List of usage examples for javax.net.ssl X509TrustManager checkServerTrusted
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException;
From source file:com.amazon.speech.speechlet.authentication.SpeechletRequestSignatureVerifier.java
/** * Retrieves the certificate from the specified URL and confirms that the certificate is valid. * * @param signingCertificateChainUrl//from ww w.ja va 2s.c o m * the URL to retrieve the certificate chain from * @return the certificate at the specified URL, if the certificate is valid * @throws CertificateException * if the certificate cannot be retrieve or is invalid */ public static X509Certificate retrieveAndVerifyCertificateChain(final String signingCertificateChainUrl) throws CertificateException { try (InputStream in = getAndVerifySigningCertificateChainUrl(signingCertificateChainUrl).openStream()) { CertificateFactory certificateFactory = CertificateFactory.getInstance(Sdk.SIGNATURE_CERTIFICATE_TYPE); @SuppressWarnings("unchecked") Collection<X509Certificate> certificateChain = (Collection<X509Certificate>) certificateFactory .generateCertificates(in); /* * check the before/after dates on the certificate date to confirm that it is valid on * the current date */ X509Certificate signingCertificate = certificateChain.iterator().next(); signingCertificate.checkValidity(); // check the certificate chain TrustManagerFactory trustManagerFactory = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init((KeyStore) null); X509TrustManager x509TrustManager = null; for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) { if (trustManager instanceof X509TrustManager) { x509TrustManager = (X509TrustManager) trustManager; } } if (x509TrustManager == null) { throw new IllegalStateException( "No X509 TrustManager available. Unable to check certificate chain"); } else { x509TrustManager.checkServerTrusted( certificateChain.toArray(new X509Certificate[certificateChain.size()]), Sdk.SIGNATURE_KEY_TYPE); } /* * verify Echo API's hostname is specified as one of subject alternative names on the * signing certificate */ if (!subjectAlernativeNameListContainsEchoSdkDomainName( signingCertificate.getSubjectAlternativeNames())) { throw new CertificateException("The provided certificate is not valid for the Echo SDK"); } return signingCertificate; } catch (KeyStoreException | IOException | NoSuchAlgorithmException ex) { throw new CertificateException("Unable to verify certificate at URL: " + signingCertificateChainUrl, ex); } }
From source file:edu.vt.middleware.ldap.ssl.AggregateTrustManager.java
/** {@inheritDoc} */ public void checkServerTrusted(final X509Certificate[] chain, final String authType) throws CertificateException { if (trustManagers != null) { for (X509TrustManager tm : trustManagers) { if (this.logger.isDebugEnabled()) { this.logger.debug("invoking checkServerTrusted for " + tm); }//from www . j a v a 2 s .c o m tm.checkServerTrusted(chain, authType); } } }
From source file:org.apache.hadoop.security.ssl.ReloadingX509TrustManager.java
@Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { X509TrustManager tm = trustManagerRef.get(); if (tm != null) { tm.checkServerTrusted(chain, authType); } else {//www . ja va 2 s. c o m throw new CertificateException("Unknown server chain certificate: " + chain[0].toString()); } }
From source file:org.apache.directory.studio.connection.core.io.StudioTrustManager.java
/** * {@inheritDoc}// w ww.j a va 2 s . c om */ public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { // check permanent trusted certificates, return on success try { X509TrustManager permanentTrustManager = getPermanentTrustManager(); if (permanentTrustManager != null) { permanentTrustManager.checkServerTrusted(chain, authType); return; } } catch (CertificateException ce) { } // check temporary trusted certificates, return on success try { X509TrustManager sessionTrustManager = getSessionTrustManager(); if (sessionTrustManager != null) { sessionTrustManager.checkServerTrusted(chain, authType); return; } } catch (CertificateException ce) { } // below here no manually trusted certificate (either permanent or temporary) matched List<ICertificateHandler.FailCause> failCauses = new ArrayList<ICertificateHandler.FailCause>(); // perform trust check of JVM trust manager try { jvmTrustManager.checkServerTrusted(chain, authType); } catch (CertificateException ce) { if (ce instanceof CertificateExpiredException) { failCauses.add(FailCause.CertificateExpired); } else if (ce instanceof CertificateNotYetValidException) { failCauses.add(FailCause.CertificateNotYetValid); } else { X500Principal issuerX500Principal = chain[0].getIssuerX500Principal(); X500Principal subjectX500Principal = chain[0].getSubjectX500Principal(); if (issuerX500Principal.equals(subjectX500Principal)) { failCauses.add(FailCause.SelfSignedCertificate); } else { failCauses.add(FailCause.NoValidCertificationPath); } try { chain[0].checkValidity(); } catch (CertificateException ve) { if (ve instanceof CertificateExpiredException) { failCauses.add(FailCause.CertificateExpired); } else if (ve instanceof CertificateNotYetValidException) { failCauses.add(FailCause.CertificateNotYetValid); } } } } // perform host name verification try { BrowserCompatHostnameVerifier hostnameVerifier = new BrowserCompatHostnameVerifier(); hostnameVerifier.verify(host, chain[0]); } catch (SSLException ce) { failCauses.add(FailCause.HostnameVerificationFailed); } if (!failCauses.isEmpty()) { // either trust check or host name verification // ask for confirmation ICertificateHandler ch = ConnectionCorePlugin.getDefault().getCertificateHandler(); ICertificateHandler.TrustLevel trustLevel = ch.verifyTrustLevel(host, chain, failCauses); switch (trustLevel) { case Permanent: ConnectionCorePlugin.getDefault().getPermanentTrustStoreManager().addCertificate(chain[0]); break; case Session: ConnectionCorePlugin.getDefault().getSessionTrustStoreManager().addCertificate(chain[0]); break; case Not: throw new CertificateException(Messages.error__untrusted_certificate); } } }
From source file:com.sonatype.nexus.ssl.plugin.internal.TrustStoreImpl.java
private static TrustManager[] getTrustManagers(final KeyStoreManager keyStoreManager) throws Exception { final X509TrustManager managedTrustManager = getManagedTrustManager(checkNotNull(keyStoreManager)); final TrustManager[] systemTrustManagers = getSystemTrustManagers(); if (systemTrustManagers != null && managedTrustManager != null) { final TrustManager[] trustManagers = new TrustManager[systemTrustManagers.length]; for (int i = 0; i < systemTrustManagers.length; i++) { final TrustManager tm = trustManagers[i] = systemTrustManagers[i]; if (tm instanceof X509TrustManager) { trustManagers[i] = new X509TrustManager() { @Override/*from w ww. j a v a 2s . c om*/ public void checkClientTrusted(final X509Certificate[] chain, final String authType) throws CertificateException { ((X509TrustManager) tm).checkClientTrusted(chain, authType); } @Override public void checkServerTrusted(final X509Certificate[] chain, final String authType) throws CertificateException { try { ((X509TrustManager) tm).checkServerTrusted(chain, authType); } catch (CertificateException e) { try { managedTrustManager.checkServerTrusted(chain, authType); } catch (CertificateException ignore) { throw e; } } } @Override public X509Certificate[] getAcceptedIssuers() { return ((X509TrustManager) tm).getAcceptedIssuers(); } }; } } return trustManagers; } return null; }
From source file:org.hyperic.util.security.DatabaseSSLProviderImpl.java
private X509TrustManager getCustomTrustManager(final X509TrustManager defaultTrustManager, final KeystoreConfig keystoreConfig, final boolean acceptUnverifiedCertificates, final KeyStore trustStore) { return new X509TrustManager() { private final Log log = LogFactory.getLog(X509TrustManager.class); public X509Certificate[] getAcceptedIssuers() { return defaultTrustManager.getAcceptedIssuers(); }/*from www .j a v a 2 s . c o m*/ public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { try { defaultTrustManager.checkServerTrusted(chain, authType); } catch (CertificateException e) { CertificateExpiredException expiredCertException = getCertExpiredException(e); if (expiredCertException != null) { log.error("Fail the connection because received certificate is expired. " + "Please update the certificate.", expiredCertException); throw new CertificateException(e); } if (acceptUnverifiedCertificates) { log.info("Import the certification. (Received certificate is not trusted by keystore)"); importCertificate(chain); } else { log.warn( "Fail the connection because received certificate is not trusted by keystore: alias=" + keystoreConfig.getAlias() + ", path=" + keystoreConfig.getFilePath()); log.debug( "Fail the connection because received certificate is not trusted by keystore: alias=" + keystoreConfig.getAlias() + ", path=" + keystoreConfig.getFilePath() + ", acceptUnverifiedCertificates=" + acceptUnverifiedCertificates, e); throw new CertificateException(e); } } } private CertificateExpiredException getCertExpiredException(Exception e) { while (e != null) { if (e instanceof CertificateExpiredException) { return (CertificateExpiredException) e; } e = (Exception) e.getCause(); } return null; } public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { defaultTrustManager.checkClientTrusted(chain, authType); } private void importCertificate(X509Certificate[] chain) throws CertificateException { FileOutputStream keyStoreFileOutputStream = null; boolean hasLock = false; final boolean debug = log.isDebugEnabled(); final StopWatch watch = new StopWatch(); try { for (X509Certificate cert : chain) { String[] cnValues = AbstractVerifier.getCNs(cert); String alias; if (cnValues != null && cnValues.length > 0) { alias = cnValues[0]; } else { alias = "UnknownCN"; } alias += "-ts=" + System.currentTimeMillis(); trustStore.setCertificateEntry(alias, cert); } KEYSTORE_WRITER_LOCK.lockInterruptibly(); hasLock = true; keyStoreFileOutputStream = new FileOutputStream(keystoreConfig.getFilePath()); trustStore.store(keyStoreFileOutputStream, keystoreConfig.getFilePassword().toCharArray()); } catch (FileNotFoundException e) { // Can't find the keystore in the path log.error("Can't find the keystore in " + keystoreConfig.getFilePath() + ". Error message:" + e.getMessage(), e); } catch (NoSuchAlgorithmException e) { log.error("The algorithm is not supported. Error message:" + e.getMessage(), e); } catch (Exception e) { // expect KeyStoreException, IOException log.error("Exception when trying to import certificate: " + e.getMessage(), e); } finally { close(keyStoreFileOutputStream); keyStoreFileOutputStream = null; if (hasLock) { KEYSTORE_WRITER_LOCK.unlock(); } if (debug) log.debug("importCert: " + watch); } } private void close(FileOutputStream keyStoreFileOutputStream) { if (keyStoreFileOutputStream != null) { try { keyStoreFileOutputStream.close(); } catch (IOException e) { log.error(e, e); } } } }; }
From source file:net.java.sip.communicator.impl.certificate.CertificateServiceImpl.java
public X509TrustManager getTrustManager(final Iterable<String> identitiesToTest, final CertificateMatcher clientVerifier, final CertificateMatcher serverVerifier) throws GeneralSecurityException { // obtain the default X509 trust manager X509TrustManager defaultTm = null; TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); //workaround for https://bugs.openjdk.java.net/browse/JDK-6672015 KeyStore ks = null;//from ww w .j a va 2 s .c om String tsType = System.getProperty("javax.net.ssl.trustStoreType", null); if ("Windows-ROOT".equals(tsType)) { try { ks = KeyStore.getInstance(tsType); ks.load(null, null); int numEntries = keyStoreAppendIndex(ks); logger.info( "Using Windows-ROOT. Aliases sucessfully renamed on " + numEntries + " root certificates."); } catch (Exception e) { logger.error("Could not rename Windows-ROOT aliases", e); } } tmFactory.init(ks); for (TrustManager m : tmFactory.getTrustManagers()) { if (m instanceof X509TrustManager) { defaultTm = (X509TrustManager) m; break; } } if (defaultTm == null) throw new GeneralSecurityException("No default X509 trust manager found"); final X509TrustManager tm = defaultTm; return new X509TrustManager() { private boolean serverCheck; public X509Certificate[] getAcceptedIssuers() { return tm.getAcceptedIssuers(); } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { serverCheck = true; checkCertTrusted(chain, authType); } public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { serverCheck = false; checkCertTrusted(chain, authType); } private void checkCertTrusted(X509Certificate[] chain, String authType) throws CertificateException { // check and default configurations for property // if missing default is null - false String defaultAlwaysTrustMode = CertificateVerificationActivator.getResources() .getSettingsString(CertificateService.PNAME_ALWAYS_TRUST); if (config.getBoolean(PNAME_ALWAYS_TRUST, Boolean.parseBoolean(defaultAlwaysTrustMode))) return; try { // check the certificate itself (issuer, validity) try { chain = tryBuildChain(chain); } catch (Exception e) { } // don't care and take the chain as is if (serverCheck) tm.checkServerTrusted(chain, authType); else tm.checkClientTrusted(chain, authType); if (identitiesToTest == null || !identitiesToTest.iterator().hasNext()) return; else if (serverCheck) serverVerifier.verify(identitiesToTest, chain[0]); else clientVerifier.verify(identitiesToTest, chain[0]); // ok, globally valid cert } catch (CertificateException e) { String thumbprint = getThumbprint(chain[0], THUMBPRINT_HASH_ALGORITHM); String message = null; List<String> propNames = new LinkedList<String>(); List<String> storedCerts = new LinkedList<String>(); String appName = R.getSettingsString("service.gui.APPLICATION_NAME"); if (identitiesToTest == null || !identitiesToTest.iterator().hasNext()) { String propName = PNAME_CERT_TRUST_PREFIX + ".server." + thumbprint; propNames.add(propName); message = R.getI18NString("service.gui." + "CERT_DIALOG_DESCRIPTION_TXT_NOHOST", new String[] { appName }); // get the thumbprints from the permanent allowances String hashes = config.getString(propName); if (hashes != null) for (String h : hashes.split(",")) storedCerts.add(h); // get the thumbprints from the session allowances List<String> sessionCerts = sessionAllowedCertificates.get(propName); if (sessionCerts != null) storedCerts.addAll(sessionCerts); } else { if (serverCheck) { message = R.getI18NString("service.gui." + "CERT_DIALOG_DESCRIPTION_TXT", new String[] { appName, identitiesToTest.toString() }); } else { message = R.getI18NString("service.gui." + "CERT_DIALOG_PEER_DESCRIPTION_TXT", new String[] { appName, identitiesToTest.toString() }); } for (String identity : identitiesToTest) { String propName = PNAME_CERT_TRUST_PREFIX + ".param." + identity; propNames.add(propName); // get the thumbprints from the permanent allowances String hashes = config.getString(propName); if (hashes != null) for (String h : hashes.split(",")) storedCerts.add(h); // get the thumbprints from the session allowances List<String> sessionCerts = sessionAllowedCertificates.get(propName); if (sessionCerts != null) storedCerts.addAll(sessionCerts); } } if (!storedCerts.contains(thumbprint)) { switch (verify(chain, message)) { case DO_NOT_TRUST: logger.info("Untrusted certificate", e); throw new CertificateException("The peer provided certificate with Subject <" + chain[0].getSubjectDN() + "> is not trusted", e); case TRUST_ALWAYS: for (String propName : propNames) { String current = config.getString(propName); String newValue = thumbprint; if (current != null) newValue += "," + current; config.setProperty(propName, newValue); } break; case TRUST_THIS_SESSION_ONLY: for (String propName : propNames) getSessionCertEntry(propName).add(thumbprint); break; } } // ok, we've seen this certificate before } } private X509Certificate[] tryBuildChain(X509Certificate[] chain) throws IOException, URISyntaxException, CertificateException { // Only try to build chains for servers that send only their // own cert, but no issuer. This also matches self signed (will // be ignored later) and Root-CA signed certs. In this case we // throw the Root-CA away after the lookup if (chain.length != 1) return chain; // ignore self signed certs if (chain[0].getIssuerDN().equals(chain[0].getSubjectDN())) return chain; // prepare for the newly created chain List<X509Certificate> newChain = new ArrayList<X509Certificate>(chain.length + 4); for (X509Certificate cert : chain) { newChain.add(cert); } // search from the topmost certificate upwards CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); X509Certificate current = chain[chain.length - 1]; boolean foundParent; int chainLookupCount = 0; do { foundParent = false; // extract the url(s) where the parent certificate can be // found byte[] aiaBytes = current.getExtensionValue(Extension.authorityInfoAccess.getId()); if (aiaBytes == null) break; AuthorityInformationAccess aia = AuthorityInformationAccess .getInstance(X509ExtensionUtil.fromExtensionValue(aiaBytes)); // the AIA may contain different URLs and types, try all // of them for (AccessDescription ad : aia.getAccessDescriptions()) { // we are only interested in the issuer certificate, // not in OCSP urls the like if (!ad.getAccessMethod().equals(AccessDescription.id_ad_caIssuers)) continue; GeneralName gn = ad.getAccessLocation(); if (!(gn.getTagNo() == GeneralName.uniformResourceIdentifier && gn.getName() instanceof DERIA5String)) continue; URI uri = new URI(((DERIA5String) gn.getName()).getString()); // only http(s) urls; LDAP is taken care of in the // default implementation if (!(uri.getScheme().equalsIgnoreCase("http") || uri.getScheme().equals("https"))) continue; X509Certificate cert = null; // try to get cert from cache first to avoid consecutive // (slow) http lookups AiaCacheEntry cache = aiaCache.get(uri); if (cache != null && cache.cacheDate.after(new Date())) { cert = cache.cert; } else { // download if no cache entry or if it is expired if (logger.isDebugEnabled()) logger.debug("Downloading parent certificate for <" + current.getSubjectDN() + "> from <" + uri + ">"); try { InputStream is = HttpUtils.openURLConnection(uri.toString()).getContent(); cert = (X509Certificate) certFactory.generateCertificate(is); } catch (Exception e) { logger.debug("Could not download from <" + uri + ">"); } // cache for 10mins aiaCache.put(uri, new AiaCacheEntry(new Date(new Date().getTime() + 10 * 60 * 1000), cert)); } if (cert != null) { if (!cert.getIssuerDN().equals(cert.getSubjectDN())) { newChain.add(cert); foundParent = true; current = cert; break; // an AD was valid, ignore others } else logger.debug("Parent is self-signed, ignoring"); } } chainLookupCount++; } while (foundParent && chainLookupCount < 10); chain = newChain.toArray(chain); return chain; } }; }
