6

I have a gRPC server which is using mutual TLS for encryption and authentication. So, every client that connects to this server provides an SSL certificate and I want to reject connections from clients who have a public key size less than 2048 bits. There seems to be no straightforward way to do this yet.

I was able to do it using a ServerInterceptor this way

public class SSLInterceptor implements ServerInterceptor {
    @Override
    public <ReqT, RespT> Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        try {
            SSLSession sslSession = call.getAttributes().get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
            RSAPublicKeyImpl pk = (RSAPublicKeyImpl) sslSession.getPeerCertificates()[0].getPublicKey();
            if (pk.getModulus().bitLength() < 2048) {
                // reject call
            }
            // proceed with the call
        } catch (SSLPeerUnverifiedException e) {
            // do something
        }
        ...
    }
}

This is a bad way to do it because

  1. The validation is being done after the connection is already established.
  2. The validation is only triggered when a request/call is made.
  3. Every single call involves an extra overhead of validation.
  4. In case of a validation failure, only the call is rejected but not the connection to the client.

In an ideal scenario

  1. The validation is done during the connection establishment phase. (or some point during the creation of the channel between client and server)
  2. The validation failure would prevent the connection from being created and not set it up and disconnect later.
  3. A client is only validated once per session and all the calls made during that session do not incur any overhead.

How can I do this better?

Aditya Vikas Devarapalli
  • 3,186
  • 2
  • 36
  • 54
  • Who generates the client certificates? If it is you, you can know the public key size at the moment of certificate issuance and hence just not issue certificate not using keys long enough per your constraints. – Patrick Mevzek Sep 26 '19 at 21:02
  • @PatrickMevzek I thought of this. Yes, I generate the client certificates and what you said can be done. But, I want to find out how this can be done in a case where I'm not generating the client certs but I'm just trusting the CA that generates the client certs – Aditya Vikas Devarapalli Sep 26 '19 at 21:26
  • Agreed, and this is interesting as a question. But since I know nothing about grpc-java I was just trying to find another solution if it could help. Let us wait on answers. – Patrick Mevzek Sep 26 '19 at 21:57
  • Could you do this by setting the list of supported ciphers? https://www.java.com/en/configure_crypto.html – Ed Randall Sep 27 '19 at 13:40
  • 1
    @EdRandall Yes, I can change the `java.security` file in the jdk to include this line `jdk.certpath.disabledAlgorithms=RSA keySize < 2048` and it works as intended, but this changes things at the environment level and not at the app level – Aditya Vikas Devarapalli Sep 27 '19 at 13:57

2 Answers2

4

You can customize certificate checking by providing your own javax.net.ssl.TrustManagerFactory to Netty's SslContextBuilder. You'd probably want to implement X509ExtendedTrustManager, do your check, and then delegate to a "real" implementation for the rest of the cert chain checking.

You can do something like this to get the default-configuration TrustManagerFactory:

TrustManagerFactory tmf = TrustManagerFactory.getInstance(
    TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
// loop through tmf.getTrustManagers() checking for one implementing X509TrustManager
Eric Anderson
  • 24,057
  • 5
  • 55
  • 76
1

The following may help if gRPC allows you to get at the SSLEngine:

I made a mock-up using SSLEngineSimpleDemo (which is part of Oracle jssesamples.zip) to set custom AlgorithmConstraints where it creates the SSLEngine:

private void createSSLEngines() throws Exception {
    ...
    serverEngine = sslc.createSSLEngine();
    ...
    // Set custom AlgorithmConstraints on the SSL engine
    SSLParameters sslParams = sslc.getSupportedSSLParameters();
    sslParams.setAlgorithmConstraints( new MyAlgorithmConstraints() );
    serverEngine.setSSLParameters(sslParams);

The class MyAlgorithmConstraints looks something like:

import java.security.AlgorithmConstraints;
import java.security.AlgorithmParameters;
import java.security.CryptoPrimitive;
import java.security.Key;
import java.security.interfaces.RSAKey;
import java.util.Set;

public class MyAlgorithmConstraints implements AlgorithmConstraints {


    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, AlgorithmParameters parameters) {
        return true;
    }

    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
        boolean permitted = permittedRSAKey(primitives, key);
        return permitted;
    }

    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, Key key, AlgorithmParameters parameters) {
        boolean permitted = permittedRSAKey(primitives, key);
        return permitted;
    }

    private boolean permittedRSAKey(Set<CryptoPrimitive> primitives, Key key) {
        boolean permitted = true;
        if (primitives.contains(CryptoPrimitive.KEY_AGREEMENT) && key instanceof RSAKey) {
            int length = ((RSAKey)key).getModulus().bitLength();
            if (length < 2040) {
                permitted = false;
                System.out.println("+*+*+* MyConstraints: short RSA key not allowed ["+length+"]");
            }
        }
        return permitted;
    }

}

Length 2040 chosen in case of leading zeroes on the key as per warning in How to get the size of a RSA key in Java but you could just as well reverse the condition to length > 1024 permitted=true.

Ed Randall
  • 6,887
  • 2
  • 50
  • 45