Allow explicit server certificate whitelisting #27

Author: osiegmar

CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   [\#86](https://github.com/osiegmar/logback-gelf/issues/86)
 - Add another method for adding static field to GelfEncoder
   [\#80](https://github.com/osiegmar/logback-gelf/issues/80)
+- Add server certificate whitelisting (`trustedServerCertificate`).
 
 ### Changed
 - Upgrade to Java 11 (Premier Support of Java 8 ended in March 2022).

README.md

@@ -80,6 +80,12 @@ Simple TCP with TLS configuration:
     <appender name="GELF" class="de.siegmar.logbackgelf.GelfTcpTlsAppender">
         <graylogHost>localhost</graylogHost>
         <graylogPort>12201</graylogPort>
+        <trustedServerCertificate>
+            -----BEGIN CERTIFICATE-----
+            ...
+            -----END CERTIFICATE-----
+        </trustedServerCertificate>
+        <insecure>false</insecure>
     </appender>
 
     <!-- Use AsyncAppender to prevent slowdowns -->
@@ -141,6 +147,12 @@ Find more advanced examples in the [examples directory](examples).
 `de.siegmar.logbackgelf.GelfTcpTlsAppender`
 
 * Everything from GelfTcpAppender
+* **trustedServerCertificate**: An optionally configured X.509 server certificate (PEM encoded) to
+  trust (whitelist). Can be configured multiple times to ease certification renewal.
+  If configured, the server needs to offer one of these certificates in order to allow
+  communication. The certificate offered by the server needs to be valid (matching hostname and
+  not expired). If this property is configured, the server's certificate chain is not validated in
+  order to allow self-signed certificates. Default: none.
 * **insecure**: If true, skip the TLS certificate validation.
   You should not use this in production! Default: false.
 

src/main/java/de/siegmar/logbackgelf/CustomX509TrustManager.java

@@ -26,6 +26,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.Objects;
 
 import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
@@ -38,10 +39,17 @@ class CustomX509TrustManager implements X509TrustManager {
 
     private final X509TrustManager trustManager;
     private final String hostname;
+    private final List<X509Certificate> trustedServerCertificates;
 
     CustomX509TrustManager(final X509TrustManager trustManager, final String hostname) {
-        this.trustManager = trustManager;
-        this.hostname = hostname;
+        this(trustManager, hostname, Collections.emptyList());
+    }
+
+    CustomX509TrustManager(final X509TrustManager trustManager, final String hostname,
+                           final List<X509Certificate> trustedServerCertificates) {
+        this.trustManager = Objects.requireNonNull(trustManager);
+        this.hostname = Objects.requireNonNull(hostname);
+        this.trustedServerCertificates = Objects.requireNonNull(trustedServerCertificates);
     }
 
     @Override
@@ -53,34 +61,43 @@ public void checkClientTrusted(final X509Certificate[] chain, final String authT
     public void checkServerTrusted(final X509Certificate[] chain, final String authType)
         throws CertificateException {
 
-        // First, check the chain via the trust manager
-        trustManager.checkServerTrusted(chain, authType);
-
+        // The first certificate is the server certificate
         final X509Certificate serverCert = chain[0];
 
-        if (checkAlternativeNames(serverCert)) {
-            return;
+        if (trustedServerCertificates.isEmpty()) {
+            // If not explicitly trusted, check via the trust manager (chain validation)
+            trustManager.checkServerTrusted(chain, authType);
+        } else {
+            if (!trustedServerCertificates.contains(serverCert)) {
+                throw new CertificateException("Server did not offer a whitelisted certificate");
+            }
+
+            // Check if the certificate is valid. This is also done by the trust manager.
+            serverCert.checkValidity();
         }
 
-        // Check the deprecated common name
-        checkCommonName(serverCert);
+        if (!checkAlternativeNames(serverCert)) {
+            // Check the deprecated common name
+            checkCommonName(serverCert);
+        }
     }
 
     private boolean checkAlternativeNames(final X509Certificate serverCert)
         throws CertificateException {
 
         final List<String> alternativeNames = getAlternativeNames(serverCert);
-        if (!alternativeNames.isEmpty()) {
-            for (final String alternativeName : alternativeNames) {
-                if (HostnameVerifier.verify(hostname, alternativeName)) {
-                    return true;
-                }
-            }
+        if (alternativeNames.isEmpty()) {
+            return false;
+        }
 
