Merge pull request #81 from RUB-NDS/submodulehint

Submodulehint

Author: ic0ns

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/certificate/CertificateChain.java

@@ -142,24 +142,28 @@ public CertificateChain(Certificate certificate, String uri) {
                     LOGGER.debug("Could not find next certificate");
                     // Could not find issuer for certificate - check if its in
                     // the trust store
-                    if (TrustAnchorManager.getInstance().isTrustAnchor(
-                            tempCertificate.convertToX509Certificate().getIssuerX500Principal())) {
-                        // Certificate is issued by trust anchor
-                        LOGGER.debug("Could find issuer");
-                        chainIsComplete = true;
-                        org.bouncycastle.asn1.x509.Certificate trustAnchorCertificate = TrustAnchorManager
-                                .getInstance().getTrustAnchorCertificate(
-                                        tempCertificate.convertToX509Certificate().getIssuerX500Principal());
-                        if (trustAnchorCertificate != null) {
-                            CertificateReport trustAnchorReport = CertificateReportGenerator
-                                    .generateReport(trustAnchorCertificate);
-                            orderedCertificateChain.add(trustAnchorReport);
-                            trustAnchorReport.setTrustAnchor(true);
-                            trustAnchor = trustAnchorReport;
+                    if (TrustAnchorManager.getInstance().isInitialized()) {
+                        if (TrustAnchorManager.getInstance().isTrustAnchor(
+                                tempCertificate.convertToX509Certificate().getIssuerX500Principal())) {
+                            // Certificate is issued by trust anchor
+                            LOGGER.debug("Could find issuer");
+                            chainIsComplete = true;
+                            org.bouncycastle.asn1.x509.Certificate trustAnchorCertificate = TrustAnchorManager
+                                    .getInstance().getTrustAnchorCertificate(
+                                            tempCertificate.convertToX509Certificate().getIssuerX500Principal());
+                            if (trustAnchorCertificate != null) {
+                                CertificateReport trustAnchorReport = CertificateReportGenerator
+                                        .generateReport(trustAnchorCertificate);
+                                orderedCertificateChain.add(trustAnchorReport);
+                                trustAnchorReport.setTrustAnchor(true);
+                                trustAnchor = trustAnchorReport;
+                            }
+                        } else {
+                            LOGGER.debug("Could not find issuer");
+                            chainIsComplete = false;
                         }
                     } else {
-                        LOGGER.debug("Could not find issuer");
-                        chainIsComplete = false;
+                        LOGGER.error("Cannot check if the chain is complete since the trust manager is not initalized");
                     }
                     break;
                 }

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/certificate/CertificateReportGenerator.java

@@ -79,7 +79,11 @@ public static CertificateReport generateReport(org.bouncycastle.asn1.x509.Certif
         report.setCertificate(cert);
         setVulnerableRoca(report, cert);
         TrustAnchorManager anchorManger = TrustAnchorManager.getInstance();
-        report.setTrustAnchor(anchorManger.isTrustAnchor(report));
+        if (anchorManger.isInitialized()) {
+            report.setTrustAnchor(anchorManger.isTrustAnchor(report));
+        } else {
+            report.setTrustAnchor(null);
+        }
         if (report.getIssuer().equals(report.getSubject())) {
             report.setSelfSigned(true);
         } else {
@@ -234,6 +238,9 @@ private static void setRevoked(CertificateReport report, org.bouncycastle.asn1.x
                 TrustAnchorManager trustAnchorManager = TrustAnchorManager.getInstance();
                 X509Certificate x509cert = null;
                 try {
+                    if (!trustAnchorManager.isInitialized()) {
+                        return;
+                    }
                     x509cert = new X509CertificateObject(cert);
                     issuerCert = trustAnchorManager.getTrustAnchorCertificate(x509cert.getIssuerX500Principal());
                 } catch (CertificateParsingException exp) {

TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/trust/TrustAnchorManager.java

@@ -42,12 +42,12 @@ public class TrustAnchorManager {
 
     private List<TrustPlatform> trustPlatformList;
 
-    private final HashMap<String, CertificateEntry> trustAnchors;
+    private HashMap<String, CertificateEntry> trustAnchors;
 
     private static TrustAnchorManager INSTANCE = null;
 
-    private final Set<TrustAnchor> trustAnchorSet;
-    private final Set<Certificate> asn1CaCertificateSet;
+    private Set<TrustAnchor> trustAnchorSet;
+    private Set<Certificate> asn1CaCertificateSet;
 
     public static synchronized TrustAnchorManager getInstance() {
         if (INSTANCE == null) {
@@ -65,24 +65,36 @@ private TrustAnchorManager() {
             trustPlatformList.add(readPlatform("openjdk.yaml"));
             trustPlatformList.add(readPlatform("oracle_java.yaml"));
             trustPlatformList.add(readPlatform("apple.yaml"));
-        } catch (IOException | IllegalArgumentException ex) {
-            LOGGER.error("Could not load trusted platforms", ex);
-        }
-        trustAnchors = new HashMap<>();
-        for (TrustPlatform platform : trustPlatformList) {
-            for (CertificateEntry entry : platform.getCertificateEntries()) {
-                if (!trustAnchors.containsKey(entry.getFingerprint())) {
-                    trustAnchors.put(entry.getFingerprint(), entry);
+
+            trustAnchors = new HashMap<>();
+            for (TrustPlatform platform : trustPlatformList) {
+                for (CertificateEntry entry : platform.getCertificateEntries()) {
+                    if (!trustAnchors.containsKey(entry.getFingerprint())) {
+                        trustAnchors.put(entry.getFingerprint(), entry);
+                    }
                 }
-            }
-            for (CertificateEntry entry : platform.getBlockedCertificateEntries()) {
-                if (!trustAnchors.containsKey(entry.getFingerprint())) {
-                    trustAnchors.put(entry.getFingerprint(), entry);
+                for (CertificateEntry entry : platform.getBlockedCertificateEntries()) {
+                    if (!trustAnchors.containsKey(entry.getFingerprint())) {
+                        trustAnchors.put(entry.getFingerprint(), entry);
+                    }
                 }
             }
+            this.trustAnchorSet = getFullTrustAnchorSet();
+            this.asn1CaCertificateSet = getFullCaCertificateSet();
+        } catch (IOException | IllegalArgumentException ex) {
+            trustAnchorSet = null;
+            trustAnchors = null;
+            trustPlatformList = null;
+            asn1CaCertificateSet = null;
+            LOGGER.error("Could not load TrustAnchors. This means that you are running TLS-Scanner without its submodules. "
+                    + "If you want to evaluate if certificates are trusted by browsers you need to initialize submodules."
+                    + "You can do this by running the following command:'git submodule update --init --recursive'");
+            LOGGER.debug(ex);
         }
-        this.trustAnchorSet = getFullTrustAnchorSet();
-        this.asn1CaCertificateSet = getFullCaCertificateSet();
+    }
+
+    public boolean isInitialized() {
+        return trustAnchorSet != null && trustPlatformList != null && trustAnchors != null;
     }
 
     private TrustPlatform readPlatform(String name) throws IOException {