


1 package com.sslexplorer.boot;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
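/**
 * {@link X509TrustManager} used for the outbound SSL connections this server makes.
 * <p>
 * A server certificate chain is accepted by the first of these rules that matches:
 * <ol>
 * <li>the {@code ssl.strictSSLTrustMode} configuration flag is off, in which case
 *     every chain is accepted without any check at all;</li>
 * <li>the leaf certificate is itself an entry of the
 *     {@link KeyStoreManager#TRUSTED_SERVER_CERTIFICATES_KEY_STORE} store;</li>
 * <li>the leaf certificate is within its validity period and is directly signed by
 *     the key of an entry of that store;</li>
 * <li>PKIX path validation of the whole chain succeeds with that store's entries as
 *     trust anchors;</li>
 * <li>PKIX path validation succeeds against the JRE's {@code cacerts} store.</li>
 * </ol>
 * Revocation (CRL/OCSP) is not checked on either PKIX path, and host name verification
 * is not performed by this class. Client certificates are never trusted.
 */
public class SSLTrustManager implements X509TrustManager {

    private static final Log log = LogFactory.getLog(SSLTrustManager.class);
    private static SSLTrustManager instance;

    /** The JRE's {@code cacerts} store, or {@code null} if it could not be loaded. */
    private KeyStore trustcacerts;

    /**
     * Loads the JRE's {@code cacerts} store from {@code $java.home/lib/security/cacerts}.
     * A failure is logged and leaves {@link #trustcacerts} {@code null}, so validation
     * against the JRE store is skipped later rather than attempted on an
     * uninitialised store.
     */
    public SSLTrustManager() {
        String filename = System.getProperty("java.home")
                + "/lib/security/cacerts".replace('/', File.separatorChar);
        FileInputStream in = null;
        try {
            in = new FileInputStream(filename);
            KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
            // "changeit" is the JDK's documented default integrity password for cacerts; it is not a secret.
            store.load(in, "changeit".toCharArray());
            // Publish the store only once it has loaded completely.
            trustcacerts = store;
        } catch (IOException e) {
            log.error("Failed to load trusted cacerts keystore from " + filename, e);
        } catch (GeneralSecurityException e) {
            log.error("Failed to load trusted cacerts keystore from " + filename, e);
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException e) {
                    log.warn("Failed to close " + filename, e);
                }
            }
        }
    }

    /**
     * Returns the shared instance, creating it on first use.
     *
     * @return the singleton trust manager
     */
    public static synchronized SSLTrustManager getInstance() {
        if (instance == null) {
            instance = new SSLTrustManager();
        }
        return instance;
    }

    /**
     * Convenience wrapper for APIs that take a {@code TrustManager[]}.
     *
     * @return a one-element array holding {@link #getInstance()}
     */
    public static TrustManager[] getTrustManagerArray() {
        return new TrustManager[] { getInstance() };
    }

    /**
     * Client certificates are never trusted by this manager.
     *
     * @throws CertificateException always
     */
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("Client certs are not trusted by the custom SSL trust manager.");
    }

    /**
     * Decides whether a server certificate chain is trusted; see the class comment
     * for the order in which the checks are applied.
     *
     * @param chain    the peer's certificate chain, leaf first
     * @param authType the key exchange algorithm; not used by this implementation
     * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
     * @throws CertificateException     if no rule accepts the chain
     */
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Certificate chain must not be null or empty");
        }

        // With strict trust mode off, any server certificate is accepted without inspection.
        if (!ContextHolder.getContext().getConfig().retrievePropertyBoolean(new ContextKey("ssl.strictSSLTrustMode"))) {
            return;
        }

        if (isTrustedByLocalStore(chain)) {
            return;
        }

        // Not in our own store; fall back to the JRE's cacerts store.
        if (trustcacerts == null) {
            if (log.isInfoEnabled()) {
                log.info("Cannot validate from cacerts as the keystore failed to load.");
            }
        } else if (validatesAgainst(chain, trustcacerts, "cacerts")) {
            return;
        }

        throw new CertificateException("Certificate chain is not trusted");
    }

    /**
     * Checks the chain against the administrator-managed trusted server certificate store.
     * The leaf is accepted if it is an entry of the store or is directly signed by an
     * entry's key while within its validity period; otherwise the whole chain must
     * validate as a PKIX path anchored at an entry of the store.
     *
     * @param chain non-empty chain, leaf first
     * @return {@code true} if the store trusts the chain
     */
    private boolean isTrustedByLocalStore(X509Certificate[] chain) {
        try {
            KeyStoreManager km = KeyStoreManager.getInstance(KeyStoreManager.TRUSTED_SERVER_CERTIFICATES_KEY_STORE);
            if (km.isKeyStoreEmpty()) {
                return false;
            }
            KeyStore trusted = km.getKeyStore();
            X509Certificate leaf = chain[0];

            // 1. The leaf itself has been imported into the store.
            if (trusted.getCertificateAlias(leaf) != null) {
                return true;
            }

            // 2. The leaf is directly signed by a stored entry's key. A bare signature
            //    check says nothing about expiry, so the validity period is checked first.
            boolean leafInValidityPeriod = true;
            try {
                leaf.checkValidity();
            } catch (CertificateException ex) {
                leafInValidityPeriod = false;
                if (log.isInfoEnabled()) {
                    log.info("Server certificate is outside its validity period", ex);
                }
            }
            if (leafInValidityPeriod) {
                for (Enumeration<String> aliases = trusted.aliases(); aliases.hasMoreElements();) {
                    Certificate candidate = trusted.getCertificate(aliases.nextElement());
                    if (candidate == null) {
                        continue; // key-only entry with no certificate
                    }
                    try {
                        leaf.verify(candidate.getPublicKey());
                        return true;
                    } catch (GeneralSecurityException ignored) {
                        // Not signed by this entry's key; try the next one.
                    }
                }
            }

            // 3. An entry of the store is an ancestor of the leaf. The signatures along
            //    the chain must be verified here: merely finding a stored certificate
            //    somewhere in the presented chain would accept any leaf sent next to it.
            return validatesAgainst(chain, trusted, "trusted server certificate store");
        } catch (KeyStoreException e) {
            log.error("Unexpected keystore exception", e);
            return false;
        }
    }

    /**
     * Runs PKIX path validation of {@code chain} using every trusted certificate in
     * {@code anchors} as a trust anchor.
     *
     * @param chain     non-empty chain, leaf first
     * @param anchors   initialised key store whose trusted certificates are the anchors
     * @param storeName name used in log output only
     * @return {@code true} if the path validates; {@code false} on any validation or
     *         provider failure, which is logged at info level
     */
    private boolean validatesAgainst(X509Certificate[] chain, KeyStore anchors, String storeName) {
        try {
            CertificateFactory certFact = CertificateFactory.getInstance("X.509");
            CertPath path = certFact.generateCertPath(Arrays.asList(chain));
            PKIXParameters params = new PKIXParameters(anchors);
            // No CRL/OCSP source is configured here, so revocation checking stays off;
            // enabling it without one would fail every chain.
            params.setRevocationEnabled(false);
            CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
            certPathValidator.validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            if (log.isInfoEnabled()) {
                log.info("Failed to validate certificate path against " + storeName, e);
            }
            return false;
        }
    }

    /**
     * The trust anchors are not advertised. The interface requires a non-null
     * (possibly empty) array here, so an empty array is returned rather than {@code null}.
     *
     * @return an empty array
     */
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}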