All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.hedera.hashgraph.sdk.HederaTrustManager Maven / Gradle / Ivy

The newest version!
/*-
 *
 * Hedera Java SDK
 *
 * Copyright (C) 2020 - 2024 Hedera Hashgraph, LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */
package com.hedera.hashgraph.sdk;

import com.google.protobuf.ByteString;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.bouncycastle.util.encoders.Hex;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemWriter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.annotation.Nullable;
import javax.net.ssl.X509TrustManager;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/**
 * Internal class used by node.
 */
class HederaTrustManager implements X509TrustManager {
    private static final String CERTIFICATE = "CERTIFICATE";
    private static final String PEM_HEADER = "-----BEGIN CERTIFICATE-----\n";
    private static final String PEM_FOOTER = "-----END CERTIFICATE-----\n";
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    @Nullable
    private final String certHash;

    /**
     * Constructor.
     *
     * @param certHash                  a byte string of the certificate hash
     * @param verifyCertificate         should be verified
     */
    HederaTrustManager(@Nullable ByteString certHash, boolean verifyCertificate) {
        if (certHash == null || certHash.isEmpty()) {
            if (verifyCertificate) {
                throw new IllegalStateException("transport security and certificate verification are enabled, but no applicable address book was found");
            }

            logger.warn("skipping certificate check since no cert hash was found");
            this.certHash = null;
        } else {
            this.certHash = new String(certHash.toByteArray(), StandardCharsets.UTF_8);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
        throw new UnsupportedOperationException("Attempted to use HederaTrustManager to verify a client, but this trust manager is for verifying server only");
    }

    @Override
    @SuppressFBWarnings(
        value = "DLS_DEAD_LOCAL_STORE",
        justification = "SpotBugs seems to be getting confused by the control flow here.  It thinks certHashBytes is not used."
    )
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (certHash == null) {
            return;
        }

        for (var cert : chain) {
            byte[] pem;

            try (
                var outputStream = new ByteArrayOutputStream();
                var pemWriter = new PemWriter(new OutputStreamWriter(outputStream, StandardCharsets.UTF_8))
            ) {
                pemWriter.writeObject(new PemObject(CERTIFICATE, cert.getEncoded()));
                pemWriter.flush();

                pem = outputStream.toByteArray();
            } catch (IOException e) {
                logger.warn("Failed to write PEM to byte array: ", e);
                continue;
            }

            var certHashBytes = new byte[0];

            try {
                certHashBytes = MessageDigest.getInstance("SHA-384").digest(pem);
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException("Failed to find SHA-384 digest for certificate hashing", e);
            }

            if (this.certHash.equals(Hex.toHexString(certHashBytes))) {
                return;
            }
        }

        throw new CertificateException("Failed to confirm the server's certificate from a known address book");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy