Examples with HandshakeCertificates okhttp3.tls.HandshakeCertificates used on opensource projects

Example 6 with HandshakeCertificates

use of okhttp3.tls.HandshakeCertificates in project okhttp by square.

the class CertificatePinnerChainValidationTest method unrelatedPinnedIntermediateCertificateInChain.

@Test
public void unrelatedPinnedIntermediateCertificateInChain() throws Exception {
    // https://github.com/square/okhttp/issues/4729
    platform.expectFailureOnConscryptPlatform();
    platform.expectFailureOnCorrettoPlatform();
    // Start with two root CA certificates, one is good and the other is compromised.
    HeldCertificate rootCa = new HeldCertificate.Builder().serialNumber(1L).certificateAuthority(1).commonName("root").build();
    HeldCertificate compromisedRootCa = new HeldCertificate.Builder().serialNumber(2L).certificateAuthority(1).commonName("compromised_root").build();
    // Add a good intermediate CA, and have that issue a good certificate to localhost. Prepare an
    // SSL context for an HTTP client under attack. It includes the trusted CA and a pinned
    // certificate.
    HeldCertificate goodIntermediateCa = new HeldCertificate.Builder().signedBy(rootCa).certificateAuthority(0).serialNumber(3L).commonName("intermediate_ca").build();
    CertificatePinner certificatePinner = new CertificatePinner.Builder().add(server.getHostName(), CertificatePinner.pin(goodIntermediateCa.certificate())).build();
    HandshakeCertificates handshakeCertificates = new HandshakeCertificates.Builder().addTrustedCertificate(rootCa.certificate()).addTrustedCertificate(compromisedRootCa.certificate()).build();
    OkHttpClient client = clientTestRule.newClientBuilder().sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager()).hostnameVerifier(new RecordingHostnameVerifier()).certificatePinner(certificatePinner).build();
    // The attacker compromises the root CA, issues an intermediate with the same common name
    // "intermediate_ca" as the good CA. This signs a rogue certificate for localhost. The server
    // serves the good CAs certificate in the chain, which means the certificate pinner sees a
    // different set of certificates than the SSL verifier.
    HeldCertificate compromisedIntermediateCa = new HeldCertificate.Builder().signedBy(compromisedRootCa).certificateAuthority(0).serialNumber(4L).commonName("intermediate_ca").build();
    HeldCertificate rogueCertificate = new HeldCertificate.Builder().serialNumber(5L).signedBy(compromisedIntermediateCa).commonName(server.getHostName()).build();
    SSLSocketFactory socketFactory = newServerSocketFactory(rogueCertificate, goodIntermediateCa.certificate(), compromisedIntermediateCa.certificate());
    server.useHttps(socketFactory, false);
    server.enqueue(new MockResponse().setBody("abc").addHeader("Content-Type: text/plain"));
    // Make a request from client to server. It should succeed certificate checks (unfortunately the
    // rogue CA is trusted) but it should fail certificate pinning.
    Request request = new Request.Builder().url(server.url("/")).build();
    Call call = client.newCall(request);
    try {
        call.execute();
        fail();
    } catch (SSLHandshakeException expected) {
        // On Android, the handshake fails before the certificate pinner runs.
        String message = expected.getMessage();
        assertThat(message).contains("Could not validate certificate");
    } catch (SSLPeerUnverifiedException expected) {
        // On OpenJDK, the handshake succeeds but the certificate pinner fails.
        String message = expected.getMessage();
        assertThat(message).startsWith("Certificate pinning failure!");
    }
}

Example 7 with HandshakeCertificates

use of okhttp3.tls.HandshakeCertificates in project okhttp by square.

the class CertificatePinnerChainValidationTest method unrelatedPinnedLeafCertificateInChain.

