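/*
 * Copyright 2012-2017 UnboundID Corp.
 * All Rights Reserved.
 */
/*
 * Copyright (C) 2012-2017 UnboundID Corp.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License (GPLv2 only)
 * or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <http://www.gnu.org/licenses>.
 */
package com.unboundid.util.ssl;



import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

import com.unboundid.util.NotMutable;
import com.unboundid.util.ThreadSafety;
import com.unboundid.util.ThreadSafetyLevel;

import static com.unboundid.util.ssl.SSLMessages.*;



/**
 * This class provides an SSL trust manager that merely checks to see whether
 * every certificate in a presented chain is currently within its validity
 * time window (i.e., the current time is not earlier than the certificate's
 * notBefore timestamp and not later than the certificate's notAfter
 * timestamp).  All certificates in the chain are compared against the same
 * instant, in the order in which they were presented, and the first one found
 * outside its window is the one named in the resulting exception.
 * <BR><BR>
 * Note that no other elements of the certificates are examined (signatures,
 * issuer/subject relationships, key usage, revocation status and the peer's
 * hostname are all ignored), so it is strongly recommended that this trust
 * manager be used in an {@link AggregateTrustManager} in conjunction with
 * other trust managers that perform other forms of validation.
 * <BR><BR>
 * A {@code null} or empty chain, or a chain containing a {@code null}
 * element, is rejected with a {@code CertificateException} so that the trust
 * decision always fails closed instead of surfacing an unchecked exception.
 */
@NotMutable()
@ThreadSafety(level=ThreadSafetyLevel.COMPLETELY_THREADSAFE)
public final class ValidityDateTrustManager
       implements X509TrustManager
{
  /**
   * A pre-allocated empty certificate array.
   */
  private static final X509Certificate[] NO_CERTIFICATES =
       new X509Certificate[0];



  /**
   * Creates a new validity date trust manager.
   */
  public ValidityDateTrustManager()
  {
    // No implementation is required.
  }



  /**
   * Checks to determine whether the provided client certificate chain should be
   * trusted.  Every certificate in the chain must currently be within its
   * validity window.
   *
   * @param  chain     The client certificate chain for which to make the
   *                   determination.
   * @param  authType  The authentication type based on the client certificate.
   *                   It is not examined by this trust manager.
   *
   * @throws  CertificateException  If the provided client certificate chain
   *                                is {@code null} or empty, or if any
   *                                certificate in it is outside its validity
   *                                window.
   */
  public void checkClientTrusted(final X509Certificate[] chain,
                                 final String authType)
         throws CertificateException
  {
    checkChainValidity(chain);
  }



  /**
   * Checks to determine whether the provided server certificate chain should be
   * trusted.  Every certificate in the chain must currently be within its
   * validity window.
   *
   * @param  chain     The server certificate chain for which to make the
   *                   determination.
   * @param  authType  The key exchange algorithm used.  It is not examined by
   *                   this trust manager.
   *
   * @throws  CertificateException  If the provided server certificate chain
   *                                is {@code null} or empty, or if any
   *                                certificate in it is outside its validity
   *                                window.
   */
  public void checkServerTrusted(final X509Certificate[] chain,
                                 final String authType)
         throws CertificateException
  {
    checkChainValidity(chain);
  }



  /**
   * Ensures that the provided chain is present and that every certificate in
   * it is currently within its validity window.  A single timestamp is taken
   * up front so that all certificates in the chain are judged against the
   * same instant.
   *
   * @param  chain  The certificate chain to examine.  Certificates are checked
   *                in array order, and the first one found outside its
   *                validity window is the one named in the exception.
   *
   * @throws  CertificateException  If the chain is {@code null} or empty,
   *                                contains a {@code null} element, or
   *                                contains a certificate that is not yet
   *                                valid or has expired.
   */
  private static void checkChainValidity(final X509Certificate[] chain)
          throws CertificateException
  {
    // Fail closed.  Indexing an absent chain would raise an unchecked
    // exception, which is not the contract callers of a trust manager expect;
    // a CertificateException is the documented "do not trust" signal.
    // NOTE(review):  this message is a literal because SSLMessages has no key
    // for it; a localized entry should be added alongside the other
    // ERR_VALIDITY_* messages.
    if ((chain == null) || (chain.length == 0))
    {
      throw new CertificateException(
           "The presented certificate chain is null or empty.");
    }

    final Date currentTime = new Date();
    for (final X509Certificate c : chain)
    {
      if (c == null)
      {
        throw new CertificateException(
             "The presented certificate chain contains a null certificate.");
      }

      checkCertificateValidity(c, currentTime);
    }
  }



  /**
   * Checks the provided certificate to determine whether the given time is
   * within the certificate's validity window.
   *
   * @param  c            The certificate to be checked.  It must not be
   *                      {@code null}.
   * @param  currentTime  The instant to compare against the certificate's
   *                      notBefore and notAfter timestamps.
   *
   * @throws  CertificateException  If the presented certificate is outside the
   *                                validity window.
   */
  private static void checkCertificateValidity(final X509Certificate c,
                                               final Date currentTime)
          throws CertificateException
  {
    final Date notBefore = c.getNotBefore();
    final Date notAfter = c.getNotAfter();

    if (currentTime.before(notBefore))
    {
      throw new CertificateException(ERR_VALIDITY_TOO_EARLY.get(
           c.getSubjectX500Principal().getName(X500Principal.RFC2253),
           String.valueOf(notBefore)));
    }

    // Compare against the already-retrieved value so the message and the
    // decision cannot disagree.
    if (currentTime.after(notAfter))
    {
      throw new CertificateException(ERR_VALIDITY_TOO_LATE.get(
           c.getSubjectX500Principal().getName(X500Principal.RFC2253),
           String.valueOf(notAfter)));
    }
  }



  /**
   * Retrieves the accepted issuer certificates for this trust manager.  This
   * will always return an empty array, because this trust manager does not
   * anchor trust in any particular issuer.
   *
   * @return  The accepted issuer certificates for this trust manager.
   */
  public X509Certificate[] getAcceptedIssuers()
  {
    return NO_CERTIFICATES;
  }
}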