Convert X509TrustManager into X509ExtendedTrustManager for Java 7+

Motivation: Since Java 7, X509TrustManager implementation is wrapped by a JDK class called AbstractTrustManagerWrapper, which performs an additional certificate validation for Socket or SSLEngine-backed connections. This makes the TrustManager implementations provided by InsecureTrustManagerFactory and FingerprintTrustManagerFactory not insecure enough, where their certificate validation fails even when it should pass. Modifications: - Add X509TrustManagerWrapper which adapts an X509TrustManager into an X509ExtendedTrustManager - Make SimpleTrustManagerFactory wrap an X509TrustManager with X509TrustManagerWrapper is the provided TrustManager does not extend X509ExtendedTrustManager Result: - InsecureTrustManagerFactory and FingerprintTrustManagerFactory are now insecure as expected. - Fixes #5910
2016-10-12 14:30:32 +09:00 · 2016-10-12 14:30:32 +09:00 · 0b7bf49c16
commit 0b7bf49c16
parent 7e62f9fcdb
2 changed files with 91 additions and 1 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/util/SimpleTrustManagerFactory.java
+++ b/handler/src/main/java/io/netty/handler/ssl/util/SimpleTrustManagerFactory.java
@ -17,11 +17,14 @@
 package io.netty.handler.ssl.util;
 import io.netty.util.concurrent.FastThreadLocal;
 import io.netty.util.internal.PlatformDependent;
 import javax.net.ssl.ManagerFactoryParameters;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.TrustManagerFactorySpi;
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
@ -98,6 +101,7 @@ public abstract class SimpleTrustManagerFactory extends TrustManagerFactory {
    static final class SimpleTrustManagerFactorySpi extends TrustManagerFactorySpi {
        private SimpleTrustManagerFactory parent;
        private volatile TrustManager[] trustManagers;
        void init(SimpleTrustManagerFactory parent) {
            this.parent = parent;
@ -128,7 +132,20 @@ public abstract class SimpleTrustManagerFactory extends TrustManagerFactory {
        @Override
        protected TrustManager[] engineGetTrustManagers() {
-            return parent.engineGetTrustManagers();
+            TrustManager[] trustManagers = this.trustManagers;
            if (trustManagers == null) {
                trustManagers = parent.engineGetTrustManagers();
                if (PlatformDependent.javaVersion() >= 7) {
                    for (int i = 0; i < trustManagers.length; i++) {
                        final TrustManager tm = trustManagers[i];
                        if (tm instanceof X509TrustManager && !(tm instanceof X509ExtendedTrustManager)) {
                            trustManagers[i] = new X509TrustManagerWrapper((X509TrustManager) tm);
                        }
                    }
                }
                this.trustManagers = trustManagers;
            }
            return trustManagers.clone();
        }
    }
 }
--- a/handler/src/main/java/io/netty/handler/ssl/util/X509TrustManagerWrapper.java
+++ b/handler/src/main/java/io/netty/handler/ssl/util/X509TrustManagerWrapper.java
@ -0,0 +1,73 @@
 /*
 * Copyright 2016 The Netty Project
 *
 * The Netty Project licenses this file to you under the Apache License,
 * version 2.0 (the "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at:
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations
 * under the License.
 */
 package io.netty.handler.ssl.util;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.X509ExtendedTrustManager;
 import javax.net.ssl.X509TrustManager;
 import java.net.Socket;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import static io.netty.util.internal.ObjectUtil.*;
 final class X509TrustManagerWrapper extends X509ExtendedTrustManager {
    private final X509TrustManager delegate;
    X509TrustManagerWrapper(X509TrustManager delegate) {
        this.delegate = checkNotNull(delegate, "delegate");
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String s) throws CertificateException {
        delegate.checkClientTrusted(chain, s);
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String s, Socket socket)
            throws CertificateException {
        delegate.checkClientTrusted(chain, s);
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String s, SSLEngine sslEngine)
            throws CertificateException {
        delegate.checkClientTrusted(chain, s);
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String s) throws CertificateException {
        delegate.checkServerTrusted(chain, s);
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String s, Socket socket)
            throws CertificateException {
        delegate.checkServerTrusted(chain, s);
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String s, SSLEngine sslEngine)
            throws CertificateException {
        delegate.checkServerTrusted(chain, s);
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }
 }