[9995] | 1 | // License: GPL. For details, see LICENSE file.
|
---|
| 2 | package org.openstreetmap.josm.io;
|
---|
| 3 |
|
---|
| 4 | import static org.openstreetmap.josm.tools.I18n.tr;
|
---|
| 5 |
|
---|
| 6 | import java.io.ByteArrayInputStream;
|
---|
| 7 | import java.io.File;
|
---|
| 8 | import java.io.IOException;
|
---|
| 9 | import java.io.InputStream;
|
---|
| 10 | import java.nio.file.Files;
|
---|
| 11 | import java.nio.file.Path;
|
---|
| 12 | import java.nio.file.Paths;
|
---|
[10235] | 13 | import java.security.GeneralSecurityException;
|
---|
[9995] | 14 | import java.security.InvalidAlgorithmParameterException;
|
---|
| 15 | import java.security.KeyStore;
|
---|
| 16 | import java.security.KeyStoreException;
|
---|
| 17 | import java.security.MessageDigest;
|
---|
[11943] | 18 | import java.security.NoSuchAlgorithmException;
|
---|
| 19 | import java.security.cert.CertificateEncodingException;
|
---|
| 20 | import java.security.cert.CertificateException;
|
---|
[9995] | 21 | import java.security.cert.CertificateFactory;
|
---|
| 22 | import java.security.cert.PKIXParameters;
|
---|
| 23 | import java.security.cert.TrustAnchor;
|
---|
| 24 | import java.security.cert.X509Certificate;
|
---|
| 25 | import java.util.Objects;
|
---|
| 26 |
|
---|
| 27 | import javax.net.ssl.SSLContext;
|
---|
| 28 | import javax.net.ssl.TrustManagerFactory;
|
---|
| 29 |
|
---|
| 30 | import org.openstreetmap.josm.Main;
|
---|
[12846] | 31 | import org.openstreetmap.josm.spi.preferences.Config;
|
---|
[12620] | 32 | import org.openstreetmap.josm.tools.Logging;
|
---|
[9995] | 33 | import org.openstreetmap.josm.tools.Utils;
|
---|
| 34 |
|
---|
| 35 | /**
|
---|
| 36 | * Class to add missing root certificates to the list of trusted certificates
|
---|
| 37 | * for TLS connections.
|
---|
| 38 | *
|
---|
| 39 | * The added certificates are deemed trustworthy by the main web browsers and
|
---|
| 40 | * operating systems, but not included in some distributions of Java.
|
---|
| 41 | *
|
---|
| 42 | * The certificates are added in-memory at each start, nothing is written to disk.
|
---|
[9997] | 43 | * @since 9995
|
---|
[9995] | 44 | */
|
---|
[9997] | 45 | public final class CertificateAmendment {
|
---|
[9995] | 46 |
|
---|
[11943] | 47 | /**
|
---|
| 48 | * A certificate amendment.
|
---|
[11944] | 49 | * @since 11943
|
---|
[11943] | 50 | */
|
---|
| 51 | public static class CertAmend {
|
---|
| 52 | private final String id;
|
---|
[12241] | 53 | private final String filename;
|
---|
[11943] | 54 | private final String sha256;
|
---|
| 55 |
|
---|
[12241] | 56 | CertAmend(String id, String filename, String sha256) {
|
---|
| 57 | this.id = id;
|
---|
| 58 | this.filename = filename;
|
---|
[11943] | 59 | this.sha256 = sha256;
|
---|
| 60 | }
|
---|
| 61 |
|
---|
| 62 | /**
|
---|
| 63 | * Returns the certificate identifier.
|
---|
[12623] | 64 | * @return path for JOSM embedded certificate, alias for Windows platform certificate
|
---|
[11943] | 65 | */
|
---|
| 66 | public final String getId() {
|
---|
| 67 | return id;
|
---|
| 68 | }
|
---|
| 69 |
|
---|
| 70 | /**
|
---|
[12241] | 71 | * Returns the certificate filename.
