add hostname verification

Author: osiegmar

CHANGELOG.md

@@ -8,9 +8,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Allow encoder subclasses to customize the message before it is converted to String
   [\#40](https://github.com/osiegmar/logback-gelf/issues/40)
+- Server certificate hostname verification in `GelfTcpTlsAppender`.
 
 ### Changed
 - Upgrade to Java 8 (Premier Support of Java 7 ended in July 2019)
+- Rename `trustAllCertificates` property of `GelfTcpTlsAppender` to `insecure`.
 
 ## [2.2.0] - 2019-12-14
 ### Added

README.md

@@ -51,12 +51,15 @@ dependencies {
 
 ## Important notes
 
+Some changes may require to update your configuration.
+
 ### Breaking changes in version 3
-Version 3.0.0 of this library upgraded from Java 7 to Java 8.
+* Version 3.0.0 of this library upgraded from Java 7 to Java 8.
+* The server's certificate hostname now gets verified by `GelfTcpTlsAppender`.
+* The `trustAllCertificates` property of `GelfTcpTlsAppender` was renamed to `insecure`.
 
 ### Breaking changes in version 2
-Version 2.0.0 of this library introduced a configuration change. If you were already using this library, update
-your configuration to keep it working!
+* Version 2.0.0 of this library introduced a configuration change.
 
