Package ghidra.net

Class DefaultTrustManagerFactory

java.lang.Object
ghidra.net.DefaultTrustManagerFactory

public class DefaultTrustManagerFactory extends Object
DefaultTrustManagerFactory provides the ability to establish acceptable certificate authorities to be used with the default SSLContext as established by DefaultSSLContextInitializer.

The default behavior is for no trust authority to be established, in which case SSL peers will not be authenticated. If CA certificates have been set, all SSL connections which leverage this factory will perform peer authentication. If an error occurs while reading the CA certs file, all peer authentication will fail, based upon the inability to choose a suitable client/server certificate. Because the default (no cacerts file) disables peer authentication entirely, a deployment that relies on TLS to authenticate peers must configure a CA file and confirm that it loaded (for example by checking that getTrustedIssuers() returns a non-empty array).

The application X.509 CA certificates file may be in the standard form (*.pem, *.crt, *.cer, *.der) or may be in a Java JKS form (*.jks). The absolute path to this file may be established in one of two ways:

  1. setting the system property ghidra.cacerts (takes precedence)
  2. setting the user preference ghidra.cacerts

The application may choose to set the file path automatically based upon the presence of a cacerts file at a predetermined location.

NOTE: Since SslRMIClientSocketFactory and SSLServerSocketFactory employ a static cache of a default SSLSocketFactory, with its default SSLContext, we must utilize a wrapped implementation of the associated X509TrustManager so that any changes are used by the existing default SSLSocketFactory.
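The following is an added example written for this page, not code from Ghidra, that shows the two mechanisms described above in plain JSSE: resolving the cacerts path with the system property taking precedence over a preference, loading the file as either a JKS keystore or an X.509 certificate bundle (PEM or DER), and wrapping the resulting X509TrustManager so that its delegate can be replaced after a cached SSLSocketFactory has already captured the wrapper. Assumptions: the class and method names are hypothetical, the `prefs` map stands in for Ghidra's user-preference store, and the wrapper fails closed when no CA file has been loaded, which differs from the documented Ghidra default of not authenticating peers.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Properties;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (hypothetical class, not Ghidra code): a swappable X509TrustManager fed from a cacerts file. */
public class SwappableTrustManager implements X509TrustManager {

    /** Same key the Javadoc documents for both the system property and the user preference. */
    static final String CACERTS_KEY = "ghidra.cacerts";

    /** Delegate that performs the real PKIX validation; null until a CA file has been loaded. */
    private volatile X509TrustManager delegate;

    /** System property wins; 'prefs' stands in for Ghidra's preference store (assumption). */
    static String resolveCaCertsPath(Properties sysProps, Map<String, String> prefs) {
        String p = sysProps.getProperty(CACERTS_KEY);
        if (p == null || p.isBlank()) {
            p = prefs.get(CACERTS_KEY);
        }
        return (p == null || p.isBlank()) ? null : p;
    }

    /** *.jks is opened as a keystore; anything else is parsed as X.509 certificates (PEM or DER, one or many). */
    static KeyStore loadTrustStore(Path file, char[] jksPassword) throws Exception {
        if (file.toString().toLowerCase().endsWith(".jks")) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(file.toFile())) {
                ks.load(in, jksPassword); // null password still allows reading the certificate entries
            }
            return ks;
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        try (InputStream in = new FileInputStream(file.toFile())) {
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("ca-" + (n++), c);
            }
        }
        if (n == 0) {
            throw new CertificateException("no certificates found in " + file);
        }
        return ks;
    }

    static X509TrustManager pkixTrustManager(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available from PKIX factory");
    }

    /** Replace the delegate; any SSLSocketFactory that already holds this wrapper sees the new CAs at once. */
    public void setTrustStore(Path file, char[] jksPassword) throws Exception {
        delegate = pkixTrustManager(loadTrustStore(file, jksPassword));
    }

    private X509TrustManager active() throws CertificateException {
        X509TrustManager d = delegate;
        if (d == null) {
            // Fail closed; the documented Ghidra default instead performs no peer authentication.
            throw new CertificateException("no CA certificates configured (" + CACERTS_KEY + " unset)");
        }
        return d;
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        active().checkClientTrusted(chain, authType); // PKIX path validation, including expiry
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        active().checkServerTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() {
        X509TrustManager d = delegate;
        return d == null ? new X509Certificate[0] : d.getAcceptedIssuers();
    }

    /** Usage: java -Dghidra.cacerts=/abs/path/ca.pem SwappableTrustManager   (or pass the path as argv[0]). */
    public static void main(String[] args) throws Exception {
        Map<String, String> prefs = args.length > 0 ? Map.of(CACERTS_KEY, args[0]) : Map.of();
        String path = resolveCaCertsPath(System.getProperties(), prefs);
        if (path == null) {
            System.err.println("no cacerts path: set -D" + CACERTS_KEY + " or pass a path");
            return;
        }
        SwappableTrustManager tm = new SwappableTrustManager();
        tm.setTrustStore(Path.of(path), null);
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println("trusted issuer: " + ca.getSubjectX500Principal());
        }
    }
}
```

The wrapper is the point of the NOTE above: `SSLContext.init(null, new TrustManager[]{ tm }, null)` captures the wrapper object, and because the cached SSLSocketFactory only ever sees the wrapper, a later `setTrustStore` call changes what is trusted without rebuilding the context. Reading the delegate into a local before using it keeps a concurrent swap from being observed halfway through a single check.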

  • Field Details

    • GHIDRA_CACERTS_PATH_PROPERTY

      public static final String GHIDRA_CACERTS_PATH_PROPERTY
      The X509 cacerts file to be used when authenticating remote certificates is identified by either a system property or user preference ghidra.cacerts. The system property takes precedence.
  • Method Details

    • getTrustManagers

      public static TrustManager[] getTrustManagers()
      Get the trust managers after performing any necessary initialization (reading the configured cacerts file).
      Returns:
      trust managers
    • getTrustedIssuers

      public static X500Principal[] getTrustedIssuers() throws CertificateException
      Returns a list of trusted issuers (i.e., CA certificates) as established by the DefaultTrustManagerFactory.
      Returns:
      array of trusted Certificate Authorities
      Throws:
      CertificateException - if failed to properly initialize trust manager due to CA certificate error(s).
    • validateClient

      public static void validateClient(X509Certificate[] certChain, String authType) throws CertificateException
      Validate a client certificate ensuring that it is not expired and is trusted based upon the active trust managers.
      Parameters:
      certChain - X509 certificate chain
      authType - authentication type (e.g., "RSA")
      Throws:
      CertificateException - if certificate validation fails
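The following is an added example, not Ghidra's own code, showing how the three methods above fit together on the server side of a mutually authenticated TLS connection: the cacerts path is set through the documented system property before the default context is touched, getTrustedIssuers() is used as a start-up check that the CA file actually loaded, the factory's trust managers feed an SSLContext that requires client certificates, and validateClient() re-checks the presented chain explicitly once the handshake completes. Assumptions: Ghidra is on the classpath; the class name, the port argument, and the use of the leaf certificate's key algorithm as `authType` are choices made for this example; the server's own identity keystore is supplied through the standard JSSE `javax.net.ssl.keyStore` properties.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.security.auth.x500.X500Principal;
import ghidra.net.DefaultTrustManagerFactory;

/** Added example (hypothetical class): accept TLS clients and gate them on DefaultTrustManagerFactory. */
public class ClientCertGate {

    /** Must run before anything initializes the default SSL context, or the property is not seen. */
    static void configureCaCerts(String caCertsAbsolutePath) {
        System.setProperty(DefaultTrustManagerFactory.GHIDRA_CACERTS_PATH_PROPERTY, caCertsAbsolutePath);
    }

    /** Start-up check: a CA file that failed to load surfaces here as CertificateException or an empty array. */
    static X500Principal[] requireTrustedIssuers() throws CertificateException {
        X500Principal[] issuers = DefaultTrustManagerFactory.getTrustedIssuers();
        if (issuers.length == 0) {
            throw new CertificateException("no trusted issuers configured; refusing to authenticate clients");
        }
        return issuers;
    }

    static X509Certificate[] peerChain(SSLSocket s) throws IOException {
        Certificate[] chain = s.getSession().getPeerCertificates(); // SSLPeerUnverifiedException if none
        return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
    }

    /**
     * Usage: java -Djavax.net.ssl.keyStore=server.jks -Djavax.net.ssl.keyStorePassword=... \
     *             ClientCertGate /abs/path/ca.pem 8443
     */
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ClientCertGate <cacerts-file> <port>");
            return;
        }
        configureCaCerts(args[0]);
        int port = Integer.parseInt(args[1]);

        System.out.println("accepting client certificates issued by " + Arrays.toString(requireTrustedIssuers()));

        // Key managers are null so the server identity comes from the javax.net.ssl.keyStore properties;
        // trust managers come from the factory, so the handshake itself already rejects untrusted clients.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, DefaultTrustManagerFactory.getTrustManagers(), null);

        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port)) {
            server.setNeedClientAuth(true); // a client without a certificate never completes the handshake
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();
                    X509Certificate[] chain = peerChain(client);
                    // Explicit re-check of the presented chain (not expired, chains to a trusted CA).
                    String authType = chain[0].getPublicKey().getAlgorithm(); // e.g. "RSA" or "EC"
                    DefaultTrustManagerFactory.validateClient(chain, authType);
                    System.out.println("authenticated " + chain[0].getSubjectX500Principal());
                    // ... application protocol continues here ...
                }
                catch (CertificateException | IOException e) {
                    System.err.println("rejected client: " + e.getMessage());
                }
            }
        }
    }
}
```

The explicit validateClient() call is redundant with a correctly configured handshake, which is the intent: it keeps the authentication decision in application code where it is visible and testable, and it still rejects the chain if the context were ever rebuilt with a permissive trust manager. Catching the handshake's IOException alongside CertificateException matters because an absent or untrusted client certificate surfaces as an SSLHandshakeException, not as a CertificateException.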