Example 26 with HeldCertificate

use of okhttp3.tls.HeldCertificate in project okhttp by square.

From the class CertificatePinnerChainValidationTest, method intermediateMustNotHaveMoreIntermediatesThanSigner.

/**
 * Attack the CA intermediates check by presenting unrelated chains to the handshake vs.
 * certificate pinner.
 *
 * This chain is valid but not pinned:
 *
 * <pre>{@code
 *
 *   attackerCa
 *    -> phonyVictim
 *
 * }</pre>
 *
 * This chain is pinned but not valid:
 *
 * <pre>{@code
 *
 *   attackerCa
 *     -> pinnedRoot (trusted by CertificatePinner)
 *         -> compromisedIntermediate (max intermediates: 0)
 *             -> attackerIntermediate (max intermediates: 0)
 *                 -> phonyVictim
 * }</pre>
 */
@Test
public void intermediateMustNotHaveMoreIntermediatesThanSigner() throws Exception {
    HeldCertificate attackerCa = new HeldCertificate.Builder().serialNumber(1L).certificateAuthority(2).commonName("attacker ca").build();
    HeldCertificate pinnedRoot = new HeldCertificate.Builder().serialNumber(2L).certificateAuthority(1).commonName("pinned root").signedBy(attackerCa).build();
    HeldCertificate compromisedIntermediate = new HeldCertificate.Builder().serialNumber(3L).certificateAuthority(0).commonName("compromised intermediate").signedBy(pinnedRoot).build();
    HeldCertificate attackerIntermediate = new HeldCertificate.Builder()
            // Share keys between compromised CA and intermediate!
            .keyPair(attackerCa.keyPair())
            .serialNumber(4L)
            // More intermediates than permitted by signer!
            .certificateAuthority(0)
            .commonName("attacker intermediate")
            .signedBy(compromisedIntermediate)
            .build();
    HeldCertificate phonyVictim = new HeldCertificate.Builder().serialNumber(5L).signedBy(attackerIntermediate).addSubjectAlternativeName("victim.com").commonName("victim").build();
    CertificatePinner certificatePinner = new CertificatePinner.Builder().add(server.getHostName(), CertificatePinner.pin(pinnedRoot.certificate())).build();
    HandshakeCertificates handshakeCertificates = new HandshakeCertificates.Builder().addTrustedCertificate(pinnedRoot.certificate()).addTrustedCertificate(attackerCa.certificate()).build();
    OkHttpClient client = clientTestRule.newClientBuilder().sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager()).hostnameVerifier(new RecordingHostnameVerifier()).certificatePinner(certificatePinner).build();
    HandshakeCertificates serverHandshakeCertificates = new HandshakeCertificates.Builder().heldCertificate(phonyVictim, attackerIntermediate.certificate(), compromisedIntermediate.certificate(), pinnedRoot.certificate()).build();
    server.useHttps(serverHandshakeCertificates.sslSocketFactory(), false);
    server.enqueue(new MockResponse());
    // Make a request from client to server. It should not succeed certificate checks.
    Request request = new Request.Builder().url(server.url("/")).build();
    Call call = client.newCall(request);
    try (Response response = call.execute()) {
        fail("expected connection failure but got " + response);
    } catch (SSLHandshakeException expected) {
    }
}

Example 27 with HeldCertificate

use of okhttp3.tls.HeldCertificate in project okhttp by square.

From the class CertificatePinnerChainValidationTest, method lonePinnedCertificate.

@Test
public void lonePinnedCertificate() throws Exception {
    HeldCertificate onlyCertificate = new HeldCertificate.Builder().serialNumber(1L).commonName("root").build();
    CertificatePinner certificatePinner = new CertificatePinner.Builder().add(server.getHostName(), CertificatePinner.pin(onlyCertificate.certificate())).build();
    HandshakeCertificates handshakeCertificates = new HandshakeCertificates.Builder().addTrustedCertificate(onlyCertificate.certificate()).build();
    OkHttpClient client = clientTestRule.newClientBuilder().sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager()).hostnameVerifier(new RecordingHostnameVerifier()).certificatePinner(certificatePinner).build();
    HandshakeCertificates serverHandshakeCertificates = new HandshakeCertificates.Builder().heldCertificate(onlyCertificate).build();
    server.useHttps(serverHandshakeCertificates.sslSocketFactory(), false);
    // The request should complete successfully.
    server.enqueue(new MockResponse().setBody("abc"));
    Call call1 = client.newCall(new Request.Builder().url(server.url("/")).build());
    Response response1 = call1.execute();
    assertThat(response1.body().string()).isEqualTo("abc");
}