001/* 002 * Copyright 2012-2020 Ping Identity Corporation 003 * All Rights Reserved. 004 */ 005/* 006 * Copyright 2012-2020 Ping Identity Corporation 007 * 008 * Licensed under the Apache License, Version 2.0 (the "License"); 009 * you may not use this file except in compliance with the License. 010 * You may obtain a copy of the License at 011 * 012 * http://www.apache.org/licenses/LICENSE-2.0 013 * 014 * Unless required by applicable law or agreed to in writing, software 015 * distributed under the License is distributed on an "AS IS" BASIS, 016 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 017 * See the License for the specific language governing permissions and 018 * limitations under the License. 019 */ 020/* 021 * Copyright (C) 2012-2020 Ping Identity Corporation 022 * 023 * This program is free software; you can redistribute it and/or modify 024 * it under the terms of the GNU General Public License (GPLv2 only) 025 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only) 026 * as published by the Free Software Foundation. 027 * 028 * This program is distributed in the hope that it will be useful, 029 * but WITHOUT ANY WARRANTY; without even the implied warranty of 030 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 031 * GNU General Public License for more details. 032 * 033 * You should have received a copy of the GNU General Public License 034 * along with this program; if not, see <http://www.gnu.org/licenses>. 035 */ 036package com.unboundid.util.ssl; 037 038 039 040import java.security.cert.CertificateException; 041import java.security.cert.X509Certificate; 042import java.util.Date; 043import javax.net.ssl.X509TrustManager; 044import javax.security.auth.x500.X500Principal; 045 046import com.unboundid.util.NotMutable; 047import com.unboundid.util.ThreadSafety; 048import com.unboundid.util.ThreadSafetyLevel; 049 050import static com.unboundid.util.ssl.SSLMessages.*; 051 052 053 054/** 055 * This class provides an SSL trust manager that merely checks to see whether 056 * a presented certificate is currently within its validity time window (i.e., 057 * the current time is not earlier than the certificate's notBefore timestamp 058 * and not later than the certificate's notAfter timestamp). 059 * <BR><BR> 060 * Note that no other elements of the certificate are examined, so it is 061 * strongly recommended that this trust manager be used in an 062 * {@link AggregateTrustManager} in conjunction with other trust managers that 063 * perform other forms of validation. 064 */ 065@NotMutable() 066@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE) 067public final class ValidityDateTrustManager 068 implements X509TrustManager 069{ 070 /** 071 * A pre-allocated empty certificate array. 072 */ 073 private static final X509Certificate[] NO_CERTIFICATES = 074 new X509Certificate[0]; 075 076 077 078 /** 079 * Creates a new validity date trust manager. 080 */ 081 public ValidityDateTrustManager() 082 { 083 // No implementation is required. 084 } 085 086 087 088 /** 089 * Checks to determine whether the provided client certificate chain should be 090 * trusted. 091 * 092 * @param chain The client certificate chain for which to make the 093 * determination. 094 * @param authType The authentication type based on the client certificate. 095 * 096 * @throws CertificateException If the provided client certificate chain 097 * should not be trusted. 098 */ 099 @Override() 100 public void checkClientTrusted(final X509Certificate[] chain, 101 final String authType) 102 throws CertificateException 103 { 104 checkCertificateValidity(chain[0]); 105 } 106 107 108 109 /** 110 * Checks to determine whether the provided server certificate chain should be 111 * trusted. 112 * 113 * @param chain The server certificate chain for which to make the 114 * determination. 115 * @param authType The key exchange algorithm used. 116 * 117 * @throws CertificateException If the provided server certificate chain 118 * should not be trusted. 119 */ 120 @Override() 121 public void checkServerTrusted(final X509Certificate[] chain, 122 final String authType) 123 throws CertificateException 124 { 125 checkCertificateValidity(chain[0]); 126 } 127 128 129 130 /** 131 * Checks the provided certificate to determine whether the current time is 132 * within the certificate's validity window. 133 * 134 * @param c The certificate to be checked. 135 * 136 * @throws CertificateException If the presented certificate is outside the 137 * validity window. 138 */ 139 private static void checkCertificateValidity(final X509Certificate c) 140 throws CertificateException 141 { 142 final Date currentTime = new Date(); 143 final Date notBefore = c.getNotBefore(); 144 final Date notAfter = c.getNotAfter(); 145 146 if (currentTime.before(notBefore)) 147 { 148 throw new CertificateException(ERR_VALIDITY_TOO_EARLY.get( 149 c.getSubjectX500Principal().getName(X500Principal.RFC2253), 150 String.valueOf(notBefore))); 151 } 152 153 if (currentTime.after(c.getNotAfter())) 154 { 155 throw new CertificateException(ERR_VALIDITY_TOO_LATE.get( 156 c.getSubjectX500Principal().getName(X500Principal.RFC2253), 157 String.valueOf(notAfter))); 158 } 159 } 160 161 162 163 /** 164 * Retrieves the accepted issuer certificates for this trust manager. This 165 * will always return an empty array. 166 * 167 * @return The accepted issuer certificates for this trust manager. 168 */ 169 @Override() 170 public X509Certificate[] getAcceptedIssuers() 171 { 172 return NO_CERTIFICATES; 173 } 174}