< prev index next >

src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java

Print this page




  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.ssl;
  27 
  28 import java.io.*;
  29 import java.lang.ref.WeakReference;
  30 import java.security.*;
  31 import java.security.cert.*;
  32 import java.util.*;
  33 import java.util.concurrent.locks.ReentrantLock;
  34 import sun.security.action.*;
  35 import sun.security.validator.TrustStoreUtil;
  36 
  37 /**
  38  * Collection of static utility methods to manage the default trusted KeyStores
  39  * effectively.
  40  */
  41 final class TrustStoreManager {
  42 
  43     // A singleton service to manage the default trusted KeyStores effectively.
  44     private static final TrustAnchorManager tam = new TrustAnchorManager();
  45 
  46     // Restrict instantiation of this class.
  47     private TrustStoreManager() {
  48         // empty
  49     }
  50 
  51     /**
  52      * Return an unmodifiable set of all trusted X509Certificates contained
  53      * in the default trusted KeyStore.


 228      *
 229      * This class can be used to provide singleton services to access default
 230      * trust KeyStore more effectively.
 231      */
 232     private static final class TrustAnchorManager {
 233         // Last trust store descriptor.
 234         private TrustStoreDescriptor descriptor;
 235 
 236         // The key store used for the trust anchors.
 237         //
 238         // Use weak reference so that the heavy loaded KeyStore object can
 239         // be atomically cleared, and reloaded if needed.
 240         private WeakReference<KeyStore> ksRef;
 241 
 242         // The trusted X.509 certificates in the key store.
 243         //
 244         // Use weak reference so that the heavy loaded certificates collection
 245         // objects can be atomically cleared, and reloaded if needed.
 246         private WeakReference<Set<X509Certificate>> csRef;
 247 
 248         private final ReentrantLock tamLock = new ReentrantLock();
 249 
 250         private TrustAnchorManager() {
 251             this.descriptor = null;
 252             this.ksRef = new WeakReference<>(null);
 253             this.csRef = new WeakReference<>(null);
 254         }
 255 
 256         /**
 257          * Get the default trusted KeyStore with the specified descriptor.
 258          *
 259          * @return null if the underlying KeyStore is not available.
 260          */
 261         KeyStore getKeyStore(
 262                 TrustStoreDescriptor descriptor) throws Exception {
 263 
 264             TrustStoreDescriptor temporaryDesc = this.descriptor;
 265             KeyStore ks = ksRef.get();
 266             if ((ks != null) && descriptor.equals(temporaryDesc)) {
 267                 return ks;
 268             }
 269 
 270             tamLock.lock();
 271             try {
 272                 // double check
 273                 ks = ksRef.get();
 274                 if ((ks != null) && descriptor.equals(temporaryDesc)) {
 275                     return ks;
 276                 }
 277 
 278                 // Reload a new key store.
 279                 if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
 280                     SSLLogger.fine("Reload the trust store");
 281                 }
 282 
 283                 ks = loadKeyStore(descriptor);
 284                 this.descriptor = descriptor;
 285                 this.ksRef = new WeakReference<>(ks);
 286             } finally {
 287                 tamLock.unlock();
 288             }
 289 




 290             return ks;
 291         }
 292 
 293         /**
 294          * Get trusted certificates in the default trusted KeyStore with
 295          * the specified descriptor.
 296          *
 297          * @return empty collection if the underlying KeyStore is not available.
 298          */
 299         Set<X509Certificate> getTrustedCerts(
 300                 TrustStoreDescriptor descriptor) throws Exception {
 301 
 302             KeyStore ks = null;
 303             TrustStoreDescriptor temporaryDesc = this.descriptor;
 304             Set<X509Certificate> certs = csRef.get();
 305             if ((certs != null) && descriptor.equals(temporaryDesc)) {
 306                 return certs;
 307             }
 308 
 309             tamLock.lock();
 310             try {
 311                 // double check
 312                 temporaryDesc = this.descriptor;
 313                 certs = csRef.get();
 314                 if (certs != null) {
 315                     if (descriptor.equals(temporaryDesc)) {
 316                         return certs;
 317                     } else {
 318                         // Use the new descriptor.
 319                         this.descriptor = descriptor;
 320                     }
 321                 } else {
 322                     // Try to use the cached store at first.
 323                     if (descriptor.equals(temporaryDesc)) {
 324                         ks = ksRef.get();
 325                     } else {
 326                         // Use the new descriptor.
 327                         this.descriptor = descriptor;
 328                     }
 329                 }
 330 
 331                 // Reload the trust store if needed.
 332                 if (ks == null) {
 333                     if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
 334                         SSLLogger.fine("Reload the trust store");
 335                     }
 336                     ks = loadKeyStore(descriptor);
 337                     this.ksRef = new WeakReference<>(ks);
 338                 }

 339 
 340                 // Reload trust certs from the key store.

