001 /* 002 * Copyright 2008-2015 UnboundID Corp. 003 * All Rights Reserved. 004 */ 005 /* 006 * Copyright (C) 2008-2015 UnboundID Corp. 007 * 008 * This program is free software; you can redistribute it and/or modify 009 * it under the terms of the GNU General Public License (GPLv2 only) 010 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only) 011 * as published by the Free Software Foundation. 012 * 013 * This program is distributed in the hope that it will be useful, 014 * but WITHOUT ANY WARRANTY; without even the implied warranty of 015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 016 * GNU General Public License for more details. 017 * 018 * You should have received a copy of the GNU General Public License 019 * along with this program; if not, see <http://www.gnu.org/licenses>. 020 */ 021 package com.unboundid.util.ssl; 022 023 024 025 import java.io.Serializable; 026 import java.security.cert.CertificateException; 027 import java.security.cert.X509Certificate; 028 import java.util.Date; 029 import javax.net.ssl.X509TrustManager; 030 031 032 033 034 /** 035 * This class provides an SSL trust manager which will blindly trust any 036 * certificate that is presented to it, although it may optionally reject 037 * certificates that are expired or not yet valid. It can be convenient for 038 * testing purposes, but it is recommended that production environments use 039 * trust managers that perform stronger validation. 040 */ 041 public final class TrustAllTrustManager 042 implements X509TrustManager, Serializable 043 { 044 /** 045 * The serial version UID for this serializable class. 046 */ 047 private static final long serialVersionUID = -1295254056169520318L; 048 049 050 051 // Indicates whether to automatically trust expired or not-yet-valid 052 // certificates. 053 private final boolean examineValidityDates; 054 055 056 057 /** 058 * Creates a new instance of this trust all trust manager that will trust 059 * any certificate, including certificates that are expired or not yet valid. 060 */ 061 public TrustAllTrustManager() 062 { 063 examineValidityDates = false; 064 } 065 066 067 068 /** 069 * Creates a new instance of this trust all trust manager that will trust 070 * any certificate, potentially excluding certificates that are expired or not 071 * yet valid. 072 * 073 * @param examineValidityDates Indicates whether to reject certificates if 074 * the current time is outside the validity 075 * window for the certificate. 076 */ 077 public TrustAllTrustManager(final boolean examineValidityDates) 078 { 079 this.examineValidityDates = examineValidityDates; 080 } 081 082 083 084 /** 085 * Indicate whether to reject certificates if the current time is outside the 086 * validity window for the certificate. 087 * 088 * @return {@code true} if the certificate validity time should be examined 089 * and certificates should be rejected if they are expired or not 090 * yet valid, or {@code false} if certificates should be accepted 091 * even outside of the validity window. 092 */ 093 public boolean examineValidityDates() 094 { 095 return examineValidityDates; 096 } 097 098 099 100 /** 101 * Checks to determine whether the provided client certificate chain should be 102 * trusted. A certificate will only be rejected (by throwing a 103 * {@code CertificateException}) if certificate validity dates should be 104 * examined and the certificate or any of its issuers is outside of the 105 * validity window. 106 * 107 * @param chain The client certificate chain for which to make the 108 * determination. 109 * @param authType The authentication type based on the client certificate. 110 * 111 * @throws CertificateException If the provided client certificate chain 112 * should not be trusted. 113 */ 114 public void checkClientTrusted(final X509Certificate[] chain, 115 final String authType) 116 throws CertificateException 117 { 118 if (examineValidityDates) 119 { 120 final Date currentDate = new Date(); 121 122 for (final X509Certificate c : chain) 123 { 124 c.checkValidity(currentDate); 125 } 126 } 127 } 128 129 130 131 /** 132 * Checks to determine whether the provided server certificate chain should be 133 * trusted. A certificate will only be rejected (by throwing a 134 * {@code CertificateException}) if certificate validity dates should be 135 * examined and the certificate or any of its issuers is outside of the 136 * validity window. 137 * 138 * @param chain The server certificate chain for which to make the 139 * determination. 140 * @param authType The key exchange algorithm used. 141 * 142 * @throws CertificateException If the provided server certificate chain 143 * should not be trusted. 144 */ 145 public void checkServerTrusted(final X509Certificate[] chain, 146 final String authType) 147 throws CertificateException 148 { 149 if (examineValidityDates) 150 { 151 final Date currentDate = new Date(); 152 153 for (final X509Certificate c : chain) 154 { 155 c.checkValidity(currentDate); 156 } 157 } 158 } 159 160 161 162 /** 163 * Retrieves the accepted issuer certificates for this trust manager. This 164 * will always return an empty array. 165 * 166 * @return The accepted issuer certificates for this trust manager. 167 */ 168 public X509Certificate[] getAcceptedIssuers() 169 { 170 return new X509Certificate[0]; 171 } 172 }