/*
* Copyright 2020 The gRPC Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.grpc.netty;
import io.grpc.netty.TlsOptions.VerificationAuthType;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
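/**
 * An {@link X509ExtendedTrustManager} whose behaviour is driven by a {@link TlsOptions} instance.
 *
 * <p>For the {@code CertificateVerification} and {@code CertificateAndHostNameVerification}
 * auth types the peer chain is validated by a platform-default trust manager built over
 * {@code tlsOptions.getTrustedCerts()}; in the client role the
 * {@code CertificateAndHostNameVerification} type additionally enables the {@code "HTTPS"}
 * endpoint identification algorithm on the engine so that the delegate performs host name
 * checking. For every auth type the {@code tlsOptions.verifyPeerCertificate(...)} hook is
 * invoked afterwards as a custom check.
 *
 * <p>Only the {@link SSLEngine} overloads carry out the configured verification. The
 * {@link Socket} and two-argument overloads have no engine to attach the endpoint
 * identification algorithm to, so they fail closed with a {@link CertificateException}
 * instead of silently accepting the peer.
 *
 * <p>Thread-safety: the class holds only the {@code tlsOptions} reference; whether concurrent
 * handshakes are safe depends on the {@code TlsOptions} implementation.
 */
public class ConfigurableX509TrustManager extends X509ExtendedTrustManager {
  private final TlsOptions tlsOptions;

  /**
   * Creates a trust manager configured by the given options.
   *
   * @param tlsOptions source of the auth type, trusted certificates and custom peer check
   */
  public ConfigurableX509TrustManager(TlsOptions tlsOptions) {
    this.tlsOptions = tlsOptions;
  }

  /**
   * Not supported: there is no engine to apply endpoint identification to, so this path
   * cannot honour the configured auth type. Rejects rather than silently accepting.
   */
  @Override
  public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket)
      throws CertificateException {
    throw unsupportedPath("checkClientTrusted(X509Certificate[], String, Socket)");
  }

  @Override
  public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine)
      throws CertificateException {
    checkTrusted(x509Certificates, s, sslEngine, false);
  }

  /** Not supported; see {@link #checkClientTrusted(X509Certificate[], String, Socket)}. */
  @Override
  public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
      throws CertificateException {
    throw unsupportedPath("checkClientTrusted(X509Certificate[], String)");
  }

  /** Not supported; see {@link #checkClientTrusted(X509Certificate[], String, Socket)}. */
  @Override
  public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket)
      throws CertificateException {
    throw unsupportedPath("checkServerTrusted(X509Certificate[], String, Socket)");
  }

  @Override
  public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine)
      throws CertificateException {
    checkTrusted(x509Certificates, s, sslEngine, true);
  }

  /** Not supported; see {@link #checkClientTrusted(X509Certificate[], String, Socket)}. */
  @Override
  public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
      throws CertificateException {
    throw unsupportedPath("checkServerTrusted(X509Certificate[], String)");
  }

  /**
   * Returns an empty array: the accepted issuers are not advertised to the peer. Trust
   * decisions are made solely inside {@link #checkTrusted}.
   */
  @Override
  public X509Certificate[] getAcceptedIssuers() {
    return new X509Certificate[0];
  }

  /**
   * Builds the exception thrown by the overloads that cannot perform the configured checks.
   *
   * @param method the unsupported overload, for the message
   */
  private static CertificateException unsupportedPath(String method) {
    return new CertificateException(
        method + " is not supported by ConfigurableX509TrustManager; use the SSLEngine overload");
  }

  /**
   * Shared verification routine for both roles.
   *
   * @param x509Certificates the peer chain as presented
   * @param s the key exchange / authentication type string passed by the TLS stack
   * @param sslEngine the engine of the current handshake; must be non-null
   * @param isClient {@code true} when this side is the client validating a server chain
   * @throws CertificateException if the chain is missing, the trust store or delegate cannot be
   *     set up, the delegate rejects the chain, or the custom check fails
   */
  private void checkTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine,
      boolean isClient) throws CertificateException {
    VerificationAuthType authType = this.tlsOptions.getVerificationAuthType();
    if (authType == VerificationAuthType.CertificateAndHostNameVerification
        || authType == VerificationAuthType.CertificateVerification) {
      if (x509Certificates == null || x509Certificates.length == 0) {
        // Message names the local role; previously it always said "Client side".
        throw new CertificateException((isClient ? "Client" : "Server")
            + " side requires certificate but got null or empty certificates");
      }
      KeyStore ks;
      try {
        ks = this.tlsOptions.getTrustedCerts();
      } catch (Exception e) {
        // Keep the cause so the underlying failure is not lost in logs.
        throw new CertificateException(
            "Function getTrustedCerts fails, error: " + e.getMessage(), e);
      }
      // NOTE(review): the delegate is rebuilt on every handshake because getTrustedCerts() may
      // return a fresh store each call; caching here would change reload semantics.
      X509ExtendedTrustManager delegateManager = createDelegate(ks);
      if (isClient) {
        // The delegate performs host name verification only when the engine requests it,
        // so toggle the endpoint identification algorithm according to the auth type.
        String algorithm = authType == VerificationAuthType.CertificateAndHostNameVerification
            ? "HTTPS" : "";
        SSLParameters sslParams = sslEngine.getSSLParameters();
        sslParams.setEndpointIdentificationAlgorithm(algorithm);
        sslEngine.setSSLParameters(sslParams);
        delegateManager.checkServerTrusted(x509Certificates, s, sslEngine);
      } else {
        delegateManager.checkClientTrusted(x509Certificates, s, sslEngine);
      }
    }
    // Perform custom check; runs for every auth type, including ones that skip chain validation.
    try {
      this.tlsOptions.verifyPeerCertificate(x509Certificates, s, sslEngine);
    } catch (Exception e) {
      throw new CertificateException(
          "Custom authorization check fails, error: " + e.getMessage(), e);
    }
  }

  /**
   * Creates the platform-default {@link X509ExtendedTrustManager} over the given trust store.
   *
   * @param ks the trust store to initialise the factory with
   * @return the first {@link X509ExtendedTrustManager} the factory produces
   * @throws CertificateException if the factory cannot be created or initialised, or produces
   *     no {@link X509ExtendedTrustManager}
   */
  private static X509ExtendedTrustManager createDelegate(KeyStore ks)
      throws CertificateException {
    try {
      TrustManagerFactory tmf =
          TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
      tmf.init(ks);
      for (TrustManager tm : tmf.getTrustManagers()) {
        if (tm instanceof X509ExtendedTrustManager) {
          return (X509ExtendedTrustManager) tm;
        }
      }
    } catch (Exception e) {
      throw new CertificateException(
          "Failed to initialize delegateX509TrustManager, error: " + e.getMessage(), e);
    }
    throw new CertificateException(
        "Instance delegateX509TrustManager is null. Failed to initialize");
  }
}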