remove unsafe trustmanager and SHA alogirthm
This commit is contained in:
parent
7ef0e83364
commit
3a1adbbcfe
7 changed files with 27 additions and 107 deletions
|
@ -29,10 +29,6 @@ public class CryptUtil {
|
|||
return encodeHex(b);
|
||||
}
|
||||
|
||||
public static String sha(String plainText) throws NoSuchAlgorithmException {
|
||||
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA.algo, Algo.SHA.prefix);
|
||||
}
|
||||
|
||||
public static String sha256(String plainText) throws NoSuchAlgorithmException {
|
||||
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA256.algo, Algo.SHA256.prefix);
|
||||
}
|
||||
|
@ -53,18 +49,6 @@ public class CryptUtil {
|
|||
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), salt, Algo.SSHA512.algo, Algo.SSHA512.prefix);
|
||||
}
|
||||
|
||||
public static String hmacSHA1(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException {
|
||||
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset));
|
||||
}
|
||||
|
||||
public static String hmacSHA1(Charset charset, byte[] plainText, String secret) throws InvalidKeyException, NoSuchAlgorithmException {
|
||||
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText, secret.getBytes(charset));
|
||||
}
|
||||
|
||||
public static String hmacSHA1(byte[] plainText, byte[] secret) throws InvalidKeyException, NoSuchAlgorithmException {
|
||||
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText, secret);
|
||||
}
|
||||
|
||||
public static String hmacSHA256(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException {
|
||||
return hmac(HMac.HMAC_SHA256, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset));
|
||||
}
|
||||
|
|
|
@ -197,16 +197,6 @@ public final class SSLFactory {
|
|||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* A shorter method for using the unsafe trust material
|
||||
*
|
||||
* @see Builder#withTrustingAllCertificatesWithoutValidation()
|
||||
* @return {@link Builder}
|
||||
*/
|
||||
public Builder withUnsafeTrustMaterial() {
|
||||
return withTrustingAllCertificatesWithoutValidation();
|
||||
}
|
||||
|
||||
public Builder withDummyTrustMaterial() {
|
||||
trustManagers.add(TrustManagerUtils.createDummyTrustManager());
|
||||
return this;
|
||||
|
@ -683,11 +673,6 @@ public final class SSLFactory {
|
|||
return this;
|
||||
}
|
||||
|
||||
public Builder withTrustingAllCertificatesWithoutValidation() {
|
||||
trustManagers.add(TrustManagerUtils.createUnsafeTrustManager());
|
||||
return this;
|
||||
}
|
||||
|
||||
public Builder withTrustEnhancer(ChainAndAuthTypeValidator validator) {
|
||||
this.chainAndAuthTypeValidator = validator;
|
||||
return this;
|
||||
|
|
|
@ -6,7 +6,6 @@ import org.xbib.net.security.ssl.exception.GenericIOException;
|
|||
|
||||
import javax.net.ssl.HttpsURLConnection;
|
||||
import javax.net.ssl.SSLSocketFactory;
|
||||
import javax.net.ssl.X509ExtendedTrustManager;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.net.URI;
|
||||
|
@ -34,21 +33,15 @@ class CertificateExtractorUtils {
|
|||
private static CertificateExtractorUtils instance;
|
||||
|
||||
private final SSLFactory sslFactory;
|
||||
private final SSLSocketFactory unsafeSslSocketFactory;
|
||||
private final SSLSocketFactory sslSocketFactory;
|
||||
private final SSLSocketFactory certificateCapturingSslSocketFactory;
|
||||
private final List<X509Certificate> certificatesCollector;
|
||||
|
||||
private CertificateExtractorUtils() {
|
||||
certificatesCollector = new ArrayList<>();
|
||||
|
||||
X509ExtendedTrustManager certificateCapturingTrustManager = TrustManagerUtils.createCertificateCapturingTrustManager(certificatesCollector);
|
||||
|
||||
sslFactory = SSLFactory.builder()
|
||||
.withTrustMaterial(certificateCapturingTrustManager)
|
||||
.build();
|
||||
|
||||
sslFactory = SSLFactory.builder().build();
|
||||
certificateCapturingSslSocketFactory = sslFactory.getSslSocketFactory();
|
||||
unsafeSslSocketFactory = SSLSocketUtils.createUnsafeSslSocketFactory();
|
||||
sslSocketFactory = SSLSocketUtils.createSslSocketFactory(sslFactory.getSslContext(), sslFactory.getSslParameters());
|
||||
}
|
||||
|
||||
static CertificateExtractorUtils getInstance() {
|
||||
|
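Review bot: With the capturing trust manager dropped from the builder chain, `certificateCapturingSslSocketFactory` is now just `sslFactory.getSslSocketFactory()` of a factory built with no trust material, so nothing visible in this constructor ever adds to `certificatesCollector`, and the field name no longer describes what the factory does. If the extractor is still expected to record peer chains, the two-argument `TrustManagerUtils.createCertificateCapturingTrustManager(baseTrustManager, certificatesCollector)` overload that this commit keeps can wrap a validating base trust manager, e.g. `X509ExtendedTrustManager capturing = TrustManagerUtils.createCertificateCapturingTrustManager(<validating base trust manager>, certificatesCollector);` followed by `sslFactory = SSLFactory.builder().withTrustMaterial(capturing).build();`. What `SSLFactory.builder().build()` trusts when no trust material is configured is not visible here; a one-line comment stating the intended default would help the next reader.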
@ -127,7 +120,7 @@ class CertificateExtractorUtils {
|
|||
URL url = uri.toURL();
|
||||
URLConnection connection = url.openConnection();
|
||||
if (connection instanceof HttpsURLConnection) {
|
||||
((HttpsURLConnection) connection).setSSLSocketFactory(unsafeSslSocketFactory);
|
||||
((HttpsURLConnection) connection).setSSLSocketFactory(sslSocketFactory);
|
||||
}
|
||||
|
||||
InputStream inputStream = connection.getInputStream();
|
||||
|
|
|
@ -31,15 +31,12 @@ public final class SSLContextUtils {
|
|||
return createSslContext(keyManagers, trustManagers, secureRandom, DEFAULT_SSL_CONTEXT_ALGORITHM, (Provider) null);
|
||||
}
|
||||
|
||||
public static SSLContext createSslContext(
|
||||
List<? extends X509KeyManager> keyManagers,
|
||||
public static SSLContext createSslContext( List<? extends X509KeyManager> keyManagers,
|
||||
List<? extends X509TrustManager> trustManagers,
|
||||
SecureRandom secureRandom,
|
||||
String sslContextAlgorithm,
|
||||
Provider securityProvider) {
|
||||
|
||||
return createSslContext(
|
||||
!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
|
||||
return createSslContext(!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
|
||||
!trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null,
|
||||
secureRandom,
|
||||
sslContextAlgorithm,
|
||||
|
@ -54,9 +51,7 @@ public final class SSLContextUtils {
|
|||
SecureRandom secureRandom,
|
||||
String sslContextAlgorithm,
|
||||
String securityProviderName) {
|
||||
|
||||
return createSslContext(
|
||||
!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
|
||||
return createSslContext(!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
|
||||
!trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null,
|
||||
secureRandom,
|
||||
sslContextAlgorithm,
|
||||
|
@ -65,16 +60,13 @@ public final class SSLContextUtils {
|
|||
);
|
||||
}
|
||||
|
||||
public static SSLContext createSslContext(
|
||||
X509KeyManager keyManager,
|
||||
public static SSLContext createSslContext(X509KeyManager keyManager,
|
||||
X509TrustManager trustManager,
|
||||
SecureRandom secureRandom,
|
||||
String sslContextAlgorithm,
|
||||
String securityProviderName,
|
||||
Provider securityProvider) {
|
||||
|
||||
return createSslContext(
|
||||
keyManager != null ? KeyManagerUtils.toArray(keyManager) : null,
|
||||
return createSslContext(keyManager != null ? KeyManagerUtils.toArray(keyManager) : null,
|
||||
trustManager != null ? TrustManagerUtils.toArray(trustManager) : null,
|
||||
secureRandom,
|
||||
sslContextAlgorithm,
|
||||
|
@ -83,14 +75,12 @@ public final class SSLContextUtils {
|
|||
);
|
||||
}
|
||||
|
||||
private static SSLContext createSslContext(
|
||||
X509ExtendedKeyManager[] keyManagers,
|
||||
private static SSLContext createSslContext(X509ExtendedKeyManager[] keyManagers,
|
||||
X509ExtendedTrustManager[] trustManagers,
|
||||
SecureRandom secureRandom,
|
||||
String sslContextAlgorithm,
|
||||
String securityProviderName,
|
||||
Provider securityProvider) {
|
||||
|
||||
try {
|
||||
SSLContext sslContext;
|
||||
if (nonNull(securityProvider)) {
|
||||
|
@ -100,12 +90,10 @@ public final class SSLContextUtils {
|
|||
} else {
|
||||
sslContext = SSLContext.getInstance(sslContextAlgorithm);
|
||||
}
|
||||
|
||||
sslContext.init(keyManagers, trustManagers, secureRandom);
|
||||
return sslContext;
|
||||
} catch (NoSuchAlgorithmException | KeyManagementException | NoSuchProviderException e) {
|
||||
throw new GenericSSLContextException(e);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
package org.xbib.net.security.ssl.util;
|
||||
|
||||
import org.xbib.net.security.ssl.SSLFactory;
|
||||
import org.xbib.net.security.ssl.socket.CompositeSSLServerSocketFactory;
|
||||
import org.xbib.net.security.ssl.socket.CompositeSSLSocketFactory;
|
||||
|
||||
|
@ -21,13 +20,6 @@ public final class SSLSocketUtils {
|
|||
return new CompositeSSLSocketFactory(sslSocketFactory, sslParameters);
|
||||
}
|
||||
|
||||
public static SSLSocketFactory createUnsafeSslSocketFactory() {
|
||||
return SSLFactory.builder()
|
||||
.withUnsafeTrustMaterial()
|
||||
.build()
|
||||
.getSslSocketFactory();
|
||||
}
|
||||
|
||||
public static SSLServerSocketFactory createSslServerSocketFactory(SSLContext sslContext, SSLParameters sslParameters) {
|
||||
return new CompositeSSLServerSocketFactory(sslContext.getServerSocketFactory(), sslParameters);
|
||||
}
|
||||
|
|
|
@ -10,7 +10,6 @@ import org.xbib.net.security.ssl.trustmanager.DummyX509ExtendedTrustManager;
|
|||
import org.xbib.net.security.ssl.trustmanager.EnhanceableX509ExtendedTrustManager;
|
||||
import org.xbib.net.security.ssl.trustmanager.HotSwappableX509ExtendedTrustManager;
|
||||
import org.xbib.net.security.ssl.trustmanager.TrustManagerFactoryWrapper;
|
||||
import org.xbib.net.security.ssl.trustmanager.UnsafeX509ExtendedTrustManager;
|
||||
import org.xbib.net.security.ssl.trustmanager.X509TrustManagerWrapper;
|
||||
|
||||
import javax.net.ssl.ManagerFactoryParameters;
|
||||
|
@ -156,18 +155,10 @@ public final class TrustManagerUtils {
|
|||
}
|
||||
}
|
||||
|
||||
public static X509ExtendedTrustManager createUnsafeTrustManager() {
|
||||
return UnsafeX509ExtendedTrustManager.getInstance();
|
||||
}
|
||||
|
||||
public static X509ExtendedTrustManager createDummyTrustManager() {
|
||||
return DummyX509ExtendedTrustManager.getInstance();
|
||||
}
|
||||
|
||||
public static X509ExtendedTrustManager createCertificateCapturingTrustManager(List<X509Certificate> certificatesCollector) {
|
||||
return createCertificateCapturingTrustManager(TrustManagerUtils.createUnsafeTrustManager(), certificatesCollector);
|
||||
}
|
||||
|
||||
public static X509ExtendedTrustManager createCertificateCapturingTrustManager(X509TrustManager baseTrustManager, List<X509Certificate> certificatesCollector) {
|
||||
return new CertificateCapturingX509ExtendedTrustManager(wrapIfNeeded(baseTrustManager), certificatesCollector);
|
||||
}
|
||||
|
@ -328,42 +319,29 @@ public final class TrustManagerUtils {
|
|||
|
||||
public X509ExtendedTrustManager build() {
|
||||
ValidationUtils.requireNotEmpty(trustManagers, () -> new GenericTrustManagerException(EMPTY_TRUST_MANAGER_EXCEPTION));
|
||||
|
||||
X509ExtendedTrustManager baseTrustManager;
|
||||
|
||||
Optional<X509ExtendedTrustManager> unsafeTrustManager = trustManagers.stream()
|
||||
.filter(UnsafeX509ExtendedTrustManager.class::isInstance)
|
||||
.findAny();
|
||||
|
||||
if (unsafeTrustManager.isPresent()) {
|
||||
baseTrustManager = unsafeTrustManager.get();
|
||||
if (trustManagers.size() == 1) {
|
||||
baseTrustManager = trustManagers.get(0);
|
||||
} else {
|
||||
if (trustManagers.size() == 1) {
|
||||
baseTrustManager = trustManagers.get(0);
|
||||
} else {
|
||||
baseTrustManager = trustManagers.stream()
|
||||
.map(TrustManagerUtils::unwrapIfPossible)
|
||||
.flatMap(Collection::stream)
|
||||
.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)
|
||||
.collect(Collectors.collectingAndThen(Collectors.toList(), CompositeX509ExtendedTrustManager::new));
|
||||
}
|
||||
|
||||
if (chainAndAuthTypeValidator != null
|
||||
|| chainAndAuthTypeWithSocketValidator != null
|
||||
|| chainAndAuthTypeWithSSLEngineValidator != null) {
|
||||
baseTrustManager = TrustManagerUtils.createEnhanceableTrustManager(
|
||||
baseTrustManager,
|
||||
chainAndAuthTypeValidator,
|
||||
chainAndAuthTypeWithSocketValidator,
|
||||
chainAndAuthTypeWithSSLEngineValidator
|
||||
);
|
||||
}
|
||||
baseTrustManager = trustManagers.stream()
|
||||
.map(TrustManagerUtils::unwrapIfPossible)
|
||||
.flatMap(Collection::stream)
|
||||
.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)
|
||||
.collect(Collectors.collectingAndThen(Collectors.toList(), CompositeX509ExtendedTrustManager::new));
|
||||
}
|
||||
if (chainAndAuthTypeValidator != null
|
||||
|| chainAndAuthTypeWithSocketValidator != null
|
||||
|| chainAndAuthTypeWithSSLEngineValidator != null) {
|
||||
baseTrustManager = TrustManagerUtils.createEnhanceableTrustManager(
|
||||
baseTrustManager,
|
||||
chainAndAuthTypeValidator,
|
||||
chainAndAuthTypeWithSocketValidator,
|
||||
chainAndAuthTypeWithSSLEngineValidator
|
||||
);
|
||||
}
|
||||
|
||||
if (swappableTrustManagerEnabled) {
|
||||
baseTrustManager = TrustManagerUtils.createSwappableTrustManager(baseTrustManager);
|
||||
}
|
||||
|
||||
return baseTrustManager;
|
||||
}
|
||||
}
|
||||
|
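Review bot: In the multi-manager branch of `build()` the `.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)` step can leave an empty list that is handed straight to `CompositeX509ExtendedTrustManager::new`, and nothing in this hunk rejects that; unless the composite constructor already refuses an empty list, a guard in the style of the method's first line, `ValidationUtils.requireNotEmpty(filtered, () -> new GenericTrustManagerException(EMPTY_TRUST_MANAGER_EXCEPTION));`, would make the outcome explicit at build time rather than depending on how the composite treats an empty delegate list. The single-manager branch applies no such filter, so a lone manager with zero accepted issuers is kept while the same manager among several is silently dropped — a comment stating that this asymmetry is intended would help. Since the `Optional<X509ExtendedTrustManager>` lookup is removed, the file's `java.util.Optional` import is now unused if nothing else in the file references it.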
|