
Implementation of Hostname Verification when connecting to any endpoint #401

wants to merge 1 commit into
base: develop
Expand Up @@ -24,14 +24,17 @@
import java.util.Collection;
import java.util.List;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
* Trust manager that works with a {@link TrustedCertificateConfiguration}.
*/
public class TrustedCertificateConfigurationTrustManager implements X509TrustManager {
public class TrustedCertificateConfigurationTrustManager implements X509TrustManager, HostnameVerifier {

private final Collection<X509TrustManager> publicPkiDelegates;
private final Collection<X509TrustManager> privateTrustStoreDelegates;
Expand Down Expand Up @@ -162,4 +165,22 @@ public void checkServerTrusted(X509Certificate[] chain, String s) throws Certifi
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}

@Override
public boolean verify(String hostname, SSLSession session) {
This method was not called anywhere.

if (config.isHostnameVerifierEnabled()) {
if (session.getPeerHost() != null && config.getHost().getHost().equals(session.getPeerHost())) {
return true;
} else {
try {
throw new SSLPeerUnverifiedException("Cannot verify hostname: " + hostname);
Throwing the exception and catching it immediately doesn't make any sense.
You can remove this try-catch block.

} catch (SSLPeerUnverifiedException e) {
e.printStackTrace();
}
return false;
}
} else {
return true;
}
}
}
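Review bot: The new `verify` method never inspects the peer certificate; it compares `session.getPeerHost()`, which is only the name the socket was opened to, with the configured host, so any certificate the trust manager accepted passes regardless of the names it carries, and the `hostname` argument is used only in a message. Hostname verification has to match the identity the peer presented against `hostname`, e.g. the dNSName entries of `session.getPeerCertificates()[0]`; the sketch below does that for exact names (wildcards and IP-address SANs are not handled), and would need `java.security.cert.CertificateParsingException` added to the imports in the hunk above. Host names are case-insensitive, so the comparison should use `equalsIgnoreCase`. A stronger option, outside this hunk, is to have the JSSE do the RFC 6125 matching itself by setting the endpoint identification algorithm on the socket's `SSLParameters` where the connection is built. The enclosing class starts before this hunk, and `config` is presumably a field declared there.

```java
@Override
public boolean verify(String hostname, SSLSession session) {
    if (!config.isHostnameVerifierEnabled()) {
        return true;
    }
    String expected = config.getHost().getHost();
    if (hostname == null || !hostname.equalsIgnoreCase(expected)) {
        return false;
    }
    try {
        // Match against the identity the peer actually presented, not the socket's peer host.
        X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            // GeneralName type 2 is dNSName (see X509Certificate#getSubjectAlternativeNames).
            if (Integer.valueOf(2).equals(san.get(0))
                    && hostname.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                return true;
            }
        }
        return false;
    } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
        return false;
    }
}
```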
Expand Up @@ -24,6 +24,7 @@ public interface MASSecurityConfiguration {
boolean isPublic();
boolean trustPublicPki();
boolean allowSSLPinning();
boolean isHostnameVerifierEnabled();
List<Certificate> getCertificates();
List<String> getPublicKeyHashes();

Expand All @@ -32,6 +33,7 @@ class Builder {
private boolean isPublic;
private boolean allowSSLPinning = true;
private boolean trustPublicPKI;
private boolean isHostVerifyEnable;

private List<Certificate> certificates;
private List<String> publicKeyHashes;
Expand Down Expand Up @@ -68,6 +70,16 @@ public Builder allowSSLPinning(boolean sslPinning) {
return this;
}

/**
* Determines whether or not to include sensitive credentials from primary gateway in the network communication with the target host.
* @param enable to include or not
* @return the builder object
*/
public Builder enableHostnameVerifier(boolean enable) {
this.isHostVerifyEnable = enable;
return this;
}

/**
* The URI of the designated host.
* @param host URI for the host
Expand Down Expand Up @@ -150,6 +162,11 @@ public boolean trustPublicPki() {
public boolean allowSSLPinning() {
return allowSSLPinning;
}

@Override
public boolean isHostnameVerifierEnabled() {
return isHostVerifyEnable;
}
};
}
}
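Review bot: The Javadoc on `enableHostnameVerifier` in the third hunk describes forwarding sensitive credentials to the target host, which is unrelated to what the setter does; it appears to have been copied from another builder method. Replace the summary with `* Enables hostname verification for TLS connections to the designated host. Disabled by default.` and the `@param` text with `@param enable {@code true} to verify the peer's hostname against the host of this configuration`. Note that `isHostVerifyEnable` in the second hunk has no initialiser, so unlike `allowSSLPinning = true` the check is opt-out-by-default; if that is not intended, `private boolean isHostVerifyEnable = true;` would make existing callers verified, though that is a behaviour change worth calling out in the PR description. The field name would also read better as `hostnameVerifierEnabled` to match the getter.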