
Bad Implementations of TrustManager/HostnameVerifier not getting detected #11

@LordAmit

Hi,

My team is conducting academic research on Java Cryptography API-based misuse using your tool. We found that we could not detect some potential cryptographic misuses.
We believe this may be due to underlying implementation or design gaps. Each cryptographic vulnerability was generated as a bare-bone Java project that only contained a single vulnerability in the main function and used up to two Java source files. A jar was made, which was then scanned using CryptoGuard.
Additionally, all cryptographic API calls were from the Java Cryptographic Architecture (JCA).

Environment

Component       Version
Java Runtime    OpenJDK version 1.8.0_232 64 bit
CG Commit Used  42197b0

Problem

Complex inheritance-based cryptography API misuses are not reported.

Code

Attempting to use vulnerable SSL verification with an empty checkClientTrusted, checkServerTrusted, and/or getAcceptedIssuers, created in an anonymous inner class object derived from the X509ExtendedTrustManager class from JCA:

import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;

public class BareBone_X509ExtendedTrustManagerCanBypass {

    public static void main(String[] args) {
        new X509ExtendedTrustManager() {

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // empty body: never throws, so every client certificate chain is accepted
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // empty body: never throws, so every server certificate chain is accepted
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // null instead of the trusted CA list
                return null;
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
                    throws CertificateException {
                // empty body: socket-aware overload, also accepts everything
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
                    throws CertificateException {
                // empty body: socket-aware overload, also accepts everything
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                    throws CertificateException {
                // empty body: engine-aware overload, also accepts everything
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                    throws CertificateException {
                // empty body: engine-aware overload, also accepts everything
            }

        };
        System.out.println("Hello World");
    }
}

Attempting to use vulnerable SSL verification with an empty checkClientTrusted, checkServerTrusted, and/or getAcceptedIssuers, created in an anonymous inner class object derived from an empty abstract class which implements the X509TrustManager interface from JCA:

// BareBone_X509TrustManagerCanBypassExt.java
import javax.net.ssl.X509TrustManager;

public abstract class BareBone_X509TrustManagerCanBypassExt implements X509TrustManager {
}

// BareBone_X509TrustManagerCanBypass.java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

public class BareBone_X509TrustManagerCanBypass {
    static X509TrustManager getTrustManager() {
        // the anonymous class reaches X509TrustManager only through the abstract superclass
        return new BareBone_X509TrustManagerCanBypassExt() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // empty body: never throws, so every client certificate chain is accepted
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                // empty body: never throws, so every server certificate chain is accepted
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // null instead of the trusted CA list
                return null;
            }

        };
    }

    public static void main(String[] args) {
        getTrustManager();
    }
}

Attempting to use vulnerable hostname verification in an anonymous inner class object that is created from an abstract class that extends the HostnameVerifier interface from JCA:

// ABadHostNameVerifier.java
import javax.net.ssl.HostnameVerifier;

public abstract class ABadHostNameVerifier implements HostnameVerifier {}

// BadHostName.java
import javax.net.ssl.SSLSession;

public class BadHostName {
    public static void main(String[] args) {
        new ABadHostNameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                // accepts any hostname for any session
                return true;
            }
        };
    }
}

Attempting to use vulnerable hostname verification in an anonymous inner class object that is created from an empty interface that implements the HostnameVerifier interface from JCA:

// ABadHostNameVerifier.java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

public interface ABadHostNameVerifier extends HostnameVerifier {
    public boolean verify(String hostname, SSLSession session);
}

// BadHostName.java
import javax.net.ssl.SSLSession;

public class BadHostName {
    public static void main(String[] args) {
        new ABadHostNameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                // accepts any hostname for any session
                return true;
            }
        };
    }
}

Please let me know if you need any additional information (e.g., logs from our side) in fixing these issues.

Thanks! :)
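The four reports above share one shape: the anonymous class never names X509TrustManager or HostnameVerifier directly, so a checker that only inspects a class's immediate supertypes never sees the JCA type. The script below is an added illustration written for this issue, not CryptoGuard's code and not a description of its internals; it models the class hierarchy of the four cases as constructed facts (the kind of data a bytecode analyzer has after loading the jar), then runs the same empty-body/`return true` pattern check once against direct supertypes only and once against the transitive closure. The assumption that the gap is a direct-supertype match is mine; the point is that resolving the hierarchy before matching makes all four cases visible while a verifier that actually checks the peer host stays unflagged.

```python
"""Added example: transitive supertype resolution for TrustManager/HostnameVerifier
misuse detection. Class facts are constructed to mirror the four cases in the issue
(anonymous classes named with the javac-style $1/$2 suffix; the second BadHostName
is renamed BadHostName$2 so the two cases can coexist)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

TRUST_MANAGER_ROOTS = {"javax.net.ssl.X509TrustManager",
                       "javax.net.ssl.X509ExtendedTrustManager"}
HOSTNAME_VERIFIER_ROOT = "javax.net.ssl.HostnameVerifier"


@dataclass
class ClassFacts:
    name: str
    supertypes: List[str]                       # direct superclass + interfaces
    # method simple name -> simplified body statements (overloads collapsed)
    methods: Dict[str, List[str]] = field(default_factory=dict)


# Constructed hierarchy mirroring the issue's test projects plus one sound control.
CLASSES: Dict[str, ClassFacts] = {
    # case 1: anonymous X509ExtendedTrustManager with empty checks
    "BareBone_X509ExtendedTrustManagerCanBypass$1": ClassFacts(
        "BareBone_X509ExtendedTrustManagerCanBypass$1",
        ["javax.net.ssl.X509ExtendedTrustManager"],
        {"checkClientTrusted": [], "checkServerTrusted": [],
         "getAcceptedIssuers": ["return null"]}),
    # case 2: empty abstract class, anonymous subclass with empty checks
    "BareBone_X509TrustManagerCanBypassExt": ClassFacts(
        "BareBone_X509TrustManagerCanBypassExt", ["javax.net.ssl.X509TrustManager"]),
    "BareBone_X509TrustManagerCanBypass$1": ClassFacts(
        "BareBone_X509TrustManagerCanBypass$1", ["BareBone_X509TrustManagerCanBypassExt"],
        {"checkClientTrusted": [], "checkServerTrusted": [],
         "getAcceptedIssuers": ["return null"]}),
    # case 3: abstract class implementing HostnameVerifier
    "ABadHostNameVerifier": ClassFacts(
        "ABadHostNameVerifier", ["javax.net.ssl.HostnameVerifier"]),
    "BadHostName$1": ClassFacts(
        "BadHostName$1", ["ABadHostNameVerifier"], {"verify": ["return true"]}),
    # case 4: interface extending HostnameVerifier (renamed to avoid a collision)
    "IBadHostNameVerifier": ClassFacts(
        "IBadHostNameVerifier", ["javax.net.ssl.HostnameVerifier"]),
    "BadHostName$2": ClassFacts(
        "BadHostName$2", ["IBadHostNameVerifier"], {"verify": ["return true"]}),
    # control: a verifier that compares against the session's peer host
    "StrictHostnameVerifier$1": ClassFacts(
        "StrictHostnameVerifier$1", ["javax.net.ssl.HostnameVerifier"],
        {"verify": ["return hostname.equals(session.getPeerHost())"]}),
}


def all_supertypes(name: str, classes: Dict[str, ClassFacts]) -> Set[str]:
    """Transitive closure over superclass and interface edges.
    Types not in `classes` (JDK types) are leaves."""
    seen: Set[str] = set()
    stack = [name]
    while stack:
        current = stack.pop()
        for sup in classes.get(current, ClassFacts(current, [])).supertypes:
            if sup not in seen:
                seen.add(sup)
                stack.append(sup)
    return seen


def is_bypass_body(method: str, body: List[str]) -> bool:
    """Pattern check on a simplified body: the shapes the issue reports."""
    if method in ("checkClientTrusted", "checkServerTrusted"):
        return not any(stmt.startswith("throw") for stmt in body)  # never rejects a chain
    if method == "getAcceptedIssuers":
        return body == ["return null"]
    if method == "verify":
        return body == ["return true"]
    return False


def find_misuse(classes: Dict[str, ClassFacts], transitive: bool = True) -> List[Tuple[str, str]]:
    """Return (class, method) pairs whose class is a JCA trust/hostname type and whose
    method body matches a bypass pattern. With transitive=False only direct supertypes
    are consulted, which reproduces the miss for cases 2-4."""
    findings: List[Tuple[str, str]] = []
    for name, facts in classes.items():
        sups = all_supertypes(name, classes) if transitive else set(facts.supertypes)
        if not (sups & TRUST_MANAGER_ROOTS or HOSTNAME_VERIFIER_ROOT in sups):
            continue
        for method, body in facts.methods.items():
            if is_bypass_body(method, body):
                findings.append((name, method))
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        hits = find_misuse(CLASSES, transitive=mode)
        print(f"transitive={mode}: {len(hits)} findings")
        for cls, method in hits:
            print(f"  {cls}.{method}")
```

Running it shows three findings in direct mode (only case 1, whose anonymous class names the JCA type itself) and eight in transitive mode (cases 1 through 4), with the control verifier absent from both lists. For a real analyzer the `CLASSES` table is what the class hierarchy loaded from the scanned jar provides; the check itself does not change, only the set of supertypes it is asked about.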
