Class SpiffeTrustManagerFactory

java.lang.Object
javax.net.ssl.TrustManagerFactorySpi
io.spiffe.provider.SpiffeTrustManagerFactory

public class SpiffeTrustManagerFactory extends TrustManagerFactorySpi
Implementation of a TrustManagerFactory to create a SpiffeTrustManager backed by a DefaultX509Source that is maintained via the Workload API.

The Java Security API will call engineGetTrustManagers() to get an instance of a TrustManager. This TrustManager instance is injected with a DefaultX509Source, which implements BundleSource and keeps the trust bundles updated. The TrustManager also gets a Supplier of a Set of accepted SPIFFE IDs, used to validate the SPIFFE ID from the SVIDs presented by a peer during the secure socket handshake.

  • Constructor Details

    • SpiffeTrustManagerFactory

      public SpiffeTrustManagerFactory()
  • Method Details

    • engineGetTrustManagers

      public TrustManager[] engineGetTrustManagers()
      Creates a TrustManager initialized with the DefaultX509Source instance that is handled by the X509SourceManager, and with a supplier of accepted SPIFFE IDs that reads the Set of SpiffeId from the System property 'ssl.spiffe.accept'.

      If the System property 'ssl.spiffe.acceptAll' is defined as 'true', the TrustManager is configured to accept any SPIFFE ID presented by a peer.

      Specified by:
      engineGetTrustManagers in class TrustManagerFactorySpi
      Returns:
      an instance of a TrustManager wrapped in an array. The actual type returned is SpiffeTrustManager
      Throws:
      SpiffeProviderException - in case there is an error setting up the X.509 source
    • engineGetTrustManagers

      public TrustManager[] engineGetTrustManagers(@NonNull io.spiffe.bundle.BundleSource<io.spiffe.bundle.x509bundle.X509Bundle> x509BundleSource)
      Creates a TrustManager initialized with the BundleSource to provide X.509 bundles, and with a supplier of accepted SPIFFE IDs that reads the set from the System property 'ssl.spiffe.accept'.

      If the System property 'ssl.spiffe.acceptAll' is defined as 'true', the TrustManager is configured to accept any SPIFFE ID presented by a peer.

      Parameters:
      x509BundleSource - a source of X.509 bundles
      Returns:
      an instance of a TrustManager wrapped in an array. The actual type returned is SpiffeTrustManager
    • engineGetTrustManagersAcceptAnySpiffeId

      public TrustManager[] engineGetTrustManagersAcceptAnySpiffeId(@NonNull io.spiffe.bundle.BundleSource<io.spiffe.bundle.x509bundle.X509Bundle> x509BundleSource)
      Creates a TrustManager initialized with a BundleSource to provide the X.509 bundles. The TrustManager is configured to accept any SPIFFE ID.
      Parameters:
      x509BundleSource - a source of X.509 bundles
      Returns:
      an instance of a TrustManager wrapped in an array. The actual type returned is SpiffeTrustManager
    • engineGetTrustManagers

      public TrustManager[] engineGetTrustManagers(@NonNull io.spiffe.bundle.BundleSource<io.spiffe.bundle.x509bundle.X509Bundle> x509BundleSource, @NonNull Supplier<Set<io.spiffe.spiffeid.SpiffeId>> acceptedSpiffeIdsSupplier)
      Creates a TrustManager initialized with a BundleSource to provide X.509 bundles, and a supplier of accepted SPIFFE IDs.
      Parameters:
      x509BundleSource - a BundleSource to provide the X.509 bundles
      acceptedSpiffeIdsSupplier - a Supplier to provide a set of SPIFFE IDs that are accepted
      Returns:
      an instance of a TrustManager wrapped in an array. The actual type returned is SpiffeTrustManager
    • engineInit

      protected void engineInit(KeyStore keyStore)
      Specified by:
      engineInit in class TrustManagerFactorySpi
    • engineInit

      protected void engineInit(ManagerFactoryParameters managerFactoryParameters)
      Specified by:
      engineInit in class TrustManagerFactorySpi
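The following is an added example, not code from the java-spiffe project, showing how the class description and the two-argument engineGetTrustManagers overload above fit together: the TrustManager is wired into an SSLContext with an explicit allow-list of peer SPIFFE IDs instead of relying on the 'ssl.spiffe.accept' or 'ssl.spiffe.acceptAll' properties. It assumes DefaultX509Source.newSource() from java-spiffe-core (which reads the Workload API socket from the environment and implements BundleSource<X509Bundle>) and SpiffeId.parse(String); the SPIFFE ID and port are constructed sample values.

```java
import io.spiffe.bundle.BundleSource;
import io.spiffe.bundle.x509bundle.X509Bundle;
import io.spiffe.provider.SpiffeTrustManagerFactory;
import io.spiffe.spiffeid.SpiffeId;
import io.spiffe.workloadapi.DefaultX509Source;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManager;
import java.util.Set;
import java.util.function.Supplier;

public class SpiffeTrustManagerExample {

    // Constructed sample value: the only peer identity this service will accept.
    static final Set<SpiffeId> ACCEPTED_PEERS =
            Set.of(SpiffeId.parse("spiffe://example.org/frontend"));

    // Builds an SSLContext whose peer validation is done by SpiffeTrustManager
    // against the given bundle source and allow-list supplier.
    static SSLContext buildSslContext(BundleSource<X509Bundle> bundleSource,
                                      Supplier<Set<SpiffeId>> acceptedSpiffeIds)
            throws Exception {
        // This overload takes the supplier directly, so which SPIFFE IDs are
        // trusted is decided in code rather than by a JVM system property.
        SpiffeTrustManagerFactory factory = new SpiffeTrustManagerFactory();
        TrustManager[] trustManagers =
                factory.engineGetTrustManagers(bundleSource, acceptedSpiffeIds);

        // Key managers (this workload's own SVID) are left null here; a real
        // deployment supplies them so the peer can validate us in turn.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustManagers, null);
        return sslContext;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: connects to the Workload API and keeps bundles refreshed.
        DefaultX509Source x509Source = DefaultX509Source.newSource();

        // A Supplier rather than a fixed Set: the allow-list can be swapped at
        // runtime without rebuilding the SSLContext.
        SSLContext sslContext = buildSslContext(x509Source, () -> ACCEPTED_PEERS);

        // Client authentication must be required, otherwise the SPIFFE ID check
        // never runs for inbound connections.
        try (SSLServerSocket server = (SSLServerSocket)
                sslContext.getServerSocketFactory().createServerSocket(8443)) {
            server.setNeedClientAuth(true);
            server.accept().close();   // accept one handshake, then exit
        }
    }
}
```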