< prev index next >

src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java

Print this page




  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.ssl;
  27 
  28 import java.net.Socket;
  29 import java.security.*;
  30 import java.security.cert.*;
  31 import java.util.*;
  32 import java.util.concurrent.locks.ReentrantLock;
  33 import javax.net.ssl.*;
  34 import sun.security.util.AnchorCertificates;
  35 import sun.security.util.HostnameChecker;
  36 import sun.security.validator.*;
  37 
  38 /**
  39  * This class implements the SunJSSE X.509 trust manager using the internal
  40  * validator API in J2SE core. The logic in this class is minimal.<p>
  41  * <p>
  42  * This class supports both the Simple validation algorithm from previous
  43  * JSSE versions and PKIX validation. Currently, it is not possible for the
  44  * application to specify PKIX parameters other than trust anchors. This will
  45  * be fixed in a future release using new APIs. When that happens, it may also
  46  * make sense to separate the Simple and PKIX trust managers into separate
  47  * classes.
  48  *
  49  * @author Andreas Sterbenz
  50  */
  51 final class X509TrustManagerImpl extends X509ExtendedTrustManager
  52         implements X509TrustManager {
  53 
  54     private final String validatorType;
  55 
  56     /**
  57      * The Set of trusted X509Certificates.
  58      */
  59     private final Collection<X509Certificate> trustedCerts;
  60 
  61     private final PKIXBuilderParameters pkixParams;
  62 
  63     // note that we need separate validator for client and server due to
  64     // the different extension checks. They are initialized lazily on demand.
  65     private volatile Validator clientValidator, serverValidator;
  66 
  67     private final ReentrantLock validatorLock = new ReentrantLock();
  68 
  69     X509TrustManagerImpl(String validatorType,
  70             Collection<X509Certificate> trustedCerts) {
  71 
  72         this.validatorType = validatorType;
  73         this.pkixParams = null;
  74 
  75         if (trustedCerts == null) {
  76             trustedCerts = Collections.<X509Certificate>emptySet();
  77         }
  78 
  79         this.trustedCerts = trustedCerts;
  80 
  81         if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
  82             SSLLogger.fine("adding as trusted certificates",
  83                     (Object[])trustedCerts.toArray(new X509Certificate[0]));
  84         }
  85     }
  86 
  87     X509TrustManagerImpl(String validatorType, PKIXBuilderParameters params) {
  88         this.validatorType = validatorType;


 143             SSLEngine engine) throws CertificateException {
 144         checkTrusted(chain, authType, engine, false);
 145     }
 146 
 147     private Validator checkTrustedInit(X509Certificate[] chain,
 148                                         String authType, boolean isClient) {
 149         if (chain == null || chain.length == 0) {
 150             throw new IllegalArgumentException(
 151                 "null or zero-length certificate chain");
 152         }
 153 
 154         if (authType == null || authType.isEmpty()) {
 155             throw new IllegalArgumentException(
 156                 "null or zero-length authentication type");
 157         }
 158 
 159         Validator v = null;
 160         if (isClient) {
 161             v = clientValidator;
 162             if (v == null) {
 163                 validatorLock.lock();
 164                 try {
 165                     v = clientValidator;
 166                     if (v == null) {
 167                         v = getValidator(Validator.VAR_TLS_CLIENT);
 168                         clientValidator = v;
 169                     }
 170                 } finally {
 171                     validatorLock.unlock();
 172                 }
 173             }
 174         } else {
 175             // assume double checked locking with a volatile flag works
 176             // (guaranteed under the new Tiger memory model)
 177             v = serverValidator;
 178             if (v == null) {
 179                 validatorLock.lock();
 180                 try {
 181                     v = serverValidator;
 182                     if (v == null) {
 183                         v = getValidator(Validator.VAR_TLS_SERVER);
 184                         serverValidator = v;
 185                     }
 186                 } finally {
 187                     validatorLock.unlock();
 188                 }
 189             }
 190         }
 191 
 192         return v;
 193     }
 194 
 195     private void checkTrusted(X509Certificate[] chain, String authType,
 196                 Socket socket, boolean isClient) throws CertificateException {
 197         Validator v = checkTrustedInit(chain, authType, isClient);
 198 
 199         X509Certificate[] trustedChain = null;
 200         if ((socket != null) && socket.isConnected() &&
 201                                         (socket instanceof SSLSocket)) {
 202 
 203             SSLSocket sslSocket = (SSLSocket)socket;
 204             SSLSession session = sslSocket.getHandshakeSession();
 205             if (session == null) {
 206                 throw new CertificateException("No handshake session");
 207             }




