Fix bug in insecure TLSContext

doytsujin · Jun 3, 2021 · 27c49fd · 27c49fd
1 parent cb9d9ee
commit 27c49fd
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 12 deletions.
diff --git a/io/src/main/scala/fs2/io/net/tls/TLSContext.scala b/io/src/main/scala/fs2/io/net/tls/TLSContext.scala
@@ -28,18 +28,10 @@ import java.io.{FileInputStream, InputStream}
 import java.nio.file.Path
 import java.security.KeyStore
 import java.security.cert.X509Certificate
-import javax.net.ssl.{
-  KeyManagerFactory,
-  SSLContext,
-  SSLEngine,
-  TrustManagerFactory,
-  X509TrustManager
-}
-
+import javax.net.ssl.{KeyManagerFactory, SSLContext, SSLEngine, TrustManagerFactory, X509ExtendedTrustManager, X509TrustManager}
 import cats.Applicative
 import cats.effect.kernel.{Async, Resource}
 import cats.syntax.all._
-
 import com.comcast.ip4s.{IpAddress, SocketAddress}
 
 import java.util.function.BiFunction
@@ -257,10 +249,18 @@ object TLSContext {
         Async[F]
           .blocking {
             val ctx = SSLContext.getInstance("TLS")
-            val tm = new X509TrustManager {
+            val tm = new X509ExtendedTrustManager {
               def checkClientTrusted(x: Array[X509Certificate], y: String): Unit = {}
               def checkServerTrusted(x: Array[X509Certificate], y: String): Unit = {}
               def getAcceptedIssuers(): Array[X509Certificate] = Array()
+
+              override def checkClientTrusted(chain: Array[X509Certificate], authType: String, socket: java.net.Socket): Unit = {}
+
+              override def checkServerTrusted(chain: Array[X509Certificate], authType: String, socket: java.net.Socket): Unit = {}
+
+              override def checkClientTrusted(chain: Array[X509Certificate], authType: String, engine: SSLEngine): Unit = {}
+
+              override def checkServerTrusted(chain: Array[X509Certificate], authType: String, engine: SSLEngine): Unit = {}
             }
             ctx.init(null, Array(tm), null)
             ctx

diff --git a/io/src/test/scala/fs2/io/net/tls/TLSSocketSuite.scala b/io/src/test/scala/fs2/io/net/tls/TLSSocketSuite.scala
@@ -148,7 +148,7 @@ class TLSSocketSuite extends TLSSuite {
         .assertEquals(msg)
     }
 
-    test("echo fail?") {
+    test("echo insecure client with Endpoint verification") {
       val msg = Chunk.array(("Hello, world! " * 20000).getBytes)
 
       val setup = for {
@@ -161,7 +161,6 @@ class TLSSocketSuite extends TLSSuite {
           .flatMap(
             clientContext
               .client(_, TLSParameters.apply(endpointIdentificationAlgorithm = Some("HTTPS"))) //makes test fail
-              //.client(_, TLSParameters.Default)
           )
       } yield server.flatMap(s => Stream.resource(tlsContext.server(s))) -> client