001/*
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017
018package org.apache.commons.net.util;
019
020import java.security.GeneralSecurityException;
021import java.security.KeyStore;
022import java.security.cert.CertificateException;
023import java.security.cert.X509Certificate;
024
025import javax.net.ssl.TrustManagerFactory;
026import javax.net.ssl.X509TrustManager;
027
028/**
029 * TrustManager utilities for generating TrustManagers.
030 *
031 * @since 3.0
032 */
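public final class TrustManagerUtils {

    /** Shared, zero-length issuer list returned by the lenient trust managers defined below. */
    private static final X509Certificate[] EMPTY_X509CERTIFICATE_ARRAY = new X509Certificate[]{};

    /**
     * A lenient {@link X509TrustManager}.
     * <p>
     * It never builds or verifies a certificate chain and never consults a trust store.
     * The only check it can perform is the date validity of each presented server
     * certificate, and only when constructed with {@code checkServerValidity == true}.
     * Instances hold a single {@code final} flag and are therefore safe to share
     * between threads.
     */
    private static class TrustManager implements X509TrustManager {

        /** When {@code true}, {@link #checkServerTrusted} calls {@link X509Certificate#checkValidity()} on each certificate. */
        private final boolean checkServerValidity;

        TrustManager(boolean checkServerValidity) {
            this.checkServerValidity = checkServerValidity;
        }

        /**
         * Accepts any client certificate chain; never throws a {@link CertificateException}.
         */
        @Override
        public void checkClientTrusted(X509Certificate[] certificates, String authType) {
            // Intentionally empty: client certificates are not examined at all.
        }

        /**
         * Checks the date validity of every server certificate when this instance was
         * configured to do so; otherwise accepts any chain.
         * <p>
         * No chain building, signature verification or trust-anchor lookup is performed
         * in either mode, so an otherwise arbitrary certificate that is merely within its
         * validity period is accepted.
         *
         * @throws CertificateException if a certificate is expired or not yet valid
         *         (propagated from {@link X509Certificate#checkValidity()})
         */
        @Override
        public void checkServerTrusted(X509Certificate[] certificates, String authType)
                throws CertificateException {
            if (!checkServerValidity) {
                return;
            }
            for (X509Certificate certificate : certificates) {
                certificate.checkValidity();
            }
        }

        /**
         * @return an empty array, i.e. this manager advertises no trusted issuers
         */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return EMPTY_X509CERTIFICATE_ARRAY;
        }
    }

    /** Singleton that accepts every certificate chain without any check. */
    private static final X509TrustManager ACCEPT_ALL = new TrustManager(false);

    /** Singleton that only checks server certificates for date validity. */
    private static final X509TrustManager CHECK_SERVER_VALIDITY = new TrustManager(true);

    /**
     * Generate a TrustManager that performs no checks.
     * <p>
     * The returned manager does not verify the certificate chain, signature, trust
     * anchor or validity period of any certificate, so a connection using it is
     * encrypted but the peer is not authenticated; it offers no protection against
     * an active man-in-the-middle. Intended for testing or for environments where
     * the peer is authenticated by other means. The same instance is returned on
     * every call.
     *
     * @return the TrustManager
     */
    public static X509TrustManager getAcceptAllTrustManager() {
        return ACCEPT_ALL;
    }

    /**
     * Generate a TrustManager that checks server certificates for validity,
     * but otherwise performs no checks.
     * <p>
     * "Validity" here means only the not-before / not-after dates of each certificate
     * ({@link X509Certificate#checkValidity()}); the chain, signature and trust anchor
     * are still not verified, so this manager does not authenticate the peer either.
     * The same instance is returned on every call.
     *
     * @return the validating TrustManager
     */
    public static X509TrustManager getValidateServerCertificateTrustManager() {
        return CHECK_SERVER_VALIDITY;
    }

    /**
     * Return the default TrustManager provided by the JVM.
     * <p>
     * This should be the same as the default used by
     *  {@link javax.net.ssl.SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], java.security.SecureRandom)
     * SSLContext#init(KeyManager[], TrustManager[], SecureRandom)}
     * when the TrustManager parameter is set to {@code null}.
     * <p>
     * The factory is obtained for {@link TrustManagerFactory#getDefaultAlgorithm()} and
     * initialised with {@code keyStore}; a {@code null} key store leaves the choice of
     * trust store to the provider (typically the JVM's default trust store). The first
     * manager that implements {@link X509TrustManager} is returned; the provider's array
     * is no longer assumed to be non-empty or to start with an X.509 manager.
     *
     * @param keyStore the KeyStore to use, may be {@code null}
     * @return the default TrustManager
     * @throws GeneralSecurityException if the factory cannot be created or initialised,
     *         or if it supplies no {@link X509TrustManager}
     */
    public static X509TrustManager getDefaultTrustManager(KeyStore keyStore) throws GeneralSecurityException {
        String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory factory = TrustManagerFactory.getInstance(defaultAlgorithm);
        factory.init(keyStore);
        // Fully-qualified because the nested class above shadows the simple name TrustManager.
        for (javax.net.ssl.TrustManager manager : factory.getTrustManagers()) {
            if (manager instanceof X509TrustManager) {
                return (X509TrustManager) manager;
            }
        }
        throw new GeneralSecurityException(
                "No X509TrustManager available from TrustManagerFactory for algorithm " + defaultAlgorithm);
    }

}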