
Commit b42fee2

committed
chore: tls scan refactorings
1 parent 58660c5 commit b42fee2


3 files changed

+65
-12
lines changed


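--- a/backend/security/src/main/kotlin/dev/suresh/cert/CertScan.kt
+++ b/backend/security/src/main/kotlin/dev/suresh/cert/CertScan.kt
@@ -1,33 +1,27 @@
 package dev.suresh.cert
 
 import dev.suresh.tls.SavingTrustManager
+import dev.suresh.tls.newTLSSocket
 import java.net.InetSocketAddress
 import java.security.cert.X509Certificate
 import javax.net.ssl.SNIHostName
-import javax.net.ssl.SSLContext
-import javax.net.ssl.SSLSocket
 import kotlin.time.Duration
-import kotlin.time.Duration.Companion.milliseconds
+import kotlin.time.Duration.Companion.seconds
 
 object CertScan {
 
   fun scan(
       host: String,
       port: Int = 443,
       sni: String? = null,
-      timeout: Duration = 2_000.milliseconds
+      timeout: Duration = 2.seconds
   ): List<X509Certificate> {
     val trustManager = SavingTrustManager()
-    val socket =
-        SSLContext.getInstance("TLS").run {
-          init(null, arrayOf(trustManager), null)
-          socketFactory.createSocket() as SSLSocket
-        }
-
+    val socket = trustManager.newTLSSocket()
     return socket.use { sock ->
       val handshake = runCatching {
         sni?.let {
-          // sock.sslParameters will create a new object
+          // sock.sslParameters will create a new copy
           val sslParams = sock.sslParameters
           sslParams.serverNames = listOf(SNIHostName(sni))
           sock.sslParameters = sslParams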
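Review bot: `scan` still has no KDoc, and after this change the trust configuration is hidden behind `trustManager.newTLSSocket()` on new line 20, so a reader of `CertScan` no longer sees that the chain comes through a non-validating trust manager rather than the JVM default (inferred from the removed lines here and from `SavingTrustManager.getAcceptedIssuers()` returning an empty array; `checkServerTrusted` is outside this view). A KDoc along the lines of `/** Returns the certificate chain presented by the TLS server at [host]:[port]; the chain is captured, not validated, so callers must not treat it as trusted. [sni] is sent only when non-null. */` would make that explicit. A small style point: the `sni?.let { … }` block on new lines 23–27 reaches for the outer `sni` inside the lambda instead of `it`; `listOf(SNIHostName(it))` is the idiomatic form. `scan`'s body continues past the end of the hunk.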

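--- a/backend/security/src/main/kotlin/dev/suresh/tls/SavingTrustManager.kt
+++ b/backend/security/src/main/kotlin/dev/suresh/tls/SavingTrustManager.kt
@@ -1,7 +1,7 @@
 package dev.suresh.tls
 
 import java.security.cert.X509Certificate
-import javax.net.ssl.X509TrustManager
+import javax.net.ssl.*
 
 class SavingTrustManager : X509TrustManager {
 
@@ -20,3 +20,11 @@ class SavingTrustManager : X509TrustManager {
 
   override fun getAcceptedIssuers(): Array<X509Certificate> = emptyArray()
 }
+
+fun SavingTrustManager.newTLSSocket(): SSLSocket {
+  val tm = this
+  return SSLContext.getInstance("TLS").run {
+    init(null, arrayOf(tm), null)
+    socketFactory.createSocket() as SSLSocket
+  }
+}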
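Review bot: `newTLSSocket` has no KDoc, and the security-relevant part of what it does is invisible at the call site: `init(null, arrayOf(tm), null)` on new line 27 makes this `SavingTrustManager` the context's only trust manager, so the JVM's default trust store is never consulted and the context trusts exactly what `checkServerTrusted` (outside this hunk, presumably record-only) lets through. I would add `/** Creates an unconnected [SSLSocket] from a fresh TLS [SSLContext] whose only trust manager is this [SavingTrustManager]; the default trust store is bypassed, so the socket is for capturing a peer's chain, not for trusting it. */`. The `val tm = this` alias on new line 25 is unnecessary: inside `run` the extension receiver is reachable as `this@newTLSSocket`, i.e. `init(null, arrayOf(this@newTLSSocket), null)`. The wildcard `import javax.net.ssl.*` replaces one explicit import to bring in three names; explicit imports of `SSLContext`, `SSLSocket` and `X509TrustManager` would keep the file's existing style.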
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
package dev.suresh.tls
2+
3+
import java.net.JarURLConnection
4+
import java.security.Security
5+
import java.util.jar.Manifest
6+
import kotlin.reflect.KClass
7+
8+
/**
9+
* Enumeration of JSSE (Java Secure Socket Extension) system and security properties used for
10+
* configuring TLS/SSL connections.
11+
*/
12+
enum class TLSProp(val prop: String, val desc: String, val system: Boolean = true) {
13+
Debug("javax.net.debug", "Debugging SSL/TLS Connections."),
14+
KeyStore("javax.net.ssl.keyStore", "Default keystore"),
15+
KeyStoreType("javax.net.ssl.keyStoreType", "Default keystore type"),
16+
KeyStorePassword("javax.net.ssl.keyStorePassword", "Default keystore password"),
17+
KeyStoreProvider("javax.net.ssl.keyStoreProvider", "Default keystore provider"),
18+
TrustStore("javax.net.ssl.trustStore", "Default truststore"),
19+
TrustStoreType("javax.net.ssl.trustStoreType", "Default truststore type"),
20+
TrustStorePassword("javax.net.ssl.trustStorePassword", "Default truststore password"),
21+
TrustStoreProvider("javax.net.ssl.trustStoreProvider", "Default truststore provider"),
22+
ProxyHost("https.proxyHost", "Default HTTPS proxy host"),
23+
ProxyPort("https.proxyPort", "Default HTTPS proxy port"),
24+
HttpsCipherSuites("https.cipherSuites", "Default cipher suites"),
25+
HttpsProtocols("https.protocols", "Default HTTPS handshaking protocols"),
26+
TLSProtocols("jdk.tls.client.protocols", "Default Enabled TLS Protocols"),
27+
CertPathDisabledAlgos(
28+
"jdk.certpath.disabledAlgorithms",
29+
"Disabled certificate verification cryptographic algorithms",
30+
false),
31+
TLSDisabledAlgos("jdk.tls.disabledAlgorithms", "Disabled/Restricted Algorithms", false);
32+
33+
/** Sets the JSSE system/security property to the given value. */
34+
fun set(value: String) {
35+
when (system) {
36+
true -> System.setProperty(prop, value)
37+
else -> Security.setProperty(prop, value)
38+
}
39+
}
40+
}
41+
42+
/**
43+
* Returns the jar [Manifest] of the class. Returns `null` if the class is not bundled in a jar
44+
* (Classes in an unpacked class hierarchy).
45+
*/
46+
val <T : Any> KClass<T>.jarManifest: Manifest?
47+
get() {
48+
val res = java.getResource("${java.simpleName}.class")
49+
val conn = res?.openConnection()
50+
return if (conn is JarURLConnection) conn.manifest else null
51+
}
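Review bot: `jarManifest` (new line 48) resolves `"${java.simpleName}.class"`, but for a nested class `simpleName` is only the inner name while the class file is `Outer$Inner.class` (and an anonymous class has an empty `simpleName`), so `getResource` returns null and the manifest is reported as absent even when the class is in a jar; the binary name works in all cases: `val res = java.getResource("${java.name.substringAfterLast('.')}.class")`. In `TLSProp.set`, `when (system) { true -> … else -> … }` on a non-nullable `Boolean` reads better as `if (system) System.setProperty(prop, value) else Security.setProperty(prop, value)`. The KDoc on `set` should also say that the value becomes process-wide state: for `KeyStorePassword` / `TrustStorePassword` the secret is then readable by anything that can enumerate system properties, and the `Security` entries (`CertPathDisabledAlgos`, `TLSDisabledAlgos`) are, as far as I know, read once when the JSSE provider initializes, so calling `set` after TLS has already been used in the process has no effect — worth confirming for the target JDK. The new file's path is not shown in this view, so I cannot check that its name matches `TLSProp`.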
