

@lenosi
Last active February 27, 2023 13:03
Custom implementation of the javax.net.ssl.X509TrustManager interface, which is responsible for verifying the authenticity of SSL/TLS certificates in Java applications. The CertificateValidityX509TrustManager class provides a custom implementation of the checkClientTrusted and checkServerTrusted methods, which are called by the TLS infrastructure …
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Objects;
import javax.net.ssl.X509TrustManager;
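/**
 * An {@link X509TrustManager} decorator that delegates trust decisions to a wrapped trust manager and
 * additionally rejects any certificate in the presented chain whose validity period does not cover the
 * current time.
 *
 * <p>Checks run in a fixed order: the chain is first required to be non-empty, then the delegate performs
 * its own verification, and only if that succeeds is the validity period of every certificate checked.
 * This is useful when the delegate does not itself enforce the validity period, so that an expired or
 * not-yet-valid certificate cannot be accepted.
 *
 * <p>This class is immutable after construction and is as thread-safe as the wrapped delegate.
 */
public class CertificateValidityX509TrustManager implements X509TrustManager {
    private final X509TrustManager impl;

    /**
     * Wraps an existing trust manager.
     *
     * @param impl the trust manager that performs the actual chain verification; must not be {@code null}
     * @throws NullPointerException if {@code impl} is {@code null}
     */
    public CertificateValidityX509TrustManager(X509TrustManager impl) {
        this.impl = Objects.requireNonNull(impl, "impl");
    }

    /**
     * Verifies a client certificate chain with the delegate and then checks every certificate's validity period.
     *
     * @param x509Certificates the peer certificate chain, leaf first; must not be {@code null} or empty
     * @param s the authentication type (key exchange algorithm) as reported by the TLS layer
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if the delegate rejects the chain, or if any certificate has expired
     *     ({@link CertificateExpiredException}) or is not yet valid ({@link CertificateNotYetValidException})
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        requireNonEmptyChain(x509Certificates);
        impl.checkClientTrusted(x509Certificates, s);
        checkCertificateValidity(x509Certificates);
    }

    /**
     * Verifies a server certificate chain with the delegate and then checks every certificate's validity period.
     *
     * @param x509Certificates the peer certificate chain, leaf first; must not be {@code null} or empty
     * @param s the authentication type (key exchange algorithm) as reported by the TLS layer
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if the delegate rejects the chain, or if any certificate has expired
     *     ({@link CertificateExpiredException}) or is not yet valid ({@link CertificateNotYetValidException})
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        requireNonEmptyChain(x509Certificates);
        impl.checkServerTrusted(x509Certificates, s);
        checkCertificateValidity(x509Certificates);
    }

    /**
     * Returns the issuer certificates accepted by the wrapped delegate; this class adds none of its own.
     *
     * @return whatever the delegate's {@link X509TrustManager#getAcceptedIssuers()} returns
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return impl.getAcceptedIssuers();
    }

    /**
     * Enforces the {@link X509TrustManager} contract that a {@code null} or zero-length chain is an
     * illegal argument rather than something to be silently accepted.
     *
     * @param chain the chain to check
     * @throws IllegalArgumentException if {@code chain} is {@code null} or empty
     */
    private static void requireNonEmptyChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("certificate chain must not be null or empty");
        }
    }

    /**
     * Checks that every certificate in the chain is valid at the current time.
     *
     * @param x509Certificates the chain to check; must not be {@code null}
     * @throws CertificateExpiredException if a certificate's notAfter is in the past
     * @throws CertificateNotYetValidException if a certificate's notBefore is in the future
     */
    private static void checkCertificateValidity(X509Certificate[] x509Certificates)
            throws CertificateExpiredException, CertificateNotYetValidException {
        // Sample the clock once so the whole chain is judged against the same instant.
        long now = System.currentTimeMillis();
        for (X509Certificate cert : x509Certificates) {
            if (now > cert.getNotAfter().getTime()) {
                throw new CertificateExpiredException("Certificate expired on " + cert.getNotAfter());
            }
            if (now < cert.getNotBefore().getTime()) {
                // Distinct exception type so callers can tell "too early" from "too late".
                throw new CertificateNotYetValidException(
                        "Certificate will not be valid until " + cert.getNotBefore());
            }
        }
    }
}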