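/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.commons.net.util;

import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * TrustManager utilities for generating TrustManagers.
 * <p>
 * Two of the factory methods here return trust managers that intentionally do <em>not</em> perform the
 * chain-of-trust verification a normal TLS client relies on; see {@link #getAcceptAllTrustManager()} and
 * {@link #getValidateServerCertificateTrustManager()} for exactly what each one checks. For production
 * connections {@link #getDefaultTrustManager(KeyStore)} is the one that performs full PKIX validation.
 *
 * @since 3.0
 */
public final class TrustManagerUtils {

    /**
     * Minimal {@link X509TrustManager} that either accepts every chain, or accepts every chain whose
     * certificates are all inside their notBefore/notAfter window.
     * <p>
     * Note: this nested class shadows {@code javax.net.ssl.TrustManager}, so that interface must be
     * referred to by its fully-qualified name inside the enclosing class.
     * <p>
     * Instances are immutable (a single {@code final boolean}) and therefore safe to share across threads.
     */
    private static final class TrustManager implements X509TrustManager {

        /** When {@code true}, {@link #checkServerTrusted} calls {@link X509Certificate#checkValidity()} on each certificate. */
        private final boolean checkServerValidity;

        TrustManager(final boolean checkServerValidity) {
            this.checkServerValidity = checkServerValidity;
        }

        /**
         * Never generates a CertificateException: every client certificate chain is accepted as-is.
         *
         * @param certificates the presented chain, ignored
         * @param authType the key exchange algorithm, ignored
         */
        @Override
        public void checkClientTrusted(final X509Certificate[] certificates, final String authType) {
            // empty
        }

        /**
         * Checks only the validity period of each certificate in the chain, and only when this instance
         * was created with {@code checkServerValidity == true}. No signature, chain-to-trust-anchor,
         * revocation or host name verification is performed by this class.
         *
         * @param certificates the presented chain
         * @param authType the key exchange algorithm, ignored
         * @throws CertificateException if validity checking is enabled and any certificate is expired or not yet valid
         */
        @Override
        public void checkServerTrusted(final X509Certificate[] certificates, final String authType) throws CertificateException {
            if (checkServerValidity) {
                for (final X509Certificate certificate : certificates) {
                    // checkValidity() throws CertificateExpiredException / CertificateNotYetValidException,
                    // both subclasses of CertificateException.
                    certificate.checkValidity();
                }
            }
        }

        /**
         * @return an empty array of certificates; this trust manager advertises no trusted issuers
         */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return NetConstants.EMPTY_X509_CERTIFICATE_ARRAY;
        }
    }

    private static final X509TrustManager ACCEPT_ALL = new TrustManager(false);

    private static final X509TrustManager CHECK_SERVER_VALIDITY = new TrustManager(true);

    /**
     * Generate a TrustManager that performs no checks.
     * <p>
     * Any certificate chain, including a self-signed or attacker-supplied one, is accepted, so a
     * connection using this trust manager has no protection against an interposed peer. Intended for
     * testing or for explicitly opt-in, non-verifying use only.
     *
     * @return the TrustManager
     */
    public static X509TrustManager getAcceptAllTrustManager() {
        return ACCEPT_ALL;
    }

    /**
     * Return the default TrustManager provided by the JVM.
     * <p>
     * This should be the same as the default used by
     * {@link javax.net.ssl.SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], java.security.SecureRandom) SSLContext#init(KeyManager[],
     * TrustManager[], SecureRandom)} when the TrustManager parameter is set to {@code null}
     * <p>
     * The factory is queried for the first {@link X509TrustManager} it provides rather than blindly
     * casting element {@code [0]}, so a provider that returns an empty array or a non-X509 manager
     * first surfaces as a {@link GeneralSecurityException} instead of a runtime exception.
     *
     * @param keyStore the KeyStore to use, may be {@code null}
     * @return the default TrustManager
     * @throws GeneralSecurityException if an error occurs, or if the factory provides no X509TrustManager
     */
    public static X509TrustManager getDefaultTrustManager(final KeyStore keyStore) throws GeneralSecurityException {
        final String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        final TrustManagerFactory factory = TrustManagerFactory.getInstance(defaultAlgorithm);
        factory.init(keyStore);
        // Fully-qualified: the nested class above shadows javax.net.ssl.TrustManager.
        for (final javax.net.ssl.TrustManager manager : factory.getTrustManagers()) {
            if (manager instanceof X509TrustManager) {
                return (X509TrustManager) manager;
            }
        }
        throw new GeneralSecurityException("No X509TrustManager available for algorithm " + defaultAlgorithm);
    }

    /**
     * Generate a TrustManager that checks server certificates for validity, but otherwise performs no checks.
     * <p>
     * "Validity" here means only that each certificate in the presented chain is within its
     * notBefore/notAfter window ({@link X509Certificate#checkValidity()}). Signatures, the chain's
     * trust anchor, revocation status and the host name are not verified, so this does not protect
     * against an interposed peer presenting its own, currently-valid certificate.
     *
     * @return the validating TrustManager
     */
    public static X509TrustManager getValidateServerCertificateTrustManager() {
        return CHECK_SERVER_VALIDITY;
    }

    /**
     * Deprecated.
     *
     * @deprecated Will be removed in 2.0.
     */
    @Deprecated
    public TrustManagerUtils() {
        // empty
    }

}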