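/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.commons.net.util;

import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * TrustManager utilities for generating TrustManagers.
 * <p>
 * The managers returned by {@link #getAcceptAllTrustManager()} and {@link #getValidateServerCertificateTrustManager()}
 * do not verify the certificate chain against any trust anchor, nor check signatures or host names; only
 * {@link #getDefaultTrustManager(KeyStore)} delegates to the JVM's certificate path validation.
 * </p>
 *
 * @since 3.0
 */
public final class TrustManagerUtils {

    /**
     * A permissive trust manager that trusts every peer. When {@code checkServerValidity} is set it additionally checks
     * that each server certificate is within its validity period; it never performs chain or host-name validation.
     */
    private static final class TrustManager implements X509TrustManager {

        // When true, checkServerTrusted verifies the validity dates of every certificate in the chain.
        private final boolean checkServerValidity;

        TrustManager(final boolean checkServerValidity) {
            this.checkServerValidity = checkServerValidity;
        }

        /**
         * Accepts any client chain; never generates a CertificateException.
         */
        @Override
        public void checkClientTrusted(final X509Certificate[] certificates, final String authType) {
            // empty: client certificates are not examined at all
        }

        /**
         * Accepts the server chain, optionally checking the validity dates of each certificate. No trust-anchor,
         * signature or host-name verification is performed.
         *
         * @param certificates the server certificate chain
         * @param authType the key exchange algorithm (unused)
         * @throws IllegalArgumentException if validity checking is enabled and the chain is {@code null} or empty, as
         *         required by the {@link X509TrustManager} contract
         * @throws CertificateException if validity checking is enabled and a certificate is expired or not yet valid
         */
        @Override
        public void checkServerTrusted(final X509Certificate[] certificates, final String authType) throws CertificateException {
            if (!checkServerValidity) {
                return;
            }
            // A null chain previously raised NullPointerException and an empty chain was silently accepted,
            // which makes a "validating" manager vacuous; reject both explicitly.
            if (certificates == null || certificates.length == 0) {
                throw new IllegalArgumentException("Certificate chain is null or empty");
            }
            for (final X509Certificate certificate : certificates) {
                certificate.checkValidity();
            }
        }

        /**
         * @return an empty array of certificates
         */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return NetConstants.EMPTY_X509_CERTIFICATE_ARRAY;
        }
    }

    private static final X509TrustManager ACCEPT_ALL = new TrustManager(false);

    private static final X509TrustManager CHECK_SERVER_VALIDITY = new TrustManager(true);

    /**
     * Generate a TrustManager that performs no checks: every client and server certificate is accepted.
     *
     * @return the TrustManager
     */
    public static X509TrustManager getAcceptAllTrustManager() {
        return ACCEPT_ALL;
    }

    /**
     * Return the default TrustManager provided by the JVM.
     * <p>
     * This should be the same as the default used by
     * {@link javax.net.ssl.SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], java.security.SecureRandom) SSLContext#init(KeyManager[],
     * TrustManager[], SecureRandom)} when the TrustManager parameter is set to {@code null}
     * </p>
     *
     * @param keyStore the KeyStore to use, may be {@code null}
     * @return the default TrustManager
     * @throws GeneralSecurityException if an error occurs, including when the factory yields no X509TrustManager
     */
    public static X509TrustManager getDefaultTrustManager(final KeyStore keyStore) throws GeneralSecurityException {
        final String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        final TrustManagerFactory factory = TrustManagerFactory.getInstance(defaultAlgorithm);
        factory.init(keyStore);
        // Select the first X509TrustManager instead of casting element 0 unconditionally, which could fail with
        // ClassCastException or ArrayIndexOutOfBoundsException for an unusual provider.
        // Fully qualified to avoid clashing with the private nested TrustManager class.
        for (final javax.net.ssl.TrustManager trustManager : factory.getTrustManagers()) {
            if (trustManager instanceof X509TrustManager) {
                return (X509TrustManager) trustManager;
            }
        }
        throw new GeneralSecurityException("No X509TrustManager available for algorithm " + defaultAlgorithm);
    }

    /**
     * Generate a TrustManager that checks server certificates for validity (not expired, not yet valid), but otherwise
     * performs no checks.
     *
     * @return the validating TrustManager
     */
    public static X509TrustManager getValidateServerCertificateTrustManager() {
        return CHECK_SERVER_VALIDITY;
    }

    /**
     * Deprecated.
     *
     * @deprecated Will be removed in 2.0.
     */
    @Deprecated
    public TrustManagerUtils() {
        // empty
    }

}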