Example 26 with X509TrustManager
use of javax.net.ssl.X509TrustManager in project robovm by robovm.
the class TrustManagerImplTest method testLearnIntermediate.
/**
* Ensure that our non-standard behavior of learning to trust new
* intermediate CAs does not regress. http://b/3404902
*/
public void testLearnIntermediate() throws Exception {
// chain3 should be server/intermediate/root
KeyStore.PrivateKeyEntry pke = TestKeyStore.getServer().getPrivateKey("RSA", "RSA");
X509Certificate[] chain3 = (X509Certificate[]) pke.getCertificateChain();
X509Certificate root = chain3[2];
X509Certificate intermediate = chain3[1];
X509Certificate server = chain3[0];
X509Certificate[] chain2 = new X509Certificate[] { server, intermediate };
X509Certificate[] chain1 = new X509Certificate[] { server };
// Normal behavior
assertValid(chain3, trustManager(root));
assertValid(chain2, trustManager(root));
assertInvalid(chain1, trustManager(root));
assertValid(chain3, trustManager(intermediate));
assertValid(chain2, trustManager(intermediate));
assertValid(chain1, trustManager(intermediate));
assertValid(chain3, trustManager(server));
assertValid(chain2, trustManager(server));
assertValid(chain1, trustManager(server));
// non-standard behavior
X509TrustManager tm = trustManager(root);
// fail on short chain with only root trusted
assertInvalid(chain1, tm);
// succeed on longer chain, learn intermediate
assertValid(chain2, tm);
// now we can validate the short chain
assertValid(chain1, tm);
}
Also used :
X509TrustManager(javax.net.ssl.X509TrustManager)
TestKeyStore(libcore.java.security.TestKeyStore)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
Example 27 with X509TrustManager
use of javax.net.ssl.X509TrustManager in project robovm by robovm.
the class TrustManagerImplTest method trustManager.
private X509TrustManager trustManager(X509Certificate ca) throws Exception {
KeyStore keyStore = TestKeyStore.createKeyStore();
keyStore.setCertificateEntry("alias", ca);
String algorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
tmf.init(keyStore);
return (X509TrustManager) tmf.getTrustManagers()[0];
}
Also used :
X509TrustManager(javax.net.ssl.X509TrustManager)
TrustManagerFactory(javax.net.ssl.TrustManagerFactory)
TestKeyStore(libcore.java.security.TestKeyStore)
KeyStore(java.security.KeyStore)
Example 28 with X509TrustManager
use of javax.net.ssl.X509TrustManager in project robovm by robovm.
the class TrustManagerImplTest method testGetFullChain.
public void testGetFullChain() throws Exception {
// build the trust manager
KeyStore.PrivateKeyEntry pke = TestKeyStore.getServer().getPrivateKey("RSA", "RSA");
X509Certificate[] chain3 = (X509Certificate[]) pke.getCertificateChain();
X509Certificate root = chain3[2];
X509TrustManager tm = trustManager(root);
// build the chains we'll use for testing
X509Certificate intermediate = chain3[1];
X509Certificate server = chain3[0];
X509Certificate[] chain2 = new X509Certificate[] { server, intermediate };
X509Certificate[] chain1 = new X509Certificate[] { server };
assertTrue(tm instanceof TrustManagerImpl);
TrustManagerImpl tmi = (TrustManagerImpl) tm;
List<X509Certificate> certs = tmi.checkServerTrusted(chain2, "RSA", "purple.com");
assertEquals(Arrays.asList(chain3), certs);
certs = tmi.checkServerTrusted(chain1, "RSA", "purple.com");
assertEquals(Arrays.asList(chain3), certs);
}
Also used :
X509TrustManager(javax.net.ssl.X509TrustManager)
TestKeyStore(libcore.java.security.TestKeyStore)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
Example 29 with X509TrustManager
use of javax.net.ssl.X509TrustManager in project muzei by romannurik.
the class OkHttpClientFactory method enableTls12.
