下面列出了javax.net.ssl.X509TrustManager#checkClientTrusted ( ) 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
@Override
public void checkClientTrusted(X509Certificate[] certs,
String authType) throws CertificateException {
boolean trust = false;
for (X509TrustManager tm : tms) {
try {
tm.checkClientTrusted(certs, authType);
trust = true;
} catch (CertificateException ex) {
// Ignore
}
}
if (!trust) {
throw new CertificateException();
}
}
@Override
public void checkClientTrusted(final X509Certificate[] chain, final String authType)
throws CertificateException {
CertificateException lastError = null;
for (final X509TrustManager manager : managers) {
try {
manager.checkClientTrusted(chain, authType);
return;
} catch (final CertificateException e) {
lastError = e;
}
}
if (lastError != null) {
throw lastError;
}
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException
{
for (X509TrustManager trustManager : _trustManagers)
{
try
{
trustManager.checkClientTrusted(chain, authType);
// this trustManager check succeeded, no need to check another one
return;
}
catch (CertificateException ex)
{
// do nothing, try another one in a loop
}
}
// no trustManager call succeeded, throw an exception
throw new CertificateException();
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
for(X509TrustManager tm : startClientTms) {
try {
tm.checkClientTrusted(chain, authType);
return; // first found
} catch(CertificateException e) {
; // proceed
}
}
// last try
if (finalClientTm == null) {
throw new CertificateException("Cannot validate client certificate (no delegated trust managers for client check)");
}
finalClientTm.checkClientTrusted(chain, authType);
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
CertificateException lastError = null;
for (X509TrustManager trustManager : children) {
try {
trustManager.checkClientTrusted(chain, authType);
return;
} catch (CertificateException ex) {
lastError = ex;
}
}
if (lastError != null) {
throw lastError;
}
}
@Override
public void checkClientTrusted(final X509Certificate[] chain, final String authType) throws CertificateException
{
if (trustManagers.isEmpty()) {
throw new CertificateException("No trust managers installed!");
}
CertificateException ce = null;
for (X509TrustManager trustManager : trustManagers) {
try {
trustManager.checkClientTrusted(chain, authType);
return;
}
catch (CertificateException trustCe) {
ce = trustCe;
}
}
throw ce;
}
@Override
public void checkClientTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
for (X509TrustManager mgr: trustManagers) {
try {
mgr.checkClientTrusted(chain, authType);
return;
} catch (@SuppressWarnings("unused") final Exception e) {
}
}
throw new CertificateException(String.format("client not trusted for chain = %s, authType = %s, accepted issuers = %s", Arrays.asList(chain), authType, Arrays.asList(getAcceptedIssuers())));
}
@Override
public void checkClientTrusted(X509Certificate[] clientCertificates, String authType) throws CertificateException {
for (TrustManager trustManager : trustManagers) {
try {
X509TrustManager x509TrustManager = (X509TrustManager) trustManager;
x509TrustManager.checkClientTrusted(clientCertificates, authType);
return;
}
catch(CertificateException ex) {
//Ignore and move on to the next trust manager
}
}
throw new CertificateException("Certificate is not trusted by any of the trust managers");
}
@Override
public void checkClientTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
for (final X509TrustManager trustManager : trustManagers) {
try {
trustManager.checkClientTrusted(chain, authType);
return;
} catch (final CertificateException e) {
LOGGER.debug(e.getMessage(), e);
}
}
throw new CertificateException("None of the TrustManagers trust this certificate chain");
}
/**
* Determine if client certificate is to be trusted.