|
---|
[12623] | 72 | * @return filename for both JOSM embedded certificate and Unix platform certificate
|
---|
[12241] | 73 | * @since 12241
|
---|
| 74 | */
|
---|
| 75 | public final String getFilename() {
|
---|
| 76 | return filename;
|
---|
| 77 | }
|
---|
| 78 |
|
---|
| 79 | /**
|
---|
[11943] | 80 | * Returns the SHA-256 hash.
|
---|
| 81 | * @return the SHA-256 hash, in hexadecimal
|
---|
| 82 | */
|
---|
| 83 | public final String getSha256() {
|
---|
| 84 | return sha256;
|
---|
| 85 | }
|
---|
| 86 | }
|
---|
| 87 |
|
---|
| 88 | /**
|
---|
| 89 | * Certificates embedded in JOSM
|
---|
| 90 | */
|
---|
| 91 | private static final CertAmend[] CERT_AMEND = {
|
---|
[12241] | 92 | new CertAmend("resource://data/security/DST_Root_CA_X3.pem", "DST_Root_CA_X3.pem",
|
---|
[11943] | 93 | "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739")
|
---|
[9995] | 94 | };
|
---|
[9997] | 95 |
|
---|
[11943] | 96 | /**
|
---|
| 97 | * Certificates looked into platform native keystore and not embedded in JOSM.
|
---|
[12623] | 98 | * Identifiers must match Windows keystore aliases and Unix filenames for efficient search.
|
---|
[11943] | 99 | */
|
---|
| 100 | private static final CertAmend[] PLATFORM_CERT_AMEND = {
|
---|
[12623] | 101 | // Government of Netherlands
|
---|
[12241] | 102 | new CertAmend("Staat der Nederlanden Root CA - G2", "Staat_der_Nederlanden_Root_CA_-_G2.crt",
|
---|
[11943] | 103 | "668c83947da63b724bece1743c31a0e6aed0db8ec5b31be377bb784f91b6716f"),
|
---|
[12623] | 104 | // Government of Netherlands
|
---|
[12241] | 105 | new CertAmend("Government of Netherlands G3", "Staat_der_Nederlanden_Root_CA_-_G3.crt",
|
---|
[12623] | 106 | "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428"),
|
---|
| 107 | // Trusted and used by French Government - https://www.certigna.fr/autorites/index.xhtml?ac=Racine#lracine
|
---|
| 108 | new CertAmend("Certigna", "Certigna.crt",
|
---|
| 109 | "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d"),
|
---|
[9995] | 110 | };
|
---|
| 111 |
|
---|
[9997] | 112 | private CertificateAmendment() {
|
---|
| 113 | // Hide default constructor for utility classes
|
---|
| 114 | }
|
---|
| 115 |
|
---|
[9995] | 116 | /**
|
---|
| 117 | * Add missing root certificates to the list of trusted certificates for TLS connections.
