SV.ECV.TRUSTMANAGER

Unsafe implementation of the interface X509TrustManager

Klocwork reports an SV.ECV.TRUSTMANAGER defect when an implementation of X509TrustManager does not check the validity of the certificate, that is, when no exception is ever raised for an invalid certificate.

Vulnerability and risk

Empty implementations of the X509TrustManager interface are often created to disable certificate validation, which in turn makes the code vulnerable to man-in-the-middle attacks: any certificate presented by a peer is accepted.

Mitigation and prevention

Validation of X.509 certificates is essential to create secure SSL/TLS sessions that are not vulnerable to man-in-the-middle attacks.

Provide an appropriate trust store by using certificate chain validation. Certificate chain validation includes these conditions:

  • The certificate must be issued by its parent Certificate Authority, which in turn must chain up to a root CA trusted by the system.

  • Each Certificate Authority in the chain must be authorized to issue certificates.

  • No certificate in the chain may be expired or not yet valid.
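As an added example, not from Klocwork or the original page, here is one way to provide such a trust store instead of hand-writing an X509TrustManager: a private CA certificate is read from a PEM file (the path `ca.pem` and the class name are assumptions), placed in an in-memory KeyStore and handed to the JDK's default TrustManagerFactory, whose PKIX trust manager enforces the three chain conditions above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PrivateCaTrust {

    // Builds an SSLContext that trusts only chains ending at the CA stored in caPemPath.
    // Issuer checks, CA authorization and validity periods are verified by the JDK's
    // PKIX trust manager, so no X509TrustManager method needs to be written by hand.
    public static SSLContext sslContextTrusting(String caPemPath) throws Exception {
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPemPath)) {
            // CertificateFactory accepts both PEM and DER encoded certificates.
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // Empty in-memory trust store that holds just the private CA; the system
        // trust store is deliberately not used, so public CAs are not trusted here.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("private-ca", ca);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // No client key manager (null) and the platform default SecureRandom (null).
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextTrusting(args.length > 0 ? args[0] : "ca.pem");
        // Sockets from ctx.getSocketFactory() fail the handshake (SSLHandshakeException
        // wrapping a CertificateException) when the server chain is not issued by the CA.
        System.out.println("SSLContext ready: " + ctx.getProtocol());
    }
}
```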

Vulnerable code example

import javax.net.ssl.*;
import java.security.cert.*;

class TrustAll implements X509TrustManager {
 
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {  // Noncompliant: an empty body trusts any client certificate
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { // Noncompliant: printing a message is not validation, every server certificate is accepted
        System.out.println("error message");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return null; // no trusted issuers are ever reported
    }
}

Klocwork reports an SV.ECV.TRUSTMANAGER defect on line 8, indicating, "Method '{0}' does nothing." Check that the checkServerTrusted method overridden in your class raises either CertificateException or IllegalArgumentException whenever the certificate presented by the server is not valid.

Fixed code example

import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.*;

class TrustAllManager implements X509TrustManager {
    // The JDK's default (PKIX) trust manager; it validates the chain against the
    // system trust store, so this class delegates the actual checks to it.
    private final X509TrustManager standardTrustManager;

    TrustAllManager() throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new NoSuchAlgorithmException("no X509TrustManager available");
        }
        this.standardTrustManager = found;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Client-side use only: no client certificate is ever trusted.
        throw new CertificateException("client certificates are not accepted");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty server certificate chain");
        }
        chain[0].checkValidity(); // rejects an expired or not-yet-valid server certificate
        // Full chain validation: issuer, CA authorization and validity of every certificate.
        standardTrustManager.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.standardTrustManager.getAcceptedIssuers();
    }
}

In this fixed example, Klocwork no longer reports an SV.ECV.TRUSTMANAGER defect.