Skip to content
/ reloading-keystore Public

KeyStore for Java with certificate hot-reload and PEM file support

License

Apache-2.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

tsaarni/reloading-keystore

BranchesTags

Repository files navigation

Reloading KeyStore for Java

Maven Central

Description

This project is a library that implements custom KeyStore with following features:

  • Automatically reload credentials from disk when the underlying files change.
  • Load certificates and private keys directly from .pem files, in addition to .p12 and .jks keystore files.
  • Allow user to set fallback certificate which will be used by server when a client does not send TLS SNI extension (Server Name Indication) or sends unknown servername.

These features can be implemented in relatively few lines of code, without external dependencies and without background threads.

Use this project either as a tutorial on how to implement custom KeyStoreSpi or import the library directly into your application.

Documentation

The code is compatible with JDK 8 and above.

See the implementation description for details and related background discussion about JSSE (Java Secure Socket Extension).

Read the latest API documentation here.

Example

Following example shows how to create a TLS server that reads its server credentials from PEM files. It constructs an instance of custom KeyStore which will have the special capabilities mentioned previously. It is then passed to KeyManager just like the standard KeyStores.

// Create KeyManagerFactory with ReloadingKeyStore, implemented by custom KeyStoreSpi.
// Credentials in the KeyStore are loaded from server.pem and server-key.pem.
// ReloadingKeyStore keeps track of the files for being able to reload them later.
KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
kmf.init(new KeyStoreBuilderParameters(ReloadingKeyStore.Builder.fromPem(
    Paths.get("server.pem"), Paths.get("server-key.pem"))));

// Otherwise continue as with any KeyStore implementation:

// Initialize SSLContext with our KeyManager.
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), null, null);

// Create server socket and start accepting connections.
// Server will query our KeyManager for server credentials every time it
// gets a new connection from clients.
// Credentials will be reloaded automatically when they are updated on disk.
SSLServerSocketFactory ssf = ctx.getServerSocketFactory();
SSLServerSocket socket = (SSLServerSocket) ssf.createServerSocket(
    8443, 1, InetAddress.getByName("localhost"));

try (SSLSocket client = (SSLSocket) socket.accept()) {
    // ...
}

For more code examples, see the test suite here.

About

KeyStore for Java with certificate hot-reload and PEM file support

Topics

java tls certificates x509 keystore

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 Latest
Jul 13, 2022

Packages

No packages published

Contributors 2

  •  
  •  

Languages