/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: AMX509TrustManager.java,v 1.3 2008/08/21 20:11:13 beomsuk Exp $
 *
 */
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterpackage com.sun.identity.security.keystore;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import com.sun.identity.security.SecurityDebug;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
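/**
 * The <code>AMX509TrustManager</code> class implements the JSSE
 * {@link X509TrustManager} interface. It delegates certificate validation to
 * the X.509 trust manager of the installed JSSE provider (IBMJSSE2 when
 * present, otherwise SunJSSE) but lets the trust store be chosen by the
 * deployer.
 *
 * <p>The trust store type and location come from the standard JSSE system
 * properties <code>javax.net.ssl.trustStoreType</code> and
 * <code>javax.net.ssl.trustStore</code>; the defaults are the platform
 * key store type and <code>&lt;java.home&gt;/lib/security/cacerts</code>.
 * When <code>javax.net.ssl.trustStorePassword</code> is set it is used to
 * verify the trust store's integrity on load; otherwise the store is loaded
 * without an integrity check.
 *
 * <p>If the <code>com.iplanet.am.jssproxy.trustAllServerCerts</code> property
 * is <code>true</code>, {@link #checkServerTrusted} accepts every server
 * certificate chain without validation. This turns off TLS server
 * authentication for every connection that uses this trust manager, so the
 * setting is logged as an error at startup. Client certificate checks are
 * never bypassed.
 *
 * <p>Initialization happens once in the static initializer. If it fails, the
 * failure is logged and the <code>check*</code> methods fail closed by
 * throwing {@link CertificateException}.
 */
public class AMX509TrustManager implements X509TrustManager {
    static final String bundleName = "amSecurity";
    static final String javahome = System.getProperty("java.home");
    static final String seperator = System.getProperty("file.separator", "/");
    // Path of the JRE's bundled CA store; used when javax.net.ssl.trustStore
    // is not set.
    static StringBuffer defTrustStore = null;
    // Delegate that does the actual chain validation; null if setup failed.
    static X509TrustManager sunX509TrustManager;
    static TrustManagerFactory tmf = null;
    static String trustStore = null;
    static String trustStoreType = null;
    static KeyStore trustKeyStore = null;
    // When true, checkServerTrusted() skips validation entirely.
    static boolean trustAllServerCerts = false;

    static {
        try {
            // Default trust store: <java.home>/lib/security/cacerts
            defTrustStore = new StringBuffer();
            defTrustStore.append(javahome).append(seperator)
                .append("lib").append(seperator)
                .append("security").append(seperator)
                .append("cacerts");

            trustStoreType = System.getProperty("javax.net.ssl.trustStoreType",
                KeyStore.getDefaultType());
            trustStore = System.getProperty("javax.net.ssl.trustStore",
                defTrustStore.toString());
            trustAllServerCerts = Boolean.valueOf(SystemPropertiesManager.get(
                "com.iplanet.am.jssproxy.trustAllServerCerts", "false"))
                .booleanValue();
            if (trustAllServerCerts) {
                // Logged as an error on purpose: this disables server
                // authentication and must be visible in the logs.
                SecurityDebug.debug.error("AMX509TrustManager: "
                    + "com.iplanet.am.jssproxy.trustAllServerCerts is true; "
                    + "server certificates will not be validated");
            }

            trustKeyStore = KeyStore.getInstance(trustStoreType);
            // A null password loads the store without an integrity check.
            // When the standard JSSE password property is set, use it so a
            // tampered trust store is rejected instead of silently accepted.
            String storePassword =
                System.getProperty("javax.net.ssl.trustStorePassword");
            InputStream fis = new FileInputStream(trustStore);
            try {
                trustKeyStore.load(fis,
                    storePassword == null ? null : storePassword.toCharArray());
            } finally {
                fis.close();
            }

            // Prefer IBM's JSSE provider when it is installed, else Sun's.
            String provider = "SunJSSE";
            String algorithm = "SunX509";
            Provider[] sProviders = Security.getProviders();
            for (int i = 0; i < sProviders.length; i++) {
                if (sProviders[i].getName().equalsIgnoreCase("IBMJSSE2")) {
                    provider = "IBMJSSE2";
                    algorithm = "IbmX509";
                    break;
                }
            }

            tmf = TrustManagerFactory.getInstance(algorithm, provider);
            tmf.init(trustKeyStore);
            sunX509TrustManager = firstX509TrustManager(tmf);
            if (sunX509TrustManager == null) {
                SecurityDebug.debug.error("AMX509TrustManager: provider "
                    + provider + " returned no X509TrustManager for "
                    + algorithm);
            }
        } catch (Exception e) {
            // sunX509TrustManager stays null; checkServerTrusted() and
            // checkClientTrusted() then fail closed.
            SecurityDebug.debug.error(
                "AMX509TrustManager: trust manager initialization failed", e);
        }
    }

    /**
     * Returns the first {@link X509TrustManager} produced by
     * <code>factory</code>, or <code>null</code> if it produced none.
     *
     * @param factory an initialized trust manager factory
     * @return the first X.509 trust manager, or <code>null</code>
     */
    private static X509TrustManager firstX509TrustManager(
            TrustManagerFactory factory) {
        TrustManager[] managers = factory.getTrustManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509TrustManager) {
                return (X509TrustManager) managers[i];
            }
        }
        return null;
    }

    /**
     * Returns the delegate trust manager, failing closed when static
     * initialization did not produce one.
     *
     * @return the delegate trust manager, never <code>null</code>
     * @throws CertificateException if the delegate is not available
     */
    private static X509TrustManager delegate() throws CertificateException {
        X509TrustManager tm = sunX509TrustManager;
        if (tm == null) {
            throw new CertificateException("AMX509TrustManager: trust manager "
                + "not initialized; see earlier initialization error");
        }
        return tm;
    }

    /**
     * Creates a trust manager backed by the trust store and delegate set up
     * in the static initializer. Each instance shares that state, so
     * construction does no work.
     */
    public AMX509TrustManager() {
    }

    /**
     * Validates the server's certificate chain with the delegate trust
     * manager, unless <code>trustAllServerCerts</code> is set, in which case
     * the chain is accepted without any check.
     *
     * @param chain the peer certificate chain
     * @param authType the key exchange algorithm used
     * @throws CertificateException if the chain is not trusted or the
     *         delegate trust manager could not be initialized
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (trustAllServerCerts) {
            // Configured bypass; reported at startup. No validation of any
            // kind happens on this path.
            return;
        }
        delegate().checkServerTrusted(chain, authType);
    }

    /**
     * Validates a client's certificate chain with the delegate trust manager.
     * The <code>trustAllServerCerts</code> bypass does not apply here.
     *
     * @param chain the peer certificate chain
     * @param authType the authentication type
     * @throws CertificateException if the chain is not trusted or the
     *         delegate trust manager could not be initialized
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate().checkClientTrusted(chain, authType);
    }

    /**
     * Returns the CA certificates the delegate trust manager accepts.
     *
     * @return the accepted issuers, or an empty array if the delegate is not
     *         available (the interface requires a non-null result)
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509TrustManager tm = sunX509TrustManager;
        if (tm == null) {
            return new X509Certificate[0];
        }
        X509Certificate[] certs = tm.getAcceptedIssuers();
        return certs == null ? new X509Certificate[0] : certs;
    }

    /**
     * Returns the loaded trust store.
     *
     * @return the trust store, or <code>null</code> if loading failed
     */
    public KeyStore getKeyStore() {
        return trustKeyStore;
    }
}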
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster