java.lang.Object
- javax.net.ssl.X509ExtendedTrustManager
- - io.grpc.xds.internal.security.trust.XdsX509TrustManager

All Implemented Interfaces:

javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager
```
final class XdsX509TrustManager
extends javax.net.ssl.X509ExtendedTrustManager
implements javax.net.ssl.X509TrustManager
```
Extension of X509ExtendedTrustManager that implements verification of SANs (subject-alternate-names) against the list in CertificateValidationContext.

Field Summary

Fields
Modifier and Type	Field	Description
`private static int`	`ALT_DNS_NAME`
`private static int`	`ALT_IPA_NAME`
`private static int`	`ALT_URI_NAME`
`private CertificateValidationContext`	`certContext`
`private javax.net.ssl.X509ExtendedTrustManager`	`delegate`

Constructor Summary

Constructors
Constructor Description

XdsX509TrustManager(CertificateValidationContext certContext, javax.net.ssl.X509ExtendedTrustManager delegate)

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`void`	`checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)`
`void`	`checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket)`
`void`	`checkClientTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine sslEngine)`
`void`	`checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType)`
`void`	`checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, java.net.Socket socket)`
`void`	`checkServerTrusted(java.security.cert.X509Certificate[] chain, java.lang.String authType, javax.net.ssl.SSLEngine sslEngine)`
`java.security.cert.X509Certificate[]`	`getAcceptedIssuers()`
`private static boolean`	`verifyDnsNameContains(java.lang.String altNameFromCert, java.lang.String sanToVerifySubstring, boolean ignoreCase)`
`private static boolean`	`verifyDnsNameExact(java.lang.String altNameFromCert, java.lang.String sanToVerifyExact, boolean ignoreCase)`
`private static boolean`	`verifyDnsNameInPattern(java.lang.String altNameFromCert, StringMatcher sanToVerifyMatcher)`
`private static boolean`	`verifyDnsNameInSanList(java.lang.String altNameFromCert, java.util.List<StringMatcher> verifySanList)`
`private static boolean`	`verifyDnsNamePrefix(java.lang.String altNameFromCert, java.lang.String sanToVerifyPrefix, boolean ignoreCase)`
`private static boolean`	`verifyDnsNameSafeRegex(java.lang.String altNameFromCert, RegexMatcher sanToVerifySafeRegex)`
`private static boolean`	`verifyDnsNameSuffix(java.lang.String altNameFromCert, java.lang.String sanToVerifySuffix, boolean ignoreCase)`
`private static boolean`	`verifyOneSanInList(java.util.List<?> entry, java.util.List<StringMatcher> verifySanList)`
`(package private) void`	`verifySubjectAltNameInChain(java.security.cert.X509Certificate[] peerCertChain)`	Verifies SANs in the peer cert chain against verify_subject_alt_name in the certContext.
`private static void`	`verifySubjectAltNameInLeaf(java.security.cert.X509Certificate cert, java.util.List<StringMatcher> verifyList)`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ALT_DNS_NAME
```
private static final int ALT_DNS_NAME
```
See Also:

Constant Field Values

ALT_URI_NAME
```
private static final int ALT_URI_NAME
```
See Also:

Constant Field Values

ALT_IPA_NAME
```
private static final int ALT_IPA_NAME
```
See Also:

Constant Field Values

delegate

private final javax.net.ssl.X509ExtendedTrustManager delegate

certContext

private final CertificateValidationContext certContext

Constructor Detail

XdsX509TrustManager

XdsX509TrustManager(@Nullable
                    CertificateValidationContext certContext,
                    javax.net.ssl.X509ExtendedTrustManager delegate)