@Test
public void unrelatedPinnedLeafCertificateInChain() throws Exception {
    // https://github.com/square/okhttp/issues/4729
    platform.expectFailureOnConscryptPlatform();
    platform.expectFailureOnCorrettoPlatform();
    // Start with a trusted root CA certificate.
    HeldCertificate rootCa = new HeldCertificate.Builder().serialNumber(1L).certificateAuthority(1).commonName("root").build();
    // Add a good intermediate CA, and have that issue a good certificate to localhost. Prepare an
    // SSL context for an HTTP client under attack. It includes the trusted CA and a pinned
    // certificate.
    HeldCertificate goodIntermediateCa = new HeldCertificate.Builder().signedBy(rootCa).certificateAuthority(0).serialNumber(2L).commonName("good_intermediate_ca").build();
    HeldCertificate goodCertificate = new HeldCertificate.Builder().signedBy(goodIntermediateCa).serialNumber(3L).commonName(server.getHostName()).build();
    CertificatePinner certificatePinner = new CertificatePinner.Builder().add(server.getHostName(), CertificatePinner.pin(goodCertificate.certificate())).build();
    HandshakeCertificates handshakeCertificates = new HandshakeCertificates.Builder().addTrustedCertificate(rootCa.certificate()).build();
    OkHttpClient client = clientTestRule.newClientBuilder().sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager()).hostnameVerifier(new RecordingHostnameVerifier()).certificatePinner(certificatePinner).build();
    // Add a bad intermediate CA and have that issue a rogue certificate for localhost. Prepare
    // an SSL context for an attacking webserver. It includes both these rogue certificates plus the
    // trusted good certificate above. The attack is that by including the good certificate in the
    // chain, we may trick the certificate pinner into accepting the rouge certificate.
    HeldCertificate compromisedIntermediateCa = new HeldCertificate.Builder().signedBy(rootCa).certificateAuthority(0).serialNumber(4L).commonName("bad_intermediate_ca").build();
    HeldCertificate rogueCertificate = new HeldCertificate.Builder().serialNumber(5L).signedBy(compromisedIntermediateCa).commonName(server.getHostName()).build();
    SSLSocketFactory socketFactory = newServerSocketFactory(rogueCertificate, compromisedIntermediateCa.certificate(), goodCertificate.certificate());
    server.useHttps(socketFactory, false);
    server.enqueue(new MockResponse().setBody("abc").addHeader("Content-Type: text/plain"));
    // Make a request from client to server. It should succeed certificate checks (unfortunately the
    // rogue CA is trusted) but it should fail certificate pinning.
    Request request = new Request.Builder().url(server.url("/")).build();
    Call call = client.newCall(request);
    try {
        call.execute();
        fail();
    } catch (SSLPeerUnverifiedException expected) {
        // Certificate pinning fails!
        String message = expected.getMessage();
        assertThat(message).startsWith("Certificate pinning failure!");
    }
}

Example 8 with HandshakeCertificates

use of okhttp3.tls.HandshakeCertificates in project okhttp by square.

the class HttpsServer method run.

public void run() throws Exception {
    String localhost = InetAddress.getByName("localhost").getCanonicalHostName();
    HeldCertificate localhostCertificate = new HeldCertificate.Builder().addSubjectAlternativeName(localhost).build();
    HandshakeCertificates serverCertificates = new HandshakeCertificates.Builder().heldCertificate(localhostCertificate).build();
    MockWebServer server = new MockWebServer();
    server.useHttps(serverCertificates.sslSocketFactory(), false);
    server.enqueue(new MockResponse());
    HandshakeCertificates clientCertificates = new HandshakeCertificates.Builder().addTrustedCertificate(localhostCertificate.certificate()).build();
    OkHttpClient client = new OkHttpClient.Builder().sslSocketFactory(clientCertificates.sslSocketFactory(), clientCertificates.trustManager()).build();
    Call call = client.newCall(new Request.Builder().url(server.url("/")).build());
    Response response = call.execute();
    System.out.println(response.handshake().tlsVersion());
}

Example 9 with HandshakeCertificates

use of okhttp3.tls.HandshakeCertificates in project okhttp by square.

the class ClientAuthTest method buildClient.

private OkHttpClient buildClient(HeldCertificate heldCertificate, X509Certificate... intermediates) {
    HandshakeCertificates.Builder builder = new HandshakeCertificates.Builder().addTrustedCertificate(serverRootCa.certificate());
    if (heldCertificate != null) {
        builder.heldCertificate(heldCertificate, intermediates);
    }
    HandshakeCertificates handshakeCertificates = builder.build();
    return clientTestRule.newClientBuilder().sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager()).build();
}

Example 10 with HandshakeCertificates

use of okhttp3.tls.HandshakeCertificates in project collect by opendatakit.

the class OkHttpOpenRosaServerClientProvider method addTrustForLetsEncryptRoot.

// https://stackoverflow.com/a/64844360/137744
private void addTrustForLetsEncryptRoot(OkHttpClient.Builder builder) throws CertificateException {
    String isgCert = "-----BEGIN CERTIFICATE-----\n" + "MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\n" + "TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n" + "cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\n" + "WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\n" + "ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\n" + "MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\n" + "h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\n" + "0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\n" + "A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\n" + "T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\n" + "B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\n" + "B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\n" + "KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\n" + "OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\n" + "jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\n" + "qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\n" + "rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\n" + "HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\n" + "hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\n" + "ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\n" + "3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\n" + "NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\n" + "ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\n" + "TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\n" + "jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\n" + "oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\n" + "4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\n" + "mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n" + "emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n" + "-----END CERTIFICATE-----";
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Certificate isgCertificate = cf.generateCertificate(new ByteArrayInputStream(isgCert.getBytes(StandardCharsets.UTF_8)));
    HandshakeCertificates certificates = new HandshakeCertificates.Builder().addTrustedCertificate((X509Certificate) isgCertificate).addPlatformTrustedCertificates().build();
    builder.sslSocketFactory(certificates.sslSocketFactory(), certificates.trustManager());
}