Class XdsX509TrustManager

java.lang.Object
  javax.net.ssl.X509ExtendedTrustManager
    io.grpc.xds.internal.security.trust.XdsX509TrustManager

All Implemented Interfaces:
  TrustManager, X509TrustManager

Extension of X509ExtendedTrustManager that implements verification of SANs (subject alternative names) against the list in CertificateValidationContext.
Field Summary

Modifier and Type                            Field
private static final int                     ALT_DNS_NAME
private static final int                     ALT_URI_NAME
private static final int                     ALT_IPA_NAME
private final CertificateValidationContext   certContext
private final X509ExtendedTrustManager       delegate
Constructor Summary

XdsX509TrustManager(CertificateValidationContext certContext, X509ExtendedTrustManager delegate)
Method Summary
Modifier and TypeMethodDescriptionvoid
checkClientTrusted
(X509Certificate[] chain, String authType) void
checkClientTrusted
(X509Certificate[] chain, String authType, Socket socket) void
checkClientTrusted
(X509Certificate[] chain, String authType, SSLEngine sslEngine) void
checkServerTrusted
(X509Certificate[] chain, String authType) void
checkServerTrusted
(X509Certificate[] chain, String authType, Socket socket) void
checkServerTrusted
(X509Certificate[] chain, String authType, SSLEngine sslEngine) private static boolean
verifyDnsNameContains
(String altNameFromCert, String sanToVerifySubstring, boolean ignoreCase) private static boolean
verifyDnsNameExact
(String altNameFromCert, String sanToVerifyExact, boolean ignoreCase) private static boolean
verifyDnsNameInPattern
(String altNameFromCert, StringMatcher sanToVerifyMatcher) private static boolean
verifyDnsNameInSanList
(String altNameFromCert, List<StringMatcher> verifySanList) private static boolean
verifyDnsNamePrefix
(String altNameFromCert, String sanToVerifyPrefix, boolean ignoreCase) private static boolean
verifyDnsNameSafeRegex
(String altNameFromCert, RegexMatcher sanToVerifySafeRegex) private static boolean
verifyDnsNameSuffix
(String altNameFromCert, String sanToVerifySuffix, boolean ignoreCase) private static boolean
verifyOneSanInList
(List<?> entry, List<StringMatcher> verifySanList) (package private) void
verifySubjectAltNameInChain
(X509Certificate[] peerCertChain) Verifies SANs in the peer cert chain against verify_subject_alt_name in the certContext.private static void
verifySubjectAltNameInLeaf
(X509Certificate cert, List<StringMatcher> verifyList)
-
Field Details

ALT_DNS_NAME
  private static final int ALT_DNS_NAME

ALT_URI_NAME
  private static final int ALT_URI_NAME

ALT_IPA_NAME
  private static final int ALT_IPA_NAME

delegate
  private final X509ExtendedTrustManager delegate

certContext
  private final CertificateValidationContext certContext
Constructor Details

XdsX509TrustManager
  XdsX509TrustManager(@Nullable CertificateValidationContext certContext, X509ExtendedTrustManager delegate)
Method Details

verifyDnsNameInPattern
  private static boolean verifyDnsNameInPattern(String altNameFromCert, StringMatcher sanToVerifyMatcher)

verifyDnsNameSafeRegex
  private static boolean verifyDnsNameSafeRegex(String altNameFromCert, RegexMatcher sanToVerifySafeRegex)

verifyDnsNamePrefix
  private static boolean verifyDnsNamePrefix(String altNameFromCert, String sanToVerifyPrefix, boolean ignoreCase)

verifyDnsNameSuffix
  private static boolean verifyDnsNameSuffix(String altNameFromCert, String sanToVerifySuffix, boolean ignoreCase)

verifyDnsNameContains
  private static boolean verifyDnsNameContains(String altNameFromCert, String sanToVerifySubstring, boolean ignoreCase)

verifyDnsNameExact
  private static boolean verifyDnsNameExact(String altNameFromCert, String sanToVerifyExact, boolean ignoreCase)

verifyDnsNameInSanList
  private static boolean verifyDnsNameInSanList(String altNameFromCert, List<StringMatcher> verifySanList)

verifyOneSanInList
  private static boolean verifyOneSanInList(List<?> entry, List<StringMatcher> verifySanList) throws CertificateParsingException
  Throws: CertificateParsingException

verifySubjectAltNameInLeaf
  private static void verifySubjectAltNameInLeaf(X509Certificate cert, List<StringMatcher> verifyList) throws CertificateException
  Throws: CertificateException
verifySubjectAltNameInChain
  void verifySubjectAltNameInChain(X509Certificate[] peerCertChain) throws CertificateException
  Verifies SANs in the peer cert chain against verify_subject_alt_name in the certContext. This is called from the various check*Trusted methods.
  Throws: CertificateException
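The class described on this page wraps a delegate X509ExtendedTrustManager and, after the delegate has validated the chain, checks the leaf certificate's SANs against the configured StringMatcher list (exact, prefix, suffix, contains, safe_regex). The following Java example is added here to show the shape of that SAN check; it is not grpc-java's code. SanMatcher is a hypothetical stand-in for the xDS StringMatcher and RegexMatcher proto classes, the GeneralName tag values 2, 6 and 7 are the ones the JDK returns from X509Certificate.getSubjectAlternativeNames() for dNSName, URI and iPAddress, and two points are assumptions rather than documented behaviour: regexes must match the whole SAN string, and an empty matcher list imposes no SAN restriction.

```java
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/** Illustrative SAN verification in the style of XdsX509TrustManager (not grpc-java's code). */
public final class SanVerifier {

  /** Hypothetical stand-in for the xDS StringMatcher / RegexMatcher proto messages. */
  static final class SanMatcher {
    enum Kind { EXACT, PREFIX, SUFFIX, CONTAINS, SAFE_REGEX }

    private final Kind kind;
    private final String value;
    private final boolean ignoreCase;  // xDS has no ignore_case for safe_regex
    private final Pattern pattern;     // java.util.regex stands in for RE2 here

    SanMatcher(Kind kind, String value, boolean ignoreCase) {
      this.kind = kind;
      this.value = value;
      this.ignoreCase = ignoreCase;
      this.pattern = kind == Kind.SAFE_REGEX ? Pattern.compile(value) : null;
    }

    boolean matches(String san) {
      if (kind == Kind.SAFE_REGEX) {
        return pattern.matcher(san).matches();  // whole-string match (assumed); find() would be too loose
      }
      String a = ignoreCase ? san.toLowerCase(Locale.ROOT) : san;
      String b = ignoreCase ? value.toLowerCase(Locale.ROOT) : value;
      switch (kind) {
        case EXACT:    return a.equals(b);
        case PREFIX:   return a.startsWith(b);
        case SUFFIX:   return a.endsWith(b);
        case CONTAINS: return a.contains(b);
        default:       throw new AssertionError(kind);
      }
    }
  }

  // GeneralName type tags used by X509Certificate.getSubjectAlternativeNames()
  static final int ALT_DNS_NAME = 2;
  static final int ALT_URI_NAME = 6;
  static final int ALT_IPA_NAME = 7;

  /** entry is one element of getSubjectAlternativeNames(): [Integer type, Object name]. */
  static boolean verifyOneSanInList(List<?> entry, List<SanMatcher> matchers)
      throws CertificateParsingException {
    int type = (Integer) entry.get(0);
    if (type != ALT_DNS_NAME && type != ALT_URI_NAME && type != ALT_IPA_NAME) {
      return false;  // rfc822Name, directoryName, otherName etc. never satisfy the check
    }
    Object name = entry.get(1);
    if (!(name instanceof String)) {
      throw new CertificateParsingException("unexpected SAN encoding for type " + type);
    }
    for (SanMatcher m : matchers) {
      if (m.matches((String) name)) { return true; }
    }
    return false;
  }

  /** Accept if any SAN of the leaf matches any configured matcher; otherwise fail closed. */
  static void verifySubjectAltNameInLeaf(Collection<List<?>> sans, List<SanMatcher> matchers)
      throws CertificateException {
    if (sans == null || sans.isEmpty()) {
      throw new CertificateException("Peer certificate has no subjectAltName entries");
    }
    for (List<?> entry : sans) {
      if (verifyOneSanInList(entry, matchers)) { return; }
    }
    throw new CertificateException("Peer certificate SAN check failed");
  }

  /** Only the leaf (chain[0]) is checked; an empty matcher list is assumed to mean no SAN restriction. */
  static void verifySubjectAltNameInChain(X509Certificate[] chain, List<SanMatcher> matchers)
      throws CertificateException {
    if (matchers.isEmpty()) { return; }
    if (chain == null || chain.length == 0) {
      throw new CertificateException("Empty peer certificate chain");
    }
    verifySubjectAltNameInLeaf(chain[0].getSubjectAlternativeNames(), matchers);
  }

  public static void main(String[] args) throws Exception {
    List<SanMatcher> allowed = Arrays.asList(
        new SanMatcher(SanMatcher.Kind.EXACT, "spiffe://example.org/ns/prod/sa/frontend", false),
        new SanMatcher(SanMatcher.Kind.SUFFIX, ".svc.cluster.local", true),
        new SanMatcher(SanMatcher.Kind.SAFE_REGEX, "10\\.0\\.1\\.[0-9]+", false));

    // Constructed SAN lists in the shape getSubjectAlternativeNames() returns.
    Collection<List<?>> good = Arrays.<List<?>>asList(
        Arrays.<Object>asList(1, "ops@example.org"),                              // rfc822Name: skipped
        Arrays.<Object>asList(ALT_DNS_NAME, "Frontend.Prod.SVC.Cluster.Local"));  // suffix, ignore_case
    Collection<List<?>> bad = Arrays.<List<?>>asList(
        Arrays.<Object>asList(ALT_URI_NAME, "spiffe://example.org/ns/prod/sa/frontend-evil"),
        Arrays.<Object>asList(ALT_IPA_NAME, "110.0.1.5"));  // find() would accept this, matches() does not

    verifySubjectAltNameInLeaf(good, allowed);
    System.out.println("good leaf accepted");
    try {
      verifySubjectAltNameInLeaf(bad, allowed);
      System.out.println("BUG: bad leaf accepted");
    } catch (CertificateException e) {
      System.out.println("bad leaf rejected: " + e.getMessage());
    }
  }
}
```

Run it with `java SanVerifier.java`. Two design points carry over to any real configuration of match_subject_alt_names: only the leaf certificate's SANs are consulted, so intermediates cannot satisfy the check, and prefix or contains matchers on SPIFFE URIs are easy to over-match (the rejected `frontend-evil` URI above would pass a prefix matcher for `.../sa/frontend`), which is why exact matchers are the safer default for identities. Wildcard DNS SANs are not expanded in this example.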
checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  Specified by: checkClientTrusted in class X509ExtendedTrustManager
  Throws: CertificateException

checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException
  Specified by: checkClientTrusted in class X509ExtendedTrustManager
  Throws: CertificateException

checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
  Specified by: checkClientTrusted in interface X509TrustManager
  Throws: CertificateException

checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  Specified by: checkServerTrusted in class X509ExtendedTrustManager
  Throws: CertificateException

checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException
  Specified by: checkServerTrusted in class X509ExtendedTrustManager
  Throws: CertificateException

checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
  Specified by: checkServerTrusted in interface X509TrustManager
  Throws: CertificateException

getAcceptedIssuers
  public X509Certificate[] getAcceptedIssuers()
  Specified by: getAcceptedIssuers in interface X509TrustManager