java.lang.Object

javax.net.ssl.X509ExtendedTrustManager

io.grpc.xds.internal.security.trust.XdsX509TrustManager

All Implemented Interfaces:: TrustManager, X509TrustManager

final class XdsX509TrustManager extends X509ExtendedTrustManager implements X509TrustManager

Extension of X509ExtendedTrustManager that implements verification of SANs (subject-alternate-names) against the list in CertificateValidationContext.

Field Summary

Fields

Modifier and Type

Field

Description

private static final int

ALT_DNS_NAME

private static final int

ALT_IPA_NAME

private static final int

ALT_URI_NAME

private final CertificateValidationContext

certContext

private final X509ExtendedTrustManager

delegate
Constructor Summary

Constructors

Constructor

Description

XdsX509TrustManager(CertificateValidationContext certContext, X509ExtendedTrustManager delegate)
Method Summary

Modifier and Type

Method

Description

void

checkClientTrusted(X509Certificate[] chain, String authType)

void

checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)

void

checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine)

void

checkServerTrusted(X509Certificate[] chain, String authType)

void

checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)

void

checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine)

X509Certificate[]

getAcceptedIssuers()

private static boolean

verifyDnsNameContains(String altNameFromCert, String sanToVerifySubstring, boolean ignoreCase)

private static boolean

verifyDnsNameExact(String altNameFromCert, String sanToVerifyExact, boolean ignoreCase)

private static boolean

verifyDnsNameInPattern(String altNameFromCert, StringMatcher sanToVerifyMatcher)

private static boolean

verifyDnsNameInSanList(String altNameFromCert, List<StringMatcher> verifySanList)

private static boolean

verifyDnsNamePrefix(String altNameFromCert, String sanToVerifyPrefix, boolean ignoreCase)

private static boolean

verifyDnsNameSafeRegex(String altNameFromCert, RegexMatcher sanToVerifySafeRegex)

private static boolean

verifyDnsNameSuffix(String altNameFromCert, String sanToVerifySuffix, boolean ignoreCase)

private static boolean

verifyOneSanInList(List<?> entry, List<StringMatcher> verifySanList)

(package private) void

verifySubjectAltNameInChain(X509Certificate[] peerCertChain)

Verifies SANs in the peer cert chain against verify_subject_alt_name in the certContext.

private static void

verifySubjectAltNameInLeaf(X509Certificate cert, List<StringMatcher> verifyList)

Methods inherited from class Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details
- ALT_DNS_NAME
  private static final int ALT_DNS_NAME
  
  See Also:
  
  Constant Field Values
- ALT_URI_NAME
  private static final int ALT_URI_NAME
  
  See Also:
  
  Constant Field Values
- ALT_IPA_NAME
  private static final int ALT_IPA_NAME
  
  See Also:
  
  Constant Field Values
- delegate
  
  private final X509ExtendedTrustManager delegate
- certContext
  
  private final CertificateValidationContext certContext
Constructor Details
- XdsX509TrustManager
  
  XdsX509TrustManager(@Nullable CertificateValidationContext certContext, X509ExtendedTrustManager delegate)
Method Details
- verifyDnsNameInPattern
  
  private static boolean verifyDnsNameInPattern(String altNameFromCert, StringMatcher sanToVerifyMatcher)
- verifyDnsNameSafeRegex
  
  private static boolean verifyDnsNameSafeRegex(String altNameFromCert, RegexMatcher sanToVerifySafeRegex)
- verifyDnsNamePrefix
  
  private static boolean verifyDnsNamePrefix(String altNameFromCert, String sanToVerifyPrefix, boolean ignoreCase)
- verifyDnsNameSuffix
  
  private static boolean verifyDnsNameSuffix(String altNameFromCert, String sanToVerifySuffix, boolean ignoreCase)
- verifyDnsNameContains
  
  private static boolean verifyDnsNameContains(String altNameFromCert, String sanToVerifySubstring, boolean ignoreCase)
- verifyDnsNameExact
  
  private static boolean verifyDnsNameExact(String altNameFromCert, String sanToVerifyExact, boolean ignoreCase)
- verifyDnsNameInSanList
  
  private static boolean verifyDnsNameInSanList(String altNameFromCert, List<StringMatcher> verifySanList)
- verifyOneSanInList
  
  private static boolean verifyOneSanInList(List<?> entry, List<StringMatcher> verifySanList) throws CertificateParsingException
  
  Throws:
  
  CertificateParsingException
- verifySubjectAltNameInLeaf
  
  private static void verifySubjectAltNameInLeaf(X509Certificate cert, List<StringMatcher> verifyList) throws CertificateException
  
  Throws:
  
  CertificateException
- verifySubjectAltNameInChain
  
  void verifySubjectAltNameInChain(X509Certificate[] peerCertChain) throws CertificateException
  
  Verifies SANs in the peer cert chain against verify_subject_alt_name in the certContext. This is called from various check*Trusted methods.
  
  Throws:
  
  CertificateException
- checkClientTrusted
  
  public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  
  Specified by:
  
  checkClientTrusted in class X509ExtendedTrustManager
  
  Throws:
  
  CertificateException
- checkClientTrusted
  
  public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException
  
  Specified by:
  
  checkClientTrusted in class X509ExtendedTrustManager
  
  Throws:
  
  CertificateException
- checkClientTrusted
  
  public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
  
  Specified by:
  
  checkClientTrusted in interface X509TrustManager
  
  Throws:
  
  CertificateException
- checkServerTrusted
  
  public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  
  Specified by:
  
  checkServerTrusted in class X509ExtendedTrustManager
  
  Throws:
  
  CertificateException
- checkServerTrusted
  
  public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine) throws CertificateException
  
  Specified by:
  
  checkServerTrusted in class X509ExtendedTrustManager
  
  Throws:
  
  CertificateException
- checkServerTrusted
  
  public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
  
  Specified by:
  
  checkServerTrusted in interface X509TrustManager
  
  Throws:
  
  CertificateException
- getAcceptedIssuers
  
  public X509Certificate[] getAcceptedIssuers()
  
  Specified by:
  
  getAcceptedIssuers in interface X509TrustManager

Class XdsX509TrustManager

Field Summary

Constructor Summary

Method Summary

Methods inherited from class Object

Field Details

ALT_DNS_NAME

ALT_URI_NAME

ALT_IPA_NAME

delegate

certContext

Constructor Details

XdsX509TrustManager

Method Details

verifyDnsNameInPattern

verifyDnsNameSafeRegex

verifyDnsNamePrefix

verifyDnsNameSuffix

verifyDnsNameContains

verifyDnsNameExact

verifyDnsNameInSanList

verifyOneSanInList

verifySubjectAltNameInLeaf

verifySubjectAltNameInChain

checkClientTrusted

checkClientTrusted

checkClientTrusted

checkServerTrusted

checkServerTrusted

checkServerTrusted

getAcceptedIssuers