001/* 002 * Copyright 2012-2018 Ping Identity Corporation 003 * All Rights Reserved. 004 */ 005/* 006 * Copyright (C) 2012-2018 Ping Identity Corporation 007 * 008 * This program is free software; you can redistribute it and/or modify 009 * it under the terms of the GNU General Public License (GPLv2 only) 010 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only) 011 * as published by the Free Software Foundation. 012 * 013 * This program is distributed in the hope that it will be useful, 014 * but WITHOUT ANY WARRANTY; without even the implied warranty of 015 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 016 * GNU General Public License for more details. 017 * 018 * You should have received a copy of the GNU General Public License 019 * along with this program; if not, see <http://www.gnu.org/licenses>. 020 */ 021package com.unboundid.util.ssl; 022 023 024 025import java.security.cert.CertificateException; 026import java.security.cert.X509Certificate; 027import java.util.Date; 028import javax.net.ssl.X509TrustManager; 029import javax.security.auth.x500.X500Principal; 030 031import com.unboundid.util.NotMutable; 032import com.unboundid.util.ThreadSafety; 033import com.unboundid.util.ThreadSafetyLevel; 034 035import static com.unboundid.util.ssl.SSLMessages.*; 036 037 038 039/** 040 * This class provides an SSL trust manager that merely checks to see whether 041 * a presented certificate is currently within its validity time window (i.e., 042 * the current time is not earlier than the certificate's notBefore timestamp 043 * and not later than the certificate's notAfter timestamp). 044 * <BR><BR> 045 * Note that no other elements of the certificate are examined, so it is 046 * strongly recommended that this trust manager be used in an 047 * {@link AggregateTrustManager} in conjunction with other trust managers that 048 * perform other forms of validation. 049 */ 050@NotMutable() 051@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE) 052public final class ValidityDateTrustManager 053 implements X509TrustManager 054{ 055 /** 056 * A pre-allocated empty certificate array. 057 */ 058 private static final X509Certificate[] NO_CERTIFICATES = 059 new X509Certificate[0]; 060 061 062 063 /** 064 * Creates a new validity date trust manager. 065 */ 066 public ValidityDateTrustManager() 067 { 068 // No implementation is required. 069 } 070 071 072 073 /** 074 * Checks to determine whether the provided client certificate chain should be 075 * trusted. 076 * 077 * @param chain The client certificate chain for which to make the 078 * determination. 079 * @param authType The authentication type based on the client certificate. 080 * 081 * @throws CertificateException If the provided client certificate chain 082 * should not be trusted. 083 */ 084 @Override() 085 public void checkClientTrusted(final X509Certificate[] chain, 086 final String authType) 087 throws CertificateException 088 { 089 checkCertificateValidity(chain[0]); 090 } 091 092 093 094 /** 095 * Checks to determine whether the provided server certificate chain should be 096 * trusted. 097 * 098 * @param chain The server certificate chain for which to make the 099 * determination. 100 * @param authType The key exchange algorithm used. 101 * 102 * @throws CertificateException If the provided server certificate chain 103 * should not be trusted. 104 */ 105 @Override() 106 public void checkServerTrusted(final X509Certificate[] chain, 107 final String authType) 108 throws CertificateException 109 { 110 checkCertificateValidity(chain[0]); 111 } 112 113 114 115 /** 116 * Checks the provided certificate to determine whether the current time is 117 * within the certificate's validity window. 118 * 119 * @param c The certificate to be checked. 120 * 121 * @throws CertificateException If the presented certificate is outside the 122 * validity window. 123 */ 124 private static void checkCertificateValidity(final X509Certificate c) 125 throws CertificateException 126 { 127 final Date currentTime = new Date(); 128 final Date notBefore = c.getNotBefore(); 129 final Date notAfter = c.getNotAfter(); 130 131 if (currentTime.before(notBefore)) 132 { 133 throw new CertificateException(ERR_VALIDITY_TOO_EARLY.get( 134 c.getSubjectX500Principal().getName(X500Principal.RFC2253), 135 String.valueOf(notBefore))); 136 } 137 138 if (currentTime.after(c.getNotAfter())) 139 { 140 throw new CertificateException(ERR_VALIDITY_TOO_LATE.get( 141 c.getSubjectX500Principal().getName(X500Principal.RFC2253), 142 String.valueOf(notAfter))); 143 } 144 } 145 146 147 148 /** 149 * Retrieves the accepted issuer certificates for this trust manager. This 150 * will always return an empty array. 151 * 152 * @return The accepted issuer certificates for this trust manager. 153 */ 154 @Override() 155 public X509Certificate[] getAcceptedIssuers() 156 { 157 return NO_CERTIFICATES; 158 } 159}