Class FingerprintTrustManagerFactory

A TrustManagerFactory that trusts an X.509 certificate whose hash matches one of the configured fingerprints.

NOTE: It is recommended to verify certificates and their chain to prevent man-in-the-middle attacks. This TrustManagerFactory only verifies that the fingerprint of the presented certificate matches one of the given fingerprints. This procedure is called certificate pinning and is an effective protection. For maximum security, one should verify that the whole certificate chain is as expected. It is worth mentioning that certain firewalls, proxies or other appliances found in corporate environments actually perform man-in-the-middle attacks and thus present a different certificate fingerprint.

The hash of an X.509 certificate is calculated from its DER-encoded form. You can get the fingerprint of an X.509 certificate using the openssl command. For example:
$ openssl x509 -fingerprint -sha256 -in my_certificate.crt
SHA256 Fingerprint=1C:53:0E:6B:FF:93:F0:DE:C2:E6:E7:9D:10:53:58:FF:DD:8E:68:CD:82:D9:C9:36:9B:43:EE:B3:DC:13:68:FB
-----BEGIN CERTIFICATE-----
MIIC/jCCAeagAwIBAgIIIMONxElm0AIwDQYJKoZIhvcNAQELBQAwPjE8MDoGA1UE
AwwzZThhYzAyZmEwZDY1YTg0MjE5MDE2MDQ1ZGI4YjA1YzQ4NWI0ZWNkZi5uZXR0
eS50ZXN0MCAXDTEzMDgwMjA3NTEzNloYDzk5OTkxMjMxMjM1OTU5WjA+MTwwOgYD
VQQDDDNlOGFjMDJmYTBkNjVhODQyMTkwMTYwNDVkYjhiMDVjNDg1YjRlY2RmLm5l
dHR5LnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDb+HBO3C0U
RBKvDUgJHbhIlBye8X/cbNH3lDq3XOOFBz7L4XZKLDIXS+FeQqSAUMo2otmU+Vkj
0KorshMjbUXfE1KkTijTMJlaga2M2xVVt21fRIkJNWbIL0dWFLWyRq7OXdygyFkI
iW9b2/LYaePBgET22kbtHSCAEj+BlSf265+1rNxyAXBGGGccCKzEbcqASBKHOgVp
6pLqlQAfuSy6g/OzGzces3zXRrGu1N3pBIzAIwCW429n52ZlYfYR0nr+REKDnRrP
IIDsWASmEHhBezTD+v0qCJRyLz2usFgWY+7agUJE2yHHI2mTu2RAFngBilJXlMCt
VwT0xGuQxkbHAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAEv8N7Xm8qaY2FgrOc6P
a1GTgA+AOb3aU33TGwAR86f+nLf6BSPaohcQfOeJid7FkFuYInuXl+oqs+RqM/j8
R0E5BuGYY2wOKpL/PbFi1yf/Kyvft7KVh8e1IUUec/i1DdYTDB0lNWvXXxjfMKGL
ct3GMbEHKvLfHx42Iwz/+fva6LUrO4u2TDfv0ycHuR7UZEuC1DJ4xtFhbpq/QRAj
CyfNx3cDc7L2EtJWnCmivTFA9l8MF1ZPMDSVd4ecQ7B0xZIFQ5cSSFt7WGaJCsGM
zYkU4Fp4IykQcWxdlNX7wJZRwQ2TZJFFglpTiFZdeq6I6Ad9An1Encpz5W8UJ4tv
hmw=
-----END CERTIFICATE-----
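As an added example (not part of Netty's own documentation or code), the following client-side setup pins the certificate through the non-deprecated builder(String) path with SHA-256 instead of the deprecated SHA-1 constructors, and shows how the fingerprint is derived from the DER encoding, which is the same input openssl hashes. The class name, the file path and the use of the fingerprint printed above are assumptions for illustration.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.FingerprintTrustManagerFactory;

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedClientContext {

    // Pinned SHA-256 fingerprints. This is the value printed by openssl in the
    // example above; append the successor certificate's fingerprint before a
    // rotation so clients that ship with only the old pin are not locked out.
    private static final String[] PINNED_SHA256 = {
        "1C:53:0E:6B:FF:93:F0:DE:C2:E6:E7:9D:10:53:58:FF:DD:8E:68:CD:82:D9:C9:36:9B:43:EE:B3:DC:13:68:FB"
    };

    /** Builds a client SslContext that trusts only the pinned certificates. */
    public static SslContext build() throws Exception {
        // builder(String) selects the digest; colons in the pins are accepted.
        TrustManagerFactory tmf = FingerprintTrustManagerFactory.builder("SHA-256")
                .fingerprints(PINNED_SHA256)
                .build();
        return SslContextBuilder.forClient()
                .trustManager(tmf)
                .build();
    }

    /**
     * Computes the colon-separated fingerprint over the certificate's DER
     * encoding (getEncoded()), matching the openssl x509 -fingerprint output,
     * so a candidate certificate can be checked against the pin list.
     */
    public static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path: the PEM certificate whose pin is being verified.
        try (InputStream in = new FileInputStream("my_certificate.crt")) {
            X509Certificate cert = (X509Certificate) CertificateFactory
                    .getInstance("X.509").generateCertificate(in);
            System.out.println("SHA256 Fingerprint=" + fingerprint(cert, "SHA-256"));
        }
        build();
    }
}
```

A handshake against any certificate whose fingerprint is not in the list fails, including one substituted by an intercepting proxy, so the pin list must be updated before the server certificate is rotated.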
Nested Class Summary

Nested classes/interfaces inherited from class io.netty.handler.ssl.util.SimpleTrustManagerFactory:
- SimpleTrustManagerFactory.SimpleTrustManagerFactorySpi

Field Summary

- private static final Pattern FINGERPRINT_PATTERN
- private static final Pattern FINGERPRINT_STRIP_PATTERN
- private final byte[][] fingerprints
- private final FastThreadLocal<MessageDigest> tlmd
- private final TrustManager tm

Constructor Summary

- FingerprintTrustManagerFactory(byte[]... fingerprints)
  Deprecated. This deprecated constructor uses SHA-1, which is considered insecure.
- FingerprintTrustManagerFactory(Iterable<String> fingerprints)
  Deprecated. This deprecated constructor uses SHA-1, which is considered insecure.
- FingerprintTrustManagerFactory(String... fingerprints)
  Deprecated. This deprecated constructor uses SHA-1, which is considered insecure.
- FingerprintTrustManagerFactory(String algorithm, byte[][] fingerprints)
  Creates a new instance.

Method Summary

- static builder(String algorithm)
  Creates a builder for FingerprintTrustManagerFactory.
- protected TrustManager[] engineGetTrustManagers()
  Returns one trust manager for each type of trust material.
- protected void engineInit(KeyStore keyStore)
  Initializes this factory with a source of certificate authorities and related trust material.
- protected void engineInit(ManagerFactoryParameters managerFactoryParameters)
  Initializes this factory with a source of provider-specific key material.
- (package private) static byte[][] toFingerprintArray(Iterable<String> fingerprints)

Methods inherited from class javax.net.ssl.TrustManagerFactory:
getAlgorithm, getDefaultAlgorithm, getInstance, getInstance, getInstance, getProvider, getTrustManagers, init, init
Field Details

- FINGERPRINT_PATTERN
  private static final Pattern FINGERPRINT_PATTERN
- FINGERPRINT_STRIP_PATTERN
  private static final Pattern FINGERPRINT_STRIP_PATTERN
- tlmd
  private final FastThreadLocal<MessageDigest> tlmd
- tm
  private final TrustManager tm
- fingerprints
  private final byte[][] fingerprints
Constructor Details

- FingerprintTrustManagerFactory(Iterable<String> fingerprints)
  Deprecated. This deprecated constructor uses SHA-1, which is considered insecure. It is recommended to specify a stronger hash algorithm, such as SHA-256, by calling the builder(String) method.
  Creates a new instance.
  Parameters:
    fingerprints - a list of SHA1 fingerprints in hexadecimal form

- FingerprintTrustManagerFactory(String... fingerprints)
  Deprecated. This deprecated constructor uses SHA-1, which is considered insecure. It is recommended to specify a stronger hash algorithm, such as SHA-256, by calling the builder(String) method.
  Creates a new instance.
  Parameters:
    fingerprints - a list of SHA1 fingerprints in hexadecimal form

- FingerprintTrustManagerFactory(byte[]... fingerprints)
  Deprecated. This deprecated constructor uses SHA-1, which is considered insecure. It is recommended to specify a stronger hash algorithm, such as SHA-256, by calling the builder(String) method.
  Creates a new instance.
  Parameters:
    fingerprints - a list of SHA1 fingerprints

- FingerprintTrustManagerFactory(String algorithm, byte[][] fingerprints)
  Creates a new instance.
  Parameters:
    algorithm - a hash algorithm
    fingerprints - a list of fingerprints
Method Details

- builder(String algorithm)
  Creates a builder for FingerprintTrustManagerFactory.
  Parameters:
    algorithm - a hash algorithm
  Returns:
    a builder

- toFingerprintArray(Iterable<String> fingerprints)

- engineInit(KeyStore keyStore)
  Description copied from class: SimpleTrustManagerFactory
  Initializes this factory with a source of certificate authorities and related trust material.
  Specified by:
    engineInit in class SimpleTrustManagerFactory
  Throws:
    Exception

- engineInit(ManagerFactoryParameters managerFactoryParameters)
  Description copied from class: SimpleTrustManagerFactory
  Initializes this factory with a source of provider-specific key material.
  Specified by:
    engineInit in class SimpleTrustManagerFactory
  Throws:
    Exception

- engineGetTrustManagers()
  Description copied from class: SimpleTrustManagerFactory
  Returns one trust manager for each type of trust material.
  Specified by:
    engineGetTrustManagers in class SimpleTrustManagerFactory