Custom implementation of the javax.net.ssl.X509TrustManager interface, which is responsible for verifying the authenticity of SSL/TLS certificates in Java applications. The CertificateValidityX509TrustManager class provides a custom implementation of the checkClientTrusted and checkServerTrusted methods, which are called by the TLS infrastructure …
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Objects;
import javax.net.ssl.X509TrustManager;
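/**
 * An {@link X509TrustManager} decorator that delegates chain verification to a wrapped trust manager and then
 * rejects any certificate in the chain that is expired or not yet valid.
 * <p>
 * The validity check runs only after the delegate has accepted the chain, so a chain the delegate rejects is
 * never inspected here. Whether the delegate already enforces validity periods itself depends on its
 * implementation; this wrapper makes the check explicit regardless.
 * <p>
 * This class holds no mutable state and is as thread-safe as the wrapped delegate.
 */
public class CertificateValidityX509TrustManager implements X509TrustManager {

    private final X509TrustManager impl;

    /**
     * Creates a trust manager that wraps {@code impl}.
     *
     * @param impl the trust manager that performs the actual chain verification; must not be {@code null}
     * @throws NullPointerException if {@code impl} is {@code null}
     */
    public CertificateValidityX509TrustManager(X509TrustManager impl) {
        // Fail at construction time rather than on the first handshake.
        this.impl = Objects.requireNonNull(impl, "impl");
    }

    /**
     * Verifies a client certificate chain via the delegate, then checks every certificate's validity period.
     *
     * @param x509Certificates the peer certificate chain
     * @param s the authentication type as passed by the TLS layer
     * @throws CertificateExpiredException if a certificate in the chain has expired
     * @throws CertificateNotYetValidException if a certificate in the chain is not yet valid
     * @throws CertificateException if the delegate rejects the chain
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        impl.checkClientTrusted(x509Certificates, s);
        checkCertificateValidity(x509Certificates);
    }

    /**
     * Verifies a server certificate chain via the delegate, then checks every certificate's validity period.
     *
     * @param x509Certificates the peer certificate chain
     * @param s the key exchange algorithm as passed by the TLS layer
     * @throws CertificateExpiredException if a certificate in the chain has expired
     * @throws CertificateNotYetValidException if a certificate in the chain is not yet valid
     * @throws CertificateException if the delegate rejects the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        impl.checkServerTrusted(x509Certificates, s);
        checkCertificateValidity(x509Certificates);
    }

    /**
     * Returns the issuer certificates the wrapped delegate trusts; this class adds none of its own.
     *
     * @return the delegate's accepted issuers
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return impl.getAcceptedIssuers();
    }

    /**
     * Checks that every certificate in the chain is within its validity period at a single point in time.
     * Uses {@link X509Certificate#checkValidity(Date)} so the standard exception types are thrown: an expired
     * certificate yields {@link CertificateExpiredException}, a not-yet-valid one yields
     * {@link CertificateNotYetValidException}.
     *
     * @param x509Certificates the chain to check
     * @throws IllegalArgumentException if the chain is {@code null} or empty, per the {@link X509TrustManager} contract
     * @throws CertificateExpiredException if a certificate in the chain has expired
     * @throws CertificateNotYetValidException if a certificate in the chain is not yet valid
     */
    private void checkCertificateValidity(X509Certificate[] x509Certificates) throws CertificateException {
        if (x509Certificates == null || x509Certificates.length == 0) {
            throw new IllegalArgumentException("Certificate chain is null or empty");
        }
        // One timestamp for the whole chain so every certificate is judged against the same instant.
        Date now = new Date();
        for (int i = 0; i < x509Certificates.length; i++) {
            X509Certificate cert = x509Certificates[i];
            try {
                cert.checkValidity(now);
            } catch (CertificateExpiredException e) {
                // Re-throw with the chain position and boundary date so the rejection is diagnosable from logs.
                CertificateExpiredException detailed = new CertificateExpiredException(
                        "Certificate " + i + " in chain expired on " + cert.getNotAfter());
                detailed.initCause(e);
                throw detailed;
            } catch (CertificateNotYetValidException e) {
                CertificateNotYetValidException detailed = new CertificateNotYetValidException(
                        "Certificate " + i + " in chain will not be valid until " + cert.getNotBefore());
                detailed.initCause(e);
                throw detailed;
            }
        }
    }
}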