Add certificate pinning to address MITM vulnerabilities

Signed-off-by: Mitch Gaffigan <mitch.gaffigan@comcast.net>

Author: mgaffigan

client/src/com/mirth/connect/client/ui/CommandLineOptions.java

@@ -3,6 +3,10 @@
 
 package com.mirth.connect.client.ui;
 
+import java.util.ArrayDeque;
+import java.util.Arrays;
+import java.util.Deque;
+
 import org.apache.commons.lang3.StringUtils;
 
 /**
@@ -15,66 +19,56 @@ public class CommandLineOptions {
     private final String password;
     private final String protocols;
     private final String cipherSuites;
+    private final String pinnedClientTrust;
 
     /**
      * Parse command line arguments for Mirth client.
      */
     public CommandLineOptions(String[] args) {
+        if (args == null) {
+            args = new String[0];
+        }
+
         String server = "https://localhost:8443";
         String version = "";
         String username = "";
         String password = "";
         String protocols = "";
         String cipherSuites = "";
+        String pinnedClientTrust = "";
 
-        if (args == null) {
-            args = new String[0];
-        }
+        Deque<String> remaining = new ArrayDeque<String>(Arrays.asList(args));
+        int idx = 0;
+        while (true) {
+            String arg = remaining.pollFirst();
+            if (arg == null) {
+                break;
+            }
 
-        if (args.length > 0) {
-            server = args[0];
-        }
-        if (args.length > 1) {
-            version = args[1];
-        }
-        if (args.length > 2) {
-            if (StringUtils.equalsIgnoreCase(args[2], "-ssl")) {
-                // <server> <version> -ssl [<protocols> [<ciphersuites> [<username> [<password>]]]]
-                if (args.length > 3) {
-                    protocols = args[3];
-                }
-                if (args.length > 4) {
-                    cipherSuites = args[4];
-                }
-                if (args.length > 5) {
-                    username = args[5];
-                }
-                if (args.length > 6) {
-                    password = args[6];
-                }
+            if (StringUtils.equalsIgnoreCase(arg, "-ssl")) {
+                protocols = StringUtils.defaultString(remaining.pollFirst());
+                cipherSuites = StringUtils.defaultString(remaining.pollFirst());
+            } else if (StringUtils.equalsIgnoreCase(arg, "-trust")) {
+                pinnedClientTrust = StringUtils.defaultString(remaining.pollFirst());
             } else {
-                // <server> <version> <username> [<password> [-ssl [<protocols> [<ciphersuites>]]]]
-                username = args[2];
-                if (args.length > 3) {
-                    password = args[3];
-                }
-                if (args.length > 4 && StringUtils.equalsIgnoreCase(args[4], "-ssl")) {
-                    if (args.length > 5) {
-                        protocols = args[5];
-                    }
-                    if (args.length > 6) {
-                        cipherSuites = args[6];
-                    }
+                switch (idx) {
+                    case 0 -> server = arg;
+                    case 1 -> version = arg;
+                    case 2 -> username = arg;
+                    case 3 -> password = arg;
+                    default -> {} // Explicitly ignore extra arguments
                 }
+                idx++;
             }
         }
 
         this.server = server;
         this.version = version;
         this.username = username;
         this.password = password;
-        this.protocols = protocols;
-        this.cipherSuites = cipherSuites;
+        this.protocols = StringUtils.defaultString(protocols);
+        this.cipherSuites = StringUtils.defaultString(cipherSuites);
+        this.pinnedClientTrust = StringUtils.defaultString(pinnedClientTrust);
     }
 
     public String getServer() {
@@ -100,4 +94,8 @@ public String getProtocols() {
     public String getCipherSuites() {
         return cipherSuites;
     }
+
+    public String getPinnedClientTrust() {
+        return pinnedClientTrust;
+    }
 }

client/src/com/mirth/connect/client/ui/LoginPanel.java

@@ -423,7 +423,7 @@ public Void doInBackground() {
 
                 try {
                     String server = serverName.getText();
-                    client = new Client(server, PlatformUI.HTTPS_PROTOCOLS, PlatformUI.HTTPS_CIPHER_SUITES);
+                    client = new Client(server, PlatformUI.HTTPS_PROTOCOLS, PlatformUI.HTTPS_CIPHER_SUITES, PlatformUI.PINNED_CLIENT_TRUST);
                     PlatformUI.SERVER_URL = server;
 
