java.lang.security.audit.crypto.ssl.insecure-trust-manager.insecure-trust-manager
Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.
Definition
# Semgrep rule: reports X509TrustManager / X509ExtendedTrustManager implementations
# whose checkClientTrusted / checkServerTrusted bodies are empty or whose
# getAcceptedIssuers() returns null, i.e. trust managers that validate nothing.
rules:
- id: insecure-trust-manager
metadata:
cwe:
- "CWE-295: Improper Certificate Validation"
owasp:
- A03:2017 - Sensitive Data Exposure
- A07:2021 - Identification and Authentication Failures
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_TRUST_MANAGER
asvs:
section: V9 Communications Verification Requirements
control_id: 9.2.1 Weak TLS
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x17-V9-Communications.md#v92-server-communications-security-requirements
version: "4"
references:
- https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https
category: security
technology:
- java
subcategory:
- audit
# Audit-tier rule: likelihood, impact and confidence are all LOW, so findings
# are meant for review rather than as a hard gate.
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
message: Detected empty trust manager implementations. This is dangerous because
it accepts any certificate, enabling man-in-the-middle attacks. Consider
using a KeyStore and TrustManagerFactory instead. See
https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https
for more information.
severity: WARNING
languages:
- java
patterns:
# Scope: only code inside a named or anonymous class implementing one of the
# two JSSE trust-manager interfaces.
- pattern-either:
- pattern-inside: |
class $CLASS implements X509TrustManager {
...
}
- pattern-inside: |
new X509TrustManager() {
...
}
- pattern-inside: |
class $CLASS implements X509ExtendedTrustManager {
...
}
- pattern-inside: |
new X509ExtendedTrustManager() {
...
}
# Exclusions: a check method that has a statement in its body is not reported.
# NOTE(review): `$SOMETHING;` presumably matches a single statement; confirm that
# bodies such as `{ return; }` or a lone log call are the intended exclusion,
# since those validate nothing either.
- pattern-not: public void checkClientTrusted(...) { $SOMETHING; }
- pattern-not: public void checkServerTrusted(...) { $SOMETHING; }
# Findings: an empty check body never throws, so every chain is accepted; a
# null issuer list is treated as the same defect. `(...)` matches the extended
# (Socket / SSLEngine) overloads as well as the two-argument ones.
- pattern-either:
- pattern: public void checkClientTrusted(...) {}
- pattern: public void checkServerTrusted(...) {}
- pattern: public X509Certificate[] getAcceptedIssuers(...) { return null; }
Examples
insecure-trust-manager.java
package Trust;
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
//cf. https://find-sec-bugs.github.io/bugs.htm#WEAK_TRUST_MANAGER
/**
 * Negative fixture for the rule: a named trust manager whose checks are empty and
 * whose issuer list is {@code null}. Each {@code ruleid:} line marks a method the
 * rule is expected to report. Keep the bodies exactly as they are; the rule's
 * patterns match the empty {@code {}} body and the {@code return null;} literally.
 */
public class TrustAllManager implements X509TrustManager {
    // ruleid:insecure-trust-manager
    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        //Trust any client connecting (no certificate validation)
        // Empty body: the method never throws, so every client chain is accepted.
    }
    // ruleid:insecure-trust-manager
    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        //Trust any remote server (no certificate validation)
        // Empty body: any server certificate passes, which is what enables MITM.
    }
    // ruleid:insecure-trust-manager
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Null issuer list: matched by the rule's third pattern.
        return null;
    }
}
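/**
 * Positive fixture for the rule: the pattern the rule's message recommends.
 *
 * <p>Certificate checks are delegated to the JDK's own {@link X509TrustManager},
 * built by a {@link TrustManagerFactory} from an explicit {@link KeyStore}, so no
 * chain is accepted without validation. The default {@link #loadKeyStore()} yields
 * an empty store, which makes the delegate reject every chain (fail closed);
 * subclasses override it to supply the CA certificates they actually trust.
 * Each {@code ok:} line marks a method the rule must not report.
 */
public class GoodTrustManager implements X509TrustManager {

    /**
     * Returns the initialized trust store the delegate is built from.
     *
     * <p>A {@link KeyStore} obtained from {@code getInstance} is unusable until it
     * has been {@code load}ed; {@code load(null, null)} initializes it empty.
     *
     * @return an initialized key store, never {@code null}
     * @throws IllegalStateException if the default key store type cannot be created
     */
    protected KeyStore loadKeyStore() {
        try {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null);
            return ks;
        } catch (GeneralSecurityException | IOException e) {
            throw new IllegalStateException("cannot create trust store", e);
        }
    }

    /**
     * Builds the JDK trust manager backed by {@link #loadKeyStore()}.
     *
     * <p>The factory's default algorithm is used instead of the legacy
     * {@code "SunX509"} name. A fresh delegate is built per call, which keeps
     * {@link #loadKeyStore()} a plain overridable hook at the cost of some work
     * per check.
     *
     * @return the first {@link X509TrustManager} the factory provides
     * @throws CertificateException if the factory or its trust manager cannot be created
     */
    private X509TrustManager delegate() throws CertificateException {
        TrustManagerFactory tmf;
        try {
            tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadKeyStore());
        } catch (NoSuchAlgorithmException | KeyStoreException e) {
            throw new CertificateException("cannot initialize trust manager", e);
        }
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new CertificateException("no X509TrustManager for algorithm " + tmf.getAlgorithm());
    }

    /**
     * Rejects a missing or empty chain before delegating, so the caller always
     * sees a {@link CertificateException} rather than whatever unchecked exception
     * the delegate may raise for that input.
     *
     * @param chain the peer's certificate chain
     * @throws CertificateException if {@code chain} is {@code null} or empty
     */
    private static void requireChain(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("null or empty certificate chain");
        }
    }

    // ok:insecure-trust-manager
    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        requireChain(x509Certificates);
        delegate().checkClientTrusted(x509Certificates, s);
    }

    // ok:insecure-trust-manager
    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
        requireChain(x509Certificates);
        // Server chains must go through checkServerTrusted; the client-side check is not a substitute.
        delegate().checkServerTrusted(x509Certificates, s);
    }

    // ok:insecure-trust-manager
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        try {
            // Never null: an empty store yields an empty array, which the rule does not flag.
            return delegate().getAcceptedIssuers();
        } catch (CertificateException e) {
            throw new IllegalStateException("cannot enumerate accepted issuers", e);
        }
    }
}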
/**
 * Negative fixture: the same all-trusting implementation as an anonymous class
 * held in a static field, to check that the rule matches
 * {@code new X509TrustManager() { ... }} as well as named classes.
 * Each {@code ruleid:} line marks a method the rule is expected to report.
 */
public final class TMClass {
    private static final X509TrustManager TM = new X509TrustManager() {
        // ruleid:insecure-trust-manager
        @Override
        public void checkClientTrusted(final X509Certificate[] chain, final String authType)
                throws CertificateException {
            // Empty body: no client chain is ever rejected.
        }
        // ruleid:insecure-trust-manager
        @Override
        public void checkServerTrusted(final X509Certificate[] chain, final String authType)
                throws CertificateException {
            // Empty body: no server chain is ever rejected.
        }
        // ruleid:insecure-trust-manager
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // Null issuer list: matched by the rule's third pattern.
            return null;
        }
    };
}
/**
 * Negative fixture for the {@link X509ExtendedTrustManager} variant, stored in a
 * {@code TrustManager[]} as it would be passed to an SSLContext. The extended
 * interface adds {@code Socket} and {@code SSLEngine} overloads of both check
 * methods; the rule's {@code (...)} parameter patterns match all of them.
 * Each {@code ruleid:} line marks a method the rule is expected to report.
 */
public final class TMEClass {
    TrustManager[] trustAllCerts = new TrustManager[]{new X509ExtendedTrustManager() {
        // ruleid:insecure-trust-manager
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // Null issuer list: matched by the rule's third pattern.
            return null;
        }
        // ruleid:insecure-trust-manager
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Empty body: no server chain is ever rejected.
        }
        // ruleid:insecure-trust-manager
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Empty body: no client chain is ever rejected.
        }
        // ruleid:insecure-trust-manager
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
            // Socket overload, also empty.
        }
        // ruleid:insecure-trust-manager
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
            // SSLEngine overload, also empty.
        }
        // ruleid:insecure-trust-manager
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
            // Socket overload, also empty.
        }
        // ruleid:insecure-trust-manager
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
            // SSLEngine overload, also empty.
        }
    }};
}