Using netty SslContext instead of JDK SSLContext when creating client and server connections using ImpersonatingMitmManager

Author: jekh

mitm/src/main/java/net/lightbody/bmp/mitm/manager/ImpersonatingMitmManager.java

@@ -4,6 +4,9 @@
 import com.google.common.base.Suppliers;
 import com.google.common.cache.Cache;
 import com.google.common.cache.CacheBuilder;
+import io.netty.buffer.ByteBufAllocator;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
 import net.lightbody.bmp.mitm.CertificateAndKey;
 import net.lightbody.bmp.mitm.CertificateAndKeySource;
 import net.lightbody.bmp.mitm.CertificateInfo;
@@ -25,13 +28,11 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
 import java.security.KeyPair;
-import java.security.KeyStore;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
@@ -47,32 +48,21 @@
 public class ImpersonatingMitmManager implements MitmManager {
     private static final Logger log = LoggerFactory.getLogger(ImpersonatingMitmManager.class);
 
-    /**
-     * The KeyStore password for impersonated server KeyStores. This value can be anything, since it is only used to store and immediately extract
-     * the Java KeyManagers after creating an impersonated server certificate.
-     */
-    private static final String IMPERSONATED_SERVER_KEYSTORE_PASSWORD = "impersonationPassword";
-
-    /**
-     * The alias for the impersonated server certificate. This value can be anything, since it is only used to store the cert in the KeyStore.
-     */
-    private static final String IMPERSONATED_CERTIFICATE_ALIAS = "impersonatedCertificate";
-
     /**
      * The SSLContext that will be used for communications with all upstream servers. This can be reused, so store it as a lazily-loaded singleton.
      */
-    private final Supplier<SSLContext> upstreamServerSslContext = Suppliers.memoize(new Supplier<SSLContext>() {
+    private final Supplier<SslContext> upstreamServerSslContext = Suppliers.memoize(new Supplier<SslContext>() {
         @Override
-        public SSLContext get() {
+        public SslContext get() {
             return SslUtil.getUpstreamServerSslContext(trustAllUpstreamServers);
         }
     });
 
     /**
-     * Cache for impersonating SSLContexts. SSLContexts can be safely reused, so caching the impersonating contexts avoids
+     * Cache for impersonating netty SslContexts. SslContexts can be safely reused, so caching the impersonating contexts avoids
      * repeatedly re-impersonating upstream servers.
      */
-    private final Cache<String, SSLContext> sslContextCache;
+    private final Cache<String, SslContext> sslContextCache;
 
     /**
      * Generator used to create public and private keys for the server certificates.
@@ -175,7 +165,7 @@ public ImpersonatingMitmManager(CertificateAndKeySource rootCertificateSource,
     @Override
     public SSLEngine serverSslEngine(String peerHost, int peerPort) {
         try {
-            SSLEngine sslEngine = upstreamServerSslContext.get().createSSLEngine(peerHost, peerPort);
+            SSLEngine sslEngine = upstreamServerSslContext.get().newEngine(ByteBufAllocator.DEFAULT, peerHost, peerPort);
 
             // support SNI by setting the endpoint identification algorithm. this requires Java 7+.
             SSLParameters sslParams = new SSLParameters();
@@ -191,9 +181,9 @@ public SSLEngine serverSslEngine(String peerHost, int peerPort) {
     @Override
     public SSLEngine clientSslEngineFor(SSLSession sslSession) {
         try {
-            SSLContext ctx = getHostnameImpersonatingSslContext(sslSession);
+            SslContext ctx = getHostnameImpersonatingSslContext(sslSession);
 
-            return ctx.createSSLEngine();
+            return ctx.newEngine(ByteBufAllocator.DEFAULT);
         } catch (RuntimeException e) {
             throw new MitmException("Error creating SSLEngine for connection to client to impersonate upstream host: " + sslSession.getPeerHost(), e);
         }
@@ -207,15 +197,15 @@ public SSLEngine clientSslEngineFor(SSLSession sslSession) {
      * @param sslSession the upstream server SSLSession
      * @return SSLContext which will present an impersonated certificate
      */
-    private SSLContext getHostnameImpersonatingSslContext(final SSLSession sslSession) {
+    private SslContext getHostnameImpersonatingSslContext(final SSLSession sslSession) {
         final String hostnameToImpersonate = sslSession.getPeerHost();
 
         //TODO: generate wildcard certificates, rather than one certificate per host, to reduce the number of certs generated
 
         try {
-            return sslContextCache.get(hostnameToImpersonate, new Callable<SSLContext>() {
+            return sslContextCache.get(hostnameToImpersonate, new Callable<SslContext>() {
                 @Override
-                public SSLContext call() throws Exception {
+                public SslContext call() throws Exception {
                     return createImpersonatingSslContext(sslSession, hostnameToImpersonate);
                 }
             });
@@ -231,7 +221,7 @@ public SSLContext call() throws Exception {
      * @param hostnameToImpersonate hostname (supplied by the client's HTTP CONNECT) that will be impersonated
      * @return an SSLContext presenting a certificate matching the hostnameToImpersonate
      */
-    private SSLContext createImpersonatingSslContext(SSLSession sslSession, String hostnameToImpersonate) {
+    private SslContext createImpersonatingSslContext(SSLSession sslSession, String hostnameToImpersonate) {
         long impersonationStart = System.currentTimeMillis();
 