                     // Attempt to login

client/src/com/mirth/connect/client/ui/Mirth.java

@@ -261,6 +261,7 @@ public static void main(String[] args) {
         if (StringUtils.isNotBlank(opts.getCipherSuites())) {
             PlatformUI.HTTPS_CIPHER_SUITES = StringUtils.split(opts.getCipherSuites(), ',');
         }
+        PlatformUI.PINNED_CLIENT_TRUST = opts.getPinnedClientTrust();
         PlatformUI.SERVER_URL = opts.getServer();
         PlatformUI.CLIENT_VERSION = opts.getVersion();
 

client/src/com/mirth/connect/client/ui/PlatformUI.java

@@ -33,6 +33,7 @@ public class PlatformUI {
     public static String SERVER_DATABASE;
     public static String USER_NAME;
     public static String CLIENT_VERSION;
+    public static String PINNED_CLIENT_TRUST;
     public static String SERVER_VERSION;
     public static String BUILD_DATE;
     public static Color DEFAULT_BACKGROUND_COLOR = ServerSettings.DEFAULT_COLOR;

client/test/com/mirth/connect/client/ui/CommandLineOptionsTest.java

@@ -20,6 +20,7 @@ public void testParseSslForm() {
         assertEquals("secret", opts.getPassword());
         assertEquals("TLSv1.2,TLSv1.3", opts.getProtocols());
         assertEquals("TLS_RSA_WITH_AES_128_GCM_SHA256", opts.getCipherSuites());
+        assertEquals("", opts.getPinnedClientTrust());
     }
 
     @Test
@@ -33,6 +34,49 @@ public void testParseUsernameFormWithSsl() {
         assertEquals("pw", opts.getPassword());
         assertEquals("TLSv1.2", opts.getProtocols());
         assertEquals("CIPHER", opts.getCipherSuites());
+        assertEquals("", opts.getPinnedClientTrust());
+    }
+
+    @Test
+    public void testParseSslFormWithPinnedClientTrust() {
+        String[] args = new String[] { "https://example:8443", "1.0", "-ssl", "TLSv1.2,TLSv1.3", "TLS_RSA_WITH_AES_128_GCM_SHA256", "alice", "secret", "-trust", "abcdef1234,5489349" };
+        CommandLineOptions opts = new CommandLineOptions(args);
+
+        assertEquals("https://example:8443", opts.getServer());
+        assertEquals("1.0", opts.getVersion());
+        assertEquals("alice", opts.getUsername());
+        assertEquals("secret", opts.getPassword());
+        assertEquals("TLSv1.2,TLSv1.3", opts.getProtocols());
+        assertEquals("TLS_RSA_WITH_AES_128_GCM_SHA256", opts.getCipherSuites());
+        assertEquals("abcdef1234,5489349", opts.getPinnedClientTrust());
+    }
+
+    @Test
+    public void testParseUsernameFormWithPinnedClientTrust() {
+        String[] args = new String[] { "https://example:8443", "1.0", "bob", "pw", "-trust", "localhost,a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3" };
+        CommandLineOptions opts = new CommandLineOptions(args);
+
+        assertEquals("https://example:8443", opts.getServer());
+        assertEquals("1.0", opts.getVersion());
+        assertEquals("bob", opts.getUsername());
+        assertEquals("pw", opts.getPassword());
+        assertEquals("", opts.getProtocols());
+        assertEquals("", opts.getCipherSuites());
+        assertEquals("localhost,a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3", opts.getPinnedClientTrust());
+    }
+
+    @Test
+    public void testParsePinnedClientTrustAfterredentials() {
+        String[] args = new String[] { "https://example:8443", "1.0", "bob", "pw", "-trust", "localhost,a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3" };
+        CommandLineOptions opts = new CommandLineOptions(args);
+
+        assertEquals("https://example:8443", opts.getServer());
+        assertEquals("1.0", opts.getVersion());
+        assertEquals("bob", opts.getUsername());
+        assertEquals("pw", opts.getPassword());
+        assertEquals("", opts.getProtocols());
+        assertEquals("", opts.getCipherSuites());
+        assertEquals("localhost,a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3", opts.getPinnedClientTrust());
     }
 
