001/* 002 * Copyright 2008-2014 UnboundID Corp. 003 * All Rights Reserved. 004 */ 005/* 006 * Copyright (C) 2008-2014 UnboundID Corp. 007 * 008 * This program is free software; you can redistribute it and/or modify 009 * it under the terms of the GNU General Public License (GPLv2 only) 010 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only) 011 * as published by the Free Software Foundation. 012 * 013 * This program is distributed in the hope that it will be useful, 014 * but WITHOUT ANY WARRANTY; without even the implied warranty of 015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 016 * GNU General Public License for more details. 017 * 018 * You should have received a copy of the GNU General Public License 019 * along with this program; if not, see <http://www.gnu.org/licenses>. 020 */ 021package com.unboundid.util.ssl; 022 023 024 025import java.io.Serializable; 026import java.security.cert.CertificateException; 027import java.security.cert.X509Certificate; 028import java.util.Date; 029import javax.net.ssl.X509TrustManager; 030 031import com.unboundid.util.NotMutable; 032import com.unboundid.util.ThreadSafety; 033import com.unboundid.util.ThreadSafetyLevel; 034 035 036 037/** 038 * This class provides an SSL trust manager which will blindly trust any 039 * certificate that is presented to it, although it may optionally reject 040 * certificates that are expired or not yet valid. It can be convenient for 041 * testing purposes, but it is recommended that production environments use 042 * trust managers that perform stronger validation. 043 */ 044@NotMutable() 045@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE) 046public final class TrustAllTrustManager 047 implements X509TrustManager, Serializable 048{ 049 /** 050 * The serial version UID for this serializable class. 051 */ 052 private static final long serialVersionUID = -1295254056169520318L; 053 054 055 056 // Indicates whether to automatically trust expired or not-yet-valid 057 // certificates. 058 private final boolean examineValidityDates; 059 060 061 062 /** 063 * Creates a new instance of this trust all trust manager that will trust 064 * any certificate, including certificates that are expired or not yet valid. 065 */ 066 public TrustAllTrustManager() 067 { 068 examineValidityDates = false; 069 } 070 071 072 073 /** 074 * Creates a new instance of this trust all trust manager that will trust 075 * any certificate, potentially excluding certificates that are expired or not 076 * yet valid. 077 * 078 * @param examineValidityDates Indicates whether to reject certificates if 079 * the current time is outside the validity 080 * window for the certificate. 081 */ 082 public TrustAllTrustManager(final boolean examineValidityDates) 083 { 084 this.examineValidityDates = examineValidityDates; 085 } 086 087 088 089 /** 090 * Indicate whether to reject certificates if the current time is outside the 091 * validity window for the certificate. 092 * 093 * @return {@code true} if the certificate validity time should be examined 094 * and certificates should be rejected if they are expired or not 095 * yet valid, or {@code false} if certificates should be accepted 096 * even outside of the validity window. 097 */ 098 public boolean examineValidityDates() 099 { 100 return examineValidityDates; 101 } 102 103 104 105 /** 106 * Checks to determine whether the provided client certificate chain should be 107 * trusted. A certificate will only be rejected (by throwing a 108 * {@link CertificateException}) if certificate validity dates should be 109 * examined and the certificate or any of its issuers is outside of the 110 * validity window. 111 * 112 * @param chain The client certificate chain for which to make the 113 * determination. 114 * @param authType The authentication type based on the client certificate. 115 * 116 * @throws CertificateException If the provided client certificate chain 117 * should not be trusted. 118 */ 119 public void checkClientTrusted(final X509Certificate[] chain, 120 final String authType) 121 throws CertificateException 122 { 123 if (examineValidityDates) 124 { 125 final Date currentDate = new Date(); 126 127 for (final X509Certificate c : chain) 128 { 129 c.checkValidity(currentDate); 130 } 131 } 132 } 133 134 135 136 /** 137 * Checks to determine whether the provided server certificate chain should be 138 * trusted. A certificate will only be rejected (by throwing a 139 * {@link CertificateException}) if certificate validity dates should be 140 * examined and the certificate or any of its issuers is outside of the 141 * validity window. 142 * 143 * @param chain The server certificate chain for which to make the 144 * determination. 145 * @param authType The key exchange algorithm used. 146 * 147 * @throws CertificateException If the provided server certificate chain 148 * should not be trusted. 149 */ 150 public void checkServerTrusted(final X509Certificate[] chain, 151 final String authType) 152 throws CertificateException 153 { 154 if (examineValidityDates) 155 { 156 final Date currentDate = new Date(); 157 158 for (final X509Certificate c : chain) 159 { 160 c.checkValidity(currentDate); 161 } 162 } 163 } 164 165 166 167 /** 168 * Retrieves the accepted issuer certificates for this trust manager. This 169 * will always return an empty array. 170 * 171 * @return The accepted issuer certificates for this trust manager. 172 */ 173 public X509Certificate[] getAcceptedIssuers() 174 { 175 return new X509Certificate[0]; 176 } 177}