001/*
002 * Copyright 2012-2020 Ping Identity Corporation
003 * All Rights Reserved.
004 */
005/*
006 * Copyright 2012-2020 Ping Identity Corporation
007 *
008 * Licensed under the Apache License, Version 2.0 (the "License");
009 * you may not use this file except in compliance with the License.
010 * You may obtain a copy of the License at
011 *
012 *    http://www.apache.org/licenses/LICENSE-2.0
013 *
014 * Unless required by applicable law or agreed to in writing, software
015 * distributed under the License is distributed on an "AS IS" BASIS,
016 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
017 * See the License for the specific language governing permissions and
018 * limitations under the License.
019 */
020/*
021 * Copyright (C) 2012-2020 Ping Identity Corporation
022 *
023 * This program is free software; you can redistribute it and/or modify
024 * it under the terms of the GNU General Public License (GPLv2 only)
025 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
026 * as published by the Free Software Foundation.
027 *
028 * This program is distributed in the hope that it will be useful,
029 * but WITHOUT ANY WARRANTY; without even the implied warranty of
030 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
031 * GNU General Public License for more details.
032 *
033 * You should have received a copy of the GNU General Public License
034 * along with this program; if not, see <http://www.gnu.org/licenses>.
035 */
036package com.unboundid.util.ssl;
037
038
039
040import java.security.cert.CertificateException;
041import java.security.cert.X509Certificate;
042import java.util.ArrayList;
043import java.util.Collection;
044import java.util.Collections;
045import java.util.List;
046import javax.net.ssl.X509TrustManager;
047
048import com.unboundid.util.Debug;
049import com.unboundid.util.NotMutable;
050import com.unboundid.util.StaticUtils;
051import com.unboundid.util.ThreadSafety;
052import com.unboundid.util.ThreadSafetyLevel;
053import com.unboundid.util.Validator;
054
055import static com.unboundid.util.ssl.SSLMessages.*;
056
057
058
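/**
 * This class provides an SSL trust manager that has the ability to delegate the
 * determination about whether to trust a given certificate to one or more other
 * trust managers.  It can be configured to use a logical AND (i.e., all
 * associated trust managers must be satisfied) or a logical OR (i.e., at least
 * one of the associated trust managers must be satisfied).
 * <BR><BR>
 * In both modes the aggregate fails closed:  a {@code CertificateException}
 * from any delegate (AND mode) or from every delegate (OR mode) causes the
 * chain to be rejected, and any other exception thrown by a delegate (for
 * example, a {@code RuntimeException}) is propagated immediately rather than
 * being treated as either an acceptance or a rejection.
 */
@NotMutable()
@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
public final class AggregateTrustManager
       implements X509TrustManager
{
  /**
   * A pre-allocated empty certificate array.
   */
  private static final X509Certificate[] NO_CERTIFICATES =
       new X509Certificate[0];



  // Indicates whether to require all of the associated trust managers to accept
  // a presented certificate, or just to require at least one of them to accept
  // the certificate.
  private final boolean requireAllAccepted;

  // The trust managers that will be used to ultimately make the determination.
  // This is an unmodifiable snapshot of the collection given to the constructor
  // and contains no null elements.
  private final List<X509TrustManager> trustManagers;



  /**
   * Creates a new aggregate trust manager with the provided information.
   *
   * @param  requireAllAccepted  Indicates whether all of the associated trust
   *                             managers must accept a presented certificate
   *                             for it to be allowed, or just at least one of
   *                             them.
   * @param  trustManagers       The set of trust managers to use to make the
   *                             determination.  It must not be {@code null} or
   *                             empty, and must not contain {@code null}
   *                             elements.
   */
  public AggregateTrustManager(final boolean requireAllAccepted,
                               final X509TrustManager ... trustManagers)
  {
    this(requireAllAccepted, StaticUtils.toList(trustManagers));
  }



  /**
   * Creates a new aggregate trust manager with the provided information.
   *
   * @param  requireAllAccepted  Indicates whether all of the associated trust
   *                             managers must accept a presented certificate
   *                             for it to be allowed, or just at least one of
   *                             them.
   * @param  trustManagers       The set of trust managers to use to make the
   *                             determination.  It must not be {@code null} or
   *                             empty, and must not contain {@code null}
   *                             elements.
   */
  public AggregateTrustManager(final boolean requireAllAccepted,
              final Collection<X509TrustManager > trustManagers)
  {
    Validator.ensureNotNull(trustManagers);
    Validator.ensureFalse(trustManagers.isEmpty(),
         "The set of associated trust managers must not be empty.");

    // Reject null elements up front so that a misconfiguration fails at
    // construction time rather than as a NullPointerException in the middle of
    // a TLS handshake.
    final ArrayList<X509TrustManager> managerList =
         new ArrayList<>(trustManagers.size());
    for (final X509TrustManager m : trustManagers)
    {
      Validator.ensureNotNull(m);
      managerList.add(m);
    }

    this.requireAllAccepted = requireAllAccepted;
    this.trustManagers = Collections.unmodifiableList(managerList);
  }



  /**
   * Indicates whether all of the associated trust managers will be required to
   * accept a given certificate for it to be considered acceptable.
   *
   * @return  {@code true} if all of the associated trust managers will be
   *          required to accept the provided certificate chain, or
   *          {@code false} if it will be acceptable for at least one trust
   *          manager to accept the chain even if one or more others do not.
   */
  public boolean requireAllAccepted()
  {
    return requireAllAccepted;
  }



  /**
   * Retrieves the set of trust managers that will be used to perform the
   * validation.
   *
   * @return  The set of trust managers that will be used to perform the
   *          validation.  The returned list is unmodifiable.
   */
  public List<X509TrustManager> getAssociatedTrustManagers()
  {
    return trustManagers;
  }



  /**
   * Checks to determine whether the provided client certificate chain should be
   * trusted.
   *
   * @param  chain     The client certificate chain for which to make the
   *                   determination.
   * @param  authType  The authentication type based on the client certificate.
   *
   * @throws  CertificateException  If the provided client certificate chain
   *                                should not be trusted.
   */
  @Override()
  public void checkClientTrusted(final X509Certificate[] chain,
                                 final String authType)
         throws CertificateException
  {
    checkTrusted(chain, authType, false);
  }



  /**
   * Checks to determine whether the provided server certificate chain should be
   * trusted.
   *
   * @param  chain     The server certificate chain for which to make the
   *                   determination.
   * @param  authType  The key exchange algorithm used.
   *
   * @throws  CertificateException  If the provided server certificate chain
   *                                should not be trusted.
   */
  @Override()
  public void checkServerTrusted(final X509Certificate[] chain,
                                 final String authType)
         throws CertificateException
  {
    checkTrusted(chain, authType, true);
  }



  /**
   * Performs the trust determination on behalf of both
   * {@link #checkClientTrusted} and {@link #checkServerTrusted}, which differ
   * only in which method of the delegate trust managers is invoked.
   *
   * @param  chain     The certificate chain for which to make the
   *                   determination.
   * @param  authType  The authentication type or key exchange algorithm.  It is
   *                   passed to the delegates unchanged.
   * @param  server    {@code true} to invoke {@code checkServerTrusted} on
   *                   each delegate, or {@code false} to invoke
   *                   {@code checkClientTrusted}.
   *
   * @throws  CertificateException  If the chain is rejected:  by any delegate
   *                                when all must accept it, or by every
   *                                delegate when at least one must accept it.
   */
  private void checkTrusted(final X509Certificate[] chain,
                            final String authType, final boolean server)
          throws CertificateException
  {
    // Only populated in "at least one" mode, and only once a delegate has
    // rejected the chain.
    ArrayList<String> exceptionMessages = null;

    for (final X509TrustManager m : trustManagers)
    {
      try
      {
        if (server)
        {
          m.checkServerTrusted(chain, authType);
        }
        else
        {
          m.checkClientTrusted(chain, authType);
        }

        // In "at least one" mode, the first acceptance settles the question.
        if (! requireAllAccepted)
        {
          return;
        }
      }
      catch (final CertificateException ce)
      {
        Debug.debugException(ce);

        // In "all must accept" mode, the first rejection settles the question.
        if (requireAllAccepted)
        {
          throw ce;
        }

        if (exceptionMessages == null)
        {
          exceptionMessages = new ArrayList<>(trustManagers.size());
        }

        exceptionMessages.add(ce.getMessage());
      }
      // Any other exception type thrown by a delegate is deliberately not
      // caught:  it propagates to the caller, so the chain is not accepted.
    }

    // In "all must accept" mode, reaching this point means that every delegate
    // accepted the chain.  In "at least one" mode, it means that every delegate
    // rejected it, and the list holds at least one message.
    if (exceptionMessages != null)
    {
      if (exceptionMessages.size() == 1)
      {
        throw new CertificateException(exceptionMessages.get(0));
      }

      // The X509TrustManager contract requires a non-empty chain, which is why
      // chain[0] is used here to identify the rejected certificate.
      throw new CertificateException(
           ERR_AGGREGATE_TRUST_MANAGER_NONE_TRUSTED.get(
                SSLUtil.certificateToString(chain[0]),
                StaticUtils.concatenateStrings(exceptionMessages)));
    }
  }



  /**
   * Retrieves the accepted issuer certificates for this trust manager.  This
   * will always return an empty array; the accepted issuers of the associated
   * trust managers are not aggregated.
   *
   * @return  The accepted issuer certificates for this trust manager.
   */
  @Override()
  public X509Certificate[] getAcceptedIssuers()
  {
    return NO_CERTIFICATES;
  }
}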