001/* 002 * Copyright 2012-2020 Ping Identity Corporation 003 * All Rights Reserved. 004 */ 005/* 006 * Copyright 2012-2020 Ping Identity Corporation 007 * 008 * Licensed under the Apache License, Version 2.0 (the "License"); 009 * you may not use this file except in compliance with the License. 010 * You may obtain a copy of the License at 011 * 012 * http://www.apache.org/licenses/LICENSE-2.0 013 * 014 * Unless required by applicable law or agreed to in writing, software 015 * distributed under the License is distributed on an "AS IS" BASIS, 016 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 017 * See the License for the specific language governing permissions and 018 * limitations under the License. 019 */ 020/* 021 * Copyright (C) 2012-2020 Ping Identity Corporation 022 * 023 * This program is free software; you can redistribute it and/or modify 024 * it under the terms of the GNU General Public License (GPLv2 only) 025 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only) 026 * as published by the Free Software Foundation. 027 * 028 * This program is distributed in the hope that it will be useful, 029 * but WITHOUT ANY WARRANTY; without even the implied warranty of 030 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 031 * GNU General Public License for more details. 032 * 033 * You should have received a copy of the GNU General Public License 034 * along with this program; if not, see <http://www.gnu.org/licenses>. 035 */ 036package com.unboundid.util.ssl; 037 038 039 040import java.security.cert.CertificateException; 041import java.security.cert.X509Certificate; 042import java.util.ArrayList; 043import java.util.Collection; 044import java.util.Collections; 045import java.util.List; 046import javax.net.ssl.X509TrustManager; 047 048import com.unboundid.util.Debug; 049import com.unboundid.util.NotMutable; 050import com.unboundid.util.StaticUtils; 051import com.unboundid.util.ThreadSafety; 052import com.unboundid.util.ThreadSafetyLevel; 053import com.unboundid.util.Validator; 054 055import static com.unboundid.util.ssl.SSLMessages.*; 056 057 058 059/** 060 * This class provides an SSL trust manager that has the ability to delegate the 061 * determination about whether to trust a given certificate to one or more other 062 * trust managers. It can be configured to use a logical AND (i.e., all 063 * associated trust managers must be satisfied) or a logical OR (i.e., at least 064 * one of the associated trust managers must be satisfied). 065 */ 066@NotMutable() 067@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE) 068public final class AggregateTrustManager 069 implements X509TrustManager 070{ 071 /** 072 * A pre-allocated empty certificate array. 073 */ 074 private static final X509Certificate[] NO_CERTIFICATES = 075 new X509Certificate[0]; 076 077 078 079 // Indicates whether to require all of the associated trust managers to accept 080 // a presented certificate, or just to require at least one of them to accept 081 // the certificate. 082 private final boolean requireAllAccepted; 083 084 // The trust managers that will be used to ultimately make the determination. 085 private final List<X509TrustManager> trustManagers; 086 087 088 089 /** 090 * Creates a new aggregate trust manager with the provided information. 091 * 092 * @param requireAllAccepted Indicates whether all of the associated trust 093 * managers must accept a presented certificate 094 * for it to be allowed, or just at least one of 095 * them. 096 * @param trustManagers The set of trust managers to use to make the 097 * determination. It must not be {@code null} or 098 * empty. 099 */ 100 public AggregateTrustManager(final boolean requireAllAccepted, 101 final X509TrustManager ... trustManagers) 102 { 103 this(requireAllAccepted, StaticUtils.toList(trustManagers)); 104 } 105 106 107 108 /** 109 * Creates a new aggregate trust manager with the provided information. 110 * 111 * @param requireAllAccepted Indicates whether all of the associated trust 112 * managers must accept a presented certificate 113 * for it to be allowed, or just at least one of 114 * them. 115 * @param trustManagers The set of trust managers to use to make the 116 * determination. It must not be {@code null} or 117 * empty. 118 */ 119 public AggregateTrustManager(final boolean requireAllAccepted, 120 final Collection<X509TrustManager > trustManagers) 121 { 122 Validator.ensureNotNull(trustManagers); 123 Validator.ensureFalse(trustManagers.isEmpty(), 124 "The set of associated trust managers must not be empty."); 125 126 this.requireAllAccepted = requireAllAccepted; 127 this.trustManagers = 128 Collections.unmodifiableList(new ArrayList<>(trustManagers)); 129 } 130 131 132 133 /** 134 * Indicates whether all of the associated trust managers will be required to 135 * accept a given certificate for it to be considered acceptable. 