 341                 if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
 342                     SSLLogger.fine("Reload trust certs");
 343                 }


 344 
 345                 certs = loadTrustedCerts(ks);
 346                 if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
 347                     SSLLogger.fine("Reloaded " + certs.size() + " trust certs");
 348                 }
 349 
 350                 this.csRef = new WeakReference<>(certs);
 351             } finally {
 352                 tamLock.unlock();
 353             }




 354 
 355             return certs;
 356         }
 357 
 358         /**
 359          * Load the KeyStore as described in the specified descriptor.
 360          */
 361         private static KeyStore loadKeyStore(
 362                 TrustStoreDescriptor descriptor) throws Exception {
 363             if (!"NONE".equals(descriptor.storeName) &&
 364                     descriptor.storeFile == null) {
 365 
 366                 // No file available, no KeyStore available.
 367                 if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
 368                     SSLLogger.fine("No available key store");
 369                 }
 370 
 371                 return null;
 372             }
 373 




  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.ssl;
  27 
  28 import java.io.*;
  29 import java.lang.ref.WeakReference;
  30 import java.security.*;
  31 import java.security.cert.*;
  32 import java.util.*;

  33 import sun.security.action.*;
  34 import sun.security.validator.TrustStoreUtil;
  35 
  36 /**
  37  * Collection of static utility methods to manage the default trusted KeyStores
  38  * effectively.
  39  */
  40 final class TrustStoreManager {
  41 
  42     // A singleton service to manage the default trusted KeyStores effectively.
  43     private static final TrustAnchorManager tam = new TrustAnchorManager();
  44 
  45     // Restrict instantiation of this class.
  46     private TrustStoreManager() {
  47         // empty
  48     }
  49 
  50     /**
  51      * Return an unmodifiable set of all trusted X509Certificates contained
  52      * in the default trusted KeyStore.


 227      *
 228      * This class can be used to provide singleton services to access default
 229      * trust KeyStore more effectively.
 230      */
 231     private static final class TrustAnchorManager {
 232         // Last trust store descriptor.
 233         private TrustStoreDescriptor descriptor;
 234 
 235         // The key store used for the trust anchors.
 236         //
 237         // Use weak reference so that the heavy loaded KeyStore object can
 238         // be atomically cleared, and reloaded if needed.
 239         private WeakReference<KeyStore> ksRef;
 240 
 241         // The trusted X.509 certificates in the key store.
 242         //
 243         // Use weak reference so that the heavy loaded certificates collection
 244         // objects can be atomically cleared, and reloaded if needed.
 245         private WeakReference<Set<X509Certificate>> csRef;
 246 


 247         private TrustAnchorManager() {
 248             this.descriptor = null;
 249             this.ksRef = new WeakReference<>(null);
 250             this.csRef = new WeakReference<>(null);
 251         }
 252 
 253         /**
 254          * Get the default trusted KeyStore with the specified descriptor.
 255          *
 256          * @return null if the underlying KeyStore is not available.
 257          */
 258         synchronized KeyStore getKeyStore(
 259                 TrustStoreDescriptor descriptor) throws Exception {
 260 
 261             TrustStoreDescriptor temporaryDesc = this.descriptor;
 262             KeyStore ks = ksRef.get();
 263             if ((ks != null) && descriptor.equals(temporaryDesc)) {
 264                 return ks;
 265             }
 266 
 267             // Reload a new key store.
 268             if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
 269                 SSLLogger.fine("Reload the trust store");















 270             }
 271 
 272             ks = loadKeyStore(descriptor);
 273             this.descriptor = descriptor;
 274             this.ksRef = new WeakReference<>(ks);
 275 
 276             return ks;
 277         }
 278 
 279         /**
 280          * Get trusted certificates in the default trusted KeyStore with
 281          * the specified descriptor.
 282          *
 283          * @return empty collection if the underlying KeyStore is not available.
 284          */
 285         synchronized Set<X509Certificate> getTrustedCerts(
 286                 TrustStoreDescriptor descriptor) throws Exception {
 287 
 288             KeyStore ks = null;
 289             TrustStoreDescriptor temporaryDesc = this.descriptor;
 290             Set<X509Certificate> certs = csRef.get();
 291             if (certs != null) {
 292                 if (descriptor.equals(temporaryDesc)) {
 293                     return certs;













 294                 } else {
 295                     // Use the new descriptor.
 296                     this.descriptor = descriptor;





 297                 }
 298             } else {
 299                 // Try to use the cached store at first.
 300                 if (descriptor.equals(temporaryDesc)) {
 301                     ks = ksRef.get();
 302                 } else {
 303                     // Use the new descriptor.
 304                     this.descriptor = descriptor;

 305                 }
 306             }
 307 
 308             // Reload the trust store if needed.
 309             if (ks == null) {
 310                 if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
 311                     SSLLogger.fine("Reload the trust store");
 312                 }
 313                 ks = loadKeyStore(descriptor);
 314             }
 315 
 316             // Reload trust certs from the key store.
 317             if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
 318                 SSLLogger.fine("Reload trust certs");
 319             }
 320 
 321             certs = loadTrustedCerts(ks);
 322             if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
 323                 SSLLogger.fine("Reloaded " + certs.size() + " trust certs");
 324             }
 325 
 326             // Note that as ks is a local variable, it is not
 327             // necessary to add it to the ksRef weak reference.
 328             this.csRef = new WeakReference<>(certs);
 329 
 330             return certs;
 331         }
 332 
 333         /**
 334          * Load the KeyStore as described in the specified descriptor.
 335          */
 336         private static KeyStore loadKeyStore(
 337                 TrustStoreDescriptor descriptor) throws Exception {
 338             if (!"NONE".equals(descriptor.storeName) &&
 339                     descriptor.storeFile == null) {
 340 
 341                 // No file available, no KeyStore available.
 342                 if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
 343                     SSLLogger.fine("No available key store");
 344                 }
 345 
 346                 return null;
 347             }
 348 


< prev index next >