public final class FingerprintTrustManagerFactory extends SimpleTrustManagerFactory
TrustManagerFactory
that trusts an X.509 certificate whose SHA1 checksum matches.
NOTE: It is recommended to verify certificates and their chain to prevent
Man-in-the-middle attacks.
This TrustManagerFactory
will only verify that the fingerprint of certificates match one
of the given fingerprints. This procedure is called
certificate pinning and
is an effective protection. For maximum security one should verify that the whole certificate chain is as expected.
It is worth mentioning that certain firewalls, proxies or other appliances found in corporate environments,
actually perform Man-in-the-middle attacks and thus present a different certificate fingerprint.
The SHA1 checksum of an X.509 certificate is calculated from its DER encoded format. You can get the fingerprint of
an X.509 certificate using the openssl
command. For example:
$ openssl x509 -fingerprint -sha1 -in my_certificate.crt SHA1 Fingerprint=4E:85:10:55:BC:7B:12:08:D1:EA:0A:12:C9:72:EE:F3:AA:B2:C7:CB -----BEGIN CERTIFICATE----- MIIBqjCCAROgAwIBAgIJALiT3Nvp0kvmMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNV BAMTC2V4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMFoYDzk5OTkxMjMxMjM1OTU5 WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEAnadvODG0QCiHhaFZlLHtr5gLIkDQS8ErZ//KfqeCHTC/KJsl3xYFk0zG aCv2FcmkOlokm77qV8qOW2DZdND7WuYzX6nLVuLb+GYxZ7b45iMAbAajvGh8jc9U o07fUIahGqTDAIAGCWsoLUOQ9nMzO/8GRHcXJAeQ2MGY2VpCcv0CAwEAATANBgkq hkiG9w0BAQUFAAOBgQBpRCnmjmNM0D7yrpkUJpBTNiqinhKLbeOvPWm+YmdInUUs LoMu0mZ1IANemLwqbwJJ76fknngeB+YuVAj46SurvVCV6ekwHcbgpW1u063IRwKk tQhOBO0HQxldUS4+4MYv/kuvnKkbjfgh5qfWw89Kx4kD+cycpP4yPtgDGk8ZMA== -----END CERTIFICATE-----
Constructor and Description |
---|
FingerprintTrustManagerFactory(byte[]... fingerprints)
Creates a new instance.
|
FingerprintTrustManagerFactory(java.lang.Iterable<java.lang.String> fingerprints)
Creates a new instance.
|
FingerprintTrustManagerFactory(java.lang.String... fingerprints)
Creates a new instance.
|
Modifier and Type | Method and Description |
---|---|
protected javax.net.ssl.TrustManager[] |
engineGetTrustManagers()
Returns one trust manager for each type of trust material.
|
protected void |
engineInit(java.security.KeyStore keyStore)
Initializes this factory with a source of certificate authorities and related trust material.
|
protected void |
engineInit(javax.net.ssl.ManagerFactoryParameters managerFactoryParameters)
Initializes this factory with a source of provider-specific key material.
|
public FingerprintTrustManagerFactory(java.lang.Iterable<java.lang.String> fingerprints)
fingerprints
- a list of SHA1 fingerprints in hexadecimal formpublic FingerprintTrustManagerFactory(java.lang.String... fingerprints)
fingerprints
- a list of SHA1 fingerprints in hexadecimal formpublic FingerprintTrustManagerFactory(byte[]... fingerprints)
fingerprints
- a list of SHA1 fingerprintsprotected void engineInit(java.security.KeyStore keyStore) throws java.lang.Exception
SimpleTrustManagerFactory
engineInit
in class SimpleTrustManagerFactory
java.lang.Exception
TrustManagerFactorySpi.engineInit(KeyStore)
protected void engineInit(javax.net.ssl.ManagerFactoryParameters managerFactoryParameters) throws java.lang.Exception
SimpleTrustManagerFactory
engineInit
in class SimpleTrustManagerFactory
java.lang.Exception
TrustManagerFactorySpi.engineInit(ManagerFactoryParameters)
protected javax.net.ssl.TrustManager[] engineGetTrustManagers()
SimpleTrustManagerFactory
engineGetTrustManagers
in class SimpleTrustManagerFactory
TrustManagerFactorySpi.engineGetTrustManagers()
Copyright © 2008–2018 The Netty Project. All rights reserved.