remove unsafe trustmanager and SHA algorithm
This commit is contained in:
parent
7ef0e83364
commit
3a1adbbcfe
7 changed files with 27 additions and 107 deletions
|
@ -29,10 +29,6 @@ public class CryptUtil {
|
||||||
return encodeHex(b);
|
return encodeHex(b);
|
||||||
}
|
}
|
||||||
|
|
||||||
public static String sha(String plainText) throws NoSuchAlgorithmException {
|
|
||||||
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA.algo, Algo.SHA.prefix);
|
|
||||||
}
|
|
||||||
|
|
||||||
public static String sha256(String plainText) throws NoSuchAlgorithmException {
|
public static String sha256(String plainText) throws NoSuchAlgorithmException {
|
||||||
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA256.algo, Algo.SHA256.prefix);
|
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA256.algo, Algo.SHA256.prefix);
|
||||||
}
|
}
|
||||||
|
@ -53,18 +49,6 @@ public class CryptUtil {
|
||||||
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), salt, Algo.SSHA512.algo, Algo.SSHA512.prefix);
|
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), salt, Algo.SSHA512.algo, Algo.SSHA512.prefix);
|
||||||
}
|
}
|
||||||
|
|
||||||
public static String hmacSHA1(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException {
|
|
||||||
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset));
|
|
||||||
}
|
|
||||||
|
|
||||||
public static String hmacSHA1(Charset charset, byte[] plainText, String secret) throws InvalidKeyException, NoSuchAlgorithmException {
|
|
||||||
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText, secret.getBytes(charset));
|
|
||||||
}
|
|
||||||
|
|
||||||
public static String hmacSHA1(byte[] plainText, byte[] secret) throws InvalidKeyException, NoSuchAlgorithmException {
|
|
||||||
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText, secret);
|
|
||||||
}
|
|
||||||
|
|
||||||
public static String hmacSHA256(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException {
|
public static String hmacSHA256(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException {
|
||||||
return hmac(HMac.HMAC_SHA256, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset));
|
return hmac(HMac.HMAC_SHA256, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset));
|
||||||
}
|
}
|
||||||
|
|
|
@ -197,16 +197,6 @@ public final class SSLFactory {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* A shorter method for using the unsafe trust material
|
|
||||||
*
|
|
||||||
* @see Builder#withTrustingAllCertificatesWithoutValidation()
|
|
||||||
* @return {@link Builder}
|
|
||||||
*/
|
|
||||||
public Builder withUnsafeTrustMaterial() {
|
|
||||||
return withTrustingAllCertificatesWithoutValidation();
|
|
||||||
}
|
|
||||||
|
|
||||||
public Builder withDummyTrustMaterial() {
|
public Builder withDummyTrustMaterial() {
|
||||||
trustManagers.add(TrustManagerUtils.createDummyTrustManager());
|
trustManagers.add(TrustManagerUtils.createDummyTrustManager());
|
||||||
return this;
|
return this;
|
||||||
|
@ -683,11 +673,6 @@ public final class SSLFactory {
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
public Builder withTrustingAllCertificatesWithoutValidation() {
|
|
||||||
trustManagers.add(TrustManagerUtils.createUnsafeTrustManager());
|
|
||||||
return this;
|
|
||||||
}
|
|
||||||
|
|
||||||
public Builder withTrustEnhancer(ChainAndAuthTypeValidator validator) {
|
public Builder withTrustEnhancer(ChainAndAuthTypeValidator validator) {
|
||||||
this.chainAndAuthTypeValidator = validator;
|
this.chainAndAuthTypeValidator = validator;
|
||||||
return this;
|
return this;
|
||||||
|
|
|
@ -6,7 +6,6 @@ import org.xbib.net.security.ssl.exception.GenericIOException;
|
||||||
|
|
||||||
import javax.net.ssl.HttpsURLConnection;
|
import javax.net.ssl.HttpsURLConnection;
|
||||||
import javax.net.ssl.SSLSocketFactory;
|
import javax.net.ssl.SSLSocketFactory;
|
||||||
import javax.net.ssl.X509ExtendedTrustManager;
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
import java.net.URI;
|
import java.net.URI;
|
||||||
|
@ -34,21 +33,15 @@ class CertificateExtractorUtils {
|
||||||
private static CertificateExtractorUtils instance;
|
private static CertificateExtractorUtils instance;
|
||||||
|
|
||||||
private final SSLFactory sslFactory;
|
private final SSLFactory sslFactory;
|
||||||
private final SSLSocketFactory unsafeSslSocketFactory;
|
private final SSLSocketFactory sslSocketFactory;
|
||||||
private final SSLSocketFactory certificateCapturingSslSocketFactory;
|
private final SSLSocketFactory certificateCapturingSslSocketFactory;
|
||||||
private final List<X509Certificate> certificatesCollector;
|
private final List<X509Certificate> certificatesCollector;
|
||||||
|
|
||||||
private CertificateExtractorUtils() {
|
private CertificateExtractorUtils() {
|
||||||
certificatesCollector = new ArrayList<>();
|
certificatesCollector = new ArrayList<>();
|
||||||
|
sslFactory = SSLFactory.builder().build();
|
||||||
X509ExtendedTrustManager certificateCapturingTrustManager = TrustManagerUtils.createCertificateCapturingTrustManager(certificatesCollector);
|
|
||||||
|
|
||||||
sslFactory = SSLFactory.builder()
|
|
||||||
.withTrustMaterial(certificateCapturingTrustManager)
|
|
||||||
.build();
|
|
||||||
|
|
||||||
certificateCapturingSslSocketFactory = sslFactory.getSslSocketFactory();
|
certificateCapturingSslSocketFactory = sslFactory.getSslSocketFactory();
|
||||||
unsafeSslSocketFactory = SSLSocketUtils.createUnsafeSslSocketFactory();
|
sslSocketFactory = SSLSocketUtils.createSslSocketFactory(sslFactory.getSslContext(), sslFactory.getSslParameters());
|
||||||
}
|
}
|
||||||
|
|
||||||
static CertificateExtractorUtils getInstance() {
|
static CertificateExtractorUtils getInstance() {
|
||||||
|
@ -127,7 +120,7 @@ class CertificateExtractorUtils {
|
||||||
URL url = uri.toURL();
|
URL url = uri.toURL();
|
||||||
URLConnection connection = url.openConnection();
|
URLConnection connection = url.openConnection();
|
||||||
if (connection instanceof HttpsURLConnection) {
|
if (connection instanceof HttpsURLConnection) {
|
||||||
((HttpsURLConnection) connection).setSSLSocketFactory(unsafeSslSocketFactory);
|
((HttpsURLConnection) connection).setSSLSocketFactory(sslSocketFactory);
|
||||||
}
|
}
|
||||||
|
|
||||||
InputStream inputStream = connection.getInputStream();
|
InputStream inputStream = connection.getInputStream();
|
||||||
|
|
|
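Review bot: The constructor now builds `sslFactory` with no trust material (`sslFactory = SSLFactory.builder().build();`) and deletes the capturing trust manager, so the unchanged line `certificateCapturingSslSocketFactory = sslFactory.getSslSocketFactory();` no longer captures anything — `certificatesCollector` is still allocated but nothing in this class adds to it any more, and the two socket factories differ only by the `SSLParameters` wrapper. If the class is still meant to report a remote host's chain, keep the capturing wrapper but layer it over a validating base instead of the removed unsafe one — the two-argument `TrustManagerUtils.createCertificateCapturingTrustManager(X509TrustManager, List)` survives this commit — e.g. `sslFactory = SSLFactory.builder().withTrustMaterial(TrustManagerUtils.createCertificateCapturingTrustManager(jdkTrustManager, certificatesCollector)).build();` with `jdkTrustManager` being whatever helper this fork exposes for the JDK default trust store (not visible here), and re-add the `X509ExtendedTrustManager` import this commit dropped. Whether `CertificateCapturingX509ExtendedTrustManager` records the chain before or after delegating the check decides if untrusted hosts' chains are still observable while the handshake (correctly) fails, so confirm that before relying on it. A comment such as `// No trust material: SSLContextUtils passes null trust managers to SSLContext.init, i.e. the JDK default trust store` would make the new default explicit; the method in the second hunk starts and ends outside the hunk.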
@ -31,15 +31,12 @@ public final class SSLContextUtils {
|
||||||
return createSslContext(keyManagers, trustManagers, secureRandom, DEFAULT_SSL_CONTEXT_ALGORITHM, (Provider) null);
|
return createSslContext(keyManagers, trustManagers, secureRandom, DEFAULT_SSL_CONTEXT_ALGORITHM, (Provider) null);
|
||||||
}
|
}
|
||||||
|
|
||||||
public static SSLContext createSslContext(
|
public static SSLContext createSslContext( List<? extends X509KeyManager> keyManagers,
|
||||||
List<? extends X509KeyManager> keyManagers,
|
|
||||||
List<? extends X509TrustManager> trustManagers,
|
List<? extends X509TrustManager> trustManagers,
|
||||||
SecureRandom secureRandom,
|
SecureRandom secureRandom,
|
||||||
String sslContextAlgorithm,
|
String sslContextAlgorithm,
|
||||||
Provider securityProvider) {
|
Provider securityProvider) {
|
||||||
|
return createSslContext(!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
|
||||||
return createSslContext(
|
|
||||||
!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
|
|
||||||
!trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null,
|
!trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null,
|
||||||
secureRandom,
|
secureRandom,
|
||||||
sslContextAlgorithm,
|
sslContextAlgorithm,
|
||||||
|
@ -54,9 +51,7 @@ public final class SSLContextUtils {
|
||||||
SecureRandom secureRandom,
|
SecureRandom secureRandom,
|
||||||
String sslContextAlgorithm,
|
String sslContextAlgorithm,
|
||||||
String securityProviderName) {
|
String securityProviderName) {
|
||||||
|
return createSslContext(!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
|
||||||
return createSslContext(
|
|
||||||
!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
|
|
||||||
!trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null,
|
!trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null,
|
||||||
secureRandom,
|
secureRandom,
|
||||||
sslContextAlgorithm,
|
sslContextAlgorithm,
|
||||||
|
@ -65,16 +60,13 @@ public final class SSLContextUtils {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
public static SSLContext createSslContext(
|
public static SSLContext createSslContext(X509KeyManager keyManager,
|
||||||
X509KeyManager keyManager,
|
|
||||||
X509TrustManager trustManager,
|
X509TrustManager trustManager,
|
||||||
SecureRandom secureRandom,
|
SecureRandom secureRandom,
|
||||||
String sslContextAlgorithm,
|
String sslContextAlgorithm,
|
||||||
String securityProviderName,
|
String securityProviderName,
|
||||||
Provider securityProvider) {
|
Provider securityProvider) {
|
||||||
|
return createSslContext(keyManager != null ? KeyManagerUtils.toArray(keyManager) : null,
|
||||||
return createSslContext(
|
|
||||||
keyManager != null ? KeyManagerUtils.toArray(keyManager) : null,
|
|
||||||
trustManager != null ? TrustManagerUtils.toArray(trustManager) : null,
|
trustManager != null ? TrustManagerUtils.toArray(trustManager) : null,
|
||||||
secureRandom,
|
secureRandom,
|
||||||
sslContextAlgorithm,
|
sslContextAlgorithm,
|
||||||
|
@ -83,14 +75,12 @@ public final class SSLContextUtils {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
private static SSLContext createSslContext(
|
private static SSLContext createSslContext(X509ExtendedKeyManager[] keyManagers,
|
||||||
X509ExtendedKeyManager[] keyManagers,
|
|
||||||
X509ExtendedTrustManager[] trustManagers,
|
X509ExtendedTrustManager[] trustManagers,
|
||||||
SecureRandom secureRandom,
|
SecureRandom secureRandom,
|
||||||
String sslContextAlgorithm,
|
String sslContextAlgorithm,
|
||||||
String securityProviderName,
|
String securityProviderName,
|
||||||
Provider securityProvider) {
|
Provider securityProvider) {
|
||||||
|
|
||||||
try {
|
try {
|
||||||
SSLContext sslContext;
|
SSLContext sslContext;
|
||||||
if (nonNull(securityProvider)) {
|
if (nonNull(securityProvider)) {
|
||||||
|
@ -100,12 +90,10 @@ public final class SSLContextUtils {
|
||||||
} else {
|
} else {
|
||||||
sslContext = SSLContext.getInstance(sslContextAlgorithm);
|
sslContext = SSLContext.getInstance(sslContextAlgorithm);
|
||||||
}
|
}
|
||||||
|
|
||||||
sslContext.init(keyManagers, trustManagers, secureRandom);
|
sslContext.init(keyManagers, trustManagers, secureRandom);
|
||||||
return sslContext;
|
return sslContext;
|
||||||
} catch (NoSuchAlgorithmException | KeyManagementException | NoSuchProviderException e) {
|
} catch (NoSuchAlgorithmException | KeyManagementException | NoSuchProviderException e) {
|
||||||
throw new GenericSSLContextException(e);
|
throw new GenericSSLContextException(e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
package org.xbib.net.security.ssl.util;
|
package org.xbib.net.security.ssl.util;
|
||||||
|
|
||||||
import org.xbib.net.security.ssl.SSLFactory;
|
|
||||||
import org.xbib.net.security.ssl.socket.CompositeSSLServerSocketFactory;
|
import org.xbib.net.security.ssl.socket.CompositeSSLServerSocketFactory;
|
||||||
import org.xbib.net.security.ssl.socket.CompositeSSLSocketFactory;
|
import org.xbib.net.security.ssl.socket.CompositeSSLSocketFactory;
|
||||||
|
|
||||||
|
@ -21,13 +20,6 @@ public final class SSLSocketUtils {
|
||||||
return new CompositeSSLSocketFactory(sslSocketFactory, sslParameters);
|
return new CompositeSSLSocketFactory(sslSocketFactory, sslParameters);
|
||||||
}
|
}
|
||||||
|
|
||||||
public static SSLSocketFactory createUnsafeSslSocketFactory() {
|
|
||||||
return SSLFactory.builder()
|
|
||||||
.withUnsafeTrustMaterial()
|
|
||||||
.build()
|
|
||||||
.getSslSocketFactory();
|
|
||||||
}
|
|
||||||
|
|
||||||
public static SSLServerSocketFactory createSslServerSocketFactory(SSLContext sslContext, SSLParameters sslParameters) {
|
public static SSLServerSocketFactory createSslServerSocketFactory(SSLContext sslContext, SSLParameters sslParameters) {
|
||||||
return new CompositeSSLServerSocketFactory(sslContext.getServerSocketFactory(), sslParameters);
|
return new CompositeSSLServerSocketFactory(sslContext.getServerSocketFactory(), sslParameters);
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,7 +10,6 @@ import org.xbib.net.security.ssl.trustmanager.DummyX509ExtendedTrustManager;
|
||||||
import org.xbib.net.security.ssl.trustmanager.EnhanceableX509ExtendedTrustManager;
|
import org.xbib.net.security.ssl.trustmanager.EnhanceableX509ExtendedTrustManager;
|
||||||
import org.xbib.net.security.ssl.trustmanager.HotSwappableX509ExtendedTrustManager;
|
import org.xbib.net.security.ssl.trustmanager.HotSwappableX509ExtendedTrustManager;
|
||||||
import org.xbib.net.security.ssl.trustmanager.TrustManagerFactoryWrapper;
|
import org.xbib.net.security.ssl.trustmanager.TrustManagerFactoryWrapper;
|
||||||
import org.xbib.net.security.ssl.trustmanager.UnsafeX509ExtendedTrustManager;
|
|
||||||
import org.xbib.net.security.ssl.trustmanager.X509TrustManagerWrapper;
|
import org.xbib.net.security.ssl.trustmanager.X509TrustManagerWrapper;
|
||||||
|
|
||||||
import javax.net.ssl.ManagerFactoryParameters;
|
import javax.net.ssl.ManagerFactoryParameters;
|
||||||
|
@ -156,18 +155,10 @@ public final class TrustManagerUtils {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public static X509ExtendedTrustManager createUnsafeTrustManager() {
|
|
||||||
return UnsafeX509ExtendedTrustManager.getInstance();
|
|
||||||
}
|
|
||||||
|
|
||||||
public static X509ExtendedTrustManager createDummyTrustManager() {
|
public static X509ExtendedTrustManager createDummyTrustManager() {
|
||||||
return DummyX509ExtendedTrustManager.getInstance();
|
return DummyX509ExtendedTrustManager.getInstance();
|
||||||
}
|
}
|
||||||
|
|
||||||
public static X509ExtendedTrustManager createCertificateCapturingTrustManager(List<X509Certificate> certificatesCollector) {
|
|
||||||
return createCertificateCapturingTrustManager(TrustManagerUtils.createUnsafeTrustManager(), certificatesCollector);
|
|
||||||
}
|
|
||||||
|
|
||||||
public static X509ExtendedTrustManager createCertificateCapturingTrustManager(X509TrustManager baseTrustManager, List<X509Certificate> certificatesCollector) {
|
public static X509ExtendedTrustManager createCertificateCapturingTrustManager(X509TrustManager baseTrustManager, List<X509Certificate> certificatesCollector) {
|
||||||
return new CertificateCapturingX509ExtendedTrustManager(wrapIfNeeded(baseTrustManager), certificatesCollector);
|
return new CertificateCapturingX509ExtendedTrustManager(wrapIfNeeded(baseTrustManager), certificatesCollector);
|
||||||
}
|
}
|
||||||
|
@ -328,42 +319,29 @@ public final class TrustManagerUtils {
|
||||||
|
|
||||||
public X509ExtendedTrustManager build() {
|
public X509ExtendedTrustManager build() {
|
||||||
ValidationUtils.requireNotEmpty(trustManagers, () -> new GenericTrustManagerException(EMPTY_TRUST_MANAGER_EXCEPTION));
|
ValidationUtils.requireNotEmpty(trustManagers, () -> new GenericTrustManagerException(EMPTY_TRUST_MANAGER_EXCEPTION));
|
||||||
|
|
||||||
X509ExtendedTrustManager baseTrustManager;
|
X509ExtendedTrustManager baseTrustManager;
|
||||||
|
if (trustManagers.size() == 1) {
|
||||||
Optional<X509ExtendedTrustManager> unsafeTrustManager = trustManagers.stream()
|
baseTrustManager = trustManagers.get(0);
|
||||||
.filter(UnsafeX509ExtendedTrustManager.class::isInstance)
|
|
||||||
.findAny();
|
|
||||||
|
|
||||||
if (unsafeTrustManager.isPresent()) {
|
|
||||||
baseTrustManager = unsafeTrustManager.get();
|
|
||||||
} else {
|
} else {
|
||||||
if (trustManagers.size() == 1) {
|
baseTrustManager = trustManagers.stream()
|
||||||
baseTrustManager = trustManagers.get(0);
|
.map(TrustManagerUtils::unwrapIfPossible)
|
||||||
} else {
|
.flatMap(Collection::stream)
|
||||||
baseTrustManager = trustManagers.stream()
|
.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)
|
||||||
.map(TrustManagerUtils::unwrapIfPossible)
|
.collect(Collectors.collectingAndThen(Collectors.toList(), CompositeX509ExtendedTrustManager::new));
|
||||||
.flatMap(Collection::stream)
|
}
|
||||||
.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)
|
if (chainAndAuthTypeValidator != null
|
||||||
.collect(Collectors.collectingAndThen(Collectors.toList(), CompositeX509ExtendedTrustManager::new));
|
|| chainAndAuthTypeWithSocketValidator != null
|
||||||
}
|
|| chainAndAuthTypeWithSSLEngineValidator != null) {
|
||||||
|
baseTrustManager = TrustManagerUtils.createEnhanceableTrustManager(
|
||||||
if (chainAndAuthTypeValidator != null
|
baseTrustManager,
|
||||||
|| chainAndAuthTypeWithSocketValidator != null
|
chainAndAuthTypeValidator,
|
||||||
|| chainAndAuthTypeWithSSLEngineValidator != null) {
|
chainAndAuthTypeWithSocketValidator,
|
||||||
baseTrustManager = TrustManagerUtils.createEnhanceableTrustManager(
|
chainAndAuthTypeWithSSLEngineValidator
|
||||||
baseTrustManager,
|
);
|
||||||
chainAndAuthTypeValidator,
|
|
||||||
chainAndAuthTypeWithSocketValidator,
|
|
||||||
chainAndAuthTypeWithSSLEngineValidator
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (swappableTrustManagerEnabled) {
|
if (swappableTrustManagerEnabled) {
|
||||||
baseTrustManager = TrustManagerUtils.createSwappableTrustManager(baseTrustManager);
|
baseTrustManager = TrustManagerUtils.createSwappableTrustManager(baseTrustManager);
|
||||||
}
|
}
|
||||||
|
|
||||||
return baseTrustManager;
|
return baseTrustManager;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
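Review bot: In the multi-manager branch of `build()`, `.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)` can discard every entry, and the `ValidationUtils.requireNotEmpty(trustManagers, …)` guard above only checks the unfiltered input, so a `CompositeX509ExtendedTrustManager` may be constructed over an empty list and what it then does (reject everything or accept everything) is decided in a class not shown here. With the unsafe manager gone, managers that report no accepted issuers — a capturing or dummy wrapper, presumably — are exactly what this filter drops, so the case is now more likely than before. Collect the filtered list first and re-apply the same guard before building the composite, as below. Note also that the single-manager path takes `trustManagers.get(0)` without `unwrapIfPossible`, unlike the multi-manager path; `build()` starts and ends inside this hunk.
```java
} else {
    List<X509ExtendedTrustManager> usable = trustManagers.stream()
            .map(TrustManagerUtils::unwrapIfPossible)
            .flatMap(Collection::stream)
            .filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)
            .collect(Collectors.toList());
    // Fail here rather than defer to the composite's behaviour on an empty delegate list.
    ValidationUtils.requireNotEmpty(usable, () -> new GenericTrustManagerException(EMPTY_TRUST_MANAGER_EXCEPTION));
    baseTrustManager = new CompositeX509ExtendedTrustManager(usable);
}
// … unchanged: chainAndAuthType validator wrapping, swappable wrapping, return …
```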