     @Test
@@ -45,6 +89,7 @@ public void testNullArgsUsesDefaults() {
         assertEquals("", opts.getPassword());
         assertEquals("", opts.getProtocols());
         assertEquals("", opts.getCipherSuites());
+        assertEquals("", opts.getPinnedClientTrust());
     }
 
     @Test
@@ -58,5 +103,6 @@ public void testNormal() {
         assertEquals("", opts.getPassword());
         assertEquals("", opts.getProtocols());
         assertEquals("", opts.getCipherSuites());
+        assertEquals("", opts.getPinnedClientTrust());
     }
 }

server/conf/mirth.properties

@@ -63,6 +63,19 @@ server.includecustomlib = false
 
 # administrator
 administrator.maxheapsize = 512m
+# Controls how the client should validate the server's SSL certificate.
+# Comma separated list of options:
+# - pki
+#   Trust CA's and peer trust based on the client JVM config.  Requires
+#   the server hostname to match the certificate CN or SAN.  This is the
+#   "normal" trust required by most SSL clients.
+# - webserver
+#   Trust this server's certificate specifically.  Do not validate hostname.
+# - <thumbprint>
+#   Trust the specified SHA-256 certificate thumbprint.  Do not validate hostname.
+# - insecure_trust_all_certs
+#   Trust all certificates without validation. (not recommended)
+administrator.pinnedclienttrust = pki,webserver
 
 # properties file that will store the configuration map and be loaded during server startup
 configurationmap.path = ${dir.appdata}/configuration.properties

server/src/com/mirth/connect/client/core/CertificateThumbprintMatcher.java

@@ -0,0 +1,70 @@
+// SPDX-License-Identifier: MPL-2.0
+// SPDX-FileCopyrightText: 2026 Mitch Gaffigan
+
+package com.mirth.connect.client.core;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.HexFormat;
+import java.util.Locale;
+import java.util.Set;
+
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSession;
+
+import org.apache.commons.lang3.StringUtils;
+
+/** A collection of trusted certificate thumbprints. */
+final class CertificateThumbprintMatcher {
+
+    private final Set<String> pinnedThumbprints;
+
+    CertificateThumbprintMatcher(Set<String> pinnedThumbprints) {
+        this.pinnedThumbprints = pinnedThumbprints;
+    }
+
+    boolean matches(SSLSession session) {
+        try {
+            return matches(session.getPeerCertificates());
+        } catch (SSLPeerUnverifiedException e) {
+            return false;
+        }
+    }
+
+    boolean matches(Certificate[] certificates) {
+        if (pinnedThumbprints.isEmpty() || certificates == null) {
+            return false;
+        }
+
+        for (Certificate certificate : certificates) {
+            if (certificate instanceof X509Certificate) {
+                try {
+                    if (pinnedThumbprints.contains(getThumbprint((X509Certificate) certificate))) {
+                        return true;
+                    }
+                } catch (CertificateException e) {
+                    continue;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    static String normalize(String thumbprint) {
+        return StringUtils.lowerCase(StringUtils.deleteWhitespace(StringUtils.trimToEmpty(thumbprint)), Locale.ROOT);
+    }
+
+    private String getThumbprint(X509Certificate certificate) throws CertificateException {
+        try {
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            return HexFormat.of().formatHex(digest.digest(certificate.getEncoded()));
+        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
+            throw new CertificateException("Unable to calculate certificate thumbprint.", e);
+        }
+    }
+}

