Back to index...
/*
 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package sun.security.ssl;
import java.io.*;
import java.lang.ref.WeakReference;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import sun.security.action.*;
import sun.security.validator.TrustStoreUtil;
/**
 * Collection of static utility methods to manage the default trusted KeyStores
 * effectively.
 */
final class TrustStoreManager {
    // A singleton service to manage the default trusted KeyStores effectively.
    private static final TrustAnchorManager tam = new TrustAnchorManager();
    // Restrict instantiation of this class.
    private TrustStoreManager() {
        // empty
    }
    /**
     * Return an unmodifiable set of all trusted X509Certificates contained
     * in the default trusted KeyStore.
     */
    public static Set<X509Certificate> getTrustedCerts() throws Exception {
        return tam.getTrustedCerts(TrustStoreDescriptor.createInstance());
    }
    /**
     * Return an instance of the default trusted KeyStore.
     */
    public static KeyStore getTrustedKeyStore() throws Exception {
        return tam.getKeyStore(TrustStoreDescriptor.createInstance());
    }
    /**
     * A descriptor of the default trusted KeyStore.
     *
     * The preference of the default trusted KeyStore is:
     *    javax.net.ssl.trustStore
     *    jssecacerts
     *    cacerts
     */
    private static final class TrustStoreDescriptor {
        private static final String fileSep = File.separator;
        private static final String defaultStorePath =
                GetPropertyAction.privilegedGetProperty("java.home") +
                fileSep + "lib" + fileSep + "security";
        private static final String defaultStore =
                defaultStorePath + fileSep + "cacerts";
        private static final String jsseDefaultStore =
                defaultStorePath + fileSep + "jssecacerts";
        // the trust store name
        private final String storeName;
        // the trust store type, JKS/PKCS12
        private final String storeType;
        // the provider of the trust store
        private final String storeProvider;
        // the password used for the trust store
        private final String storePassword;
        // the File object of the trust store
        private final File storeFile;
        // the last modified time of the store
        private final long lastModified;
        private TrustStoreDescriptor(String storeName, String storeType,
                String storeProvider, String storePassword,
                File storeFile, long lastModified) {
            this.storeName = storeName;
            this.storeType = storeType;
            this.storeProvider = storeProvider;
            this.storePassword = storePassword;
            this.storeFile = storeFile;
            this.lastModified = lastModified;
            if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
                SSLLogger.fine(
                    "trustStore is: " + storeName + "\n" +
                    "trustStore type is: " + storeType + "\n" +
                    "trustStore provider is: " + storeProvider + "\n" +
                    "the last modified time is: " + (new Date(lastModified)));
            }
        }
        /**
         * Create an instance of TrustStoreDescriptor for the default
         * trusted KeyStore.
         */
        @SuppressWarnings("Convert2Lambda")
        static TrustStoreDescriptor createInstance() {
             return AccessController.doPrivileged(
                    new PrivilegedAction<TrustStoreDescriptor>() {
                @Override
                public TrustStoreDescriptor run() {
                    // Get the system properties for trust store.
                    String storePropName = System.getProperty(
                            "javax.net.ssl.trustStore", jsseDefaultStore);
                    String storePropType = System.getProperty(
                            "javax.net.ssl.trustStoreType",
                            KeyStore.getDefaultType());
                    String storePropProvider = System.getProperty(
                            "javax.net.ssl.trustStoreProvider", "");
                    String storePropPassword = System.getProperty(
                            "javax.net.ssl.trustStorePassword", "");
                    String temporaryName = "";
                    File temporaryFile = null;
                    long temporaryTime = 0L;
                    if (!"NONE".equals(storePropName)) {
                        String[] fileNames =
                                new String[] {storePropName, defaultStore};
                        for (String fileName : fileNames) {
                            File f = new File(fileName);
                            if (f.isFile() && f.canRead()) {
                                temporaryName = fileName;;
                                temporaryFile = f;
                                temporaryTime = f.lastModified();
                                break;
                            }
                            // Not break, the file is inaccessible.
                            if (SSLLogger.isOn &&
                                    SSLLogger.isOn("trustmanager")) {
                                SSLLogger.fine(
                                        "Inaccessible trust store: " +
                                        storePropName);
                            }
                        }
                    } else {
                        temporaryName = storePropName;
                    }
                    return new TrustStoreDescriptor(
                            temporaryName, storePropType, storePropProvider,
                            storePropPassword, temporaryFile, temporaryTime);
                }
            });
        }
        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (obj instanceof TrustStoreDescriptor) {
                TrustStoreDescriptor that = (TrustStoreDescriptor)obj;
                return ((this.lastModified == that.lastModified) &&
                    Objects.equals(this.storeName, that.storeName) &&
                    Objects.equals(this.storeType, that.storeType) &&
                    Objects.equals(this.storeProvider, that.storeProvider));
            }
            return false;
        }
        // Please be careful if computing security-sensitive attributes'
        // hash code.  For example the storePassword should not be computed.
