Class FingerprintTrustManagerFactory


  • public final class FingerprintTrustManagerFactory
    extends SimpleTrustManagerFactory
    A TrustManagerFactory that trusts an X.509 certificate whose SHA1 fingerprint matches one of a configured set of fingerprints.

    NOTE: It is recommended to verify certificates and their chain to prevent man-in-the-middle attacks. This TrustManagerFactory only verifies that the SHA1 fingerprint of the peer's leaf certificate (the first certificate in the presented chain) matches one of the given fingerprints; it performs no chain validation, expiry check or hostname verification. This procedure is called certificate pinning and is an effective protection, including against an attacker who obtained a certificate from a CA the client would otherwise trust. For maximum security one should verify that the whole certificate chain is as expected. Pinning a leaf certificate also means that every renewal of that certificate must be accompanied by a client update, or the new fingerprint must be pinned alongside the old one ahead of time, otherwise clients will refuse to connect. SHA1 is no longer collision-resistant; matching a fixed fingerprint relies on second-preimage resistance, which is still unbroken, but prefer SHA-256 fingerprints where your TLS stack supports them. It is worth mentioning that certain firewalls, proxies or other appliances found in corporate environments actually perform man-in-the-middle interception and thus present a different certificate fingerprint; behind such an appliance a pinned client fails the handshake rather than silently accepting the substituted certificate.

    The SHA1 checksum of an X.509 certificate is calculated from its DER encoded format, that is, over the whole encoded certificate and not only its public key. You can get the fingerprint of an X.509 certificate using the openssl command. For example:

     $ openssl x509 -fingerprint -sha1 -in my_certificate.crt
     SHA1 Fingerprint=4E:85:10:55:BC:7B:12:08:D1:EA:0A:12:C9:72:EE:F3:AA:B2:C7:CB
     -----BEGIN CERTIFICATE-----
     MIIBqjCCAROgAwIBAgIJALiT3Nvp0kvmMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNV
     BAMTC2V4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMFoYDzk5OTkxMjMxMjM1OTU5
     WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
     gYkCgYEAnadvODG0QCiHhaFZlLHtr5gLIkDQS8ErZ//KfqeCHTC/KJsl3xYFk0zG
     aCv2FcmkOlokm77qV8qOW2DZdND7WuYzX6nLVuLb+GYxZ7b45iMAbAajvGh8jc9U
     o07fUIahGqTDAIAGCWsoLUOQ9nMzO/8GRHcXJAeQ2MGY2VpCcv0CAwEAATANBgkq
     hkiG9w0BAQUFAAOBgQBpRCnmjmNM0D7yrpkUJpBTNiqinhKLbeOvPWm+YmdInUUs
     LoMu0mZ1IANemLwqbwJJ76fknngeB+YuVAj46SurvVCV6ekwHcbgpW1u063IRwKk
     tQhOBO0HQxldUS4+4MYv/kuvnKkbjfgh5qfWw89Kx4kD+cycpP4yPtgDGk8ZMA==
     -----END CERTIFICATE-----
     
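
    Computing the same fingerprint in Java, as an added example that is not part of the Netty Javadoc or the Netty code base: it parses the example certificate printed above, hashes its DER encoding with SHA-1 (exactly what openssl x509 -fingerprint -sha1 hashes), formats the digest the way openssl prints it, accepts a pin with or without colon separators, and compares digest and pin in constant time. The class name Sha1Fingerprint and its method names are chosen here; the certificate and the pin are the ones shown above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public final class Sha1Fingerprint {

    // The example certificate from the openssl output above (copied from this page).
    private static final String PEM =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIBqjCCAROgAwIBAgIJALiT3Nvp0kvmMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNV\n" +
        "BAMTC2V4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMFoYDzk5OTkxMjMxMjM1OTU5\n" +
        "WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw\n" +
        "gYkCgYEAnadvODG0QCiHhaFZlLHtr5gLIkDQS8ErZ//KfqeCHTC/KJsl3xYFk0zG\n" +
        "aCv2FcmkOlokm77qV8qOW2DZdND7WuYzX6nLVuLb+GYxZ7b45iMAbAajvGh8jc9U\n" +
        "o07fUIahGqTDAIAGCWsoLUOQ9nMzO/8GRHcXJAeQ2MGY2VpCcv0CAwEAATANBgkq\n" +
        "hkiG9w0BAQUFAAOBgQBpRCnmjmNM0D7yrpkUJpBTNiqinhKLbeOvPWm+YmdInUUs\n" +
        "LoMu0mZ1IANemLwqbwJJ76fknngeB+YuVAj46SurvVCV6ekwHcbgpW1u063IRwKk\n" +
        "tQhOBO0HQxldUS4+4MYv/kuvnKkbjfgh5qfWw89Kx4kD+cycpP4yPtgDGk8ZMA==\n" +
        "-----END CERTIFICATE-----\n";

    // The fingerprint openssl printed for that certificate above.
    private static final String PIN = "4E:85:10:55:BC:7B:12:08:D1:EA:0A:12:C9:72:EE:F3:AA:B2:C7:CB";

    /** Parses a PEM or DER encoded X.509 certificate. */
    static X509Certificate parse(byte[] encoded) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encoded));
    }

    /** SHA-1 over the DER encoding of the whole certificate; getEncoded() returns that DER. */
    static byte[] fingerprint(X509Certificate cert) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
    }

    /** Formats a digest like openssl does: upper-case hex pairs separated by colons. */
    static String toOpensslHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    /** Converts a 40-digit hex fingerprint, with or without colons, into its 20 raw bytes. */
    static byte[] fromHex(String hex) {
        String s = hex.replace(":", "");
        if (s.length() != 40 || !s.matches("[0-9a-fA-F]+")) {
            throw new IllegalArgumentException("malformed SHA1 fingerprint: " + hex);
        }
        byte[] out = new byte[20];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Constant-time comparison: a plain Arrays.equals would leak the mismatch position through timing. */
    static boolean matches(byte[] actual, String pinnedHex) {
        return MessageDigest.isEqual(fromHex(pinnedHex), actual);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = parse(PEM.getBytes(StandardCharsets.US_ASCII));
        byte[] actual = fingerprint(cert);
        System.out.println("SHA1 Fingerprint=" + toOpensslHex(actual));
        System.out.println("matches pin: " + matches(actual, PIN));
    }
}
```

    Note that certificates fetched from a live endpoint (for instance with openssl s_client -showcerts) yield the same digest only for the exact certificate bytes the server sends; re-issuing the certificate, even with the same key, changes the fingerprint.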

    • Field Detail

      • FINGERPRINT_PATTERN

        private static final java.util.regex.Pattern FINGERPRINT_PATTERN
      • FINGERPRINT_STRIP_PATTERN

        private static final java.util.regex.Pattern FINGERPRINT_STRIP_PATTERN
      • tlmd

        private static final FastThreadLocal<java.security.MessageDigest> tlmd
      • tm

        private final javax.net.ssl.TrustManager tm
      • fingerprints

        private final byte[][] fingerprints
    • Constructor Detail

      • FingerprintTrustManagerFactory

        public FingerprintTrustManagerFactory​(java.lang.Iterable<java.lang.String> fingerprints)
        Creates a new instance.
        Parameters:
        fingerprints - a list of SHA1 fingerprints in hexadecimal form, with or without the ':' separators that openssl prints
      • FingerprintTrustManagerFactory

        public FingerprintTrustManagerFactory​(java.lang.String... fingerprints)
        Creates a new instance.
        Parameters:
        fingerprints - a list of SHA1 fingerprints in hexadecimal form, with or without the ':' separators that openssl prints
      • FingerprintTrustManagerFactory

        public FingerprintTrustManagerFactory​(byte[]... fingerprints)
        Creates a new instance.
        Parameters:
        fingerprints - a list of raw 20-byte SHA1 fingerprints
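
    Using the factory in a Netty client, as an added example that is not code from the Netty project: it pins two fingerprints so that the server's next certificate rotation does not lock clients out, hands the factory to SslContextBuilder, and creates an SslHandler for a connection. The class name PinnedClient is chosen here; CURRENT_PIN is the fingerprint from the example above, and NEXT_PIN is a constructed placeholder standing in for the fingerprint of the certificate queued for the next rotation.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.util.FingerprintTrustManagerFactory;

import javax.net.ssl.SSLException;

public final class PinnedClient {

    // Fingerprint of the example certificate shown earlier on this page.
    static final String CURRENT_PIN = "4E:85:10:55:BC:7B:12:08:D1:EA:0A:12:C9:72:EE:F3:AA:B2:C7:CB";

    // Constructed placeholder: in practice, the fingerprint of the already-issued successor
    // certificate. Pinning it now lets the server rotate without a coordinated client release.
    static final String NEXT_PIN = "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67";

    /**
     * Builds a client SslContext whose trust decision is "the leaf certificate's SHA1
     * fingerprint is one of these". Nothing else is checked: no CA chain, no expiry, no hostname,
     * so the pins are the entire trust decision.
     */
    static SslContext pinnedContext(String... fingerprints) throws SSLException {
        FingerprintTrustManagerFactory tmf = new FingerprintTrustManagerFactory(fingerprints);
        return SslContextBuilder.forClient()
                .trustManager(tmf)
                .build();
    }

    /**
     * Creates the handler to add at the front of a channel pipeline. Passing peer host and port
     * enables SNI and session caching; it does not add hostname verification to the pin check.
     */
    static SslHandler handlerFor(SslContext ctx, String host, int port) {
        return ctx.newHandler(ByteBufAllocator.DEFAULT, host, port);
    }

    public static void main(String[] args) throws Exception {
        SslContext ctx = pinnedContext(CURRENT_PIN, NEXT_PIN);
        SslHandler handler = handlerFor(ctx, "example.com", 443);
        System.out.println("client mode: " + handler.engine().getUseClientMode());
        // On a Bootstrap-connected channel: ch.pipeline().addFirst("ssl", handler);
        // A TLS-intercepting proxy between client and server presents its own certificate,
        // so the handshake fails closed instead of being silently intercepted.
    }
}
```

    The constructor rejects fingerprints that are not well-formed hex with an IllegalArgumentException, so a typo in a pin surfaces at startup rather than as a handshake failure in production.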
    • Method Detail

      • toFingerprintArray

        private static byte[][] toFingerprintArray​(java.lang.Iterable<java.lang.String> fingerprints)
      • engineInit

        protected void engineInit​(java.security.KeyStore keyStore)
                           throws java.lang.Exception
        Description copied from class: SimpleTrustManagerFactory
        Initializes this factory with a source of certificate authorities and related trust material.
        Specified by:
        engineInit in class SimpleTrustManagerFactory
        Throws:
        java.lang.Exception
        See Also:
        TrustManagerFactorySpi.engineInit(KeyStore)
      • engineInit

        protected void engineInit​(javax.net.ssl.ManagerFactoryParameters managerFactoryParameters)
                           throws java.lang.Exception
        Description copied from class: SimpleTrustManagerFactory
        Initializes this factory with a source of provider-specific key material.
        Specified by:
        engineInit in class SimpleTrustManagerFactory
        Throws:
        java.lang.Exception
        See Also:
        TrustManagerFactorySpi.engineInit(ManagerFactoryParameters)