001/*
002 * Copyright 2012-2014 UnboundID Corp.
003 * All Rights Reserved.
004 */
005/*
006 * Copyright (C) 2012-2014 UnboundID Corp.
007 *
008 * This program is free software; you can redistribute it and/or modify
009 * it under the terms of the GNU General Public License (GPLv2 only)
010 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
011 * as published by the Free Software Foundation.
012 *
013 * This program is distributed in the hope that it will be useful,
014 * but WITHOUT ANY WARRANTY; without even the implied warranty of
015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
016 * GNU General Public License for more details.
017 *
018 * You should have received a copy of the GNU General Public License
019 * along with this program; if not, see <http://www.gnu.org/licenses>.
020 */
021package com.unboundid.util.ssl;
022
023
024
025import java.security.cert.CertificateException;
026import java.security.cert.X509Certificate;
027import java.util.Date;
028import javax.net.ssl.X509TrustManager;
029import javax.security.auth.x500.X500Principal;
030
031import com.unboundid.util.NotMutable;
032import com.unboundid.util.ThreadSafety;
033import com.unboundid.util.ThreadSafetyLevel;
034
035import static com.unboundid.util.ssl.SSLMessages.*;
036
037
038
039/**
040 * This class provides an SSL trust manager that merely checks to see whether
041 * a presented certificate is currently within its validity time window (i.e.,
042 * the current time is not earlier than the certificate's notBefore timestamp
043 * and not later than the certificate's notAfter timestamp).
044 * <BR><BR>
045 * Note that no other elements of the certificate are examined, so it is
046 * strongly recommended that this trust manager be used in an
047 * {@link AggregateTrustManager} in conjunction with other trust managers that
048 * perform other forms of validation.
049 */
050@NotMutable()
051@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
052public final class ValidityDateTrustManager
053       implements X509TrustManager
054{
055  /**
056   * A pre-allocated empty certificate array.
057   */
058  private static final X509Certificate[] NO_CERTIFICATES =
059       new X509Certificate[0];
060
061
062
063  /**
064   * Creates a new validity date trust manager.
065   */
066  public ValidityDateTrustManager()
067  {
068    // No implementation is required.
069  }
070
071
072
073  /**
074   * Checks to determine whether the provided client certificate chain should be
075   * trusted.
076   *
077   * @param  chain     The client certificate chain for which to make the
078   *                   determination.
079   * @param  authType  The authentication type based on the client certificate.
080   *
081   * @throws  CertificateException  If the provided client certificate chain
082   *                                should not be trusted.
083   */
084  public void checkClientTrusted(final X509Certificate[] chain,
085                                 final String authType)
086         throws CertificateException
087  {
088    checkCertificateValidity(chain[0]);
089  }
090
091
092
093  /**
094   * Checks to determine whether the provided server certificate chain should be
095   * trusted.
096   *
097   * @param  chain     The server certificate chain for which to make the
098   *                   determination.
099   * @param  authType  The key exchange algorithm used.
100   *
101   * @throws  CertificateException  If the provided server certificate chain
102   *                                should not be trusted.
103   */
104  public void checkServerTrusted(final X509Certificate[] chain,
105                                 final String authType)
106         throws CertificateException
107  {
108    checkCertificateValidity(chain[0]);
109  }
110
111
112
113  /**
114   * Checks the provided certificate to determine whether the current time is
115   * within the certificate's validity window.
116   *
117   * @param  c  The certificate to be checked.
118   *
119   * @throws  CertificateException  If the presented certificate is outside the
120   *                                validity window.
121   */
122  private static void checkCertificateValidity(final X509Certificate c)
123         throws CertificateException
124  {
125    final Date currentTime = new Date();
126    final Date notBefore   = c.getNotBefore();
127    final Date notAfter    = c.getNotAfter();
128
129    if (currentTime.before(notBefore))
130    {
131      throw new CertificateException(ERR_VALIDITY_TOO_EARLY.get(
132           c.getSubjectX500Principal().getName(X500Principal.RFC2253),
133           String.valueOf(notBefore)));
134    }
135
136    if (currentTime.after(c.getNotAfter()))
137    {
138      throw new CertificateException(ERR_VALIDITY_TOO_LATE.get(
139           c.getSubjectX500Principal().getName(X500Principal.RFC2253),
140           String.valueOf(notAfter)));
141    }
142  }
143
144
145
146  /**
147   * Retrieves the accepted issuer certificates for this trust manager.  This
148   * will always return an empty array.
149   *
150   * @return  The accepted issuer certificates for this trust manager.
151   */
152  public X509Certificate[] getAcceptedIssuers()
153  {
154    return NO_CERTIFICATES;
155  }
156}