Class EPPTrustManager

java.lang.Object
com.verisign.epp.transport.EPPTrustManager
All Implemented Interfaces:
TrustManager, X509TrustManager

public class EPPTrustManager extends Object implements X509TrustManager
Custom X509TrustManager for EPP that supports configuring the policy for the client and server certificate EKU settings with the setClientEKUs(List) and setServerEKUs(List), respectively. Once initialized, the EPPTrustManager is thread-safe, so it can be embedded into a Singleton.
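The following is an added usage example, not code from the Verisign EPP SDK. It assumes only the constructor signature shown on this page, `EPPTrustManager(KeyStore, List<String>, List<String>)`; the trust store path and password are placeholders, and the two EKU OIDs are the standard id-kp-serverAuth and id-kp-clientAuth values from RFC 5280.

```java
import com.verisign.epp.transport.EPPTrustManager;

import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;

/** Builds an EKU-enforcing EPPTrustManager and wires it into an SSLContext (added example). */
public final class EppTrustSetup {

    // Standard PKIX Extended Key Purpose OIDs (RFC 5280).
    static final String ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    static final String ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    /** Loads a JKS/PKCS12 trust store and requires clientAuth on client certificates
     *  and serverAuth on the registry's server certificate. Passing null for either
     *  list would skip that EKU check, as the constructor documentation states. */
    public static EPPTrustManager buildTrustManager(Path trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        return new EPPTrustManager(trustStore,
                List.of(ID_KP_CLIENT_AUTH),   // client certificate policy
                List.of(ID_KP_SERVER_AUTH));  // server certificate policy
    }

    /** The initialized trust manager is thread-safe, so one instance can back every connection. */
    public static SSLContext buildSslContext(EPPTrustManager trustManager) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        // No KeyManager is supplied here: this example presents no client certificate.
        ctx.init(null, new TrustManager[] { trustManager }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password; replace with the real trust store for your registry.
        EPPTrustManager tm = buildTrustManager(Path.of("/path/to/epp-truststore.p12"), "changeit".toCharArray());
        SSLContext ctx = buildSslContext(tm);
        System.out.println("Trusted issuers: " + tm.getAcceptedIssuers().length
                + ", protocol: " + ctx.getProtocol());
    }
}
```

Using `KeyStore.getDefaultType()` means the file format follows the JDK default (PKCS12 on current JDKs); pass `"JKS"` explicitly if the store was created with the older keytool default.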
  • Constructor Details

    • EPPTrustManager

      public EPPTrustManager()
      Default constructor. Be sure to call one of the init methods before using the instance.
    • EPPTrustManager

      public EPPTrustManager(KeyStore aKeyStore) throws Exception
      Creates the EPPTrustManager instance with a specific Trust Store. Passing a null Trust Store will load the default Trust Store for the JDK (${JAVA_HOME}/lib/security/cacerts).
      Parameters:
      aKeyStore - Trust store to initialize the EPPTrustManager with. Set to null to use the default JDK trust store (${JAVA_HOME}/lib/security/cacerts).
      Throws:
      Exception - Error initializing the EPPTrustManager
    • EPPTrustManager

      public EPPTrustManager(Set<X509Certificate> aTrustedCertificates) throws Exception
      Creates the EPPTrustManager instance with a specific Collection of trusted certificates.
      Parameters:
      aTrustedCertificates - Collection of trusted certificates
      Throws:
      Exception - Error initializing the EPPTrustManager
    • EPPTrustManager

      public EPPTrustManager(KeyStore aKeyStore, List<String> aClientEKUs, List<String> aServerEKUs) throws Exception
      Creates the EPPTrustManager instance with a specific Trust Store. Passing a null Trust Store will load the default Trust Store for the JDK (${JAVA_HOME}/lib/security/cacerts).
      Parameters:
      aKeyStore - Trust store to initialize the EPPTrustManager with. Set to null to use the default JDK trust store (${JAVA_HOME}/lib/security/cacerts).
      aClientEKUs - Set to a list of EKU Object Identifier (OID) values or null to ignore the EKU extension for the client certificate
      aServerEKUs - Set to a list of EKU Object Identifier (OID) values or null to ignore the EKU extension for the server certificate
      Throws:
      Exception - Error initializing the EPPTrustManager
    • EPPTrustManager

      public EPPTrustManager(Set<X509Certificate> aTrustedCertificates, List<String> aClientEKUs, List<String> aServerEKUs) throws Exception
      Creates the EPPTrustManager instance with a specific Collection of trusted certificates.
      Parameters:
      aTrustedCertificates - Collection of trusted certificates
      aClientEKUs - Set to a list of EKU Object Identifier (OID) values or null to ignore the EKU extension for the client certificate
      aServerEKUs - Set to a list of EKU Object Identifier (OID) values or null to ignore the EKU extension for the server certificate
      Throws:
      Exception - Error initializing the EPPTrustManager
  • Method Details

    • init

      public void init(KeyStore aKeyStore) throws Exception
      Initialize the EPPTrustManager instance with a specific Trust Store. Passing a null Trust Store will load the default Trust Store for the JDK (${JAVA_HOME}/lib/security/cacerts).
      Parameters:
      aKeyStore - Trust store to initialize the EPPTrustManager with. Set to null to use the default JDK trust store (${JAVA_HOME}/lib/security/cacerts).
      Throws:
      Exception - Error initializing the EPPTrustManager
    • init

      public void init(KeyStore aKeyStore, List<String> aClientEKUs, List<String> aServerEKUs) throws Exception
      Initialize the EPPTrustManager instance with a specific Trust Store. Passing a null Trust Store will load the default Trust Store for the JDK (${JAVA_HOME}/lib/security/cacerts).
      Parameters:
      aKeyStore - Trust store to initialize the EPPTrustManager with. Set to null to use the default JDK trust store (${JAVA_HOME}/lib/security/cacerts).
      aClientEKUs - Set to a list of EKU Object Identifier (OID) values or null to ignore the EKU extension for the client certificate
      aServerEKUs - Set to a list of EKU Object Identifier (OID) values or null to ignore the EKU extension for the server certificate
      Throws:
      Exception - Error initializing the EPPTrustManager
    • init

      public void init(Set<X509Certificate> aTrustedCertificates) throws Exception
      Initialize the EPPTrustManager instance with a specific Collection of trusted certificates.
      Parameters:
      aTrustedCertificates - Collection of trusted certificates
      Throws:
      Exception - Error initializing the EPPTrustManager
    • init

      public void init(Set<X509Certificate> aTrustedCertificates, List<String> aClientEKUs, List<String> aServerEKUs) throws Exception
      Initialize the EPPTrustManager instance with a specific Collection of trusted certificates.
      Parameters:
      aTrustedCertificates - Collection of trusted certificates
      aClientEKUs - Set to a list of EKU Object Identifier (OID) values or null to ignore the EKU extension for the client certificate
      aServerEKUs - Set to a list of EKU Object Identifier (OID) values or null to ignore the EKU extension for the server certificate
      Throws:
      Exception - Error initializing the EPPTrustManager
    • checkClientTrusted

      public void checkClientTrusted(X509Certificate[] aChain, String aAuthType) throws CertificateException
      Given the partial or complete certificate chain provided by the peer, build a certificate path to a trusted root and return if it can be validated and is trusted for client SSL authentication based on the authentication type. The authentication type is determined by the actual certificate used. For instance, if RSAPublicKey is used, the authType should be "RSA". Checking is case-sensitive.
      This implementation only performs PKIX validation and does not validate the Extended Key Usage (EKU) settings.
      Specified by:
      checkClientTrusted in interface X509TrustManager
      Parameters:
      aChain - the peer certificate chain
      aAuthType - the authentication type based on the client certificate
      Throws:
      CertificateException - if the certificate chain is not trusted by this TrustManager.
    • checkServerTrusted

      public void checkServerTrusted(X509Certificate[] aChain, String aAuthType) throws CertificateException
      Given the partial or complete certificate chain provided by the peer, build a certificate path to a trusted root and return if it can be validated and is trusted for server SSL authentication based on the authentication type. The authentication type is the key exchange algorithm portion of the cipher suites represented as a String, such as "RSA", "DHE_DSS". Note: for some exportable cipher suites, the key exchange algorithm is determined at run time during the handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5, the authType should be RSA_EXPORT when an ephemeral RSA key is used for the key exchange, and RSA when the key from the server certificate is used. Checking is case-sensitive.
      Specified by:
      checkServerTrusted in interface X509TrustManager
      Parameters:
      aChain - the peer certificate chain
      aAuthType - the key exchange algorithm used
      Throws:
      CertificateException - if the certificate chain is not trusted by this TrustManager.
    • getAcceptedIssuers

      public X509Certificate[] getAcceptedIssuers()
      Return an array of certificate authority certificates which are trusted for authenticating peers.
      Specified by:
      getAcceptedIssuers in interface X509TrustManager
      Returns:
      a non-null (possibly empty) array of acceptable CA issuer certificates.
    • getTrustedCerts

      public Set<X509Certificate> getTrustedCerts()
      Gets the set of trusted certificates.
      Returns:
      the trusted certificates
    • getTrustAnchors

      public Set<TrustAnchor> getTrustAnchors()
      Gets the set of trust anchors, which should match the trusted certificates.
      Returns:
      the trust anchors
    • getPkixParamsTemplate

      public PKIXBuilderParameters getPkixParamsTemplate()
      Gets the PKIX parameters template. It can be cloned and customized, but access must be synchronized since it is not thread-safe.
      Returns:
      the PKIX parameters template
    • getTrustedSubjects

      public Map<X500Principal,List<PublicKey>> getTrustedSubjects()
      Gets the map of trusted principals and their associated public keys.
      Returns:
      Map of the trusted principals and their associated public keys
    • getClientEKUs

      public List<String> getClientEKUs()
      Gets the list of trusted X.509 Extended Key Usage (EKU) values, where at least one of the values must exist in the client certificate. A null value means that the EKU values in the client certificate will be ignored. The values are Object Identifier (OID) strings (dotted sequences of integers), as defined in the PKIX Extended Key Purpose registry.
      Returns:
      the trusted client EKU values or null to ignore the EKU settings
    • setClientEKUs

      public void setClientEKUs(List<String> aClientEKUs)
      Sets the list of trusted X.509 Extended Key Usage (EKU) values, where at least one of the values must exist in the client certificate. A null value means that the EKU values in the client certificate will be ignored. The values are Object Identifier (OID) strings (dotted sequences of integers), as defined in the PKIX Extended Key Purpose registry.
      Parameters:
      aClientEKUs - Set to a list of EKU Object Identifier (OID) values or null to ignore the EKU extension
    • getServerEKUs

      public List<String> getServerEKUs()
      Gets the list of trusted X.509 Extended Key Usage (EKU) values, where at least one of the values must exist in the server certificate. A null value means that the EKU values in the server certificate will be ignored. The values are Object Identifier (OID) strings (dotted sequences of integers), as defined in the PKIX Extended Key Purpose registry.
      Returns:
      the trusted server EKU values or null to ignore the EKU settings
    • setServerEKUs

      public void setServerEKUs(List<String> aServerEKUs)
      Sets the list of trusted X.509 Extended Key Usage (EKU) values, where at least one of the values must exist in the server certificate. A null value means that the EKU values in the server certificate will be ignored. The values are Object Identifier (OID) strings (dotted sequences of integers), as defined in the PKIX Extended Key Purpose registry.
      Parameters:
      aServerEKUs - Set to a list of EKU Object Identifier (OID) values or null to ignore the EKU extension
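The EKU rule documented for setClientEKUs and setServerEKUs ("at least one listed value must exist in the certificate; null ignores the extension") and the synchronized-clone advice given for getPkixParamsTemplate can both be shown with standard JDK APIs. The block below is an added illustration written with `java.security.cert` only; it is not EPPTrustManager's own implementation (the page itself notes that checkClientTrusted performs PKIX validation only). The `PKIXBuilderParameters` template is assumed to come from `getPkixParamsTemplate()` or to be built by the caller; `chain[0]` is assumed to be the peer's leaf certificate.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

/** EKU policy check plus PKIX path building on a cloned template (added example). */
public final class EkuPolicyCheck {

    /**
     * Returns true when allowedEKUs is null (extension ignored) or when the certificate
     * asserts at least one of the listed OIDs. A certificate with no EKU extension fails
     * a non-null policy: it asserts none of the required purposes, so the page's
     * "at least one value must exist" rule cannot be satisfied.
     */
    public static boolean satisfiesEkuPolicy(X509Certificate cert, List<String> allowedEKUs)
            throws CertificateParsingException {
        if (allowedEKUs == null) {
            return true;
        }
        List<String> present = cert.getExtendedKeyUsage(); // null when the extension is absent
        if (present == null) {
            return false;
        }
        for (String oid : allowedEKUs) {
            if (present.contains(oid)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds a certification path from the leaf to one of the template's trust anchors.
     * The shared template is not thread-safe, so it is cloned under its own monitor and
     * only the private clone is customized.
     */
    public static CertPath buildPath(PKIXBuilderParameters template, X509Certificate[] chain)
            throws GeneralSecurityException {
        PKIXBuilderParameters params;
        synchronized (template) {
            params = (PKIXBuilderParameters) template.clone();
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain[0]);
        params.setTargetCertConstraints(target);
        // Offer the intermediates sent by the peer to the builder; only anchors from
        // the template can terminate the path, so untrusted extras cannot widen trust.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(chain))));
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    /** Path validation first, then the EKU policy on the leaf, as a trust manager would. */
    public static void checkPeer(PKIXBuilderParameters template, X509Certificate[] chain,
                                 List<String> allowedEKUs) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Empty certificate chain");
        }
        try {
            buildPath(template, chain);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("PKIX path building failed", e);
        }
        if (!satisfiesEkuPolicy(chain[0], allowedEKUs)) {
            throw new CertificateException("Leaf certificate lacks a required EKU from " + allowedEKUs);
        }
    }
}
```

Applying the EKU test to `chain[0]` only mirrors the page's wording ("must exist in the client/server certificate"); intermediate and anchor certificates are constrained by the PKIX build, not by this list.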