Add back trust all certificates

Author: Zhen Li

driver/src/main/java/org/neo4j/driver/Config.java

@@ -34,6 +34,7 @@
 import org.neo4j.driver.util.Immutable;
 import org.neo4j.driver.util.Resource;
 
+import static org.neo4j.driver.Config.TrustStrategy.trustSystemCertificates;
 import static org.neo4j.driver.Logging.javaUtilLogging;
 
 /**
@@ -249,7 +250,7 @@ public static class ConfigBuilder
         private long maxConnectionLifetimeMillis = PoolSettings.DEFAULT_MAX_CONNECTION_LIFETIME;
         private long connectionAcquisitionTimeoutMillis = PoolSettings.DEFAULT_CONNECTION_ACQUISITION_TIMEOUT;
         private boolean encrypted = false;
-        private TrustStrategy trustStrategy = TrustStrategy.trustSystemCertificates();
+        private TrustStrategy trustStrategy = trustSystemCertificates();
         private int routingFailureLimit = RoutingSettings.DEFAULT.maxRoutingFailures();
         private long routingRetryDelayMillis = RoutingSettings.DEFAULT.retryTimeoutDelay();
         private long routingTablePurgeDelayMillis = RoutingSettings.DEFAULT.routingTablePurgeDelayMs();
@@ -687,6 +688,7 @@ public static class TrustStrategy
          */
         public enum Strategy
         {
+            TRUST_ALL_CERTIFICATES,
             TRUST_CUSTOM_CA_SIGNED_CERTIFICATES,
             TRUST_SYSTEM_CA_SIGNED_CERTIFICATES
         }
@@ -782,5 +784,16 @@ public static TrustStrategy trustSystemCertificates()
         {
             return new TrustStrategy( Strategy.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES );
         }
+
+        /**
+         * Trust strategy for certificates that trust all certificates blindly. Suggested to only use this in tests.
+         *
+         * @return an authentication config
+         * @since 1.1
+         */
+        public static TrustStrategy trustAllCertificates()
+        {
+            return new TrustStrategy( Strategy.TRUST_ALL_CERTIFICATES );
+        }
     }
 }

driver/src/main/java/org/neo4j/driver/internal/DriverFactory.java

@@ -306,6 +306,8 @@ private static SecurityPlan createSecurityPlanImpl( Config config )
                 return SecurityPlan.forCustomCASignedCertificates( trustStrategy.certFile(), hostnameVerificationEnabled );
             case TRUST_SYSTEM_CA_SIGNED_CERTIFICATES:
                 return SecurityPlan.forSystemCASignedCertificates( hostnameVerificationEnabled );
+            case TRUST_ALL_CERTIFICATES:
+                return SecurityPlan.forAllCertificates( hostnameVerificationEnabled );
             default:
                 throw new ClientException(
                         "Unknown TLS authentication strategy: " + trustStrategy.strategy().name() );

driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlan.java

@@ -23,9 +23,13 @@
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 
 import static org.neo4j.driver.internal.util.CertificateTool.loadX509Cert;
 
@@ -34,6 +38,14 @@
  */
 public class SecurityPlan
 {
+    public static SecurityPlan forAllCertificates( boolean requiresHostnameVerification ) throws GeneralSecurityException
+    {
+        SSLContext sslContext = SSLContext.getInstance( "TLS" );
+        sslContext.init( new KeyManager[0], new TrustManager[]{new TrustAllTrustManager()}, null );
+
+        return new SecurityPlan( true, sslContext, requiresHostnameVerification );
+    }
+
     public static SecurityPlan forCustomCASignedCertificates( File certFile, boolean requiresHostnameVerification )
             throws GeneralSecurityException, IOException
     {
@@ -90,4 +102,22 @@ public boolean requiresHostnameVerification()
     {
         return requiresHostnameVerification;
     }
+
+    private static class TrustAllTrustManager implements X509TrustManager
+    {
+        public void checkClientTrusted( X509Certificate[] chain, String authType ) throws CertificateException
+        {
+            throw new CertificateException( "All client connections to this client are forbidden." );
+        }
+
+        public void checkServerTrusted( X509Certificate[] chain, String authType ) throws CertificateException
+        {
+            // all fine, pass through
+        }
+
+        public X509Certificate[] getAcceptedIssuers()
+        {
+            return new X509Certificate[0];
+        }
+    }
 }

driver/src/test/java/org/neo4j/driver/integration/ChannelConnectorImplIT.java

@@ -32,6 +32,7 @@
 import java.io.UncheckedIOException;
 import java.net.ServerSocket;
 import java.net.Socket;
+import java.security.GeneralSecurityException;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 
@@ -61,7 +62,6 @@
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.neo4j.driver.internal.logging.DevNullLogging.DEV_NULL_LOGGING;
-import static org.neo4j.driver.util.SecurityUtil.trustAllCertificates;
 import static org.neo4j.driver.util.TestUtil.await;
 