         // generate a Java KeyStore which contains the impersonated server certificate and the certificate's private key.
@@ -272,25 +262,21 @@ private SSLContext createImpersonatingSslContext(SSLSession sslSession, String h
                 serverKeyPair,
                 serverCertificateMessageDigest);
 
-        // bundle the newly-forged server certificate into a java KeyStore, for use by the SSLContext
-        KeyStore impersonatedServerKeyStore = securityProviderTool.createServerKeyStore(
-                MitmConstants.DEFAULT_KEYSTORE_TYPE,
-                impersonatedCertificateAndKey,
-                caRootCertificate,
-                IMPERSONATED_CERTIFICATE_ALIAS, IMPERSONATED_SERVER_KEYSTORE_PASSWORD
-        );
+        X509Certificate[] certChain = {impersonatedCertificateAndKey.getCertificate(), caRootCertificate};
+        SslContext sslContext;
+        try {
+            sslContext = SslContextBuilder.forServer(impersonatedCertificateAndKey.getPrivateKey(), certChain).build();
+        } catch (SSLException e) {
+            throw new MitmException("Error creating SslContext for connection to client using impersonated certificate and private key", e);
+        }
 
         long impersonationFinish = System.currentTimeMillis();
 
         statistics.certificateCreated(impersonationStart, impersonationFinish);
 
         log.debug("Impersonated certificate for {} in {}ms", hostnameToImpersonate, impersonationFinish - impersonationStart);
 
-        // retrieve the Java KeyManagers that the SSLContext will use to retrieve the impersonated certificate and private key
-        KeyManager[] keyManagers = securityProviderTool.getKeyManagers(impersonatedServerKeyStore, IMPERSONATED_SERVER_KEYSTORE_PASSWORD);
-
-        // create an SSLContext for this communication with the client that will present the impersonated upstream server credentials
-        return SslUtil.getClientSslContext(keyManagers);
+        return sslContext;
     }
 
     /**

mitm/src/main/java/net/lightbody/bmp/mitm/util/SslUtil.java

@@ -1,17 +1,15 @@
 package net.lightbody.bmp.mitm.util;
 
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import net.lightbody.bmp.mitm.exception.SslContextInitializationException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManager;
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 
@@ -22,53 +20,29 @@ public class SslUtil {
     private static final Logger log = LoggerFactory.getLogger(SslUtil.class);
 
     /**
-     * Creates an SSLContext for use when connecting to upstream servers. When trustAllServers is true, no upstream certificate
+     * Creates a netty SslContext for use when connecting to upstream servers. When trustAllServers is true, no upstream certificate
      * verification will be performed. <b>This will make it possible for attackers to MITM communications with the upstream
      * server</b>, so use trustAllServers only when testing.
      *
      * @param trustAllServers when true, no upstream server certificate validation will be performed
      * @return an SSLContext to connect to upstream servers with
      */
-    public static SSLContext getUpstreamServerSslContext(boolean trustAllServers) {
+    public static SslContext getUpstreamServerSslContext(boolean trustAllServers) {
         //TODO: add the ability to specify an explicit additional trust source, so clients don't need to import trust into the JDK trust source or forgo trust entirely
 
-        try {
-            if (trustAllServers) {
-                log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");
-
-                TrustManager[] trustManagers = InsecureTrustManagerFactory.INSTANCE.getTrustManagers();
+        SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
 
-                // start with the default SSL context, but override the default TrustManager with the "always trust everything" TrustManager
-                SSLContext newSslContext = SSLContext.getInstance("TLS");
-                newSslContext.init(null, trustManagers, null);
+        if (trustAllServers) {
+            log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers.");
 
-                return newSslContext;
-            } else {
-                return SSLContext.getDefault();
-            }
-        } catch (NoSuchAlgorithmException | KeyManagementException e) {
-            throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
+            sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
         }
-    }
 
-    /**
-     * Creates an SSLContext for use with clients' connections to this server. The specified keyManagers should contain
-     * the impersonated server certificate and private key used to encrypt communications with the client.
-     *
-     * @param keyManagers keyManagers that will be used to encrypt communications with the client; should contain the impersonated upstream server certificate
-     * @return SSLContext for use with clients' connections to this server
-     */
-    public static SSLContext getClientSslContext(KeyManager[] keyManagers) {
         try {
-            SSLContext sslContext = SSLContext.getInstance("TLS");
-            sslContext.init(keyManagers, null, null);
-
-            return sslContext;
-        } catch (NoSuchAlgorithmException | KeyManagementException e) {
-            throw new SslContextInitializationException("Error creating new SSL context for connection to client", e);
+            return sslContextBuilder.build();
+        } catch (SSLException e) {
+            throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e);
         }
-
-
     }
 
     /**