*
* @param x509Chain The certificate chain
* @param authNType The key exchange algorithm being used
* @throws CertificateException If the trustManager cannot be found
*/
public synchronized void checkClientTrusted( X509Certificate[] x509Chain, String authNType ) throws CertificateException
{
// For each certificate in the chain, check validity:
for ( X509TrustManager trustMgr : getTrustManagers( x509Chain ) )
{
trustMgr.checkClientTrusted( x509Chain, authNType );
}
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
X509TrustManager tm = trustManagerRef.get();
if (tm != null) {
tm.checkClientTrusted(chain, authType);
} else {
throw new CertificateException("Unknown client chain certificate: " +
chain[0].toString());
}
}
@Override
public void checkClientTrusted(X509Certificate[] certificates, String authType) throws CertificateException {
CertificateException catchException = null;
for (X509TrustManager tm : trustManagers) {
try {
tm.checkClientTrusted(certificates, authType);
return;
} catch (CertificateException e) {
catchException = e;
}
}
throw catchException;
}
@Test
public void testUseOfExpiredTrustAnchorAllowed() throws Exception
{
// https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-
assumeThat("IBMJSSE2 trust factory (IbmX509) validates the entire chain, including trusted certificates.",
getJvmVendor(),
is(not(equalTo(IBM))));
final Path keyStoreFile = createTrustStoreWithExpiredCertificate();
Map<String, Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, NAME);
attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
FileTrustStore<?> trustStore = createFileTrustStore(attributes);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
final boolean condition = trustManagers[0] instanceof X509TrustManager;
assertTrue("Unexpected trust manager type", condition);
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
KeyStore clientStore = getInitializedKeyStore(keyStoreFile.toFile().getAbsolutePath(),
TLS_RESOURCE.getSecret(),
TLS_RESOURCE.getKeyStoreType());
String alias = clientStore.aliases().nextElement();
X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
trustManager.checkClientTrusted(new X509Certificate[]{certificate}, "NULL");
}
@Test
public void testUseOfExpiredTrustAnchorDenied() throws Exception
{
final KeyCertificatePair keyCertPair = createExpiredCertificate();
final Path certificatePath = TLS_RESOURCE.saveCertificateAsPem(keyCertPair.getCertificate());
Map<String, Object> attributes = new HashMap<>();
attributes.put(NonJavaTrustStore.NAME, NAME);
attributes.put(NonJavaTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
attributes.put(NonJavaTrustStore.CERTIFICATES_URL, certificatePath.toFile().getAbsolutePath());
attributes.put(NonJavaTrustStore.TYPE, NON_JAVA_TRUST_STORE);
TrustStore<?> trustStore = createTestTrustStore(attributes);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
final boolean condition = trustManagers[0] instanceof X509TrustManager;
assertTrue("Unexpected trust manager type", condition);
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
try
{
trustManager.checkClientTrusted(new X509Certificate[]{keyCertPair.getCertificate()}, "NULL");
fail("Exception not thrown");
}
catch (CertificateException e)
{
if (e instanceof CertificateExpiredException || "Certificate expired".equals(e.getMessage()))
{
// IBMJSSE2 does not throw CertificateExpiredException, it throws a CertificateException
// PASS
}
else
{
throw e;
}
}
}
/**
* {@inheritDoc}
*/
@Override
public void checkClientTrusted(X509Certificate[] chain,
String authType)
throws CertificateException {
passChainToListeners(chain);
CertificateException first=null;
for (X509TrustManager mgr : managers) {
try {
mgr.checkClientTrusted(chain, authType);
if (!matchAll) {
return;
}
}
catch (CertificateException e) {
if (matchAll) {
throw e;
}
else {
first=e;
}
}
}
if (first != null) {
throw first;
}
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
X509TrustManager tm = trustManagerRef.get();
if (tm != null) {
tm.checkClientTrusted(chain, authType);
} else {
throw new CertificateException("Unknown client chain certificate: " +
chain[0].toString());
}
}
/**
* Verify that the Server and Client TrustManagers will trust each other.
