public final class FingerprintTrustManagerFactory extends SimpleTrustManagerFactory

A TrustManagerFactory that trusts an X.509 certificate whose SHA1 checksum matches one of a fixed list of fingerprints.

NOTE: It is recommended to verify certificates and their chain to prevent man-in-the-middle attacks. This TrustManagerFactory only checks that the SHA1 fingerprint of the certificate presented by the peer (the first certificate in the chain) matches one of the given fingerprints; it builds no chain and checks neither validity period nor revocation. This procedure is called certificate pinning and is an effective protection against a compromised or misbehaving certificate authority, because no certificate other than the pinned ones is accepted, however it was issued. For maximum security one should verify that the whole certificate chain is as expected. Since a pin is tied to one exact certificate, it must be updated whenever the peer's certificate is rotated, or every handshake will fail closed with a CertificateException. The pin is a SHA1 digest; SHA-1 is deprecated for new designs, although substituting a different certificate with the same fingerprint would require a second-preimage attack, which is not known to be practical.

It is worth mentioning that certain firewalls, proxies or other appliances found in corporate environments actually perform man-in-the-middle attacks (TLS interception) and thus present a different certificate fingerprint, so a pinned client will refuse to connect through them.
The SHA1 checksum of an X.509 certificate is calculated from its DER encoded format. You can get the fingerprint of an X.509 certificate using the openssl command. For example:

```
$ openssl x509 -fingerprint -sha1 -in my_certificate.crt
SHA1 Fingerprint=4E:85:10:55:BC:7B:12:08:D1:EA:0A:12:C9:72:EE:F3:AA:B2:C7:CB
-----BEGIN CERTIFICATE-----
MIIBqjCCAROgAwIBAgIJALiT3Nvp0kvmMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNV
BAMTC2V4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMFoYDzk5OTkxMjMxMjM1OTU5
WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAnadvODG0QCiHhaFZlLHtr5gLIkDQS8ErZ//KfqeCHTC/KJsl3xYFk0zG
aCv2FcmkOlokm77qV8qOW2DZdND7WuYzX6nLVuLb+GYxZ7b45iMAbAajvGh8jc9U
o07fUIahGqTDAIAGCWsoLUOQ9nMzO/8GRHcXJAeQ2MGY2VpCcv0CAwEAATANBgkq
hkiG9w0BAQUFAAOBgQBpRCnmjmNM0D7yrpkUJpBTNiqinhKLbeOvPWm+YmdInUUs
LoMu0mZ1IANemLwqbwJJ76fknngeB+YuVAj46SurvVCV6ekwHcbgpW1u063IRwKk
tQhOBO0HQxldUS4+4MYv/kuvnKkbjfgh5qfWw89Kx4kD+cycpP4yPtgDGk8ZMA==
-----END CERTIFICATE-----
```
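The pinning procedure end to end, as an added example that is not code from the Netty project: it parses the certificate printed above, recomputes its SHA1 fingerprint in Java the same way openssl does (a digest over the DER bytes returned by getEncoded()), pins that value with FingerprintTrustManagerFactory, exercises the resulting X509TrustManager directly to show what the factory does and does not accept, and finally installs the factory in a client SslContext via SslContextBuilder. The class name PinnedClientExample, the helper method names and the all-zero placeholder fingerprint are assumptions made for this example; the certificate is the one from this page.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.FingerprintTrustManagerFactory;

import javax.net.ssl.X509TrustManager;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public final class PinnedClientExample {

    /** The certificate printed by openssl above (taken from this page, not newly generated). */
    private static final String PINNED_PEM =
          "-----BEGIN CERTIFICATE-----\n"
        + "MIIBqjCCAROgAwIBAgIJALiT3Nvp0kvmMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNV\n"
        + "BAMTC2V4YW1wbGUuY29tMCAXDTcwMDEwMTAwMDAwMFoYDzk5OTkxMjMxMjM1OTU5\n"
        + "WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw\n"
        + "gYkCgYEAnadvODG0QCiHhaFZlLHtr5gLIkDQS8ErZ//KfqeCHTC/KJsl3xYFk0zG\n"
        + "aCv2FcmkOlokm77qV8qOW2DZdND7WuYzX6nLVuLb+GYxZ7b45iMAbAajvGh8jc9U\n"
        + "o07fUIahGqTDAIAGCWsoLUOQ9nMzO/8GRHcXJAeQ2MGY2VpCcv0CAwEAATANBgkq\n"
        + "hkiG9w0BAQUFAAOBgQBpRCnmjmNM0D7yrpkUJpBTNiqinhKLbeOvPWm+YmdInUUs\n"
        + "LoMu0mZ1IANemLwqbwJJ76fknngeB+YuVAj46SurvVCV6ekwHcbgpW1u063IRwKk\n"
        + "tQhOBO0HQxldUS4+4MYv/kuvnKkbjfgh5qfWw89Kx4kD+cycpP4yPtgDGk8ZMA==\n"
        + "-----END CERTIFICATE-----\n";

    /** Parses a PEM-encoded X.509 certificate with the JDK's CertificateFactory. */
    static X509Certificate parsePem(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /**
     * SHA-1 over the DER encoding (getEncoded()), rendered in the colon-separated
     * upper-case hex form that "openssl x509 -fingerprint -sha1" prints.
     */
    static String sha1Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (byte b : digest) {
            if (sb.length() > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** Runs the factory's trust manager against a one-element chain; true if accepted. */
    static boolean accepts(FingerprintTrustManagerFactory tmf, X509Certificate leaf) {
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(new X509Certificate[] { leaf }, "RSA");
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate pinned = parsePem(PINNED_PEM);

        // Same value as the openssl output above, because the digest covers the DER bytes.
        String fingerprint = sha1Fingerprint(pinned);
        System.out.println("SHA1 Fingerprint=" + fingerprint);

        // The String constructor takes the hexadecimal form; the colons openssl prints are accepted.
        FingerprintTrustManagerFactory good = new FingerprintTrustManagerFactory(fingerprint);
        System.out.println("pinned certificate accepted:   " + accepts(good, pinned));   // true

        // A factory pinned to some other value (an all-zero placeholder constructed for this
        // example) rejects the same certificate: only the fingerprint match decides, not the issuer.
        FingerprintTrustManagerFactory other = new FingerprintTrustManagerFactory(
                "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00");
        System.out.println("unpinned certificate accepted: " + accepts(other, pinned));  // false

        // Wiring into a Netty client: every handshake through this context is verified by the
        // fingerprint check alone, so the pin must be rotated together with the server certificate.
        SslContext clientCtx = SslContextBuilder.forClient().trustManager(good).build();
        System.out.println("client SslContext built: " + clientCtx.isClient());
    }
}
```

Running main requires netty-handler on the class path. The pinned certificate on this page carries a 1024-bit RSA key and a validity range ending in 9999; neither is examined by this factory, which is exactly the behaviour the NOTE above warns about, so pair pinning with normal chain validation where the deployment allows it.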
| Constructor | Description |
|---|---|
| FingerprintTrustManagerFactory(byte[]... fingerprints) | Creates a new instance from raw 20-byte SHA1 digests. |
| FingerprintTrustManagerFactory(Iterable<String> fingerprints) | Creates a new instance from SHA1 fingerprints in hexadecimal form. |
| FingerprintTrustManagerFactory(String... fingerprints) | Creates a new instance from SHA1 fingerprints in hexadecimal form. |
| Modifier and Type | Method | Description |
|---|---|---|
| protected TrustManager[] | engineGetTrustManagers() | Returns one trust manager for each type of trust material. |
| protected void | engineInit(KeyStore keyStore) | Initializes this factory with a source of certificate authorities and related trust material. |
| protected void | engineInit(ManagerFactoryParameters managerFactoryParameters) | Initializes this factory with a source of provider-specific key material. |
Methods inherited from class javax.net.ssl.TrustManagerFactory:
getAlgorithm, getDefaultAlgorithm, getInstance, getInstance, getInstance, getProvider, getTrustManagers, init, init
public FingerprintTrustManagerFactory(Iterable<String> fingerprints)
Parameters:
fingerprints - a list of SHA1 fingerprints in hexadecimal form

public FingerprintTrustManagerFactory(String... fingerprints)
Parameters:
fingerprints - a list of SHA1 fingerprints in hexadecimal form

public FingerprintTrustManagerFactory(byte[]... fingerprints)
Parameters:
fingerprints - a list of SHA1 fingerprints as raw digest bytes

protected void engineInit(KeyStore keyStore) throws Exception
This implementation ignores the key store: the trusted fingerprints are supplied to the constructor, so calling init(KeyStore) has no effect on what is trusted.
Specified by:
engineInit in class SimpleTrustManagerFactory
Throws:
Exception
See Also:
TrustManagerFactorySpi.engineInit(KeyStore)

protected void engineInit(ManagerFactoryParameters managerFactoryParameters) throws Exception
This implementation ignores the parameters, for the same reason as engineInit(KeyStore).
Specified by:
engineInit in class SimpleTrustManagerFactory
Throws:
Exception
See Also:
TrustManagerFactorySpi.engineInit(ManagerFactoryParameters)

protected TrustManager[] engineGetTrustManagers()
Returns a single X509TrustManager that accepts a peer certificate only if its SHA1 fingerprint is in the configured list.
Specified by:
engineGetTrustManagers in class SimpleTrustManagerFactory
See Also:
TrustManagerFactorySpi.engineGetTrustManagers()
Copyright © 2008–2017 The Netty Project. All rights reserved.