eu.emi.security.authn.x509.helpers.ssl
Class SSLTrustManager

java.lang.Object
  extended by eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager
All Implemented Interfaces:
TrustManager, X509TrustManager

public class SSLTrustManager
extends Object
implements X509TrustManager

Implementation of TrustManager which uses a configured X509CertChainValidator to validate certificates.

Note that if the client's certificate is not trusted the server will send an alert and close the connection. Unfortunately, TLS is build in such a way, that in the same time, the client might still be busy with sending the rest of handshake data (the client's certificate is sent first, then other records). This alone would be no problem but Java SSL implementation, when trustmanager throws an exception, first closes the input half of the socket and only then sends the alert. All this is done without waiting for the client to finish sending its portion of handshake data. This can cause a race condition: client will try to send data on a closed channel of the socket, before it receives an alert about its certificate. The only known solution is to introduce a sleep before throwing an exception by checkClientTrusted(). But it is hard to provide a good value, and what is more this timeout is obviously slowing the invalid connection dropping, what might be used to perform DoS attacs. Therefore there is no solution implemented.

Author:
K. Benedyczak

Field Summary
protected  X509CertChainValidator validator
           
 
Constructor Summary
SSLTrustManager(X509CertChainValidator validator)
           
 
Method Summary
 void checkClientTrusted(X509Certificate[] chain, String authType)
          
protected  void checkIfTrusted(X509Certificate[] certChain)
           
 void checkServerTrusted(X509Certificate[] chain, String authType)
          
 X509Certificate[] getAcceptedIssuers()
          
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

validator

protected X509CertChainValidator validator
Constructor Detail

SSLTrustManager

public SSLTrustManager(X509CertChainValidator validator)
Method Detail

checkClientTrusted

public void checkClientTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException

Specified by:
checkClientTrusted in interface X509TrustManager
Throws:
CertificateException

checkServerTrusted

public void checkServerTrusted(X509Certificate[] chain,
                               String authType)
                        throws CertificateException

Specified by:
checkServerTrusted in interface X509TrustManager
Throws:
CertificateException

checkIfTrusted

protected void checkIfTrusted(X509Certificate[] certChain)
                       throws CertificateException
Throws:
CertificateException

getAcceptedIssuers

public X509Certificate[] getAcceptedIssuers()

Specified by:
getAcceptedIssuers in interface X509TrustManager


Copyright © 2012-2013 European Middleware Initiative. All Rights Reserved.