-            throw new CertificateException(String.format("Server certificate mismatch. Tried to "
-                + "verify %s against subject alternative names: %s", hostname, alternativeNames));
+        for (final String alternativeName : alternativeNames) {
+            if (HostnameVerifier.verify(hostname, alternativeName)) {
+                return true;
+            }
         }
-        return false;
+
+        throw new CertificateException(String.format("Server certificate mismatch. Tried to "
+            + "verify %s against subject alternative names: %s", hostname, alternativeNames));
     }
 
     private static List<String> getAlternativeNames(final X509Certificate cert)

src/main/java/de/siegmar/logbackgelf/GelfTcpTlsAppender.java

@@ -19,12 +19,19 @@
 
 package de.siegmar.logbackgelf;
 
+import java.io.ByteArrayInputStream;
+import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
@@ -39,6 +46,8 @@ public class GelfTcpTlsAppender extends GelfTcpAppender {
      */
     private boolean insecure;
 
+    private final List<X509Certificate> trustedServerCertificates = new ArrayList<>();
+
     public boolean isInsecure() {
         return insecure;
     }
@@ -47,6 +56,22 @@ public void setInsecure(final boolean insecure) {
         this.insecure = insecure;
     }
 
+    public List<X509Certificate> getTrustedServerCertificates() {
+        return trustedServerCertificates;
+    }
+
+    public void addTrustedServerCertificate(final String trustedServerCertificate)
+        throws CertificateException {
+
+        trustedServerCertificates.add(readCert(trustedServerCertificate));
+    }
+
+    private X509Certificate readCert(final String cert) throws CertificateException {
+        final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
+        return (X509Certificate) certificateFactory.generateCertificate(
+            new ByteArrayInputStream(cert.getBytes(StandardCharsets.US_ASCII)));
+    }
+
     @Override
     protected SSLSocketFactory initSocketFactory() {
         try {
@@ -60,13 +85,20 @@ private TrustManager newTrustManager() throws NoSuchAlgorithmException, KeyStore
         if (insecure) {
             addWarn("Enabled insecure mode (skip TLS certificate validation)"
                 + " - don't use this in production!");
+
+            if (!trustedServerCertificates.isEmpty()) {
+                throw new IllegalStateException("Configuration options 'insecure' and "
+                    + "'trustedServerCertificates' are mutually exclusive!");
+            }
+
             return new NoopX509TrustManager();
         }
 
-        return new CustomX509TrustManager(findDefaultX509TrustManager(), getGraylogHost());
+        return new CustomX509TrustManager(defaultTrustManager(), getGraylogHost(),
+            trustedServerCertificates);
     }
 
-    private static X509TrustManager findDefaultX509TrustManager()
+    private static X509TrustManager defaultTrustManager()
         throws NoSuchAlgorithmException, KeyStoreException {
 
         final TrustManagerFactory trustManagerFactory =

src/test/java/de/siegmar/logbackgelf/CustomX509TrustManagerTest.java

@@ -33,6 +33,7 @@
 import java.security.cert.X509Certificate;
 import java.time.LocalDate;
 import java.util.Arrays;
+import java.util.List;
 
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
@@ -142,6 +143,21 @@ public void expired() throws Exception {
             () -> validate(cert, caBuilder.getCaCertificate()));
     }
 
