClientAlias

public java.lang.String chooseClientAlias(java.lang.String[] keyType,
                                          java.security.Principal[] principals,
                                          java.net.Socket socket)

Specified by:

chooseClientAlias in interface javax.net.ssl.X509KeyManager

getServerAliases

public java.lang.String[] getServerAliases(java.lang.String s,
                                           java.security.Principal[] principals)

Specified by:

getServerAliases in interface javax.net.ssl.X509KeyManager

chooseServerAlias

public java.lang.String chooseServerAlias(java.lang.String s,
                                          java.security.Principal[] principals,
                                          java.net.Socket socket)

Specified by:

chooseServerAlias in interface javax.net.ssl.X509KeyManager

validateKeyFilePermissions

public static void validateKeyFilePermissions(java.nio.file.Path keyPath)
                                       throws PSQLException

Validates that the private key file has secure permissions, matching libpq behavior. On POSIX systems, root-owned files are allowed group-read access (up to 0640), since it's common for root to own certs and grant read access via group membership. Files owned by anyone else must be 0600 or stricter. On Windows, ACLs are checked to ensure only the owner and trusted system accounts have access.

Parameters:

keyPath - the path to the private key file

Throws:

PSQLException - if the file has insecure permissions