--- /dev/null
+/*\r
+\r
+ Derby - Class org.apache.derby.impl.drda.NaiveTrustManager\r
+\r
+ Licensed to the Apache Software Foundation (ASF) under one or more\r
+ contributor license agreements. See the NOTICE file distributed with\r
+ this work for additional information regarding copyright ownership.\r
+ The ASF licenses this file to You under the Apache License, Version 2.0\r
+ (the "License"); you may not use this file except in compliance with\r
+ the License. You may obtain a copy of the License at\r
+\r
+ http://www.apache.org/licenses/LICENSE-2.0\r
+\r
+ Unless required by applicable law or agreed to in writing, software\r
+ distributed under the License is distributed on an "AS IS" BASIS,\r
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ See the License for the specific language governing permissions and\r
+ limitations under the License.\r
+\r
+*/\r
+\r
+package org.apache.derby.impl.drda;\r
+\r
+import java.io.FileInputStream;\r
+import javax.net.SocketFactory;\r
+import javax.net.ssl.SSLContext;\r
+import javax.net.ssl.TrustManager;\r
+import javax.net.ssl.X509TrustManager;\r
+import javax.net.ssl.KeyManagerFactory;\r
+import java.security.KeyStore;\r
+import java.security.cert.X509Certificate;\r
+import java.security.cert.CertificateException;\r
+import org.apache.derby.iapi.services.property.PropertyUtil;\r
+\r
+\r
+/**\r
+ * This is a naive trust manager we use when we don't want server\r
+ * authentication. Any certificate will be accepted. \r
+ **/\r
+public class NaiveTrustManager\r
+ implements X509TrustManager\r
+{\r
+ \r
+ /**\r
+ * We don't want more than one instence of this TrustManager\r
+ */\r
+ private NaiveTrustManager()\r
+ {\r
+ }\r
+\r
+ static private TrustManager[] thisManager = null;\r
+\r
+ /** \r
+ * Generate a socket factory with this trust manager. Derby\r
+ * Utility routine which is not part of the X509TrustManager\r
+ * interface.\r
+ **/\r
+ public static SocketFactory getSocketFactory()\r
+ throws java.security.NoSuchAlgorithmException,\r
+ java.security.KeyManagementException,\r
+ java.security.NoSuchProviderException,\r
+ java.security.KeyStoreException,\r
+ java.security.UnrecoverableKeyException,\r
+ java.security.cert.CertificateException,\r
+ java.io.IOException\r
+ {\r
+ if (thisManager == null) {\r
+ thisManager = new TrustManager [] {new NaiveTrustManager()};\r
+ }\r
+\r
+ SSLContext ctx = SSLContext.getInstance("SSL");\r
+ \r
+ if (ctx.getProvider().getName().equals("SunJSSE") &&\r
+ (PropertyUtil.getSystemProperty("javax.net.ssl.keyStore") != null) &&\r
+ (PropertyUtil.getSystemProperty("javax.net.ssl.keyStorePassword") != null)) {\r
+ \r
+ // SunJSSE does not give you a working default keystore\r
+ // when using your own trust manager. Since a keystore is\r
+ // needed on the client when the server does\r
+ // peerAuthentication, we have to provide one working the\r
+ // same way as the default one.\r
+\r
+ String keyStore = \r
+ PropertyUtil.getSystemProperty("javax.net.ssl.keyStore");\r
+ String keyStorePassword =\r
+ PropertyUtil.getSystemProperty("javax.net.ssl.keyStorePassword");\r
+ \r
+ KeyStore ks = KeyStore.getInstance("JKS");\r
+ ks.load(new FileInputStream(keyStore),\r
+ keyStorePassword.toCharArray());\r
+ \r
+ KeyManagerFactory kmf = \r
+ KeyManagerFactory.getInstance("SunX509", "SunJSSE");\r
+ kmf.init(ks, keyStorePassword.toCharArray());\r
+\r
+ ctx.init(kmf.getKeyManagers(),\r
+ thisManager,\r
+ null); // Use default random source\r
+ } else {\r
+ ctx.init(null, // Use default key manager\r
+ thisManager,\r
+ null); // Use default random source\r
+ }\r
+\r
+ return ctx.getSocketFactory();\r
+ }\r
+ \r
+ /** \r
+ * Checks wether the we trust the client. Since this trust manager\r
+ * is just for the Derby clients, this routine is actually never\r
+ * called, but need to be here when we implement X509TrustManager.\r
+ * @param chain The client's certificate chain\r
+ * @param authType authorization type (e.g. "RSA" or "DHE_DSS")\r
+ **/\r
+ public void checkClientTrusted(X509Certificate[] chain, \r
+ String authType)\r
+ throws CertificateException\r
+ {\r
+ // Reject all attemtpts to trust a client. We should never end\r
+ // up here.\r
+ throw new CertificateException();\r
+ }\r
+ \r
+ /** \r
+ * Checks wether the we trust the server, which we allways will.\r
+ * @param chain The server's certificate chain\r
+ * @param authType authorization type (e.g. "RSA" or "DHE_DSS")\r
+ **/\r
+ public void checkServerTrusted(X509Certificate[] chain, \r
+ String authType)\r
+ throws CertificateException\r
+ {\r
+ // Do nothing. We trust everyone.\r
+ }\r
+ \r
+ /**\r
+ * Return an array of certificate authority certificates which are\r
+ * trusted for authenticating peers. Not relevant for this trust\r
+ * manager.\r
+ */\r
+ public X509Certificate[] getAcceptedIssuers()\r
+ {\r
+ return new X509Certificate[0];\r
+ }\r
+ \r
+}\r
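Review bot: The keystore stream opened by `ks.load(new FileInputStream(keyStore), ...)` in the SunJSSE branch of getSocketFactory() is never closed, so each call on that branch leaves a file handle open until the garbage collector reclaims it. Holding the stream in a local and closing it in a `finally` block fixes this, as in the excerpt below. The same branch hard-codes the `"JKS"` store type, so a keystore of another type selected through `javax.net.ssl.keyStoreType` would presumably fail to load here even though the default key manager would accept it. Because checkServerTrusted() accepts every chain, the Javadoc of getSocketFactory() should also state the consequence for callers, e.g. `Sockets created by this factory do not verify the server certificate; the connection is encrypted but the peer's identity is not authenticated.`

```java
KeyStore ks = KeyStore.getInstance("JKS");
FileInputStream keyStoreStream = new FileInputStream(keyStore);
try {
    ks.load(keyStoreStream, keyStorePassword.toCharArray());
} finally {
    // Release the file handle whether or not the load succeeded.
    keyStoreStream.close();
}
// ... unchanged: KeyManagerFactory setup and ctx.init(...) ...
```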