OCSPTrustManager.java
/*
* GovWay - A customizable API Gateway
* https://govway.org
*
* Copyright (c) 2005-2024 Link.it srl (https://link.it).
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3, as published by
* the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package org.openspcoop2.utils.transport.http;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.openspcoop2.utils.certificate.KeyStore;
import org.openspcoop2.utils.certificate.KeystoreType;
/**
* OCSPTrustManager
*
* @author Poli Andrea (apoli@link.it)
* @author $Author$
* @version $Rev$, $Date$
*/
public class OCSPTrustManager implements X509TrustManager {
private IOCSPValidator ocspValidator;
private X509TrustManager tm;
private X509Certificate[] chain;
private boolean trustAll;
public X509Certificate[] getPeerCertificates() {
return this.chain;
}
public OCSPTrustManager(X509TrustManager tm, IOCSPValidator ocspValidator) {
this.tm = tm;
this.ocspValidator = ocspValidator;
this.trustAll = tm instanceof SSLTrustAllManager;
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return this.tm.getAcceptedIssuers();
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.tm.checkClientTrusted(chain, authType);
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
this.tm.checkServerTrusted(chain, authType);
if(chain!=null && chain.length>0) {
if(this.trustAll) {
// non ho usato un truststore, ne genero uno con i certificati server ritornati dal server, che ho accettato
// il truststore serve per porte generare la richiesta OCSP
if(this.ocspValidator.getTrustStore()==null) {
try {
java.security.KeyStore ks = java.security.KeyStore.getInstance(KeystoreType.JKS.getNome());
ks.load(null, null);
KeyStore trustStore = new KeyStore(ks);
int index = 0;
for (X509Certificate x509Certificate : chain) {
trustStore.putCertificate("cert-"+index, x509Certificate, false);
index++;
}
// java.util.Enumeration<String> en = trustStore.aliases();
// while (en.hasMoreElements()) {
// String alias = (String) en.nextElement();
// System.out.println(alias);
// }
this.ocspValidator.setTrustStore(trustStore);
}catch(Throwable t) {
throw new CertificateException(t.getMessage(),t);
}
}
}
try {
// valido il certificato principale nell'OCSP (la validazione a catena avviene all'interno del motore se abilitato a partire dal certificato principale)
this.ocspValidator.valid(chain[0]);
}catch(Throwable t) {
throw new CertificateException(t.getMessage(),t);
}
}
}
public static TrustManager[] wrap(TrustManager[] tmArray, IOCSPValidator ocspValidator) {
if(tmArray!=null && tmArray.length>0) {
for (int i = 0; i < tmArray.length; i++) {
TrustManager tm = tmArray[i];
if(tm!=null && tm instanceof X509TrustManager) {
// wrap
// clono perche' nel caso di SSLTrustAll si tratta di una istanza statica
TrustManager[] cloned = new TrustManager[tmArray.length];
for (int j = 0; j < tmArray.length; j++) {
if(j == i) {
cloned[j] = new OCSPTrustManager((X509TrustManager)tm, ocspValidator);
}
else {
cloned[j] = tmArray[j];
}
}
return cloned;
}
}
}
return tmArray;
}
public static OCSPTrustManager read(TrustManager[] tmArray) {
if(tmArray!=null && tmArray.length>0) {
for (int i = 0; i < tmArray.length; i++) {
TrustManager tm = tmArray[i];
if(tm!=null && tm instanceof OCSPTrustManager) {
return (OCSPTrustManager) tm;
}
}
}
return null;
}
}