juneau-rest/juneau-rest-client/src/main/java/org/apache/juneau/rest/client/SimpleX509TrustManager.java

// ***************************************************************************************************************************
// * Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements.  See the NOTICE file *
// * distributed with this work for additional information regarding copyright ownership.  The ASF licenses this file        *
// * to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance            *
// * with the License.  You may obtain a copy of the License at                                                              *
// *                                                                                                                         *
// *  http://www.apache.org/licenses/LICENSE-2.0                                                                             *
// *                                                                                                                         *
// * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an  *
// * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the License for the        *
// * specific language governing permissions and limitations under the License.                                              *
// ***************************************************************************************************************************
package org.apache.juneau.rest.client;

import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

/**
 * A trust manager that optionally allows for self-signed certificates.
 */
public final class SimpleX509TrustManager implements X509TrustManager {

	private X509TrustManager baseTrustManager;  // The JRE-provided trust manager used to validate certificates presented by a server.

	/**
	 * Constructor.
	 *
	 * @param lax If <jk>true</jk>, allow self-signed and expired certificates.
	 * @throws KeyStoreException Generic keystore exception.
	 * @throws NoSuchAlgorithmException Unknown cryptographic algorithm.
	 */
	public SimpleX509TrustManager(boolean lax) throws KeyStoreException, NoSuchAlgorithmException {
		if (! lax) {
			// Find the JRE-provided X509 trust manager.
			KeyStore ks = KeyStore.getInstance("jks");
			TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
			factory.init(ks);
			for (TrustManager tm : factory.getTrustManagers()) {
				if (tm instanceof X509TrustManager) {
					baseTrustManager = (X509TrustManager)tm; // Take the first X509TrustManager we find
					return;
				}
			}
			throw new IllegalStateException("Couldn't find JRE's X509TrustManager");
		}
	}

	@Override /* X509TrustManager */
	public X509Certificate[] getAcceptedIssuers() {
		return baseTrustManager == null ? new X509Certificate[0] : baseTrustManager.getAcceptedIssuers();
	}

	@Override /* X509TrustManager */
	public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
		if (baseTrustManager != null)
			baseTrustManager.checkClientTrusted(chain, authType);
	}

	@Override /* X509TrustManager */
	public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
		if (baseTrustManager != null)
			baseTrustManager.checkServerTrusted(chain, authType);
	}
}