001/*
002 * Copyright 2008-2018 Ping Identity Corporation
003 * All Rights Reserved.
004 */
005/*
006 * Copyright (C) 2008-2018 Ping Identity Corporation
007 *
008 * This program is free software; you can redistribute it and/or modify
009 * it under the terms of the GNU General Public License (GPLv2 only)
010 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
011 * as published by the Free Software Foundation.
012 *
013 * This program is distributed in the hope that it will be useful,
014 * but WITHOUT ANY WARRANTY; without even the implied warranty of
015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
016 * GNU General Public License for more details.
017 *
018 * You should have received a copy of the GNU General Public License
019 * along with this program; if not, see <http://www.gnu.org/licenses>.
020 */
021package com.unboundid.util.ssl;
022
023
024
025import java.io.Serializable;
026import java.security.cert.CertificateException;
027import java.security.cert.X509Certificate;
028import java.util.Date;
029import javax.net.ssl.X509TrustManager;
030
031import com.unboundid.util.NotMutable;
032import com.unboundid.util.ThreadSafety;
033import com.unboundid.util.ThreadSafetyLevel;
034
035
036
037/**
038 * This class provides an SSL trust manager which will blindly trust any
039 * certificate that is presented to it, although it may optionally reject
040 * certificates that are expired or not yet valid.  It can be convenient for
041 * testing purposes, but it is recommended that production environments use
042 * trust managers that perform stronger validation.
043 */
044@NotMutable()
045@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
046public final class TrustAllTrustManager
047       implements X509TrustManager, Serializable
048{
049  /**
050   * A pre-allocated empty certificate array.
051   */
052  private static final X509Certificate[] NO_CERTIFICATES =
053       new X509Certificate[0];
054
055
056
057  /**
058   * The serial version UID for this serializable class.
059   */
060  private static final long serialVersionUID = -1295254056169520318L;
061
062
063
064  // Indicates whether to automatically trust expired or not-yet-valid
065  // certificates.
066  private final boolean examineValidityDates;
067
068
069
070  /**
071   * Creates a new instance of this trust all trust manager that will trust
072   * any certificate, including certificates that are expired or not yet valid.
073   */
074  public TrustAllTrustManager()
075  {
076    examineValidityDates = false;
077  }
078
079
080
081  /**
082   * Creates a new instance of this trust all trust manager that will trust
083   * any certificate, potentially excluding certificates that are expired or not
084   * yet valid.
085   *
086   * @param  examineValidityDates  Indicates whether to reject certificates if
087   *                               the current time is outside the validity
088   *                               window for the certificate.
089   */
090  public TrustAllTrustManager(final boolean examineValidityDates)
091  {
092    this.examineValidityDates = examineValidityDates;
093  }
094
095
096
097  /**
098   * Indicate whether to reject certificates if the current time is outside the
099   * validity window for the certificate.
100   *
101   * @return  {@code true} if the certificate validity time should be examined
102   *          and certificates should be rejected if they are expired or not
103   *          yet valid, or {@code false} if certificates should be accepted
104   *          even outside of the validity window.
105   */
106  public boolean examineValidityDates()
107  {
108    return examineValidityDates;
109  }
110
111
112
113  /**
114   * Checks to determine whether the provided client certificate chain should be
115   * trusted.  A certificate will only be rejected (by throwing a
116   * {@link CertificateException}) if certificate validity dates should be
117   * examined and the certificate or any of its issuers is outside of the
118   * validity window.
119   *
120   * @param  chain     The client certificate chain for which to make the
121   *                   determination.
122   * @param  authType  The authentication type based on the client certificate.
123   *
124   * @throws  CertificateException  If the provided client certificate chain
125   *                                should not be trusted.
126   */
127  @Override()
128  public void checkClientTrusted(final X509Certificate[] chain,
129                                 final String authType)
130         throws CertificateException
131  {
132    if (examineValidityDates)
133    {
134      final Date currentDate = new Date();
135
136      for (final X509Certificate c : chain)
137      {
138        c.checkValidity(currentDate);
139      }
140    }
141  }
142
143
144
145  /**
146   * Checks to determine whether the provided server certificate chain should be
147   * trusted.  A certificate will only be rejected (by throwing a
148   * {@link CertificateException}) if certificate validity dates should be
149   * examined and the certificate or any of its issuers is outside of the
150   * validity window.
151   *
152   * @param  chain     The server certificate chain for which to make the
153   *                   determination.
154   * @param  authType  The key exchange algorithm used.
155   *
156   * @throws  CertificateException  If the provided server certificate chain
157   *                                should not be trusted.
158   */
159  @Override()
160  public void checkServerTrusted(final X509Certificate[] chain,
161                                 final String authType)
162         throws CertificateException
163  {
164    if (examineValidityDates)
165    {
166      final Date currentDate = new Date();
167
168      for (final X509Certificate c : chain)
169      {
170        c.checkValidity(currentDate);
171      }
172    }
173  }
174
175
176
177  /**
178   * Retrieves the accepted issuer certificates for this trust manager.  This
179   * will always return an empty array.
180   *
181   * @return  The accepted issuer certificates for this trust manager.
182   */
183  @Override()
184  public X509Certificate[] getAcceptedIssuers()
185  {
186    return NO_CERTIFICATES;
187  }
188}