/*
 * Copyright 2008-2024 Ping Identity Corporation
 * All Rights Reserved.
 */
/*
 * Copyright 2008-2024 Ping Identity Corporation
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
/*
 * Copyright (C) 2008-2024 Ping Identity Corporation
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License (GPLv2 only)
 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses>.
 */
package com.unboundid.util.ssl;



import java.io.Serializable;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.X509TrustManager;

import com.unboundid.util.NotMutable;
import com.unboundid.util.NotNull;
import com.unboundid.util.ThreadSafety;
import com.unboundid.util.ThreadSafetyLevel;



/**
 * An {@link X509TrustManager} that accepts every certificate chain handed to
 * it.  The only check it can be configured to make is whether each
 * certificate in the chain is inside its validity window.
 * <BR><BR>
 * This class does not verify signatures, does not compare issuers against
 * any trust store, and makes no attempt to tie a certificate to the peer it
 * was expected to come from.  A connection negotiated with this trust manager
 * is therefore encrypted but not authenticated: whichever party answers the
 * handshake is accepted, whatever certificate it presents.  Turning on
 * validity-date checking does not change that, because a self-issued
 * certificate with current dates still passes.
 * <BR><BR>
 * It is intended as a convenience for testing.  Production environments
 * should use a trust manager that performs real validation.
 */
@NotMutable()
@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
public final class TrustAllTrustManager
       implements X509TrustManager, Serializable
{
  /**
   * Shared zero-length array returned by {@link #getAcceptedIssuers()}.  A
   * zero-length array has no elements to modify, so handing out the same
   * instance to every caller is safe.
   */
  @NotNull private static final X509Certificate[] NO_CERTIFICATES =
       new X509Certificate[0];



  /**
   * The serial version UID for this serializable class.
   */
  private static final long serialVersionUID = -1295254056169520318L;



  // When true, a certificate whose validity window does not contain the
  // current time is rejected.  When false, validity dates are ignored and
  // every certificate is accepted.
  private final boolean examineValidityDates;



  /**
   * Creates a trust manager that accepts any certificate, including ones that
   * are expired or not yet valid.
   */
  public TrustAllTrustManager()
  {
    this(false);
  }



  /**
   * Creates a trust manager that accepts any certificate, optionally
   * rejecting those that are expired or not yet valid.
   *
   * @param  examineValidityDates  {@code true} to reject a certificate when
   *                               the current time falls outside its validity
   *                               window, or {@code false} to ignore validity
   *                               dates altogether.
   */
  public TrustAllTrustManager(final boolean examineValidityDates)
  {
    this.examineValidityDates = examineValidityDates;
  }



  /**
   * Reports whether this trust manager rejects certificates that are outside
   * their validity window.
   *
   * @return  {@code true} if expired and not-yet-valid certificates are
   *          rejected, or {@code false} if validity dates are ignored.
   */
  public boolean examineValidityDates()
  {
    return examineValidityDates;
  }



  /**
   * Decides whether a client certificate chain is accepted.  The chain is
   * rejected only when validity-date checking is enabled and at least one
   * certificate in it is expired or not yet valid.  No other property of the
   * chain is inspected.
   *
   * @param  chain     The client certificate chain to evaluate.
   * @param  authType  The authentication type based on the client
   *                   certificate.  It is not used.
   *
   * @throws  CertificateException  If validity-date checking is enabled and a
   *                                certificate in the chain is outside its
   *                                validity window.
   */
  @Override()
  public void checkClientTrusted(@NotNull final X509Certificate[] chain,
                                 @NotNull final String authType)
         throws CertificateException
  {
    enforceValidityWindow(chain);
  }



  /**
   * Decides whether a server certificate chain is accepted.  The chain is
   * rejected only when validity-date checking is enabled and at least one
   * certificate in it is expired or not yet valid.  No other property of the
   * chain is inspected.
   *
   * @param  chain     The server certificate chain to evaluate.
   * @param  authType  The key exchange algorithm used.  It is not used.
   *
   * @throws  CertificateException  If validity-date checking is enabled and a
   *                                certificate in the chain is outside its
   *                                validity window.
   */
  @Override()
  public void checkServerTrusted(@NotNull final X509Certificate[] chain,
                                 @NotNull final String authType)
         throws CertificateException
  {
    enforceValidityWindow(chain);
  }



  /**
   * Retrieves the accepted issuer certificates for this trust manager.  The
   * result is always an empty array.
   *
   * @return  An empty array.
   */
  @Override()
  @NotNull()
  public X509Certificate[] getAcceptedIssuers()
  {
    return NO_CERTIFICATES;
  }



  /**
   * Applies the one check this class can perform, shared by the client and
   * server paths.  When validity-date checking is disabled the chain is not
   * touched at all.
   *
   * @param  chain  The certificate chain to evaluate.
   *
   * @throws  CertificateException  If validity-date checking is enabled and a
   *                                certificate in the chain is outside its
   *                                validity window.
   */
  private void enforceValidityWindow(@NotNull final X509Certificate[] chain)
          throws CertificateException
  {
    if (! examineValidityDates)
    {
      return;
    }

    // Take one timestamp up front so that every certificate in the chain is
    // judged against the same instant.
    final Date now = new Date();
    for (final X509Certificate certificate : chain)
    {
      certificate.checkValidity(now);
    }
  }
}