Recipe Name:
X509: Disabled validation in TrustManager
Description:
A TrustManager has overridden the getAcceptedIssuers method, and only returns null.
Level:
warning
Language:
  • java
Tags:
  • security
  • web
  • TLS
  • OWASP Top 10
Documentation

By overriding getAcceptedIssuers to return null, two issues arise. Firstly, the overridden method's JavaDoc states that the return value must be non-null, so returning null breaks that contract. Secondly, not listing the accepted issuers disables validation of the certificate issuer, which could allow forged certificates, issued by a fraudulent issuer, to be accepted. This in turn weakens the transport encryption or allows it to be circumvented entirely.

References
Recipe
id: scw:web:x509-validation-disabled
version: 10
metadata:
  name: 'X509: Disabled validation in TrustManager'
  shortDescription: A TrustManager has overridden the getAcceptedIssuers method, and only returns null.
  level: warning
  language: java
  scwCategory: insufficient_transport_layer_protection:weak_certificate_validation
  enabled: true
  descriptionFile: descriptions/X509__Disabled_validation_in_TrustManager.html
  tags: security;web;TLS;OWASP Top 10
search:
  method:
    annotation:
      type: Override
    name: getAcceptedIssuers
    returnType: javax.security.cert.X509Certificate[]
    child:
      return:
        value:
          literal:
            value: "null"
availableFixes: []