136 * 137 * @return {@code true} if all of the associated trust managers will be 138 * required to accept the provided certificate chain, or 139 * {@code false} if it will be acceptable for at least one trust 140 * manager to accept the chain even if one or more others do not. 141 */ 142 public boolean requireAllAccepted() 143 { 144 return requireAllAccepted; 145 } 146 147 148 149 /** 150 * Retrieves the set of trust managers that will be used to perform the 151 * validation. 152 * 153 * @return The set of trust managers that will be used to perform the 154 * validation. 155 */ 156 public List<X509TrustManager> getAssociatedTrustManagers() 157 { 158 return trustManagers; 159 } 160 161 162 163 /** 164 * Checks to determine whether the provided client certificate chain should be 165 * trusted. 166 * 167 * @param chain The client certificate chain for which to make the 168 * determination. 169 * @param authType The authentication type based on the client certificate. 170 * 171 * @throws CertificateException If the provided client certificate chain 172 * should not be trusted. 173 */ 174 @Override() 175 public void checkClientTrusted(final X509Certificate[] chain, 176 final String authType) 177 throws CertificateException 178 { 179 ArrayList<String> exceptionMessages = null; 180 181 for (final X509TrustManager m : trustManagers) 182 { 183 try 184 { 185 m.checkClientTrusted(chain, authType); 186 187 if (! requireAllAccepted) 188 { 189 return; 190 } 191 } 192 catch (final CertificateException ce) 193 { 194 Debug.debugException(ce); 195 196 if (requireAllAccepted) 197 { 198 throw ce; 199 } 200 else 201 { 202 if (exceptionMessages == null) 203 { 204 exceptionMessages = new ArrayList<>(trustManagers.size()); 205 } 206 207 exceptionMessages.add(ce.getMessage()); 208 } 209 } 210 } 211 212 // If we've gotten here and there are one or more exception messages, then 213 // it means that none of the associated trust managers accepted the 214 // certificate. 215 if ((exceptionMessages != null) && (! exceptionMessages.isEmpty())) 216 { 217 if (exceptionMessages.size() == 1) 218 { 219 throw new CertificateException(exceptionMessages.get(0)); 220 } 221 else 222 { 223 throw new CertificateException( 224 ERR_AGGREGATE_TRUST_MANAGER_NONE_TRUSTED.get( 225 SSLUtil.certificateToString(chain[0]), 226 StaticUtils.concatenateStrings(exceptionMessages))); 227 } 228 } 229 } 230 231 232 233 /** 234 * Checks to determine whether the provided server certificate chain should be 235 * trusted. 236 * 237 * @param chain The server certificate chain for which to make the 238 * determination. 239 * @param authType The key exchange algorithm used. 240 * 241 * @throws CertificateException If the provided server certificate chain 242 * should not be trusted. 243 */ 244 @Override() 245 public void checkServerTrusted(final X509Certificate[] chain, 246 final String authType) 247 throws CertificateException 248 { 249 ArrayList<String> exceptionMessages = null; 250 251 for (final X509TrustManager m : trustManagers) 252 { 253 try 254 { 255 m.checkServerTrusted(chain, authType); 256 257 if (! requireAllAccepted) 258 { 259 return; 260 } 261 } 262 catch (final CertificateException ce) 263 { 264 Debug.debugException(ce); 265 266 if (requireAllAccepted) 267 { 268 throw ce; 269 } 270 else 271 { 272 if (exceptionMessages == null) 273 { 274 exceptionMessages = new ArrayList<>(trustManagers.size()); 275 } 276 277 exceptionMessages.add(ce.getMessage()); 278 } 279 } 280 } 281 282 // If we've gotten here and there are one or more exception messages, then 283 // it means that none of the associated trust managers accepted the 284 // certificate. 285 if ((exceptionMessages != null) && (! exceptionMessages.isEmpty())) 286 { 287 if (exceptionMessages.size() == 1) 288 { 289 throw new CertificateException(exceptionMessages.get(0)); 290 } 291 else 292 { 293 throw new CertificateException( 294 ERR_AGGREGATE_TRUST_MANAGER_NONE_TRUSTED.get( 295 SSLUtil.certificateToString(chain[0]), 296 StaticUtils.concatenateStrings(exceptionMessages))); 297 } 298 } 299 } 300 301 302 303 /** 304 * Retrieves the accepted issuer certificates for this trust manager. This 305 * will always return an empty array. 306 * 307 * @return The accepted issuer certificates for this trust manager. 308 */ 309 @Override() 310 public X509Certificate[] getAcceptedIssuers() 311 { 312 return NO_CERTIFICATES; 313 } 314}