001/* 002 * Copyright 2008-2018 Ping Identity Corporation 003 * All Rights Reserved. 004 */ 005/* 006 * Copyright (C) 2008-2018 Ping Identity Corporation 007 * 008 * This program is free software; you can redistribute it and/or modify 009 * it under the terms of the GNU General Public License (GPLv2 only) 010 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only) 011 * as published by the Free Software Foundation. 012 * 013 * This program is distributed in the hope that it will be useful, 014 * but WITHOUT ANY WARRANTY; without even the implied warranty of 015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 016 * GNU General Public License for more details. 017 * 018 * You should have received a copy of the GNU General Public License 019 * along with this program; if not, see <http://www.gnu.org/licenses>. 020 */ 021package com.unboundid.util.ssl; 022 023 024 025import java.io.Serializable; 026import java.security.cert.CertificateException; 027import java.security.cert.X509Certificate; 028import java.util.Date; 029import javax.net.ssl.X509TrustManager; 030 031import com.unboundid.util.NotMutable; 032import com.unboundid.util.ThreadSafety; 033import com.unboundid.util.ThreadSafetyLevel; 034 035 036 037/** 038 * This class provides an SSL trust manager which will blindly trust any 039 * certificate that is presented to it, although it may optionally reject 040 * certificates that are expired or not yet valid. It can be convenient for 041 * testing purposes, but it is recommended that production environments use 042 * trust managers that perform stronger validation. 043 */ 044@NotMutable() 045@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE) 046public final class TrustAllTrustManager 047 implements X509TrustManager, Serializable 048{ 049 /** 050 * A pre-allocated empty certificate array. 051 */ 052 private static final X509Certificate[] NO_CERTIFICATES = 053 new X509Certificate[0]; 054 055 056 057 /** 058 * The serial version UID for this serializable class. 059 */ 060 private static final long serialVersionUID = -1295254056169520318L; 061 062 063 064 // Indicates whether to automatically trust expired or not-yet-valid 065 // certificates. 066 private final boolean examineValidityDates; 067 068 069 070 /** 071 * Creates a new instance of this trust all trust manager that will trust 072 * any certificate, including certificates that are expired or not yet valid. 073 */ 074 public TrustAllTrustManager() 075 { 076 examineValidityDates = false; 077 } 078 079 080 081 /** 082 * Creates a new instance of this trust all trust manager that will trust 083 * any certificate, potentially excluding certificates that are expired or not 084 * yet valid. 085 * 086 * @param examineValidityDates Indicates whether to reject certificates if 087 * the current time is outside the validity 088 * window for the certificate. 089 */ 090 public TrustAllTrustManager(final boolean examineValidityDates) 091 { 092 this.examineValidityDates = examineValidityDates; 093 } 094 095 096 097 /** 098 * Indicate whether to reject certificates if the current time is outside the 099 * validity window for the certificate. 100 * 101 * @return {@code true} if the certificate validity time should be examined 102 * and certificates should be rejected if they are expired or not 103 * yet valid, or {@code false} if certificates should be accepted 104 * even outside of the validity window. 105 */ 106 public boolean examineValidityDates() 107 { 108 return examineValidityDates; 109 } 110 111 112 113 /** 114 * Checks to determine whether the provided client certificate chain should be 115 * trusted. A certificate will only be rejected (by throwing a 116 * {@link CertificateException}) if certificate validity dates should be 117 * examined and the certificate or any of its issuers is outside of the 118 * validity window. 119 * 120 * @param chain The client certificate chain for which to make the 121 * determination. 122 * @param authType The authentication type based on the client certificate. 123 * 124 * @throws CertificateException If the provided client certificate chain 125 * should not be trusted. 126 */ 127 @Override() 128 public void checkClientTrusted(final X509Certificate[] chain, 129 final String authType) 130 throws CertificateException 131 { 132 if (examineValidityDates) 133 { 134 final Date currentDate = new Date(); 135 136 for (final X509Certificate c : chain) 137 { 138 c.checkValidity(currentDate); 139 } 140 } 141 } 142 143 144 145 /** 146 * Checks to determine whether the provided server certificate chain should be 147 * trusted. A certificate will only be rejected (by throwing a 148 * {@link CertificateException}) if certificate validity dates should be 149 * examined and the certificate or any of its issuers is outside of the 150 * validity window. 151 * 152 * @param chain The server certificate chain for which to make the 153 * determination. 154 * @param authType The key exchange algorithm used. 155 * 156 * @throws CertificateException If the provided server certificate chain 157 * should not be trusted. 158 */ 159 @Override() 160 public void checkServerTrusted(final X509Certificate[] chain, 161 final String authType) 162 throws CertificateException 163 { 164 if (examineValidityDates) 165 { 166 final Date currentDate = new Date(); 167 168 for (final X509Certificate c : chain) 169 { 170 c.checkValidity(currentDate); 171 } 172 } 173 } 174 175 176 177 /** 178 * Retrieves the accepted issuer certificates for this trust manager. This 179 * will always return an empty array. 180 * 181 * @return The accepted issuer certificates for this trust manager. 182 */ 183 @Override() 184 public X509Certificate[] getAcceptedIssuers() 185 { 186 return NO_CERTIFICATES; 187 } 188}