From a9a9e1cb62123475edd733a53ecc00611c2aa764 Mon Sep 17 00:00:00 2001
From: Christof Rabensteiner
Date: Thu, 27 Jun 2019 17:39:24 +0200
Subject: Honor & Test TrustAll and LaxHostNameVerification

- Print a big scary warning message for everyone who enables "trustAll"
- Test TrustAll and LaxHostNameVerification
- Describe test case requirements and add key material needed to run these test cases.
---
 .../at/gv/egiz/moazs/msg/MsgClientFactory.java     | 33 ++++++++++---
 .../at/gv/egiz/moazs/util/SSLContextCreator.java   | 55 +++++++++++++++++++++-
 2 files changed, 79 insertions(+), 9 deletions(-)

(limited to 'src/main/java/at/gv/egiz/moazs')

diff --git a/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java b/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
index 389fa5c..e55debc 100644
--- a/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
+++ b/src/main/java/at/gv/egiz/moazs/msg/MsgClientFactory.java
@@ -4,6 +4,7 @@ import at.gv.egiz.moazs.util.FileUtils;
 import at.gv.egiz.moazs.util.SSLContextCreator;
 import at.gv.zustellung.app2mzs.xsd.ClientType;
 import at.gv.zustellung.app2mzs.xsd.KeyStoreType;
+import at.gv.zustellung.app2mzs.xsd.SSLType;
 import at.gv.zustellung.msg.xsd.App2ZusePort;
 import org.apache.cxf.configuration.jsse.TLSClientParameters;
 import org.apache.cxf.endpoint.Client;
@@ -32,7 +33,9 @@ public class MsgClientFactory {
     private final FileUtils fileUtils;
 
     @Autowired
-    public MsgClientFactory(StoreSOAPBodyBinaryInRepositoryInterceptor storeResponseInterceptor, SSLContextCreator creator, FileUtils fileUtils) {
+    public MsgClientFactory(StoreSOAPBodyBinaryInRepositoryInterceptor storeResponseInterceptor,
+                            SSLContextCreator creator,
+                            FileUtils fileUtils) {
         this.storeResponseInterceptor = storeResponseInterceptor;
         this.sslContextCreator = creator;
         this.fileUtils = fileUtils;
@@ -44,7 +47,6 @@ public class MsgClientFactory {
      * @param params for the client, such as service url and ssl parameters.
      * @return the msg client
      */
-    //TODO evaluate and honor laxhostnameverification and trustall parameter!
     public App2ZusePort create(ClientType params) {
 
         var factory = new JaxWsClientFactoryBean();
@@ -62,11 +64,7 @@ public class MsgClientFactory {
         http.setClient(httpClientPolicy);
 
         if (params.getURL().startsWith("https")) {
-            var keystore = resolveKeyStorePath(params.getSSL().getKeyStore());
-            var truststore = resolveKeyStorePath(params.getSSL().getTrustStore());
-            SSLContext sslContext = sslContextCreator.createSSLContext(keystore, truststore);
-            var tlsParams = new TLSClientParameters();
-            tlsParams.setSSLSocketFactory(sslContext.getSocketFactory());
+            TLSClientParameters tlsParams = setupTLSParams(params.getSSL());
             http.setTlsClientParameters(tlsParams);
             log.info("SSLContext initialized. ");
         }
@@ -74,6 +72,27 @@ public class MsgClientFactory {
         return ((App2ZusePort)proxy);
     }
 
+    private TLSClientParameters setupTLSParams(SSLType ssl) {
+
+        var tlsParams = new TLSClientParameters();
+        var keystore = resolveKeyStorePath(ssl.getKeyStore());
+
+        SSLContext sslContext;
+        if (ssl.isTrustAll()) {
+            sslContext = sslContextCreator.createUnsafeSSLContext(keystore);
+        } else {
+            var truststore = resolveKeyStorePath(ssl.getTrustStore());
+            sslContext = sslContextCreator.createSSLContext(keystore, truststore);
+        }
+        tlsParams.setSSLSocketFactory(sslContext.getSocketFactory());
+
+        if (ssl.isLaxHostNameVerification()) {
+            tlsParams.setDisableCNCheck(true);
+        }
+
+        return tlsParams;
+    }
+
     private KeyStoreType resolveKeyStorePath(@Nullable KeyStoreType store) {
 
         if (store == null) return null;
diff --git a/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java b/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
index b4d66d1..302bbf0 100644
--- a/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
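Review bot: In setupTLSParams the laxHostNameVerification branch disables CXF's hostname check with `tlsParams.setDisableCNCheck(true)` silently, so a server presenting any certificate that chains to the trust store is accepted regardless of the name it was issued for; unlike the trustAll path, which logs a warning via createUnsafeSSLContext, nothing records that this client runs in a degraded mode. Log it at WARN next to the call, e.g. `log.warn("TLS hostname verification is disabled for this client; use for testing only, NOT IN PRODUCTION.");`. The trustAll branch also drops a configured trustStore without comment — if `ssl.getTrustStore()` is non-null there, a warning that it is being ignored would help operators notice a contradictory configuration. Hedged, since it predates this commit: `params.getSSL()` is dereferenced for every https URL, so a ClientType without an SSL element still fails with a NullPointerException rather than a descriptive error. The enclosing MsgClientFactory class continues outside the hunk.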
+++ b/src/main/java/at/gv/egiz/moazs/util/SSLContextCreator.java
@@ -6,6 +6,9 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.lang.Nullable;
 import org.springframework.stereotype.Component;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.X509TrustManager;
 import javax.net.ssl.*;
 import java.io.IOException;
@@ -15,23 +18,46 @@ import static at.gv.egiz.moazs.MoaZSException.moaZSException;
 import static java.lang.String.format;
 
 @Component
+ /**
+  * Adapted from at.asitplus.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient
+  */
 public class SSLContextCreator {
 
     private static final Logger log = LoggerFactory.getLogger(SSLContextCreator.class);
 
+    private static final String SSL_WARN_MAN_IN_THE_MIDDLE_MSG =
+            "HTTP Client trusts ANY server certificate and is therefore vulnerable to Man-In-The-Middle attacks. " +
+            "Use this configuration for testing purposes only and NOT IN PRODUCTION. ";
+
     /**
      * Creates an SSL Context.
-     * Adapted from at.asitplus.eidas.specific.modules.authmodule_eIDASv2.szr.SZRClient
      *
      * @param keystore (if null, use no key store)
      * @param truststore (if null, use default trust store)
      * @throws at.gv.egiz.moazs.MoaZSException
      */
     public SSLContext createSSLContext(@Nullable KeyStoreType keystore, @Nullable KeyStoreType truststore) {
+        return createSSLContext(keystore, false, truststore);
+    }
+
+    /**
+     * Creates an SSL Context that trusts all certificates. Don't use in production.
+     *
+     * @param keystore (if null, use no key store)
+     * @throws at.gv.egiz.moazs.MoaZSException
+     */
+    public SSLContext createUnsafeSSLContext(@Nullable KeyStoreType keystore) {
+        log.warn(SSL_WARN_MAN_IN_THE_MIDDLE_MSG);
+        return createSSLContext(keystore, true, null);
+    }
+
+    private SSLContext createSSLContext(@Nullable KeyStoreType keystore, boolean trustAll, @Nullable KeyStoreType truststore) {
         try {
             SSLContext context = SSLContext.getInstance("TLS");
             KeyManager[] keyManager = initKeyManager(keystore);
-            TrustManager[] trustManager = initTrustManager(truststore);
+            TrustManager[] trustManager = trustAll
+                    ? new TrustManager[]{new TrustAllManager()}
+                    : initTrustManager(truststore);
             context.init(keyManager, trustManager, new SecureRandom());
             return context;
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
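Review bot: The comment moved between `@Component` and `public class SSLContextCreator` (`/** Adapted from … SZRClient */`) will not be picked up as the class's Javadoc, because a doc comment is recognised only when it immediately precedes the declaration's first annotation or modifier; place it above `@Component`. The Javadoc of createUnsafeSSLContext should also state what `TrustAllManager` actually does, since "trusts all certificates" understates it for API readers, e.g. `* Creates an SSL Context whose trust manager accepts every peer certificate without any validation (chain, expiry, revocation); a WARN is logged on each call. Test use only.`. Hedged, as `SSLContext.getInstance("TLS")` is a pre-existing context line: it leaves protocol selection to the JDK defaults, which on older JDKs still include TLS 1.0/1.1, so the enabled protocols are worth verifying or pinning on the TLSClientParameters for production deployments. The SSLContextCreator class continues beyond the hunk.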
@@ -79,4 +105,29 @@ public class SSLContextCreator {
         }
     }
 
+    /**
+     * Class implementing a trust manager that trusts all certificates.
+     *
+     * @author Arne Tauber
+     */
+    public static class TrustAllManager implements X509TrustManager {
+        private static Logger log = LoggerFactory.getLogger(TrustAllManager.class);
+        public X509Certificate[] getAcceptedIssuers() {
+            return new X509Certificate[0];
+        }
+        public void checkClientTrusted(X509Certificate[] arg0, String arg1)
+                throws CertificateException {
+            log.debug("Automatically accepting client certificate as trusted.");
+        }
+        public void checkServerTrusted(X509Certificate[] arg0, String arg1)
+                throws CertificateException {
+            log.debug("Automatically accepting server certificate as trusted.");
+        }
+    }
+
+
 }
-- 
cgit v1.2.3
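Review bot: The debug messages in TrustAllManager.checkServerTrusted and checkClientTrusted say nothing about what was accepted, so a test run leaves no trace of which certificate the client actually spoke to; include the leaf subject, e.g. `log.debug("Automatically accepting server certificate {} as trusted.", arg0 != null && arg0.length > 0 ? arg0[0].getSubjectX500Principal() : "<empty chain>");` and the same for the client side. The three interface methods lack `@Override`, and the logger should be `private static final Logger log = …`, matching the enclosing class's logger. Note also that the X509TrustManager contract expects an IllegalArgumentException for a null or empty chain, which this manager never throws — acceptable for a deliberately unsafe test helper, but worth stating in its Javadoc so nobody mistakes it for a partially validating manager. TrustAllManager is complete within the hunk, and the enclosing SSLContextCreator class is closed on its last line.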