Class BaseX509KeyManager

java.lang.Object

org.postgresql.ssl.BaseX509KeyManager

All Implemented Interfaces:

KeyManager, X509KeyManager

Direct Known Subclasses:

PEMKeyManager, PKCS12KeyManager

public abstract class BaseX509KeyManager
extends Object
implements X509KeyManager

Field Summary

Fields

Modifier and Type	Field	Description
protected PSQLException	error

Constructor Summary

Constructors

Constructor	Description
BaseX509KeyManager()

Method Summary

Modifier and Type	Method	Description
String	chooseClientAlias(String[] keyType, Principal[] principals, Socket socket)
String	chooseServerAlias(String s, Principal[] principals, Socket socket)
String[]	getClientAliases(String keyType, Principal[] principals)
String[]	getServerAliases(String s, Principal[] principals)
void	throwKeyManagerException()	getCertificateChain and getPrivateKey cannot throw exceptions, therefore any exception is stored in error and can be raised by this method.
static void	validateKeyFilePermissions(Path keyPath)	Validates that the private key file has secure permissions, matching libpq behavior.

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface X509KeyManager

getCertificateChain, getPrivateKey

Field Details

error

protected PSQLException error

Constructor Details

BaseX509KeyManager

public BaseX509KeyManager()

Method Details

throwKeyManagerException

public void throwKeyManagerException()
                              throws PSQLException

getCertificateChain and getPrivateKey cannot throw exceptions, therefore any exception is stored in error and can be raised by this method.

Throws:

PSQLException - if any exception is stored in error and can be raised

getClientAliases

public String[] getClientAliases(String keyType,
 Principal[] principals)

Specified by:

getClientAliases in interface X509KeyManager

chooseClientAlias

public String chooseClientAlias(String[] keyType,
 Principal[] principals,
 Socket socket)

Specified by:

chooseClientAlias in interface X509KeyManager

getServerAliases

public String[] getServerAliases(String s,
 Principal[] principals)

Specified by:

getServerAliases in interface X509KeyManager

chooseServerAlias

public String chooseServerAlias(String s,
 Principal[] principals,
 Socket socket)

Specified by:

chooseServerAlias in interface X509KeyManager

validateKeyFilePermissions

public static void validateKeyFilePermissions(Path keyPath)
                                       throws PSQLException

Validates that the private key file has secure permissions, matching libpq behavior. On POSIX systems, root-owned files are allowed group-read access (up to 0640), since it's common for root to own certs and grant read access via group membership. Files owned by anyone else must be 0600 or stricter. On Windows, ACLs are checked to ensure only the owner and trusted system accounts have access.

Parameters:

keyPath - the path to the private key file

Throws:

PSQLException - if the file has insecure permissions