 @ParallelizableIT
@@ -232,4 +232,9 @@ private ChannelConnectorImpl newConnector( AuthToken authToken, SecurityPlan sec
         ConnectionSettings settings = new ConnectionSettings( authToken, connectTimeoutMillis );
         return new ChannelConnectorImpl( settings, securityPlan, DEV_NULL_LOGGING, new FakeClock() );
     }
+
+    private static SecurityPlan trustAllCertificates() throws GeneralSecurityException
+    {
+        return SecurityPlan.forAllCertificates( false );
+    }
 }

driver/src/test/java/org/neo4j/driver/integration/EncryptionIT.java

@@ -38,7 +38,7 @@
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.junit.MatcherAssert.assertThat;
 import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.neo4j.driver.Config.TrustStrategy.trustCustomCertificateSignedBy;
+import static org.neo4j.driver.Config.TrustStrategy.trustAllCertificates;
 
 @ParallelizableIT
 class EncryptionIT
@@ -121,7 +121,7 @@ private static Config newConfig( boolean withEncryption )
 
     private static Config configWithEncryption()
     {
-        return Config.builder().withEncryption().withTrustStrategy( trustCustomCertificateSignedBy( neo4j.tlsCertFile() ) ).build();
+        return Config.builder().withEncryption().withTrustStrategy( trustAllCertificates() ).build();
     }
 
     private static Config configWithoutEncryption()

driver/src/test/java/org/neo4j/driver/internal/async/connection/NettyChannelInitializerTest.java

@@ -63,7 +63,7 @@ void tearDown()
     @Test
     void shouldAddSslHandlerWhenRequiresEncryption() throws Exception
     {
-        SecurityPlan security = secure();
+        SecurityPlan security = trustAllCertificates();
         NettyChannelInitializer initializer = newInitializer( security );
 
         initializer.initChannel( channel );
@@ -86,7 +86,7 @@ void shouldNotAddSslHandlerWhenDoesNotRequireEncryption()
     void shouldAddSslHandlerWithHandshakeTimeout() throws Exception
     {
         int timeoutMillis = 424242;
-        SecurityPlan security = secure();
+        SecurityPlan security = trustAllCertificates();
         NettyChannelInitializer initializer = newInitializer( security, timeoutMillis );
 
         initializer.initChannel( channel );
@@ -115,7 +115,7 @@ void shouldUpdateChannelAttributes()
     void shouldIncludeSniHostName() throws Exception
     {
         BoltServerAddress address = new BoltServerAddress( "database.neo4j.com", 8989 );
-        NettyChannelInitializer initializer = new NettyChannelInitializer( address, secure(), 10000, Clock.SYSTEM, DEV_NULL_LOGGING );
+        NettyChannelInitializer initializer = new NettyChannelInitializer( address, trustAllCertificates(), 10000, Clock.SYSTEM, DEV_NULL_LOGGING );
 
         initializer.initChannel( channel );
 
@@ -142,7 +142,7 @@ void shouldNotEnableHostnameVerificationWhenNotConfigured() throws Exception
 
     private void testHostnameVerificationSetting( boolean enabled, String expectedValue ) throws Exception
     {
-        NettyChannelInitializer initializer = newInitializer( SecurityPlan.forSystemCASignedCertificates( enabled ) );
+        NettyChannelInitializer initializer = newInitializer( SecurityPlan.forAllCertificates( enabled ) );
 
         initializer.initChannel( channel );
 
@@ -169,9 +169,8 @@ private static NettyChannelInitializer newInitializer( SecurityPlan securityPlan
                 DEV_NULL_LOGGING );
     }
 
-    private static SecurityPlan secure() throws GeneralSecurityException
+    private static SecurityPlan trustAllCertificates() throws GeneralSecurityException
     {
-        // Any secure security plan
-        return SecurityPlan.forSystemCASignedCertificates( false );
+        return SecurityPlan.forAllCertificates( false );
     }
 }