
Example 1 with TopologyRegistryTrustManager

Use of com.unboundid.ldap.sdk.unboundidds.TopologyRegistryTrustManager in the project ldapsdk by pingidentity, taken from the class InternalSDKHelper, method getPreferredPromptTrustManagerChain.

/**
 * Retrieves an aggregate trust manager that can be used to interactively
 * prompt the user about whether to trust a presented certificate chain as a
 * last resort, but will try other alternatives first, including the
 * JVM-default trust store and, if the tool is run with access to a Ping
 * Identity Directory Server instance, then it will also try to use the
 * server's default trust store and information in the topology registry.
 *
 * @param  expectedAddresses  An optional collection of the addresses that the
 *                            client is expected to use to connect to one of
 *                            the target servers.  This may be {@code null} or
 *                            empty if no expected addresses are available, if
 *                            this trust manager is only expected to be used
 *                            to validate client certificates, or if no server
 *                            address validation should be performed.  If a
 *                            non-empty collection is provided, then the trust
 *                            manager may issue a warning if the certificate
 *                            does not contain any of these addresses.
 *
 * @return  An aggregate trust manager that can be used to interactively
 *          prompt the user about whether to trust a presented certificate
 *          chain as a last resort, but will try other alternatives first.
 */
@InternalUseOnly()
@NotNull()
public static AggregateTrustManager getPreferredPromptTrustManagerChain(
        @Nullable final Collection<String> expectedAddresses) {
    // Trust managers are consulted in list order.  The JVM-default trust
    // store comes first so that a certificate chain anchored in a publicly
    // trusted CA never reaches the interactive prompt.
    final List<X509TrustManager> trustManagers = new ArrayList<>(4);
    trustManagers.add(JVMDefaultTrustManager.getInstance());

    // If the tool is run with access to a Ping Identity Directory Server
    // instance, also consult the server's own trust store and the topology
    // registry held in its config.ldif (registry data cached for 5 minutes).
    final File pingIdentityServerRoot = InternalSDKHelper.getPingIdentityServerRoot();
    if (pingIdentityServerRoot != null) {
        final File serverTrustStore = StaticUtils.constructPath(pingIdentityServerRoot, "config", "truststore");
        if (serverTrustStore.exists()) {
            trustManagers.add(new TrustStoreTrustManager(serverTrustStore));
        }
        final File serverConfigFile = StaticUtils.constructPath(pingIdentityServerRoot, "config", "config.ldif");
        if (serverConfigFile.exists()) {
            trustManagers.add(new TopologyRegistryTrustManager(serverConfigFile, TimeUnit.MINUTES.toMillis(5L)));
        }
    }

    // The interactive prompt is the last resort.  Validity dates are examined
    // (true), and expectedAddresses lets the prompt warn the user when the
    // certificate does not contain the address the client connected to.
    trustManagers.add(new PromptTrustManager(null, true, expectedAddresses, null, null));

    // requireAllAccepted is false: the chain is trusted as soon as any one of
    // the trust managers accepts it.
    return new AggregateTrustManager(false, trustManagers);
}
Imports listed with this example:

import com.unboundid.ldap.sdk.unboundidds.TopologyRegistryTrustManager;
import com.unboundid.util.InternalUseOnly;
import com.unboundid.util.NotNull;
import com.unboundid.util.ssl.AggregateTrustManager;
import com.unboundid.util.ssl.PromptTrustManager;
import com.unboundid.util.ssl.TrustStoreTrustManager;
import java.io.File;
import java.util.ArrayList;
import javax.net.ssl.X509TrustManager;

Example 2 with TopologyRegistryTrustManager

Use of com.unboundid.ldap.sdk.unboundidds.TopologyRegistryTrustManager in the project ldapsdk by pingidentity, taken from the class InternalSDKHelper, method selectDefaultNonInteractiveTrustManagers.

/**
 * Selects an appropriate set of default trust managers that may be used for
 * non-interactively determining whether to trust a presented certificate
 * chain.
 *
 * @param  trustManagers  The list to which the selected trust managers will
 *                        be added.  It must not be {@code null}, and it must
 *                        be updatable.
 */
private static void selectDefaultNonInteractiveTrustManagers(@NotNull final List<X509TrustManager> trustManagers) {
    // The JVM-default trust store is always consulted first.
    trustManagers.add(JVMDefaultTrustManager.getInstance());
    final File pingIdentityServerRoot = InternalSDKHelper.getPingIdentityServerRoot();
    if (pingIdentityServerRoot != null) {
        // Check to see if a trust store file exists.  If a config/truststore file
        // exists, then we'll use that.  Otherwise, if a config/truststore.pin
        // file exists and either config/truststore.p12 or config/truststore.bcfks
        // exists, then we'll use one of those.
        final File defaultJKSServerTrustStore = StaticUtils.constructPath(pingIdentityServerRoot, "config", "truststore");
        if (defaultJKSServerTrustStore.exists()) {
            // A JKS trust store can be read without a PIN; validity dates are
            // examined (true).
            trustManagers.add(new TrustStoreTrustManager(defaultJKSServerTrustStore, null, CryptoHelper.KEY_STORE_TYPE_JKS, true));
        } else {
            final File trustStorePINFile = StaticUtils.constructPath(pingIdentityServerRoot, "config", "truststore.pin");
            final File defaultPKCS12TrustStore = StaticUtils.constructPath(pingIdentityServerRoot, "config", "truststore.p12");
            final File defaultBCFKSTrustStore = StaticUtils.constructPath(pingIdentityServerRoot, "config", "truststore.bcfks");
            if (trustStorePINFile.exists() && (defaultPKCS12TrustStore.exists() || defaultBCFKSTrustStore.exists())) {
                try {
                    // PKCS #12 and BCFKS stores need the PIN to be opened, so
                    // read it from the PIN file.
                    final char[] trustStorePIN = new PasswordFileReader(false).readPassword(trustStorePINFile);
                    if (defaultPKCS12TrustStore.exists()) {
                        trustManagers.add(new TrustStoreTrustManager(defaultPKCS12TrustStore, trustStorePIN, CryptoHelper.KEY_STORE_TYPE_PKCS_12, true));
                    } else if (defaultBCFKSTrustStore.exists()) {
                        // The BCFKS file must be opened with the BCFKS type;
                        // file path and store type have to match.
                        trustManagers.add(new TrustStoreTrustManager(defaultBCFKSTrustStore, trustStorePIN, CryptoHelper.KEY_STORE_TYPE_BCFKS, true));
                    }
                } catch (final Exception e) {
                    // An unreadable PIN file is not fatal: the remaining trust
                    // managers still apply, so only record the failure.
                    Debug.debugException(e);
                }
            }
        }
        // The topology registry in config.ldif is consulted as well, with its
        // data cached for five minutes.
        final File serverConfigFile = StaticUtils.constructPath(pingIdentityServerRoot, "config", "config.ldif");
        if (serverConfigFile.exists()) {
            trustManagers.add(new TopologyRegistryTrustManager(serverConfigFile, TimeUnit.MINUTES.toMillis(5L)));
        }
    }
}
Imports listed with this example:

import com.unboundid.ldap.sdk.unboundidds.TopologyRegistryTrustManager;
import com.unboundid.util.PasswordFileReader;
import com.unboundid.util.ssl.TrustStoreTrustManager;
import java.io.File;
