Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improper x.509 certificate validation in extensions of X509TrustManager with general conditions #367

Open
LordAmit opened this issue Jun 20, 2020 · 0 comments
Open

Improper x.509 certificate validation in extensions of X509TrustManager with general conditions #367

LordAmit opened this issue Jun 20, 2020 · 0 comments

Comments

@LordAmit
Copy link

LordAmit commented Jun 20, 2020
edited

We found that we could not detect some potential cryptographic vulnerabilities. We believe this may be due to underlying implementation or design gaps.
Here are the details of our analysis and the cryptographic misuses:

Using QARK version 4.0.0
Using Python version 3.5.2
Using OpenJDK version 1.8.0_232 64 bit
Running on Ubuntu: 18.04 Kernel: 4.4.0-174-generic

Each cryptographic vulnerability was generated as a barebones Java project that only contained a single vulnerability in the main function and used up to two java source files. Additionally, all cryptographic API calls were from Java Cryptographic Architecture (JCA).

We are reporting this since in your readme you mention that “Improper x.509 certificate validation” is attempted to be found.
Attempting to use an insecure validation of an overridden checkServerTrusted method that is created within an anonymous inner class object created from an empty abstract class which implements the X509TrustManager interface from JCA, which we believe is due to not detecting security exceptions thrown under impossible conditions; e.g., if(!(true || arg0== null || arg1 == null)) throw new CertificateException();

public abstract class BareboneTrustManagerExt implements javax.net.ssl.X509TrustManager{

}

public class BareboneTrustManagerConditional {
	static final X509Certificate[] EMPTY_X509CERTIFICATE_ARRAY = new X509Certificate[] {};

	public static void main(String[] args) {
		
		TrustManager[] trustAll = new TrustManager[] {

				new BareboneTrustManagerExt() {
					@java.lang.Override
					public void checkClientTrusted(java.security.cert.X509Certificate[] arg0, java.lang.String arg1)
						throws java.security.cert.CertificateException {
				  
					  if(!(true||arg0 == null||arg1 == null)){ 
						  throw new java.security.cert.CertificateException();
					  }
					}
				  
					@java.lang.Override
					public void checkServerTrusted(java.security.cert.X509Certificate[] arg0, java.lang.String arg1)
						throws java.security.cert.CertificateException {
				  
					  if(!(true||arg0 == null||arg1 == null)){
						  throw new java.security.cert.CertificateException();
					  }
					}

					@Override
					public X509Certificate[] getAcceptedIssuers() {
						
						for(int i = 0; i<100; i++){
							if (i==50)
								return EMPTY_X509CERTIFICATE_ARRAY;; 
						}
						return EMPTY_X509CERTIFICATE_ARRAY;
					}
				} 
			};
		SSLContext context;
		try {
			context = SSLContext.getInstance("TLS");
			context.init(null, trustAll, new SecureRandom());

		} catch (NoSuchAlgorithmException e) {
			// TODO Auto-generated catch block
			// e.printStackTrace();
		} catch (KeyManagementException e) {
			// TODO Auto-generated catch block
			// e.printStackTrace();
		}
		System.out.println("Hello World 8.6");
	}
}

Please let me know if you need any additional information (e.g., logs from our side) in fixing these issues.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@LordAmit