Source for gnu.javax.net.ssl.provider.X509TrustManagerFactory

   1: /* X509TrustManagerFactory.java -- X.509 trust manager factory.
   2:    Copyright (C) 2006  Free Software Foundation, Inc.
   3: 
   4: This file is a part of GNU Classpath.
   5: 
   6: GNU Classpath is free software; you can redistribute it and/or modify
   7: it under the terms of the GNU General Public License as published by
   8: the Free Software Foundation; either version 2 of the License, or (at
   9: your option) any later version.
  10: 
  11: GNU Classpath is distributed in the hope that it will be useful, but
  12: WITHOUT ANY WARRANTY; without even the implied warranty of
  13: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14: General Public License for more details.
  15: 
  16: You should have received a copy of the GNU General Public License
  17: along with GNU Classpath; if not, write to the Free Software
  18: Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
  19: USA
  20: 
  21: Linking this library statically or dynamically with other modules is
  22: making a combined work based on this library.  Thus, the terms and
  23: conditions of the GNU General Public License cover the whole
  24: combination.
  25: 
  26: As a special exception, the copyright holders of this library give you
  27: permission to link this library with independent modules to produce an
  28: executable, regardless of the license terms of these independent
  29: modules, and to copy and distribute the resulting executable under
  30: terms of your choice, provided that you also meet, for each linked
  31: independent module, the terms and conditions of the license of that
  32: module.  An independent module is a module which is not derived from
  33: or based on this library.  If you modify this library, you may extend
  34: this exception to your version of the library, but you are not
  35: obligated to do so.  If you do not wish to do so, delete this
  36: exception statement from your version.  */
  37: 
  38: 
  39: package gnu.javax.net.ssl.provider;
  40: 
  41: import java.io.FileInputStream;
  42: import java.io.IOException;
  43: 
  44: import java.util.Arrays;
  45: import java.util.Enumeration;
  46: import java.util.HashSet;
  47: import java.util.LinkedList;
  48: 
  49: import java.security.InvalidAlgorithmParameterException;
  50: import java.security.InvalidKeyException;
  51: import java.security.KeyStore;
  52: import java.security.KeyStoreException;
  53: import java.security.NoSuchAlgorithmException;
  54: import java.security.NoSuchProviderException;
  55: import java.security.Security;
  56: import java.security.SignatureException;
  57: import java.security.cert.Certificate;
  58: import java.security.cert.CertificateException;
  59: import java.security.cert.X509Certificate;
  60: 
  61: import javax.net.ssl.ManagerFactoryParameters;
  62: import javax.net.ssl.TrustManager;
  63: import javax.net.ssl.TrustManagerFactorySpi;
  64: import javax.net.ssl.X509TrustManager;
  65: 
  66: import gnu.javax.net.ssl.NullManagerParameters;
  67: import gnu.javax.net.ssl.StaticTrustAnchors;
  68: 
  69: /**
  70:  * This class implements a {@link javax.net.ssl.TrustManagerFactory} engine
  71:  * for the ``JessieX509'' algorithm.
  72:  */
  73: public class X509TrustManagerFactory extends TrustManagerFactorySpi
  74: {
  75: 
  76:   // Constants and fields.
  77:   // -------------------------------------------------------------------------
  78: 
  79:   /**
  80:    * The location of the JSSE key store.
  81:    */
  82:   private static final String JSSE_CERTS = Util.getProperty("java.home")
  83:     + Util.getProperty("file.separator") + "lib"
  84:     + Util.getProperty("file.separator") + "security"
  85:     + Util.getProperty("file.separator") + "jssecerts";
  86: 
  87:   /**
  88:    * The location of the system key store, containing the CA certs.
  89:    */
  90:   private static final String CA_CERTS = Util.getProperty("java.home")
  91:     + Util.getProperty("file.separator") + "lib"
  92:     + Util.getProperty("file.separator") + "security"
  93:     + Util.getProperty("file.separator") + "cacerts";
  94: 
  95:   private Manager current;
  96: 
  97:   // Construtors.
  98:   // -------------------------------------------------------------------------
  99: 
 100:   public X509TrustManagerFactory()
 101:   {
 102:     super();
 103:   }
 104: 
 105:   // Instance methods.
