Add mutable x509 trust manager

Add a x509 trust manager where certificates can be updated while the manager is in use.
author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-02-12 12:57:05 +0100
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-02-19 17:00:32 +0100
commit: a0a9406a7c298ab8be4cf556e1a7b441e1eeffa7 (patch)
tree: bfde52fee7b786642c1046541e0fa287ca65cf69 /security-utils/src/main/java/com/yahoo
parent: fe8263404bd40d0e605853d10c9a20e91471a205 (diff)
1 files changed, 70 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java b/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java
new file mode 100644
index 00000000000..ed424480d26
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/MutableX509TrustManager.java
@@ -0,0 +1,70 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.tls;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.net.Socket;
+import java.security.KeyStore;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/**
+ * A {@link X509ExtendedTrustManager} which can be updated with new CA certificates while in use.
+ *
+ * @author bjorncs
+ */
+public class MutableX509TrustManager extends X509ExtendedTrustManager {
+
+    private volatile X509ExtendedTrustManager currentManager;
+
+    public MutableX509TrustManager(KeyStore truststore) {
+        this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(truststore);
+    }
+
+    public MutableX509TrustManager() {
+        this.currentManager = TrustManagerUtils.createDefaultX509TrustManager();
+    }
+
+    public void updateTruststore(KeyStore truststore) {
+        this.currentManager = TrustManagerUtils.createDefaultX509TrustManager(truststore);
+    }
+
+    public void useDefaultTruststore() {
+        this.currentManager = TrustManagerUtils.createDefaultX509TrustManager();
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        currentManager.checkClientTrusted(chain, authType);
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        currentManager.checkServerTrusted(chain, authType);
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        currentManager.checkClientTrusted(chain, authType, socket);
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        currentManager.checkServerTrusted(chain, authType, socket);
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
+        currentManager.checkClientTrusted(chain, authType, sslEngine);
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException {
+        currentManager.checkServerTrusted(chain, authType, sslEngine);
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return currentManager.getAcceptedIssuers();
+    }
+}
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-02-12 12:57:05 +0100
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-02-19 17:00:32 +0100
commit	a0a9406a7c298ab8be4cf556e1a7b441e1eeffa7 (patch)
tree	bfde52fee7b786642c1046541e0fa287ca65cf69 /security-utils/src/main/java/com/yahoo
parent	fe8263404bd40d0e605853d10c9a20e91471a205 (diff)