Motivation: We should not use the InternalThreadLocalMap where access may be done from outside the EventLoop as this may create a lot of memory usage while not be reused anyway. Modifications: Not use InternalThreadLocalMap in places where the code-path will likely be executed from outside the EventLoop. Result: Less memory bloat.
218 lines
8.2 KiB
Java
218 lines
8.2 KiB
Java
/*
|
|
* Copyright 2014 The Netty Project
|
|
*
|
|
* The Netty Project licenses this file to you under the Apache License,
|
|
* version 2.0 (the "License"); you may not use this file except in compliance
|
|
* with the License. You may obtain a copy of the License at:
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
* License for the specific language governing permissions and limitations
|
|
* under the License.
|
|
*/
|
|
|
|
package io.netty.handler.ssl.util;
|
|
|
|
import io.netty.buffer.ByteBufUtil;
|
|
import io.netty.buffer.Unpooled;
|
|
import io.netty.util.internal.EmptyArrays;
|
|
import io.netty.util.concurrent.FastThreadLocal;
|
|
|
|
import javax.net.ssl.ManagerFactoryParameters;
|
|
import javax.net.ssl.TrustManager;
|
|
import javax.net.ssl.TrustManagerFactory;
|
|
import javax.net.ssl.X509TrustManager;
|
|
import java.security.KeyStore;
|
|
import java.security.MessageDigest;
|
|
import java.security.NoSuchAlgorithmException;
|
|
import java.security.cert.CertificateEncodingException;
|
|
import java.security.cert.CertificateException;
|
|
import java.security.cert.X509Certificate;
|
|
import java.util.ArrayList;
|
|
import java.util.Arrays;
|
|
import java.util.List;
|
|
import java.util.regex.Pattern;
|
|
|
|
/**
|
|
* An {@link TrustManagerFactory} that trusts an X.509 certificate whose SHA1 checksum matches.
|
|
* <p>
|
|
* <strong>NOTE:</strong> It is recommended to verify certificates and their chain to prevent
|
|
* <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man-in-the-middle attacks</a>.
|
|
* This {@link TrustManagerFactory} will <strong>only</strong> verify that the fingerprint of certificates match one
|
|
* of the given fingerprints. This procedure is called
|
|
* <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning">certificate pinning</a> and
|
|
* is an effective protection. For maximum security one should verify that the whole certificate chain is as expected.
|
|
* It is worth mentioning that certain firewalls, proxies or other appliances found in corporate environments,
|
|
* actually perform Man-in-the-middle attacks and thus present a different certificate fingerprint.
|
|
* </p>
|
|
* <p>
|
|
* The SHA1 checksum of an X.509 certificate is calculated from its DER encoded format. You can get the fingerprint of
|
|
* an X.509 certificate using the {@code openssl} command. For example:
|
|
*
|
|
* <pre>
|
|
* $ openssl x509 -fingerprint -sha1 -in my_certificate.crt
|
|
* SHA1 Fingerprint=4E:85:10:55:BC:7B:12:08:D1:EA:0A:12:C9:72:EE:F3:AA:B2:C7:CB
|
|
* -----BEGIN CERTIFICATE-----
|
|
* MIIBqjCCAROgAwIBAgIJALiT3Nvp0kvmMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNV
|
|
* BAMTC2V4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMFoYDzk5OTkxMjMxMjM1OTU5
|
|
* WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
|
|
* gYkCgYEAnadvODG0QCiHhaFZlLHtr5gLIkDQS8ErZ//KfqeCHTC/KJsl3xYFk0zG
|
|
* aCv2FcmkOlokm77qV8qOW2DZdND7WuYzX6nLVuLb+GYxZ7b45iMAbAajvGh8jc9U
|
|
* o07fUIahGqTDAIAGCWsoLUOQ9nMzO/8GRHcXJAeQ2MGY2VpCcv0CAwEAATANBgkq
|
|
* hkiG9w0BAQUFAAOBgQBpRCnmjmNM0D7yrpkUJpBTNiqinhKLbeOvPWm+YmdInUUs
|
|
* LoMu0mZ1IANemLwqbwJJ76fknngeB+YuVAj46SurvVCV6ekwHcbgpW1u063IRwKk
|
|
* tQhOBO0HQxldUS4+4MYv/kuvnKkbjfgh5qfWw89Kx4kD+cycpP4yPtgDGk8ZMA==
|
|
* -----END CERTIFICATE-----
|
|
* </pre>
|
|
* </p>
|
|
*/
|
|
public final class FingerprintTrustManagerFactory extends SimpleTrustManagerFactory {
|
|
|
|
private static final Pattern FINGERPRINT_PATTERN = Pattern.compile("^[0-9a-fA-F:]+$");
|
|
private static final Pattern FINGERPRINT_STRIP_PATTERN = Pattern.compile(":");
|
|
private static final int SHA1_BYTE_LEN = 20;
|
|
private static final int SHA1_HEX_LEN = SHA1_BYTE_LEN * 2;
|
|
|
|
private static final FastThreadLocal<MessageDigest> tlmd = new FastThreadLocal<MessageDigest>() {
|
|
@Override
|
|
protected MessageDigest initialValue() {
|
|
try {
|
|
return MessageDigest.getInstance("SHA1");
|
|
} catch (NoSuchAlgorithmException e) {
|
|
// All Java implementation must have SHA1 digest algorithm.
