/* * The contents of this file are subject to the "END USER LICENSE AGREEMENT FOR F5 * Software Development Kit for iControl"; you may not use this file except in * compliance with the License. The License is included in the iControl * Software Development Kit. * * Software distributed under the License is distributed on an "AS IS" * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See * the License for the specific language governing rights and limitations * under the License. * * The Original Code is iControl Code and related documentation * distributed by F5. * * Portions created by F5 are Copyright (C) 1996-2004 F5 Networks * Inc. All Rights Reserved. iControl (TM) is a registered trademark of * F5 Networks, Inc. * * Alternatively, the contents of this file may be used under the terms * of the GNU General Public License (the "GPL"), in which case the * provisions of GPL are applicable instead of those above. If you wish * to allow use of your version of this file only under the terms of the * GPL and not to allow others to use your version of this file under the * License, indicate your decision by deleting the provisions above and * replace them with the notice and other provisions required by the GPL. * If you do not delete the provisions above, a recipient may use your * version of this file under either the License or the GPL. * * This code has been slightly tweaked from that implementation described * above. Comments are mostly mine (tvf) and are more notes of what I * understand of it. * * The lisence in question is compatible with the BSD style license under which * fedd is released. 
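-- tvf */
package net.deterlab.isi;

import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivilegedAction;
import java.security.Security;
import java.security.cert.X509Certificate;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactorySpi;
import javax.net.ssl.X509TrustManager;
import java.math.BigInteger;
import java.util.Date;
import java.security.Principal;
import java.security.PublicKey;
import java.util.Set;
import java.util.TreeSet;
import java.io.File;
import java.io.IOException;
import java.io.PrintStream;

/**
 * A JCA provider whose only service is a TrustManagerFactory that performs
 * no certificate validation whatsoever.
 *
 * After {@link #install()} runs, the process-wide default TrustManagerFactory
 * algorithm is switched to this one, so any SSLContext that relies on the
 * default trust manager (e.g. SSLContext.getDefault()) accepts every client
 * or server chain it is handed: self-signed, expired, revoked or forged.
 * TLS then still encrypts the connection but no longer authenticates the
 * peer, so an active attacker on the path can stand in for the real server.
 * This is appropriate only where the peer is authenticated by some other
 * mechanism, or in throwaway test setups; otherwise load the expected CA or
 * end-entity certificate into a KeyStore and use the standard "PKIX"
 * factory instead.
 *
 * install() is not synchronized; two racing callers may each build a
 * provider, but Security.insertProviderAt rejects a second provider with
 * the same name, so the race is harmless.
 */
public final class XTrustProvider extends java.security.Provider {
    private final static String NAME = "XTrustJSSE";
    private final static String INFO = "XTrust JSSE Provider (implements trust factory with "
        + "truststore validation disabled)";
    private final static double VERSION = 1.0D;

    /**
     * Registers the single service this provider offers, keyed as
     * "TrustManagerFactory.&lt;algorithm&gt;" the way JCA expects.
     * The put() is wrapped in doPrivileged, presumably so the provider can
     * be constructed from code running with a restrictive security policy.
     */
    public XTrustProvider() {
        super(NAME, VERSION, INFO);
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            public Void run() {
                put("TrustManagerFactory." + TrustManagerFactoryImpl.getAlgorithm(),
                    TrustManagerFactoryImpl.class.getName());
                return null;
            }
        });
    }

    /**
     * Install this null provider as the JVM's default SSL truststore
     * validator.  Idempotent: a second call finds the provider already
     * registered and does nothing.
     *
     * Both effects are process-wide and are never undone by this class:
     * the provider is inserted at position 2 (ahead of everything but the
     * first provider), and the "ssl.TrustManagerFactory.algorithm" security
     * property -- the one TrustManagerFactory.getDefaultAlgorithm() reads --
     * is pointed at {@link TrustManagerFactoryImpl#getAlgorithm()}.
     */
    public static void install() {
        if (Security.getProvider(NAME) != null) {
            return;
        }
        Security.insertProviderAt(new XTrustProvider(), 2);
        Security.setProperty("ssl.TrustManagerFactory.algorithm",
                             TrustManagerFactoryImpl.getAlgorithm());
    }

    /**
     * The TrustManagerFactory SPI.  Whatever KeyStore it is initialised with
     * is ignored; the factory always hands out the accept-everything
     * X509TrustManager built in {@link #engineGetTrustManagers()}.
     */
    public final static class TrustManagerFactoryImpl extends TrustManagerFactorySpi {

        /** Public no-arg constructor, required for JCA to instantiate the SPI reflectively. */
        public TrustManagerFactoryImpl() {
        }

        /** @return the algorithm name this factory is registered under. */
        public static String getAlgorithm() {
            return "XTrust509";
        }

        /**
         * Accepts and discards any keystore: nothing in it is ever consulted.
         *
         * @param keystore ignored
         */
        protected void engineInit(KeyStore keystore) throws KeyStoreException {
        }

        /**
         * Parameter-based initialisation is not supported.
         *
         * @throws InvalidAlgorithmParameterException always
         */
        protected void engineInit(ManagerFactoryParameters mgrparams)
                throws InvalidAlgorithmParameterException {
            throw new InvalidAlgorithmParameterException(
                XTrustProvider.NAME + " does not use ManagerFactoryParameters");
        }

        /**
         * A do-nothing concrete X509Certificate.  The original author added
         * it believing an empty array of an abstract class could not be
         * allocated; in fact {@code new X509Certificate[0]} is legal Java and
         * {@link #engineGetTrustManagers()} now uses that.  The class is kept
         * because it is public and other code may still reference it.
         *
         * Every accessor returns an empty array, null, zero or an empty set;
         * none of the verify/checkValidity methods ever throws.  It is not a
         * usable certificate and must never be placed in a chain.
         */
        public static class NullX509Certificate extends X509Certificate {
            public NullX509Certificate() {
                super();
            }
            public byte[] getEncoded() { return new byte[0]; }
            public PublicKey getPublicKey() { return null; }
            public String toString() {
                return "Where'd you get this??? " + "Dummy class for allocating a null array";
            }
            public void verify(PublicKey key) { }
            public void verify(PublicKey key, String prov) { }
            public void checkValidity() { }
            public void checkValidity(Date d) { }
            public int getBasicConstraints() { return 0; }
            public Principal getIssuerDN() { return null; }
            public boolean[] getIssuerUniqueID() { return new boolean[0]; }
            public boolean[] getKeyUsage() { return new boolean[0]; }
            public Date getNotAfter() { return null; }
            public Date getNotBefore() { return null; }
            public BigInteger getSerialNumber() { return null; }
            public String getSigAlgName() { return null; }
            public String getSigAlgOID() { return null; }
            public byte[] getSigAlgParams() { return new byte[0]; }
            public byte[] getSignature() { return new byte[0]; }
            public Principal getSubjectDN() { return null; }
            public boolean[] getSubjectUniqueID() { return new boolean[0]; }
            public byte[] getTBSCertificate() { return new byte[0]; }
            public int getVersion() { return 0; }
            public Set<String> getCriticalExtensionOIDs() { return new TreeSet<String>(); }
            public byte[] getExtensionValue(String o) { return null; }
            public Set<String> getNonCriticalExtensionOIDs() { return new TreeSet<String>(); }
            // Deliberately "true" in the original; kept as-is.
            public boolean hasUnsupportedCriticalExtension() { return true; }
        }

        /**
         * The only argument checking this trust manager does: the
         * X509TrustManager contract says a null or empty chain, or a null or
         * empty authType, is an IllegalArgumentException.  Nothing about the
         * certificates themselves is examined.
         *
         * @throws IllegalArgumentException on a missing chain or authType
         */
        private static void requireArgs(X509Certificate[] chain, String authType) {
            if (chain == null || chain.length == 0) {
                throw new IllegalArgumentException("null or empty certificate chain");
            }
            if (authType == null || authType.length() == 0) {
                throw new IllegalArgumentException("null or empty authType");
            }
        }

        /**
         * Returns a single X509TrustManager that accepts every chain.
         * checkClientTrusted/checkServerTrusted throw only for the malformed
         * arguments the API contract rejects; a syntactically present chain is
         * trusted without looking at it.  getAcceptedIssuers returns an empty
         * array, i.e. no trusted issuers are advertised to clients.
         *
         * @return a one-element array holding the accept-all trust manager
         */
        protected TrustManager[] engineGetTrustManagers() {
            X509TrustManager acceptAll = new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
                public void checkClientTrusted(X509Certificate[] chain, String authType) {
                    requireArgs(chain, authType);
                }
                public void checkServerTrusted(X509Certificate[] chain, String authType) {
                    requireArgs(chain, authType);
                }
            };
            return new TrustManager[] { acceptAll };
        }
    }
}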