public final class FingerprintTrustManagerFactory extends SimpleTrustManagerFactory
TrustManagerFactory that trusts an X.509 certificate whose hash matches.
NOTE: It is recommended to verify certificates and their chain to prevent
Man-in-the-middle attacks.
This TrustManagerFactory will only verify that the fingerprint of certificates match one
of the given fingerprints. This procedure is called
certificate pinning and
is an effective protection. For maximum security one should verify that the whole certificate chain is as expected.
It is worth mentioning that certain firewalls, proxies or other appliances found in corporate environments,
actually perform Man-in-the-middle attacks and thus present a different certificate fingerprint.
The hash of an X.509 certificate is calculated from its DER encoded format. You can get the fingerprint of
an X.509 certificate using the openssl command. For example:
$ openssl x509 -fingerprint -sha256 -in my_certificate.crt SHA256 Fingerprint=1C:53:0E:6B:FF:93:F0:DE:C2:E6:E7:9D:10:53:58:FF:DD:8E:68:CD:82:D9:C9:36:9B:43:EE:B3:DC:13:68:FB -----BEGIN CERTIFICATE----- MIIC/jCCAeagAwIBAgIIIMONxElm0AIwDQYJKoZIhvcNAQELBQAwPjE8MDoGA1UE AwwzZThhYzAyZmEwZDY1YTg0MjE5MDE2MDQ1ZGI4YjA1YzQ4NWI0ZWNkZi5uZXR0 eS50ZXN0MCAXDTEzMDgwMjA3NTEzNloYDzk5OTkxMjMxMjM1OTU5WjA+MTwwOgYD VQQDDDNlOGFjMDJmYTBkNjVhODQyMTkwMTYwNDVkYjhiMDVjNDg1YjRlY2RmLm5l dHR5LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDb+HBO3C0U RBKvDUgJHbhIlBye8X/cbNH3lDq3XOOFBz7L4XZKLDIXS+FeQqSAUMo2otmU+Vkj 0KorshMjbUXfE1KkTijTMJlaga2M2xVVt21fRIkJNWbIL0dWFLWyRq7OXdygyFkI iW9b2/LYaePBgET22kbtHSCAEj+BlSf265+1rNxyAXBGGGccCKzEbcqASBKHOgVp 6pLqlQAfuSy6g/OzGzces3zXRrGu1N3pBIzAIwCW429n52ZlYfYR0nr+REKDnRrP IIDsWASmEHhBezTD+v0qCJRyLz2usFgWY+7agUJE2yHHI2mTu2RAFngBilJXlMCt VwT0xGuQxkbHAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEv8N7Xm8qaY2FgrOc6P a1GTgA+AOb3aU33TGwAR86f+nLf6BSPaohcQfOeJid7FkFuYInuXl+oqs+RqM/j8 R0E5BuGYY2wOKpL/PbFi1yf/Kyvft7KVh8e1IUUec/i1DdYTDB0lNWvXXxjfMKGL ct3GMbEHKvLfHx42Iwz/+fva6LUrO4u2TDfv0ycHuR7UZEuC1DJ4xtFhbpq/QRAj CyfNx3cDc7L2EtJWnCmivTFA9l8MF1ZPMDSVd4ecQ7B0xZIFQ5cSSFt7WGaJCsGM zYkU4Fp4IykQcWxdlNX7wJZRwQ2TZJFFglpTiFZdeq6I6Ad9An1Encpz5W8UJ4tv hmw= -----END CERTIFICATE-----
| Constructor and Description |
|---|
FingerprintTrustManagerFactory(byte[]... fingerprints)
Deprecated.
This deprecated constructor uses SHA-1 that is considered insecure.
It is recommended to specify a stronger hash algorithm, such as SHA-256,
by calling
builder(String) method. |
FingerprintTrustManagerFactory(Iterable<String> fingerprints)
Deprecated.
This deprecated constructor uses SHA-1 that is considered insecure.
It is recommended to specify a stronger hash algorithm, such as SHA-256,
by calling
builder(String) method. |
FingerprintTrustManagerFactory(String... fingerprints)
Deprecated.
This deprecated constructor uses SHA-1 that is considered insecure.
It is recommended to specify a stronger hash algorithm, such as SHA-256,
by calling
builder(String) method. |
| Modifier and Type | Method and Description |
|---|---|
static FingerprintTrustManagerFactoryBuilder |
builder(String algorithm)
Creates a builder for
FingerprintTrustManagerFactory. |
protected TrustManager[] |
engineGetTrustManagers()
Returns one trust manager for each type of trust material.
|
protected void |
engineInit(KeyStore keyStore)
Initializes this factory with a source of certificate authorities and related trust material.
|
protected void |
engineInit(ManagerFactoryParameters managerFactoryParameters)
Initializes this factory with a source of provider-specific key material.
|
getAlgorithm, getDefaultAlgorithm, getInstance, getInstance, getInstance, getProvider, getTrustManagers, init, init@Deprecated public FingerprintTrustManagerFactory(Iterable<String> fingerprints)
builder(String) method.fingerprints - a list of SHA1 fingerprints in hexadecimal form@Deprecated public FingerprintTrustManagerFactory(String... fingerprints)
builder(String) method.fingerprints - a list of SHA1 fingerprints in hexadecimal form@Deprecated public FingerprintTrustManagerFactory(byte[]... fingerprints)
builder(String) method.fingerprints - a list of SHA1 fingerprintspublic static FingerprintTrustManagerFactoryBuilder builder(String algorithm)
FingerprintTrustManagerFactory.algorithm - a hash algorithmprotected void engineInit(KeyStore keyStore) throws Exception
SimpleTrustManagerFactoryengineInit in class SimpleTrustManagerFactoryExceptionTrustManagerFactorySpi.engineInit(KeyStore)protected void engineInit(ManagerFactoryParameters managerFactoryParameters) throws Exception
SimpleTrustManagerFactoryengineInit in class SimpleTrustManagerFactoryExceptionTrustManagerFactorySpi.engineInit(ManagerFactoryParameters)protected TrustManager[] engineGetTrustManagers()
SimpleTrustManagerFactoryengineGetTrustManagers in class SimpleTrustManagerFactoryTrustManagerFactorySpi.engineGetTrustManagers()Copyright © 2008–2024 The Netty Project. All rights reserved.