1 /*
2 * Licensed to the Apache Software Foundation (ASF) under one or more
3 * contributor license agreements. See the NOTICE file distributed with
4 * this work for additional information regarding copyright ownership.
5 * The ASF licenses this file to You under the Apache License, Version 2.0
6 * (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 *
9 * https://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18 package org.apache.commons.net.util;
19
20 import java.security.GeneralSecurityException;
21 import java.security.KeyStore;
22 import java.security.cert.CertificateException;
23 import java.security.cert.X509Certificate;
24
25 import javax.net.ssl.TrustManagerFactory;
26 import javax.net.ssl.X509TrustManager;
27
28 /**
29 * TrustManager utilities for generating TrustManagers.
30 *
31 * @since 3.0
32 */
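public final class TrustManagerUtils {

    /**
     * Minimal {@link X509TrustManager} whose only optional check is the validity period of the server certificates.
     * <p>
     * Instances carry a single immutable flag and no other state, so they are safe to share between threads and connections.
     * </p>
     */
    private static final class TrustManager implements X509TrustManager {

        /** When {@code true}, {@link #checkServerTrusted} enforces each server certificate's validity dates. */
        private final boolean checkServerValidity;

        TrustManager(final boolean checkServerValidity) {
            this.checkServerValidity = checkServerValidity;
        }

        /**
         * Accepts every client certificate chain; never generates a CertificateException.
         *
         * @param certificates the peer certificate chain, ignored
         * @param authType the authentication type, ignored
         */
        @Override
        public void checkClientTrusted(final X509Certificate[] certificates, final String authType) {
            // empty
        }

        /**
         * Checks each server certificate's validity period when {@code checkServerValidity} is set; otherwise accepts the chain as is.
         * <p>
         * Only the {@code notBefore}/{@code notAfter} dates are examined. The chain is not verified against any trust anchor, certificate
         * signatures are not checked, and no host name verification is performed.
         * </p>
         *
         * @param certificates the peer certificate chain
         * @param authType the authentication type, ignored
         * @throws CertificateException if validity checking is enabled and a certificate is expired or not yet valid
         */
        @Override
        public void checkServerTrusted(final X509Certificate[] certificates, final String authType) throws CertificateException {
            if (checkServerValidity) {
                for (final X509Certificate certificate : certificates) {
                    certificate.checkValidity();
                }
            }
        }

        /**
         * @return an empty array of certificates; this trust manager has no trust anchors of its own
         */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return NetConstants.EMPTY_X509_CERTIFICATE_ARRAY;
        }
    }

    /** Shared instance that accepts any certificate chain without inspection. */
    private static final X509TrustManager ACCEPT_ALL = new TrustManager(false);

    /** Shared instance that enforces the validity dates of server certificates only. */
    private static final X509TrustManager CHECK_SERVER_VALIDITY = new TrustManager(true);

    /**
     * Generate a TrustManager that performs no checks.
     * <p>
     * The returned instance accepts every server and client certificate chain. Using it disables server authentication, so the connection
     * is not protected against a peer presenting a forged or otherwise untrusted certificate.
     * </p>
     *
     * @return the TrustManager
     */
    public static X509TrustManager getAcceptAllTrustManager() {
        return ACCEPT_ALL;
    }

    /**
     * Return the default TrustManager provided by the JVM.
     * <p>
     * This should be the same as the default used by
     * {@link javax.net.ssl.SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], java.security.SecureRandom) SSLContext#init(KeyManager[],
     * TrustManager[], SecureRandom)} when the TrustManager parameter is set to {@code null}
     * </p>
     *
     * @param keyStore the KeyStore to use, may be {@code null}
     * @return the default TrustManager
     * @throws GeneralSecurityException if an error occurs, including when the default algorithm yields no {@link X509TrustManager}
     */
    public static X509TrustManager getDefaultTrustManager(final KeyStore keyStore) throws GeneralSecurityException {
        final String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        final TrustManagerFactory instance = TrustManagerFactory.getInstance(defaultAlgorithm);
        instance.init(keyStore);
        // Select the first X509TrustManager rather than blindly casting element 0, so a factory that returns no
        // X.509 manager surfaces as the documented GeneralSecurityException instead of an unchecked cast/index failure.
        // The nested class above shadows javax.net.ssl.TrustManager, hence the fully qualified loop variable type.
        for (final javax.net.ssl.TrustManager trustManager : instance.getTrustManagers()) {
            if (trustManager instanceof X509TrustManager) {
                return (X509TrustManager) trustManager;
            }
        }
        throw new GeneralSecurityException("No X509TrustManager available for algorithm " + defaultAlgorithm);
    }

    /**
     * Generate a TrustManager that checks server certificates for validity, but otherwise performs no checks.
     * <p>
     * "Validity" here means only the certificate's {@code notBefore}/{@code notAfter} dates; the chain is not verified against any trust
     * anchor and no host name verification is performed.
     * </p>
     *
     * @return the validating TrustManager
     */
    public static X509TrustManager getValidateServerCertificateTrustManager() {
        return CHECK_SERVER_VALIDITY;
    }

    /**
     * Deprecated.
     *
     * @deprecated Will be removed in 2.0.
     */
    @Deprecated
    public TrustManagerUtils() {
        // empty
    }

}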