131
132 @Override
133 public void checkClientTrusted(X509Certificate[] chain, String authType,
134 SSLEngine engine) throws CertificateException {
135 checkTrusted(chain, authType, engine, true);
136 }
137
138 @Override
139 public void checkServerTrusted(X509Certificate[] chain, String authType,
140 SSLEngine engine) throws CertificateException {
141 checkTrusted(chain, authType, engine, false);
142 }
143
144 private Validator checkTrustedInit(X509Certificate[] chain,
145 String authType, boolean isClient) {
146 if (chain == null || chain.length == 0) {
147 throw new IllegalArgumentException(
148 "null or zero-length certificate chain");
149 }
150
151 if (authType == null || authType.length() == 0) {
152 throw new IllegalArgumentException(
153 "null or zero-length authentication type");
154 }
155
156 Validator v = null;
157 if (isClient) {
158 v = clientValidator;
159 if (v == null) {
160 synchronized (this) {
161 v = clientValidator;
162 if (v == null) {
163 v = getValidator(Validator.VAR_TLS_CLIENT);
164 clientValidator = v;
165 }
166 }
167 }
168 } else {
169 // assume double checked locking with a volatile flag works
170 // (guaranteed under the new Tiger memory model)
171 v = serverValidator;
212 constraints = new SSLAlgorithmConstraints(sslSocket, false);
213 }
214
215 // Grab any stapled OCSP responses for use in validation
216 List<byte[]> responseList = Collections.emptyList();
217 if (!isClient && isExtSession) {
218 responseList =
219 ((ExtendedSSLSession)session).getStatusResponses();
220 }
221 trustedChain = validate(v, chain, responseList,
222 constraints, isClient ? null : authType);
223
224 // check if EE certificate chains to a public root CA (as
225 // pre-installed in cacerts)
226 boolean chainsToPublicCA = AnchorCertificates.contains(
227 trustedChain[trustedChain.length-1]);
228
229 // check endpoint identity
230 String identityAlg = sslSocket.getSSLParameters().
231 getEndpointIdentificationAlgorithm();
232 if (identityAlg != null && identityAlg.length() != 0) {
233 checkIdentity(session, trustedChain[0], identityAlg, isClient,
234 getRequestedServerNames(socket), chainsToPublicCA);
235 }
236 } else {
237 trustedChain = validate(v, chain, Collections.emptyList(),
238 null, isClient ? null : authType);
239 }
240
241 if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
242 SSLLogger.fine("Found trusted certificate",
243 trustedChain[trustedChain.length - 1]);
244 }
245 }
246
247 private void checkTrusted(X509Certificate[] chain, String authType,
248 SSLEngine engine, boolean isClient) throws CertificateException {
249 Validator v = checkTrustedInit(chain, authType, isClient);
250
251 X509Certificate[] trustedChain = null;
252 if (engine != null) {
270 constraints = new SSLAlgorithmConstraints(engine, false);
271 }
272
273 // Grab any stapled OCSP responses for use in validation
274 List<byte[]> responseList = Collections.emptyList();
275 if (!isClient && isExtSession) {
276 responseList =
277 ((ExtendedSSLSession)session).getStatusResponses();
278 }
279 trustedChain = validate(v, chain, responseList,
280 constraints, isClient ? null : authType);
281
282 // check if EE certificate chains to a public root CA (as
283 // pre-installed in cacerts)
284 boolean chainsToPublicCA = AnchorCertificates.contains(
285 trustedChain[trustedChain.length-1]);