/**
* Enable TLS on the OKHttp builder by setting a custom SocketFactory
*/
private static OkHttpClient.Builder enableTls12(OkHttpClient.Builder client) {
Log.i(TAG, "Enabling HTTPS compatibility mode");
try {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
}
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
client.sslSocketFactory(new TLSSocketFactory(), trustManager);
ConnectionSpec cs = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS).tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_1).build();
List<ConnectionSpec> specs = new ArrayList<>();
specs.add(cs);
specs.add(ConnectionSpec.COMPATIBLE_TLS);
specs.add(ConnectionSpec.CLEARTEXT);
client.connectionSpecs(specs);
} catch (Exception exc) {
Log.e(TAG, "Error while setting TLS", exc);
}
return client;
}
Also used :
ConnectionSpec(okhttp3.ConnectionSpec)
X509TrustManager(javax.net.ssl.X509TrustManager)
TrustManagerFactory(javax.net.ssl.TrustManagerFactory)
ArrayList(java.util.ArrayList)
TrustManager(javax.net.ssl.TrustManager)
X509TrustManager(javax.net.ssl.X509TrustManager)
Example 30 with X509TrustManager
use of javax.net.ssl.X509TrustManager in project robovm by robovm.
the class ServerHandshakeImpl method processClientHello.
/**
*
* Processes Client Hello message.
* Server responds to client hello message with server hello
* and (if necessary) server certificate, server key exchange,
* certificate request, and server hello done messages.
*/
void processClientHello() {
CipherSuite cipher_suite;
// check that clientHello contains CompressionMethod.null
checkCompression: {
for (int i = 0; i < clientHello.compression_methods.length; i++) {
if (clientHello.compression_methods[i] == 0) {
break checkCompression;
}
}
fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "HANDSHAKE FAILURE. Incorrect client hello message");
}
byte[] server_version = clientHello.client_version;
if (!ProtocolVersion.isSupported(clientHello.client_version)) {
if (clientHello.client_version[0] >= 3) {
// Protocol from the future, admit that the newest thing we know is TLSv1
server_version = ProtocolVersion.TLSv1.version;
} else {
fatalAlert(AlertProtocol.PROTOCOL_VERSION, "PROTOCOL VERSION. Unsupported client version " + clientHello.client_version[0] + clientHello.client_version[1]);
}
}
isResuming = false;
FIND: if (clientHello.session_id.length != 0) {
// client wishes to reuse session
SSLSessionImpl sessionToResume;
boolean reuseCurrent = false;
// reuse current session
if (session != null && Arrays.equals(session.id, clientHello.session_id)) {
if (session.isValid()) {
isResuming = true;
break FIND;
}
reuseCurrent = true;
}
// find session in cash
sessionToResume = findSessionToResume(clientHello.session_id);
if (sessionToResume == null || !sessionToResume.isValid()) {
if (!parameters.getEnableSessionCreation()) {
if (reuseCurrent) {
// we can continue current session
sendWarningAlert(AlertProtocol.NO_RENEGOTIATION);
status = NOT_HANDSHAKING;
clearMessages();
return;
}
// throw AlertException
fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "SSL Session may not be created");
}
session = null;
} else {
session = (SSLSessionImpl) sessionToResume.clone();
isResuming = true;
}
}
if (isResuming) {
cipher_suite = session.cipherSuite;
// clientHello.cipher_suites must include at least cipher_suite from the session
checkCipherSuite: {
for (int i = 0; i < clientHello.cipher_suites.length; i++) {
if (cipher_suite.equals(clientHello.cipher_suites[i])) {
break checkCipherSuite;
}
}
fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "HANDSHAKE FAILURE. Incorrect client hello message");
}
} else {
