001    /*
002     * Copyright 2012-2016 UnboundID Corp.
003     * All Rights Reserved.
004     */
005    /*
006     * Copyright (C) 2012-2016 UnboundID Corp.
007     *
008     * This program is free software; you can redistribute it and/or modify
009     * it under the terms of the GNU General Public License (GPLv2 only)
010     * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
011     * as published by the Free Software Foundation.
012     *
013     * This program is distributed in the hope that it will be useful,
014     * but WITHOUT ANY WARRANTY; without even the implied warranty of
015     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
016     * GNU General Public License for more details.
017     *
018     * You should have received a copy of the GNU General Public License
019     * along with this program; if not, see <http://www.gnu.org/licenses>.
020     */
021    package com.unboundid.util.ssl;
022    
023    
024    
025    import java.security.cert.CertificateException;
026    import java.security.cert.X509Certificate;
027    import java.util.Date;
028    import javax.net.ssl.X509TrustManager;
029    import javax.security.auth.x500.X500Principal;
030    
031    import com.unboundid.util.NotMutable;
032    import com.unboundid.util.ThreadSafety;
033    import com.unboundid.util.ThreadSafetyLevel;
034    
035    import static com.unboundid.util.ssl.SSLMessages.*;
036    
037    
038    
039    /**
040     * This class provides an SSL trust manager that merely checks to see whether
041     * a presented certificate is currently within its validity time window (i.e.,
042     * the current time is not earlier than the certificate's notBefore timestamp
043     * and not later than the certificate's notAfter timestamp).
044     * <BR><BR>
045     * Note that no other elements of the certificate are examined, so it is
046     * strongly recommended that this trust manager be used in an
047     * {@link AggregateTrustManager} in conjunction with other trust managers that
048     * perform other forms of validation.
049     */
050    @NotMutable()
051    @ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
052    public final class ValidityDateTrustManager
053           implements X509TrustManager
054    {
055      /**
056       * A pre-allocated empty certificate array.
057       */
058      private static final X509Certificate[] NO_CERTIFICATES =
059           new X509Certificate[0];
060    
061    
062    
063      /**
064       * Creates a new validity date trust manager.
065       */
066      public ValidityDateTrustManager()
067      {
068        // No implementation is required.
069      }
070    
071    
072    
073      /**
074       * Checks to determine whether the provided client certificate chain should be
075       * trusted.
076       *
077       * @param  chain     The client certificate chain for which to make the
078       *                   determination.
079       * @param  authType  The authentication type based on the client certificate.
080       *
081       * @throws  CertificateException  If the provided client certificate chain
082       *                                should not be trusted.
083       */
084      public void checkClientTrusted(final X509Certificate[] chain,
085                                     final String authType)
086             throws CertificateException
087      {
088        checkCertificateValidity(chain[0]);
089      }
090    
091    
092    
093      /**
094       * Checks to determine whether the provided server certificate chain should be
095       * trusted.
096       *
097       * @param  chain     The server certificate chain for which to make the
098       *                   determination.
099       * @param  authType  The key exchange algorithm used.
100       *
101       * @throws  CertificateException  If the provided server certificate chain
102       *                                should not be trusted.
103       */
104      public void checkServerTrusted(final X509Certificate[] chain,
105                                     final String authType)
106             throws CertificateException
107      {
108        checkCertificateValidity(chain[0]);
109      }
110    
111    
112    
113      /**
114       * Checks the provided certificate to determine whether the current time is
115       * within the certificate's validity window.
116       *
117       * @param  c  The certificate to be checked.
118       *
119       * @throws  CertificateException  If the presented certificate is outside the
120       *                                validity window.
121       */
122      private static void checkCertificateValidity(final X509Certificate c)
123             throws CertificateException
124      {
125        final Date currentTime = new Date();
126        final Date notBefore   = c.getNotBefore();
127        final Date notAfter    = c.getNotAfter();
128    
129        if (currentTime.before(notBefore))
130        {
131          throw new CertificateException(ERR_VALIDITY_TOO_EARLY.get(
132               c.getSubjectX500Principal().getName(X500Principal.RFC2253),
133               String.valueOf(notBefore)));
134        }
135    
136        if (currentTime.after(c.getNotAfter()))
137        {
138          throw new CertificateException(ERR_VALIDITY_TOO_LATE.get(
139               c.getSubjectX500Principal().getName(X500Principal.RFC2253),
140               String.valueOf(notAfter)));
141        }
142      }
143    
144    
145    
146      /**
147       * Retrieves the accepted issuer certificates for this trust manager.  This
148       * will always return an empty array.
149       *
150       * @return  The accepted issuer certificates for this trust manager.
151       */
152      public X509Certificate[] getAcceptedIssuers()
153      {
154        return NO_CERTIFICATES;
155      }
156    }