286
287 // check endpoint identity
288 String identityAlg = engine.getSSLParameters().
289 getEndpointIdentificationAlgorithm();
290 if (identityAlg != null && identityAlg.length() != 0) {
291 checkIdentity(session, trustedChain[0], identityAlg, isClient,
292 getRequestedServerNames(engine), chainsToPublicCA);
293 }
294 } else {
295 trustedChain = validate(v, chain, Collections.emptyList(),
296 null, isClient ? null : authType);
297 }
298
299 if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
300 SSLLogger.fine("Found trusted certificate",
301 trustedChain[trustedChain.length - 1]);
302 }
303 }
304
305 private Validator getValidator(String variant) {
306 Validator v;
307 if (pkixParams == null) {
308 v = Validator.getInstance(validatorType, variant, trustedCerts);
309 } else {
310 v = Validator.getInstance(validatorType, variant, pkixParams);
431 }
432
433 if (!identifiable) {
434 checkIdentity(peerHost, cert, algorithm, chainsToPublicCA);
435 }
436 }
437
438 /*
439 * Identify the peer by its certificate and hostname.
440 *
441 * Lifted from sun.net.www.protocol.https.HttpsClient.
442 */
443 static void checkIdentity(String hostname, X509Certificate cert,
444 String algorithm) throws CertificateException {
445 checkIdentity(hostname, cert, algorithm, false);
446 }
447
448 private static void checkIdentity(String hostname, X509Certificate cert,
449 String algorithm, boolean chainsToPublicCA)
450 throws CertificateException {
451 if (algorithm != null && algorithm.length() != 0) {
452 // if IPv6 strip off the "[]"
453 if ((hostname != null) && hostname.startsWith("[") &&
454 hostname.endsWith("]")) {
455 hostname = hostname.substring(1, hostname.length() - 1);
456 }
457
458 if (algorithm.equalsIgnoreCase("HTTPS")) {
459 HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(
460 hostname, cert, chainsToPublicCA);
461 } else if (algorithm.equalsIgnoreCase("LDAP") ||
462 algorithm.equalsIgnoreCase("LDAPS")) {
463 HostnameChecker.getInstance(HostnameChecker.TYPE_LDAP).match(
464 hostname, cert, chainsToPublicCA);
465 } else {
466 throw new CertificateException(
467 "Unknown identification algorithm: " + algorithm);
468 }
469 }
470 }
471 }
|
131
132 @Override
133 public void checkClientTrusted(X509Certificate[] chain, String authType,
134 SSLEngine engine) throws CertificateException {
135 checkTrusted(chain, authType, engine, true);
136 }
137
138 @Override
139 public void checkServerTrusted(X509Certificate[] chain, String authType,
140 SSLEngine engine) throws CertificateException {
141 checkTrusted(chain, authType, engine, false);
142 }
143
144 private Validator checkTrustedInit(X509Certificate[] chain,
145 String authType, boolean isClient) {
146 if (chain == null || chain.length == 0) {
147 throw new IllegalArgumentException(
148 "null or zero-length certificate chain");
149 }
150
151 if (authType == null || authType.isEmpty()) {
152 throw new IllegalArgumentException(
153 "null or zero-length authentication type");
154 }
155
156 Validator v = null;
157 if (isClient) {
158 v = clientValidator;
159 if (v == null) {
160 synchronized (this) {
161 v = clientValidator;
162 if (v == null) {
163 v = getValidator(Validator.VAR_TLS_CLIENT);
164 clientValidator = v;
165 }
166 }
167 }
168 } else {
169 // assume double checked locking with a volatile flag works
170 // (guaranteed under the new Tiger memory model)
171 v = serverValidator;
212 constraints = new SSLAlgorithmConstraints(sslSocket, false);
213 }
214
215 // Grab any stapled OCSP responses for use in validation
216 List<byte[]> responseList = Collections.emptyList();
217 if (!isClient && isExtSession) {
218 responseList =
219 ((ExtendedSSLSession)session).getStatusResponses();
220 }
221 trustedChain = validate(v, chain, responseList,
222 constraints, isClient ? null : authType);
223
224 // check if EE certificate chains to a public root CA (as
225 // pre-installed in cacerts)
226 boolean chainsToPublicCA = AnchorCertificates.contains(
227 trustedChain[trustedChain.length-1]);
