change ca cert import mode default to CA_ONLY

Author: jrivard

server/src/main/java/password/pwm/AppProperty.java

@@ -45,6 +45,7 @@ public enum AppProperty
     AUDIT_SYSLOG_CEF_HEADER_PRODUCT                 ( "audit.syslog.cef.header.product" ),
     AUDIT_SYSLOG_CEF_HEADER_SEVERITY                ( "audit.syslog.cef.header.severity" ),
     AUDIT_SYSLOG_CEF_HEADER_VENDOR                  ( "audit.syslog.cef.header.vendor" ),
+    AUDIT_SYSLOG_CEF_MAX_EXTENSION_CHARS            ( "audit.syslog.cef.maxExtensionChars" ),
     AUDIT_SYSLOG_MAX_MESSAGE_LENGTH                 ( "audit.syslog.message.length" ),
     AUDIT_SYSLOG_TRUNCATE_MESSAGE                   ( "audit.syslog.message.truncateMsg" ),
     AUTH_ALLOW_SSO_WITH_UNKNOWN_PW                  ( "auth.allowSSOwithUnknownPassword" ),
@@ -324,6 +325,7 @@ public enum AppProperty
     SECURITY_SHAREDHISTORY_HASH_NAME                ( "security.sharedHistory.hashName" ),
     SECURITY_SHAREDHISTORY_CASE_INSENSITIVE         ( "security.sharedHistory.caseInsensitive" ),
     SECURITY_SHAREDHISTORY_SALT_LENGTH              ( "security.sharedHistory.saltLength" ),
+    SECURITY_CERTIFICATES_ALLOW_SELF_SIGNED         ( "security.certs.allowSelfSigned" ),
     SECURITY_CERTIFICATES_VALIDATE_TIMESTAMPS       ( "security.certs.validateTimestamps" ),
     SECURITY_CONFIG_MIN_SECURITY_KEY_LENGTH         ( "security.config.minSecurityKeyLength" ),
     SECURITY_DEFAULT_EPHEMERAL_BLOCK_ALG            ( "security.defaultEphemeralBlockAlg" ),

server/src/main/java/password/pwm/util/secure/X509Utils.java

@@ -320,12 +320,14 @@ public static class CertMatchingTrustManager implements X509TrustManager
     {
         final List<X509Certificate> trustedCertificates;
         final boolean validateTimestamps;
+        final boolean allowSelfSigned;
         final CertificateMatchingMode certificateMatchingMode;
 
         public CertMatchingTrustManager( final Configuration config, final List<X509Certificate> trustedCertificates )
         {
             this.trustedCertificates = new ArrayList<>( trustedCertificates );
             validateTimestamps = config != null && Boolean.parseBoolean( config.readAppProperty( AppProperty.SECURITY_CERTIFICATES_VALIDATE_TIMESTAMPS ) );
+            allowSelfSigned = config != null && Boolean.parseBoolean( config.readAppProperty( AppProperty.SECURITY_CERTIFICATES_ALLOW_SELF_SIGNED ) );
             certificateMatchingMode = config == null
                     ? CertificateMatchingMode.CERTIFICATE_CHAIN
                     : config.readCertificateMatchingMode();
@@ -339,25 +341,42 @@ public void checkClientTrusted( final X509Certificate[] x509Certificates, final
         @Override
         public void checkServerTrusted( final X509Certificate[] x509Certificates, final String s ) throws CertificateException
         {
+            final List<X509Certificate> trustedRootCA = X509Utils.identifyRootCACertificate( trustedCertificates );
+            final List<X509Certificate> remoteCertificates = Arrays.asList( x509Certificates );
+            if ( trustedCertificates.size() == 1 && trustedRootCA.isEmpty() && remoteCertificates.size() == 1 )
+            {
+                if ( allowSelfSigned )
+                {
+                    doValidation( remoteCertificates, trustedCertificates, validateTimestamps );
+                    return;
+                }
+                else
+                {
+                    final String msg = "unable to trust self-signed certificate due to app property '"
+                            + AppProperty.SECURITY_CERTIFICATES_ALLOW_SELF_SIGNED.getKey() + "'";
+                    throw new CertificateException( msg );
+                }
+            }
+
+
             switch ( certificateMatchingMode )
             {
                 case CERTIFICATE_CHAIN:
                 {
-                    doValidation( trustedCertificates, Arrays.asList( x509Certificates ), validateTimestamps );
+                    doValidation( trustedCertificates, remoteCertificates, validateTimestamps );
                     break;
                 }
 