|
|
throw new Error(e);
|
|
}
|
|
}
|
|
};
|
|
|
|
private final TrustManager tm = new X509TrustManager() {
|
|
|
|
@Override
|
|
public void checkClientTrusted(X509Certificate[] chain, String s) throws CertificateException {
|
|
checkTrusted("client", chain);
|
|
}
|
|
|
|
@Override
|
|
public void checkServerTrusted(X509Certificate[] chain, String s) throws CertificateException {
|
|
checkTrusted("server", chain);
|
|
}
|
|
|
|
private void checkTrusted(String type, X509Certificate[] chain) throws CertificateException {
|
|
X509Certificate cert = chain[0];
|
|
byte[] fingerprint = fingerprint(cert);
|
|
boolean found = false;
|
|
for (byte[] allowedFingerprint: fingerprints) {
|
|
if (Arrays.equals(fingerprint, allowedFingerprint)) {
|
|
found = true;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!found) {
|
|
throw new CertificateException(
|
|
type + " certificate with unknown fingerprint: " + cert.getSubjectDN());
|
|
}
|
|
}
|
|
|
|
private byte[] fingerprint(X509Certificate cert) throws CertificateEncodingException {
|
|
MessageDigest md = tlmd.get();
|
|
md.reset();
|
|
return md.digest(cert.getEncoded());
|
|
}
|
|
|
|
@Override
|
|
public X509Certificate[] getAcceptedIssuers() {
|
|
return EmptyArrays.EMPTY_X509_CERTIFICATES;
|
|
}
|
|
};
|
|
|
|
private final byte[][] fingerprints;
|
|
|
|
/**
|
|
* Creates a new instance.
|
|
*
|
|
* @param fingerprints a list of SHA1 fingerprints in heaxdecimal form
|
|
*/
|
|
public FingerprintTrustManagerFactory(Iterable<String> fingerprints) {
|
|
this(toFingerprintArray(fingerprints));
|
|
}
|
|
|
|
/**
|
|
* Creates a new instance.
|
|
*
|
|
* @param fingerprints a list of SHA1 fingerprints in heaxdecimal form
|
|
*/
|
|
public FingerprintTrustManagerFactory(String... fingerprints) {
|
|
this(toFingerprintArray(Arrays.asList(fingerprints)));
|
|
}
|
|
|
|
/**
|
|
* Creates a new instance.
|
|
*
|
|
* @param fingerprints a list of SHA1 fingerprints
|
|
*/
|
|
public FingerprintTrustManagerFactory(byte[]... fingerprints) {
|
|
if (fingerprints == null) {
|
|
throw new NullPointerException("fingerprints");
|
|
}
|
|
|
|
List<byte[]> list = new ArrayList<byte[]>(fingerprints.length);
|
|
for (byte[] f: fingerprints) {
|
|
if (f == null) {
|
|
break;
|
|
}
|
|
if (f.length != SHA1_BYTE_LEN) {
|
|
throw new IllegalArgumentException("malformed fingerprint: " +
|
|
ByteBufUtil.hexDump(Unpooled.wrappedBuffer(f)) + " (expected: SHA1)");
|
|
}
|
|
list.add(f.clone());
|
|
}
|
|
|
|
this.fingerprints = list.toArray(new byte[list.size()][]);
|
|
}
|
|
|
|
private static byte[][] toFingerprintArray(Iterable<String> fingerprints) {
|
|
if (fingerprints == null) {
|
|
throw new NullPointerException("fingerprints");
|
|
}
|
|
|
|
List<byte[]> list = new ArrayList<byte[]>();
|
|
for (String f: fingerprints) {
|
|
if (f == null) {
|
|
break;
|
|
}
|
|
|
|
if (!FINGERPRINT_PATTERN.matcher(f).matches()) {
|
|
throw new IllegalArgumentException("malformed fingerprint: " + f);
|
|
}
|
|
f = FINGERPRINT_STRIP_PATTERN.matcher(f).replaceAll("");
|
|
if (f.length() != SHA1_HEX_LEN) {
|
|
throw new IllegalArgumentException("malformed fingerprint: " + f + " (expected: SHA1)");
|
|
}
|
|
|
|
byte[] farr = new byte[SHA1_BYTE_LEN];
|
|
for (int i = 0; i < farr.length; i ++) {
|
|
int strIdx = i << 1;
|
|
farr[i] = (byte) Integer.parseInt(f.substring(strIdx, strIdx + 2), 16);
|
|
}
|
|
list.add(farr);
|
|
}
|
|
|
|
return list.toArray(new byte[list.size()][]);
|
|
}
|
|
|
|
@Override
|
|
protected void engineInit(KeyStore keyStore) throws Exception { }
|
|
|
|
@Override
|
|
protected void engineInit(ManagerFactoryParameters managerFactoryParameters) throws Exception { }
|
|
|
|
@Override
|
|
protected TrustManager[] engineGetTrustManagers() {
|
|
return new TrustManager[] { tm };
|
|
}
|
|
}
|