 **Old** format:
 ```xml
@@ -173,7 +176,7 @@ Find more advanced examples in the [examples directory](examples).
 `de.siegmar.logbackgelf.GelfTcpTlsAppender`
 
 * Everything from GelfTcpAppender
-* **trustAllCertificates**: If true, trust all TLS certificates (even self signed certificates).
+* **insecure**: If true, skip the TLS certificate validation.
   You should not use this in production! Default: false.
 
 ### Encoder

build.gradle

@@ -25,6 +25,7 @@ dependencies {
     testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.5.2'
     testImplementation 'com.google.guava:guava:28.1-jre'
     testImplementation 'com.fasterxml.jackson.core:jackson-databind:2.10.1'
+    testImplementation 'org.bouncycastle:bcpkix-jdk15on:1.64'
 }
 
 test {

config/checkstyle/import-control.xml

@@ -9,6 +9,7 @@
     <allow pkg="java.text"/>
     <allow pkg="java.util"/>
 
+    <allow pkg="javax.naming"/>
     <allow pkg="javax.net"/>
 
     <allow pkg="ch.qos.logback"/>

config/checkstyle/suppressions.xml

@@ -5,6 +5,7 @@
     <suppress files=".*Test.java" checks="MagicNumber"/>
     <suppress files=".*Test.java" checks="ImportControl"/>
     <suppress files="CustomGelfEncoder.java" checks="ImportControl"/>
+    <suppress files="X509Util.java" checks="ImportControl"/>
 
     <suppress files="Example.java" checks=".*"/>
     <suppress files="Manual.java" checks=".*"/>

examples/advanced_tcp_tls.xml

@@ -9,7 +9,7 @@
         <retryDelay>3000</retryDelay>
         <poolSize>2</poolSize>
         <poolMaxWaitTime>5000</poolMaxWaitTime>
-        <trustAllCertificates>false</trustAllCertificates>
+        <insecure>false</insecure>
         <encoder class="de.siegmar.logbackgelf.GelfEncoder">
             <originHost>localhost</originHost>
             <includeRawMessage>false</includeRawMessage>

src/main/java/de/siegmar/logbackgelf/CustomX509TrustManager.java

@@ -0,0 +1,138 @@
+/*
+ * Logback GELF - zero dependencies Logback GELF appender library.
+ * Copyright (C) 2019 Oliver Siegmar
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+package de.siegmar.logbackgelf;
+
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import javax.net.ssl.X509TrustManager;
+
+class CustomX509TrustManager implements X509TrustManager {
+
+    private static final int TYPE_DNS_NAME = 2;
+
+    private final X509TrustManager defaultTrustManager;
+    private final String hostname;
+
+    CustomX509TrustManager(final X509TrustManager defaultTrustManager, final String hostname) {
+        this.defaultTrustManager = defaultTrustManager;
+        this.hostname = hostname;
+    }
+
+    @Override
+    public void checkClientTrusted(final X509Certificate[] chain, final String authType) {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public void checkServerTrusted(final X509Certificate[] chain, final String authType)
+        throws CertificateException {
+
+        // First, check the chain via the default trust manager
+        defaultTrustManager.checkServerTrusted(chain, authType);
+
+        final X509Certificate serverCert = chain[0];
+
+        if (checkAlternativeNames(serverCert)) {
+            return;
+        }
+
+        // Check the deprecated common name
+        checkCommonName(serverCert);
+    }
+
+    private boolean checkAlternativeNames(final X509Certificate serverCert)
+        throws CertificateException {
+
+        final List<String> alternativeNames = getAlternativeNames(serverCert);
+        if (!alternativeNames.isEmpty()) {
+            for (final String alternativeName : alternativeNames) {
+                if (HostnameVerifier.verify(hostname, alternativeName)) {
+                    return true;
+                }
+            }
+
+            throw new CertificateException(String.format("Server certificate mismatch. Tried to "
+                + "verify %s against subject alternative names: %s", hostname, alternativeNames));
+        }
+        return false;
+    }
+
+    private static List<String> getAlternativeNames(final X509Certificate cert)
+        throws CertificateParsingException {
+
+        final Collection<List<?>> subjectAlternativeNames = cert.getSubjectAlternativeNames();
+        if (subjectAlternativeNames == null) {
+            return Collections.emptyList();
+        }
+
+        final List<String> ret = new ArrayList<>();
+        for (final List<?> entry : subjectAlternativeNames) {
+            if (((Integer) entry.get(0)) == TYPE_DNS_NAME) {
+                final String dNSName = (String) entry.get(1);
+                if (dNSName != null) {
+                    ret.add(dNSName);
+                }
+            }
+        }
+
+        return ret;
+    }
+
+    private void checkCommonName(final X509Certificate serverCert) throws CertificateException {
+        final String commonName;
+        try {
+            commonName = getCommonName(serverCert);
+            if (HostnameVerifier.verify(hostname, commonName)) {
+                return;
+            }
+        } catch (final InvalidNameException e) {
+            throw new CertificateException("Could not read CN from certificate", e);
+        }
+
+        throw new CertificateException(String.format("Server certificate mismatch. "
+            + "Tried to verify %s against common name: %s", hostname, commonName));
+    }
+
+    private static String getCommonName(final X509Certificate cert) throws InvalidNameException {
+        final LdapName ldapName = new LdapName(cert.getSubjectDN().getName());
+        for (final Rdn rdn : ldapName.getRdns()) {
+            if ("CN".equalsIgnoreCase(rdn.getType())) {
+                return (String) rdn.getValue();
+            }
+        }
+
+        throw new InvalidNameException("No common name found");