+    @Test
+    public void caSignedNotWhitelisted() throws Exception {
+        final X509Util.CABuilder caBuilder = new X509Util.CABuilder();
+        final X509Certificate cert = prepareCaSigned(caBuilder)
+            .build(HOSTNAME);
+
+        tm = new CustomX509TrustManager(defaultTrustManager(null), HOSTNAME,
+            List.of(c.build(null, HOSTNAME)));
+
+        final CertificateException e = assertThrows(CertificateException.class,
+            () -> validate(cert, caBuilder.getCaCertificate()));
+
+        assertEquals("Server did not offer a whitelisted certificate", e.getMessage());
+    }
+
     private void validate(final X509Certificate... certificates) throws CertificateException {
         tm.checkServerTrusted(certificates, "RSA");
     }

src/test/java/de/siegmar/logbackgelf/GelfTcpTlsAppenderTest.java

@@ -28,12 +28,14 @@
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.net.Socket;
+import java.security.cert.X509Certificate;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
+import java.util.concurrent.atomic.AtomicReference;
 
 import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLServerSocketFactory;
@@ -47,6 +49,7 @@
 
 import ch.qos.logback.classic.Logger;
 import ch.qos.logback.classic.LoggerContext;
+import ch.qos.logback.core.status.Status;
 
 public class GelfTcpTlsAppenderTest {
 
@@ -75,6 +78,40 @@ void defaultValues() {
         assertFalse(appender.isInsecure());
     }
 
+    @Test
+    public void configurationError() throws Exception {
+        final LoggerContext lc = (LoggerContext) LoggerFactory.getILoggerFactory();
+
+        final AtomicReference<Status> lastStatus = new AtomicReference<>();
+        lc.getStatusManager().add(lastStatus::set);
+
+        final GelfEncoder gelfEncoder = new GelfEncoder();
+        gelfEncoder.setContext(lc);
+        gelfEncoder.setOriginHost("localhost");
+        gelfEncoder.start();
+
+        final Logger logger = (Logger) LoggerFactory.getLogger(LOGGER_NAME);
+        logger.addAppender(buildAppender(lc, gelfEncoder));
+        logger.setAdditive(false);
+
+        final X509Certificate cert = new X509Util.CertBuilder()
+            .build(null, "foo.example.com");
+
+        final GelfTcpTlsAppender gelfAppender = new GelfTcpTlsAppender();
+        gelfAppender.setContext(lc);
+        gelfAppender.setName("GELF");
+        gelfAppender.setEncoder(gelfEncoder);
+        gelfAppender.setGraylogHost("localhost");
+        gelfAppender.setGraylogPort(port);
+        gelfAppender.setInsecure(true);
+        gelfAppender.addTrustedServerCertificate(X509Util.toPEM(cert));
+        gelfAppender.start();
+
+        final IllegalStateException e = (IllegalStateException) lastStatus.get().getThrowable();
+        assertEquals("Configuration options 'insecure' and 'trustedServerCertificates' "
+            + "are mutually exclusive!", e.getMessage());
+    }
+
     @Test
     public void simple() {
         final Logger logger = setupLogger();

src/test/java/de/siegmar/logbackgelf/X509Util.java

@@ -20,6 +20,7 @@
 package de.siegmar.logbackgelf;
 
 import java.io.IOException;
+import java.io.StringWriter;
 import java.math.BigInteger;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
@@ -54,6 +55,7 @@
 import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
 import org.bouncycastle.crypto.util.PrivateKeyFactory;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
@@ -62,7 +64,7 @@
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 
 @SuppressWarnings({"checkstyle:classdataabstractioncoupling", "checkstyle:classfanoutcomplexity"})
-public class X509Util {
+final class X509Util {
 
     private static final String ALGORITHM = "RSA";
     private static final String SIG_ALGORITHM = "SHA256withRSA";
@@ -73,12 +75,24 @@ public class X509Util {
         Security.addProvider(new BouncyCastleProvider());
     }
 
+    private X509Util() {
+    }
+
     private static KeyPair generateKeyPair() throws NoSuchAlgorithmException {
         final KeyPairGenerator keyGen = KeyPairGenerator.getInstance(ALGORITHM);
         keyGen.initialize(KEY_SIZE);
         return keyGen.genKeyPair();
     }
 
+    static String toPEM(final X509Certificate certificate) throws IOException {
+        final StringWriter sw = new StringWriter();
+        try (JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(sw)) {
+            jcaPEMWriter.writeObject(certificate);
+        }
+
+        return sw.toString();
+    }
+
     static class CABuilder {
 
         private final KeyPair keyPair;