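/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.commons.net.util;

import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * TrustManager utilities for generating TrustManagers.
 * <p>
 * Two of the managers returned here deliberately perform no PKIX path validation:
 * {@link #getAcceptAllTrustManager()} accepts every chain, and
 * {@link #getValidateServerCertificateTrustManager()} only checks the validity period of each
 * certificate in the chain. Neither verifies signatures, trust anchors or host names, so neither
 * authenticates the peer. Only {@link #getDefaultTrustManager(KeyStore)} applies the JVM's standard
 * chain validation.
 *
 * @since 3.0
 */
public final class TrustManagerUtils {

    /**
     * Minimal {@link X509TrustManager} that either accepts everything or only checks each server
     * certificate's validity dates, depending on the flag given at construction.
     */
    private static final class TrustManager implements X509TrustManager {

        /** When {@code true}, {@link #checkServerTrusted} calls {@link X509Certificate#checkValidity()} on each certificate. */
        private final boolean checkServerValidity;

        TrustManager(final boolean checkServerValidity) {
            this.checkServerValidity = checkServerValidity;
        }

        /**
         * Accepts any client chain; never generates a CertificateException.
         */
        @Override
        public void checkClientTrusted(final X509Certificate[] certificates, final String authType) {
            // Intentionally empty: no client authentication is performed by this manager.
        }

        /**
         * Checks the validity period of each certificate in the chain when configured to do so;
         * performs no other check (no signature, trust-anchor or host name verification).
         *
         * @param certificates the peer certificate chain
         * @param authType the key exchange algorithm used (ignored)
         * @throws CertificateException if validity checking is enabled and a certificate is expired or not yet valid
         */
        @Override
        public void checkServerTrusted(final X509Certificate[] certificates, final String authType) throws CertificateException {
            if (checkServerValidity) {
                for (final X509Certificate certificate : certificates) {
                    // Throws CertificateExpiredException / CertificateNotYetValidException, both CertificateExceptions.
                    certificate.checkValidity();
                }
            }
        }

        /**
         * @return an empty array of certificates
         */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return NetConstants.EMPTY_X509_CERTIFICATE_ARRAY;
        }
    }

    // Both managers are stateless, so one shared instance of each is sufficient.
    private static final X509TrustManager ACCEPT_ALL = new TrustManager(false);

    private static final X509TrustManager CHECK_SERVER_VALIDITY = new TrustManager(true);

    /**
     * Generate a TrustManager that performs no checks.
     * <p>
     * Every certificate chain is accepted, so the TLS peer is not authenticated by this manager.
     *
     * @return the TrustManager
     */
    public static X509TrustManager getAcceptAllTrustManager() {
        return ACCEPT_ALL;
    }

    /**
     * Return the default TrustManager provided by the JVM.
     * <p>
     * This should be the same as the default used by
     * {@link javax.net.ssl.SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], java.security.SecureRandom) SSLContext#init(KeyManager[],
     * TrustManager[], SecureRandom)} when the TrustManager parameter is set to {@code null}.
     * <p>
     * The first {@link X509TrustManager} produced by the default {@link TrustManagerFactory} is returned; the
     * factory's other managers, if any, are ignored.
     *
     * @param keyStore the KeyStore to use, may be {@code null} (the JVM's default trust store is then used)
     * @return the default TrustManager
     * @throws GeneralSecurityException if an error occurs, or if the factory yields no {@link X509TrustManager}
     */
    public static X509TrustManager getDefaultTrustManager(final KeyStore keyStore) throws GeneralSecurityException {
        final String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        final TrustManagerFactory factory = TrustManagerFactory.getInstance(defaultAlgorithm);
        factory.init(keyStore);
        // Select explicitly rather than casting element [0]: an empty array or a non-X509 first entry
        // would otherwise surface as an unchecked ArrayIndexOutOfBounds/ClassCastException.
        // The nested TrustManager class shadows javax.net.ssl.TrustManager, hence the qualified name.
        for (final javax.net.ssl.TrustManager trustManager : factory.getTrustManagers()) {
            if (trustManager instanceof X509TrustManager) {
                return (X509TrustManager) trustManager;
            }
        }
        throw new GeneralSecurityException("No X509TrustManager available for algorithm " + defaultAlgorithm);
    }

    /**
     * Generate a TrustManager that checks server certificates for validity, but otherwise performs no checks.
     * <p>
     * Only the validity period of each certificate is checked; the chain's signatures, trust anchor and host name
     * are not verified.
     *
     * @return the validating TrustManager
     */
    public static X509TrustManager getValidateServerCertificateTrustManager() {
        return CHECK_SERVER_VALIDITY;
    }

}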