TLSUtils.java

  1. /**
  2.  *
  3.  * Copyright 2014 Florian Schmaus
  4.  *
  5.  * Licensed under the Apache License, Version 2.0 (the "License");
  6.  * you may not use this file except in compliance with the License.
  7.  * You may obtain a copy of the License at
  8.  *
  9.  *     http://www.apache.org/licenses/LICENSE-2.0
  10.  *
  11.  * Unless required by applicable law or agreed to in writing, software
  12.  * distributed under the License is distributed on an "AS IS" BASIS,
  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14.  * See the License for the specific language governing permissions and
  15.  * limitations under the License.
  16.  */
  17. package org.jivesoftware.smack.util;

  19. import java.security.KeyManagementException;
  20. import java.security.NoSuchAlgorithmException;
  21. import java.security.SecureRandom;
  22. import java.security.cert.CertificateException;
  23. import java.security.cert.X509Certificate;
  24. import java.util.Arrays;
  25. import java.util.HashSet;
  26. import java.util.Set;

  28. import javax.net.ssl.HostnameVerifier;
  29. import javax.net.ssl.SSLContext;
  30. import javax.net.ssl.SSLSession;
  31. import javax.net.ssl.SSLSocket;
  32. import javax.net.ssl.TrustManager;
  33. import javax.net.ssl.X509TrustManager;

  35. import org.jivesoftware.smack.ConnectionConfiguration;
  36. import org.jivesoftware.smack.SmackException.SecurityNotPossibleException;


  39. public class TLSUtils {

  41.     public static final String SSL = "SSL";
  42.     public static final String TLS = "TLS";
  43.     public static final String PROTO_SSL3 = SSL + "v3";
  44.     public static final String PROTO_TLSV1 = TLS + "v1";
  45.     public static final String PROTO_TLSV1_1 = TLS + "v1.1";
  46.     public static final String PROTO_TLSV1_2 = TLS + "v1.2";

  48.     /**
  49.      * Enable only TLS. Connections created with the given ConnectionConfiguration will only support TLS.
  50.      * <p>
  51.      * According to the <a
  52.      * href="https://raw.githubusercontent.com/stpeter/manifesto/master/manifesto.txt">Encrypted
  53.      * XMPP Manifesto</a>, TLSv1.2 shall be deployed, providing fallback support for SSLv3 and
  54.      * TLSv1.1. This method goes one step boyond and upgrades the handshake to use TLSv1 or better.
  55.      * This method requires the underlying OS to support all of TLSv1.2 , 1.1 and 1.0.
  56.      * </p>
  57.      * 
  58.      * @param builder the configuration builder to apply this setting to
  59.      */
  60.     public static <B extends ConnectionConfiguration.Builder<B,?>> B setTLSOnly(B builder) {
  61.         builder.setEnabledSSLProtocols(new String[] { PROTO_TLSV1_2,  PROTO_TLSV1_1, PROTO_TLSV1 });
  62.         return builder;
  63.     }

  65.     /**
  66.      * Enable only TLS and SSLv3. Connections created with the given ConnectionConfiguration will
  67.      * only support TLS and SSLv3.
  68.      * <p>
  69.      * According to the <a
  70.      * href="https://raw.githubusercontent.com/stpeter/manifesto/master/manifesto.txt">Encrypted
  71.      * XMPP Manifesto</a>, TLSv1.2 shall be deployed, providing fallback support for SSLv3 and
  72.      * TLSv1.1.
  73.      * </p>
  74.      * 
  75.      * @param builder the configuration builder to apply this setting to
  76.      */
  77.     public static <B extends ConnectionConfiguration.Builder<B,?>> B setSSLv3AndTLSOnly(B builder) {
  78.         builder.setEnabledSSLProtocols(new String[] { PROTO_TLSV1_2,  PROTO_TLSV1_1, PROTO_TLSV1, PROTO_SSL3 });
  79.         return builder;
  80.     }

  82.     /**
  83.      * Accept all TLS certificates.
  84.      * <p>
  85.      * <b>Warning:</b> Use with care. This method make the Connection use {@link AcceptAllTrustManager} and essentially
  86.      * <b>invalidates all security guarantees provided by TLS</b>. Only use this method if you understand the
  87.      * implications.
  88.      * </p>
  89.      * 
  90.      * @param builder a connection configuration builder.
  91.      * @throws NoSuchAlgorithmException
  92.      * @throws KeyManagementException
  93.      * @return the given builder.
  94.      */
  95.     public static <B extends ConnectionConfiguration.Builder<B,?>> B acceptAllCertificates(B builder) throws NoSuchAlgorithmException, KeyManagementException {
  96.         SSLContext context = SSLContext.getInstance(TLS);
  97.         context.init(null, new TrustManager[] { new AcceptAllTrustManager() }, new SecureRandom());
  98.         builder.setCustomSSLContext(context);
  99.         return builder;
  100.     }