                 case CA_ONLY:
                 {
-                    final List<X509Certificate> trustedRootCA = X509Utils.identifyRootCACertificate( trustedCertificates );
                     if ( trustedRootCA.isEmpty() )
                     {
                         final String errorMsg = "no root CA certificates in configuration trust store for this operation";
                         throw new CertificateException( errorMsg );
                     }
                     doValidation(
                             trustedRootCA,
-                            X509Utils.identifyRootCACertificate( Arrays.asList( x509Certificates ) ),
+                            X509Utils.identifyRootCACertificate( remoteCertificates ),
                             validateTimestamps
                     );
                     break;

server/src/main/resources/password/pwm/AppProperty.properties

@@ -36,6 +36,7 @@ audit.syslog.cef.timezone=Zulu
 audit.syslog.cef.header.product=@PwmAppName@
 audit.syslog.cef.header.severity=Medium
 audit.syslog.cef.header.vendor=@PwmVendorName@
+audit.syslog.cef.maxExtensionChars=1023
 audit.syslog.message.length=900
 audit.syslog.message.truncateMsg=[truncated]
 auth.allowSSOwithUnknownPassword=true
@@ -303,6 +304,7 @@ security.sharedHistory.hashIterations=100000
 security.sharedHistory.hashName=SHA-512
 security.sharedHistory.caseInsensitive=true
 security.sharedHistory.saltLength=64
+security.certs.allowSelfSigned=true
 security.certs.validateTimestamps=false
 security.defaultEphemeralBlockAlg=AES128_GCM
 security.defaultEphemeralHashAlg=SHA512

server/src/main/resources/password/pwm/config/PwmSetting.xml

@@ -1569,7 +1569,7 @@
     </setting>
     <setting hidden="false" key="security.certificate.validationMode" level="2">
         <default>
-            <value>CERTIFICATE_CHAIN</value>
+            <value>CA_ONLY</value>
         </default>
         <options>
             <option value="CA_ONLY">Root Certificate Only</option>

server/src/test/java/password/pwm/http/client/PwmHttpClientTest.java

@@ -29,6 +29,7 @@
 import org.apache.http.HttpResponse;
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.methods.HttpGet;
+import org.apache.http.entity.ContentType;
 import org.junit.Assert;
 import org.junit.Rule;
 import org.junit.Test;
@@ -39,6 +40,7 @@
 import password.pwm.config.PwmSetting;
 import password.pwm.config.stored.StoredConfigurationImpl;
 import password.pwm.error.PwmUnrecoverableException;
+import password.pwm.http.HttpHeader;
 
 import javax.net.ssl.SSLHandshakeException;
 import java.io.InputStream;
@@ -149,7 +151,7 @@ public void testGetHttpClientSslWithCertificates() throws Exception
         // Stub out our local HTTP server
         wireMockRule.stubFor( WireMock.get( WireMock.urlEqualTo( "/simpleHello" ) )
                 .willReturn( WireMock.aResponse()
-                        .withHeader( "Content-Type", "text/plain" )
+                        .withHeader( HttpHeader.ContentType.getHttpName(), ContentType.TEXT_PLAIN.getMimeType() )
                         .withBody( "PwmAbout from the local mock server" ) ) );
 
         final PwmHttpClientConfiguration pwmHttpClientConfiguration = PwmHttpClientConfiguration.builder()
@@ -181,7 +183,7 @@ public void testGetHttpClientProxyHello() throws Exception
         // Stub out our local HTTP server
         wireMockRule.stubFor( WireMock.get( WireMock.urlEqualTo( "/simpleHello" ) )
                 .willReturn( WireMock.aResponse()
-                        .withHeader( "Content-Type", "text/plain" )
+                        .withHeader( HttpHeader.ContentType.getHttpName(), ContentType.TEXT_PLAIN.getMimeType() )
                         .withBody( "PwmAbout from the local mock server" ) ) );
 
         // Stub out some mock object behavior