public class ClientTrust
extends java.lang.Object
This also includes methods to assist in validating a certificate path. All certificates are accepted during the handshake, but they are saved so that the methods in this class can check them afterwards.
Constructor and Description |
---|
ClientTrust(RpcServer rpcServer)
Instantiates a new client trust.
|
Modifier and Type | Method and Description |
---|---|
static java.lang.String |
convert2Hex(byte[] data)
Convert a byte array to a hexadecimal string
|
boolean |
fingerprintExists(java.lang.String serverKey,
java.lang.String fingerprintUser)
Check if the fingerprint exists for the specified server IP and port
|
boolean |
fingerprintMatches(java.lang.String serverKey,
java.lang.String fingerprintUser,
java.lang.String fingerprint)
Check if the fingerprint for the specified server IP and port matches the
one in trust file.
|
static java.lang.String |
generateFingerprint(java.security.PublicKey publicKey)
Generate fingerprint from public key using MessageDigest.
|
static java.lang.String |
generateFingerprint(java.security.cert.X509Certificate certificate)
Generate fingerprint from a certificate using MessageDigest.
|
static javax.net.ssl.X509TrustManager |
getDefaultX509TrustManager()
Get the system default trust manager
X509TrustManager |
PerforceMessages |
getMessages()
Gets the messages.
|
static java.util.Set<java.security.cert.TrustAnchor> |
getTrustedCAs()
Gets the root CAs in the trust store, either the default truststore or as
specified by javax.net.ssl.trustStore/javax.net.ssl.trustStorePassword.
|
static java.util.Set<java.security.cert.TrustAnchor> |
getTrustedCAs(boolean refreshCache)
Gets the root CAs from the trust store, either the default truststore or as
specified by javax.net.ssl.trustStore/javax.net.ssl.trustStorePassword.
|
void |
installFingerprint(java.lang.String serverIpPort,
java.lang.String fingerprintUser,
java.lang.String fingerprint)
Install the fingerprint for the specified server IP and port
|
void |
removeFingerprint(java.lang.String serverIpPort,
java.lang.String fingerprintUser)
Removes the fingerprint for the specified server IP and port
|
static void |
validateServerChain(java.security.cert.X509Certificate[] certs,
java.lang.String refName)
Check the certificate chain.
|
static void |
verifyCertificateDates(java.security.cert.X509Certificate cert)
Check the certificate Not Before and Not After dates
|
static void |
verifyCertificateSubject(java.security.cert.X509Certificate cert,
java.lang.String hostName)
Verify the request's hostname against the one in the certificate.
|
public static final java.lang.String DIGEST_TYPE
public static final char[] HEX_CHARS
public static final java.lang.String FINGERPRINT_USER_NAME
public static final java.lang.String FINGERPRINT_REPLACEMENT_USER_NAME
public static final java.lang.String CLIENT_TRUST_MESSAGES
public static final java.lang.String CLIENT_TRUST_WARNING_NOT_ESTABLISHED
public static final java.lang.String CLIENT_TRUST_WARNING_NEW_CONNECTION
public static final java.lang.String CLIENT_TRUST_WARNING_NEW_KEY
public static final java.lang.String CLIENT_TRUST_EXCEPTION_NEW_CONNECTION
public static final java.lang.String CLIENT_TRUST_EXCEPTION_NEW_KEY
public static final java.lang.String CLIENT_TRUST_ADD_EXCEPTION_NEW_CONNECTION
public static final java.lang.String CLIENT_TRUST_ADD_EXCEPTION_NEW_KEY
public static final java.lang.String CLIENT_TRUST_ADDED
public static final java.lang.String CLIENT_TRUST_REMOVED
public static final java.lang.String CLIENT_TRUST_ALREADY_ESTABLISHED
public static final java.lang.String CLIENT_TRUST_INSTALL_EXCEPTION
public static final java.lang.String CLIENT_TRUST_UNINSTALL_EXCEPTION
public static final java.lang.String SSL_CLIENT_TRUST_BADDATE
public static final java.lang.String SSL_CLIENT_TRUST_BADHOST
public ClientTrust(RpcServer rpcServer)
rpcServer
- the rpc server
public void installFingerprint(java.lang.String serverIpPort, java.lang.String fingerprintUser, java.lang.String fingerprint) throws TrustException
serverIpPort
- the serverIpPort
fingerprintUser
- the fingerprintUser
fingerprint
- the fingerprint
TrustException
- the trust exception
public void removeFingerprint(java.lang.String serverIpPort, java.lang.String fingerprintUser) throws TrustException
serverIpPort
- the serverIpPort
fingerprintUser
- the fingerprintUser
TrustException
- the trust exception
public boolean fingerprintExists(java.lang.String serverKey, java.lang.String fingerprintUser)
serverKey
- the serverIpPort or serverHostName
fingerprintUser
- the fingerprintUser
public boolean fingerprintMatches(java.lang.String serverKey, java.lang.String fingerprintUser, java.lang.String fingerprint)
serverKey
- the serverIpPort or serverHostName
fingerprintUser
- the fingerprintUser
fingerprint
- the fingerprint
public static java.lang.String generateFingerprint(java.security.PublicKey publicKey) throws java.security.NoSuchAlgorithmException
publicKey
- the public key
java.security.NoSuchAlgorithmException
- the no such algorithm exception
public static java.lang.String generateFingerprint(java.security.cert.X509Certificate certificate) throws java.security.NoSuchAlgorithmException, java.security.cert.CertificateEncodingException
certificate
- the certificate
java.security.NoSuchAlgorithmException
- the no such algorithm exception
java.security.cert.CertificateEncodingException
- the certificate encoding exception
public static java.lang.String convert2Hex(byte[] data)
data
- the data
public PerforceMessages getMessages()
public static java.util.Set<java.security.cert.TrustAnchor> getTrustedCAs() throws java.security.NoSuchAlgorithmException, java.security.KeyStoreException, java.security.InvalidAlgorithmParameterException
java.security.NoSuchAlgorithmException
- on error
java.security.KeyStoreException
- on error
java.security.InvalidAlgorithmParameterException
- on error
public static java.util.Set<java.security.cert.TrustAnchor> getTrustedCAs(boolean refreshCache) throws java.security.NoSuchAlgorithmException, java.security.KeyStoreException, java.security.InvalidAlgorithmParameterException
refreshCache
- force retrieve from truststore
java.security.NoSuchAlgorithmException
- on error
java.security.KeyStoreException
- on error
java.security.InvalidAlgorithmParameterException
- on error
public static javax.net.ssl.X509TrustManager getDefaultX509TrustManager() throws java.security.NoSuchAlgorithmException, java.security.KeyStoreException
X509TrustManager
java.security.NoSuchAlgorithmException
- on error
java.security.KeyStoreException
- on error
public static void validateServerChain(java.security.cert.X509Certificate[] certs, java.lang.String refName) throws java.security.cert.CertificateException
certs
- the certificates from p4d handshake.
refName
- refName
java.security.cert.CertificateException
- if the validation fails
public static void verifyCertificateDates(java.security.cert.X509Certificate cert) throws java.security.cert.CertificateException
cert
- cert
java.security.cert.CertificateException
- on error
public static void verifyCertificateSubject(java.security.cert.X509Certificate cert, java.lang.String hostName) throws java.security.cert.CertificateParsingException, java.security.cert.CertificateException, java.net.UnknownHostException
cert
- certificate
hostName
- Host name
java.security.cert.CertificateParsingException
- on error
java.security.cert.CertificateException
- on error
java.net.UnknownHostException
- could not find an IP address for the given host name