io.goshawkdb.client

Class Certs

java.lang.Object

io.goshawkdb.client.Certs

public class Certs
extends java.lang.Object

Class for managing the cluster ECDSA certificate and public key, and the client ECDSA certificate and key pair. GoshawkDB only speaks TLSv1.2 on TCP, and only uses ECDSA keys on P256.

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	CIPHER

Constructor Summary

Constructors

Constructor and Description
Certs() Create a new Certs.

Method Summary

Modifier and Type	Method and Description
Certs	addClusterCertificate(java.lang.String alias, byte[] cert) Helper in case the cluster certificate is already loaded is a byte[]
Certs	addClusterCertificate(java.lang.String alias, java.io.InputStream is) Loads a single X.509 certificate from the provided InputStream into the current KeyStore.
Certs	parseClientPEM(java.io.Reader reader) Parse the contents of the provided Reader for an X.509 Certificate with public key, and a PEM Key Pair, and calls setClientCertificateHolder and setClientKeyPair as appropriate.
Certs	setClientCertificateHolder(org.bouncycastle.cert.X509CertificateHolder certHolder) Set the ClientCertificateHolder.
Certs	setClientKeyPair(org.bouncycastle.openssl.PEMKeyPair keyPair) Set the ClientKeyPair.
Certs	setKeyStore(java.security.KeyStore ks) Provided in case you wish to provide your own keystore (for example one that is stored on disk rather than an ephemeral one).

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CIPHER

public static final java.lang.String CIPHER

See Also:

Constant Field Values

Constructor Detail

Certs

public Certs()
      throws java.security.NoSuchProviderException,
             java.security.NoSuchAlgorithmException

Create a new Certs.

Throws:

java.security.NoSuchProviderException - if BouncyCastle can't be found

java.security.NoSuchAlgorithmException - if ECDSA support can't be found

Method Detail

setKeyStore

public Certs setKeyStore(java.security.KeyStore ks)

Provided in case you wish to provide your own keystore (for example one that is stored on disk rather than an ephemeral one). The keystore is only used to hold the cluster certificate, and thus validate the certificate presented by the GoshawkDB node to which you connect (as opposed to the client certificate and key pair. I.e. even if you set a key store, you still need to call setClientCertificateHolder and setClientKeyPair, or parseClientPEM). If you supply your own KeyStore, you must have initialized it yourself.

Parameters:

ks - The KeyStore to use.

Returns:

A new Certs

addClusterCertificate

public Certs addClusterCertificate(java.lang.String alias,
                                   java.io.InputStream is)
                            throws java.security.cert.CertificateException,
                                   java.security.NoSuchAlgorithmException,
                                   java.security.KeyStoreException,
                                   java.io.IOException

Loads a single X.509 certificate from the provided InputStream into the current KeyStore. If no KeyStore has been set, certificates will be loaded into a fresh ephemeral KeyStore. Will always close the InputStream.

Parameters:

alias - The name under which to store the certificate (just pick something sane)

is - The InputStream to read the certificate from.

Returns:

The Certs object for method chaining

Throws:

java.security.cert.CertificateException

java.security.NoSuchAlgorithmException

java.security.KeyStoreException

java.io.IOException

addClusterCertificate

public Certs addClusterCertificate(java.lang.String alias,
                                   byte[] cert)
                            throws java.security.cert.CertificateException,
                                   java.security.NoSuchAlgorithmException,
                                   java.security.KeyStoreException,
                                   java.io.IOException

Helper in case the cluster certificate is already loaded is a byte[]

Parameters:

alias - The name under which to store the certificate (just pick something sane)

cert - The bytes of the certificate

Returns:

The Certs object for method chaining

Throws:

java.security.cert.CertificateException

java.security.NoSuchAlgorithmException

java.security.KeyStoreException

java.io.IOException

setClientCertificateHolder

public Certs setClientCertificateHolder(org.bouncycastle.cert.X509CertificateHolder certHolder)
                                 throws java.security.cert.CertificateException,
                                        java.security.spec.InvalidKeySpecException,
                                        java.security.InvalidKeyException,
                                        java.io.IOException

Set the ClientCertificateHolder. This is the X.509 certificate and public key the client will present to the GoshawkDB node for authentication. The public key must be an ECDSA P256 key. Once the ClientCertificateHolder and the ClientKeyPair are both set, it is verified that they both contain the same public key.

Parameters:

certHolder - The holder for the client certificate and public key

Returns:

The Certs object for method chaining

Throws:

java.security.cert.CertificateException

java.security.spec.InvalidKeySpecException

java.security.InvalidKeyException

java.io.IOException

setClientKeyPair

public Certs setClientKeyPair(org.bouncycastle.openssl.PEMKeyPair keyPair)
                       throws java.security.cert.CertificateException,
                              java.security.spec.InvalidKeySpecException,
                              java.security.InvalidKeyException,
                              java.io.IOException

Set the ClientKeyPair. This must be an ECDSA P256 key pair in PEM format. Once the ClientCertificateHolder and the ClientKeyPair are both set, it is verified that they both contain the same public key.

Parameters:

keyPair - The client public and private key pair

Returns:

The Certs object for method chaining

Throws:

java.security.cert.CertificateException

java.security.spec.InvalidKeySpecException

java.security.InvalidKeyException

java.io.IOException

parseClientPEM

public Certs parseClientPEM(java.io.Reader reader)
                     throws java.security.cert.CertificateException,
                            java.security.spec.InvalidKeySpecException,
                            java.security.InvalidKeyException,
                            java.io.IOException

Parse the contents of the provided Reader for an X.509 Certificate with public key, and a PEM Key Pair, and calls setClientCertificateHolder and setClientKeyPair as appropriate. Only the first X.509 Certificate and the first PEM Key Pair are read, but order within the Reader does not matter. The Reader is always closed.

Parameters:

reader - The reader to read from

Returns:

The Certs object for method chaining

Throws:

java.security.cert.CertificateException

java.security.spec.InvalidKeySpecException

java.security.InvalidKeyException

java.io.IOException