*/
@Test
public void testServerAndClientTrustManagers() throws Exception {
// first setup the keystores
KeyStoreManager serverKeyStoreManager = createKeyStoreManager(new MemKeyStoreStorageManager());
serverKeyStoreManager.generateAndStoreKeyPair("Server Side", "dev", "codeSoft", "AnyTown", "state", "US");
KeyStoreManager clientKeyStoreManager = createKeyStoreManager(new MemKeyStoreStorageManager());
clientKeyStoreManager.generateAndStoreKeyPair("Client Side", "dev", "codeSoft", "AnyTown", "state", "US");
// now grab the cert from the client and stick it in the server
Certificate clientCertificate = serverKeyStoreManager.getCertificate();
serverKeyStoreManager.importTrustCertificate(clientCertificate, "client-side");
//TODO: the server cert needs to be imported on the client side, we need to figure out how to deal with this.
Certificate serverCertificate = serverKeyStoreManager.getCertificate();
clientKeyStoreManager.importTrustCertificate(serverCertificate, "server-side");
X509TrustManager serverTrustManager = (X509TrustManager) serverKeyStoreManager.getTrustManagers()[0];
X509TrustManager clientTrustManager = (X509TrustManager) clientKeyStoreManager.getTrustManagers()[0];
// verify the server trusts the client
serverTrustManager.checkClientTrusted(new X509Certificate[]{(X509Certificate) clientCertificate}, "TLS");
// verify the client trusts the server
clientTrustManager.checkServerTrusted(new X509Certificate[]{(X509Certificate) serverCertificate}, "TLS");
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
for (X509TrustManager trustManager : trustManagers) {
try {
trustManager.checkClientTrusted(chain, authType);
return; // someone trusts them. success!
} catch (CertificateException e) {
// maybe someone else will trust them
}
}
throw new CertificateException("None of the TrustManagers trust this certificate chain");
}
/**
* Determine if client certificate is to be trusted.
*
* @param x509Chain
* @param authNType
* @throws CertificateException
*/
public synchronized void checkClientTrusted( final X509Certificate[] x509Chain,
final String authNType ) throws CertificateException
{
// For each certificate in the chain, check validity:
for ( final X509TrustManager trustMgr : getTrustManagers( x509Chain ) )
{
trustMgr.checkClientTrusted( x509Chain, authNType );
}
}
@Test
public void testUseOfExpiredTrustAnchorDenied() throws Exception
{
final Path keyStoreFile = createTrustStoreWithExpiredCertificate();
Map<String, Object> attributes = new HashMap<>();
attributes.put(FileTrustStore.NAME, NAME);
attributes.put(FileTrustStore.TRUST_ANCHOR_VALIDITY_ENFORCED, true);
attributes.put(FileTrustStore.STORE_URL, keyStoreFile.toFile().getAbsolutePath());
attributes.put(FileTrustStore.PASSWORD, TLS_RESOURCE.getSecret());
attributes.put(FileTrustStore.TRUST_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
final TrustStore<?> trustStore = createFileTrustStore(attributes);
TrustManager[] trustManagers = trustStore.getTrustManagers();
assertNotNull(trustManagers);
assertEquals("Unexpected number of trust managers", 1, trustManagers.length);
final boolean condition = trustManagers[0] instanceof X509TrustManager;
assertTrue("Unexpected trust manager type", condition);
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
KeyStore clientStore = getInitializedKeyStore(keyStoreFile.toFile().getAbsolutePath(),
TLS_RESOURCE.getSecret(),
TLS_RESOURCE.getKeyStoreType());
String alias = clientStore.aliases().nextElement();
X509Certificate certificate = (X509Certificate) clientStore.getCertificate(alias);
try
{
trustManager.checkClientTrusted(new X509Certificate[]{certificate}, "NULL");
fail("Exception not thrown");
}
catch (CertificateException e)
{
if (e instanceof CertificateExpiredException || "Certificate expired".equals(e.getMessage()))
{
// IBMJSSE2 does not throw CertificateExpiredException, it throws a CertificateException
// ignore
}
else
{
throw e;
}
}
}