CodeQL documentation

TrustManager that accepts all certificates

ID: java/insecure-trustmanager
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
  - security
  - external/cwe/cwe-295
Query suites:
  - java-code-scanning.qls
  - java-security-extended.qls
  - java-security-and-quality.qls


If the checkServerTrusted method of a TrustManager never throws a CertificateException, it trusts every certificate. This allows an attacker to perform a machine-in-the-middle attack against the application, which defeats the protection that Transport Layer Security (TLS) provides.

An attack might look like this:

  1. The vulnerable program connects to https://example.com.

  2. The attacker intercepts this connection and presents a valid, self-signed certificate for https://example.com.

  3. The vulnerable program calls the checkServerTrusted method to check whether it should trust the certificate.

  4. The checkServerTrusted method of your TrustManager does not throw a CertificateException.

  5. The vulnerable program accepts the certificate and proceeds with the connection since your TrustManager implicitly trusted it by not throwing an exception.

  6. The attacker can now read the data your program sends to https://example.com and/or alter its replies while the program thinks the connection is secure.

Recommendation

Do not use a custom TrustManager that trusts any certificate. If you have to use a self-signed certificate, don’t trust every certificate, but instead only trust this specific certificate. See below for an example of how to do this.

Example

In the first (bad) example, the TrustManager never throws a CertificateException and therefore implicitly trusts any certificate. This allows an attacker to perform a machine-in-the-middle attack. In the second (good) example, the self-signed certificate that should be trusted is loaded into a KeyStore. This explicitly defines the certificate as trusted and there is no need to create a custom TrustManager.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Wrapper class added so the snippet compiles as a single file.
public class TrustManagerExample {
    public static void main(String[] args) throws Exception {
        {
            class InsecureTrustManager implements X509TrustManager {
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }

                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                    // BAD: Does not verify the certificate chain, allowing any certificate.
                }

                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                }
            }
            SSLContext context = SSLContext.getInstance("TLS");
            TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
            context.init(null, trustManager, null);
        }
        {
            SSLContext context = SSLContext.getInstance("TLS");
            File certificateFile = new File("path/to/self-signed-certificate");
            // Create a `KeyStore` with default type
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // `keyStore` is initially empty
            keyStore.load(null, null);
            X509Certificate generatedCertificate;
            try (InputStream cert = new FileInputStream(certificateFile)) {
                generatedCertificate = (X509Certificate) CertificateFactory.getInstance("X509")
                        .generateCertificate(cert);
            }
            // Add the self-signed certificate to the key store
            keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);
            // Get default `TrustManagerFactory`
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            // Use it with our key store that trusts our self-signed certificate
            tmf.init(keyStore);
            TrustManager[] trustManagers = tmf.getTrustManagers();
            context.init(null, trustManagers, null);
            // GOOD, we are not using a custom `TrustManager` but instead have
            // added the self-signed certificate we want to trust to the key
            // store. Note, the `trustManagers` will **only** trust this one
            // certificate.
            URL url = new URL("https://self-signed.badssl.com/");
            HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
            conn.setSSLSocketFactory(context.getSocketFactory());
        }
    }
}
```
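The trust managers in the good example accept only the one self-signed certificate. The following added example (not part of the CodeQL documentation) keeps the platform's default certificate authorities and adds that certificate on top, still without writing a custom TrustManager. The class name, method name, key store aliases and the certificate path argument are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ExtraTrustAnchor {
    // Hypothetical helper: SSLContext trusting the default CAs plus one extra certificate.
    static SSLContext contextWithExtraAnchor(String certPath) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null); // start from an empty key store

        // init((KeyStore) null) makes the factory load the platform default trust store.
        TrustManagerFactory defaults =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaults.init((KeyStore) null);
        int i = 0;
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                // Copy every default trust anchor into our key store.
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    keyStore.setCertificateEntry("default-" + i++, ca);
                }
            }
        }

        // Add the single self-signed certificate we explicitly want to trust.
        try (InputStream in = new FileInputStream(certPath)) {
            X509Certificate extra = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            keyStore.setCertificateEntry("extra-self-signed", extra);
        }

        // The stock trust managers still perform full chain validation.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the self-signed certificate (PEM or DER), supplied by the caller.
        SSLContext context = contextWithExtraAnchor(args[0]);
        System.out.println("Protocol: " + context.getProtocol());
    }
}
```

Apply the resulting context only to the connections that need the self-signed certificate (for example with conn.setSSLSocketFactory), since a certificate added as a trust anchor is trusted for every connection that uses this context.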
