All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.bouncycastle.jsse.provider.ImportX509TrustManager_5 Maven / Gradle / Ivy

The newest version!
package org.bouncycastle.jsse.provider;

import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509TrustManager;

import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jsse.BCX509ExtendedTrustManager;
import org.bouncycastle.jsse.java.security.BCAlgorithmConstraints;
import org.bouncycastle.tls.TlsUtils;

class ImportX509TrustManager_5
    extends BCX509ExtendedTrustManager
    implements ImportX509TrustManager
{
    final boolean isInFipsMode;
    final JcaJceHelper helper;
    final X509TrustManager x509TrustManager;

    ImportX509TrustManager_5(boolean isInFipsMode, JcaJceHelper helper, X509TrustManager x509TrustManager)
    {
        this.isInFipsMode = isInFipsMode;
        this.helper = helper;
        this.x509TrustManager = x509TrustManager;
    }

    public X509TrustManager unwrap()
    {
        return x509TrustManager;
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
        throws CertificateException
    {
        x509TrustManager.checkClientTrusted(copyChain(chain), authType);
        checkAdditionalTrust(chain, authType, null, false);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
        throws CertificateException
    {
        x509TrustManager.checkClientTrusted(copyChain(chain), authType);
        checkAdditionalTrust(chain, authType, TransportData.from(socket), false);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
        throws CertificateException
    {
        x509TrustManager.checkClientTrusted(copyChain(chain), authType);
        checkAdditionalTrust(chain, authType, TransportData.from(engine), false);
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException
    {
        x509TrustManager.checkServerTrusted(copyChain(chain), authType);
        checkAdditionalTrust(chain, authType, null, true);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
        throws CertificateException
    {
        x509TrustManager.checkServerTrusted(copyChain(chain), authType);
        checkAdditionalTrust(chain, authType, TransportData.from(socket), true);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
        throws CertificateException
    {
        x509TrustManager.checkServerTrusted(copyChain(chain), authType);
        checkAdditionalTrust(chain, authType, TransportData.from(engine), true);
    }

    public X509Certificate[] getAcceptedIssuers()
    {
        return x509TrustManager.getAcceptedIssuers();
    }

    private void checkAdditionalTrust(X509Certificate[] chain, String authType, TransportData transportData,
        boolean checkServerTrusted) throws CertificateException
    {
        checkAlgorithmConstraints(chain, authType, transportData, checkServerTrusted);

        ProvX509TrustManager.checkExtendedTrust(chain, transportData, checkServerTrusted);
    }

    private void checkAlgorithmConstraints(X509Certificate[] chain, String authType, TransportData transportData,
        boolean checkServerTrusted) throws CertificateException
    {
        BCAlgorithmConstraints algorithmConstraints = TransportData.getAlgorithmConstraints(transportData, false);
        Set trustedCerts = getTrustedCerts();

        KeyPurposeId ekuOID = ProvX509TrustManager.getRequiredExtendedKeyUsage(checkServerTrusted);
        int kuBit = ProvX509TrustManager.getRequiredKeyUsage(checkServerTrusted, authType); 

        try
        {
            ProvAlgorithmChecker.checkChain(isInFipsMode, helper, algorithmConstraints, trustedCerts, chain, ekuOID, kuBit);
        }
        catch (GeneralSecurityException e)
        {
            throw new CertificateException("Certificates do not conform to algorithm constraints", e);
        }
    }

    private Set getTrustedCerts()
    {
        X509Certificate[] issuers = getAcceptedIssuers();
        if (TlsUtils.isNullOrEmpty(issuers))
        {
            return Collections.emptySet();
        }

        Set trustedCerts = new HashSet();
        for (int i = 0; i < issuers.length; ++i)
        {
            X509Certificate issuer = issuers[i];
            if (null != issuer)
            {
                trustedCerts.add(issuer);
            }
        }
        return Collections.unmodifiableSet(trustedCerts);
    }

    private static X509Certificate[] checkChain(X509Certificate[] chain)
    {
        if (TlsUtils.isNullOrEmpty(chain))
        {
            throw new IllegalArgumentException("'chain' must be a chain of at least one certificate");
        }

        return chain;
    }

    private static X509Certificate[] copyChain(X509Certificate[] chain)
    {
        return checkChain(chain).clone();
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy