private void init() {
if (myTrustedCerts != null) {
return;
}
Collection trustedCerts = new ArrayList();
// load trusted certs from files.
for (int i = 0; i < myServerCertFiles.length; i++) {
X509Certificate cert = loadCertificate(myServerCertFiles[i]);
if (cert != null) {
trustedCerts.add(cert);
}
}
X509TrustManager[] trustManagers = getDefaultTrustManagers();
for (int i = 0; trustManagers != null && i < trustManagers.length; i++) {
X509TrustManager trustManager = trustManagers[i];
X509Certificate[] acceptedCerts = trustManager.getAcceptedIssuers();
for (int c = 0; acceptedCerts != null && c < acceptedCerts.length; c++) {
X509Certificate cert = acceptedCerts[c];
trustedCerts.add(cert);
}
}
myTrustedCerts =
(X509Certificate[]) trustedCerts.toArray(new X509Certificate[trustedCerts.size()]);
}
@Override
public X509Certificate[] getAcceptedIssuers() {
final ArrayList<X509Certificate> list = new ArrayList<X509Certificate>();
for (X509TrustManager tm : x509TrustManagers)
list.addAll(Arrays.asList(tm.getAcceptedIssuers()));
return list.toArray(new X509Certificate[list.size()]);
}
public RippleTrustManager(KeyStore localKeyStore) {
try {
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
defaultTrustManager = findX509TrustManager(tmf);
if (defaultTrustManager == null) {
throw new IllegalStateException("not found X509TrustManager");
}
localTrustManager = new LocalStoreX509TrustManager(localKeyStore);
ArrayList<X509Certificate> allIssuers = new ArrayList<X509Certificate>();
for (X509Certificate cert : defaultTrustManager.getAcceptedIssuers()) {
allIssuers.add(cert);
}
for (X509Certificate cert : localTrustManager.getAcceptedIssuers()) {
allIssuers.add(cert);
}
acceptedIssuers = allIssuers.toArray(new X509Certificate[allIssuers.size()]);
} catch (GeneralSecurityException e) {
throw new RuntimeException(e);
}
}
public void checkCertTrusted(
X509Certificate[] chain, String authType, boolean isServer, boolean interactive)
throws CertificateException {
LOGGER.log(Level.FINE, "checkCertTrusted(" + chain + ", " + authType + ", " + isServer + ")");
try {
LOGGER.log(Level.FINE, "checkCertTrusted: trying appTrustManager");
if (isServer) appTrustManager.checkServerTrusted(chain, authType);
else appTrustManager.checkClientTrusted(chain, authType);
} catch (CertificateException ae) {
LOGGER.log(Level.FINER, "checkCertTrusted: appTrustManager failed", ae);
// if the cert is stored in our appTrustManager, we ignore expiredness
if (isExpiredException(ae)) {
LOGGER.log(Level.INFO, "checkCertTrusted: accepting expired certificate from keystore");
return;
}
if (isCertKnown(chain[0])) {
LOGGER.log(Level.INFO, "checkCertTrusted: accepting cert already stored in keystore");
return;
}
try {
if (defaultTrustManager == null) throw ae;
LOGGER.log(Level.FINE, "checkCertTrusted: trying defaultTrustManager");
if (isServer) defaultTrustManager.checkServerTrusted(chain, authType);
else defaultTrustManager.checkClientTrusted(chain, authType);
} catch (CertificateException e) {
e.printStackTrace();
if (interactive) {
interactCert(chain, authType, e);
} else {
throw e;
}
}
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
X509Certificate ret[] = null;
X509Certificate customAcceptedIssuers[] =
(mCustomTrustManager != null)
? mCustomTrustManager.getAcceptedIssuers()
: new X509Certificate[0];
X509Certificate sysAcceptedIssuers[] =
(mSysTrustManager != null)
? mSysTrustManager.getAcceptedIssuers()
: new X509Certificate[0];
if (customAcceptedIssuers == null) {
customAcceptedIssuers = new X509Certificate[0];
}
if (sysAcceptedIssuers == null) {
sysAcceptedIssuers = new X509Certificate[0];
}
int size = customAcceptedIssuers.length + sysAcceptedIssuers.length;
if (size > 0) {
ret = new X509Certificate[size];
System.arraycopy(sysAcceptedIssuers, 0, ret, 0, sysAcceptedIssuers.length);
System.arraycopy(
customAcceptedIssuers, 0, ret, sysAcceptedIssuers.length, customAcceptedIssuers.length);
}
return ret;
}
public void checkCertTrusted(X509Certificate[] chain, String authType, boolean isServer)
throws CertificateException {
Log.d(TAG, "checkCertTrusted(" + chain + ", " + authType + ", " + isServer + ")");
try {
Log.d(TAG, "checkCertTrusted: trying appTrustManager");
if (isServer) appTrustManager.checkServerTrusted(chain, authType);
else appTrustManager.checkClientTrusted(chain, authType);
} catch (CertificateException ae) {
// if the cert is stored in our appTrustManager, we ignore expiredness
ae.printStackTrace();
if (isExpiredException(ae)) {
Log.i(TAG, "checkCertTrusted: accepting expired certificate from keystore");
return;
}
if (isCertKnown(chain[0])) {
Log.i(TAG, "checkCertTrusted: accepting cert already stored in keystore");
return;
}
try {
Log.d(TAG, "checkCertTrusted: trying defaultTrustManager");
if (isServer) defaultTrustManager.checkServerTrusted(chain, authType);
else defaultTrustManager.checkClientTrusted(chain, authType);
} catch (CertificateException e) {
e.printStackTrace();
interact(chain, authType, e);
}
}
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
try {
defaultTrustManager.checkClientTrusted(chain, authType);
} catch (CertificateException ce) {
localTrustManager.checkClientTrusted(chain, authType);
}
}
/*
* Loop over the trustmanagers until we find one that accepts our server
*/
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
for (X509TrustManager tm : x509TrustManagers) {
try {
tm.checkServerTrusted(chain, authType);
return;
} catch (CertificateException e) {
// ignore
}
}
throw new CertificateException();
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
try {
if (mCustomTrustManager != null) {
mCustomTrustManager.checkServerTrusted(chain, authType);
}
} catch (CertificateException e) {
if (mSysTrustManager != null) {
mSysTrustManager.checkServerTrusted(chain, authType);
}
}
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
if (!trust.get()) {
throw new CertificateException("Server certificate not trusted.");
}
tm.checkServerTrusted(chain, authType);
}
/*
* Delegate to the default trust manager.
*/
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
try {
pkixTrustManager.checkClientTrusted(chain, authType);
} catch (CertificateException excep) {
// do any special handling here, or rethrow exception.
}
}
/** @see javax.net.ssl.X509TrustManager#checkServerTrusted(X509Certificate[],String authType) */
public void checkServerTrusted(X509Certificate[] certificates, String authType)
throws CertificateException {
if ((certificates != null) && (certificates.length == 1)) {
certificates[0].checkValidity();
} else {
standardTrustManager.checkServerTrusted(certificates, authType);
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
if (defaultManager == null) {
return new X509Certificate[0];
} else {
return defaultManager.getAcceptedIssuers();
}
}
/*
* Delegate to the default trust manager.
*/
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
try {
pkixTrustManager.checkClientTrusted(chain, authType);
} catch (CertificateException excep) {
Logger.error(this.getClass(), excep.getMessage());
Logger.debug(this.getClass(), excep.getMessage(), excep);
}
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
try {
trustManager.checkServerTrusted(chain, authType);
} catch (CertificateException e) {
exception = e;
}
}
public void checkServerTrusted(X509Certificate ax509certificate[], String s)
throws CertificateException {
if (ax509certificate != null && ax509certificate.length == 1) {
ax509certificate[0].checkValidity();
return;
} else {
a.checkServerTrusted(ax509certificate, s);
return;
}
}
private boolean checkServerTrustedByDefault(X509Certificate[] certs, String algorithm) {
X509TrustManager[] trustManagers = getDefaultTrustManagers();
if (trustManagers == null) {
return false;
}
for (int i = 0; i < trustManagers.length; i++) {
X509TrustManager trustManager = trustManagers[i];
boolean trusted = true;
try {
trustManager.checkServerTrusted(certs, algorithm);
} catch (CertificateException e) {
trusted = false;
}
if (trusted) {
return true;
}
}
return false;
}
/*
* Delegate to the default trust manager.
