001    /*
002     * Copyright 2008-2015 UnboundID Corp.
003     * All Rights Reserved.
004     */
005    /*
006     * Copyright (C) 2008-2015 UnboundID Corp.
007     *
008     * This program is free software; you can redistribute it and/or modify
009     * it under the terms of the GNU General Public License (GPLv2 only)
010     * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
011     * as published by the Free Software Foundation.
012     *
013     * This program is distributed in the hope that it will be useful,
014     * but WITHOUT ANY WARRANTY; without even the implied warranty of
015     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
016     * GNU General Public License for more details.
017     *
018     * You should have received a copy of the GNU General Public License
019     * along with this program; if not, see <http://www.gnu.org/licenses>.
020     */
021    package com.unboundid.util.ssl;
022    
023    
024    
025    import java.io.Serializable;
026    import java.security.cert.CertificateException;
027    import java.security.cert.X509Certificate;
028    import java.util.Date;
029    import javax.net.ssl.X509TrustManager;
030    
031    import com.unboundid.util.NotMutable;
032    import com.unboundid.util.ThreadSafety;
033    import com.unboundid.util.ThreadSafetyLevel;
034    
035    
036    
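/**
 * This class provides an SSL trust manager which will blindly trust any
 * certificate that is presented to it, although it may optionally reject
 * certificates that are expired or not yet valid.  It can be convenient for
 * testing purposes, but it is recommended that production environments use
 * trust managers that perform stronger validation.
 * <BR><BR>
 * Security note:  this trust manager never verifies the certificate
 * signature, the issuer, the subject or hostname, or the revocation status of
 * any certificate in the chain.  Any peer, including an active
 * man-in-the-middle presenting a self-signed certificate, will therefore be
 * accepted.  A TLS session established with this trust manager still encrypts
 * traffic, but it does not authenticate the remote peer.  The optional
 * validity-date check only rejects certificates whose notBefore/notAfter
 * window does not contain the current time; it adds no authentication.
 */
@NotMutable()
@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
public final class TrustAllTrustManager
       implements X509TrustManager, Serializable
{
  /**
   * The serial version UID for this serializable class.
   */
  private static final long serialVersionUID = -1295254056169520318L;



  // Indicates whether certificates should be rejected when the current time is
  // outside their validity window.  When false, expired and not-yet-valid
  // certificates are accepted along with everything else.
  private final boolean examineValidityDates;



  /**
   * Creates a new instance of this trust all trust manager that will trust
   * any certificate, including certificates that are expired or not yet valid.
   */
  public TrustAllTrustManager()
  {
    this(false);
  }



  /**
   * Creates a new instance of this trust all trust manager that will trust
   * any certificate, potentially excluding certificates that are expired or not
   * yet valid.
   *
   * @param  examineValidityDates  Indicates whether to reject certificates if
   *                               the current time is outside the validity
   *                               window for the certificate.
   */
  public TrustAllTrustManager(final boolean examineValidityDates)
  {
    this.examineValidityDates = examineValidityDates;
  }



  /**
   * Indicate whether to reject certificates if the current time is outside the
   * validity window for the certificate.
   *
   * @return  {@code true} if the certificate validity time should be examined
   *          and certificates should be rejected if they are expired or not
   *          yet valid, or {@code false} if certificates should be accepted
   *          even outside of the validity window.
   */
  public boolean examineValidityDates()
  {
    return examineValidityDates;
  }



  /**
   * Checks to determine whether the provided client certificate chain should be
   * trusted.  A certificate will only be rejected (by throwing a
   * {@link CertificateException}) if certificate validity dates should be
   * examined and the certificate or any of its issuers is outside of the
   * validity window.  No other property of the chain is examined.
   *
   * @param  chain     The client certificate chain for which to make the
   *                   determination.
   * @param  authType  The authentication type based on the client certificate.
   *                   It is not used by this implementation.
   *
   * @throws  CertificateException  If the provided client certificate chain
   *                                should not be trusted.
   */
  @Override()
  public void checkClientTrusted(final X509Certificate[] chain,
                                 final String authType)
         throws CertificateException
  {
    checkValidityDates(chain);
  }



  /**
   * Checks to determine whether the provided server certificate chain should be
   * trusted.  A certificate will only be rejected (by throwing a
   * {@link CertificateException}) if certificate validity dates should be
   * examined and the certificate or any of its issuers is outside of the
   * validity window.  No other property of the chain is examined.
   *
   * @param  chain     The server certificate chain for which to make the
   *                   determination.
   * @param  authType  The key exchange algorithm used.  It is not used by this
   *                   implementation.
   *
   * @throws  CertificateException  If the provided server certificate chain
   *                                should not be trusted.
   */
  @Override()
  public void checkServerTrusted(final X509Certificate[] chain,
                                 final String authType)
         throws CertificateException
  {
    checkValidityDates(chain);
  }



  /**
   * Applies the optional validity-date check shared by the client and server
   * trust decisions.  Does nothing unless validity dates should be examined.
   *
   * @param  chain  The certificate chain to examine.
   *
   * @throws  CertificateException  If validity dates should be examined and
   *                                any certificate in the chain is outside of
   *                                its validity window.
   */
  private void checkValidityDates(final X509Certificate[] chain)
          throws CertificateException
  {
    if (! examineValidityDates)
    {
      return;
    }

    // Take a single snapshot of the clock so that every certificate in the
    // chain is evaluated against the same instant.
    final Date now = new Date();

    for (final X509Certificate c : chain)
    {
      // checkValidity throws CertificateExpiredException or
      // CertificateNotYetValidException (both CertificateException subclasses)
      // when the supplied time falls outside the notBefore/notAfter window.
      c.checkValidity(now);
    }
  }



  /**
   * Retrieves the accepted issuer certificates for this trust manager.  This
   * will always return an empty array, because no issuer is treated as more
   * trusted than any other.  Note that a server using this trust manager for
   * client authentication will consequently advertise no acceptable CAs in
   * its certificate request, and some clients may then decline to send a
   * certificate at all.
   *
   * @return  The accepted issuer certificates for this trust manager.
   */
  @Override()
  public X509Certificate[] getAcceptedIssuers()
  {
    return new X509Certificate[0];
  }
}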