Example 1 with CertificatePinner
use of okhttp3.CertificatePinner in project okhttp by square.
the class CertificatePinnerTest method successfulFindMatchingPinsIgnoresCase.
@Test
public void successfulFindMatchingPinsIgnoresCase() {
CertificatePinner certificatePinner = new CertificatePinner.Builder().add("EXAMPLE.com", certA1Sha256Pin).add("*.MyExample.Com", certB1Sha256Pin).build();
List<Pin> expectedPin1 = Arrays.asList(new Pin("EXAMPLE.com", certA1Sha256Pin));
assertEquals(expectedPin1, certificatePinner.findMatchingPins("example.com"));
List<Pin> expectedPin2 = Arrays.asList(new Pin("*.MyExample.Com", certB1Sha256Pin));
assertEquals(expectedPin2, certificatePinner.findMatchingPins("a.myexample.com"));
}Example 2 with CertificatePinner
use of okhttp3.CertificatePinner in project okhttp by square.
the class CertificatePinnerTest method successfulFindMatchingPinsForWildcardAndDirectCertificates.
@Test
public void successfulFindMatchingPinsForWildcardAndDirectCertificates() {
CertificatePinner certificatePinner = new CertificatePinner.Builder().add("*.example.com", certA1Sha256Pin).add("a.example.com", certB1Sha256Pin).add("b.example.com", certC1Sha256Pin).build();
List<Pin> expectedPins = Arrays.asList(new Pin("*.example.com", certA1Sha256Pin), new Pin("a.example.com", certB1Sha256Pin));
assertEquals(expectedPins, certificatePinner.findMatchingPins("a.example.com"));
}Example 3 with CertificatePinner
use of okhttp3.CertificatePinner in project okhttp by square.
the class CertificatePinnerTest method successfulFindMatchingPins.
@Test
public void successfulFindMatchingPins() {
CertificatePinner certificatePinner = new CertificatePinner.Builder().add("first.com", certA1Sha256Pin, certB1Sha256Pin).add("second.com", certC1Sha256Pin).build();
List<Pin> expectedPins = Arrays.asList(new Pin("first.com", certA1Sha256Pin), new Pin("first.com", certB1Sha256Pin));
assertEquals(expectedPins, certificatePinner.findMatchingPins("first.com"));
}Example 4 with CertificatePinner
use of okhttp3.CertificatePinner in project okhttp by square.
the class CertificatePinnerTest method successfulFindMatchingPinPunycode.
@Test
public void successfulFindMatchingPinPunycode() {
CertificatePinner certificatePinner = new CertificatePinner.Builder().add("σkhttp.com", certA1Sha256Pin).build();
List<Pin> expectedPin = Arrays.asList(new Pin("σkhttp.com", certA1Sha256Pin));
assertEquals(expectedPin, certificatePinner.findMatchingPins("xn--khttp-fde.com"));
}Example 5 with CertificatePinner
use of okhttp3.CertificatePinner in project okhttp by square.
the class CertificatePinnerChainValidationTest method unrelatedPinnedIntermediateCertificateInChain.
@Test
public void unrelatedPinnedIntermediateCertificateInChain() throws Exception {
// Start with two root CA certificates, one is good and the other is compromised.
HeldCertificate rootCa = new HeldCertificate.Builder().serialNumber("1").ca(3).commonName("root").build();
HeldCertificate compromisedRootCa = new HeldCertificate.Builder().serialNumber("2").ca(3).commonName("compromised_root").build();
// Add a good intermediate CA, and have that issue a good certificate to localhost. Prepare an
// SSL context for an HTTP client under attack. It includes the trusted CA and a pinned
// certificate.
