From 3a1adbbcfe799f1f7a9364822e3cffcb625dfe61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Prante?= Date: Sat, 22 Oct 2022 12:58:31 +0200 Subject: [PATCH] remove unsafe trustmanager and SHA alogirthm --- .../xbib/net/security/cookie/CryptUtil.java | 16 ------ .../org/xbib/net/security/ssl/SSLFactory.java | 15 ----- .../ssl/util/CertificateExtractorUtils.java | 15 ++--- .../security/ssl/util/SSLContextUtils.java | 24 ++------ .../net/security/ssl/util/SSLSocketUtils.java | 8 --- .../security/ssl/util/TrustManagerUtils.java | 56 ++++++------------- .../UnsafeX509ExtendedTrustManager.java | 0 7 files changed, 27 insertions(+), 107 deletions(-) rename net-security/src/{main => test}/java/org/xbib/net/security/ssl/trustmanager/UnsafeX509ExtendedTrustManager.java (100%) diff --git a/net-security/src/main/java/org/xbib/net/security/cookie/CryptUtil.java b/net-security/src/main/java/org/xbib/net/security/cookie/CryptUtil.java index 4ac82db..b7d4f1a 100644 --- a/net-security/src/main/java/org/xbib/net/security/cookie/CryptUtil.java +++ b/net-security/src/main/java/org/xbib/net/security/cookie/CryptUtil.java @@ -29,10 +29,6 @@ public class CryptUtil { return encodeHex(b); } - public static String sha(String plainText) throws NoSuchAlgorithmException { - return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA.algo, Algo.SHA.prefix); - } - public static String sha256(String plainText) throws NoSuchAlgorithmException { return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA256.algo, Algo.SHA256.prefix); } 
@@ -53,18 +49,6 @@ public class CryptUtil { return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), salt, Algo.SSHA512.algo, Algo.SSHA512.prefix); } - public static String hmacSHA1(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException { - return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset)); - } - - public static String hmacSHA1(Charset charset, byte[] plainText, String secret) throws InvalidKeyException, NoSuchAlgorithmException { - return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText, secret.getBytes(charset)); - } - - public static String hmacSHA1(byte[] plainText, byte[] secret) throws InvalidKeyException, NoSuchAlgorithmException { - return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText, secret); - } - public static String hmacSHA256(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException { return hmac(HMac.HMAC_SHA256, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset)); } diff --git a/net-security/src/main/java/org/xbib/net/security/ssl/SSLFactory.java b/net-security/src/main/java/org/xbib/net/security/ssl/SSLFactory.java index 9c62997..695674f 100644 --- a/net-security/src/main/java/org/xbib/net/security/ssl/SSLFactory.java +++ b/net-security/src/main/java/org/xbib/net/security/ssl/SSLFactory.java @@ -197,16 +197,6 @@ public final class SSLFactory { ); } - /** - * A shorter method for using the unsafe trust material - * - * @see Builder#withTrustingAllCertificatesWithoutValidation() - * @return {@link Builder} - */ - public Builder withUnsafeTrustMaterial() { - return withTrustingAllCertificatesWithoutValidation(); - } - public Builder withDummyTrustMaterial() { trustManagers.add(TrustManagerUtils.createDummyTrustManager()); return this; 
@@ -683,11 +673,6 @@ public final class SSLFactory { return this; } - public Builder withTrustingAllCertificatesWithoutValidation() { - trustManagers.add(TrustManagerUtils.createUnsafeTrustManager()); - return this; - } - public Builder withTrustEnhancer(ChainAndAuthTypeValidator validator) { this.chainAndAuthTypeValidator = validator; return this; diff --git a/net-security/src/main/java/org/xbib/net/security/ssl/util/CertificateExtractorUtils.java b/net-security/src/main/java/org/xbib/net/security/ssl/util/CertificateExtractorUtils.java index e602aa9..702dd23 100644 --- a/net-security/src/main/java/org/xbib/net/security/ssl/util/CertificateExtractorUtils.java +++ b/net-security/src/main/java/org/xbib/net/security/ssl/util/CertificateExtractorUtils.java @@ -6,7 +6,6 @@ import org.xbib.net.security.ssl.exception.GenericIOException; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.X509ExtendedTrustManager; import java.io.IOException; import java.io.InputStream; import java.net.URI; 
@@ -34,21 +33,15 @@ class CertificateExtractorUtils { private static CertificateExtractorUtils instance; private final SSLFactory sslFactory; - private final SSLSocketFactory unsafeSslSocketFactory; + private final SSLSocketFactory sslSocketFactory; private final SSLSocketFactory certificateCapturingSslSocketFactory; private final List certificatesCollector; private CertificateExtractorUtils() { certificatesCollector = new ArrayList<>(); - - X509ExtendedTrustManager certificateCapturingTrustManager = TrustManagerUtils.createCertificateCapturingTrustManager(certificatesCollector); - - sslFactory = SSLFactory.builder() - .withTrustMaterial(certificateCapturingTrustManager) - .build(); - + sslFactory = SSLFactory.builder().build(); certificateCapturingSslSocketFactory = sslFactory.getSslSocketFactory(); - unsafeSslSocketFactory = SSLSocketUtils.createUnsafeSslSocketFactory(); + sslSocketFactory = SSLSocketUtils.createSslSocketFactory(sslFactory.getSslContext(), sslFactory.getSslParameters()); } static CertificateExtractorUtils getInstance() { @@ -127,7 +120,7 @@ class CertificateExtractorUtils { URL url = uri.toURL(); URLConnection connection = url.openConnection(); if (connection instanceof HttpsURLConnection) { - ((HttpsURLConnection) connection).setSSLSocketFactory(unsafeSslSocketFactory); + ((HttpsURLConnection) connection).setSSLSocketFactory(sslSocketFactory); } InputStream inputStream = connection.getInputStream(); diff --git a/net-security/src/main/java/org/xbib/net/security/ssl/util/SSLContextUtils.java b/net-security/src/main/java/org/xbib/net/security/ssl/util/SSLContextUtils.java index 84811e7..486bf11 100644 --- a/net-security/src/main/java/org/xbib/net/security/ssl/util/SSLContextUtils.java +++ b/net-security/src/main/java/org/xbib/net/security/ssl/util/SSLContextUtils.java 
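Review bot: After this rewrite of the constructor nothing feeds `certificatesCollector` any more: the `createCertificateCapturingTrustManager` call is dropped and `sslFactory` comes from a bare `SSLFactory.builder().build()`, so `certificateCapturingSslSocketFactory` is an ordinary socket factory and the list stays empty unless it is populated somewhere outside the hunk. If the extractor is still meant to capture the peer chain, keep a capturing trust manager but wrap a validating base instead of the removed unsafe one, e.g. `.withTrustMaterial(TrustManagerUtils.createCertificateCapturingTrustManager(<validating base X509TrustManager>, certificatesCollector))` — the two-argument overload is kept by this commit. As written, `sslSocketFactory` and `certificateCapturingSslSocketFactory` are both derived from the same `sslFactory`, so one of the two fields looks redundant; if capturing is intentionally gone, rename the field and drop the unused collector. The class continues outside the hunk, so the collector may still be read by the extraction methods further down.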
@@ -31,15 +31,12 @@ public final class SSLContextUtils { return createSslContext(keyManagers, trustManagers, secureRandom, DEFAULT_SSL_CONTEXT_ALGORITHM, (Provider) null); } - public static SSLContext createSslContext( - List keyManagers, + public static SSLContext createSslContext( List keyManagers, List trustManagers, SecureRandom secureRandom, String sslContextAlgorithm, Provider securityProvider) { - - return createSslContext( - !keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null, + return createSslContext(!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null, !trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null, secureRandom, sslContextAlgorithm, @@ -54,9 +51,7 @@ public final class SSLContextUtils { SecureRandom secureRandom, String sslContextAlgorithm, String securityProviderName) { - - return createSslContext( - !keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null, + return createSslContext(!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null, !trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null, secureRandom, sslContextAlgorithm, @@ -65,16 +60,13 @@ public final class SSLContextUtils { ); } - public static SSLContext createSslContext( - X509KeyManager keyManager, + public static SSLContext createSslContext(X509KeyManager keyManager, X509TrustManager trustManager, SecureRandom secureRandom, String sslContextAlgorithm, String securityProviderName, Provider securityProvider) { - - return createSslContext( - keyManager != null ? KeyManagerUtils.toArray(keyManager) : null, + return createSslContext(keyManager != null ? KeyManagerUtils.toArray(keyManager) : null, trustManager != null ? TrustManagerUtils.toArray(trustManager) : null, secureRandom, sslContextAlgorithm, 
@@ -83,14 +75,12 @@ public final class SSLContextUtils { ); } - private static SSLContext createSslContext( - X509ExtendedKeyManager[] keyManagers, + private static SSLContext createSslContext(X509ExtendedKeyManager[] keyManagers, X509ExtendedTrustManager[] trustManagers, SecureRandom secureRandom, String sslContextAlgorithm, String securityProviderName, Provider securityProvider) { - try { SSLContext sslContext; if (nonNull(securityProvider)) { @@ -100,12 +90,10 @@ public final class SSLContextUtils { } else { sslContext = SSLContext.getInstance(sslContextAlgorithm); } - sslContext.init(keyManagers, trustManagers, secureRandom); return sslContext; } catch (NoSuchAlgorithmException | KeyManagementException | NoSuchProviderException e) { throw new GenericSSLContextException(e); } } - } diff --git a/net-security/src/main/java/org/xbib/net/security/ssl/util/SSLSocketUtils.java b/net-security/src/main/java/org/xbib/net/security/ssl/util/SSLSocketUtils.java index c9e1aa5..d3f962e 100644 --- a/net-security/src/main/java/org/xbib/net/security/ssl/util/SSLSocketUtils.java +++ b/net-security/src/main/java/org/xbib/net/security/ssl/util/SSLSocketUtils.java @@ -1,6 +1,5 @@ package org.xbib.net.security.ssl.util; -import org.xbib.net.security.ssl.SSLFactory; import org.xbib.net.security.ssl.socket.CompositeSSLServerSocketFactory; import org.xbib.net.security.ssl.socket.CompositeSSLSocketFactory; @@ -21,13 +20,6 @@ public final class SSLSocketUtils { return new CompositeSSLSocketFactory(sslSocketFactory, sslParameters); } - public static SSLSocketFactory createUnsafeSslSocketFactory() { - return SSLFactory.builder() - .withUnsafeTrustMaterial() - .build() - .getSslSocketFactory(); - } - public static SSLServerSocketFactory createSslServerSocketFactory(SSLContext sslContext, SSLParameters sslParameters) { return new CompositeSSLServerSocketFactory(sslContext.getServerSocketFactory(), sslParameters); } 
diff --git a/net-security/src/main/java/org/xbib/net/security/ssl/util/TrustManagerUtils.java b/net-security/src/main/java/org/xbib/net/security/ssl/util/TrustManagerUtils.java index e387bcd..9e746e1 100644 --- a/net-security/src/main/java/org/xbib/net/security/ssl/util/TrustManagerUtils.java +++ b/net-security/src/main/java/org/xbib/net/security/ssl/util/TrustManagerUtils.java @@ -10,7 +10,6 @@ import org.xbib.net.security.ssl.trustmanager.DummyX509ExtendedTrustManager; import org.xbib.net.security.ssl.trustmanager.EnhanceableX509ExtendedTrustManager; import org.xbib.net.security.ssl.trustmanager.HotSwappableX509ExtendedTrustManager; import org.xbib.net.security.ssl.trustmanager.TrustManagerFactoryWrapper; -import org.xbib.net.security.ssl.trustmanager.UnsafeX509ExtendedTrustManager; import org.xbib.net.security.ssl.trustmanager.X509TrustManagerWrapper; import javax.net.ssl.ManagerFactoryParameters; @@ -156,18 +155,10 @@ public final class TrustManagerUtils { } } - public static X509ExtendedTrustManager createUnsafeTrustManager() { - return UnsafeX509ExtendedTrustManager.getInstance(); - } - public static X509ExtendedTrustManager createDummyTrustManager() { return DummyX509ExtendedTrustManager.getInstance(); } - public static X509ExtendedTrustManager createCertificateCapturingTrustManager(List certificatesCollector) { - return createCertificateCapturingTrustManager(TrustManagerUtils.createUnsafeTrustManager(), certificatesCollector); - } - public static X509ExtendedTrustManager createCertificateCapturingTrustManager(X509TrustManager baseTrustManager, List certificatesCollector) { return new CertificateCapturingX509ExtendedTrustManager(wrapIfNeeded(baseTrustManager), certificatesCollector); } 
@@ -328,42 +319,29 @@ public final class TrustManagerUtils { public X509ExtendedTrustManager build() { ValidationUtils.requireNotEmpty(trustManagers, () -> new GenericTrustManagerException(EMPTY_TRUST_MANAGER_EXCEPTION)); - X509ExtendedTrustManager baseTrustManager; - - Optional unsafeTrustManager = trustManagers.stream() - .filter(UnsafeX509ExtendedTrustManager.class::isInstance) - .findAny(); - - if (unsafeTrustManager.isPresent()) { - baseTrustManager = unsafeTrustManager.get(); + if (trustManagers.size() == 1) { + baseTrustManager = trustManagers.get(0); } else { - if (trustManagers.size() == 1) { - baseTrustManager = trustManagers.get(0); - } else { - baseTrustManager = trustManagers.stream() - .map(TrustManagerUtils::unwrapIfPossible) - .flatMap(Collection::stream) - .filter(trustManager -> trustManager.getAcceptedIssuers().length > 0) - .collect(Collectors.collectingAndThen(Collectors.toList(), CompositeX509ExtendedTrustManager::new)); - } - - if (chainAndAuthTypeValidator != null - || chainAndAuthTypeWithSocketValidator != null - || chainAndAuthTypeWithSSLEngineValidator != null) { - baseTrustManager = TrustManagerUtils.createEnhanceableTrustManager( - baseTrustManager, - chainAndAuthTypeValidator, - chainAndAuthTypeWithSocketValidator, - chainAndAuthTypeWithSSLEngineValidator - ); - } + baseTrustManager = trustManagers.stream() + .map(TrustManagerUtils::unwrapIfPossible) + .flatMap(Collection::stream) + .filter(trustManager -> trustManager.getAcceptedIssuers().length > 0) + .collect(Collectors.collectingAndThen(Collectors.toList(), CompositeX509ExtendedTrustManager::new)); + } + if (chainAndAuthTypeValidator != null + || chainAndAuthTypeWithSocketValidator != null + || chainAndAuthTypeWithSSLEngineValidator != null) { + baseTrustManager = TrustManagerUtils.createEnhanceableTrustManager( + baseTrustManager, + chainAndAuthTypeValidator, + chainAndAuthTypeWithSocketValidator, + chainAndAuthTypeWithSSLEngineValidator + ); } - if (swappableTrustManagerEnabled) 
{ baseTrustManager = TrustManagerUtils.createSwappableTrustManager(baseTrustManager); } - return baseTrustManager; } } diff --git a/net-security/src/main/java/org/xbib/net/security/ssl/trustmanager/UnsafeX509ExtendedTrustManager.java b/net-security/src/test/java/org/xbib/net/security/ssl/trustmanager/UnsafeX509ExtendedTrustManager.java similarity index 100% rename from net-security/src/main/java/org/xbib/net/security/ssl/trustmanager/UnsafeX509ExtendedTrustManager.java rename to net-security/src/test/java/org/xbib/net/security/ssl/trustmanager/UnsafeX509ExtendedTrustManager.java
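Review bot: The rewritten `build()` assigns `baseTrustManager` in both branches of the new `if (trustManagers.size() == 1)` but the hunk removes the only declaration, `X509ExtendedTrustManager baseTrustManager;`, without adding one back, so this will not compile unless a field of that name exists outside the hunk. Restore the local before the branch: `X509ExtendedTrustManager baseTrustManager;`. With the unsafe short-circuit gone, the multi-manager branch still silently drops any manager whose `getAcceptedIssuers()` is empty; that is pre-existing behaviour, but a one-line comment on the `.filter(...)` line stating why such managers are excluded would help readers who expect every configured manager to be consulted. The enclosing builder class continues outside the hunk.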