cipher_suite = selectSuite(clientHello.cipher_suites);
if (cipher_suite == null) {
fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "HANDSHAKE FAILURE. NO COMMON SUITE");
}
if (!parameters.getEnableSessionCreation()) {
fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "SSL Session may not be created");
}
session = new SSLSessionImpl(cipher_suite, parameters.getSecureRandom());
if (engineOwner != null) {
session.setPeer(engineOwner.getPeerHost(), engineOwner.getPeerPort());
} else {
session.setPeer(socketOwner.getInetAddress().getHostName(), socketOwner.getPort());
}
}
recordProtocol.setVersion(server_version);
session.protocol = ProtocolVersion.getByVersion(server_version);
session.clientRandom = clientHello.random;
// create server hello message
serverHello = new ServerHello(parameters.getSecureRandom(), server_version, session.getId(), cipher_suite, //CompressionMethod.null
(byte) 0);
session.serverRandom = serverHello.random;
send(serverHello);
if (isResuming) {
sendChangeCipherSpec();
return;
}
// create and send server certificate message if needed
if (!cipher_suite.isAnonymous()) {
// need to send server certificate
X509Certificate[] certs = null;
String certType = cipher_suite.getServerKeyType();
if (certType == null) {
fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "NO CERT TYPE FOR " + cipher_suite.getName());
}
// obtain certificates from key manager
String alias = null;
X509KeyManager km = parameters.getKeyManager();
if (km instanceof X509ExtendedKeyManager) {
X509ExtendedKeyManager ekm = (X509ExtendedKeyManager) km;
if (this.socketOwner != null) {
alias = ekm.chooseServerAlias(certType, null, this.socketOwner);
} else {
alias = ekm.chooseEngineServerAlias(certType, null, this.engineOwner);
}
if (alias != null) {
certs = ekm.getCertificateChain(alias);
}
} else {
alias = km.chooseServerAlias(certType, null, this.socketOwner);
if (alias != null) {
certs = km.getCertificateChain(alias);
}
}
if (certs == null) {
fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "NO SERVER CERTIFICATE FOUND");
return;
}
session.localCertificates = certs;
serverCert = new CertificateMessage(certs);
privKey = km.getPrivateKey(alias);
send(serverCert);
}
// create and send server key exchange message if needed
RSAPublicKey rsakey = null;
DHPublicKeySpec dhkeySpec = null;
byte[] hash = null;
BigInteger p = null;
BigInteger g = null;
KeyPairGenerator kpg = null;
try {
if (cipher_suite.keyExchange == CipherSuite.KEY_EXCHANGE_RSA_EXPORT) {
PublicKey pk = serverCert.certs[0].getPublicKey();
if (getRSAKeyLength(pk) > 512) {
// key is longer than 512 bits
kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(512);
}
} else if (cipher_suite.keyExchange == CipherSuite.KEY_EXCHANGE_DHE_DSS || cipher_suite.keyExchange == CipherSuite.KEY_EXCHANGE_DHE_DSS_EXPORT || cipher_suite.keyExchange == CipherSuite.KEY_EXCHANGE_DHE_RSA || cipher_suite.keyExchange == CipherSuite.KEY_EXCHANGE_DHE_RSA_EXPORT || cipher_suite.keyExchange == CipherSuite.KEY_EXCHANGE_DH_anon || cipher_suite.keyExchange == CipherSuite.KEY_EXCHANGE_DH_anon_EXPORT) {
kpg = KeyPairGenerator.getInstance("DH");
p = new BigInteger(1, DHParameters.getPrime());
g = new BigInteger("2");
DHParameterSpec spec = new DHParameterSpec(p, g);
kpg.initialize(spec);
}
} catch (Exception e) {
fatalAlert(AlertProtocol.INTERNAL_ERROR, "INTERNAL ERROR", e);
}
if (kpg != null) {
// need to send server key exchange message
DigitalSignature ds = new DigitalSignature(cipher_suite.authType);
KeyPair kp = null;
try {
kp = kpg.genKeyPair();
if (cipher_suite.keyExchange == CipherSuite.KEY_EXCHANGE_RSA_EXPORT) {
