Use of com.unboundid.util.ssl.AggregateTrustManager in project ldapsdk by pingidentity.
The class InternalSDKHelper, method getPreferredPromptTrustManagerChain.
/**
 * Builds the trust manager chain that tools should use when the last resort
 * is to interactively ask the user whether a presented certificate chain
 * should be trusted.  Non-interactive sources are consulted first, in this
 * order:  the JVM-default trust store; then, if the tool is running with
 * access to a Ping Identity Directory Server instance, that server's own
 * trust store and the topology registry held in its configuration; and only
 * then the interactive prompt.
 *
 * @param  expectedAddresses  An optional collection of the addresses that the
 *                            client is expected to use to connect to one of
 *                            the target servers.  This may be {@code null} or
 *                            empty if no expected addresses are available, if
 *                            this trust manager is only expected to be used
 *                            to validate client certificates, or if no server
 *                            address validation should be performed.  If a
 *                            non-empty collection is provided, then the trust
 *                            manager may issue a warning if the certificate
 *                            does not contain any of these addresses.
 *
 * @return  An aggregate trust manager that tries the non-interactive sources
 *          first and falls back to prompting the user as a last resort.
 */
@InternalUseOnly()
@NotNull()
public static AggregateTrustManager getPreferredPromptTrustManagerChain(@Nullable final Collection<String> expectedAddresses) {
  final List<X509TrustManager> chain = new ArrayList<>(4);

  // The JVM-default trust store is always the first source consulted.
  chain.add(JVMDefaultTrustManager.getInstance());

  // Server-local trust sources exist only when a Ping Identity server root can be located.
  final File serverRoot = InternalSDKHelper.getPingIdentityServerRoot();
  if (serverRoot != null) {
    addServerTrustSources(chain, serverRoot);
  }

  // The prompt goes last so the user is only asked once every non-interactive source has declined.
  // The second argument presumably enables validity-date checks -- confirm against PromptTrustManager's constructor.
  chain.add(new PromptTrustManager(null, true, expectedAddresses, null, null));

  // false for the require-all-accepted flag: acceptance by any single entry is sufficient,
  // which is what lets the earlier entries short-circuit the prompt.
  return new AggregateTrustManager(false, chain);
}

/**
 * Appends the trust sources that a co-located Ping Identity Directory Server
 * provides:  its trust store, and a topology-registry trust manager backed by
 * the server configuration.  Each is added only if the corresponding file
 * exists under the server root.
 *
 * @param  chain       The list of trust managers to append to.
 * @param  serverRoot  The root directory of the server instance.
 */
private static void addServerTrustSources(@NotNull final List<X509TrustManager> chain, @NotNull final File serverRoot) {
  final File serverTrustStoreFile = StaticUtils.constructPath(serverRoot, "config", "truststore");
  if (serverTrustStoreFile.exists()) {
    chain.add(new TrustStoreTrustManager(serverTrustStoreFile));
  }

  final File serverConfigFile = StaticUtils.constructPath(serverRoot, "config", "config.ldif");
  if (serverConfigFile.exists()) {
    // The second argument is a five-minute interval in milliseconds; presumably how long
    // registry contents are cached before being re-read -- confirm against TopologyRegistryTrustManager.
    final long fiveMinutesMillis = TimeUnit.MINUTES.toMillis(5L);
    chain.add(new TopologyRegistryTrustManager(serverConfigFile, fiveMinutesMillis));
  }
}
Use of com.unboundid.util.ssl.AggregateTrustManager in project ldapsdk by pingidentity.
The class MultiServerLDAPCommandLineTool, method createSSLUtil.
/**
 * Creates the {@code SSLUtil} instance to use for secure communication with
 * the server at the given index, or returns {@code null} when neither SSL nor
 * StartTLS was requested for that server.  The key manager is built from the
 * server's key store arguments (only if a key store path was given), and the
 * trust manager from its trust arguments; the interactive prompt chain used
 * when no other trust option is configured is shared across all servers.
 *
 * @param  serverIndex  The zero-based index of the server to which the
 *                      connection should be established.
 *
 * @return  The {@code SSLUtil} instance to use for secure communication, or
 *          {@code null} if secure communication is not needed.
 *
 * @throws  LDAPException  If a problem occurs while creating the SSLUtil
 *                         instance, such as a password file that cannot be
 *                         read or a key manager that cannot be created.
 */
@Nullable()
public final SSLUtil createSSLUtil(final int serverIndex) throws LDAPException {
  final boolean secureRequested = useSSL[serverIndex].isPresent() || useStartTLS[serverIndex].isPresent();
  if (!secureRequested) {
    return null;
  }