*/
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
try {
pkixTrustManager.checkServerTrusted(chain, authType);
} catch (CertificateException excep) {
/*
* Possibly pop up a dialog box asking whether to trust the
* cert chain.
*/
}
}
protected void checkCertifacteTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
// Fail if we don't have a default manager
if (defaultManager == null) {
final String msg =
String.format(
"No trust manager in %s. Can't trust any certificates.", getClass().getName());
throw new CertificateException(msg);
} else {
// Otherwise, check the certificate chain with the default manager
defaultManager.checkClientTrusted(chain, authType);
}
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
try {
tm.checkServerTrusted(chain, authType);
} catch (CertificateException e) {
Object[] answer = {"Proceed", "Exit"};
int ret =
JOptionPane.showOptionDialog(
null,
e.getCause().getLocalizedMessage() + "\n" + "Continue connecting to this host?",
"Confirm certificate exception?",
JOptionPane.YES_NO_OPTION,
JOptionPane.WARNING_MESSAGE,
null,
answer,
answer[0]);
if (ret == JOptionPane.NO_OPTION) System.exit(1);
} catch (java.lang.Exception e) {
throw new Exception(e.toString());
}
}
/**
* @return
* @param trustManager der Trustmanager mit den Zertifikaten.
*/
private static GenericIterator init(X509TrustManager trustManager) {
try {
X509Certificate[] list = trustManager.getAcceptedIssuers();
List<CertObject> al = new ArrayList<CertObject>();
for (int i = 0; i < list.length; ++i) {
al.add(new CertObject(list[i]));
}
if (trustManager == Application.getSSLFactory().getTrustManager()) {
// System-Zertifikat noch hinzufuegen
al.add(new CertObject(Application.getSSLFactory().getSystemCertificate()));
}
Collections.sort(al);
return PseudoIterator.fromArray(al.toArray(new CertObject[al.size()]));
} catch (Exception e) {
Logger.error("error while loading certificate list", e);
try {
return PseudoIterator.fromArray(new GenericObject[] {});
} catch (Exception e2) {
Logger.error("error while loading dummy list, useless", e2);
return null;
}
}
}
public X509Certificate[] getAcceptedIssuers() {
LOGGER.log(Level.FINE, "getAcceptedIssuers()");
return defaultTrustManager.getAcceptedIssuers();
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return tm.getAcceptedIssuers();
}
/**
* @see com.innovaturelabs.net.ssl.X509TrustManager#checkClientTrusted(X509Certificate[],String
* authType)
*/
public void checkClientTrusted(X509Certificate[] certificates, String authType)
throws CertificateException {
standardTrustManager.checkClientTrusted(certificates, authType);
}
/*
* Delegate to the default trust manager.
*/
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
final X509TrustManager defaultX509TrustManager = x509TrustManagers.get(0);
defaultX509TrustManager.checkClientTrusted(chain, authType);
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
tm.checkClientTrusted(chain, authType);
}
private void checkSystemTrust(X509Certificate[] chain, String authType)
throws CertificateException {
for (TrustManager systemTrustManager : systemTrustManagers) {
((X509TrustManager) systemTrustManager).checkServerTrusted(chain, authType);
}
}
/*
* Merely pass this through.
*/
public X509Certificate[] getAcceptedIssuers() {
return pkixTrustManager.getAcceptedIssuers();
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return trustManager.getAcceptedIssuers();
}