rsakey = (RSAPublicKey) kp.getPublic();
} else {
DHPublicKey dhkey = (DHPublicKey) kp.getPublic();
KeyFactory kf = KeyFactory.getInstance("DH");
dhkeySpec = kf.getKeySpec(dhkey, DHPublicKeySpec.class);
}
if (!cipher_suite.isAnonymous()) {
// calculate signed_params
// init by private key which correspond to
// server certificate
ds.init(privKey);
// use emphemeral key for key exchange
privKey = kp.getPrivate();
ds.update(clientHello.getRandom());
ds.update(serverHello.getRandom());
//FIXME 1_byte==0x00
if (cipher_suite.keyExchange == CipherSuite.KEY_EXCHANGE_RSA_EXPORT) {
ServerKeyExchange.updateSignatureRsa(ds, rsakey.getModulus(), rsakey.getPublicExponent());
} else {
ServerKeyExchange.updateSignatureDh(ds, dhkeySpec.getP(), dhkeySpec.getG(), dhkeySpec.getY());
}
hash = ds.sign();
} else {
// use emphemeral key for key exchange
privKey = kp.getPrivate();
}
} catch (Exception e) {
fatalAlert(AlertProtocol.INTERNAL_ERROR, "INTERNAL ERROR", e);
}
if (cipher_suite.keyExchange == CipherSuite.KEY_EXCHANGE_RSA_EXPORT) {
serverKeyExchange = new ServerKeyExchange(rsakey.getModulus(), rsakey.getPublicExponent(), null, hash);
} else {
serverKeyExchange = new ServerKeyExchange(p, g, dhkeySpec.getY(), hash);
}
send(serverKeyExchange);
}
// CERTIFICATE_REQUEST
certRequest: if (parameters.getWantClientAuth() || parameters.getNeedClientAuth()) {
X509Certificate[] accepted;
try {
X509TrustManager tm = parameters.getTrustManager();
accepted = tm.getAcceptedIssuers();
} catch (ClassCastException e) {
// don't send certificateRequest
break certRequest;
}
byte[] requestedClientCertTypes = { CipherSuite.TLS_CT_RSA_SIGN, CipherSuite.TLS_CT_DSS_SIGN };
certificateRequest = new CertificateRequest(requestedClientCertTypes, accepted);
send(certificateRequest);
}
// SERVER_HELLO_DONE
serverHelloDone = new ServerHelloDone();
send(serverHelloDone);
status = NEED_UNWRAP;
}
Also used :
DHPublicKey(javax.crypto.interfaces.DHPublicKey)
DHParameterSpec(javax.crypto.spec.DHParameterSpec)
X509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager)
RSAPublicKey(java.security.interfaces.RSAPublicKey)
X509KeyManager(javax.net.ssl.X509KeyManager)
KeyFactory(java.security.KeyFactory)
KeyPair(java.security.KeyPair)
PublicKey(java.security.PublicKey)
RSAPublicKey(java.security.interfaces.RSAPublicKey)
DHPublicKey(javax.crypto.interfaces.DHPublicKey)
KeyPairGenerator(java.security.KeyPairGenerator)
X509Certificate(java.security.cert.X509Certificate)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
X509TrustManager(javax.net.ssl.X509TrustManager)
BigInteger(java.math.BigInteger)
DHPublicKeySpec(javax.crypto.spec.DHPublicKeySpec)
Aggregations
X509TrustManager (javax.net.ssl.X509TrustManager)150
TrustManager (javax.net.ssl.TrustManager)87
X509Certificate (java.security.cert.X509Certificate)79
SSLContext (javax.net.ssl.SSLContext)70
CertificateException (java.security.cert.CertificateException)49
IOException (java.io.IOException)40
TrustManagerFactory (javax.net.ssl.TrustManagerFactory)40
SecureRandom (java.security.SecureRandom)35
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)25
KeyManagementException (java.security.KeyManagementException)22
KeyStore (java.security.KeyStore)16
GeneralSecurityException (java.security.GeneralSecurityException)15
Test (org.junit.Test)15
KeyStoreException (java.security.KeyStoreException)14
HostnameVerifier (javax.net.ssl.HostnameVerifier)14
SSLSocketFactory (javax.net.ssl.SSLSocketFactory)14
SSLException (javax.net.ssl.SSLException)13
SSLSession (javax.net.ssl.SSLSession)11
OkHttpClient (okhttp3.OkHttpClient)8
X509KeyManager (javax.net.ssl.X509KeyManager)7
