mlaccetti/DefaultTrustManager.java

## DefaultTrustManager.java
package laccetti.server.security;

import lombok.extern.slf4j.Slf4j;
import org.jsslutils.sslcontext.X509TrustManagerWrapper;

import javax.net.ssl.X509TrustManager;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

/**
 * Wildcard Trust
 */
@Slf4j
public class DefaultTrustManager implements X509TrustManagerWrapper {
  private final String[] hostNamePatterns;

  public DefaultTrustManager(final String[] hostNamePatterns) {
    this.hostNamePatterns = hostNamePatterns;
  }

  @Override
  public X509TrustManager wrapTrustManager(final X509TrustManager trustManager) {
    return new X509TrustManager() {
      /**
       * {@inheritDoc}
       */
      public void checkClientTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
        log.trace("Validating client certificate.");
        verifyHostName(chain);
      }

      /**
       * {@inheritDoc}
       */
      public void checkServerTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
        log.trace("Validating server certificate.");
        verifyHostName(chain);
      }

      /**
       * {@inheritDoc}
       */
      public X509Certificate[] getAcceptedIssuers() {
        log.debug("Getting accepted issuers.");
        return trustManager.getAcceptedIssuers();
      }

      /**
       * Checks whether a host name matches the provided pattern. It accepts
       * the use of wildcards in the pattern, e.g. {@code *.example.com}.
       *
       * @param hostName The host name.
       * @param pattern  The host name pattern, which may contain wild cards.
       * @return {@code true} if the host name matched the pattern, otherwise
       * {@code false}.
       */
      private boolean hostNameMatchesPattern(final String hostName, final String pattern) {
        final String[] nameElements = hostName.split("\\.");
        final String[] patternElements = pattern.split("\\.");

        boolean hostMatch = nameElements.length == patternElements.length;
        for (int i = 0; i < nameElements.length && hostMatch; i++) {
          final String ne = nameElements[i];
          final String pe = patternElements[i];
          if (!pe.equals("*")) {
            hostMatch = ne.equalsIgnoreCase(pe);
          }
        }
        return hostMatch;
      }

      private void verifyHostName(final X509Certificate[] chain) {
        try {
          // TODO: NPE if root DN.
          final List<String> hostnames = getNamesFromCertificate(chain[0]);
          if (hostnames == null || hostnames.size() == 0) {
            log.warn("No hostname(s) found in X509Certificate.");
            throw new GeneralSecurityException("No hostname(s) found in X509Certificate.");
          }

          log.trace("Verifying hostnames: {}", hostnames);
          boolean matched = false;
          for (final String hostNamePattern : hostNamePatterns) {
            for (final String hostname : hostnames) {
              log.trace("Matching hostname {} against pattern {}", hostname, hostNamePattern);
              if (hostNameMatchesPattern(hostname, hostNamePattern)) {
                log.trace("Hostname matched.");
                matched = true;
              }
            }
          }

          if (!matched) {
            throw new CertificateException("The host name contained in the certificate chain subject DN could not be matched against the expected wildcards.'");
          }
        } catch (final Throwable t) {
          log.warn("Error parsing subject dn: " + chain[0].getSubjectX500Principal(), t);
        }
      }

      private List<String> getNamesFromCertificate(final X509Certificate cert) {
        final List<String> cnList = new ArrayList<>(5);
        final String subjectPrincipal = cert.getSubjectX500Principal().toString();
        final StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
        while (st.hasMoreTokens()) {
          final String tok = st.nextToken();
          final int x = tok.indexOf("CN=");
          if (x >= 0) {
            cnList.add(tok.substring(x + 3).trim());
          }
        }

        if (!cnList.isEmpty()) {
          return cnList;
        }

        return null;
      }
    };
  }
}

## SslContext.java
package laccetti.server.security;

import lombok.extern.slf4j.Slf4j;
import org.jsslutils.sslcontext.PKIXSSLContextFactory;
import org.jsslutils.sslcontext.SSLContextFactory;
import org.springframework.stereotype.Component;

import javax.annotation.PostConstruct;
import javax.net.ssl.SSLContext;
import java.security.GeneralSecurityException;

/**
 * Trust wildcards for Guggle - automatically wires the trust manager into the SSL context after Spring is done loading
 */
@Component
@Slf4j
public class SslContext {
  @PostConstruct
  public void init() throws GeneralSecurityException, SSLContextFactory.SSLContextFactoryException {
    log.debug("Setting SSL context.");
    final PKIXSSLContextFactory sslContextFactory = new PKIXSSLContextFactory();
    sslContextFactory.setTrustManagerWrapper(new DefaultTrustManager(new String[]{"*.google.com", "*.googleapis.com", "*.storage.googleapis.com"}));
    final SSLContext sslContext = sslContextFactory.buildSSLContext();
    SSLContext.setDefault(sslContext);
  }
}
	package laccetti.server.security;

	import lombok.extern.slf4j.Slf4j;
	import org.jsslutils.sslcontext.X509TrustManagerWrapper;

	import javax.net.ssl.X509TrustManager;
	import java.security.GeneralSecurityException;
	import java.security.cert.CertificateException;
	import java.security.cert.X509Certificate;
	import java.util.ArrayList;
	import java.util.List;
	import java.util.StringTokenizer;

