eu.emi.security.authn.x509.helpers.ssl

Class SSLTrustManager

java.lang.Object

eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager

All Implemented Interfaces:

TrustManager, X509TrustManager

public class SSLTrustManager
extends Object
implements X509TrustManager

Implementation of TrustManager which uses a configured X509CertChainValidator to validate certificates.

Note that if the client's certificate is not trusted the server will send an alert and close the connection. Unfortunately, TLS is build in such a way, that in the same time, the client might still be busy with sending the rest of handshake data (the client's certificate is sent first, then other records). This alone would be no problem but Java SSL implementation, when trustmanager throws an exception, first closes the input half of the socket and only then sends the alert. All this is done without waiting for the client to finish sending its portion of handshake data. This can cause a race condition: client will try to send data on a closed channel of the socket, before it receives an alert about its certificate. The only known solution is to introduce a sleep before throwing an exception by checkClientTrusted(). But it is hard to provide a good value, and what is more this timeout is obviously slowing the invalid connection dropping, what might be used to perform DoS attacs. Therefore there is no solution implemented.

Author:

K. Benedyczak

Field Summary

Fields

Modifier and Type	Field and Description
protected X509CertChainValidator	validator

Constructor Summary

Constructors

Constructor and Description
SSLTrustManager(X509CertChainValidator validator)

Method Summary

Modifier and Type	Method and Description
void	checkClientTrusted(X509Certificate[] chain, String authType)
protected void	checkIfTrusted(X509Certificate[] certChain)
void	checkServerTrusted(X509Certificate[] chain, String authType)
X509Certificate[]	getAcceptedIssuers()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

validator

protected X509CertChainValidator validator

Constructor Detail

SSLTrustManager

public SSLTrustManager(X509CertChainValidator validator)

Method Detail

checkClientTrusted

public void checkClientTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException

Specified by:

checkClientTrusted in interface X509TrustManager

Throws:

CertificateException

checkServerTrusted

public void checkServerTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException

Specified by:

checkServerTrusted in interface X509TrustManager

Throws:

CertificateException

checkIfTrusted

protected void checkIfTrusted(X509Certificate[] certChain)
                       throws CertificateException

Throws:

CertificateException

getAcceptedIssuers

public X509Certificate[] getAcceptedIssuers()

Specified by:

getAcceptedIssuers in interface X509TrustManager