
Example 6 with X509TrustManager

use of javax.net.ssl.X509TrustManager in project okhttp by square.

Class OkHttpClient, method systemDefaultTrustManager: obtains the JVM's default X509TrustManager (platform CA store) and fails loudly if the provider returns anything other than exactly one.

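/**
 * Returns the JVM's default {@link X509TrustManager}, i.e. the one backed by the platform's
 * built-in CA store (initialising the factory with a {@code null} {@link KeyStore} selects the
 * default trust store).
 *
 * <p>Exactly one X.509 trust manager is expected from the default factory. Anything else points
 * at an unexpected or misconfigured security provider, so it is reported as an
 * {@link IllegalStateException} rather than silently picking an element.
 *
 * @throws IllegalStateException if the default factory does not yield exactly one
 *     {@link X509TrustManager}
 * @throws AssertionError if the platform has no TLS support at all; the underlying
 *     {@link GeneralSecurityException} is attached as the cause so the reason is not lost
 */
private X509TrustManager systemDefaultTrustManager() {
    try {
        TrustManagerFactory trustManagerFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null key store means "use the platform's default trust store".
        trustManagerFactory.init((KeyStore) null);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
        }
        return (X509TrustManager) trustManagers[0];
    } catch (GeneralSecurityException e) {
        // The system has no TLS. Just give up, but keep the cause so the failure is diagnosable
        // instead of an anonymous AssertionError.
        throw new AssertionError("No System TLS", e);
    }
}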

Example 7 with X509TrustManager

use of javax.net.ssl.X509TrustManager in project okhttp by square.

Class CustomCipherSuites, method defaultTrustManager: same default-trust-store lookup as above, but propagates GeneralSecurityException to the caller instead of converting it to an AssertionError.

/**
 * Returns a trust manager backed by the VM's built-in certificate authorities.
 *
 * <p>The default {@link TrustManagerFactory} is initialised with a {@code null} key store, which
 * selects the platform's default trust store. Exactly one {@link X509TrustManager} is expected
 * back; any other result indicates an unexpected security provider and is rejected.
 *
 * @throws GeneralSecurityException if the default trust manager algorithm is unavailable or the
 *     factory cannot be initialised
 * @throws IllegalStateException if the factory does not return exactly one X.509 trust manager
 */
private X509TrustManager defaultTrustManager() throws GeneralSecurityException {
    String algorithm = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
    // null => platform default trust store.
    factory.init((KeyStore) null);
    TrustManager[] managers = factory.getTrustManagers();
    boolean exactlyOneX509 = managers.length == 1 && managers[0] instanceof X509TrustManager;
    if (!exactlyOneX509) {
        throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(managers));
    }
    return (X509TrustManager) managers[0];
}

Example 8 with X509TrustManager

use of javax.net.ssl.X509TrustManager in project okhttp by square.

Class AndroidPlatform, method trustManager: recovers the X509TrustManager behind an Android SSLSocketFactory by reflecting on Conscrypt's private fields (platform build first, then the Play Services copy), falling back to the base platform lookup when neither is present.

/**
 * Recovers the {@link X509TrustManager} an Android {@link SSLSocketFactory} was built with by
 * reading Conscrypt's private {@code sslParameters} field and then its trust-manager field.
 *
 * <p>Two Conscrypt flavours are probed: the platform class held in {@code sslParametersClass},
 * and the Google Play Services copy, which is only reachable through the socket factory's own
 * class loader. If the GMS class is absent the lookup is delegated to the base implementation.
 * This is reflection on private internals, so a {@code null} result (field missing or renamed)
 * is a real possibility that callers must handle.
 */
@Override
public X509TrustManager trustManager(SSLSocketFactory sslSocketFactory) {
    Object sslParameters = readFieldOrNull(sslSocketFactory, sslParametersClass, "sslParameters");
    if (sslParameters == null) {
        // Not the platform Conscrypt; try the GMS build. Its classes live in the socket
        // factory's class loader, not ours, so resolve the class there (without initialising it).
        ClassLoader factoryLoader = sslSocketFactory.getClass().getClassLoader();
        Class<?> gmsSslParametersClass;
        try {
            gmsSslParametersClass = Class.forName("com.google.android.gms.org.conscrypt.SSLParametersImpl", false, factoryLoader);
        } catch (ClassNotFoundException e) {
            return super.trustManager(sslSocketFactory);
        }
        sslParameters = readFieldOrNull(sslSocketFactory, gmsSslParametersClass, "sslParameters");
    }
    // Conscrypt has used two different field names for the trust manager; try both.
    X509TrustManager fromX509Field = readFieldOrNull(sslParameters, X509TrustManager.class, "x509TrustManager");
    return fromX509Field != null
            ? fromX509Field
            : readFieldOrNull(sslParameters, X509TrustManager.class, "trustManager");
}

Example 9 with X509TrustManager

use of javax.net.ssl.X509TrustManager in project okhttp by square.

Class URLConnectionTest, method connectViaHttpsReusingConnectionsDifferentFactories: checks that a second client configured with a different (default-trust) SSL socket factory does not reuse the first client's authenticated connection and instead fails its own handshake.

/**
 * Two clients with different SSL socket factories must not share a pooled HTTPS connection.
 *
 * <p>The first client trusts the test server's certificate and reads a response. The second
 * client is built on the JVM's default trust store, which does not include the test certificate,
 * so its request must fail with an {@link SSLException} rather than silently riding the first
 * client's already-authenticated socket.
 */
@Test
public void connectViaHttpsReusingConnectionsDifferentFactories() throws Exception {
    server.useHttps(sslClient.socketFactory, false);
    server.enqueue(new MockResponse().setBody("this response comes via HTTPS"));
    server.enqueue(new MockResponse().setBody("another response via HTTPS"));

    // First client: trusts the test server through the shared sslClient trust manager.
    urlFactory.setClient(urlFactory.client().newBuilder()
            .sslSocketFactory(sslClient.socketFactory, sslClient.trustManager)
            .hostnameVerifier(new RecordingHostnameVerifier())
            .build());
    HttpURLConnection trustedConnection = urlFactory.open(server.url("/").url());
    assertContent("this response comes via HTTPS", trustedConnection);

    // Second client: a plain SSLContext initialised with all-platform defaults plus the
    // platform's default X509 trust manager. Neither knows the test server's certificate.
    SSLContext defaultContext = SSLContext.getInstance("TLS");
    defaultContext.init(null, null, null);
    TrustManagerFactory defaultFactory =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    defaultFactory.init((KeyStore) null);
    X509TrustManager defaultTrustManager = (X509TrustManager) defaultFactory.getTrustManagers()[0];
    urlFactory.setClient(urlFactory.client().newBuilder()
            .sslSocketFactory(defaultContext.getSocketFactory(), defaultTrustManager)
            .build());

    HttpURLConnection untrustedConnection = urlFactory.open(server.url("/").url());
    try {
        readAscii(untrustedConnection.getInputStream(), Integer.MAX_VALUE);
        fail("without an SSL socket factory, the connection should fail");
    } catch (SSLException expected) {
        // Handshake rejected: the default trust store does not trust the test certificate.
    }
}

Example 10 with X509TrustManager

use of javax.net.ssl.X509TrustManager in project okhttp by square.

Class CustomTrust, method trustManagerForCertificates: builds an X509TrustManager that trusts only the supplied certificates, replacing (not supplementing) the platform CA store.

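/**
   * Returns a trust manager that trusts {@code certificates} and none other. HTTPS services whose
   * certificates have not been signed by these certificates will fail with a {@code
   * SSLHandshakeException}.
   *
   * <p>This can be used to replace the host platform's built-in trusted certificates with a custom
   * set. This is useful in development where certificate authority-trusted certificates aren't
   * available. Or in production, to avoid reliance on third-party certificate authorities.
   *
   * <p>See also {@link CertificatePinner}, which can limit trusted certificates while still using
   * the host platform's built-in trust store.
   *
   * <h3>Warning: Customizing Trusted Certificates is Dangerous!</h3>
   *
   * <p>Relying on your own trusted certificates limits your server team's ability to update their
   * TLS certificates. By installing a specific set of trusted certificates, you take on additional
   * operational complexity and limit your ability to migrate between certificate authorities. Do
   * not use custom trusted certificates in production without the blessing of your server's TLS
   * administrator.
   *
   * <p>Note that the returned trust manager only decides which certificate chains are trusted.
   * It does not by itself verify that the certificate matches the host being contacted; hostname
   * verification remains the job of the configured {@code HostnameVerifier}. The caller owns
   * {@code in}: it is read to the end here but not closed.
   *
   * @param in X.509 certificates in any encoding accepted by
   *     {@link CertificateFactory#generateCertificates(InputStream)}
   * @throws IllegalArgumentException if {@code in} yields no certificates; an empty trust set
   *     would reject every peer, which is never the caller's intent
   * @throws IllegalStateException if the trust manager factory does not return exactly one
   *     {@link X509TrustManager}
   * @throws GeneralSecurityException if the certificates cannot be parsed or stored
   */
private X509TrustManager trustManagerForCertificates(InputStream in) throws GeneralSecurityException {
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
    Collection<? extends Certificate> certificates = certificateFactory.generateCertificates(in);
    if (certificates.isEmpty()) {
        throw new IllegalArgumentException("expected non-empty set of trusted certificates");
    }
    // Put the certificates in a key store.
    // Any password will work: the store holds only public certificate entries, no private keys.
    char[] password = "password".toCharArray();
    KeyStore keyStore = newEmptyKeyStore(password);
    int index = 0;
    for (Certificate certificate : certificates) {
        String certificateAlias = Integer.toString(index++);
        keyStore.setCertificateEntry(certificateAlias, certificate);
    }
    // Use it to build an X509 trust manager. No KeyManagerFactory is involved: this method
    // configures which peers to trust, not a client identity, so building one would be wasted work.
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(keyStore);
    TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
    if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
        throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
    }
    return (X509TrustManager) trustManagers[0];
}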