	/**
	* Wildcard Trust
	*/
	@Slf4j
	public class DefaultTrustManager implements X509TrustManagerWrapper {
	private final String[] hostNamePatterns;

	public DefaultTrustManager(final String[] hostNamePatterns) {
	this.hostNamePatterns = hostNamePatterns;
	}

	@Override
	public X509TrustManager wrapTrustManager(final X509TrustManager trustManager) {
	return new X509TrustManager() {
	/**
	* {@inheritDoc}
	*/
	public void checkClientTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
	log.trace("Validating client certificate.");
	verifyHostName(chain);
	}

	/**
	* {@inheritDoc}
	*/
	public void checkServerTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
	log.trace("Validating server certificate.");
	verifyHostName(chain);
	}

	/**
	* {@inheritDoc}
	*/
	public X509Certificate[] getAcceptedIssuers() {
	log.debug("Getting accepted issuers.");
	return trustManager.getAcceptedIssuers();
	}

	/**
	* Checks whether a host name matches the provided pattern. It accepts
	* the use of wildcards in the pattern, e.g. {@code *.example.com}.
	*
	* @param hostName The host name.
	* @param pattern The host name pattern, which may contain wild cards.
	* @return {@code true} if the host name matched the pattern, otherwise
	* {@code false}.
	*/
	private boolean hostNameMatchesPattern(final String hostName, final String pattern) {
	final String[] nameElements = hostName.split("\\.");
	final String[] patternElements = pattern.split("\\.");

	boolean hostMatch = nameElements.length == patternElements.length;
	for (int i = 0; i < nameElements.length && hostMatch; i++) {
	final String ne = nameElements[i];
	final String pe = patternElements[i];
	if (!pe.equals("*")) {
	hostMatch = ne.equalsIgnoreCase(pe);
	}
	}
	return hostMatch;
	}

	private void verifyHostName(final X509Certificate[] chain) {
	try {
	// TODO: NPE if root DN.
	final List<String> hostnames = getNamesFromCertificate(chain[0]);
	if (hostnames == null \|\| hostnames.size() == 0) {
	log.warn("No hostname(s) found in X509Certificate.");
	throw new GeneralSecurityException("No hostname(s) found in X509Certificate.");
	}

	log.trace("Verifying hostnames: {}", hostnames);
	boolean matched = false;
	for (final String hostNamePattern : hostNamePatterns) {
	for (final String hostname : hostnames) {
	log.trace("Matching hostname {} against pattern {}", hostname, hostNamePattern);
	if (hostNameMatchesPattern(hostname, hostNamePattern)) {
	log.trace("Hostname matched.");
	matched = true;
	}
	}
	}

	if (!matched) {
	throw new CertificateException("The host name contained in the certificate chain subject DN could not be matched against the expected wildcards.'");
	}
	} catch (final Throwable t) {
	log.warn("Error parsing subject dn: " + chain[0].getSubjectX500Principal(), t);
	}
	}

	private List<String> getNamesFromCertificate(final X509Certificate cert) {
	final List<String> cnList = new ArrayList<>(5);
	final String subjectPrincipal = cert.getSubjectX500Principal().toString();
	final StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
	while (st.hasMoreTokens()) {
	final String tok = st.nextToken();
	final int x = tok.indexOf("CN=");
	if (x >= 0) {
	cnList.add(tok.substring(x + 3).trim());
	}
	}

	if (!cnList.isEmpty()) {
	return cnList;
	}

	return null;
	}
	};
	}
	}
	package laccetti.server.security;

	import lombok.extern.slf4j.Slf4j;
	import org.jsslutils.sslcontext.PKIXSSLContextFactory;
	import org.jsslutils.sslcontext.SSLContextFactory;
	import org.springframework.stereotype.Component;

	import javax.annotation.PostConstruct;
	import javax.net.ssl.SSLContext;
	import java.security.GeneralSecurityException;

	/**
	* Trust wildcards for Guggle - automatically wires the trust manager into the SSL context after Spring is done loading
	*/
	@Component
	@Slf4j
	public class SslContext {
	@PostConstruct
	public void init() throws GeneralSecurityException, SSLContextFactory.SSLContextFactoryException {
	log.debug("Setting SSL context.");
	final PKIXSSLContextFactory sslContextFactory = new PKIXSSLContextFactory();
	sslContextFactory.setTrustManagerWrapper(new DefaultTrustManager(new String[]{".google.com", ".googleapis.com", "*.storage.googleapis.com"}));
	final SSLContext sslContext = sslContextFactory.buildSSLContext();
	SSLContext.setDefault(sslContext);
	}
	}