 106:   // -------------------------------------------------------------------------
 107: 
 108:   protected TrustManager[] engineGetTrustManagers()
 109:   {
 110:     if (current == null)
 111:       {
 112:         throw new IllegalStateException("not initialized");
 113:       }
 114:     return new TrustManager[] { current };
 115:   }
 116: 
 117:   protected void engineInit(ManagerFactoryParameters params)
 118:     throws InvalidAlgorithmParameterException
 119:   {
 120:     if (params instanceof StaticTrustAnchors)
 121:       {
 122:         current = new Manager(((StaticTrustAnchors) params).getCertificates());
 123:       }
 124:     else if (params instanceof NullManagerParameters)
 125:       {
 126:         current = new Manager(new X509Certificate[0]);
 127:       }
 128:     else
 129:       {
 130:         throw new InvalidAlgorithmParameterException();
 131:       }
 132:   }
 133: 
 134:   protected void engineInit(KeyStore store) throws KeyStoreException
 135:   {
 136:     if (store == null)
 137:       {
 138:         String s = Util.getProperty("javax.net.ssl.trustStoreType");
 139:         if (s == null)
 140:           s = KeyStore.getDefaultType();
 141:         store = KeyStore.getInstance(s);
 142:         try
 143:           {
 144:             s = Util.getProperty("javax.net.ssl.trustStore");
 145:             FileInputStream in = null;
 146:             if (s == null)
 147:               {
 148:                 try
 149:                   {
 150:                     in = new FileInputStream(JSSE_CERTS);
 151:                   }
 152:                 catch (IOException e)
 153:                   {
 154:                     in = new FileInputStream(CA_CERTS);
 155:                   }
 156:               }
 157:             else
 158:               {
 159:                 in = new FileInputStream(s);
 160:               }
 161:             String p = Util.getProperty("javax.net.ssl.trustStorePassword");
 162:             store.load(in, p != null ? p.toCharArray() : null);
 163:           }
 164:         catch (IOException ioe)
 165:           {
 166:             throw new KeyStoreException(ioe.toString());
 167:           }
 168:         catch (CertificateException ce)
 169:           {
 170:             throw new KeyStoreException(ce.toString());
 171:           }
 172:         catch (NoSuchAlgorithmException nsae)
 173:           {
 174:             throw new KeyStoreException(nsae.toString());
 175:           }
 176:       }
 177: 
 178:     LinkedList l = new LinkedList();
 179:     Enumeration aliases = store.aliases();
 180:     while (aliases.hasMoreElements())
 181:       {
 182:         String alias = (String) aliases.nextElement();
 183:         if (!store.isCertificateEntry(alias))
 184:           continue;
 185:         Certificate c = store.getCertificate(alias);
 186:         if (!(c instanceof X509Certificate))
 187:           continue;
 188:         l.add(c);
 189:       }
 190:     current = this.new Manager((X509Certificate[])
 191:                                l.toArray(new X509Certificate[l.size()]));
 192:   }
 193: 
 194:   // Inner class.
 195:   // -------------------------------------------------------------------------
 196: 
 197:   /**
 198:    * The actual manager implementation returned.
 199:    */
 200:   private class Manager implements X509TrustManager
 201:   {
 202: 
 203:     // Fields.
 204:     // -----------------------------------------------------------------------
 205: 
 206:     private final X509Certificate[] trusted;
 207: 
 208:     // Constructor.
 209:     // -----------------------------------------------------------------------
 210: 
 211:     Manager(X509Certificate[] trusted)
 212:     {
 213:       this.trusted = trusted;
 214:     }
 215: 
 216:     // Instance methodns.
 217:     // -----------------------------------------------------------------------
 218: 
 219:     public void checkClientTrusted(X509Certificate[] chain, String authType)
 220:       throws CertificateException
 221:     {
 222:       checkTrusted(chain, authType);
 223:     }
 224: 
 225:     public void checkServerTrusted(X509Certificate[] chain, String authType)
 226:       throws CertificateException
 227:     {
 228:       checkTrusted(chain, authType);
 229:     }
 230: 
 231:     public X509Certificate[] getAcceptedIssuers()
 232:     {
 233:       if (trusted == null)
 234:         return new X509Certificate[0];
 235:       return (X509Certificate[]) trusted.clone();
 236:     }
 237: 
 238:     // Own methods.
 239:     // -----------------------------------------------------------------------
 240: 
 241:     private void checkTrusted(X509Certificate[] chain, String authType)
 242:       throws CertificateException
 243:     {
 244:       // NOTE: this is not a full-featured path validation algorithm.
 245:       //
 246:       // Step 0: check if the target is valid now.
 247:       chain[0].checkValidity();
 248: 
 249:       // Step 1: verify that the chain is complete and valid.
 250:       for (int i = 1; i < chain.length; i++)
 251:         {
 252:           chain[i].checkValidity();
 253:           try
 254:             {
 255:               chain[i-1].verify(chain[i].getPublicKey());
 256:             }
 257:           catch (NoSuchAlgorithmException nsae)
 258:             {
 259:               throw new CertificateException(nsae.toString());
 260:             }
 261:           catch (NoSuchProviderException nspe)
 262:             {
 263:               throw new CertificateException(nspe.toString());
 264:             }
 265:           catch (InvalidKeyException ike)
 266:             {
 267:               throw new CertificateException(ike.toString());
 268:             }
 269:           catch (SignatureException se)
 270:             {
 271:               throw new CertificateException(se.toString());
 272:             }
 273:         }
 274: 
 275:       // Step 2: verify that the root of the chain was issued by a trust anchor.
 276:       if (trusted == null || trusted.length == 0)
 277:         throw new CertificateException("no trust anchors");
 278:       for (int i = 0; i < trusted.length; i++)
 279:         {
 280:           try
 281:             {
 282:               trusted[i].checkValidity();
 283:               chain[chain.length-1].verify(trusted[i].getPublicKey());
 284:               return;
 285:             }
 286:           catch (Exception e)
 287:             {
 288:             }
 289:           //catch (CertificateException ce) { }
 290:           //catch (NoSuchAlgorithmException nsae) { }
 291:           //catch (NoSuchProviderException nspe) { }
 292:           //catch (InvalidKeyException ike) { }
 293:           //catch (SignatureException se) { }
 294:         }
 295:       throw new CertificateException();
 296:     }
 297:   }
 298: }