server/src/com/mirth/connect/client/core/Client.java

@@ -151,30 +151,43 @@ public class Client implements UserServletInterface, ConfigurationServletInterfa
      */
     public Client(String address) throws URISyntaxException {
         // Default timeout is infinite.
-        this(address, 0, MirthSSLUtil.DEFAULT_HTTPS_CLIENT_PROTOCOLS, MirthSSLUtil.DEFAULT_HTTPS_CIPHER_SUITES, null);
+        this(address, 0, MirthSSLUtil.DEFAULT_HTTPS_CLIENT_PROTOCOLS, MirthSSLUtil.DEFAULT_HTTPS_CIPHER_SUITES, null, null);
     }
 
     public Client(String address, String[] httpsProtocols, String[] httpsCipherSuites) throws URISyntaxException {
         // Default timeout is infinite.
-        this(address, 0, httpsProtocols, httpsCipherSuites, null);
+        this(address, httpsProtocols, httpsCipherSuites, (String) null);
+    }
+
+    public Client(String address, String[] httpsProtocols, String[] httpsCipherSuites, String pinnedClientTrust) throws URISyntaxException {
+        // Default timeout is infinite.
+        this(address, 0, httpsProtocols, httpsCipherSuites, pinnedClientTrust, null);
     }
 
     public Client(String address, String[] httpsProtocols, String[] httpsCipherSuites, String[] apiProviderClasses) throws URISyntaxException {
         // Default timeout is infinite.
-        this(address, 0, httpsProtocols, httpsCipherSuites, apiProviderClasses);
+        this(address, 0, httpsProtocols, httpsCipherSuites, null, apiProviderClasses);
     }
 
     public Client(String address, int timeout, String[] httpsProtocols, String[] httpsCipherSuites) throws URISyntaxException {
-        this(address, timeout, httpsProtocols, httpsCipherSuites, null);
+        this(address, timeout, httpsProtocols, httpsCipherSuites, null, null);
     }
 
     public Client(String address, int timeout, String[] httpsProtocols, String[] httpsCipherSuites, String[] apiProviderClasses) throws URISyntaxException {
+        this(address, timeout, httpsProtocols, httpsCipherSuites, null, apiProviderClasses);
+    }
+
+    public Client(String address, int timeout, String[] httpsProtocols, String[] httpsCipherSuites, String pinnedClientTrust) throws URISyntaxException {
+        this(address, timeout, httpsProtocols, httpsCipherSuites, pinnedClientTrust, null);
+    }
+
+    public Client(String address, int timeout, String[] httpsProtocols, String[] httpsCipherSuites, String pinnedClientTrust, String[] apiProviderClasses) throws URISyntaxException {
         if (!address.endsWith("/")) {
             address += "/";
         }
         URI addressURI = new URI(address);
 
-        serverConnection = new ServerConnection(timeout, httpsProtocols, httpsCipherSuites, StringUtils.equalsIgnoreCase(addressURI.getScheme(), "http"));
+        serverConnection = new ServerConnection(timeout, httpsProtocols, httpsCipherSuites, pinnedClientTrust, addressURI.getHost(), StringUtils.equalsIgnoreCase(addressURI.getScheme(), "http"));
 
         ClientConfig config = new ClientConfig().connectorProvider(new ConnectorProvider() {
             @Override

server/src/com/mirth/connect/client/core/CompositeHostnameVerifier.java

@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: MPL-2.0
+// SPDX-FileCopyrightText: 2026 Mitch Gaffigan
+
+package com.mirth.connect.client.core;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLSession;
+
+/** A composite hostname verifier that delegates to multiple implementations. */
+public class CompositeHostnameVerifier implements HostnameVerifier {
+
+    private final List<HostnameVerifier> hostnameVerifiers;
+
+    public CompositeHostnameVerifier(List<HostnameVerifier> hostnameVerifiers) {
+        this.hostnameVerifiers = new ArrayList<HostnameVerifier>(hostnameVerifiers);
+    }
+
+    @Override
+    public boolean verify(String host, SSLSession session) {
+        for (HostnameVerifier hostnameVerifier : hostnameVerifiers) {
+            if (hostnameVerifier.verify(host, session)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}