Class XdsX509TrustManager
- java.lang.Object
  - javax.net.ssl.X509ExtendedTrustManager
    - io.grpc.xds.internal.security.trust.XdsX509TrustManager
- All Implemented Interfaces: javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager

final class XdsX509TrustManager extends javax.net.ssl.X509ExtendedTrustManager implements javax.net.ssl.X509TrustManager

Extension of X509ExtendedTrustManager that implements verification of SANs (subject alternative names) against the list in CertificateValidationContext.
Field Summary
- private static int ALT_DNS_NAME
- private static int ALT_IPA_NAME
- private static int ALT_URI_NAME
- private CertificateValidationContext certContext
- private javax.net.ssl.X509ExtendedTrustManager delegate
Constructor Summary
- XdsX509TrustManager(CertificateValidationContext certContext, javax.net.ssl.X509ExtendedTrustManager delegate)
Method Summary
- void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)
- void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket)
- void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine sslEngine)
- void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)
- void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket)
- void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine sslEngine)
- java.security.cert.X509Certificate[] getAcceptedIssuers()
- private static boolean verifyDnsNameContains(java.lang.String altNameFromCert, java.lang.String sanToVerifySubstring, boolean ignoreCase)
- private static boolean verifyDnsNameExact(java.lang.String altNameFromCert, java.lang.String sanToVerifyExact, boolean ignoreCase)
- private static boolean verifyDnsNameInPattern(java.lang.String altNameFromCert, StringMatcher sanToVerifyMatcher)
- private static boolean verifyDnsNameInSanList(java.lang.String altNameFromCert, java.util.List<StringMatcher> verifySanList)
- private static boolean verifyDnsNamePrefix(java.lang.String altNameFromCert, java.lang.String sanToVerifyPrefix, boolean ignoreCase)
- private static boolean verifyDnsNameSafeRegex(java.lang.String altNameFromCert, RegexMatcher sanToVerifySafeRegex)
- private static boolean verifyDnsNameSuffix(java.lang.String altNameFromCert, java.lang.String sanToVerifySuffix, boolean ignoreCase)
- private static boolean verifyOneSanInList(java.util.List<?> entry, java.util.List<StringMatcher> verifySanList)
- (package private) void verifySubjectAltNameInChain(java.security.cert.X509Certificate[] peerCertChain)
  Verifies SANs in the peer cert chain against verify_subject_alt_name in the certContext.
- private static void verifySubjectAltNameInLeaf(java.security.cert.X509Certificate cert, java.util.List<StringMatcher> verifyList)
Field Detail

ALT_DNS_NAME
private static final int ALT_DNS_NAME
- See Also: Constant Field Values

ALT_URI_NAME
private static final int ALT_URI_NAME
- See Also: Constant Field Values

ALT_IPA_NAME
private static final int ALT_IPA_NAME
- See Also: Constant Field Values

delegate
private final javax.net.ssl.X509ExtendedTrustManager delegate

certContext
private final CertificateValidationContext certContext
Constructor Detail

XdsX509TrustManager
XdsX509TrustManager(@Nullable CertificateValidationContext certContext, javax.net.ssl.X509ExtendedTrustManager delegate)
Method Detail

verifyDnsNameInPattern
private static boolean verifyDnsNameInPattern(java.lang.String altNameFromCert, StringMatcher sanToVerifyMatcher)

verifyDnsNameSafeRegex
private static boolean verifyDnsNameSafeRegex(java.lang.String altNameFromCert, RegexMatcher sanToVerifySafeRegex)

verifyDnsNamePrefix
private static boolean verifyDnsNamePrefix(java.lang.String altNameFromCert, java.lang.String sanToVerifyPrefix, boolean ignoreCase)

verifyDnsNameSuffix
private static boolean verifyDnsNameSuffix(java.lang.String altNameFromCert, java.lang.String sanToVerifySuffix, boolean ignoreCase)

verifyDnsNameContains
private static boolean verifyDnsNameContains(java.lang.String altNameFromCert, java.lang.String sanToVerifySubstring, boolean ignoreCase)

verifyDnsNameExact
private static boolean verifyDnsNameExact(java.lang.String altNameFromCert, java.lang.String sanToVerifyExact, boolean ignoreCase)

verifyDnsNameInSanList
private static boolean verifyDnsNameInSanList(java.lang.String altNameFromCert, java.util.List<StringMatcher> verifySanList)

verifyOneSanInList
private static boolean verifyOneSanInList(java.util.List<?> entry, java.util.List<StringMatcher> verifySanList) throws java.security.cert.CertificateParsingException
- Throws: java.security.cert.CertificateParsingException

verifySubjectAltNameInLeaf
private static void verifySubjectAltNameInLeaf(java.security.cert.X509Certificate cert, java.util.List<StringMatcher> verifyList) throws java.security.cert.CertificateException
- Throws: java.security.cert.CertificateException

verifySubjectAltNameInChain
void verifySubjectAltNameInChain(java.security.cert.X509Certificate[] peerCertChain) throws java.security.cert.CertificateException
Verifies SANs in the peer cert chain against verify_subject_alt_name in the certContext. This is called from the various check*Trusted methods.
- Throws: java.security.cert.CertificateException
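As an added illustration (not gRPC's own code), this is the shape of the leaf SAN check that verifySubjectAltNameInChain delegates to once the wrapped trust manager has validated the chain; SanMatcher is a hypothetical stand-in for the xDS StringMatcher, and the SAN list in main is constructed rather than read from a certificate.

```java
import java.security.cert.CertificateException;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
// Added illustration, not gRPC's own code: the leaf-certificate SAN check a trust
// manager like XdsX509TrustManager applies after its delegate has validated the chain.
// SanMatcher is a hypothetical stand-in for the xDS StringMatcher (exact/prefix/suffix/contains, ignoreCase).
public final class SanCheckExample {
  // GeneralName type tags as returned by X509Certificate.getSubjectAlternativeNames()
  static final int ALT_DNS_NAME = 2, ALT_URI_NAME = 6, ALT_IPA_NAME = 7;
  enum Kind { EXACT, PREFIX, SUFFIX, CONTAINS }
  record SanMatcher(Kind kind, String value, boolean ignoreCase) {
    boolean matches(String altName) {
      String a = ignoreCase ? altName.toLowerCase(Locale.ROOT) : altName;
      String v = ignoreCase ? value.toLowerCase(Locale.ROOT) : value;
      return switch (kind) {
        case EXACT -> a.equals(v);
        case PREFIX -> a.startsWith(v);
        case SUFFIX -> a.endsWith(v);
        case CONTAINS -> a.contains(v);
      };
    }
  }
  // Throws unless some DNS, URI or IP SAN entry satisfies some matcher. An empty matcher
  // list means no SAN constraint was configured, so the delegate's chain validation alone decides.
  static void verifySubjectAltNameInLeaf(Collection<List<?>> sans, List<SanMatcher> matchers)
      throws CertificateException {
    if (matchers.isEmpty()) return;
    if (sans != null) {                       // getSubjectAlternativeNames() returns null when absent
      for (List<?> entry : sans) {
        int type = (Integer) entry.get(0);
        if (type != ALT_DNS_NAME && type != ALT_URI_NAME && type != ALT_IPA_NAME) continue;
        for (SanMatcher m : matchers) {
          if (m.matches((String) entry.get(1))) return;
        }
      }
    }
    throw new CertificateException("Peer certificate SAN check failed");
  }
  public static void main(String[] args) throws CertificateException {
    // Constructed sample of what getSubjectAlternativeNames() yields for a leaf with a DNS and a URI SAN
    Collection<List<?>> sans = List.of(List.of(ALT_DNS_NAME, "backend.example.internal"),
        List.of(ALT_URI_NAME, "spiffe://example.internal/ns/prod/sa/backend"));
    verifySubjectAltNameInLeaf(sans, List.of(new SanMatcher(Kind.PREFIX, "spiffe://example.internal/", false)));
    try {   // exact match is case-sensitive unless ignoreCase is set, so this one is rejected
      verifySubjectAltNameInLeaf(sans, List.of(new SanMatcher(Kind.EXACT, "Backend.example.internal", false)));
    } catch (CertificateException e) { System.out.println("rejected as intended: " + e.getMessage()); }
  }
}
```

Only the leaf certificate's SANs are consulted here, mirroring verifySubjectAltNameInLeaf; intermediate and root certificates are covered by the delegate's chain validation, not by the SAN matchers.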
checkClientTrusted
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket) throws java.security.cert.CertificateException
- Specified by: checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
- Throws: java.security.cert.CertificateException

checkClientTrusted
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine sslEngine) throws java.security.cert.CertificateException
- Specified by: checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
- Throws: java.security.cert.CertificateException

checkClientTrusted
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType) throws java.security.cert.CertificateException
- Specified by: checkClientTrusted in interface javax.net.ssl.X509TrustManager
- Throws: java.security.cert.CertificateException

checkServerTrusted
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket) throws java.security.cert.CertificateException
- Specified by: checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
- Throws: java.security.cert.CertificateException

checkServerTrusted
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine sslEngine) throws java.security.cert.CertificateException
- Specified by: checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
- Throws: java.security.cert.CertificateException

checkServerTrusted
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType) throws java.security.cert.CertificateException
- Specified by: checkServerTrusted in interface javax.net.ssl.X509TrustManager
- Throws: java.security.cert.CertificateException

getAcceptedIssuers
public java.security.cert.X509Certificate[] getAcceptedIssuers()
- Specified by: getAcceptedIssuers in interface javax.net.ssl.X509TrustManager