  // Key store problems are reported before any trust-related work, as the
  // key manager is always resolved first.
  final KeyManager keyManager;
  if (keyStorePath[serverIndex].isPresent()) {
    keyManager = createKeyManagerForServer(serverIndex);
  } else {
    keyManager = null;
  }

  final TrustManager trustManager = chooseTrustManagerForServer(serverIndex);
  return new SSLUtil(keyManager, trustManager);
}

/**
 * Builds the key manager for the key store configured for the given server.
 * The key store PIN comes from the password argument if present, otherwise
 * from the password file argument, otherwise no PIN is supplied.
 *
 * @param  serverIndex  The zero-based index of the server whose key store
 *                      arguments should be used.
 *
 * @return  The key manager for the server's key store.
 *
 * @throws  LDAPException  If the password file cannot be read or the key
 *                         manager cannot be created.
 */
private KeyManager createKeyManagerForServer(final int serverIndex) throws LDAPException {
  char[] keyStorePIN = null;
  if (keyStorePassword[serverIndex].isPresent()) {
    keyStorePIN = keyStorePassword[serverIndex].getValue().toCharArray();
  } else if (keyStorePasswordFile[serverIndex].isPresent()) {
    try {
      keyStorePIN = getPasswordFileReader().readPassword(keyStorePasswordFile[serverIndex].getValue());
    } catch (final Exception e) {
      Debug.debugException(e);
      throw new LDAPException(ResultCode.LOCAL_ERROR, ERR_LDAP_TOOL_CANNOT_READ_KEY_STORE_PASSWORD.get(StaticUtils.getExceptionMessage(e)), e);
    }
  }

  try {
    return new KeyStoreKeyManager(keyStorePath[serverIndex].getValue(), keyStorePIN, keyStoreFormat[serverIndex].getValue(), certificateNickname[serverIndex].getValue(), true);
  } catch (final Exception e) {
    Debug.debugException(e);
    throw new LDAPException(ResultCode.LOCAL_ERROR, ERR_LDAP_TOOL_CANNOT_CREATE_KEY_MANAGER.get(StaticUtils.getExceptionMessage(e)), e);
  }
}

/**
 * Selects the trust manager for the given server.  Precedence, highest
 * first:  trust-all; an explicit trust store (chained behind the SDK's
 * preferred non-interactive trust managers when default trust is also
 * requested); the preferred non-interactive chain on its own; and finally the
 * shared interactive prompt chain, of which only one instance is ever
 * published even if several servers resolve it concurrently.
 *
 * @param  serverIndex  The zero-based index of the server whose trust
 *                      arguments should be used.
 *
 * @return  The trust manager to use for the server.
 *
 * @throws  LDAPException  If the trust store password file cannot be read.
 */
private TrustManager chooseTrustManagerForServer(final int serverIndex) throws LDAPException {
  if (trustAll[serverIndex].isPresent()) {
    // Trust-all performs no chain validation at all and is only appropriate
    // when talking to a known test server.  The false presumably disables
    // validity-date checks -- confirm against TrustAllTrustManager.
    return new TrustAllTrustManager(false);
  }

  if (trustStorePath[serverIndex].isPresent()) {
    char[] trustStorePIN = null;
    if (trustStorePassword[serverIndex].isPresent()) {
      trustStorePIN = trustStorePassword[serverIndex].getValue().toCharArray();
    } else if (trustStorePasswordFile[serverIndex].isPresent()) {
      try {
        trustStorePIN = getPasswordFileReader().readPassword(trustStorePasswordFile[serverIndex].getValue());
      } catch (final Exception e) {
        Debug.debugException(e);
        throw new LDAPException(ResultCode.LOCAL_ERROR, ERR_LDAP_TOOL_CANNOT_READ_TRUST_STORE_PASSWORD.get(StaticUtils.getExceptionMessage(e)), e);
      }
    }

    final TrustStoreTrustManager storeTrustManager = new TrustStoreTrustManager(trustStorePath[serverIndex].getValue(), trustStorePIN, trustStoreFormat[serverIndex].getValue(), true);
    if (defaultTrust[serverIndex].isPresent()) {
      return InternalSDKHelper.getPreferredNonInteractiveTrustManagerChain(storeTrustManager);
    }
    return storeTrustManager;
  }

  if (defaultTrust[serverIndex].isPresent()) {
    return InternalSDKHelper.getPreferredNonInteractiveTrustManagerChain();
  }

  // No explicit trust configuration:  fall back to the prompt chain, which is
  // created lazily and shared across servers.  No expected addresses are
  // supplied here, so the prompt cannot warn about address mismatches.
  final TrustManager alreadyPublished = promptTrustManager.get();
  if (alreadyPublished != null) {
    return alreadyPublished;
  }

  final AggregateTrustManager freshChain = InternalSDKHelper.getPreferredPromptTrustManagerChain(null);
  if (promptTrustManager.compareAndSet(null, freshChain)) {
    return freshChain;
  }
  // Another caller published first; use its instance and discard ours.
  return promptTrustManager.get();
}
Use of com.unboundid.util.ssl.AggregateTrustManager in project ldapsdk by pingidentity.
The class LDAPCommandLineTool, method createSSLUtil.
/**
 * Creates the {@code SSLUtil} instance to use for secure communication, or
 * returns {@code null} when it is not needed.  The key manager is built from
 * the key store arguments (only if a key store path was given; a PKCS#11
 * format selects a PKCS#11 key manager), and the trust manager from the trust
 * arguments, falling back to a lazily created, shared interactive prompt
 * chain when no other trust option is configured.
 *
 * @param  force  Indicates whether to create the SSLUtil object even if
 *                neither the "--useSSL" nor the "--useStartTLS" argument was
 *                provided.  The key store and/or trust store paths must still
 *                have been provided.  This may be useful for tools that
 *                accept SSL-based communication but do not themselves intend
 *                to perform SSL-based communication as an LDAP client.
 *
 * @return  The {@code SSLUtil} instance to use for secure communication, or
 *          {@code null} if secure communication is not needed.
 *
 * @throws  LDAPException  If a problem occurs while creating the SSLUtil
 *                         instance, such as a password that cannot be read or
 *                         a key manager that cannot be created.
 */
@Nullable()
public SSLUtil createSSLUtil(final boolean force) throws LDAPException {
  if (!force && !useSSL.isPresent() && !useStartTLS.isPresent()) {
    return null;
  }

  // The key manager is resolved before the trust manager so that key store
  // problems are reported first.
  final KeyManager keyManager;
  if (keyStorePath.isPresent()) {
    keyManager = createKeyManagerFromArguments();
  } else {
    keyManager = null;
  }

  final TrustManager trustManager = chooseTrustManagerFromArguments();
  return new SSLUtil(keyManager, trustManager);
}

/**
 * Obtains the key store PIN from the key store password argument, the
 * password file argument, or an interactive prompt, in that order of
 * precedence.
 *
 * @return  The key store PIN, or {@code null} if none of the password
 *          arguments was provided.
 *
 * @throws  LDAPException  If the password file or the interactive password
 *                         cannot be read.
 */
private char[] readKeyStorePIN() throws LDAPException {
  if (keyStorePassword.isPresent()) {
    return keyStorePassword.getValue().toCharArray();
  }

  if (keyStorePasswordFile.isPresent()) {
    try {
      return getPasswordFileReader().readPassword(keyStorePasswordFile.getValue());
    } catch (final Exception e) {
      Debug.debugException(e);
      throw new LDAPException(ResultCode.LOCAL_ERROR, ERR_LDAP_TOOL_CANNOT_READ_KEY_STORE_PASSWORD.get(StaticUtils.getExceptionMessage(e)), e);
    }
  }

  if (promptForKeyStorePassword.isPresent()) {
    getOut().print(INFO_LDAP_TOOL_ENTER_KEY_STORE_PASSWORD.get());
    final char[] typedPIN = StaticUtils.toUTF8String(PasswordReader.readPassword()).toCharArray();
    getOut().println();
    return typedPIN;
  }

  return null;
}

/**
 * Builds the key manager for the configured key store.  A key store format of
 * "PKCS11" (case-insensitive) selects a PKCS#11 key manager; any other format
 * uses a file-based key store.
 *
 * @return  The key manager for the configured key store.
 *
 * @throws  LDAPException  If the key store PIN cannot be obtained or the key
 *                         manager cannot be created.
 */
private KeyManager createKeyManagerFromArguments() throws LDAPException {
  final char[] keyStorePIN = readKeyStorePIN();