228
229 // check endpoint identity
230 String identityAlg = sslSocket.getSSLParameters().
231 getEndpointIdentificationAlgorithm();
232 if (identityAlg != null && !identityAlg.isEmpty()) {
233 checkIdentity(session, trustedChain[0], identityAlg, isClient,
234 getRequestedServerNames(socket), chainsToPublicCA);
235 }
236 } else {
237 trustedChain = validate(v, chain, Collections.emptyList(),
238 null, isClient ? null : authType);
239 }
240
241 if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
242 SSLLogger.fine("Found trusted certificate",
243 trustedChain[trustedChain.length - 1]);
244 }
245 }
246
247 private void checkTrusted(X509Certificate[] chain, String authType,
248 SSLEngine engine, boolean isClient) throws CertificateException {
249 Validator v = checkTrustedInit(chain, authType, isClient);
250
251 X509Certificate[] trustedChain = null;
252 if (engine != null) {
270 constraints = new SSLAlgorithmConstraints(engine, false);
271 }
272
273 // Grab any stapled OCSP responses for use in validation
274 List<byte[]> responseList = Collections.emptyList();
275 if (!isClient && isExtSession) {
276 responseList =
277 ((ExtendedSSLSession)session).getStatusResponses();
278 }
279 trustedChain = validate(v, chain, responseList,
280 constraints, isClient ? null : authType);
281
282 // check if EE certificate chains to a public root CA (as
283 // pre-installed in cacerts)
284 boolean chainsToPublicCA = AnchorCertificates.contains(
285 trustedChain[trustedChain.length-1]);
286
287 // check endpoint identity
288 String identityAlg = engine.getSSLParameters().
289 getEndpointIdentificationAlgorithm();
290 if (identityAlg != null && !identityAlg.isEmpty()) {
291 checkIdentity(session, trustedChain[0], identityAlg, isClient,
292 getRequestedServerNames(engine), chainsToPublicCA);
293 }
294 } else {
295 trustedChain = validate(v, chain, Collections.emptyList(),
296 null, isClient ? null : authType);
297 }
298
299 if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
300 SSLLogger.fine("Found trusted certificate",
301 trustedChain[trustedChain.length - 1]);
302 }
303 }
304
305 private Validator getValidator(String variant) {
306 Validator v;
307 if (pkixParams == null) {
308 v = Validator.getInstance(validatorType, variant, trustedCerts);
309 } else {
310 v = Validator.getInstance(validatorType, variant, pkixParams);
431 }
432
433 if (!identifiable) {
434 checkIdentity(peerHost, cert, algorithm, chainsToPublicCA);
435 }
436 }
437
438 /*
439 * Identify the peer by its certificate and hostname.
440 *
441 * Lifted from sun.net.www.protocol.https.HttpsClient.
442 */
443 static void checkIdentity(String hostname, X509Certificate cert,
444 String algorithm) throws CertificateException {
445 checkIdentity(hostname, cert, algorithm, false);
446 }
447
448 private static void checkIdentity(String hostname, X509Certificate cert,
449 String algorithm, boolean chainsToPublicCA)
450 throws CertificateException {
451 if (algorithm != null && !algorithm.isEmpty()) {
452 // if IPv6 strip off the "[]"
453 if ((hostname != null) && hostname.startsWith("[") &&
454 hostname.endsWith("]")) {
455 hostname = hostname.substring(1, hostname.length() - 1);
456 }
457
458 if (algorithm.equalsIgnoreCase("HTTPS")) {
459 HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(
460 hostname, cert, chainsToPublicCA);
461 } else if (algorithm.equalsIgnoreCase("LDAP") ||
462 algorithm.equalsIgnoreCase("LDAPS")) {
463 HostnameChecker.getInstance(HostnameChecker.TYPE_LDAP).match(
464 hostname, cert, chainsToPublicCA);
465 } else {
466 throw new CertificateException(
467 "Unknown identification algorithm: " + algorithm);
468 }
469 }
470 }
471 }
|