001 /*
002 * Copyright 2008-2014 UnboundID Corp.
003 * All Rights Reserved.
004 */
005 /*
006 * Copyright (C) 2008-2014 UnboundID Corp.
007 *
008 * This program is free software; you can redistribute it and/or modify
009 * it under the terms of the GNU General Public License (GPLv2 only)
010 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
011 * as published by the Free Software Foundation.
012 *
013 * This program is distributed in the hope that it will be useful,
014 * but WITHOUT ANY WARRANTY; without even the implied warranty of
015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
016 * GNU General Public License for more details.
017 *
018 * You should have received a copy of the GNU General Public License
019 * along with this program; if not, see <http://www.gnu.org/licenses>.
020 */
021 package com.unboundid.util.ssl;
022
023
024
025 import java.io.Serializable;
026 import java.security.cert.CertificateException;
027 import java.security.cert.X509Certificate;
028 import java.util.Date;
029 import javax.net.ssl.X509TrustManager;
030
031 import com.unboundid.util.NotMutable;
032 import com.unboundid.util.ThreadSafety;
033 import com.unboundid.util.ThreadSafetyLevel;
034
035
036
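/**
 * This class provides an SSL trust manager which will blindly trust any
 * certificate that is presented to it, although it may optionally reject
 * certificates that are expired or not yet valid.  It can be convenient for
 * testing purposes, but it is recommended that production environments use
 * trust managers that perform stronger validation.
 * <BR><BR>
 * Apart from the optional validity-window check, this trust manager performs
 * no verification of the presented chain:  it does not verify signatures and
 * does not require the chain to end in a known issuer (see
 * {@link #getAcceptedIssuers()}).  A connection established with it is
 * therefore encrypted but the identity of the peer is not authenticated.
 */
@NotMutable()
@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
public final class TrustAllTrustManager
       implements X509TrustManager, Serializable
{
  /**
   * The serial version UID for this serializable class.
   */
  private static final long serialVersionUID = -1295254056169520318L;



  // Indicates whether to reject certificates that are expired or not yet valid
  // rather than trusting them blindly.
  private final boolean examineValidityDates;



  /**
   * Creates a new instance of this trust all trust manager that will trust
   * any certificate, including certificates that are expired or not yet valid.
   */
  public TrustAllTrustManager()
  {
    examineValidityDates = false;
  }



  /**
   * Creates a new instance of this trust all trust manager that will trust
   * any certificate, potentially excluding certificates that are expired or not
   * yet valid.
   *
   * @param  examineValidityDates  Indicates whether to reject certificates if
   *                               the current time is outside the validity
   *                               window for the certificate.
   */
  public TrustAllTrustManager(final boolean examineValidityDates)
  {
    this.examineValidityDates = examineValidityDates;
  }



  /**
   * Indicates whether to reject certificates if the current time is outside the
   * validity window for the certificate.
   *
   * @return  {@code true} if the certificate validity time should be examined
   *          and certificates should be rejected if they are expired or not
   *          yet valid, or {@code false} if certificates should be accepted
   *          even outside of the validity window.
   */
  public boolean examineValidityDates()
  {
    return examineValidityDates;
  }



  /**
   * Checks to determine whether the provided client certificate chain should be
   * trusted.  A certificate will only be rejected (by throwing a
   * {@link CertificateException}) if certificate validity dates should be
   * examined and the certificate or any of its issuers is outside of the
   * validity window.  The {@code authType} argument is not consulted.
   *
   * @param  chain     The client certificate chain for which to make the
   *                   determination.
   * @param  authType  The authentication type based on the client certificate.
   *
   * @throws  CertificateException  If the provided client certificate chain
   *                                should not be trusted.
   */
  public void checkClientTrusted(final X509Certificate[] chain,
                                 final String authType)
         throws CertificateException
  {
    checkValidityDates(chain);
  }



  /**
   * Checks to determine whether the provided server certificate chain should be
   * trusted.  A certificate will only be rejected (by throwing a
   * {@link CertificateException}) if certificate validity dates should be
   * examined and the certificate or any of its issuers is outside of the
   * validity window.  The {@code authType} argument is not consulted.
   *
   * @param  chain     The server certificate chain for which to make the
   *                   determination.
   * @param  authType  The key exchange algorithm used.
   *
   * @throws  CertificateException  If the provided server certificate chain
   *                                should not be trusted.
   */
  public void checkServerTrusted(final X509Certificate[] chain,
                                 final String authType)
         throws CertificateException
  {
    checkValidityDates(chain);
  }



  /**
   * Ensures that the current time falls within the validity window of every
   * certificate in the provided chain, but only if this trust manager was
   * configured to examine validity dates.  The client and server checks apply
   * exactly the same rule, so both delegate here.
   *
   * @param  chain  The certificate chain to examine.  It is only dereferenced
   *                when validity dates are examined.
   *
   * @throws  CertificateException  If validity dates are examined and any
   *                                certificate in the chain is expired or not
   *                                yet valid.
   */
  private void checkValidityDates(final X509Certificate[] chain)
          throws CertificateException
  {
    if (! examineValidityDates)
    {
      return;
    }

    // Capture a single timestamp so that every certificate in the chain is
    // judged against the same instant.
    final Date currentDate = new Date();
    for (final X509Certificate c : chain)
    {
      // Throws a CertificateException subclass if the date is outside of the
      // certificate's notBefore/notAfter range.
      c.checkValidity(currentDate);
    }
  }



  /**
   * Retrieves the accepted issuer certificates for this trust manager.  This
   * will always return an empty array, and the trust decision made by
   * {@link #checkClientTrusted} and {@link #checkServerTrusted} does not depend
   * on it.
   *
   * @return  The accepted issuer certificates for this trust manager, which
   *          will always be an empty array.
   */
  public X509Certificate[] getAcceptedIssuers()
  {
    return new X509Certificate[0];
  }
}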