  try {
    // The format check stays inside the try so that any failure here is
    // reported as a key manager creation problem, as before.
    final boolean usePKCS11 = keyStoreFormat.isPresent() && keyStoreFormat.getValue().equalsIgnoreCase("PKCS11");
    if (usePKCS11) {
      return new PKCS11KeyManager(null, new File(keyStorePath.getValue()), null, keyStorePIN, certificateNickname.getValue());
    }
    return new KeyStoreKeyManager(keyStorePath.getValue(), keyStorePIN, keyStoreFormat.getValue(), certificateNickname.getValue(), true);
  } catch (final Exception e) {
    Debug.debugException(e);
    throw new LDAPException(ResultCode.LOCAL_ERROR, ERR_LDAP_TOOL_CANNOT_CREATE_KEY_MANAGER.get(StaticUtils.getExceptionMessage(e)), e);
  }
}

/**
 * Obtains the trust store PIN from the trust store password argument, the
 * password file argument, or an interactive prompt, in that order of
 * precedence.
 *
 * @return  The trust store PIN, or {@code null} if none of the password
 *          arguments was provided.
 *
 * @throws  LDAPException  If the password file or the interactive password
 *                         cannot be read.
 */
private char[] readTrustStorePIN() throws LDAPException {
  if (trustStorePassword.isPresent()) {
    return trustStorePassword.getValue().toCharArray();
  }

  if (trustStorePasswordFile.isPresent()) {
    try {
      return getPasswordFileReader().readPassword(trustStorePasswordFile.getValue());
    } catch (final Exception e) {
      Debug.debugException(e);
      throw new LDAPException(ResultCode.LOCAL_ERROR, ERR_LDAP_TOOL_CANNOT_READ_TRUST_STORE_PASSWORD.get(StaticUtils.getExceptionMessage(e)), e);
    }
  }

  if (promptForTrustStorePassword.isPresent()) {
    getOut().print(INFO_LDAP_TOOL_ENTER_TRUST_STORE_PASSWORD.get());
    final char[] typedPIN = StaticUtils.toUTF8String(PasswordReader.readPassword()).toCharArray();
    getOut().println();
    return typedPIN;
  }

  return null;
}

/**
 * Selects the trust manager from the trust arguments.  Precedence, highest
 * first:  trust-all; an explicit trust store (chained behind the SDK's
 * preferred non-interactive trust managers when default trust is also
 * requested); the preferred non-interactive chain on its own; an already
 * published prompt chain; and finally a freshly created prompt chain, of
 * which only one instance is ever published.
 *
 * @return  The trust manager to use.
 *
 * @throws  LDAPException  If the trust store PIN cannot be obtained.
 */
private TrustManager chooseTrustManagerFromArguments() throws LDAPException {
  if (trustAll.isPresent()) {
    // Trust-all performs no chain validation at all and is only appropriate
    // when talking to a known test server.  The false presumably disables
    // validity-date checks -- confirm against TrustAllTrustManager.
    return new TrustAllTrustManager(false);
  }

  if (trustStorePath.isPresent()) {
    final char[] trustStorePIN = readTrustStorePIN();
    final TrustStoreTrustManager storeTrustManager = new TrustStoreTrustManager(trustStorePath.getValue(), trustStorePIN, trustStoreFormat.getValue(), true);
    if (defaultTrust.isPresent()) {
      return InternalSDKHelper.getPreferredNonInteractiveTrustManagerChain(storeTrustManager);
    }
    return storeTrustManager;
  }

  if (defaultTrust.isPresent()) {
    return InternalSDKHelper.getPreferredNonInteractiveTrustManagerChain();
  }

  final TrustManager alreadyPublished = promptTrustManager.get();
  if (alreadyPublished != null) {
    return alreadyPublished;
  }

  // The prompt may warn when the certificate lacks the address the client
  // connects to, so the configured hosts are only handed over when this tool
  // will itself connect securely; with force alone the list stays empty.
  final List<String> expectedAddresses = new ArrayList<>(5);
  if (useSSL.isPresent() || useStartTLS.isPresent()) {
    expectedAddresses.addAll(host.getValues());
  }

  final AggregateTrustManager freshChain = InternalSDKHelper.getPreferredPromptTrustManagerChain(expectedAddresses);
  if (promptTrustManager.compareAndSet(null, freshChain)) {
    return freshChain;
  }
  // Another caller published first; use its instance and discard ours.
  return promptTrustManager.get();
}