bael-9167 - Using Different Certificates on Specific Connections in Java (#18646)

* bael-9167 - ready for review

* bael-9167 review 1

* fixing newlines

* related to !18657

https://team.baeldung.com/browse/JAVA-47895

Author: ulisseslima

core-java-modules/core-java-networking-6/pom.xml

@@ -65,6 +65,12 @@
             <artifactId>commons-net</artifactId>
             <version>${commons-net.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.wiremock</groupId>
+            <artifactId>wiremock</artifactId>
+            <version>${wiremock.version}</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -82,6 +88,7 @@
         <okhttp.version>4.12.0</okhttp.version>
         <webflux.version>3.4.3</webflux.version>
         <commons-net.version>3.8.0</commons-net.version>
+        <wiremock.version>3.13.0</wiremock.version>
     </properties>
 
-</project>
+</project>

core-java-modules/core-java-networking-6/src/main/java/com/baeldung/multiplecerts/CertUtils.java

@@ -0,0 +1,55 @@
+package com.baeldung.multiplecerts;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.util.stream.Stream;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509TrustManager;
+
+public class CertUtils {
+
+    private CertUtils() {
+    }
+
+    private static KeyStore loadKeyStore(Path path, String password) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
+        KeyStore store = KeyStore.getInstance(path.toFile(), password.toCharArray());
+        try (InputStream stream = Files.newInputStream(path)) {
+            store.load(stream, password.toCharArray());
+        }
+        return store;
+    }
+
+    public static X509KeyManager loadKeyManager(Path path, String password) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
+        KeyStore store = loadKeyStore(path, password);
+
+        KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        factory.init(store, password.toCharArray());
+
+        return (X509KeyManager) Stream.of(factory.getKeyManagers())
+            .filter(X509KeyManager.class::isInstance)
+            .findAny()
+            .orElseThrow(() -> new IllegalStateException("no appropriate manager found"));
+    }
+
+    public static X509TrustManager loadTrustManager(Path path, String password) throws IOException, NoSuchAlgorithmException, CertificateException, KeyStoreException {
+        KeyStore store = loadKeyStore(path, password);
+
+        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        factory.init(store);
+
+        return (X509TrustManager) Stream.of(factory.getTrustManagers())
+            .filter(X509TrustManager.class::isInstance)
+            .findAny()
+            .orElseThrow(() -> new IllegalStateException("no appropriate manager found"));
+    }
+}

core-java-modules/core-java-networking-6/src/main/java/com/baeldung/multiplecerts/RoutingKeyManager.java

@@ -0,0 +1,99 @@
+package com.baeldung.multiplecerts;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.X509ExtendedKeyManager;
+import javax.net.ssl.X509KeyManager;
+
+public class RoutingKeyManager extends X509ExtendedKeyManager {
+
+    private final Map<String, X509KeyManager> hostMap = new HashMap<>();
+
+    public void put(String host, X509KeyManager manager) {
+        hostMap.put(host, manager);
+    }
+
+    private X509KeyManager select(String host) {
+        X509KeyManager manager = hostMap.get(host);
+        if (manager == null)
+            throw new IllegalArgumentException("key manager not found for " + host);
+
+        return manager;
+    }
+
+    @Override
+    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
+        if (socket instanceof SSLSocket sslSocket) {
+            String host = host(socket, sslSocket);
+            return select(host).chooseClientAlias(keyType, issuers, socket);
+        }
+
+        throw new UnsupportedOperationException("unsupported socket");
+    }
+
+    @Override
+    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
+        String host = engine.getPeerHost();
+        return select(host).chooseClientAlias(keyType, issuers, (Socket) null);
+    }
+
+    @Override
+    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
+        String host = engine.getPeerHost();
+        return select(host).chooseServerAlias(keyType, issuers, (Socket) null);
+    }
+
+    @Override
+    public X509Certificate[] getCertificateChain(String alias) {
+        return select(alias).getCertificateChain(alias);
+    }
+
+    @Override
+    public PrivateKey getPrivateKey(String alias) {
+        return select(alias).getPrivateKey(alias);
+    }
+
+    @Override
+    public String[] getClientAliases(String keyType, Principal[] issuers) {
+        List<String> aliases = new ArrayList<>();
+
+        hostMap.forEach((host, km) -> aliases.addAll(Arrays.asList(km.getClientAliases(keyType, issuers))));
+        return aliases.toArray(new String[] {});
+    }
+
+    @Override
+    public String[] getServerAliases(String keyType, Principal[] issuers) {
+        List<String> list = new ArrayList<>();
+
+        hostMap.forEach((host, km) -> list.addAll(Arrays.asList(km.getServerAliases(keyType, issuers))));
+        return list.toArray(new String[] {});
+    }
+
+    @Override
+    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+        if (socket instanceof SSLSocket sslSocket) {
+            String host = host(socket, sslSocket);
+            return select(host).chooseServerAlias(keyType, issuers, socket);
+        }
+
+        throw new UnsupportedOperationException("unsupported socket");
+    }
+
+    private String host(Socket socket, SSLSocket sslSocket) {
+        SSLSession session = sslSocket.getHandshakeSession();
+        return session != null ? session.getPeerHost()
+            : socket.getInetAddress()
+                .getHostName();
+    }
+}

