Class ClientTrust


  • public class ClientTrust
    extends java.lang.Object
    Handle the client trust and fingerprint for Perforce SSL connections.

    This also includes methods that assist in validating a certificate path. All certificates are accepted during the handshake, but they are saved so they can be checked later with the methods in this class.

    • Field Detail

      • HEX_CHARS

        public static final char[] HEX_CHARS
      • FINGERPRINT_USER_NAME

        public static final java.lang.String FINGERPRINT_USER_NAME
        See Also:
        Constant Field Values
      • FINGERPRINT_REPLACEMENT_USER_NAME

        public static final java.lang.String FINGERPRINT_REPLACEMENT_USER_NAME
        See Also:
        Constant Field Values
      • CLIENT_TRUST_MESSAGES

        public static final java.lang.String CLIENT_TRUST_MESSAGES
        See Also:
        Constant Field Values
      • CLIENT_TRUST_WARNING_NOT_ESTABLISHED

        public static final java.lang.String CLIENT_TRUST_WARNING_NOT_ESTABLISHED
        See Also:
        Constant Field Values
      • CLIENT_TRUST_WARNING_NEW_CONNECTION

        public static final java.lang.String CLIENT_TRUST_WARNING_NEW_CONNECTION
        See Also:
        Constant Field Values
      • CLIENT_TRUST_WARNING_NEW_KEY

        public static final java.lang.String CLIENT_TRUST_WARNING_NEW_KEY
        See Also:
        Constant Field Values
      • CLIENT_TRUST_EXCEPTION_NEW_CONNECTION

        public static final java.lang.String CLIENT_TRUST_EXCEPTION_NEW_CONNECTION
        See Also:
        Constant Field Values
      • CLIENT_TRUST_EXCEPTION_NEW_KEY

        public static final java.lang.String CLIENT_TRUST_EXCEPTION_NEW_KEY
        See Also:
        Constant Field Values
      • CLIENT_TRUST_ADD_EXCEPTION_NEW_CONNECTION

        public static final java.lang.String CLIENT_TRUST_ADD_EXCEPTION_NEW_CONNECTION
        See Also:
        Constant Field Values
      • CLIENT_TRUST_ADD_EXCEPTION_NEW_KEY

        public static final java.lang.String CLIENT_TRUST_ADD_EXCEPTION_NEW_KEY
        See Also:
        Constant Field Values
      • CLIENT_TRUST_ADDED

        public static final java.lang.String CLIENT_TRUST_ADDED
        See Also:
        Constant Field Values
      • CLIENT_TRUST_REMOVED

        public static final java.lang.String CLIENT_TRUST_REMOVED
        See Also:
        Constant Field Values
      • CLIENT_TRUST_ALREADY_ESTABLISHED

        public static final java.lang.String CLIENT_TRUST_ALREADY_ESTABLISHED
        See Also:
        Constant Field Values
      • CLIENT_TRUST_INSTALL_EXCEPTION

        public static final java.lang.String CLIENT_TRUST_INSTALL_EXCEPTION
        See Also:
        Constant Field Values
      • CLIENT_TRUST_UNINSTALL_EXCEPTION

        public static final java.lang.String CLIENT_TRUST_UNINSTALL_EXCEPTION
        See Also:
        Constant Field Values
      • SSL_CLIENT_TRUST_BADDATE

        public static final java.lang.String SSL_CLIENT_TRUST_BADDATE
        See Also:
        Constant Field Values
      • SSL_CLIENT_TRUST_BADHOST

        public static final java.lang.String SSL_CLIENT_TRUST_BADHOST
        See Also:
        Constant Field Values
    • Constructor Detail

      • ClientTrust

        public ClientTrust​(RpcServer rpcServer)
        Instantiates a new client trust.
        Parameters:
        rpcServer - the rpc server
    • Method Detail

      • installFingerprint

        public void installFingerprint​(java.lang.String serverIpPort,
                                       java.lang.String fingerprintUser,
                                       java.lang.String fingerprint)
                                throws TrustException
        Install the fingerprint for the specified server IP and port.
        Parameters:
        serverIpPort - the serverIpPort
        fingerprintUser - the fingerprintUser
        fingerprint - the fingerprint
        Throws:
        TrustException - the trust exception
      • removeFingerprint

        public void removeFingerprint​(java.lang.String serverIpPort,
                                      java.lang.String fingerprintUser)
                               throws TrustException
        Removes the fingerprint for the specified server IP and port.
        Parameters:
        serverIpPort - the serverIpPort
        fingerprintUser - the fingerprintUser
        Throws:
        TrustException - the trust exception
      • fingerprintExists

        public boolean fingerprintExists​(java.lang.String serverKey,
                                         java.lang.String fingerprintUser)
        Check if a fingerprint exists for the specified server IP and port.
        Parameters:
        serverKey - the serverIpPort or serverHostName
        fingerprintUser - the fingerprintUser
        Returns:
        true if a fingerprint is stored for this server key and fingerprint user
      • fingerprintMatches

        public boolean fingerprintMatches​(java.lang.String serverKey,
                                          java.lang.String fingerprintUser,
                                          java.lang.String fingerprint)
        Check if the fingerprint for the specified server IP and port matches the one in trust file.
        Parameters:
        serverKey - the serverIpPort or serverHostName
        fingerprintUser - the fingerprintUser
        fingerprint - the fingerprint
        Returns:
        true if the given fingerprint equals the one stored in the trust file for this server key and fingerprint user
      • generateFingerprint

        public static java.lang.String generateFingerprint​(java.security.PublicKey publicKey)
                                                    throws java.security.NoSuchAlgorithmException
        Generate fingerprint from public key using MessageDigest.
        Parameters:
        publicKey - the public key
        Returns:
        the fingerprint string
        Throws:
        java.security.NoSuchAlgorithmException - the no such algorithm exception
      • generateFingerprint

        public static java.lang.String generateFingerprint​(java.security.cert.X509Certificate certificate)
                                                    throws java.security.NoSuchAlgorithmException,
                                                           java.security.cert.CertificateEncodingException
        Generate fingerprint from a certificate using MessageDigest.
        Parameters:
        certificate - the certificate
        Returns:
        the fingerprint string
        Throws:
        java.security.NoSuchAlgorithmException - the no such algorithm exception
        java.security.cert.CertificateEncodingException - the certificate encoding exception
      • convert2Hex

        public static java.lang.String convert2Hex​(byte[] data)
        Convert a byte array to a hexadecimal string.
        Parameters:
        data - the data
        Returns:
        the hexadecimal string
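        The trust-on-first-use flow that installFingerprint, fingerprintExists, fingerprintMatches, generateFingerprint and convert2Hex together support, as an added example that is not p4java code. It keeps fingerprints in an in-memory map instead of the trust file, uses SHA-256 over the encoded public key (the page does not name the digest algorithm), and lays the hex out as colon-separated upper-case pairs; the server key, fingerprint user and both key pairs are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration of trust-on-first-use fingerprint handling, modelled on the
 * ClientTrust methods documented above. Not p4java code: the digest algorithm
 * (SHA-256), the colon-separated hex layout and the in-memory map standing in for
 * the trust file are assumptions made for this example.
 */
public class FingerprintTrustExample {

    private static final char[] HEX_CHARS = "0123456789ABCDEF".toCharArray();

    /** The three situations the CLIENT_TRUST_* messages distinguish. */
    public enum Outcome { NEW_CONNECTION, ALREADY_ESTABLISHED, NEW_KEY }

    // serverKey (host:port or host name) -> fingerprintUser -> fingerprint
    private final Map<String, Map<String, String>> trustStore = new HashMap<>();

    /** Byte array to upper-case hex, one ':' between bytes (layout is an assumption). */
    public static String convert2Hex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 3);
        for (int i = 0; i < data.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(HEX_CHARS[(data[i] >> 4) & 0x0F]).append(HEX_CHARS[data[i] & 0x0F]);
        }
        return sb.toString();
    }

    /** Digest of the DER-encoded SubjectPublicKeyInfo; SHA-256 is this example's choice. */
    public static String generateFingerprint(PublicKey publicKey) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return convert2Hex(md.digest(publicKey.getEncoded()));
    }

    public void installFingerprint(String serverKey, String fingerprintUser, String fingerprint) {
        trustStore.computeIfAbsent(serverKey, k -> new HashMap<>()).put(fingerprintUser, fingerprint);
    }

    public void removeFingerprint(String serverKey, String fingerprintUser) {
        Map<String, String> byUser = trustStore.get(serverKey);
        if (byUser != null) byUser.remove(fingerprintUser);
    }

    public boolean fingerprintExists(String serverKey, String fingerprintUser) {
        Map<String, String> byUser = trustStore.get(serverKey);
        return byUser != null && byUser.containsKey(fingerprintUser);
    }

    public boolean fingerprintMatches(String serverKey, String fingerprintUser, String fingerprint) {
        Map<String, String> byUser = trustStore.get(serverKey);
        String stored = byUser == null ? null : byUser.get(fingerprintUser);
        // constant-time comparison: the position of a mismatch is not leaked through timing
        return stored != null && MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.US_ASCII),
                fingerprint.getBytes(StandardCharsets.US_ASCII));
    }

    /** Classify a handshake: unknown server, same key as before, or a changed key. */
    public Outcome check(String serverKey, String fingerprintUser, PublicKey presented)
            throws NoSuchAlgorithmException {
        if (!fingerprintExists(serverKey, fingerprintUser)) return Outcome.NEW_CONNECTION;
        String fp = generateFingerprint(presented);
        return fingerprintMatches(serverKey, fingerprintUser, fp)
                ? Outcome.ALREADY_ESTABLISHED : Outcome.NEW_KEY;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey serverKey = gen.generateKeyPair().getPublic();   // constructed: key seen on first contact
        PublicKey rotatedKey = gen.generateKeyPair().getPublic();  // constructed: a different key later on

        FingerprintTrustExample trust = new FingerprintTrustExample();
        String server = "p4d.example.invalid:1666";  // placeholder server key
        String user = "fingerprint-user";            // placeholder fingerprint user

        // first contact: nothing stored, so the caller must get explicit acceptance before proceeding
        System.out.println("first contact: " + trust.check(server, user, serverKey));
        trust.installFingerprint(server, user, generateFingerprint(serverKey));
        // same key again: trust already established, connection proceeds silently
        System.out.println("reconnect:     " + trust.check(server, user, serverKey));
        // different key for a known server: refuse until re-verified out of band
        System.out.println("key changed:   " + trust.check(server, user, rotatedKey));
        trust.removeFingerprint(server, user);
        System.out.println("after removal, exists = " + trust.fingerprintExists(server, user));
    }
}
```

The point of the NEW_KEY branch is that a changed fingerprint is not auto-replaced: the stored value only changes through installFingerprint after someone has confirmed the new key through a channel other than the connection itself.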
      • getMessages

        public PerforceMessages getMessages()
        Gets the PerforceMessages instance used for the client trust messages.
        Returns:
        the messages
      • getTrustedCAs

        public static java.util.Set<java.security.cert.TrustAnchor> getTrustedCAs()
                                                                           throws java.security.NoSuchAlgorithmException,
                                                                                  java.security.KeyStoreException,
                                                                                  java.security.InvalidAlgorithmParameterException
        Gets the root CAs in the trust store, either the default truststore or the one specified by javax.net.ssl.trustStore/javax.net.ssl.trustStorePassword. Root CAs are cached.
        Returns:
        root CAs
        Throws:
        java.security.NoSuchAlgorithmException - on error
        java.security.KeyStoreException - on error
        java.security.InvalidAlgorithmParameterException - on error
      • getTrustedCAs

        public static java.util.Set<java.security.cert.TrustAnchor> getTrustedCAs​(boolean refreshCache)
                                                                           throws java.security.NoSuchAlgorithmException,
                                                                                  java.security.KeyStoreException,
                                                                                  java.security.InvalidAlgorithmParameterException
        Gets the root CAs from the trust store, either the default truststore or the one specified by javax.net.ssl.trustStore/javax.net.ssl.trustStorePassword.
        Parameters:
        refreshCache - force retrieve from truststore
        Returns:
        root CAs
        Throws:
        java.security.NoSuchAlgorithmException - on error
        java.security.KeyStoreException - on error
        java.security.InvalidAlgorithmParameterException - on error
      • getDefaultX509TrustManager

        public static javax.net.ssl.X509TrustManager getDefaultX509TrustManager()
                                                                         throws java.security.NoSuchAlgorithmException,
                                                                                java.security.KeyStoreException
        Get the system default X509TrustManager.
        Returns:
        trust manager
        Throws:
        java.security.NoSuchAlgorithmException - on error
        java.security.KeyStoreException - on error
      • validateServerChain

        public static void validateServerChain​(java.security.cert.X509Certificate[] certs,
                                               java.lang.String refName)
                                        throws java.security.cert.CertificateException
        Check the certificate chain.
        Parameters:
        certs - the certificates from p4d handshake.
        refName - refName
        Throws:
        java.security.cert.CertificateException - if the validation fails
      • verifyCertificateDates

        public static void verifyCertificateDates​(java.security.cert.X509Certificate cert)
                                           throws java.security.cert.CertificateException
        Check the certificate's Not Before and Not After dates against the current time.
        Parameters:
        cert - the certificate
        Throws:
        java.security.cert.CertificateException - on error
      • verifyCertificateSubject

        public static void verifyCertificateSubject​(java.security.cert.X509Certificate cert,
                                                    java.lang.String hostName)
                                             throws java.security.cert.CertificateParsingException,
                                                    java.security.cert.CertificateException,
                                                    java.net.UnknownHostException
        Verify the requested host name against the one in the certificate.
        Parameters:
        cert - certificate
        hostName - the host name
        Throws:
        java.security.cert.CertificateParsingException - on error
        java.security.cert.CertificateException - on error
        java.net.UnknownHostException - could not find an IP address for the given host name
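        The certificate-path side of the class (getTrustedCAs, validateServerChain, verifyCertificateDates and verifyCertificateSubject), as an added example that is not p4java code. It assumes trust anchors come from the JVM's default TrustManagerFactory (which honours javax.net.ssl.trustStore), validates with the standard PKIX CertPathValidator with revocation checking switched off, and applies its own subjectAltName matching rules (exact or single-label wildcard dNSName, or an iPAddress equal to what the host name resolves to); the chain is read leaf-first from a PEM file given on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example of the chain, date and host-name checks; not p4java's implementation. */
public class ServerChainCheckExample {

    /** Trust anchors from the JVM default truststore (javax.net.ssl.trustStore if set). */
    static Set<TrustAnchor> getTrustedCAs() throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null KeyStore selects the default truststore
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return anchors;
    }

    /** PKIX validation of a leaf-first chain against the given anchors. */
    static void validateServerChain(X509Certificate[] certs, Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(certs));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);  // assumption: no CRL/OCSP checking in this example
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    /** Throws CertificateExpiredException or CertificateNotYetValidException when outside the window. */
    static void verifyCertificateDates(X509Certificate cert) throws CertificateException {
        cert.checkValidity();
    }

    /** Accept if a dNSName SAN matches the host name, or an iPAddress SAN matches its resolved address. */
    static void verifyCertificateSubject(X509Certificate cert, String hostName)
            throws CertificateException, UnknownHostException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();  // may throw CertificateParsingException
        if (sans == null) throw new CertificateException("certificate carries no subjectAltName");
        for (List<?> san : sans) {
            if ((Integer) san.get(0) == 2 && matchesDns(String.valueOf(san.get(1)), hostName)) return;
        }
        String resolved = null;  // resolve only if the certificate actually carries iPAddress entries
        for (List<?> san : sans) {
            if ((Integer) san.get(0) == 7) {
                if (resolved == null) resolved = InetAddress.getByName(hostName).getHostAddress();
                if (resolved.equals(String.valueOf(san.get(1)))) return;  // textual IPv4 form; IPv6 not normalised here
            }
        }
        throw new CertificateException("host name " + hostName + " not present in subjectAltName");
    }

    /** Exact match, or a single-label wildcard such as *.example.com (rule chosen for this example). */
    static boolean matchesDns(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        if (pattern.startsWith("*.")) {
            int dot = host.indexOf('.');
            return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
        }
        return pattern.equals(host);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: ServerChainCheckExample <chain.pem> <expected-host-name>");
            return;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        verifyCertificateDates(chain[0]);               // leaf is first in a server-sent chain
        verifyCertificateSubject(chain[0], args[1]);
        validateServerChain(chain, getTrustedCAs());
        System.out.println("chain accepted for " + args[1]);
    }
}
```

Run it as `java ServerChainCheckExample chain.pem p4d.example.invalid`; any of the three checks failing surfaces as the corresponding CertificateException (or UnknownHostException when the host name cannot be resolved), which is the same failure vocabulary the methods above document.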