Skip to content

KeyStore for Java with certificate hot-reload and PEM file support

License

Notifications You must be signed in to change notification settings

tsaarni/reloading-keystore

Repository files navigation

Reloading KeyStore for Java

Maven Central

Description

This project is a library that implements custom KeyStore with following features:

  • Automatically reload credentials from disk when the underlying files change.
  • Load certificates and private keys directly from .pem files, in addition to .p12 and .jks keystore files.
  • Allow user to set fallback certificate which will be used by server when a client does not send TLS SNI extension (Server Name Indication) or sends unknown servername.

These features can be implemented in relatively few lines of code, without external dependencies and without background threads.

Use this project either as a tutorial on how to implement custom KeyStoreSpi or import the library directly into your application.

Documentation

The code is compatible with JDK 8 and above.

See the implementation description for details and related background discussion about JSSE (Java Secure Socket Extension).

Read the latest API documentation here.

Example

Following example shows how to create a TLS server that reads its server credentials from PEM files. It constructs an instance of custom KeyStore which will have the special capabilities mentioned previously. It is then passed to KeyManager just like the standard KeyStores.

// Create KeyManagerFactory with ReloadingKeyStore, implemented by custom KeyStoreSpi.
// Credentials in the KeyStore are loaded from server.pem and server-key.pem.
// ReloadingKeyStore keeps track of the files for being able to reload them later.
KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
kmf.init(new KeyStoreBuilderParameters(ReloadingKeyStore.Builder.fromPem(
    Paths.get("server.pem"), Paths.get("server-key.pem"))));

// Otherwise continue as with any KeyStore implementation:

// Initialize SSLContext with our KeyManager.
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), null, null);

// Create server socket and start accepting connections.
// Server will query our KeyManager for server credentials every time it
// gets a new connection from clients.
// Credentials will be reloaded automatically when they are updated on disk.
SSLServerSocketFactory ssf = ctx.getServerSocketFactory();
SSLServerSocket socket = (SSLServerSocket) ssf.createServerSocket(
    8443, 1, InetAddress.getByName("localhost"));

try (SSLSocket client = (SSLSocket) socket.accept()) {
    // ...
}

For more code examples, see the test suite here.

About

KeyStore for Java with certificate hot-reload and PEM file support

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages