Class TrustSource


  • public class TrustSource
    extends java.lang.Object
A source of trusted root certificate authorities. Provides static methods to obtain the default trust sources (defaultTrustSource(), javaTrustSource() and builtinTrustSource()). Custom TrustSources can be built by starting with empty(), then calling the various add() methods to add PEM-encoded files and Strings, KeyStores, and X509Certificates to the TrustSource. For example:

    TrustSource customTrustSource = TrustSource.empty()
        .add(myX509Certificate)
        .add(pemFileContainingMyCA)
        .add(javaKeyStore);

    Note: This class is immutable, so calls to add() will return a new instance, rather than modifying the existing instance.
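    The following is an added example, not code from the original page or from the library that defines TrustSource. It shows three things a practitioner usually wants from this API: the immutability pitfall (the result of add() must be kept, or the source stays empty), a diff of javaTrustSource() against builtinTrustSource() to see exactly which extra roots defaultTrustSource() would trust, and a pinned trust source built from empty() plus a single PEM bundle. The page does not name the package TrustSource lives in, so the class is assumed to be on the classpath in the same package; the PEM path is taken from the command line and is an assumption of this example.

```java
import java.io.File;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// TrustSource is assumed to be in the same package (the page does not give its package name).
public class TrustSourceExample {

    // Hex SHA-256 of the DER encoding: the usual identifier for a root when diffing trust stores.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Roots present in 'a' but absent from 'b'. X509Certificate.equals compares the
    // encoded form, so a HashSet is sufficient for the comparison.
    static Set<X509Certificate> onlyIn(TrustSource a, TrustSource b) {
        Set<X509Certificate> result = new HashSet<>(Arrays.asList(a.getTrustedCAs()));
        result.removeAll(Arrays.asList(b.getTrustedCAs()));
        return result;
    }

    public static void main(String[] args) throws Exception {
        // 1. Immutability: add() returns a new instance; a discarded return value changes nothing.
        TrustSource ts = TrustSource.empty();
        ts.add(TrustSource.javaTrustSource());            // return value dropped: ts is still empty
        System.out.println("after discarded add(): " + ts.getTrustedCAs().length);
        ts = ts.add(TrustSource.javaTrustSource());       // reassigned: ts now holds the JVM roots
        System.out.println("after reassigned add(): " + ts.getTrustedCAs().length);

        // 2. What does defaultTrustSource() trust beyond the JVM alone? Diff its two halves.
        TrustSource jvm = TrustSource.javaTrustSource();
        TrustSource builtin = TrustSource.builtinTrustSource();
        for (X509Certificate c : onlyIn(builtin, jvm)) {
            System.out.println("builtin-only root: " + c.getSubjectX500Principal() + " " + fingerprint(c));
        }
        for (X509Certificate c : onlyIn(jvm, builtin)) {
            System.out.println("jvm-only root: " + c.getSubjectX500Principal() + " " + fingerprint(c));
        }

        // 3. Pin to a private CA: start from empty() so that no public root is trusted at all.
        if (args.length > 0) {
            File pemBundle = new File(args[0]);           // assumed: path to a PEM file with the CA(s)
            TrustSource pinned = TrustSource.empty().add(pemBundle);
            // add(File) yields "zero or more" certificates: a malformed bundle silently produces an
            // empty source, which fails closed but is better caught at start-up than at the first TLS error.
            if (pinned.getTrustedCAs().length == 0) {
                throw new IllegalStateException("no PEM certificates parsed from " + pemBundle);
            }
            for (X509Certificate c : pinned.getTrustedCAs()) {
                // getBasicConstraints() is -1 for non-CA certificates; a leaf in the bundle is a mistake.
                if (c.getBasicConstraints() == -1) {
                    throw new IllegalStateException("not a CA certificate: " + c.getSubjectX500Principal());
                }
                System.out.println("pinned CA: " + c.getSubjectX500Principal() + " " + fingerprint(c));
            }
        }
    }
}
```

    Run it with no arguments to see the two default halves diffed, or with the path of a PEM bundle to build and validate a pinned source. The basic-constraints check is not something TrustSource does for you; it is the kind of start-up assertion worth adding when the trust source comes from configuration rather than from the JVM.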

    • Constructor Summary

      Constructors 
      Modifier Constructor Description
      protected TrustSource()
      Creates a TrustSource that contains no trusted certificates.
      protected TrustSource​(java.security.cert.X509Certificate... trustedCAs)
      Creates a TrustSource that considers only the specified certificates as "trusted".
    • Method Summary

      Modifier and Type Method Description
      TrustSource add​(TrustSource trustSource)
      Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus the trusted CAs in the specified TrustSource.
      TrustSource add​(java.io.File trustedCAPemFile)
      Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus zero or more CAs contained in the PEM-encoded File.
      TrustSource add​(java.lang.String trustedPemEncodedCAs)
      Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus zero or more CAs contained in the PEM-encoded String.
      TrustSource add​(java.security.cert.X509Certificate... trustedCertificates)
      Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus zero or more additional trusted X509Certificates.
      TrustSource add​(java.security.KeyStore trustStore)
      Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus all trusted certificate entries from the specified trustStore.
      static TrustSource builtinTrustSource()
      Returns a TrustSource containing only the builtin trusted CAs; it does not include the JVM's trusted CAs.
      static TrustSource defaultTrustSource()
      Returns a TrustSource containing the default trusted CAs.
      static TrustSource empty()
      Returns a TrustSource that contains no trusted CAs.
      java.security.cert.X509Certificate[] getTrustedCAs()
      Returns the X509 certificates considered "trusted" by this TrustSource.
      static TrustSource javaTrustSource()
      Returns a TrustSource containing the default CAs trusted by this JVM.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • TrustSource

        protected TrustSource()
        Creates a TrustSource that contains no trusted certificates. For public use, see empty().
      • TrustSource

        protected TrustSource​(java.security.cert.X509Certificate... trustedCAs)
        Creates a TrustSource that considers only the specified certificates as "trusted". For public use, use empty() followed by add(X509Certificate...).
        Parameters:
        trustedCAs - root CAs to trust
    • Method Detail

      • getTrustedCAs

        public java.security.cert.X509Certificate[] getTrustedCAs()
        Returns the X509 certificates considered "trusted" by this TrustSource. This method will not return null, but may return an empty array.
        Returns:
        X509Certificate[]
      • empty

        public static TrustSource empty()
        Returns a TrustSource that contains no trusted CAs. Can be used in conjunction with the add() methods to build a TrustSource containing custom CAs from a variety of sources (PEM files, KeyStores, etc.).
        Returns:
        TrustSource
      • defaultTrustSource

        public static TrustSource defaultTrustSource()
        Returns a TrustSource containing the default trusted CAs. By default, contains both the JVM's trusted CAs and the built-in trusted CAs (Firefox's trusted CAs).
        Returns:
        TrustSource
      • builtinTrustSource

        public static TrustSource builtinTrustSource()
        Returns a TrustSource containing only the builtin trusted CAs; it does not include the JVM's trusted CAs. See TrustUtil.getBuiltinTrustedCAs().
        Returns:
        TrustSource
      • add

        public TrustSource add​(java.lang.String trustedPemEncodedCAs)
        Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus zero or more CAs contained in the PEM-encoded String. The String may contain multiple certificates and may contain comments or other non-PEM-encoded text, as long as the PEM-encoded certificates are delimited by appropriate BEGIN_CERTIFICATE and END_CERTIFICATE text blocks.
        Parameters:
        trustedPemEncodedCAs - String containing PEM-encoded certificates to trust
        Returns:
        a new TrustSource containing this TrustSource's trusted CAs plus the CAs in the specified String
      • add

        public TrustSource add​(java.security.cert.X509Certificate... trustedCertificates)
        Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus zero or more additional trusted X509Certificates. If trustedCertificates is null or empty, returns this same TrustSource.
        Parameters:
        trustedCertificates - X509Certificates of CAs to trust
        Returns:
        a new TrustSource containing this TrustSource's trusted CAs plus the specified CAs
      • add

        public TrustSource add​(java.security.KeyStore trustStore)
        Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus all trusted certificate entries from the specified trustStore. This method will only add trusted certificate entries from the specified KeyStore (i.e. entries of type KeyStore.TrustedCertificateEntry); private key entries will be ignored. The trustStore may be in JKS or PKCS12 format.
        Parameters:
        trustStore - keystore containing trusted certificate entries
        Returns:
        a new TrustSource containing this TrustSource's trusted CAs plus trusted certificate entries from the keystore
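        The following is an added example, not code from the original page or from the library. It checks the behaviour described above from the outside: it enumerates the KeyStore.TrustedCertificateEntry aliases of a keystore itself and then asserts that every one of them is present in the TrustSource produced by add(KeyStore), so that a certificate stored under a PrivateKeyEntry (which add(KeyStore) ignores) is noticed rather than silently untrusted. By default it loads the JVM's own cacerts file with the JDK default password; the file path, the password and the package location of TrustSource are assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// TrustSource is assumed to be in the same package (the page does not give its package name).
public class KeyStoreTrustSourceExample {

    // Trusted-certificate entries of the keystore, keyed by alias. PrivateKeyEntry aliases are
    // deliberately skipped here because add(KeyStore) skips them too.
    static Map<String, X509Certificate> trustedEntries(KeyStore ks) throws Exception {
        Map<String, X509Certificate> out = new LinkedHashMap<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                out.put(alias, (X509Certificate) ks.getCertificate(alias));
            }
        }
        return out;
    }

    // Aliases whose certificate did not make it into the TrustSource (expected: none).
    static Set<String> missingFrom(TrustSource ts, Map<String, X509Certificate> expected) {
        Set<X509Certificate> actual = new HashSet<>(Arrays.asList(ts.getTrustedCAs()));
        Set<String> missing = new HashSet<>();
        for (Map.Entry<String, X509Certificate> e : expected.entrySet()) {
            if (!actual.contains(e.getValue())) {
                missing.add(e.getKey());
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JVM's cacerts file and the JDK default password "changeit".
        // Pass a path and a password on the command line to check a different truststore.
        Path path = args.length > 0
                ? Path.of(args[0])
                : Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // The default type is PKCS12 on current JDKs; with the JDK's keystore.type.compat setting
        // (on by default) load() also accepts an older JKS-format file.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }

        Map<String, X509Certificate> expected = trustedEntries(ks);
        TrustSource ts = TrustSource.empty().add(ks);

        Set<String> missing = missingFrom(ts, expected);
        if (!missing.isEmpty()) {
            throw new IllegalStateException("trusted entries absent from TrustSource: " + missing);
        }
        System.out.println(expected.size() + " trusted certificate entries in " + path
                + ", " + ts.getTrustedCAs().length + " CAs in TrustSource");
    }
}
```

        If the keystore also holds PrivateKeyEntry items (a combined key-and-trust store, which is common in misconfigured services), their certificates are not in the TrustSource and are not in the expected map either, so the check passes; to treat that as an error instead, count the aliases where ks.isKeyEntry(alias) is true and fail when the count is non-zero.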
      • add

        public TrustSource add​(java.io.File trustedCAPemFile)
        Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus zero or more CAs contained in the PEM-encoded File. The File may contain multiple certificates and may contain comments or other non-PEM-encoded text, as long as the PEM-encoded certificates are delimited by appropriate BEGIN_CERTIFICATE and END_CERTIFICATE text blocks. The file may contain UTF-8 characters, but the PEM-encoded certificate data itself must be US-ASCII.
        Parameters:
        trustedCAPemFile - File containing PEM-encoded certificates
        Returns:
        a new TrustSource containing this TrustSource's trusted CAs plus the CAs in the specified File
      • add

        public TrustSource add​(TrustSource trustSource)
        Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus the trusted CAs in the specified TrustSource.
        Parameters:
        trustSource - TrustSource to combine with this TrustSource
        Returns:
        a new TrustSource containing both TrustSources' trusted CAs