001/*
002 * Copyright 2008-2020 Ping Identity Corporation
003 * All Rights Reserved.
004 */
005/*
006 * Copyright 2008-2020 Ping Identity Corporation
007 *
008 * Licensed under the Apache License, Version 2.0 (the "License");
009 * you may not use this file except in compliance with the License.
010 * You may obtain a copy of the License at
011 *
012 *    http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing, software
015 * distributed under the License is distributed on an "AS IS" BASIS,
016 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
017 * See the License for the specific language governing permissions and
018 * limitations under the License.
019 */
020/*
021 * Copyright (C) 2008-2020 Ping Identity Corporation
022 *
023 * This program is free software; you can redistribute it and/or modify
024 * it under the terms of the GNU General Public License (GPLv2 only)
025 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
026 * as published by the Free Software Foundation.
027 *
028 * This program is distributed in the hope that it will be useful,
029 * but WITHOUT ANY WARRANTY; without even the implied warranty of
030 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
031 * GNU General Public License for more details.
032 *
033 * You should have received a copy of the GNU General Public License
034 * along with this program; if not, see <http://www.gnu.org/licenses>.
035 */
036package com.unboundid.util.ssl;
037
038
039
040import java.io.Serializable;
041import java.security.cert.CertificateException;
042import java.security.cert.X509Certificate;
043import java.util.Date;
044import javax.net.ssl.X509TrustManager;
045
046import com.unboundid.util.NotMutable;
047import com.unboundid.util.ThreadSafety;
048import com.unboundid.util.ThreadSafetyLevel;
049
050
051
052/**
053 * This class provides an SSL trust manager which will blindly trust any
054 * certificate that is presented to it, although it may optionally reject
055 * certificates that are expired or not yet valid.  It can be convenient for
056 * testing purposes, but it is recommended that production environments use
057 * trust managers that perform stronger validation.
058 */
059@NotMutable()
060@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
061public final class TrustAllTrustManager
062       implements X509TrustManager, Serializable
063{
064  /**
065   * A pre-allocated empty certificate array.
066   */
067  private static final X509Certificate[] NO_CERTIFICATES =
068       new X509Certificate[0];
069
070
071
072  /**
073   * The serial version UID for this serializable class.
074   */
075  private static final long serialVersionUID = -1295254056169520318L;
076
077
078
079  // Indicates whether to automatically trust expired or not-yet-valid
080  // certificates.
081  private final boolean examineValidityDates;
082
083
084
085  /**
086   * Creates a new instance of this trust all trust manager that will trust
087   * any certificate, including certificates that are expired or not yet valid.
088   */
089  public TrustAllTrustManager()
090  {
091    examineValidityDates = false;
092  }
093
094
095
096  /**
097   * Creates a new instance of this trust all trust manager that will trust
098   * any certificate, potentially excluding certificates that are expired or not
099   * yet valid.
100   *
101   * @param  examineValidityDates  Indicates whether to reject certificates if
102   *                               the current time is outside the validity
103   *                               window for the certificate.
104   */
105  public TrustAllTrustManager(final boolean examineValidityDates)
106  {
107    this.examineValidityDates = examineValidityDates;
108  }
109
110
111
112  /**
113   * Indicate whether to reject certificates if the current time is outside the
114   * validity window for the certificate.
115   *
116   * @return  {@code true} if the certificate validity time should be examined
117   *          and certificates should be rejected if they are expired or not
118   *          yet valid, or {@code false} if certificates should be accepted
119   *          even outside of the validity window.
120   */
121  public boolean examineValidityDates()
122  {
123    return examineValidityDates;
124  }
125
126
127
128  /**
129   * Checks to determine whether the provided client certificate chain should be
130   * trusted.  A certificate will only be rejected (by throwing a
131   * {@link CertificateException}) if certificate validity dates should be
132   * examined and the certificate or any of its issuers is outside of the
133   * validity window.
134   *
135   * @param  chain     The client certificate chain for which to make the
136   *                   determination.
137   * @param  authType  The authentication type based on the client certificate.
138   *
139   * @throws  CertificateException  If the provided client certificate chain
140   *                                should not be trusted.
141   */
142  @Override()
143  public void checkClientTrusted(final X509Certificate[] chain,
144                                 final String authType)
145         throws CertificateException
146  {
147    if (examineValidityDates)
148    {
149      final Date currentDate = new Date();
150
151      for (final X509Certificate c : chain)
152      {
153        c.checkValidity(currentDate);
154      }
155    }
156  }
157
158
159
160  /**
161   * Checks to determine whether the provided server certificate chain should be
162   * trusted.  A certificate will only be rejected (by throwing a
163   * {@link CertificateException}) if certificate validity dates should be
164   * examined and the certificate or any of its issuers is outside of the
165   * validity window.
166   *
167   * @param  chain     The server certificate chain for which to make the
168   *                   determination.
169   * @param  authType  The key exchange algorithm used.
170   *
171   * @throws  CertificateException  If the provided server certificate chain
172   *                                should not be trusted.
173   */
174  @Override()
175  public void checkServerTrusted(final X509Certificate[] chain,
176                                 final String authType)
177         throws CertificateException
178  {
179    if (examineValidityDates)
180    {
181      final Date currentDate = new Date();
182
183      for (final X509Certificate c : chain)
184      {
185        c.checkValidity(currentDate);
186      }
187    }
188  }
189
190
191
192  /**
193   * Retrieves the accepted issuer certificates for this trust manager.  This
194   * will always return an empty array.
195   *
196   * @return  The accepted issuer certificates for this trust manager.
197   */
198  @Override()
199  public X509Certificate[] getAcceptedIssuers()
200  {
201    return NO_CERTIFICATES;
202  }
203}