  102.     private static final HostnameVerifier DOES_NOT_VERIFY_VERIFIER = new HostnameVerifier() {
  103.         @Override
  104.         public boolean verify(String hostname, SSLSession session) {
  105.             // This verifier doesn't verify the hostname, it always returns true.
  106.             return true;
  107.         }
  108.     };

  110.     /**
  111.      * Disable the hostname verification of TLS certificates.
  112.      * <p>
  113.      * <b>Warning:</b> Use with care. This disables hostname verification of TLS certificates and essentially
  114.      * <b>invalidates all security guarantees provided by TLS</b>. Only use this method if you understand the
  115.      * implications.
  116.      * </p>
  117.      * 
  118.      * @param builder a connection configuration builder.
  119.      * @return the given builder.
  120.      */
  121.     public static <B extends ConnectionConfiguration.Builder<B,?>> B disableHostnameVerificationForTlsCertificicates(B builder) {
  122.         builder.setHostnameVerifier(DOES_NOT_VERIFY_VERIFIER);
  123.         return builder;
  124.     }

  126.     public static void setEnabledProtocolsAndCiphers(final SSLSocket sslSocket,
  127.                     String[] enabledProtocols, String[] enabledCiphers)
  128.                     throws SecurityNotPossibleException {
  129.         if (enabledProtocols != null) {
  130.             Set<String> enabledProtocolsSet = new HashSet<String>(Arrays.asList(enabledProtocols));
  131.             Set<String> supportedProtocolsSet = new HashSet<String>(
  132.                             Arrays.asList(sslSocket.getSupportedProtocols()));
  133.             Set<String> protocolsIntersection = new HashSet<String>(supportedProtocolsSet);
  134.             protocolsIntersection.retainAll(enabledProtocolsSet);
  135.             if (protocolsIntersection.isEmpty()) {
  136.                 throw new SecurityNotPossibleException("Request to enable SSL/TLS protocols '"
  137.                                 + StringUtils.collectionToString(enabledProtocolsSet)
  138.                                 + "', but only '"
  139.                                 + StringUtils.collectionToString(supportedProtocolsSet)
  140.                                 + "' are supported.");
  141.             }

  143.             // Set the enabled protocols
  144.             enabledProtocols = new String[protocolsIntersection.size()];
  145.             enabledProtocols = protocolsIntersection.toArray(enabledProtocols);
  146.             sslSocket.setEnabledProtocols(enabledProtocols);
  147.         }

  149.         if (enabledCiphers != null) {
  150.             Set<String> enabledCiphersSet = new HashSet<String>(Arrays.asList(enabledCiphers));
  151.             Set<String> supportedCiphersSet = new HashSet<String>(
  152.                             Arrays.asList(sslSocket.getEnabledCipherSuites()));
  153.             Set<String> ciphersIntersection = new HashSet<String>(supportedCiphersSet);
  154.             ciphersIntersection.retainAll(enabledCiphersSet);
  155.             if (ciphersIntersection.isEmpty()) {
  156.                 throw new SecurityNotPossibleException("Request to enable SSL/TLS ciphers '"
  157.                                 + StringUtils.collectionToString(enabledCiphersSet)
  158.                                 + "', but only '"
  159.                                 + StringUtils.collectionToString(supportedCiphersSet)
  160.                                 + "' are supported.");
  161.             }

  163.             enabledCiphers = new String[ciphersIntersection.size()];
  164.             enabledCiphers = ciphersIntersection.toArray(enabledCiphers);
  165.             sslSocket.setEnabledCipherSuites(enabledCiphers);
  166.         }
  167.     }

  169.     /**
  170.      * A {@link X509TrustManager} that <b>doesn't validate</b> X.509 certificates.
  171.      * <p>
  172.      * Connections that use this TrustManager will just be encrypted, without any guarantee that the
  173.      * counter part is actually the intended one. Man-in-the-Middle attacks will be possible, since
  174.      * any certificate presented by the attacker will be considered valid.
  175.      * </p>
  176.      */
  177.     public static class AcceptAllTrustManager implements X509TrustManager {

  179.         @Override
  180.         public void checkClientTrusted(X509Certificate[] arg0, String arg1)
  181.                         throws CertificateException {
  182.             // Nothing to do here
  183.         }

  185.         @Override
  186.         public void checkServerTrusted(X509Certificate[] arg0, String arg1)
  187.                         throws CertificateException {
  188.             // Nothing to do here
  189.         }

  191.         @Override
  192.         public X509Certificate[] getAcceptedIssuers() {
  193.             return new X509Certificate[0];
  194.         }
  195.     }
  196. }
Created with JaCoCo 0.7.4.201502262128