Class XdsX509TrustManager

  • All Implemented Interfaces:
    javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager

    final class XdsX509TrustManager
    extends javax.net.ssl.X509ExtendedTrustManager
    implements javax.net.ssl.X509TrustManager
    Extension of X509ExtendedTrustManager that verifies the peer certificate's SANs (Subject Alternative Names) against the list in CertificateValidationContext.
    • Constructor Detail

      • XdsX509TrustManager

        XdsX509TrustManager(@Nullable
                            CertificateValidationContext certContext,
                            javax.net.ssl.X509ExtendedTrustManager delegate)
    • Method Detail

      • verifyDnsNameInPattern

        private static boolean verifyDnsNameInPattern(java.lang.String altNameFromCert,
                                                      StringMatcher sanToVerifyMatcher)
      • verifyDnsNameSafeRegex

        private static boolean verifyDnsNameSafeRegex(java.lang.String altNameFromCert,
                                                      RegexMatcher sanToVerifySafeRegex)
      • verifyDnsNamePrefix

        private static boolean verifyDnsNamePrefix(java.lang.String altNameFromCert,
                                                   java.lang.String sanToVerifyPrefix,
                                                   boolean ignoreCase)
      • verifyDnsNameSuffix

        private static boolean verifyDnsNameSuffix(java.lang.String altNameFromCert,
                                                   java.lang.String sanToVerifySuffix,
                                                   boolean ignoreCase)
      • verifyDnsNameContains

        private static boolean verifyDnsNameContains(java.lang.String altNameFromCert,
                                                     java.lang.String sanToVerifySubstring,
                                                     boolean ignoreCase)
      • verifyDnsNameExact

        private static boolean verifyDnsNameExact(java.lang.String altNameFromCert,
                                                  java.lang.String sanToVerifyExact,
                                                  boolean ignoreCase)
      • verifyDnsNameInSanList

        private static boolean verifyDnsNameInSanList(java.lang.String altNameFromCert,
                                                      java.util.List<StringMatcher> verifySanList)
      • verifyOneSanInList

        private static boolean verifyOneSanInList(java.util.List<?> entry,
                                                  java.util.List<StringMatcher> verifySanList)
                                           throws java.security.cert.CertificateParsingException
        Throws:
        java.security.cert.CertificateParsingException
      • verifySubjectAltNameInLeaf

        private static void verifySubjectAltNameInLeaf(java.security.cert.X509Certificate cert,
                                                       java.util.List<StringMatcher> verifyList)
                                                throws java.security.cert.CertificateException
        Throws:
        java.security.cert.CertificateException
      • verifySubjectAltNameInChain

        void verifySubjectAltNameInChain(java.security.cert.X509Certificate[] peerCertChain)
                                  throws java.security.cert.CertificateException
        Verifies SANs in the peer cert chain against verify_subject_alt_name in the certContext. This is called from various check*Trusted methods.
        Throws:
        java.security.cert.CertificateException
      • checkClientTrusted

        public void checkClientTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       java.net.Socket socket)
                                throws java.security.cert.CertificateException
        Specified by:
        checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • checkClientTrusted

        public void checkClientTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       javax.net.ssl.SSLEngine sslEngine)
                                throws java.security.cert.CertificateException
        Specified by:
        checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • checkClientTrusted

        public void checkClientTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType)
                                throws java.security.cert.CertificateException
        Specified by:
        checkClientTrusted in interface javax.net.ssl.X509TrustManager
        Throws:
        java.security.cert.CertificateException
      • checkServerTrusted

        public void checkServerTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       java.net.Socket socket)
                                throws java.security.cert.CertificateException
        Specified by:
        checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • checkServerTrusted

        public void checkServerTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType,
                                       javax.net.ssl.SSLEngine sslEngine)
                                throws java.security.cert.CertificateException
        Specified by:
        checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
        Throws:
        java.security.cert.CertificateException
      • checkServerTrusted

        public void checkServerTrusted(java.security.cert.X509Certificate[] chain,
                                       java.lang.String authType)
                                throws java.security.cert.CertificateException
        Specified by:
        checkServerTrusted in interface javax.net.ssl.X509TrustManager
        Throws:
        java.security.cert.CertificateException
      • getAcceptedIssuers

        public java.security.cert.X509Certificate[] getAcceptedIssuers()
        Specified by:
        getAcceptedIssuers in interface javax.net.ssl.X509TrustManager
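As an added illustration (not code from grpc-java or from this class), the stand-alone Java below sketches the matcher dispatch that the verifyDnsName{Exact,Prefix,Suffix,Contains,SafeRegex} helpers above expose: the SanMatcher type is a constructed stand-in for the xDS StringMatcher, only dNSName entries are considered (a simplification assumed here), and the SAN list is built inline in the [type, value] shape that X509Certificate.getSubjectAlternativeNames() returns.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

public final class SanMatchDemo {
    /** Stand-in for the xDS StringMatcher (constructed for this example, not the real proto type). */
    static final class SanMatcher {
        enum Kind { EXACT, PREFIX, SUFFIX, CONTAINS, SAFE_REGEX }
        final Kind kind; final String value; final boolean ignoreCase;
        SanMatcher(Kind kind, String value, boolean ignoreCase) {
            this.kind = kind; this.value = value; this.ignoreCase = ignoreCase;
        }
        /** One matcher against one SAN string, mirroring the per-kind helpers on this page. */
        boolean matches(String altNameFromCert) {
            String got = ignoreCase ? altNameFromCert.toLowerCase(Locale.ROOT) : altNameFromCert;
            String want = ignoreCase ? value.toLowerCase(Locale.ROOT) : value;
            switch (kind) {
                case EXACT:    return got.equals(want);
                case PREFIX:   return got.startsWith(want);
                case SUFFIX:   return got.endsWith(want);
                case CONTAINS: return got.contains(want);
                // Full-string regex match; ignoreCase is not applied to the regex kind.
                case SAFE_REGEX: return Pattern.matches(value, altNameFromCert);
                default: return false;
            }
        }
    }

    /** GeneralName tag for dNSName in getSubjectAlternativeNames() entries. */
    static final int DNS_NAME = 2;

    /** True only if some dNSName SAN satisfies some matcher; no SANs or an empty policy fails closed here. */
    static boolean anyDnsSanMatches(Collection<List<?>> sans, List<SanMatcher> verifyList) {
        if (sans == null || verifyList.isEmpty()) return false;
        for (List<?> entry : sans) {
            if (entry.size() < 2 || !Integer.valueOf(DNS_NAME).equals(entry.get(0))) continue;
            String altName = String.valueOf(entry.get(1));
            for (SanMatcher m : verifyList) {
                if (m.matches(altName)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<List<?>> sans = new ArrayList<>();                 // constructed sample SANs
        sans.add(Arrays.asList(7, "10.0.0.5"));                  // iPAddress entry: skipped
        sans.add(Arrays.asList(DNS_NAME, "API.Internal.Example.COM"));
        List<SanMatcher> policy = Arrays.asList(
            new SanMatcher(SanMatcher.Kind.SUFFIX, ".internal.example.com", true),
            new SanMatcher(SanMatcher.Kind.SAFE_REGEX, "api\\.internal\\.example\\.com", false));
        System.out.println("case-folded suffix policy: " + anyDnsSanMatches(sans, policy));
        System.out.println("case-sensitive exact policy: " + anyDnsSanMatches(sans,
            Arrays.asList(new SanMatcher(SanMatcher.Kind.EXACT, "api.internal.example.com", false))));
    }
}
```

The second call shows why the ignoreCase flag matters: an exact, case-sensitive matcher rejects a certificate whose SAN differs only in letter case, while the suffix matcher with ignoreCase accepts it.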