org.forgerock.opendj.ldap

Class TrustManagers

java.lang.Object

org.forgerock.opendj.ldap.TrustManagers

public final class TrustManagers
extends Object

This class contains methods for creating common types of trust manager.

Method Summary

Modifier and Type	Method and Description
static X509TrustManager	checkHostName(String hostName, X509TrustManager trustManager) Wraps the provided X509TrustManager by adding additional validation which rejects certificate chains whose subject alternative names do not match the specified host name or IP address.
static X509TrustManager	checkUsingTrustStore(String file) Creates a new X509TrustManager which will use the named trust store file to determine whether to trust a certificate.
static X509TrustManager	checkUsingTrustStore(String file, char[] password, String format) Creates a new X509TrustManager which will use the named trust store file to determine whether to trust a certificate.
static X509TrustManager	checkValidityDates(X509TrustManager trustManager) Wraps the provided X509TrustManager by adding additional validation which rejects certificate chains containing certificates which have expired or are not yet valid.
static X509TrustManager	distrustAll() Returns an X509TrustManager which does not trust any certificates.
static X509TrustManager	trustAll() Returns an X509TrustManager which trusts all certificates.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

checkHostName

public static X509TrustManager checkHostName(String hostName,
                                             X509TrustManager trustManager)

Wraps the provided X509TrustManager by adding additional validation which rejects certificate chains whose subject alternative names do not match the specified host name or IP address. The check may fall back to checking a hostname in the left-most CN of the subjectDN for backwards compatibility. If the hostName is an IP address, only the ipAddresses field of the subject alternative name will be checked. Similarly if hostName is not an IP address, only the dnsNames of the subject alternative name will be checked. Host names can be matched using wild cards, for example *.example.com. If a critical subject alternative name doesn't match, verification will not fall back to checking the subjectDN and will fail. If a critical subject alternative name doesn't match and it contains other kinds of general names that cannot be checked verification will also fail.

Parameters:

hostName - The IP address or hostname used to connect to the LDAP server which will be matched against the subject alternative name and possibly the subjectDN as described above.

trustManager - The trust manager to be wrapped.

Returns:

The wrapped trust manager.

Throws:

NullPointerException - If trustManager or hostName was null.

checkUsingTrustStore

public static X509TrustManager checkUsingTrustStore(String file)
                                             throws GeneralSecurityException,
                                                    IOException

Creates a new X509TrustManager which will use the named trust store file to determine whether to trust a certificate. It will use the default trust store format for the JVM (e.g. JKS) and will not use a password to open the trust store.

Parameters:

file - The trust store file name.

Returns:

A new X509TrustManager which will use the named trust store file to determine whether to trust a certificate.

Throws:

GeneralSecurityException - If the trust store could not be loaded, perhaps due to incorrect format, or missing algorithms.

IOException - If the trust store file could not be found or could not be read.

NullPointerException - If file was null.

checkUsingTrustStore

public static X509TrustManager checkUsingTrustStore(String file,
                                                    char[] password,
                                                    String format)
                                             throws GeneralSecurityException,
                                                    IOException

Creates a new X509TrustManager which will use the named trust store file to determine whether to trust a certificate. It will use the provided trust store format and password.

Parameters:

file - The trust store file name.

password - The trust store password, which may be null.

format - The trust store format, which may be null to indicate that the default trust store format for the JVM (e.g. JKS) should be used.

Returns:

A new X509TrustManager which will use the named trust store file to determine whether to trust a certificate.

Throws:

GeneralSecurityException - If the trust store could not be loaded, perhaps due to incorrect format, or missing algorithms.

IOException - If the trust store file could not be found or could not be read.

NullPointerException - If file was null.

checkValidityDates

public static X509TrustManager checkValidityDates(X509TrustManager trustManager)

Wraps the provided X509TrustManager by adding additional validation which rejects certificate chains containing certificates which have expired or are not yet valid.

Parameters:

trustManager - The trust manager to be wrapped.

Returns:

The wrapped trust manager.

Throws:

NullPointerException - If trustManager was null.

distrustAll

public static X509TrustManager distrustAll()

Returns an X509TrustManager which does not trust any certificates.

Returns:

An X509TrustManager which does not trust any certificates.

trustAll

public static X509TrustManager trustAll()

Returns an X509TrustManager which trusts all certificates.

Returns:

An X509TrustManager which trusts all certificates.