remove unsafe trustmanager and SHA alogirthm

This commit is contained in:
Jörg Prante 2022-10-22 12:58:31 +02:00
parent 7ef0e83364
commit 3a1adbbcfe
7 changed files with 27 additions and 107 deletions


@ -29,10 +29,6 @@ public class CryptUtil {
return encodeHex(b); return encodeHex(b);
} }
public static String sha(String plainText) throws NoSuchAlgorithmException {
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA.algo, Algo.SHA.prefix);
}
public static String sha256(String plainText) throws NoSuchAlgorithmException { public static String sha256(String plainText) throws NoSuchAlgorithmException {
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA256.algo, Algo.SHA256.prefix); return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), null, Algo.SHA256.algo, Algo.SHA256.prefix);
} }
@ -53,18 +49,6 @@ public class CryptUtil {
return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), salt, Algo.SSHA512.algo, Algo.SSHA512.prefix); return digest(Codec.BASE64, plainText.getBytes(StandardCharsets.UTF_8), salt, Algo.SSHA512.algo, Algo.SSHA512.prefix);
} }
public static String hmacSHA1(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException {
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset));
}
public static String hmacSHA1(Charset charset, byte[] plainText, String secret) throws InvalidKeyException, NoSuchAlgorithmException {
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText, secret.getBytes(charset));
}
public static String hmacSHA1(byte[] plainText, byte[] secret) throws InvalidKeyException, NoSuchAlgorithmException {
return hmac(HMac.HMAC_SHA1, Codec.BASE64, plainText, secret);
}
public static String hmacSHA256(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException { public static String hmacSHA256(Charset charset, String plainText, String secret) throws NoSuchAlgorithmException, InvalidKeyException {
return hmac(HMac.HMAC_SHA256, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset)); return hmac(HMac.HMAC_SHA256, Codec.BASE64, plainText.getBytes(charset), secret.getBytes(charset));
} }


@ -197,16 +197,6 @@ public final class SSLFactory {
); );
} }
/**
* A shorter method for using the unsafe trust material
*
* @see Builder#withTrustingAllCertificatesWithoutValidation()
* @return {@link Builder}
*/
public Builder withUnsafeTrustMaterial() {
return withTrustingAllCertificatesWithoutValidation();
}
public Builder withDummyTrustMaterial() { public Builder withDummyTrustMaterial() {
trustManagers.add(TrustManagerUtils.createDummyTrustManager()); trustManagers.add(TrustManagerUtils.createDummyTrustManager());
return this; return this;
@ -683,11 +673,6 @@ public final class SSLFactory {
return this; return this;
} }
public Builder withTrustingAllCertificatesWithoutValidation() {
trustManagers.add(TrustManagerUtils.createUnsafeTrustManager());
return this;
}
public Builder withTrustEnhancer(ChainAndAuthTypeValidator validator) { public Builder withTrustEnhancer(ChainAndAuthTypeValidator validator) {
this.chainAndAuthTypeValidator = validator; this.chainAndAuthTypeValidator = validator;
return this; return this;


@ -6,7 +6,6 @@ import org.xbib.net.security.ssl.exception.GenericIOException;
import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.net.URI; import java.net.URI;
@ -34,21 +33,15 @@ class CertificateExtractorUtils {
private static CertificateExtractorUtils instance; private static CertificateExtractorUtils instance;
private final SSLFactory sslFactory; private final SSLFactory sslFactory;
private final SSLSocketFactory unsafeSslSocketFactory; private final SSLSocketFactory sslSocketFactory;
private final SSLSocketFactory certificateCapturingSslSocketFactory; private final SSLSocketFactory certificateCapturingSslSocketFactory;
private final List<X509Certificate> certificatesCollector; private final List<X509Certificate> certificatesCollector;
private CertificateExtractorUtils() { private CertificateExtractorUtils() {
certificatesCollector = new ArrayList<>(); certificatesCollector = new ArrayList<>();
sslFactory = SSLFactory.builder().build();
X509ExtendedTrustManager certificateCapturingTrustManager = TrustManagerUtils.createCertificateCapturingTrustManager(certificatesCollector);
sslFactory = SSLFactory.builder()
.withTrustMaterial(certificateCapturingTrustManager)
.build();
certificateCapturingSslSocketFactory = sslFactory.getSslSocketFactory(); certificateCapturingSslSocketFactory = sslFactory.getSslSocketFactory();
unsafeSslSocketFactory = SSLSocketUtils.createUnsafeSslSocketFactory(); sslSocketFactory = SSLSocketUtils.createSslSocketFactory(sslFactory.getSslContext(), sslFactory.getSslParameters());
} }
static CertificateExtractorUtils getInstance() { static CertificateExtractorUtils getInstance() {
@ -127,7 +120,7 @@ class CertificateExtractorUtils {
URL url = uri.toURL(); URL url = uri.toURL();
URLConnection connection = url.openConnection(); URLConnection connection = url.openConnection();
if (connection instanceof HttpsURLConnection) { if (connection instanceof HttpsURLConnection) {
((HttpsURLConnection) connection).setSSLSocketFactory(unsafeSslSocketFactory); ((HttpsURLConnection) connection).setSSLSocketFactory(sslSocketFactory);
} }
InputStream inputStream = connection.getInputStream(); InputStream inputStream = connection.getInputStream();
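Review bot: After this change `certificatesCollector` is never populated, because `sslFactory` is now built with `SSLFactory.builder().build()` and no certificate-capturing trust manager, yet `certificateCapturingSslSocketFactory` still takes its socket factory from that same `sslFactory`; the field name promises a capture that no longer happens, and `sslSocketFactory` is derived from the identical context, so the two fields are now effectively the same thing. Removing the trust-all base is the right call, but the capturing wrapper should be kept on top of a validating base, e.g. `.withTrustMaterial(TrustManagerUtils.createCertificateCapturingTrustManager(<validating base trust manager>, certificatesCollector))` using the two-argument overload that survives this commit. Whether a builder with no trust material yields a validating context or an empty one is not visible here and is worth confirming before relying on it. The class continues past the hunk, so other readers of `certificatesCollector` are outside view.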


@ -31,15 +31,12 @@ public final class SSLContextUtils {
return createSslContext(keyManagers, trustManagers, secureRandom, DEFAULT_SSL_CONTEXT_ALGORITHM, (Provider) null); return createSslContext(keyManagers, trustManagers, secureRandom, DEFAULT_SSL_CONTEXT_ALGORITHM, (Provider) null);
} }
public static SSLContext createSslContext( public static SSLContext createSslContext( List<? extends X509KeyManager> keyManagers,
List<? extends X509KeyManager> keyManagers,
List<? extends X509TrustManager> trustManagers, List<? extends X509TrustManager> trustManagers,
SecureRandom secureRandom, SecureRandom secureRandom,
String sslContextAlgorithm, String sslContextAlgorithm,
Provider securityProvider) { Provider securityProvider) {
return createSslContext(!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
return createSslContext(
!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
!trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null, !trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null,
secureRandom, secureRandom,
sslContextAlgorithm, sslContextAlgorithm,
@ -54,9 +51,7 @@ public final class SSLContextUtils {
SecureRandom secureRandom, SecureRandom secureRandom,
String sslContextAlgorithm, String sslContextAlgorithm,
String securityProviderName) { String securityProviderName) {
return createSslContext(!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
return createSslContext(
!keyManagers.isEmpty() ? KeyManagerUtils.combine(keyManagers) : null,
!trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null, !trustManagers.isEmpty() ? TrustManagerUtils.combine(trustManagers) : null,
secureRandom, secureRandom,
sslContextAlgorithm, sslContextAlgorithm,
@ -65,16 +60,13 @@ public final class SSLContextUtils {
); );
} }
public static SSLContext createSslContext( public static SSLContext createSslContext(X509KeyManager keyManager,
X509KeyManager keyManager,
X509TrustManager trustManager, X509TrustManager trustManager,
SecureRandom secureRandom, SecureRandom secureRandom,
String sslContextAlgorithm, String sslContextAlgorithm,
String securityProviderName, String securityProviderName,
Provider securityProvider) { Provider securityProvider) {
return createSslContext(keyManager != null ? KeyManagerUtils.toArray(keyManager) : null,
return createSslContext(
keyManager != null ? KeyManagerUtils.toArray(keyManager) : null,
trustManager != null ? TrustManagerUtils.toArray(trustManager) : null, trustManager != null ? TrustManagerUtils.toArray(trustManager) : null,
secureRandom, secureRandom,
sslContextAlgorithm, sslContextAlgorithm,
@ -83,14 +75,12 @@ public final class SSLContextUtils {
); );
} }
private static SSLContext createSslContext( private static SSLContext createSslContext(X509ExtendedKeyManager[] keyManagers,
X509ExtendedKeyManager[] keyManagers,
X509ExtendedTrustManager[] trustManagers, X509ExtendedTrustManager[] trustManagers,
SecureRandom secureRandom, SecureRandom secureRandom,
String sslContextAlgorithm, String sslContextAlgorithm,
String securityProviderName, String securityProviderName,
Provider securityProvider) { Provider securityProvider) {
try { try {
SSLContext sslContext; SSLContext sslContext;
if (nonNull(securityProvider)) { if (nonNull(securityProvider)) {
@ -100,12 +90,10 @@ public final class SSLContextUtils {
} else { } else {
sslContext = SSLContext.getInstance(sslContextAlgorithm); sslContext = SSLContext.getInstance(sslContextAlgorithm);
} }
sslContext.init(keyManagers, trustManagers, secureRandom); sslContext.init(keyManagers, trustManagers, secureRandom);
return sslContext; return sslContext;
} catch (NoSuchAlgorithmException | KeyManagementException | NoSuchProviderException e) { } catch (NoSuchAlgorithmException | KeyManagementException | NoSuchProviderException e) {
throw new GenericSSLContextException(e); throw new GenericSSLContextException(e);
} }
} }
} }


@ -1,6 +1,5 @@
package org.xbib.net.security.ssl.util; package org.xbib.net.security.ssl.util;
import org.xbib.net.security.ssl.SSLFactory;
import org.xbib.net.security.ssl.socket.CompositeSSLServerSocketFactory; import org.xbib.net.security.ssl.socket.CompositeSSLServerSocketFactory;
import org.xbib.net.security.ssl.socket.CompositeSSLSocketFactory; import org.xbib.net.security.ssl.socket.CompositeSSLSocketFactory;
@ -21,13 +20,6 @@ public final class SSLSocketUtils {
return new CompositeSSLSocketFactory(sslSocketFactory, sslParameters); return new CompositeSSLSocketFactory(sslSocketFactory, sslParameters);
} }
public static SSLSocketFactory createUnsafeSslSocketFactory() {
return SSLFactory.builder()
.withUnsafeTrustMaterial()
.build()
.getSslSocketFactory();
}
public static SSLServerSocketFactory createSslServerSocketFactory(SSLContext sslContext, SSLParameters sslParameters) { public static SSLServerSocketFactory createSslServerSocketFactory(SSLContext sslContext, SSLParameters sslParameters) {
return new CompositeSSLServerSocketFactory(sslContext.getServerSocketFactory(), sslParameters); return new CompositeSSLServerSocketFactory(sslContext.getServerSocketFactory(), sslParameters);
} }


@ -10,7 +10,6 @@ import org.xbib.net.security.ssl.trustmanager.DummyX509ExtendedTrustManager;
import org.xbib.net.security.ssl.trustmanager.EnhanceableX509ExtendedTrustManager; import org.xbib.net.security.ssl.trustmanager.EnhanceableX509ExtendedTrustManager;
import org.xbib.net.security.ssl.trustmanager.HotSwappableX509ExtendedTrustManager; import org.xbib.net.security.ssl.trustmanager.HotSwappableX509ExtendedTrustManager;
import org.xbib.net.security.ssl.trustmanager.TrustManagerFactoryWrapper; import org.xbib.net.security.ssl.trustmanager.TrustManagerFactoryWrapper;
import org.xbib.net.security.ssl.trustmanager.UnsafeX509ExtendedTrustManager;
import org.xbib.net.security.ssl.trustmanager.X509TrustManagerWrapper; import org.xbib.net.security.ssl.trustmanager.X509TrustManagerWrapper;
import javax.net.ssl.ManagerFactoryParameters; import javax.net.ssl.ManagerFactoryParameters;
@ -156,18 +155,10 @@ public final class TrustManagerUtils {
} }
} }
public static X509ExtendedTrustManager createUnsafeTrustManager() {
return UnsafeX509ExtendedTrustManager.getInstance();
}
public static X509ExtendedTrustManager createDummyTrustManager() { public static X509ExtendedTrustManager createDummyTrustManager() {
return DummyX509ExtendedTrustManager.getInstance(); return DummyX509ExtendedTrustManager.getInstance();
} }
public static X509ExtendedTrustManager createCertificateCapturingTrustManager(List<X509Certificate> certificatesCollector) {
return createCertificateCapturingTrustManager(TrustManagerUtils.createUnsafeTrustManager(), certificatesCollector);
}
public static X509ExtendedTrustManager createCertificateCapturingTrustManager(X509TrustManager baseTrustManager, List<X509Certificate> certificatesCollector) { public static X509ExtendedTrustManager createCertificateCapturingTrustManager(X509TrustManager baseTrustManager, List<X509Certificate> certificatesCollector) {
return new CertificateCapturingX509ExtendedTrustManager(wrapIfNeeded(baseTrustManager), certificatesCollector); return new CertificateCapturingX509ExtendedTrustManager(wrapIfNeeded(baseTrustManager), certificatesCollector);
} }
@ -328,42 +319,29 @@ public final class TrustManagerUtils {
public X509ExtendedTrustManager build() { public X509ExtendedTrustManager build() {
ValidationUtils.requireNotEmpty(trustManagers, () -> new GenericTrustManagerException(EMPTY_TRUST_MANAGER_EXCEPTION)); ValidationUtils.requireNotEmpty(trustManagers, () -> new GenericTrustManagerException(EMPTY_TRUST_MANAGER_EXCEPTION));
X509ExtendedTrustManager baseTrustManager; X509ExtendedTrustManager baseTrustManager;
if (trustManagers.size() == 1) {
Optional<X509ExtendedTrustManager> unsafeTrustManager = trustManagers.stream() baseTrustManager = trustManagers.get(0);
.filter(UnsafeX509ExtendedTrustManager.class::isInstance)
.findAny();
if (unsafeTrustManager.isPresent()) {
baseTrustManager = unsafeTrustManager.get();
} else { } else {
if (trustManagers.size() == 1) { baseTrustManager = trustManagers.stream()
baseTrustManager = trustManagers.get(0); .map(TrustManagerUtils::unwrapIfPossible)
} else { .flatMap(Collection::stream)
baseTrustManager = trustManagers.stream() .filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)
.map(TrustManagerUtils::unwrapIfPossible) .collect(Collectors.collectingAndThen(Collectors.toList(), CompositeX509ExtendedTrustManager::new));
.flatMap(Collection::stream) }
.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0) if (chainAndAuthTypeValidator != null
.collect(Collectors.collectingAndThen(Collectors.toList(), CompositeX509ExtendedTrustManager::new)); || chainAndAuthTypeWithSocketValidator != null
} || chainAndAuthTypeWithSSLEngineValidator != null) {
baseTrustManager = TrustManagerUtils.createEnhanceableTrustManager(
if (chainAndAuthTypeValidator != null baseTrustManager,
|| chainAndAuthTypeWithSocketValidator != null chainAndAuthTypeValidator,
|| chainAndAuthTypeWithSSLEngineValidator != null) { chainAndAuthTypeWithSocketValidator,
baseTrustManager = TrustManagerUtils.createEnhanceableTrustManager( chainAndAuthTypeWithSSLEngineValidator
baseTrustManager, );
chainAndAuthTypeValidator,
chainAndAuthTypeWithSocketValidator,
chainAndAuthTypeWithSSLEngineValidator
);
}
} }
if (swappableTrustManagerEnabled) { if (swappableTrustManagerEnabled) {
baseTrustManager = TrustManagerUtils.createSwappableTrustManager(baseTrustManager); baseTrustManager = TrustManagerUtils.createSwappableTrustManager(baseTrustManager);
} }
return baseTrustManager; return baseTrustManager;
} }
} }
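Review bot: With the unsafe short-circuit gone, the `.filter(trustManager -> trustManager.getAcceptedIssuers().length > 0)` step in `build()` is now the sole criterion for which managers enter the composite, and it silently drops any trust manager that validates programmatically but advertises no accepted issuers — while the same manager is used as-is via `trustManagers.get(0)` when it is the only entry, so behaviour differs by list size. The dummy and certificate-capturing managers created earlier in this file look like candidates for that, though their `getAcceptedIssuers()` implementations are not visible here. A one-line comment above the filter would make the intent explicit, e.g. `// managers advertising no accepted issuers are left out of the composite; a lone manager is used unfiltered`. It is also worth checking that an all-filtered list does not produce an empty `CompositeX509ExtendedTrustManager` without an error.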