Reputation: 341
I was reading the source code of an open source P2P project* and encountered code that should make the application completely vulnerable to a man-in-the-middle attack as per Wikipedia. At least if javax.net.ssl.X509TrustManager.getAcceptableIssuers() treats an empty array as Trust Any rather than Trust Nothing. Which it probably would, since as far as it knows you are acting as a server with anonymous clients instead of encrypted P2P requiring both peers to be who they say they are.

    import java.io.FileInputStream;
    import java.io.OutputStream;
    import java.net.Socket;
    import java.security.KeyStore;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.*;

    class ATrustManager implements X509TrustManager {
        public ATrustManager() {}

        // Both checks return without throwing, so every certificate chain is accepted.
        public void checkClientTrusted(X509Certificate[] certs, String authType) {}
        public void checkServerTrusted(X509Certificate[] certs, String authType) {}

        // --- What!? ---
        public X509Certificate[] getAcceptedIssuers() {
            return new java.security.cert.X509Certificate[0];
        }
        // --------------
    }

    class Blah {
        SomeObject doBlah(...) {
            // ... various code ...
            char[] password = "password".toCharArray();

            // Key store holding the local node's own keys.
            KeyStore keystore = KeyStore.getInstance("JKS");
            keystore.load(new FileInputStream("app.keys"), password);
            KeyManagerFactory aKeyManagerFactory =
                KeyManagerFactory.getInstance("SunX509");
            aKeyManagerFactory.init(keystore, password);
            KeyManager[] aKeyManager = aKeyManagerFactory.getKeyManagers();

            // The only trust manager installed is the accept-everything one above.
            TrustManager[] aTrustManager = new TrustManager[] { new ATrustManager() };
            SSLContext sslcontext = SSLContext.getInstance("SSL");
            sslcontext.init(aKeyManager, aTrustManager, null);
            SSLSocketFactory socketFactory = sslcontext.getSocketFactory();
            Socket socket = socketFactory.createSocket(hostname, port);
            OutputStream out = socket.getOutputStream();
            // ... various code ...
        }
    }

My Question: Is this code open to man-in-the-middle? If so, I should probably let the project know about it.
Note: app.keys only stores the local node's keys, not any remote keys.

* Source code anonymised to protect the guilty.
Upvotes: 1
Views: 790
Reputation: 310840
Is this code open to man-in-the-middle?
Yes it is. You are accepting absolutely any SSL certificate, whether or not it is valid, signed by a trusted CA, etc., and whether or not it is the certificate of the peer you are trying to contact. This code should never be deployed in production, which implies that it should never be written at all, unless you like testing deployments that aren't what you're going to deploy in production, and unless you like accepting risks such as the code leaking into the production environment, with radically insecure consequences.
Upvotes: 3
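
For contrast with the accept-everything trust manager discussed above, here is an added example (not from the original posts or the project) of a client socket that actually validates its peer. The class name, the trust store file `peers.trust` and the password parameters are assumptions, and it assumes each peer's certificate names the host it is reached at.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class VerifiedPeerSocket {
    // Load a JKS store from disk, closing the stream afterwards.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLSocket connect(String hostname, int port, char[] keyPass, char[] trustPass)
            throws Exception {
        // Local node's own key pair, as in the question's app.keys.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("app.keys", keyPass), keyPass);

        // Platform trust manager: validates the peer's chain against the
        // certificates in peers.trust (hypothetical file holding the CA or
        // peer certificates this node accepts) and rejects anything else.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("peers.trust", trustPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(hostname, port);
        // A raw SSLSocket does not match the certificate to the host name unless asked to.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException if the peer is not trusted
        return socket;
    }
}
```

A handshake against a peer whose certificate is not anchored in the trust store, or whose certificate does not match `hostname`, now fails instead of silently succeeding.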