  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.ssl;
  27 
  28 import java.net.Socket;
  29 import java.security.*;
  30 import java.security.cert.*;
  31 import java.util.*;

  32 import javax.net.ssl.*;
  33 import sun.security.util.AnchorCertificates;
  34 import sun.security.util.HostnameChecker;
  35 import sun.security.validator.*;
  36 
  37 /**
  38  * This class implements the SunJSSE X.509 trust manager using the internal
  39  * validator API in J2SE core. The logic in this class is minimal.<p>
  40  * <p>
  41  * This class supports both the Simple validation algorithm from previous
  42  * JSSE versions and PKIX validation. Currently, it is not possible for the
  43  * application to specify PKIX parameters other than trust anchors. This will
  44  * be fixed in a future release using new APIs. When that happens, it may also
  45  * make sense to separate the Simple and PKIX trust managers into separate
  46  * classes.
  47  *
  48  * @author Andreas Sterbenz
  49  */
  50 final class X509TrustManagerImpl extends X509ExtendedTrustManager
  51         implements X509TrustManager {
  52 
  53     private final String validatorType;
  54 
  55     /**
  56      * The Set of trusted X509Certificates.
  57      */
  58     private final Collection<X509Certificate> trustedCerts;
  59 
  60     private final PKIXBuilderParameters pkixParams;
  61 
  62     // note that we need separate validator for client and server due to
  63     // the different extension checks. They are initialized lazily on demand.
  64     private volatile Validator clientValidator, serverValidator;
  65 


  66     X509TrustManagerImpl(String validatorType,
  67             Collection<X509Certificate> trustedCerts) {
  68 
  69         this.validatorType = validatorType;
  70         this.pkixParams = null;
  71 
  72         if (trustedCerts == null) {
  73             trustedCerts = Collections.<X509Certificate>emptySet();
  74         }
  75 
  76         this.trustedCerts = trustedCerts;
  77 
  78         if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
  79             SSLLogger.fine("adding as trusted certificates",
  80                     (Object[])trustedCerts.toArray(new X509Certificate[0]));
  81         }
  82     }
  83 
  84     X509TrustManagerImpl(String validatorType, PKIXBuilderParameters params) {
  85         this.validatorType = validatorType;


 140             SSLEngine engine) throws CertificateException {
 141         checkTrusted(chain, authType, engine, false);
 142     }
 143 
 144     private Validator checkTrustedInit(X509Certificate[] chain,
 145                                         String authType, boolean isClient) {
 146         if (chain == null || chain.length == 0) {
 147             throw new IllegalArgumentException(
 148                 "null or zero-length certificate chain");
 149         }
 150 
 151         if (authType == null || authType.isEmpty()) {
 152             throw new IllegalArgumentException(
 153                 "null or zero-length authentication type");
 154         }
 155 
 156         Validator v = null;
 157         if (isClient) {
 158             v = clientValidator;
 159             if (v == null) {
 160                 synchronized (this) {

 161                     v = clientValidator;
 162                     if (v == null) {
 163                         v = getValidator(Validator.VAR_TLS_CLIENT);
 164                         clientValidator = v;
 165                     }


 166                 }
 167             }
 168         } else {
 169             // assume double checked locking with a volatile flag works
 170             // (guaranteed under the new Tiger memory model)
 171             v = serverValidator;
 172             if (v == null) {
 173                 synchronized (this) {

 174                     v = serverValidator;
 175                     if (v == null) {
 176                         v = getValidator(Validator.VAR_TLS_SERVER);
 177                         serverValidator = v;
 178                     }


 179                 }
 180             }
 181         }
 182 
 183         return v;
 184     }
 185 
 186     private void checkTrusted(X509Certificate[] chain, String authType,
 187                 Socket socket, boolean isClient) throws CertificateException {
 188         Validator v = checkTrustedInit(chain, authType, isClient);
 189 
 190         X509Certificate[] trustedChain = null;
 191         if ((socket != null) && socket.isConnected() &&
 192                                         (socket instanceof SSLSocket)) {
 193 
 194             SSLSocket sslSocket = (SSLSocket)socket;
 195             SSLSession session = sslSocket.getHandshakeSession();
 196             if (session == null) {
 197                 throw new CertificateException("No handshake session");
 198             }


< prev index next >