core-java-modules/core-java-networking-6/src/main/java/com/baeldung/multiplecerts/RoutingSslContextBuilder.java

@@ -0,0 +1,41 @@
+package com.baeldung.multiplecerts;
+
+import java.io.IOException;
+import java.nio.file.Paths;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+
+public class RoutingSslContextBuilder {
+
+    private final RoutingKeyManager routingKeyManager;
+    private final RoutingTrustManager routingTrustManager;
+
+    public RoutingSslContextBuilder() {
+        routingKeyManager = new RoutingKeyManager();
+        routingTrustManager = new RoutingTrustManager();
+    }
+
+    public static RoutingSslContextBuilder create() {
+        return new RoutingSslContextBuilder();
+    }
+
+    public RoutingSslContextBuilder trust(String host, String certsDir, String password) throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
+        routingTrustManager.put(host, CertUtils.loadTrustManager(Paths.get(certsDir, "trust." + host + ".p12"), password));
+        routingKeyManager.put(host, CertUtils.loadKeyManager(Paths.get(certsDir, "client." + host + ".p12"), password));
+        return this;
+    }
+
+    public SSLContext build() throws NoSuchAlgorithmException, KeyManagementException {
+        SSLContext context = SSLContext.getInstance("TLS");
+        context.init(new KeyManager[] { routingKeyManager }, new TrustManager[] { routingTrustManager }, null);
+
+        return context;
+    }
+}

core-java-modules/core-java-networking-6/src/main/java/com/baeldung/multiplecerts/RoutingTrustManager.java

@@ -0,0 +1,83 @@
+package com.baeldung.multiplecerts;
+
+import java.net.Socket;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.X509ExtendedTrustManager;
+import javax.net.ssl.X509TrustManager;
+
+public class RoutingTrustManager extends X509ExtendedTrustManager {
+
+    private final Map<String, X509TrustManager> hostMap = new HashMap<>();
+
+    public void put(String host, X509TrustManager manager) {
+        hostMap.put(host, manager);
+    }
+
+    private X509TrustManager select(String host) {
+        X509TrustManager manager = hostMap.get(host);
+        if (manager == null)
+            throw new IllegalArgumentException("trust manager not found for " + host);
+
+        return manager;
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        String host = host(socket);
+        select(host).checkServerTrusted(chain, authType);
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+        String host = engine.getPeerHost();
+        select(host).checkServerTrusted(chain, authType);
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        List<X509Certificate> list = new ArrayList<>();
+
+        hostMap.forEach((host, km) -> list.addAll(Arrays.asList(km.getAcceptedIssuers())));
+        return list.toArray(new X509Certificate[] {});
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        String host = host(socket);
+        select(host).checkClientTrusted(chain, authType);
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+        String host = engine.getPeerHost();
+        select(host).checkClientTrusted(chain, authType);
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        throw new UnsupportedOperationException("socket is required");
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType) {
+        throw new UnsupportedOperationException("socket is required");
+    }
+
+    private String host(Socket socket) {
+        if (socket instanceof SSLSocket sslSocket) {
+            SSLSession session = sslSocket.getHandshakeSession();
+            return session != null ? session.getPeerHost() : null;
+        }
+        return null;
+    }
+}