eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager

All Implemented Interfaces:: TrustManager, X509TrustManager

public class SSLTrustManager extends Object implements X509TrustManager

Implementation of TrustManager which uses a configured X509CertChainValidator to validate certificates.

Note that if the client's certificate is not trusted the server will send an alert and close the connection. Unfortunately, TLS is build in such a way, that in the same time, the client might still be busy with sending the rest of handshake data (the client's certificate is sent first, then other records). This alone would be no problem but Java SSL implementation, when trustmanager throws an exception, first closes the input half of the socket and only then sends the alert. All this is done without waiting for the client to finish sending its portion of handshake data. This can cause a race condition: client will try to send data on a closed channel of the socket, before it receives an alert about its certificate. The only known solution is to introduce a sleep before throwing an exception by checkClientTrusted(). But it is hard to provide a good value, and what is more this timeout is obviously slowing the invalid connection dropping, what might be used to perform DoS attacs. Therefore there is no solution implemented.

Author:: K. Benedyczak

Field Summary

Fields

Modifier and Type

Field

Description

protected X509CertChainValidator

validator
Constructor Summary

Constructors

Constructor

Description

SSLTrustManager(X509CertChainValidator validator)
Method Summary

Modifier and Type

Method

Description

void

checkClientTrusted(X509Certificate[] chain, String authType)

protected void

checkIfTrusted(X509Certificate[] certChain)

void

checkServerTrusted(X509Certificate[] chain, String authType)

X509Certificate[]

getAcceptedIssuers()

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details
- validator
  
  protected X509CertChainValidator validator
Constructor Details
- SSLTrustManager
  
  public SSLTrustManager(X509CertChainValidator validator)
Method Details
- checkClientTrusted
  
  public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
  
  Specified by:
  
  checkClientTrusted in interface X509TrustManager
  
  Throws:
  
  CertificateException
- checkServerTrusted
  
  public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
  
  Specified by:
  
  checkServerTrusted in interface X509TrustManager
  
  Throws:
  
  CertificateException
- checkIfTrusted
  
  protected void checkIfTrusted(X509Certificate[] certChain) throws CertificateException
  
  Throws:
  
  CertificateException
- getAcceptedIssuers
  
  public X509Certificate[] getAcceptedIssuers()
  
  Specified by:
  
  getAcceptedIssuers in interface X509TrustManager

Class SSLTrustManager

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Details

validator

Constructor Details

SSLTrustManager

Method Details

checkClientTrusted

checkServerTrusted

checkIfTrusted

getAcceptedIssuers