--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/java.base/share/classes/javax/net/ssl/X509KeyManager.java	Tue Sep 12 19:03:39 2017 +0200
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package javax.net.ssl;
+
+import java.security.PrivateKey;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.net.Socket;
+
+/**
+ * Instances of this interface manage which X509 certificate-based
+ * key pairs are used to authenticate the local side of a secure
+ * socket.
+ * <P>
+ * During secure socket negotiations, implementations
+ * call methods in this interface to:
+ * <UL>
+ * <LI> determine the set of aliases that are available for negotiations
+ *      based on the criteria presented,
+ * <LI> select the <i> best alias</i> based on
+ *      the criteria presented, and
+ * <LI> obtain the corresponding key material for given aliases.
+ * </UL>
+ * <P>
+ * Note: the X509ExtendedKeyManager should be used in favor of this
+ * class.
+ *
+ * @since 1.4
+ */
+public interface X509KeyManager extends KeyManager {
+    /**
+     * Get the matching aliases for authenticating the client side of a secure
+     * socket given the public key type and the list of
+     * certificate issuer authorities recognized by the peer (if any).
+     *
+     * @param keyType the key algorithm type name
+     * @param issuers the list of acceptable CA issuer subject names,
+     *          or null if it does not matter which issuers are used.
+     * @return an array of the matching alias names, or null if there
+     *          were no matches.
+     */
+    public String[] getClientAliases(String keyType, Principal[] issuers);
+
+    /**
+     * Choose an alias to authenticate the client side of a secure
+     * socket given the public key type and the list of
+     * certificate issuer authorities recognized by the peer (if any).
+     *
+     * @param keyType the key algorithm type name(s), ordered
+     *          with the most-preferred key type first.
+     * @param issuers the list of acceptable CA issuer subject names
+     *           or null if it does not matter which issuers are used.
+     * @param socket the socket to be used for this connection.  This
+     *          parameter can be null, which indicates that
+     *          implementations are free to select an alias applicable
+     *          to any socket.
+     * @return the alias name for the desired key, or null if there
+     *          are no matches.
+     */
+    public String chooseClientAlias(String[] keyType, Principal[] issuers,
+        Socket socket);
+
+    /**
+     * Get the matching aliases for authenticating the server side of a secure
+     * socket given the public key type and the list of
+     * certificate issuer authorities recognized by the peer (if any).
+     *
+     * @param keyType the key algorithm type name
+     * @param issuers the list of acceptable CA issuer subject names
+     *          or null if it does not matter which issuers are used.
+     * @return an array of the matching alias names, or null
+     *          if there were no matches.
+     */
+    public String[] getServerAliases(String keyType, Principal[] issuers);
+
+    /**
+     * Choose an alias to authenticate the server side of a secure
+     * socket given the public key type and the list of
+     * certificate issuer authorities recognized by the peer (if any).
+     *
+     * @param keyType the key algorithm type name.
+     * @param issuers the list of acceptable CA issuer subject names
+     *          or null if it does not matter which issuers are used.
+     * @param socket the socket to be used for this connection.  This
+     *          parameter can be null, which indicates that
+     *          implementations are free to select an alias applicable
+     *          to any socket.
+     * @return the alias name for the desired key, or null if there
+     *          are no matches.
+     */
+    public String chooseServerAlias(String keyType, Principal[] issuers,
+        Socket socket);
+
+    /**
+     * Returns the certificate chain associated with the given alias.
+     *
+     * @param alias the alias name
+     * @return the certificate chain (ordered with the user's certificate first
+     *          and the root certificate authority last), or null
+     *          if the alias can't be found.
+     */
+    public X509Certificate[] getCertificateChain(String alias);
+
+    /**
+     * Returns the key associated with the given alias.
+     *
+     * @param alias the alias name
+     * @return the requested key, or null if the alias can't be found.
+     */
+    public PrivateKey getPrivateKey(String alias);
+}