Method Detail

verifyDnsNameInPattern

private static boolean verifyDnsNameInPattern(java.lang.String altNameFromCert,
                                              StringMatcher sanToVerifyMatcher)

verifyDnsNameSafeRegex

private static boolean verifyDnsNameSafeRegex(java.lang.String altNameFromCert,
                                              RegexMatcher sanToVerifySafeRegex)

verifyDnsNamePrefix

private static boolean verifyDnsNamePrefix(java.lang.String altNameFromCert,
                                           java.lang.String sanToVerifyPrefix,
                                           boolean ignoreCase)

verifyDnsNameSuffix

private static boolean verifyDnsNameSuffix(java.lang.String altNameFromCert,
                                           java.lang.String sanToVerifySuffix,
                                           boolean ignoreCase)

verifyDnsNameContains

private static boolean verifyDnsNameContains(java.lang.String altNameFromCert,
                                             java.lang.String sanToVerifySubstring,
                                             boolean ignoreCase)

verifyDnsNameExact

private static boolean verifyDnsNameExact(java.lang.String altNameFromCert,
                                          java.lang.String sanToVerifyExact,
                                          boolean ignoreCase)

verifyDnsNameInSanList

private static boolean verifyDnsNameInSanList(java.lang.String altNameFromCert,
                                              java.util.List<StringMatcher> verifySanList)

verifyOneSanInList

private static boolean verifyOneSanInList(java.util.List<?> entry,
                                          java.util.List<StringMatcher> verifySanList)
                                   throws java.security.cert.CertificateParsingException

Throws:: java.security.cert.CertificateParsingException

verifySubjectAltNameInLeaf

private static void verifySubjectAltNameInLeaf(java.security.cert.X509Certificate cert,
                                               java.util.List<StringMatcher> verifyList)
                                        throws java.security.cert.CertificateException

Throws:: java.security.cert.CertificateException

verifySubjectAltNameInChain
```
void verifySubjectAltNameInChain(java.security.cert.X509Certificate[] peerCertChain)
                          throws java.security.cert.CertificateException
```
Verifies SANs in the peer cert chain against verify_subject_alt_name in the certContext. This is called from various check*Trusted methods.

Throws:

java.security.cert.CertificateException

checkClientTrusted

public void checkClientTrusted(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType,
                               java.net.Socket socket)
                        throws java.security.cert.CertificateException

Specified by:: checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
Throws:: java.security.cert.CertificateException

checkClientTrusted

public void checkClientTrusted(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType,
                               javax.net.ssl.SSLEngine sslEngine)
                        throws java.security.cert.CertificateException

Specified by:: checkClientTrusted in class javax.net.ssl.X509ExtendedTrustManager
Throws:: java.security.cert.CertificateException

checkClientTrusted

public void checkClientTrusted(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType)
                        throws java.security.cert.CertificateException

Specified by:: checkClientTrusted in interface javax.net.ssl.X509TrustManager
Throws:: java.security.cert.CertificateException

checkServerTrusted

public void checkServerTrusted(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType,
                               java.net.Socket socket)
                        throws java.security.cert.CertificateException

Specified by:: checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
Throws:: java.security.cert.CertificateException

checkServerTrusted

public void checkServerTrusted(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType,
                               javax.net.ssl.SSLEngine sslEngine)
                        throws java.security.cert.CertificateException

Specified by:: checkServerTrusted in class javax.net.ssl.X509ExtendedTrustManager
Throws:: java.security.cert.CertificateException

checkServerTrusted

public void checkServerTrusted(java.security.cert.X509Certificate[] chain,
                               java.lang.String authType)
                        throws java.security.cert.CertificateException

Specified by:: checkServerTrusted in interface javax.net.ssl.X509TrustManager
Throws:: java.security.cert.CertificateException

getAcceptedIssuers
```
public java.security.cert.X509Certificate[] getAcceptedIssuers()
```
Specified by:

getAcceptedIssuers in interface javax.net.ssl.X509TrustManager

Class XdsX509TrustManager

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

ALT_DNS_NAME

ALT_URI_NAME

ALT_IPA_NAME

delegate

certContext

Constructor Detail

XdsX509TrustManager

Method Detail

verifyDnsNameInPattern

verifyDnsNameSafeRegex

verifyDnsNamePrefix

verifyDnsNameSuffix

verifyDnsNameContains

verifyDnsNameExact

verifyDnsNameInSanList

verifyOneSanInList

verifySubjectAltNameInLeaf

verifySubjectAltNameInChain

checkClientTrusted

checkClientTrusted

checkClientTrusted

checkServerTrusted

checkServerTrusted

checkServerTrusted

getAcceptedIssuers