001/*
002 * Copyright 2008-2014 UnboundID Corp.
003 * All Rights Reserved.
004 */
005/*
006 * Copyright (C) 2008-2014 UnboundID Corp.
007 *
008 * This program is free software; you can redistribute it and/or modify
009 * it under the terms of the GNU General Public License (GPLv2 only)
010 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
011 * as published by the Free Software Foundation.
012 *
013 * This program is distributed in the hope that it will be useful,
014 * but WITHOUT ANY WARRANTY; without even the implied warranty of
015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
016 * GNU General Public License for more details.
017 *
018 * You should have received a copy of the GNU General Public License
019 * along with this program; if not, see <http://www.gnu.org/licenses>.
020 */
021package com.unboundid.util.ssl;
022
023
024
025import java.io.Serializable;
026import java.security.cert.CertificateException;
027import java.security.cert.X509Certificate;
028import java.util.Date;
029import javax.net.ssl.X509TrustManager;
030
031import com.unboundid.util.NotMutable;
032import com.unboundid.util.ThreadSafety;
033import com.unboundid.util.ThreadSafetyLevel;
034
035
036
037/**
038 * This class provides an SSL trust manager which will blindly trust any
039 * certificate that is presented to it, although it may optionally reject
040 * certificates that are expired or not yet valid.  It can be convenient for
041 * testing purposes, but it is recommended that production environments use
042 * trust managers that perform stronger validation.
043 */
044@NotMutable()
045@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
046public final class TrustAllTrustManager
047       implements X509TrustManager, Serializable
048{
049  /**
050   * The serial version UID for this serializable class.
051   */
052  private static final long serialVersionUID = -1295254056169520318L;
053
054
055
056  // Indicates whether to automatically trust expired or not-yet-valid
057  // certificates.
058  private final boolean examineValidityDates;
059
060
061
062  /**
063   * Creates a new instance of this trust all trust manager that will trust
064   * any certificate, including certificates that are expired or not yet valid.
065   */
066  public TrustAllTrustManager()
067  {
068    examineValidityDates = false;
069  }
070
071
072
073  /**
074   * Creates a new instance of this trust all trust manager that will trust
075   * any certificate, potentially excluding certificates that are expired or not
076   * yet valid.
077   *
078   * @param  examineValidityDates  Indicates whether to reject certificates if
079   *                               the current time is outside the validity
080   *                               window for the certificate.
081   */
082  public TrustAllTrustManager(final boolean examineValidityDates)
083  {
084    this.examineValidityDates = examineValidityDates;
085  }
086
087
088
089  /**
090   * Indicate whether to reject certificates if the current time is outside the
091   * validity window for the certificate.
092   *
093   * @return  {@code true} if the certificate validity time should be examined
094   *          and certificates should be rejected if they are expired or not
095   *          yet valid, or {@code false} if certificates should be accepted
096   *          even outside of the validity window.
097   */
098  public boolean examineValidityDates()
099  {
100    return examineValidityDates;
101  }
102
103
104
105  /**
106   * Checks to determine whether the provided client certificate chain should be
107   * trusted.  A certificate will only be rejected (by throwing a
108   * {@link CertificateException}) if certificate validity dates should be
109   * examined and the certificate or any of its issuers is outside of the
110   * validity window.
111   *
112   * @param  chain     The client certificate chain for which to make the
113   *                   determination.
114   * @param  authType  The authentication type based on the client certificate.
115   *
116   * @throws  CertificateException  If the provided client certificate chain
117   *                                should not be trusted.
118   */
119  public void checkClientTrusted(final X509Certificate[] chain,
120                                 final String authType)
121         throws CertificateException
122  {
123    if (examineValidityDates)
124    {
125      final Date currentDate = new Date();
126
127      for (final X509Certificate c : chain)
128      {
129        c.checkValidity(currentDate);
130      }
131    }
132  }
133
134
135
136  /**
137   * Checks to determine whether the provided server certificate chain should be
138   * trusted.  A certificate will only be rejected (by throwing a
139   * {@link CertificateException}) if certificate validity dates should be
140   * examined and the certificate or any of its issuers is outside of the
141   * validity window.
142   *
143   * @param  chain     The server certificate chain for which to make the
144   *                   determination.
145   * @param  authType  The key exchange algorithm used.
146   *
147   * @throws  CertificateException  If the provided server certificate chain
148   *                                should not be trusted.
149   */
150  public void checkServerTrusted(final X509Certificate[] chain,
151                                 final String authType)
152         throws CertificateException
153  {
154    if (examineValidityDates)
155    {
156      final Date currentDate = new Date();
157
158      for (final X509Certificate c : chain)
159      {
160        c.checkValidity(currentDate);
161      }
162    }
163  }
164
165
166
167  /**
168   * Retrieves the accepted issuer certificates for this trust manager.  This
169   * will always return an empty array.
170   *
171   * @return  The accepted issuer certificates for this trust manager.
172   */
173  public X509Certificate[] getAcceptedIssuers()
174  {
175    return new X509Certificate[0];
176  }
177}