001    /*
002     * Copyright 2008-2016 UnboundID Corp.
003     * All Rights Reserved.
004     */
005    /*
006     * Copyright (C) 2008-2016 UnboundID Corp.
007     *
008     * This program is free software; you can redistribute it and/or modify
009     * it under the terms of the GNU General Public License (GPLv2 only)
010     * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
011     * as published by the Free Software Foundation.
012     *
013     * This program is distributed in the hope that it will be useful,
014     * but WITHOUT ANY WARRANTY; without even the implied warranty of
015     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
016     * GNU General Public License for more details.
017     *
018     * You should have received a copy of the GNU General Public License
019     * along with this program; if not, see <http://www.gnu.org/licenses>.
020     */
021    package com.unboundid.util.ssl;
022    
023    
024    
025    import java.io.Serializable;
026    import java.security.cert.CertificateException;
027    import java.security.cert.X509Certificate;
028    import java.util.Date;
029    import javax.net.ssl.X509TrustManager;
030    
031    
032    
033    
034    /**
035     * This class provides an SSL trust manager which will blindly trust any
036     * certificate that is presented to it, although it may optionally reject
037     * certificates that are expired or not yet valid.  It can be convenient for
038     * testing purposes, but it is recommended that production environments use
039     * trust managers that perform stronger validation.
040     */
041    public final class TrustAllTrustManager
042           implements X509TrustManager, Serializable
043    {
044      /**
045       * The serial version UID for this serializable class.
046       */
047      private static final long serialVersionUID = -1295254056169520318L;
048    
049    
050    
051      // Indicates whether to automatically trust expired or not-yet-valid
052      // certificates.
053      private final boolean examineValidityDates;
054    
055    
056    
057      /**
058       * Creates a new instance of this trust all trust manager that will trust
059       * any certificate, including certificates that are expired or not yet valid.
060       */
061      public TrustAllTrustManager()
062      {
063        examineValidityDates = false;
064      }
065    
066    
067    
068      /**
069       * Creates a new instance of this trust all trust manager that will trust
070       * any certificate, potentially excluding certificates that are expired or not
071       * yet valid.
072       *
073       * @param  examineValidityDates  Indicates whether to reject certificates if
074       *                               the current time is outside the validity
075       *                               window for the certificate.
076       */
077      public TrustAllTrustManager(final boolean examineValidityDates)
078      {
079        this.examineValidityDates = examineValidityDates;
080      }
081    
082    
083    
084      /**
085       * Indicate whether to reject certificates if the current time is outside the
086       * validity window for the certificate.
087       *
088       * @return  {@code true} if the certificate validity time should be examined
089       *          and certificates should be rejected if they are expired or not
090       *          yet valid, or {@code false} if certificates should be accepted
091       *          even outside of the validity window.
092       */
093      public boolean examineValidityDates()
094      {
095        return examineValidityDates;
096      }
097    
098    
099    
100      /**
101       * Checks to determine whether the provided client certificate chain should be
102       * trusted.  A certificate will only be rejected (by throwing a
103       * {@code CertificateException}) if certificate validity dates should be
104       * examined and the certificate or any of its issuers is outside of the
105       * validity window.
106       *
107       * @param  chain     The client certificate chain for which to make the
108       *                   determination.
109       * @param  authType  The authentication type based on the client certificate.
110       *
111       * @throws  CertificateException  If the provided client certificate chain
112       *                                should not be trusted.
113       */
114      public void checkClientTrusted(final X509Certificate[] chain,
115                                     final String authType)
116             throws CertificateException
117      {
118        if (examineValidityDates)
119        {
120          final Date currentDate = new Date();
121    
122          for (final X509Certificate c : chain)
123          {
124            c.checkValidity(currentDate);
125          }
126        }
127      }
128    
129    
130    
131      /**
132       * Checks to determine whether the provided server certificate chain should be
133       * trusted.  A certificate will only be rejected (by throwing a
134       * {@code CertificateException}) if certificate validity dates should be
135       * examined and the certificate or any of its issuers is outside of the
136       * validity window.
137       *
138       * @param  chain     The server certificate chain for which to make the
139       *                   determination.
140       * @param  authType  The key exchange algorithm used.
141       *
142       * @throws  CertificateException  If the provided server certificate chain
143       *                                should not be trusted.
144       */
145      public void checkServerTrusted(final X509Certificate[] chain,
146                                     final String authType)
147             throws CertificateException
148      {
149        if (examineValidityDates)
150        {
151          final Date currentDate = new Date();
152    
153          for (final X509Certificate c : chain)
154          {
155            c.checkValidity(currentDate);
156          }
157        }
158      }
159    
160    
161    
162      /**
163       * Retrieves the accepted issuer certificates for this trust manager.  This
164       * will always return an empty array.
165       *
166       * @return  The accepted issuer certificates for this trust manager.
167       */
168      public X509Certificate[] getAcceptedIssuers()
169      {
170        return new X509Certificate[0];
171      }
172    }