SV.ECV.TRUSTMANAGER

Unsafe implementation of the interface X509TrustManager

Klocwork reports an SV.ECV.TRUSTMANAGER defect when an implementation of the X509TrustManager does not control the validity of the certificate, that is, no exception is raised.

Vulnerability and risk

Empty implementations of the X509TrustManager interface are often created to disable certificate validation that in turn makes the code vulnerable to man-in-the-middle attacks.

Mitigation and prevention

Validation of X.509 certificates is essential to create secure SSL/TLS sessions that are not vulnerable to man-in-the-middle attacks.

Provide an appropriate trust store by using certificate chain validation. Certificate chain validation includes these conditions:

• The certificate must be issued by its parent Certificate Authority or by the root CA trusted by the system.

• Each Certificate Authority is allowed to issue certificates.

• Each certificate in the chain is not expired.

Vulnerable code example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
import javax.net.ssl.*;
import java.security.cert.*;
 
import javax.net.ssl.*;
import java.security.cert.*;
 
class TrustAll implements X509TrustManager {
 
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {  // Noncompliant, nothing means trust any client
    }
 
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { // Noncompliant
        System.out.println("error message");
    }
 
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }
}

Klocwork reports an SV.ECV.TRUSTMANAGER defect on line 8, indicating, "Method '{0}' does nothing." Validate whether the checkServerTrusted method overridden in your class raises either the CertificateException or the IllegalArgumentException whenever the certificate presented by the server is not valid.

Fixed code example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import javax.net.ssl.*;
import java.security.cert.*;
 
class TrustAllManager implements X509TrustManager {
    private X509TrustManager standardTrustManager = null;
 
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw CertificateException();
    }
 
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if ((chain != null) && (chain.length == 1)) {
            chain[0].checkValidity();
        } else {
            System.out.print("");
        }
    }
 
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] certs = this.standardTrustManager.getAcceptedIssuers();
        return certs;
    }
}

In this fixed example, Klocwork no longer reports an SV.ECV.TRUSTMANAGER defect.

External guidance

• CWE-295: Improper Certificate Validation
• OWASP A6:2017 Security Misconfiguration
• OWASP A2:2021 Cryptographic Failures
• OWASP A5:2021 Security Misconfiguration
• OWASP A7:2021 Identification and Authentication Failures
• V-222550 (APSC-DV-001810): The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor..
• V-222555 (APSC-DV-001860): The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

Security training

Application security training materials provided by Secure Code Warrior.

• Weak Certificate Validation Training Video - Test your skills with a training example
• Security Misconfiguration Training Video - Test your skills with a training example