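package com.intrbiz.bergamot.crypto.util;

import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

import org.apache.log4j.Logger;

/**
 * Information about the TLS aspects of the connection.
 *
 * <p>Captures the negotiated protocol and cipher suite, the peer host and port,
 * the peer certificate chain as presented during the handshake (leaf first,
 * as returned by {@link SSLSession#getPeerCertificates()}), and the result of
 * validating that chain against the Mozilla trust store.
 *
 * <p>{@link #isValidCertificate()} only reports whether the chain builds to a
 * trusted root via {@link X509TrustManager#checkServerTrusted}. That check does
 * not compare the certificate against {@link #getHost()}; hostname verification
 * must be performed separately by the caller if it is required.
 *
 * <p>If the peer presented no certificates, or the session could not be
 * inspected (for example the handshake has not completed), the certificate
 * fields stay {@code null}, {@link #isValidCertificate()} is {@code false} and
 * the accessors and {@link #toString()} tolerate the absence.
 */
public class TLSInfo
{
    private static final Logger LOGGER = Logger.getLogger(TLSInfo.class);

    /** peer host as reported by the session, may be null */
    protected String host;

    /** peer port as reported by the session */
    protected int port;

    /** negotiated protocol name, eg: TLSv1.2 */
    protected String protocol;

    /** negotiated cipher suite name */
    protected String cipher;

    /** peer principal, null if the peer was not authenticated */
    protected Principal principal;

    /** peer chain, leaf first; null if none was presented */
    protected X509Certificate[] certificateChain;

    /** parsed view of {@link #certificateChain}, same order; null if none was presented */
    protected CertInfo[] certificateInfo;

    /** true only when the chain was accepted by the Mozilla trust store */
    protected boolean validCertificate;

    /** the reason the chain was rejected, null when it was accepted or never checked */
    protected CertificateException certificateValidationError;

    protected TLSInfo()
    {
        super();
    }

    /** @return the peer host, may be null */
    public String getHost()
    {
        return host;
    }

    /** @return the peer port */
    public int getPort()
    {
        return port;
    }

    /** @return the negotiated protocol */
    public String getProtocol()
    {
        return protocol;
    }

    /** @return the negotiated cipher suite */
    public String getCipher()
    {
        return cipher;
    }

    /** @return the peer principal, or null if the peer was not authenticated */
    public Principal getPrincipal()
    {
        return principal;
    }

    /**
     * @return a copy of the peer certificate chain (leaf first), or null if
     *         no chain was presented
     */
    public X509Certificate[] getCertificateChain()
    {
        // copy so callers cannot alter the chain that was validated
        return certificateChain == null ? null : certificateChain.clone();
    }

    /**
     * @return a copy of the parsed certificate info, in chain order, or null if
     *         no chain was presented
     */
    public CertInfo[] getCertificateInfo()
    {
        return certificateInfo == null ? null : certificateInfo.clone();
    }

    /** @return the peer's own (leaf) certificate, or null if none was presented */
    public X509Certificate getServerCertificate()
    {
        return (certificateChain == null || certificateChain.length == 0) ? null : certificateChain[0];
    }

    /** @return parsed info for the peer's own (leaf) certificate, or null if none was presented */
    public CertInfo getServerCertInfo()
    {
        return (certificateInfo == null || certificateInfo.length == 0) ? null : certificateInfo[0];
    }

    /**
     * @return true if the chain was accepted by the Mozilla trust store. This
     *         says nothing about whether the certificate matches the host.
     */
    public boolean isValidCertificate()
    {
        return validCertificate;
    }

    /** @return why the chain was rejected, or null if it was accepted or never checked */
    public CertificateException getCertificateValidationError()
    {
        return certificateValidationError;
    }

    @Override
    public String toString()
    {
        StringBuilder sb = new StringBuilder();
        sb.append("tls-info {\n");
        sb.append("protocol: ").append(this.protocol).append("\n");
        sb.append("cipher: ").append(this.cipher).append("\n");
        sb.append("host: ").append(this.host).append("\n");
        sb.append("port: ").append(this.port).append("\n");
        // prints "null" rather than failing when no chain was presented
        sb.append("cert: ").append(this.getServerCertInfo()).append("\n");
        sb.append("valid: ").append(this.validCertificate);
        if (this.certificateValidationError != null)
        {
            sb.append(" (").append(this.certificateValidationError.getMessage()).append(")");
        }
        sb.append("\n");
        sb.append("}");
        return sb.toString();
    }

    /**
     * Build the TLS info for the session of the given engine. Intended to be
     * called once the handshake has completed; before that the engine's session
     * carries no peer information and the certificate fields will be null.
     *
     * @param engine the engine whose current session is described
     * @return the info, never null
     */
    public static TLSInfo fromSSLEngine(SSLEngine engine)
    {
        return fromSSLSession(engine.getSession());
    }

    /**
     * Build the TLS info for the given session, including validation of the
     * peer chain against the Mozilla trust store.
     *
     * <p>Failure to read the peer's identity (unauthenticated peer, non-X.509
     * certificates, incomplete handshake) is logged and leaves the certificate
     * fields null; it never prevents the protocol, cipher, host and port from
     * being reported.
     *
     * @param session the session to describe
     * @return the info, never null
     */
    public static TLSInfo fromSSLSession(SSLSession session)
    {
        TLSInfo info = new TLSInfo();
        info.host = session.getPeerHost();
        info.port = session.getPeerPort();
        info.protocol = session.getProtocol();
        info.cipher = session.getCipherSuite();
        try
        {
            info.principal = session.getPeerPrincipal();
            // the cert chain, leaf first, as presented by the peer
            Certificate[] certChain = session.getPeerCertificates();
            X509Certificate[] chain = new X509Certificate[certChain.length];
            CertInfo[] certInfo = new CertInfo[certChain.length];
            for (int i = 0; i < certChain.length; i++)
            {
                chain[i] = (X509Certificate) certChain[i];
                certInfo[i] = CertInfo.fromX509Certificate(chain[i]);
            }
            // publish both arrays only once fully built, so a failure part way
            // through never leaves a chain with null entries on the info
            info.certificateChain = chain;
            info.certificateInfo = certInfo;
            // validate the cert chain with the Mozilla Trust Store
            try
            {
                info.validCertificate = false;
                X509TrustManager mozillaTrustStore = BergamotTrustManager.getMozillaTrustStore();
                String authType = TLSConstants.getCipherInfo(info.getCipher()).getAuth();
                // chain / trust-anchor check only; does not verify the name against info.host
                mozillaTrustStore.checkServerTrusted(chain, authType);
                info.validCertificate = true;
            }
            catch (CertificateException e)
            {
                // keep the reason so callers can report why the peer was not trusted
                info.certificateValidationError = e;
            }
        }
        catch (Exception e)
        {
            // best effort: an unauthenticated peer (SSLPeerUnverifiedException), a
            // non-X.509 chain or a failed cipher lookup must not break the caller
            LOGGER.error("Failed to build certificate info", e);
        }
        return info;
    }
}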