From source file:com.irccloud.android.NetworkConnection.java
@SuppressWarnings("deprecation") public NetworkConnection() { String version;/*from ww w. j a v a2 s . com*/ String network_type = null; try { version = "/" + IRCCloudApplication.getInstance().getPackageManager().getPackageInfo( IRCCloudApplication.getInstance().getApplicationContext().getPackageName(), 0).versionName; } catch (Exception e) { version = ""; } try { ConnectivityManager cm = (ConnectivityManager) IRCCloudApplication.getInstance() .getSystemService(Context.CONNECTIVITY_SERVICE); NetworkInfo ni = cm.getActiveNetworkInfo(); if (ni != null) network_type = ni.getTypeName(); } catch (Exception e) { } try { config = new JSONObject(PreferenceManager .getDefaultSharedPreferences(IRCCloudApplication.getInstance().getApplicationContext()) .getString("config", "{}")); } catch (JSONException e) { e.printStackTrace(); config = new JSONObject(); } useragent = "IRCCloud" + version + " (" + android.os.Build.MODEL + "; " + Locale.getDefault().getCountry().toLowerCase() + "; " + "Android " + android.os.Build.VERSION.RELEASE; WindowManager wm = (WindowManager) IRCCloudApplication.getInstance() .getSystemService(Context.WINDOW_SERVICE); useragent += "; " + wm.getDefaultDisplay().getWidth() + "x" + wm.getDefaultDisplay().getHeight(); if (network_type != null) useragent += "; " + network_type; useragent += ")"; WifiManager wfm = (WifiManager) IRCCloudApplication.getInstance().getApplicationContext() .getSystemService(Context.WIFI_SERVICE); wifiLock = wfm.createWifiLock(TAG); kms = new X509ExtendedKeyManager[1]; kms[0] = new X509ExtendedKeyManager() { @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) { return SSLAuthAlias; } @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { throw new UnsupportedOperationException(); } @Override public X509Certificate[] getCertificateChain(String alias) { return SSLAuthCertificateChain; } @Override public String[] getClientAliases(String keyType, Principal[] issuers) { throw new UnsupportedOperationException(); } @Override public String[] getServerAliases(String keyType, Principal[] issuers) { throw new UnsupportedOperationException(); } @Override public PrivateKey getPrivateKey(String alias) { return SSLAuthKey; } }; tms = new TrustManager[1]; tms[0] = new X509TrustManager() { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { throw new CertificateException("Not implemented"); } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { try { TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509"); trustManagerFactory.init((KeyStore) null); for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) { if (trustManager instanceof X509TrustManager) { X509TrustManager x509TrustManager = (X509TrustManager) trustManager; x509TrustManager.checkServerTrusted(chain, authType); } } } catch (KeyStoreException e) { throw new CertificateException(e); } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); } if (BuildConfig.SSL_FPS != null && BuildConfig.SSL_FPS.length > 0) { try { MessageDigest md = MessageDigest.getInstance("SHA-1"); byte[] sha1 = md.digest(chain[0].getEncoded()); // http://stackoverflow.com/questions/9655181/convert-from-byte-array-to-hex-string-in-java final char[] hexArray = "0123456789ABCDEF".toCharArray(); char[] hexChars = new char[sha1.length * 2]; for (int j = 0; j < sha1.length; j++) { int v = sha1[j] & 0xFF; hexChars[j * 2] = hexArray[v >>> 4]; hexChars[j * 2 + 1] = hexArray[v & 0x0F]; } String hexCharsStr = new String(hexChars); boolean matched = false; for (String fp : BuildConfig.SSL_FPS) { if (fp.equals(hexCharsStr)) { matched = true; break; } } if (!matched) throw new CertificateException("Incorrect CN in cert chain"); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } } } @Override public X509Certificate[] getAcceptedIssuers() { return null; } }; WebSocketClient.setTrustManagers(tms); }