Package io.netty.handler.ssl.util

Class FingerprintTrustManagerFactory

java.lang.Object

javax.net.ssl.TrustManagerFactory

io.netty.handler.ssl.util.SimpleTrustManagerFactory

io.netty.handler.ssl.util.FingerprintTrustManagerFactory

public final class FingerprintTrustManagerFactory
extends SimpleTrustManagerFactory

An TrustManagerFactory that trusts an X.509 certificate whose hash matches.

NOTE: It is recommended to verify certificates and their chain to prevent Man-in-the-middle attacks. This TrustManagerFactory will only verify that the fingerprint of certificates match one of the given fingerprints. This procedure is called certificate pinning and is an effective protection. For maximum security one should verify that the whole certificate chain is as expected. It is worth mentioning that certain firewalls, proxies or other appliances found in corporate environments, actually perform Man-in-the-middle attacks and thus present a different certificate fingerprint.

The hash of an X.509 certificate is calculated from its DER encoded format. You can get the fingerprint of an X.509 certificate using the openssl command. For example:

 $ openssl x509 -fingerprint -sha256 -in my_certificate.crt
 SHA256 Fingerprint=1C:53:0E:6B:FF:93:F0:DE:C2:E6:E7:9D:10:53:58:FF:DD:8E:68:CD:82:D9:C9:36:9B:43:EE:B3:DC:13:68:FB
 -----BEGIN CERTIFICATE-----
 MIIC/jCCAeagAwIBAgIIIMONxElm0AIwDQYJKoZIhvcNAQELBQAwPjE8MDoGA1UE
 AwwzZThhYzAyZmEwZDY1YTg0MjE5MDE2MDQ1ZGI4YjA1YzQ4NWI0ZWNkZi5uZXR0
 eS50ZXN0MCAXDTEzMDgwMjA3NTEzNloYDzk5OTkxMjMxMjM1OTU5WjA+MTwwOgYD
 VQQDDDNlOGFjMDJmYTBkNjVhODQyMTkwMTYwNDVkYjhiMDVjNDg1YjRlY2RmLm5l
 dHR5LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDb+HBO3C0U
 RBKvDUgJHbhIlBye8X/cbNH3lDq3XOOFBz7L4XZKLDIXS+FeQqSAUMo2otmU+Vkj
 0KorshMjbUXfE1KkTijTMJlaga2M2xVVt21fRIkJNWbIL0dWFLWyRq7OXdygyFkI
 iW9b2/LYaePBgET22kbtHSCAEj+BlSf265+1rNxyAXBGGGccCKzEbcqASBKHOgVp
 6pLqlQAfuSy6g/OzGzces3zXRrGu1N3pBIzAIwCW429n52ZlYfYR0nr+REKDnRrP
 IIDsWASmEHhBezTD+v0qCJRyLz2usFgWY+7agUJE2yHHI2mTu2RAFngBilJXlMCt
 VwT0xGuQxkbHAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEv8N7Xm8qaY2FgrOc6P
 a1GTgA+AOb3aU33TGwAR86f+nLf6BSPaohcQfOeJid7FkFuYInuXl+oqs+RqM/j8
 R0E5BuGYY2wOKpL/PbFi1yf/Kyvft7KVh8e1IUUec/i1DdYTDB0lNWvXXxjfMKGL
 ct3GMbEHKvLfHx42Iwz/+fva6LUrO4u2TDfv0ycHuR7UZEuC1DJ4xtFhbpq/QRAj
 CyfNx3cDc7L2EtJWnCmivTFA9l8MF1ZPMDSVd4ecQ7B0xZIFQ5cSSFt7WGaJCsGM
 zYkU4Fp4IykQcWxdlNX7wJZRwQ2TZJFFglpTiFZdeq6I6Ad9An1Encpz5W8UJ4tv
 hmw=
 -----END CERTIFICATE-----
 

Constructor Summary

Constructors

Constructor	Description
FingerprintTrustManagerFactory(byte[]... fingerprints)	Deprecated. This deprecated constructor uses SHA-1 that is considered insecure.
FingerprintTrustManagerFactory(java.lang.Iterable<java.lang.String> fingerprints)	Deprecated. This deprecated constructor uses SHA-1 that is considered insecure.
FingerprintTrustManagerFactory(java.lang.String... fingerprints)	Deprecated. This deprecated constructor uses SHA-1 that is considered insecure.

