remove unsafe trustmanager and SHA algorithm

This commit is contained in:
Jörg Prante 2022-10-22 12:58:31 +02:00
parent 7ef0e83364
commit 3a1adbbcfe
7 changed files with 27 additions and 107 deletions


@ -29,10 +29,6 @@ public class CryptUtil {
return encodeHex(b);
}
public static String sha(String plainText) throws NoSuchAlgorithmException {
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA.algo, Algo.SHA.prefix);
}
public static String sha256(String plainText) throws NoSuchAlgorithmException {
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA256.algo, Algo.SHA256.prefix);
}
@ -53,18 +49,6 @@ public class CryptUtil {
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), salt, Algo.SSHA512.algo, Algo.SSHA512.prefix);
}
public static String hmacSHA1(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException {
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset));
}
public static String hmacSHA1(Charset charset, byte[] plainText, String secret) throws InvalidKeyException, NoSuchAlgorithmException {
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText, secret.getBytes(charset));
}
public static String hmacSHA1(byte[] plainText, byte[] secret) throws InvalidKeyException, NoSuchAlgorithmException {
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText, secret);
}
public static String hmacSHA256(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException {
return hmac(HMac.HMAC_SHA256, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset));
}


@ -197,16 +197,6 @@ public final class SSLFactory {
);
}
/**
* A shorter method for using the unsafe trust material
*
* @see Builder#withTrustingAllCertificatesWithoutValidation()
* @return {@link Builder}
*/
public Builder withUnsafeTrustMaterial() {
return withTrustingAllCertificatesWithoutValidation();
}
public Builder withDummyTrustMaterial() {
trustManagers.add(TrustManagerUtils.createDummyTrustManager());
return this;
@ -683,11 +673,6 @@ public final class SSLFactory {
return this;
}
public Builder withTrustingAllCertificatesWithoutValidation() {
trustManagers.add(TrustManagerUtils.createUnsafeTrustManager());
return this;
}
public Builder withTrustEnhancer(ChainAndAuthTypeValidator validator) {
this.chainAndAuthTypeValidator = validator;
return this;


@ -6,7 +6,6 @@ import org.xbib.net.security.ssl.exception.GenericIOException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
@ -34,21 +33,15 @@ class CertificateExtractorUtils {
private static CertificateExtractorUtils instance;
private final SSLFactory sslFactory;
private final SSLSocketFactory unsafeSslSocketFactory;
private final SSLSocketFactory sslSocketFactory;
private final SSLSocketFactory certificateCapturingSslSocketFactory;
private final List<X509Certificate> certificatesCollector;
private CertificateExtractorUtils() {
certificatesCollector = new ArrayList<>();
X509ExtendedTrustManager certificateCapturingTrustManager = TrustManagerUtils.createCertificateCapturingTrustManager(certificatesCollector);
sslFactory = SSLFactory.builder()
.withTrustMaterial(certificateCapturingTrustManager)
.build();
sslFactory = SSLFactory.builder().build();
certificateCapturingSslSocketFactory = sslFactory.getSslSocketFactory();
unsafeSslSocketFactory = SSLSocketUtils.createUnsafeSslSocketFactory();
sslSocketFactory = SSLSocketUtils.createSslSocketFactory(sslFactory.getSslContext(), sslFactory.getSslParameters());
}
static CertificateExtractorUtils getInstance() {
@ -127,7 +120,7 @@ class CertificateExtractorUtils {
URL url = uri.toURL();
URLConnection connection = url.openConnection();
if (connection instanceof HttpsURLConnection) {
((HttpsURLConnection) connection).setSSLSocketFactory(unsafeSslSocketFactory);
((HttpsURLConnection) connection).setSSLSocketFactory(sslSocketFactory);
}
InputStream inputStream = connection.getInputStream();
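Review bot: After `sslFactory = SSLFactory.builder().build();` the factory carries no trust material, so `certificateCapturingSslSocketFactory = sslFactory.getSslSocketFactory();` on the next line no longer captures anything: the capturing trust manager that fed `certificatesCollector` appears to be dropped together with the unsafe base it wrapped (the `X509ExtendedTrustManager` import goes too), and the collector allocated a few lines earlier stays empty unless something outside this hunk fills it. The two-argument `TrustManagerUtils.createCertificateCapturingTrustManager(X509TrustManager baseTrustManager, List<X509Certificate> certificatesCollector)` survives this commit, so capture can be kept on top of a validating base instead of the unsafe one: `.withTrustMaterial(TrustManagerUtils.createCertificateCapturingTrustManager(<validating base trust manager>, certificatesCollector))` in place of the bare `build()`. If the extractor is meant to stop capturing, the `certificateCapturing` field name and `certificatesCollector` should go as well so the class does not advertise behaviour it no longer has.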


@ -31,15 +31,12 @@ public final class SSLContextUtils {
return createSslContext(keyManagers, trustManagers, secureRandom, DEFAULT_SSL_CONTEXT_ALGORITHM, (Provider) null);
}
public static SSLContext createSslContext(
List<? extends X509KeyManager> keyManagers,
public static SSLContext createSslContext( List<? extends X509KeyManager> keyManagers,
List<? extends X509TrustManager> trustManagers,
SecureRandom secureRandom,
String sslContextAlgorithm,
Provider securityProvider) {
return createSslContext(
!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
return createSslContext(!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
!trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null,
secureRandom,
sslContextAlgorithm,
@ -54,9 +51,7 @@ public final class SSLContextUtils {
SecureRandom secureRandom,
String sslContextAlgorithm,
String securityProviderName) {
return createSslContext(
!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
return createSslContext(!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
!trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null,
secureRandom,
sslContextAlgorithm,
@ -65,16 +60,13 @@ public final class SSLContextUtils {
);
}
public static SSLContext createSslContext(
X509KeyManager keyManager,
public static SSLContext createSslContext(X509KeyManager keyManager,
X509TrustManager trustManager,
SecureRandom secureRandom,
String sslContextAlgorithm,
String securityProviderName,
Provider securityProvider) {
return createSslContext(
keyManager != null ? KeyManagerUtils.toArray(keyManager) : null,
return createSslContext(keyManager != null ? KeyManagerUtils.toArray(keyManager) : null,
trustManager != null ? TrustManagerUtils.toArray(trustManager) : null,
secureRandom,
sslContextAlgorithm,
@ -83,14 +75,12 @@ public final class SSLContextUtils {
);
}
private static SSLContext createSslContext(
X509ExtendedKeyManager[] keyManagers,
private static SSLContext createSslContext(X509ExtendedKeyManager[] keyManagers,
X509ExtendedTrustManager[] trustManagers,
SecureRandom secureRandom,
String sslContextAlgorithm,
String securityProviderName,
Provider securityProvider) {
try {
SSLContext sslContext;
if (nonNull(securityProvider)) {
@ -100,12 +90,10 @@ public final class SSLContextUtils {
} else {
sslContext = SSLContext.getInstance(sslContextAlgorithm);
}
sslContext.init(keyManagers, trustManagers, secureRandom);
return sslContext;
} catch (NoSuchAlgorithmException | KeyManagementException | NoSuchProviderException e) {
throw new GenericSSLContextException(e);
}
}
}


@ -1,6 +1,5 @@
package org.xbib.net.security.ssl.util;
import org.xbib.net.security.ssl.SSLFactory;
import org.xbib.net.security.ssl.socket.CompositeSSLServerSocketFactory;
import org.xbib.net.security.ssl.socket.CompositeSSLSocketFactory;
@ -21,13 +20,6 @@ public final class SSLSocketUtils {
return new CompositeSSLSocketFactory(sslSocketFactory, sslParameters);
}
public static SSLSocketFactory createUnsafeSslSocketFactory() {
return SSLFactory.builder()
.withUnsafeTrustMaterial()
.build()
.getSslSocketFactory();
}
public static SSLServerSocketFactory createSslServerSocketFactory(SSLContext sslContext, SSLParameters sslParameters) {
return new CompositeSSLServerSocketFactory(sslContext.getServerSocketFactory(), sslParameters);
}


@ -10,7 +10,6 @@ import org.xbib.net.security.ssl.trustmanager.DummyX509ExtendedTrustManager;
import org.xbib.net.security.ssl.trustmanager.EnhanceableX509ExtendedTrustManager;
import org.xbib.net.security.ssl.trustmanager.HotSwappableX509ExtendedTrustManager;
import org.xbib.net.security.ssl.trustmanager.TrustManagerFactoryWrapper;
import org.xbib.net.security.ssl.trustmanager.UnsafeX509ExtendedTrustManager;
import org.xbib.net.security.ssl.trustmanager.X509TrustManagerWrapper;
import javax.net.ssl.ManagerFactoryParameters;
@ -156,18 +155,10 @@ public final class TrustManagerUtils {
}
}
public static X509ExtendedTrustManager createUnsafeTrustManager() {
return UnsafeX509ExtendedTrustManager.getInstance();
}
public static X509ExtendedTrustManager createDummyTrustManager() {
return DummyX509ExtendedTrustManager.getInstance();
}
public static X509ExtendedTrustManager createCertificateCapturingTrustManager(List<X509Certificate> certificatesCollector) {
return createCertificateCapturingTrustManager(TrustManagerUtils.createUnsafeTrustManager(), certificatesCollector);
}
public static X509ExtendedTrustManager createCertificateCapturingTrustManager(X509TrustManager baseTrustManager, List<X509Certificate> certificatesCollector) {
return new CertificateCapturingX509ExtendedTrustManager(wrapIfNeeded(baseTrustManager), certificatesCollector);
}
@ -328,42 +319,29 @@ public final class TrustManagerUtils {
public X509ExtendedTrustManager build() {
ValidationUtils.requireNotEmpty(trustManagers, () -> new GenericTrustManagerException(EMPTY_TRUST_MANAGER_EXCEPTION));
X509ExtendedTrustManager baseTrustManager;
Optional<X509ExtendedTrustManager> unsafeTrustManager = trustManagers.stream()
.filter(UnsafeX509ExtendedTrustManager.class::isInstance)
.findAny();
if (unsafeTrustManager.isPresent()) {
baseTrustManager = unsafeTrustManager.get();
if (trustManagers.size() == 1) {
baseTrustManager = trustManagers.get(0);
} else {
if (trustManagers.size() == 1) {
baseTrustManager = trustManagers.get(0);
} else {
baseTrustManager = trustManagers.stream()
.map(TrustManagerUtils::unwrapIfPossible)
.flatMap(Collection::stream)
.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)
.collect(Collectors.collectingAndThen(Collectors.toList(), CompositeX509ExtendedTrustManager::new));
}
if (chainAndAuthTypeValidator != null
|| chainAndAuthTypeWithSocketValidator != null
|| chainAndAuthTypeWithSSLEngineValidator != null) {
baseTrustManager = TrustManagerUtils.createEnhanceableTrustManager(
baseTrustManager,
chainAndAuthTypeValidator,
chainAndAuthTypeWithSocketValidator,
chainAndAuthTypeWithSSLEngineValidator
);
}
baseTrustManager = trustManagers.stream()
.map(TrustManagerUtils::unwrapIfPossible)
.flatMap(Collection::stream)
.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)
.collect(Collectors.collectingAndThen(Collectors.toList(), CompositeX509ExtendedTrustManager::new));
}
if (chainAndAuthTypeValidator != null
|| chainAndAuthTypeWithSocketValidator != null
|| chainAndAuthTypeWithSSLEngineValidator != null) {
baseTrustManager = TrustManagerUtils.createEnhanceableTrustManager(
baseTrustManager,
chainAndAuthTypeValidator,
chainAndAuthTypeWithSocketValidator,
chainAndAuthTypeWithSSLEngineValidator
);
}
if (swappableTrustManagerEnabled) {
baseTrustManager = TrustManagerUtils.createSwappableTrustManager(baseTrustManager);
}
return baseTrustManager;
}
}
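Review bot: In the rewritten build(), the multi-manager branch `.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)` still silently drops every supplied manager that reports no accepted issuers, and if all are dropped `CompositeX509ExtendedTrustManager` is constructed over an empty list; now that the unsafe short-circuit is gone this is the only path a mixed list takes, so the narrowing deserves to be explicit, e.g. a `ValidationUtils.requireNotEmpty(...)` on the collected list before wrapping it, or at least a comment stating that issuer-less managers are intentionally excluded. How `CompositeX509ExtendedTrustManager` behaves on an empty list is not visible here and should be confirmed. `Optional` is no longer referenced in this method after the removal; if this was its only use in the file, the `java.util.Optional` import is now dead and the same check applies to the removed `UnsafeX509ExtendedTrustManager` class itself, which is not among the visible file sections.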