001/* 002 * Copyright 2008-2020 Ping Identity Corporation 003 * All Rights Reserved. 004 */ 005/* 006 * Copyright 2008-2020 Ping Identity Corporation 007 * 008 * Licensed under the Apache License, Version 2.0 (the "License"); 009 * you may not use this file except in compliance with the License. 010 * You may obtain a copy of the License at 011 * 012 * http://www.apache.org/licenses/LICENSE-2.0 013 * 014 * Unless required by applicable law or agreed to in writing, software 015 * distributed under the License is distributed on an "AS IS" BASIS, 016 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 017 * See the License for the specific language governing permissions and 018 * limitations under the License. 019 */ 020/* 021 * Copyright (C) 2008-2020 Ping Identity Corporation 022 * 023 * This program is free software; you can redistribute it and/or modify 024 * it under the terms of the GNU General Public License (GPLv2 only) 025 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only) 026 * as published by the Free Software Foundation. 027 * 028 * This program is distributed in the hope that it will be useful, 029 * but WITHOUT ANY WARRANTY; without even the implied warranty of 030 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 031 * GNU General Public License for more details. 032 * 033 * You should have received a copy of the GNU General Public License 034 * along with this program; if not, see <http://www.gnu.org/licenses>. 035 */ 036package com.unboundid.util.ssl; 037 038 039 040import java.io.Serializable; 041import java.security.cert.CertificateException; 042import java.security.cert.X509Certificate; 043import java.util.Date; 044import javax.net.ssl.X509TrustManager; 045 046import com.unboundid.util.NotMutable; 047import com.unboundid.util.ThreadSafety; 048import com.unboundid.util.ThreadSafetyLevel; 049 050 051 052/** 053 * This class provides an SSL trust manager which will blindly trust any 054 * certificate that is presented to it, although it may optionally reject 055 * certificates that are expired or not yet valid. It can be convenient for 056 * testing purposes, but it is recommended that production environments use 057 * trust managers that perform stronger validation. 058 */ 059@NotMutable() 060@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE) 061public final class TrustAllTrustManager 062 implements X509TrustManager, Serializable 063{ 064 /** 065 * A pre-allocated empty certificate array. 066 */ 067 private static final X509Certificate[] NO_CERTIFICATES = 068 new X509Certificate[0]; 069 070 071 072 /** 073 * The serial version UID for this serializable class. 074 */ 075 private static final long serialVersionUID = -1295254056169520318L; 076 077 078 079 // Indicates whether to automatically trust expired or not-yet-valid 080 // certificates. 081 private final boolean examineValidityDates; 082 083 084 085 /** 086 * Creates a new instance of this trust all trust manager that will trust 087 * any certificate, including certificates that are expired or not yet valid. 088 */ 089 public TrustAllTrustManager() 090 { 091 examineValidityDates = false; 092 } 093 094 095 096 /** 097 * Creates a new instance of this trust all trust manager that will trust 098 * any certificate, potentially excluding certificates that are expired or not 099 * yet valid. 100 * 101 * @param examineValidityDates Indicates whether to reject certificates if 102 * the current time is outside the validity 103 * window for the certificate. 104 */ 105 public TrustAllTrustManager(final boolean examineValidityDates) 106 { 107 this.examineValidityDates = examineValidityDates; 108 } 109 110 111 112 /** 113 * Indicate whether to reject certificates if the current time is outside the 114 * validity window for the certificate. 115 * 116 * @return {@code true} if the certificate validity time should be examined 117 * and certificates should be rejected if they are expired or not 118 * yet valid, or {@code false} if certificates should be accepted 119 * even outside of the validity window. 120 */ 121 public boolean examineValidityDates() 122 { 123 return examineValidityDates; 124 } 125 126 127 128 /** 129 * Checks to determine whether the provided client certificate chain should be 130 * trusted. A certificate will only be rejected (by throwing a 131 * {@link CertificateException}) if certificate validity dates should be 132 * examined and the certificate or any of its issuers is outside of the 133 * validity window. 134 * 135 * @param chain The client certificate chain for which to make the 136 * determination. 137 * @param authType The authentication type based on the client certificate. 138 * 139 * @throws CertificateException If the provided client certificate chain 140 * should not be trusted. 141 */ 142 @Override() 143 public void checkClientTrusted(final X509Certificate[] chain, 144 final String authType) 145 throws CertificateException 146 { 147 if (examineValidityDates) 148 { 149 final Date currentDate = new Date(); 150 151 for (final X509Certificate c : chain) 152 { 153 c.checkValidity(currentDate); 154 } 155 } 156 } 157 158 159 160 /** 161 * Checks to determine whether the provided server certificate chain should be 162 * trusted. A certificate will only be rejected (by throwing a 163 * {@link CertificateException}) if certificate validity dates should be 164 * examined and the certificate or any of its issuers is outside of the 165 * validity window. 166 * 167 * @param chain The server certificate chain for which to make the 168 * determination. 169 * @param authType The key exchange algorithm used. 170 * 171 * @throws CertificateException If the provided server certificate chain 172 * should not be trusted. 173 */ 174 @Override() 175 public void checkServerTrusted(final X509Certificate[] chain, 176 final String authType) 177 throws CertificateException 178 { 179 if (examineValidityDates) 180 { 181 final Date currentDate = new Date(); 182 183 for (final X509Certificate c : chain) 184 { 185 c.checkValidity(currentDate); 186 } 187 } 188 } 189 190 191 192 /** 193 * Retrieves the accepted issuer certificates for this trust manager. This 194 * will always return an empty array. 195 * 196 * @return The accepted issuer certificates for this trust manager. 197 */ 198 @Override() 199 public X509Certificate[] getAcceptedIssuers() 200 { 201 return NO_CERTIFICATES; 202 } 203}