com.amazonaws.http.conn.ssl.privileged.PrivilegedMasterSecretValidator Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of ibm-cos-java-sdk-bundle Show documentation
Show all versions of ibm-cos-java-sdk-bundle Show documentation
A single bundled dependency that includes all service and dependent JARs with third-party libraries relocated to different namespaces.
/*
* Copyright 2015-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package com.amazonaws.http.conn.ssl.privileged;
import java.lang.reflect.Method;
import java.net.Socket;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.amazonaws.http.conn.ssl.MasterSecretValidators.MasterSecretValidator;
/**
* Implementation of {@link MasterSecretValidator} that verifies the master secret is non null
* through use of Sun internal APIs. This validation is done only for JVMs affected by the SKIP-TLS
* bug. It is best effort and any exception encountered while trying to validate the master secret
* (including {@link SecurityException}) will be ignored
*/
public class PrivilegedMasterSecretValidator implements MasterSecretValidator {
private static final Log LOG = LogFactory.getLog(PrivilegedMasterSecretValidator.class);
/**
* Double check the master secret of an SSL session is not null
*
* @param socket
* connected socket
* @return True if master secret is valid (i.e. non-null) or master secret cannot be validated,
* false otherwise
*/
public boolean isMasterSecretValid(final Socket socket) {
return AccessController.doPrivileged(new PrivilegedAction() {
@Override
public Boolean run() {
return privilegedIsMasterSecretValid(socket);
}
});
}
/**
* Checks the validity of an SSLSession's master secret. Should be run within a doPrivileged
* block
*/
private boolean privilegedIsMasterSecretValid(final Socket socket) {
if (socket instanceof SSLSocket) {
SSLSession session = getSslSession(socket);
if (session != null) {
String className = session.getClass().getName();
if ("sun.security.ssl.SSLSessionImpl".equals(className)) {
try {
Object masterSecret = getMasterSecret(session, className);
if (masterSecret == null) {
session.invalidate();
if (LOG.isDebugEnabled()) {
LOG.debug("Invalidated session " + session);
}
return false;
}
} catch (Exception e) {
failedToVerifyMasterSecret(e);
}
}
}
}
return true;
}
/**
* @return The active {@link SSLSession} for the Socket or null if there is none
*/
private SSLSession getSslSession(final Socket socket) {
return ((SSLSocket) socket).getSession();
}
private Object getMasterSecret(SSLSession session, String className) throws Exception {
Class clazz = Class.forName(className);
Method method = clazz.getDeclaredMethod("getMasterSecret");
method.setAccessible(true);
return method.invoke(session);
}
private void failedToVerifyMasterSecret(Throwable t) {
if (LOG.isDebugEnabled()) {
LOG.debug("Failed to verify the SSL master secret", t);
}
}
} © 2015 - 2025 Weber Informatics LLC | Privacy Policy