001/*
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017
018package org.apache.commons.net.util;
019
020import java.security.GeneralSecurityException;
021import java.security.KeyStore;
022import java.security.cert.CertificateException;
023import java.security.cert.X509Certificate;
024
025import javax.net.ssl.TrustManagerFactory;
026import javax.net.ssl.X509TrustManager;
027
028/**
029 * TrustManager utilities for generating TrustManagers.
030 *
031 * @since 3.0
032 */
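public final class TrustManagerUtils
{
    /**
     * A deliberately permissive {@link X509TrustManager}.
     * <p>
     * It never builds or verifies the certificate chain against a trust anchor and never
     * checks the host name, so it does not authenticate the remote peer. When validity
     * checking is enabled it only verifies that every certificate in the presented chain
     * is inside its notBefore/notAfter window.
     * <p>
     * Instances hold a single {@code final} flag and no other state, so they are immutable
     * and safe to share between threads.
     */
    private static class PermissiveTrustManager implements X509TrustManager {

        /** When {@code true}, {@link #checkServerTrusted} rejects expired or not-yet-valid certificates. */
        private final boolean checkServerValidity;

        PermissiveTrustManager(final boolean checkServerValidity) {
            this.checkServerValidity = checkServerValidity;
        }

        /**
         * Accepts any client certificate chain; never throws {@link CertificateException}.
         *
         * @param certificates the peer certificate chain (ignored)
         * @param authType the authentication type (ignored)
         */
        @Override
        public void checkClientTrusted(final X509Certificate[] certificates, final String authType)
        {
            // Intentionally empty: no client authentication is performed.
        }

        /**
         * Accepts any server certificate chain unless validity checking is enabled, in which case
         * every certificate in the chain must currently be within its validity period.
         * No chain building, signature verification or host name check is performed in either mode.
         *
         * @param certificates the peer certificate chain
         * @param authType the key exchange algorithm used (ignored)
         * @throws CertificateException if validity checking is enabled and a certificate is
         *         expired or not yet valid
         * @throws IllegalArgumentException if validity checking is enabled and the chain is
         *         {@code null} or empty, as required by the {@link X509TrustManager} contract
         */
        @Override
        public void checkServerTrusted(final X509Certificate[] certificates, final String authType)
            throws CertificateException
        {
            if (!checkServerValidity) {
                return;
            }
            // Without this guard a null chain would NPE in the loop and an empty chain would
            // be silently accepted, which is not what a "validating" manager should do.
            if (certificates == null || certificates.length == 0) {
                throw new IllegalArgumentException("Certificate chain must not be null or empty");
            }
            for (final X509Certificate certificate : certificates) {
                // Throws CertificateExpiredException / CertificateNotYetValidException.
                certificate.checkValidity();
            }
        }

        /**
         * @return an empty array: this manager advertises no trusted issuers
         */
        @Override
        public X509Certificate[] getAcceptedIssuers()
        {
            return NetConstants.EMPTY_X509_CERTIFICATE_ARRAY;
        }
    }

    /** Shared manager that performs no checks at all (see {@link #getAcceptAllTrustManager()}). */
    private static final X509TrustManager ACCEPT_ALL = new PermissiveTrustManager(false);

    /** Shared manager that only checks certificate validity dates (see {@link #getValidateServerCertificateTrustManager()}). */
    private static final X509TrustManager CHECK_SERVER_VALIDITY = new PermissiveTrustManager(true);

    /**
     * Generate a TrustManager that performs no checks.
     * <p>
     * <b>Warning:</b> the returned manager trusts every certificate presented by any peer,
     * so it provides no authentication and no protection against man-in-the-middle attacks.
     * Use it only for testing or where the caller has explicitly accepted that risk.
     *
     * @return the TrustManager (a shared, immutable instance)
     */
    public static X509TrustManager getAcceptAllTrustManager(){
        return ACCEPT_ALL;
    }

    /**
     * Generate a TrustManager that checks server certificates for validity,
     * but otherwise performs no checks.
     * <p>
     * <b>Warning:</b> "validity" here means only that each certificate in the chain is within
     * its notBefore/notAfter dates. The chain is not verified against any trust anchor and the
     * host name is not checked, so the peer is still not authenticated and a man-in-the-middle
     * presenting any unexpired certificate is accepted.
     *
     * @return the validating TrustManager (a shared, immutable instance)
     */
    public static X509TrustManager getValidateServerCertificateTrustManager(){
        return CHECK_SERVER_VALIDITY;
    }

    /**
     * Return the default TrustManager provided by the JVM.
     * <p>
     * This should be the same as the default used by
     *  {@link javax.net.ssl.SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], java.security.SecureRandom)
     * SSLContext#init(KeyManager[], TrustManager[], SecureRandom)}
     * when the TrustManager parameter is set to {@code null}.
     * This is the manager to use when the peer must actually be authenticated.
     *
     * @param keyStore the KeyStore to use, may be {@code null} (the factory then falls back to
     *        its default trust material, typically the JVM's cacerts store)
     * @return the default TrustManager
     * @throws GeneralSecurityException if an error occurs, or if the default factory yields no
     *         {@link X509TrustManager}
     */
    public static X509TrustManager getDefaultTrustManager(final KeyStore keyStore) throws GeneralSecurityException {
        final String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        final TrustManagerFactory factory = TrustManagerFactory.getInstance(defaultAlgorithm);
        factory.init(keyStore);
        // The factory may return several managers; select the first X.509 one instead of
        // blindly casting element 0, which could throw ClassCastException or
        // ArrayIndexOutOfBoundsException on an unusual provider.
        for (final javax.net.ssl.TrustManager trustManager : factory.getTrustManagers()) {
            if (trustManager instanceof X509TrustManager) {
                return (X509TrustManager) trustManager;
            }
        }
        throw new GeneralSecurityException(
                "No X509TrustManager available for TrustManagerFactory algorithm " + defaultAlgorithm);
    }

}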