andreacavalli/netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
af614e4d6e
netty5/handler/src/main/java/io/netty/handler/ssl/OpenSslX509TrustManagerWrapper.java
Norman Maurer ee207f4bc6 Make validation tools more happy by not have TrustManager impl just accept (#9041) 
Motivation:

Seems like some analyzer / validation tools scan code to detect if it may produce some security risk because of just blindly accept certificates. Such a tool did tag our code because we have such an implementation (which then is actually never be used). We should just change the impl to not do this as it does not matter for us and it makes such tools happier.

Modifications:

Throw CertificateException

Result:

Fixes https://github.com/netty/netty/issues/9032
2019-04-12 21:37:31 +02:00

179 lines
7.9 KiB
Java
Raw Blame History

/*
* Copyright 2018 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import io.netty.util.internal.EmptyArrays;
import io.netty.util.internal.PlatformDependent;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
* Utility which allows to wrap {@link X509TrustManager} implementations with the internal implementation used by
* {@code SSLContextImpl} that provides extended verification.
*
* This is really a "hack" until there is an official API as requested on the in
* <a href="https://bugs.openjdk.java.net/projects/JDK/issues/JDK-8210843">JDK-8210843</a>.
*/
final class OpenSslX509TrustManagerWrapper {
private static final InternalLogger LOGGER = InternalLoggerFactory
.getInstance(OpenSslX509TrustManagerWrapper.class);
private static final TrustManagerWrapper WRAPPER;
static {
// By default we will not do any wrapping but just return the passed in manager.
TrustManagerWrapper wrapper = manager -> manager;
Throwable cause = null;
Throwable unsafeCause = PlatformDependent.getUnsafeUnavailabilityCause();
if (unsafeCause == null) {
SSLContext context;
try {
context = newSSLContext();
// Now init with an array that only holds a X509TrustManager. This should be wrapped into an
// AbstractTrustManagerWrapper which will delegate the TrustManager itself but also do extra
// validations.
//
// See:
// - http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/
// cadea780bc76/src/share/classes/sun/security/ssl/SSLContextImpl.java#l127
context.init(null, new TrustManager[] {
new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
throws CertificateException {
throw new CertificateException();
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
throws CertificateException {
throw new CertificateException();
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return EmptyArrays.EMPTY_X509_CERTIFICATES;
}
}
}, null);
} catch (Throwable error) {
context = null;
cause = error;
}
if (cause != null) {
LOGGER.debug("Unable to access wrapped TrustManager", cause);
} else {
final SSLContext finalContext = context;
Object maybeWrapper = AccessController.doPrivileged((PrivilegedAction<Object>) () -> {
try {
Field contextSpiField = SSLContext.class.getDeclaredField("contextSpi");
final long spiOffset = PlatformDependent.objectFieldOffset(contextSpiField);
Object spi = PlatformDependent.getObject(finalContext, spiOffset);
if (spi != null) {
Class<?> clazz = spi.getClass();
// Let's cycle through the whole hierarchy until we find what we are looking for or
// there is nothing left in which case we will not wrap at all.
do {
try {
Field trustManagerField = clazz.getDeclaredField("trustManager");
final long tmOffset = PlatformDependent.objectFieldOffset(trustManagerField);
Object trustManager = PlatformDependent.getObject(spi, tmOffset);
if (trustManager instanceof X509ExtendedTrustManager) {
return new UnsafeTrustManagerWrapper(spiOffset, tmOffset);
}
} catch (NoSuchFieldException ignore) {
// try next
}
clazz = clazz.getSuperclass();
} while (clazz != null);
}
throw new NoSuchFieldException();
} catch (NoSuchFieldException | SecurityException e) {
return e;
}
});
if (maybeWrapper instanceof Throwable) {
LOGGER.debug("Unable to access wrapped TrustManager", (Throwable) maybeWrapper);
} else {
wrapper = (TrustManagerWrapper) maybeWrapper;
}
}
} else {
LOGGER.debug("Unable to access wrapped TrustManager", cause);
}
WRAPPER = wrapper;
}
private OpenSslX509TrustManagerWrapper() { }
static X509TrustManager wrapIfNeeded(X509TrustManager trustManager) {
return WRAPPER.wrapIfNeeded(trustManager);
}
private interface TrustManagerWrapper {
X509TrustManager wrapIfNeeded(X509TrustManager manager);
}
private static SSLContext newSSLContext() throws NoSuchAlgorithmException {
return SSLContext.getInstance("TLS");
}
private static final class UnsafeTrustManagerWrapper implements TrustManagerWrapper {
private final long spiOffset;
private final long tmOffset;
UnsafeTrustManagerWrapper(long spiOffset, long tmOffset) {
this.spiOffset = spiOffset;
this.tmOffset = tmOffset;
}
@Override
public X509TrustManager wrapIfNeeded(X509TrustManager manager) {
if (!(manager instanceof X509ExtendedTrustManager)) {
try {
SSLContext ctx = newSSLContext();
ctx.init(null, new TrustManager[] { manager }, null);
Object spi = PlatformDependent.getObject(ctx, spiOffset);
if (spi != null) {
Object tm = PlatformDependent.getObject(spi, tmOffset);
if (tm instanceof X509ExtendedTrustManager) {
return (X509TrustManager) tm;
}
}
} catch (NoSuchAlgorithmException | KeyManagementException e) {
// This should never happen as we did the same in the static
// before.
PlatformDependent.throwException(e);
}
}
return manager;
}
}
}
Reference in New Issue View Git Blame Copy Permalink