Examples of com.intel.mtwilson.tls.TrustFirstCertificateTlsPolicy

• com.intel.mtwilson.tls.TrustFirstCertificateTlsPolicy
  This trust policy must be initialized with the server that is being checked and its associated server-specific keystore. If the keystore does not already have a trusted certificate for this server, the server's certificate is saved and considered trusted. User should verify the fingerprint before sending any data. This class is suitable for use when a keystore only contains certificates relevant to a single server - using this class with the same keystore for all connections is insecure because all new certificates will be accepted. It checks the repository for the trusted certificate every time it is used - if you want to cache the repository information (eg. to avoid a database hit on each SSL connection), then you need to provide an in-memory repository that contains just the cached certificates (query the database once and put the results in an ArrayCertificateRepository and provide that to the policy object). @author jbuhacoff

        String ucName = tlsPolicyName.toUpperCase();
        if( ucName.equals("TRUST_CA_VERIFY_HOSTNAME") ) {
            return new TrustCaAndVerifyHostnameTlsPolicy(new KeystoreCertificateRepository(tlsKeystore));
        }
        if( ucName.equals("TRUST_FIRST_CERTIFICATE") ) {
            return new TrustFirstCertificateTlsPolicy(new KeystoreCertificateRepository(tlsKeystore));
        }
        if( ucName.equals("TRUST_KNOWN_CERTIFICATE") ) {
            return new TrustKnownCertificateTlsPolicy(new KeystoreCertificateRepository(tlsKeystore));
        }
        if( ucName.equals("INSECURE") ) {

            else if( requireTrustedCertificate && !verifyHostname ) {
                // two choices: trust first certificate or trust known certificate;  we choose trust first certificate as a usability default
                // furthermore we assume that the api client keystore is a server-specific keystore (it's a client configured for a specific mt wilson server)
                // that either has a server instance ssl cert or a cluster ssl cert.  either should work.
                log.warn("Using TLS Policy TRUST_FIRST_CERTIFICATE");
                return new TrustFirstCertificateTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
            }
            else { // !requireTrustedCertificate && (verifyHostname || !verifyHostname)
                log.warn("Using TLS Policy TRUST_FIRST_INSECURE");
                return new InsecureTlsPolicy();
            }
        }
        else if( tlsPolicyName.equals("TRUST_CA_VERIFY_HOSTNAME") ) {
            log.info("TLS Policy: TRUST_CA_VERIFY_HOSTNAME");
            return new TrustCaAndVerifyHostnameTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
        }
        else if( tlsPolicyName.equals("TRUST_FIRST_CERTIFICATE") ) {
            log.info("TLS Policy: TRUST_FIRST_CERTIFICATE");
            return new TrustFirstCertificateTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
        }
        else if( tlsPolicyName.equals("TRUST_KNOWN_CERTIFICATE") ) {
            log.info("TLS Policy: TRUST_KNOWN_CERTIFICATE");
            return new TrustKnownCertificateTlsPolicy(new KeystoreCertificateRepository(sslKeystore));
        }