        @Override
        public int hashCode() {
            int result = 17;
            if (storeName != null && !storeName.isEmpty()) {
                result = 31 * result + storeName.hashCode();
            }
            if (storeType != null && !storeType.isEmpty()) {
                result = 31 * result + storeType.hashCode();
            }
            if (storeProvider != null && !storeProvider.isEmpty()) {
                result = 31 * result + storeProvider.hashCode();
            }
            if (storeFile != null) {
                result = 31 * result + storeFile.hashCode();
            }
            if (lastModified != 0L) {
                result = (int)(31 * result + lastModified);
            }
            return result;
        }
    }
    /**
     * The trust anchors manager used to expedite the performance.
     *
     * This class can be used to provide singleton services to access default
     * trust KeyStore more effectively.
     */
    private static final class TrustAnchorManager {
        // Last trust store descriptor.
        private TrustStoreDescriptor descriptor;
        // The key store used for the trust anchors.
        //
        // Use weak reference so that the heavy loaded KeyStore object can
        // be atomically cleared, and reloaded if needed.
        private WeakReference<KeyStore> ksRef;
        // The trusted X.509 certificates in the key store.
        //
        // Use weak reference so that the heavy loaded certificates collection
        // objects can be atomically cleared, and reloaded if needed.
        private WeakReference<Set<X509Certificate>> csRef;
        private TrustAnchorManager() {
            this.descriptor = null;
            this.ksRef = new WeakReference<>(null);
            this.csRef = new WeakReference<>(null);
        }
        /**
         * Get the default trusted KeyStore with the specified descriptor.
         *
         * @return null if the underlying KeyStore is not available.
         */
        synchronized KeyStore getKeyStore(
                TrustStoreDescriptor descriptor) throws Exception {
            TrustStoreDescriptor temporaryDesc = this.descriptor;
            KeyStore ks = ksRef.get();
            if ((ks != null) && descriptor.equals(temporaryDesc)) {
                return ks;
            }
            // Reload a new key store.
            if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
                SSLLogger.fine("Reload the trust store");
            }
            ks = loadKeyStore(descriptor);
            this.descriptor = descriptor;
            this.ksRef = new WeakReference<>(ks);
            return ks;
        }
        /**
         * Get trusted certificates in the default trusted KeyStore with
         * the specified descriptor.
         *
         * @return empty collection if the underlying KeyStore is not available.
         */
        synchronized Set<X509Certificate> getTrustedCerts(
                TrustStoreDescriptor descriptor) throws Exception {
            KeyStore ks = null;
            TrustStoreDescriptor temporaryDesc = this.descriptor;
            Set<X509Certificate> certs = csRef.get();
            if (certs != null) {
                if (descriptor.equals(temporaryDesc)) {
                    return certs;
                } else {
                    // Use the new descriptor.
                    this.descriptor = descriptor;
                }
            } else {
                // Try to use the cached store at first.
                if (descriptor.equals(temporaryDesc)) {
                    ks = ksRef.get();
                } else {
                    // Use the new descriptor.
                    this.descriptor = descriptor;
                }
            }
            // Reload the trust store if needed.
            if (ks == null) {
                if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
                    SSLLogger.fine("Reload the trust store");
                }
                ks = loadKeyStore(descriptor);
            }
            // Reload trust certs from the key store.
            if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
                SSLLogger.fine("Reload trust certs");
            }
            certs = loadTrustedCerts(ks);
            if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
                SSLLogger.fine("Reloaded " + certs.size() + " trust certs");
            }
            // Note that as ks is a local variable, it is not
            // necessary to add it to the ksRef weak reference.
            this.csRef = new WeakReference<>(certs);
            return certs;
        }
        /**
         * Load the the KeyStore as described in the specified descriptor.
         */
        private static KeyStore loadKeyStore(
                TrustStoreDescriptor descriptor) throws Exception {
            if (!"NONE".equals(descriptor.storeName) &&
                    descriptor.storeFile == null) {
                // No file available, no KeyStore available.
                if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
                    SSLLogger.fine("No available key store");
                }
                return null;
            }
            KeyStore ks;
            if (descriptor.storeProvider.isEmpty()) {
                ks = KeyStore.getInstance(descriptor.storeType);
            } else {
                ks = KeyStore.getInstance(
                        descriptor.storeType, descriptor.storeProvider);
            }
            char[] password = null;
            if (!descriptor.storePassword.isEmpty()) {
                password = descriptor.storePassword.toCharArray();
            }
            if (!"NONE".equals(descriptor.storeName)) {
                try (FileInputStream fis = AccessController.doPrivileged(
                        new OpenFileInputStreamAction(descriptor.storeFile))) {
                    ks.load(fis, password);
                } catch (FileNotFoundException fnfe) {
                    // No file available, no KeyStore available.
                    if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
                        SSLLogger.fine(
                            "Not available key store: " + descriptor.storeName);
                    }
                    return null;
                }
            } else {
                ks.load(null, password);
            }
            return ks;
        }
        /**
         * Load trusted certificates from the specified KeyStore.
         */
        private static Set<X509Certificate> loadTrustedCerts(KeyStore ks) {
            if (ks == null) {
                return Collections.<X509Certificate>emptySet();
            }
            return TrustStoreUtil.getTrustedCerts(ks);
        }
    }
}
Back to index...