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return defaultTrustManager.getAcceptedIssuers();
+    }
+
+}

src/main/java/de/siegmar/logbackgelf/GelfTcpTlsAppender.java

@@ -19,63 +19,79 @@
 
 package de.siegmar.logbackgelf;
 
+import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
-import java.security.cert.X509Certificate;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
 
 public class GelfTcpTlsAppender extends GelfTcpAppender {
 
     /**
-     * If {@code true}, trust all TLS certificates (even self signed certificates).
+     * If {@code true}, skip the TLS certificate validation.
      */
-    private boolean trustAllCertificates;
+    private boolean insecure;
 
-    public boolean isTrustAllCertificates() {
-        return trustAllCertificates;
+    public boolean isInsecure() {
+        return insecure;
     }
 
-    public void setTrustAllCertificates(final boolean trustAllCertificates) {
-        this.trustAllCertificates = trustAllCertificates;
+    public void setInsecure(final boolean insecure) {
+        this.insecure = insecure;
     }
 
     @Override
     protected SSLSocketFactory initSocketFactory() {
-        if (trustAllCertificates) {
-            addWarn("Enable trustAllCertificates - don't use this in production!");
-            try {
-                final SSLContext context = SSLContext.getInstance("TLS");
-                context.init(null, buildNoopTrustManagers(), new SecureRandom());
-                return context.getSocketFactory();
-            } catch (final NoSuchAlgorithmException | KeyManagementException e) {
-                throw new IllegalStateException(e);
+        return configureSocket();
+    }
+
+    private SSLSocketFactory configureSocket() {
+        final TrustManager trustManager;
+
+        try {
+            if (insecure) {
+                addWarn("Enabled insecure mode (skip TLS certificate validation)"
+                    + " - don't use this in production!");
+                trustManager = new NoopX509TrustManager();
+            } else {
+                trustManager = new CustomX509TrustManager(defaultTrustManager(), getGraylogHost());
             }
+
+            return configureSslFactory(trustManager);
+        } catch (final GeneralSecurityException e) {
+            throw new IllegalStateException(e);
         }
+    }
+
+    private static X509TrustManager defaultTrustManager()
+        throws NoSuchAlgorithmException, KeyStoreException {
 
-        return (SSLSocketFactory) SSLSocketFactory.getDefault();
+        final TrustManagerFactory trustManagerFactory =
+            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        trustManagerFactory.init((KeyStore) null);
+
+        for (final TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
+            if (trustManager instanceof X509TrustManager) {
+                return (X509TrustManager) trustManager;
+            }
+        }
+
+        return null;
     }
 
-    private static TrustManager[] buildNoopTrustManagers() {
-        return new TrustManager[] {
-            new X509TrustManager() {
-                public X509Certificate[] getAcceptedIssuers() {
-                    return null;
-                }
-
-                public void checkClientTrusted(final X509Certificate[] chain,
-                                               final String authType) {
-                }
-
-                public void checkServerTrusted(final X509Certificate[] chain,
-                                               final String authType) {
-                }
-            },
-        };
+    private SSLSocketFactory configureSslFactory(final TrustManager trustManager)
+        throws NoSuchAlgorithmException, KeyManagementException {
+
+        final SSLContext context = SSLContext.getInstance("TLS");
+        context.init(null, new TrustManager[]{trustManager}, new SecureRandom());
+        return context.getSocketFactory();
     }
 
 }

src/main/java/de/siegmar/logbackgelf/HostnameVerifier.java

@@ -0,0 +1,64 @@
+/*
+ * Logback GELF - zero dependencies Logback GELF appender library.
+ * Copyright (C) 2019 Oliver Siegmar
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+package de.siegmar.logbackgelf;
+
+import java.util.Locale;
+import java.util.Objects;
+
+final class HostnameVerifier {
+
+    private HostnameVerifier() {
+    }
+
+    /**
+     * Hostname verification logic based on RFC 6125.
+     * <p>
+     * If using a wildcard, the wildcard has to be the left-most label (e.g. "*.foo.com").
+     *
+     * @param hostname the hostname to validate (e.g. "bar.foo.com")
+     * @param certname the name (CN or SubjectAlternativeName) from the certificate to verify
+     *                 against (e.g. "bar.foo.com" or "*.foo.com")
+     * @return {@code true}, if the hostname is verified.
+     * @throws NullPointerException if {@code hostname} or {@code certname} is null.
+     */
+    public static boolean verify(final String hostname, final String certname) {
+        final String host = Objects.requireNonNull(hostname).toLowerCase(Locale.ENGLISH);
+        final String cert = Objects.requireNonNull(certname).toLowerCase(Locale.ENGLISH);
+
+        if (cert.startsWith("*.")) {
+            // *.foo.com becomes foo.com
+            final String cnSuffix = cert.substring(2);
+
+            // At least two labels -- no TLD alone
+            if (!cnSuffix.contains(".")) {
+                return false;
+            }
+
+            // bar.foo.com becomes foo.com
+            final String hostSuffix = host.substring(host.indexOf('.') + 1);
+
+            return cnSuffix.equals(hostSuffix);
+        }
+
+        // Simple case, exact match
+        return host.equals(cert);
+    }
+
+}