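package com.sslexplorer.boot;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Trust manager used for outbound SSL connections.
 * <p>
 * Client certificates are never trusted. Server certificate chains are accepted
 * unconditionally unless the {@code ssl.strictSSLTrustMode} property is set; in
 * strict mode a chain is trusted if either
 * <ol>
 * <li>the leaf certificate was signed by, or the chain links to, a certificate
 * held in the application's trusted-server-certificate keystore
 * ({@link KeyStoreManager#TRUSTED_SERVER_CERTIFICATES_KEY_STORE}), or</li>
 * <li>the chain validates (PKIX, without revocation checking) against the JRE's
 * {@code cacerts} keystore.</li>
 * </ol>
 * The singleton returned by {@link #getInstance()} is created lazily and without
 * synchronisation, so concurrent first callers may briefly see two instances.
 */
public class SSLTrustManager implements X509TrustManager {

    private static final Log log = LogFactory.getLog(SSLTrustManager.class);
    private static SSLTrustManager instance;

    /** Default password of the JRE's {@code cacerts} keystore; not a secret. */
    private static final String CACERTS_PASSWORD = "changeit";

    /** JRE {@code cacerts} trust store, or {@code null} if it could not be loaded. */
    private KeyStore trustcacerts;

    /**
     * Loads the JRE {@code cacerts} keystore from {@code java.home/lib/security/cacerts}.
     * Failure is logged (with cause) and leaves {@link #trustcacerts} {@code null}, so that
     * {@link #checkServerTrusted} falls back to the pinned-certificate check only. The
     * keystore is only published to the field once it has loaded successfully; a
     * partially initialised keystore would otherwise fail later inside
     * {@link PKIXParameters}.
     */
    public SSLTrustManager() {
        File cacertsFile = new File(System.getProperty("java.home"),
                "lib" + File.separator + "security" + File.separator + "cacerts");
        FileInputStream is = null;
        try {
            is = new FileInputStream(cacertsFile);
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(is, CACERTS_PASSWORD.toCharArray());
            trustcacerts = ks;
        } catch (Exception e) {
            log.error("Failed to load trusted cacerts keystore from " + cacertsFile, e);
        } finally {
            // The original left the stream open; close it regardless of outcome.
            if (is != null) {
                try {
                    is.close();
                } catch (IOException ignored) {
                    // Nothing useful to do if closing a read-only stream fails.
                }
            }
        }
    }

    /**
     * Returns the shared trust manager, creating it on first use.
     *
     * @return the singleton instance
     */
    public static SSLTrustManager getInstance() {
        if (instance == null) {
            instance = new SSLTrustManager();
        }
        return instance;
    }

    /**
     * Convenience wrapper for {@code SSLContext.init}.
     *
     * @return a one-element array holding {@link #getInstance()}
     */
    public static TrustManager[] getTrustManagerArray() {
        return new TrustManager[] { getInstance() };
    }

    /**
     * Client certificates are never accepted by this trust manager.
     *
     * @throws CertificateException always
     */
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("Client certs are not trusted by the custom SSL trust manager.");
    }

    /**
     * Decides whether a server certificate chain is trusted (see class documentation).
     *
     * @param chain    the peer's chain, leaf first
     * @param authType the key exchange algorithm; not used by this implementation
     * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
     *                                  (per the {@link X509TrustManager} contract)
     * @throws CertificateException     if strict mode is on and the chain is not trusted
     */
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // The contract requires a non-empty chain; fail explicitly rather than with an
        // ArrayIndexOutOfBoundsException on chain[0] further down.
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Certificate chain is null or empty");
        }

        // Non-strict mode accepts any server certificate without inspection, i.e. peer
        // authentication is effectively disabled for outbound connections.
        if (!ContextHolder.getContext().getConfig().retrievePropertyBoolean(new ContextKey("ssl.strictSSLTrustMode"))) {
            return;
        }

        if (isTrustedByServerCertificateStore(chain)) {
            return;
        }

        if (isValidAgainstCacerts(chain)) {
            return;
        }

        throw new CertificateException("Certificate chain is not trusted");
    }

    /**
     * Checks the chain against the application's trusted-server-certificate keystore.
     * A chain is trusted when the leaf was signed by the key of any stored certificate,
     * or when a certificate of the chain is itself stored and the chain links to it.
     * NOTE(review): neither rule checks the validity period of the leaf; an expired
     * certificate issued by a pinned CA is still accepted here.
     *
     * @param chain the peer's chain, leaf first; must be non-empty
     * @return {@code true} if trusted; {@code false} otherwise, including when the
     *         keystore cannot be read (which is logged as an error)
     */
    private boolean isTrustedByServerCertificateStore(X509Certificate[] chain) {
        try {
            KeyStoreManager km = KeyStoreManager.getInstance(KeyStoreManager.TRUSTED_SERVER_CERTIFICATES_KEY_STORE);
            if (km.isKeyStoreEmpty()) {
                return false;
            }
            KeyStore trusted = km.getKeyStore();

            // Rule 1: the leaf certificate carries a signature by a stored certificate's key.
            for (Enumeration<String> e = trusted.aliases(); e.hasMoreElements();) {
                Certificate c = trusted.getCertificate(e.nextElement());
                if (c == null) {
                    continue; // alias is a key entry without a certificate
                }
                try {
                    chain[0].verify(c.getPublicKey());
                    return true;
                } catch (Exception ignored) {
                    // Not signed by this stored certificate; try the next alias.
                }
            }

            // Rule 2: a certificate of the chain is itself stored. For entries above the
            // leaf, additionally require that the chain really links up to it; otherwise a
            // stored CA certificate appended to an arbitrary chain would be accepted.
            for (int i = 0; i < chain.length; i++) {
                if (trusted.getCertificateAlias(chain[i]) != null && chainLinksTo(chain, i)) {
                    return true;
                }
            }
        } catch (KeyStoreException e) {
            log.error("Unexpected keystore exception", e);
        }
        return false;
    }

    /**
     * Verifies that each certificate below {@code index} is signed by the next one up,
     * so that {@code chain[0]} is issued (transitively) under {@code chain[index]}.
     *
     * @param chain the chain, leaf first
     * @param index position of the certificate the chain must link to
     * @return {@code true} if every link up to {@code index} verifies
     */
    private static boolean chainLinksTo(X509Certificate[] chain, int index) {
        for (int j = 0; j < index; j++) {
            try {
                chain[j].verify(chain[j + 1].getPublicKey());
            } catch (Exception e) {
                return false;
            }
        }
        return true;
    }

    /**
     * Validates the chain with the platform PKIX validator against the JRE
     * {@code cacerts} keystore.
     *
     * @param chain the peer's chain, leaf first
     * @return {@code true} if the path validates; {@code false} if {@code cacerts} was not
     *         loaded or validation fails (logged at info level)
     */
    private boolean isValidAgainstCacerts(X509Certificate[] chain) {
        if (trustcacerts == null) {
            if (log.isInfoEnabled()) {
                log.info("Cannot validate from cacerts as the keystore failed to load.");
            }
            return false;
        }
        try {
            CertificateFactory certFact = CertificateFactory.getInstance("X.509");
            CertPath path = certFact.generateCertPath(Arrays.asList(chain));
            PKIXParameters params = new PKIXParameters(trustcacerts);
            // Revocation checking (CRL/OCSP) is deliberately disabled, as in the original;
            // a revoked certificate issued by a public CA will therefore still validate.
            params.setRevocationEnabled(false);
            CertPathValidator validator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
            CertPathValidatorResult result = validator.validate(path, params);
            // A non-PKIX result fails the cast and is reported as an untrusted chain.
            PKIXCertPathValidatorResult pkixResult = (PKIXCertPathValidatorResult) result;
            TrustAnchor anchor = pkixResult.getTrustAnchor();
            if (log.isDebugEnabled() && anchor.getTrustedCert() != null) {
                log.debug("Certificate chain validated to trust anchor "
                        + anchor.getTrustedCert().getSubjectX500Principal());
            }
            return true;
        } catch (Exception e) {
            if (log.isInfoEnabled()) {
                log.info("Failed to validate certificate path", e);
            }
            return false;
        }
    }

    /**
     * This trust manager does not advertise any issuers. An empty array is returned
     * rather than {@code null}, which the {@link X509TrustManager} contract does not
     * permit and which JSSE wrappers may dereference.
     *
     * @return an empty array
     */
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}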