HeldCertificate goodIntermediateCa = new HeldCertificate.Builder().issuedBy(rootCa).ca(2).serialNumber("3").commonName("intermediate_ca").build();
CertificatePinner certificatePinner = new CertificatePinner.Builder().add(server.getHostName(), CertificatePinner.pin(goodIntermediateCa.certificate)).build();
SslClient clientContextBuilder = new SslClient.Builder().addTrustedCertificate(rootCa.certificate).addTrustedCertificate(compromisedRootCa.certificate).build();
OkHttpClient client = defaultClient().newBuilder().sslSocketFactory(clientContextBuilder.socketFactory, clientContextBuilder.trustManager).hostnameVerifier(new RecordingHostnameVerifier()).certificatePinner(certificatePinner).build();
// The attacker compromises the root CA, issues an intermediate with the same common name
// "intermediate_ca" as the good CA. This signs a rogue certificate for localhost. The server
// serves the good CAs certificate in the chain, which means the certificate pinner sees a
// different set of certificates than the SSL verifier.
HeldCertificate compromisedIntermediateCa = new HeldCertificate.Builder().issuedBy(compromisedRootCa).ca(2).serialNumber("4").commonName("intermediate_ca").build();
HeldCertificate rogueCertificate = new HeldCertificate.Builder().serialNumber("5").issuedBy(compromisedIntermediateCa).commonName(server.getHostName()).build();
SslClient.Builder sslBuilder = new SslClient.Builder();
// http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/2c1c21d11e58/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#l596
if (getPlatform().equals("jdk9")) {
sslBuilder.keyStoreType("JKS");
}
SslClient serverSslContext = sslBuilder.certificateChain(rogueCertificate.keyPair, rogueCertificate.certificate, goodIntermediateCa.certificate, compromisedIntermediateCa.certificate, compromisedRootCa.certificate).build();
server.useHttps(serverSslContext.socketFactory, false);
server.enqueue(new MockResponse().setBody("abc").addHeader("Content-Type: text/plain"));
// Make a request from client to server. It should succeed certificate checks (unfortunately the
// rogue CA is trusted) but it should fail certificate pinning.
Request request = new Request.Builder().url(server.url("/")).build();
Call call = client.newCall(request);
try {
call.execute();
fail();
} catch (SSLHandshakeException expected) {
// On Android, the handshake fails before the certificate pinner runs.
String message = expected.getMessage();
assertTrue(message, message.contains("Could not validate certificate"));
} catch (SSLPeerUnverifiedException expected) {
// On OpenJDK, the handshake succeeds but the certificate pinner fails.
String message = expected.getMessage();
assertTrue(message, message.startsWith("Certificate pinning failure!"));
}
}
Also used :
MockResponse(okhttp3.mockwebserver.MockResponse)
Call(okhttp3.Call)
OkHttpClient(okhttp3.OkHttpClient)
CertificatePinner(okhttp3.CertificatePinner)
SSLPeerUnverifiedException(javax.net.ssl.SSLPeerUnverifiedException)
Request(okhttp3.Request)
SSLHandshakeException(javax.net.ssl.SSLHandshakeException)
RecordingHostnameVerifier(okhttp3.RecordingHostnameVerifier)
Test(org.junit.Test)
Aggregations
Test (org.junit.Test)10
MockResponse (okhttp3.mockwebserver.MockResponse)6
CertificatePinner (okhttp3.CertificatePinner)5
Call (okhttp3.Call)4
Pin (okhttp3.CertificatePinner.Pin)4
OkHttpClient (okhttp3.OkHttpClient)4
RecordingHostnameVerifier (okhttp3.RecordingHostnameVerifier)4
Request (okhttp3.Request)4
SSLPeerUnverifiedException (javax.net.ssl.SSLPeerUnverifiedException)3
Response (okhttp3.Response)2
RecordedRequest (okhttp3.mockwebserver.RecordedRequest)2
Certificate (java.security.cert.Certificate)1
HostnameVerifier (javax.net.ssl.HostnameVerifier)1
SSLHandshakeException (javax.net.ssl.SSLHandshakeException)1
SSLSocketFactory (javax.net.ssl.SSLSocketFactory)1
Address (okhttp3.Address)1
HeldCertificate (okhttp3.internal.tls.HeldCertificate)1