Method Summary

Modifier and Type	Method	Description
static FingerprintTrustManagerFactoryBuilder	builder(java.lang.String algorithm)	Creates a builder for FingerprintTrustManagerFactory.
protected javax.net.ssl.TrustManager[]	engineGetTrustManagers()	Returns one trust manager for each type of trust material.
protected void	engineInit(java.security.KeyStore keyStore)	Initializes this factory with a source of certificate authorities and related trust material.
protected void	engineInit(javax.net.ssl.ManagerFactoryParameters managerFactoryParameters)	Initializes this factory with a source of provider-specific key material.

Methods inherited from class javax.net.ssl.TrustManagerFactory

getAlgorithm, getDefaultAlgorithm, getInstance, getInstance, getInstance, getProvider, getTrustManagers, init, init

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

FingerprintTrustManagerFactory

@Deprecated
public FingerprintTrustManagerFactory(java.lang.Iterable<java.lang.String> fingerprints)

Deprecated.

This deprecated constructor uses SHA-1 that is considered insecure. It is recommended to specify a stronger hash algorithm, such as SHA-256, by calling builder(String) method.

Creates a new instance.

Parameters:

fingerprints - a list of SHA1 fingerprints in hexadecimal form

FingerprintTrustManagerFactory

@Deprecated
public FingerprintTrustManagerFactory(java.lang.String... fingerprints)

Deprecated.

This deprecated constructor uses SHA-1 that is considered insecure. It is recommended to specify a stronger hash algorithm, such as SHA-256, by calling builder(String) method.

Creates a new instance.

Parameters:

fingerprints - a list of SHA1 fingerprints in hexadecimal form

FingerprintTrustManagerFactory

@Deprecated
public FingerprintTrustManagerFactory(byte[]... fingerprints)

Deprecated.

This deprecated constructor uses SHA-1 that is considered insecure. It is recommended to specify a stronger hash algorithm, such as SHA-256, by calling builder(String) method.

Creates a new instance.

Parameters:

fingerprints - a list of SHA1 fingerprints

Method Detail

builder

public static FingerprintTrustManagerFactoryBuilder builder(java.lang.String algorithm)

Creates a builder for FingerprintTrustManagerFactory.

Parameters:

algorithm - a hash algorithm

Returns:

a builder

engineInit

protected void engineInit(java.security.KeyStore keyStore)
                   throws java.lang.Exception

Description copied from class: SimpleTrustManagerFactory

Initializes this factory with a source of certificate authorities and related trust material.

Specified by:

engineInit in class SimpleTrustManagerFactory

Throws:

java.lang.Exception

See Also:

TrustManagerFactorySpi.engineInit(KeyStore)

engineInit

protected void engineInit(javax.net.ssl.ManagerFactoryParameters managerFactoryParameters)
                   throws java.lang.Exception

Description copied from class: SimpleTrustManagerFactory

Initializes this factory with a source of provider-specific key material.

Specified by:

engineInit in class SimpleTrustManagerFactory

Throws:

java.lang.Exception

See Also:

TrustManagerFactorySpi.engineInit(ManagerFactoryParameters)

engineGetTrustManagers

protected javax.net.ssl.TrustManager[] engineGetTrustManagers()

Description copied from class: SimpleTrustManagerFactory

Returns one trust manager for each type of trust material.

Specified by:

engineGetTrustManagers in class SimpleTrustManagerFactory

See Also:

TrustManagerFactorySpi.engineGetTrustManagers()