Class FingerprintTrustManagerFactory
java.lang.Object
javax.net.ssl.TrustManagerFactory
io.netty.handler.ssl.util.SimpleTrustManagerFactory
io.netty.handler.ssl.util.FingerprintTrustManagerFactory
An
TrustManagerFactory that trusts an X.509 certificate whose hash matches.
NOTE: It is recommended to verify certificates and their chain to prevent
Man-in-the-middle attacks.
This TrustManagerFactory will only verify that the fingerprint of certificates match one
of the given fingerprints. This procedure is called
certificate pinning and
is an effective protection. For maximum security one should verify that the whole certificate chain is as expected.
It is worth mentioning that certain firewalls, proxies or other appliances found in corporate environments,
actually perform Man-in-the-middle attacks and thus present a different certificate fingerprint.
The hash of an X.509 certificate is calculated from its DER encoded format. You can get the fingerprint of
an X.509 certificate using the openssl command. For example:
$ openssl x509 -fingerprint -sha256 -in my_certificate.crt SHA256 Fingerprint=1C:53:0E:6B:FF:93:F0:DE:C2:E6:E7:9D:10:53:58:FF:DD:8E:68:CD:82:D9:C9:36:9B:43:EE:B3:DC:13:68:FB -----BEGIN CERTIFICATE----- MIIC/jCCAeagAwIBAgIIIMONxElm0AIwDQYJKoZIhvcNAQELBQAwPjE8MDoGA1UE AwwzZThhYzAyZmEwZDY1YTg0MjE5MDE2MDQ1ZGI4YjA1YzQ4NWI0ZWNkZi5uZXR0 eS50ZXN0MCAXDTEzMDgwMjA3NTEzNloYDzk5OTkxMjMxMjM1OTU5WjA+MTwwOgYD VQQDDDNlOGFjMDJmYTBkNjVhODQyMTkwMTYwNDVkYjhiMDVjNDg1YjRlY2RmLm5l dHR5LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDb+HBO3C0U RBKvDUgJHbhIlBye8X/cbNH3lDq3XOOFBz7L4XZKLDIXS+FeQqSAUMo2otmU+Vkj 0KorshMjbUXfE1KkTijTMJlaga2M2xVVt21fRIkJNWbIL0dWFLWyRq7OXdygyFkI iW9b2/LYaePBgET22kbtHSCAEj+BlSf265+1rNxyAXBGGGccCKzEbcqASBKHOgVp 6pLqlQAfuSy6g/OzGzces3zXRrGu1N3pBIzAIwCW429n52ZlYfYR0nr+REKDnRrP IIDsWASmEHhBezTD+v0qCJRyLz2usFgWY+7agUJE2yHHI2mTu2RAFngBilJXlMCt VwT0xGuQxkbHAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEv8N7Xm8qaY2FgrOc6P a1GTgA+AOb3aU33TGwAR86f+nLf6BSPaohcQfOeJid7FkFuYInuXl+oqs+RqM/j8 R0E5BuGYY2wOKpL/PbFi1yf/Kyvft7KVh8e1IUUec/i1DdYTDB0lNWvXXxjfMKGL ct3GMbEHKvLfHx42Iwz/+fva6LUrO4u2TDfv0ycHuR7UZEuC1DJ4xtFhbpq/QRAj CyfNx3cDc7L2EtJWnCmivTFA9l8MF1ZPMDSVd4ecQ7B0xZIFQ5cSSFt7WGaJCsGM zYkU4Fp4IykQcWxdlNX7wJZRwQ2TZJFFglpTiFZdeq6I6Ad9An1Encpz5W8UJ4tv hmw= -----END CERTIFICATE-----
-
Constructor Summary
ConstructorsConstructorDescriptionFingerprintTrustManagerFactory(byte[]... fingerprints) Deprecated.This deprecated constructor uses SHA-1 that is considered insecure.FingerprintTrustManagerFactory(Iterable<String> fingerprints) Deprecated.This deprecated constructor uses SHA-1 that is considered insecure.FingerprintTrustManagerFactory(String... fingerprints) Deprecated.This deprecated constructor uses SHA-1 that is considered insecure. -
Method Summary
Modifier and TypeMethodDescriptionCreates a builder forFingerprintTrustManagerFactory.protected TrustManager[]Returns one trust manager for each type of trust material.protected voidengineInit(KeyStore keyStore) Initializes this factory with a source of certificate authorities and related trust material.protected voidengineInit(ManagerFactoryParameters managerFactoryParameters) Initializes this factory with a source of provider-specific key material.Methods inherited from class TrustManagerFactory
getAlgorithm, getDefaultAlgorithm, getInstance, getInstance, getInstance, getProvider, getTrustManagers, init, init
-
Constructor Details
-
FingerprintTrustManagerFactory
Deprecated.This deprecated constructor uses SHA-1 that is considered insecure. It is recommended to specify a stronger hash algorithm, such as SHA-256, by callingbuilder(String)method.Creates a new instance.- Parameters:
fingerprints- a list of SHA1 fingerprints in hexadecimal form
-
FingerprintTrustManagerFactory
Deprecated.This deprecated constructor uses SHA-1 that is considered insecure. It is recommended to specify a stronger hash algorithm, such as SHA-256, by callingbuilder(String)method.Creates a new instance.- Parameters:
fingerprints- a list of SHA1 fingerprints in hexadecimal form
-
FingerprintTrustManagerFactory
Deprecated.This deprecated constructor uses SHA-1 that is considered insecure. It is recommended to specify a stronger hash algorithm, such as SHA-256, by callingbuilder(String)method.Creates a new instance.- Parameters:
fingerprints- a list of SHA1 fingerprints
-
-
Method Details
-
builder
Creates a builder forFingerprintTrustManagerFactory.- Parameters:
algorithm- a hash algorithm- Returns:
- a builder
-
engineInit
Description copied from class:SimpleTrustManagerFactoryInitializes this factory with a source of certificate authorities and related trust material.- Specified by:
engineInitin classSimpleTrustManagerFactory- Throws:
Exception- See Also:
-
engineInit
Description copied from class:SimpleTrustManagerFactoryInitializes this factory with a source of provider-specific key material.- Specified by:
engineInitin classSimpleTrustManagerFactory- Throws:
Exception- See Also:
-
engineGetTrustManagers
Description copied from class:SimpleTrustManagerFactoryReturns one trust manager for each type of trust material.- Specified by:
engineGetTrustManagersin classSimpleTrustManagerFactory- See Also:
-