diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-12 12:57:05 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-02-19 17:00:32 +0100 |
commit | a0a9406a7c298ab8be4cf556e1a7b441e1eeffa7 (patch) | |
tree | bfde52fee7b786642c1046541e0fa287ca65cf69 /security-utils/src/main/java/com/yahoo | |
parent | fe8263404bd40d0e605853d10c9a20e91471a205 (diff) |
Add mutable x509 trust manager
Add a x509 trust manager where certificates can be updated while the manager is in use.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java new file mode 100644 index 00000000000..ed424480d26 --- /dev/null +++ b/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java @@ -0,0 +1,70 @@ +// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.security.tls; + +import javax.net.ssl.SSLEngine; +import javax.net.ssl.X509ExtendedTrustManager; +import java.net.Socket; +import java.security.KeyStore; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; + +/** + * A {@link X509ExtendedTrustManager} which can be updated with new CA certificates while in use. + * + * @author bjorncs + */ +public class MutableX509TrustManager extends X509ExtendedTrustManager { + + private volatile X509ExtendedTrustManager currentManager; + + public MutableX509TrustManager(KeyStore truststore) { + this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(truststore); + } + + public MutableX509TrustManager() { + this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(); + } + + public void updateTruststore(KeyStore truststore) { + this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(truststore); + } + + public void useDefaultTruststore() { + this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { + currentManager.checkClientTrusted(chain, authType); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { + currentManager.checkServerTrusted(chain, authType); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { + currentManager.checkClientTrusted(chain, authType, socket); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { + currentManager.checkServerTrusted(chain, authType, socket); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException { + currentManager.checkClientTrusted(chain, authType, sslEngine); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException { + currentManager.checkServerTrusted(chain, authType, sslEngine); + } + + @Override + public X509Certificate[] getAcceptedIssuers() { + return currentManager.getAcceptedIssuers(); + } +} |