Merge pull request #33355 from vespa-engine/mortent/ssl-ctx-multiple-ids

Support ssl context with multiple key/cert pairs
vespa-engine · Feb 19, 2025 · 47a9e40 · 47a9e40
2 parents eb400fd + 31b4812
commit 47a9e40
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
@@ -68,9 +68,22 @@ public SslContextBuilder withKeyStore(PrivateKey privateKey, X509Certificate cer
     }
 
     public SslContextBuilder withKeyStore(PrivateKey privateKey, List<X509Certificate> certificates) {
-        char[] pwd = new char[0];
-        this.keyStoreSupplier = () -> KeyStoreBuilder.withType(KeyStoreType.JKS).withKeyEntry("default", privateKey, certificates).build();
-        this.keyStorePassword = pwd;
+        return withKeyStore(List.of(new X509CertificateWithKey(certificates, privateKey)));
+    }
+
+    public SslContextBuilder withKeyStore(List<X509CertificateWithKey> clientCertificatesAndKeys) {
+        if (clientCertificatesAndKeys.isEmpty()) {
+            throw new IllegalArgumentException("clientCertificatesAndKeys cannot be empty");
+        }
+        this.keyStoreSupplier = () -> {
+            KeyStoreBuilder keyStore = KeyStoreBuilder.withType(KeyStoreType.JKS);
+            for (int i = 0; i < clientCertificatesAndKeys.size(); i++) {
+                X509CertificateWithKey certWithKey = clientCertificatesAndKeys.get(i);
+                keyStore = keyStore.withKeyEntry("key"+i, certWithKey.privateKey(), certWithKey.certificate());
+            }
+            return keyStore.build();
+        };
+        this.keyStorePassword = new char[0];
         return this;
     }