Package eu.emi.security.authn.x509.helpers.ssl

Class SSLTrustManager

  • All Implemented Interfaces:
    javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager
    public class SSLTrustManager
extends java.lang.Object
implements javax.net.ssl.X509TrustManager
    Implementation of TrustManager which uses a configured X509CertChainValidator to validate certificates.

    Note that if the client's certificate is not trusted the server will send an alert and close the connection. Unfortunately, TLS is build in such a way, that in the same time, the client might still be busy with sending the rest of handshake data (the client's certificate is sent first, then other records). This alone would be no problem but Java SSL implementation, when trustmanager throws an exception, first closes the input half of the socket and only then sends the alert. All this is done without waiting for the client to finish sending its portion of handshake data. This can cause a race condition: client will try to send data on a closed channel of the socket, before it receives an alert about its certificate. The only known solution is to introduce a sleep before throwing an exception by checkClientTrusted(). But it is hard to provide a good value, and what is more this timeout is obviously slowing the invalid connection dropping, what might be used to perform DoS attacs. Therefore there is no solution implemented.

    Author:
    K. Benedyczak

    • Method Detail

      • checkClientTrusted

        public void checkClientTrusted​(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType)
                        throws java.security.cert.CertificateException
        Specified by:
        checkClientTrusted in interface javax.net.ssl.X509TrustManager
        Throws:
        java.security.cert.CertificateException

      • checkServerTrusted

        public void checkServerTrusted​(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType)
                        throws java.security.cert.CertificateException
        Specified by:
        checkServerTrusted in interface javax.net.ssl.X509TrustManager
        Throws:
        java.security.cert.CertificateException

      • checkIfTrusted

        protected void checkIfTrusted​(java.security.cert.X509Certificate[] certChain)
                       throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException

      • getAcceptedIssuers

        public java.security.cert.X509Certificate[] getAcceptedIssuers()
        Specified by:
        getAcceptedIssuers in interface javax.net.ssl.X509TrustManager