1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one or more
3 * contributor license agreements. See the NOTICE file distributed with
4 * this work for additional information regarding copyright ownership.
5 * The ASF licenses this file to You under the Apache License, Version 2.0
6 * (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18 package org.apache.commons.net.util;
19
20 import java.security.GeneralSecurityException;
21 import java.security.KeyStore;
22 import java.security.cert.CertificateException;
23 import java.security.cert.X509Certificate;
24
25 import javax.net.ssl.TrustManagerFactory;
26 import javax.net.ssl.X509TrustManager;
27
28 /**
29 * TrustManager utilities for generating TrustManagers.
30 *
31 * @since 3.0
32 */
33 public final class TrustManagerUtils {
34
35 private static class TrustManager implements X509TrustManager {
36
37 private final boolean checkServerValidity;
38
39 TrustManager(final boolean checkServerValidity) {
40 this.checkServerValidity = checkServerValidity;
41 }
42
43 /**
44 * Never generates a CertificateException.
45 */
46 @Override
47 public void checkClientTrusted(final X509Certificate[] certificates, final String authType) {
48 }
49
50 @Override
51 public void checkServerTrusted(final X509Certificate[] certificates, final String authType) throws CertificateException {
52 if (checkServerValidity) {
53 for (final X509Certificate certificate : certificates) {
54 certificate.checkValidity();
55 }
56 }
57 }
58
59 /**
60 * @return an empty array of certificates
61 */
62 @Override
63 public X509Certificate[] getAcceptedIssuers() {
64 return NetConstants.EMPTY_X509_CERTIFICATE_ARRAY;
65 }
66 }
67
68 private static final X509TrustManager ACCEPT_ALL = new TrustManager(false);
69
70 private static final X509TrustManager CHECK_SERVER_VALIDITY = new TrustManager(true);
71
72 /**
73 * Generate a TrustManager that performs no checks.
74 *
75 * @return the TrustManager
76 */
77 public static X509TrustManager getAcceptAllTrustManager() {
78 return ACCEPT_ALL;
79 }
80
81 /**
82 * Return the default TrustManager provided by the JVM.
83 * <p>
84 * This should be the same as the default used by
85 * {@link javax.net.ssl.SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], java.security.SecureRandom) SSLContext#init(KeyManager[],
86 * TrustManager[], SecureRandom)} when the TrustManager parameter is set to {@code null}
87 *
88 * @param keyStore the KeyStore to use, may be {@code null}
89 * @return the default TrustManager
90 * @throws GeneralSecurityException if an error occurs
91 */
92 public static X509TrustManager getDefaultTrustManager(final KeyStore keyStore) throws GeneralSecurityException {
93 final String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
94 final TrustManagerFactory instance = TrustManagerFactory.getInstance(defaultAlgorithm);
95 instance.init(keyStore);
96 return (X509TrustManager) instance.getTrustManagers()[0];
97 }
98
99 /**
100 * Generate a TrustManager that checks server certificates for validity, but otherwise performs no checks.
101 *
102 * @return the validating TrustManager
103 */
104 public static X509TrustManager getValidateServerCertificateTrustManager() {
105 return CHECK_SERVER_VALIDITY;
106 }
107
108 }