Add support to pick the server cert by specified alias

msm1992 · msm1992 · commit 2d373958b1d7 · 2025-11-12T11:27:45.000+05:30
diff --git a/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/config/AliasBasedKeyManager.java b/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/config/AliasBasedKeyManager.java
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2025, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.synapse.transport.nhttp.config;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedKeyManager;
+import javax.net.ssl.X509KeyManager;
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+
+/**
+ * Custom X509KeyManager that selects a specific alias for client and server certificates
+ */
+public class AliasBasedKeyManager extends X509ExtendedKeyManager {
+    private final X509KeyManager keyManager;
+    private final String preferredKeyAlias;
+
+    public AliasBasedKeyManager(X509KeyManager keyManager, String preferredKeyAlias) {
+        this.keyManager = keyManager;
+        this.preferredKeyAlias = preferredKeyAlias;
+    }
+
+    @Override
+    public String[] getClientAliases(String keyType, Principal[] issuers) {
+        return keyManager.getClientAliases(keyType, issuers);
+    }
+
+    @Override
+    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
+        return keyManager.chooseClientAlias(keyType, issuers, socket);
+    }
+
+    @Override
+    public String[] getServerAliases(String keyType, Principal[] issuers) {
+        return keyManager.getServerAliases(keyType, issuers);
+    }
+
+    @Override
+    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+        String[] aliases = keyManager.getServerAliases(keyType, issuers);
+        if (aliases != null && Arrays.asList(aliases).contains(preferredKeyAlias)) {
+            return preferredKeyAlias;
+        }
+        return keyManager.chooseServerAlias(keyType, issuers, socket);
+    }
+
+    @Override
+    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
+        return chooseServerAlias(keyType, issuers, (Socket) null);
+    }
+
+    @Override
+    public X509Certificate[] getCertificateChain(String alias) {
+        return keyManager.getCertificateChain(alias);
+    }
+
+    @Override
+    public PrivateKey getPrivateKey(String alias) {
+        return keyManager.getPrivateKey(alias);
+    }
+}
diff --git a/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/config/ServerConnFactoryBuilder.java b/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/config/ServerConnFactoryBuilder.java
@@ -126,6 +126,8 @@ protected SSLContextDetails createSSLContext(
             String type          = getValueOfElementWithLocalName(keyStoreEl,"Type");
             OMElement storePasswordEl = keyStoreEl.getFirstChildWithName(new QName("Password"));
             OMElement keyPasswordEl = keyStoreEl.getFirstChildWithName(new QName("KeyPassword"));
+            OMElement aliasEl = keyStoreEl.getFirstChildWithName(new QName("ServerCertificateAlias"));
+            String requiredAlias = aliasEl != null ? StringUtils.trimToNull(aliasEl.getText()) : null;
             if (storePasswordEl == null) {
                 throw new AxisFault("Cannot proceed because Password element is missing in KeyStore");
             }
@@ -148,7 +150,17 @@ protected SSLContextDetails createSSLContext(
                 KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(
                         KeyManagerFactory.getDefaultAlgorithm());
                 kmfactory.init(keyStore, keyPassword.toCharArray());
-                keymanagers = kmfactory.getKeyManagers();
+                if (requiredAlias != null) {
+                    KeyManager[] keyManagers = kmfactory.getKeyManagers();
+                    for (int i = 0; i < keyManagers.length; i++) {
+                        if (keyManagers[i] instanceof X509KeyManager) {
+                            keyManagers[i] = new AliasBasedKeyManager((X509KeyManager) keyManagers[i], requiredAlias);
+                        }
+                    }
+                    keymanagers = keyManagers;
+                } else {
+                    keymanagers = kmfactory.getKeyManagers();
+                }
                 if (log.isInfoEnabled() && keymanagers != null) {
                     for (KeyManager keymanager: keymanagers) {
                         if (keymanager instanceof X509KeyManager) {
