
@Test
public void unrelatedPinnedIntermediateCertificateInChain() throws Exception {
    // https://github.com/square/okhttp/issues/4729
    platform.expectFailureOnConscryptPlatform();
    platform.expectFailureOnCorrettoPlatform();

    // The client trusts two roots: a legitimate one and one the attacker controls.
    HeldCertificate trustedRoot = new HeldCertificate.Builder()
        .serialNumber(1L)
        .certificateAuthority(1)
        .commonName("root")
        .build();
    HeldCertificate attackerRoot = new HeldCertificate.Builder()
        .serialNumber(2L)
        .certificateAuthority(1)
        .commonName("compromised_root")
        .build();

    // The legitimate intermediate is what the client pins for the server's host name.
    HeldCertificate pinnedIntermediate = new HeldCertificate.Builder()
        .signedBy(trustedRoot)
        .certificateAuthority(0)
        .serialNumber(3L)
        .commonName("intermediate_ca")
        .build();
    CertificatePinner pinner = new CertificatePinner.Builder()
        .add(server.getHostName(), CertificatePinner.pin(pinnedIntermediate.certificate()))
        .build();
    HandshakeCertificates clientTrust = new HandshakeCertificates.Builder()
        .addTrustedCertificate(trustedRoot.certificate())
        .addTrustedCertificate(attackerRoot.certificate())
        .build();
    OkHttpClient client = clientTestRule.newClientBuilder()
        .sslSocketFactory(clientTrust.sslSocketFactory(), clientTrust.trustManager())
        .hostnameVerifier(new RecordingHostnameVerifier())
        .certificatePinner(pinner)
        .build();

    // The attacker's intermediate reuses the common name "intermediate_ca" and signs a rogue leaf
    // for the server's host name. The served chain also carries the legitimate intermediate, so
    // the pinner may see a different set of certificates than the TLS verifier does.
    HeldCertificate rogueIntermediate = new HeldCertificate.Builder()
        .signedBy(attackerRoot)
        .certificateAuthority(0)
        .serialNumber(4L)
        .commonName("intermediate_ca")
        .build();
    HeldCertificate rogueLeaf = new HeldCertificate.Builder()
        .serialNumber(5L)
        .signedBy(rogueIntermediate)
        .commonName(server.getHostName())
        .build();
    SSLSocketFactory serverSocketFactory = newServerSocketFactory(
        rogueLeaf, pinnedIntermediate.certificate(), rogueIntermediate.certificate());
    server.useHttps(serverSocketFactory, false);
    server.enqueue(new MockResponse().setBody("abc").addHeader("Content-Type: text/plain"));

    // Path validation passes (the attacker's root is trusted), but pinning must still reject it.
    Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
    try {
        call.execute();
        fail();
    } catch (SSLHandshakeException expected) {
        // Android: the handshake itself fails, before the pinner ever runs.
        assertThat(expected.getMessage()).contains("Could not validate certificate");
    } catch (SSLPeerUnverifiedException expected) {
        // OpenJDK: the handshake succeeds and the pinner rejects the chain.
        assertThat(expected.getMessage()).startsWith("Certificate pinning failure!");
    }
}

@Test
public void unrelatedPinnedLeafCertificateInChain() throws Exception {
    // https://github.com/square/okhttp/issues/4729
    platform.expectFailureOnConscryptPlatform();
    platform.expectFailureOnCorrettoPlatform();

    // A single trusted root issues both the good and the bad intermediate below.
    HeldCertificate trustedRoot = new HeldCertificate.Builder()
        .serialNumber(1L)
        .certificateAuthority(1)
        .commonName("root")
        .build();

    // Legitimate chain: root -> good intermediate -> leaf for the server's host name. The client
    // pins that leaf.
    HeldCertificate goodIntermediate = new HeldCertificate.Builder()
        .signedBy(trustedRoot)
        .certificateAuthority(0)
        .serialNumber(2L)
        .commonName("good_intermediate_ca")
        .build();
    HeldCertificate pinnedLeaf = new HeldCertificate.Builder()
        .signedBy(goodIntermediate)
        .serialNumber(3L)
        .commonName(server.getHostName())
        .build();
    CertificatePinner pinner = new CertificatePinner.Builder()
        .add(server.getHostName(), CertificatePinner.pin(pinnedLeaf.certificate()))
        .build();
    HandshakeCertificates clientTrust = new HandshakeCertificates.Builder()
        .addTrustedCertificate(trustedRoot.certificate())
        .build();
    OkHttpClient client = clientTestRule.newClientBuilder()
        .sslSocketFactory(clientTrust.sslSocketFactory(), clientTrust.trustManager())
        .hostnameVerifier(new RecordingHostnameVerifier())
        .certificatePinner(pinner)
        .build();

    // The attacking server presents a rogue leaf from a second intermediate and pads the chain
    // with the pinned leaf, hoping the pinner matches on it and accepts the rogue certificate.
    HeldCertificate badIntermediate = new HeldCertificate.Builder()
        .signedBy(trustedRoot)
        .certificateAuthority(0)
        .serialNumber(4L)
        .commonName("bad_intermediate_ca")
        .build();
    HeldCertificate rogueLeaf = new HeldCertificate.Builder()
        .serialNumber(5L)
        .signedBy(badIntermediate)
        .commonName(server.getHostName())
        .build();
    SSLSocketFactory serverSocketFactory = newServerSocketFactory(
        rogueLeaf, badIntermediate.certificate(), pinnedLeaf.certificate());
    server.useHttps(serverSocketFactory, false);
    server.enqueue(new MockResponse().setBody("abc").addHeader("Content-Type: text/plain"));

    // Path validation passes (the rogue chain is rooted in the trusted CA), but pinning must fail.
    Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
    try {
        call.execute();
        fail();
    } catch (SSLPeerUnverifiedException expected) {
        // Only the pinner rejects this chain; the padded leaf must not satisfy the pin.
        assertThat(expected.getMessage()).startsWith("Certificate pinning failure!");
    }
}

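/**
 * Starts an HTTPS-only MockWebServer backed by a freshly generated localhost certificate, makes
 * one request against it with a client that trusts only that certificate, and prints the
 * negotiated TLS version.
 *
 * <p>Both the response body and the server are released when this method returns, whether or
 * not the request succeeded; the original left the {@code Response} unclosed (a leaked connection)
 * and never shut the server down.
 *
 * @throws Exception on any I/O, TLS or certificate-generation failure
 */
public void run() throws Exception {
    String localhost = InetAddress.getByName("localhost").getCanonicalHostName();
    // Self-signed leaf whose subject alternative name matches the host the client connects to.
    HeldCertificate localhostCertificate = new HeldCertificate.Builder()
        .addSubjectAlternativeName(localhost)
        .build();
    HandshakeCertificates serverCertificates = new HandshakeCertificates.Builder()
        .heldCertificate(localhostCertificate)
        .build();

    MockWebServer server = new MockWebServer();
    try {
        server.useHttps(serverCertificates.sslSocketFactory(), false);
        server.enqueue(new MockResponse());

        // The client trusts only the certificate generated above, not the platform CA store.
        HandshakeCertificates clientCertificates = new HandshakeCertificates.Builder()
            .addTrustedCertificate(localhostCertificate.certificate())
            .build();
        OkHttpClient client = new OkHttpClient.Builder()
            .sslSocketFactory(clientCertificates.sslSocketFactory(), clientCertificates.trustManager())
            .build();

        Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
        // Response is Closeable; closing it releases the underlying connection.
        try (Response response = call.execute()) {
            System.out.println(response.handshake().tlsVersion());
        }
    } finally {
        // Stops the accept thread so a caller's JVM can exit promptly.
        server.shutdown();
    }
}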

/**
 * Builds a test client that trusts {@code serverRootCa} and, when {@code heldCertificate} is
 * non-null, presents it (with the given intermediates) for client authentication.
 *
 * @param heldCertificate the client certificate to present, or null to present none
 * @param intermediates extra certificates sent alongside the client certificate; ignored when
 *     {@code heldCertificate} is null
 * @return a client configured from {@code clientTestRule} with the resulting TLS material
 */
private OkHttpClient buildClient(HeldCertificate heldCertificate, X509Certificate... intermediates) {
    HandshakeCertificates.Builder trust = new HandshakeCertificates.Builder()
        .addTrustedCertificate(serverRootCa.certificate());
    // Only attach client-auth material when the caller supplied a certificate.
    if (heldCertificate != null) {
        trust.heldCertificate(heldCertificate, intermediates);
    }
    HandshakeCertificates clientCertificates = trust.build();
    return clientTestRule.newClientBuilder()
        .sslSocketFactory(clientCertificates.sslSocketFactory(), clientCertificates.trustManager())
        .build();
}

// https://stackoverflow.com/a/64844360/137744
/**
 * Configures {@code builder} with a trust store made of the platform's trusted certificates plus
 * the embedded root below.
 *
 * <p>The embedded PEM appears to be the ISRG Root X1 self-signed certificate (its subject reads
 * "ISRG Root X1"); confirm against the publisher's fingerprint when updating it. Because
 * {@code addPlatformTrustedCertificates()} is also called, this widens rather than replaces the
 * platform trust.
 *
 * @param builder the client builder to configure; its SSL socket factory and trust manager are
 *     replaced
 * @throws CertificateException if the embedded PEM cannot be parsed as an X.509 certificate
 */
private void addTrustForLetsEncryptRoot(OkHttpClient.Builder builder) throws CertificateException {
    String rootPem =
        "-----BEGIN CERTIFICATE-----\n"
            + "MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\n"
            + "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n"
            + "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\n"
            + "WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\n"
            + "ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\n"
            + "MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\n"
            + "h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n"
            + "0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\n"
            + "A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\n"
            + "T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\n"
            + "B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\n"
            + "B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\n"
            + "KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\n"
            + "OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\n"
            + "jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\n"
            + "qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\n"
            + "rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\n"
            + "HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\n"
            + "hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\n"
            + "ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n"
            + "3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\n"
            + "NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\n"
            + "ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\n"
            + "TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\n"
            + "jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\n"
            + "oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n"
            + "4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\n"
            + "mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n"
            + "emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n"
            + "-----END CERTIFICATE-----";

    // PEM is ASCII; decoding it as UTF-8 is explicit rather than platform-dependent.
    byte[] pemBytes = rootPem.getBytes(StandardCharsets.UTF_8);
    CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
    Certificate parsed = x509Factory.generateCertificate(new ByteArrayInputStream(pemBytes));
    X509Certificate embeddedRoot = (X509Certificate) parsed;

    HandshakeCertificates trust = new HandshakeCertificates.Builder()
        .addTrustedCertificate(embeddedRoot)
        .addPlatformTrustedCertificates()
        .build();
    builder.sslSocketFactory(trust.sslSocketFactory(), trust.trustManager());
}