|
---|
| 118 | * @throws IOException if an I/O error occurs
|
---|
[10235] | 119 | * @throws GeneralSecurityException if a security error occurs
|
---|
[9995] | 120 | */
|
---|
[10235] | 121 | public static void addMissingCertificates() throws IOException, GeneralSecurityException {
|
---|
[12846] | 122 | if (!Config.getPref().getBoolean("tls.add-missing-certificates", true))
|
---|
[9995] | 123 | return;
|
---|
[10235] | 124 | KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
|
---|
[9995] | 125 | Path cacertsPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
|
---|
| 126 | try (InputStream is = Files.newInputStream(cacertsPath)) {
|
---|
| 127 | keyStore.load(is, "changeit".toCharArray());
|
---|
| 128 | }
|
---|
| 129 |
|
---|
[11943] | 130 | MessageDigest md = MessageDigest.getInstance("SHA-256");
|
---|
[10235] | 131 | CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
---|
[9995] | 132 | boolean certificateAdded = false;
|
---|
[11943] | 133 | // Add embedded certificates. Exit in case of error
|
---|
| 134 | for (CertAmend certAmend : CERT_AMEND) {
|
---|
| 135 | try (CachedFile certCF = new CachedFile(certAmend.id)) {
|
---|
| 136 | X509Certificate cert = (X509Certificate) cf.generateCertificate(
|
---|
| 137 | new ByteArrayInputStream(certCF.getByteContent()));
|
---|
| 138 | if (checkAndAddCertificate(md, cert, certAmend, keyStore)) {
|
---|
| 139 | certificateAdded = true;
|
---|
[10083] | 140 | }
|
---|
[11943] | 141 | }
|
---|
| 142 | }
|
---|
| 143 |
|
---|
| 144 | try {
|
---|
| 145 | // Try to add platform certificates. Do not exit in case of error (embedded certificates may be OK)
|
---|
| 146 | for (CertAmend certAmend : PLATFORM_CERT_AMEND) {
|
---|
| 147 | X509Certificate cert = Main.platform.getX509Certificate(certAmend);
|
---|
| 148 | if (checkAndAddCertificate(md, cert, certAmend, keyStore)) {
|
---|
[10235] | 149 | certificateAdded = true;
|
---|
[9995] | 150 | }
|
---|
| 151 | }
|
---|
[11943] | 152 | } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException | IllegalStateException e) {
|
---|
[12620] | 153 | Logging.error(e);
|
---|
[9995] | 154 | }
|
---|
| 155 |
|
---|
| 156 | if (certificateAdded) {
|
---|
[10235] | 157 | TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
|
---|
| 158 | tmf.init(keyStore);
|
---|
| 159 | SSLContext sslContext = SSLContext.getInstance("TLS");
|
---|
| 160 | sslContext.init(null, tmf.getTrustManagers(), null);
|
---|
| 161 | SSLContext.setDefault(sslContext);
|
---|
[9995] | 162 | }
|
---|
| 163 | }
|
---|
| 164 |
|
---|
[11943] | 165 | private static boolean checkAndAddCertificate(MessageDigest md, X509Certificate cert, CertAmend certAmend, KeyStore keyStore)
|
---|
| 166 | throws CertificateEncodingException, KeyStoreException, InvalidAlgorithmParameterException {
|
---|
| 167 | if (cert != null) {
|
---|
| 168 | String sha256 = Utils.toHexString(md.digest(cert.getEncoded()));
|
---|
| 169 | if (!certAmend.sha256.equals(sha256)) {
|
---|
| 170 | throw new IllegalStateException(
|
---|
| 171 | tr("Error adding certificate {0} - certificate fingerprint mismatch. Expected {1}, was {2}",
|
---|
| 172 | certAmend.id, certAmend.sha256, sha256));
|
---|
| 173 | }
|
---|
| 174 | if (certificateIsMissing(keyStore, cert)) {
|
---|
[12620] | 175 | if (Logging.isDebugEnabled()) {
|
---|
| 176 | Logging.debug(tr("Adding certificate for TLS connections: {0}", cert.getSubjectX500Principal().getName()));
|
---|
[11943] | 177 | }
|
---|
| 178 | String alias = "josm:" + new File(certAmend.id).getName();
|
---|
| 179 | keyStore.setCertificateEntry(alias, cert);
|
---|
| 180 | return true;
|
---|
| 181 | }
|
---|
| 182 | }
|
---|
| 183 | return false;
|
---|
| 184 | }
|
---|
| 185 |
|
---|
[9995] | 186 | /**
|
---|
| 187 | * Check if the certificate is missing and needs to be added to the keystore.
|
---|
| 188 | * @param keyStore the keystore
|
---|
| 189 | * @param crt the certificate
|
---|
| 190 | * @return true, if the certificate is not contained in the keystore
|
---|
[10235] | 191 | * @throws InvalidAlgorithmParameterException if the keystore does not contain at least one trusted certificate entry
|
---|
| 192 | * @throws KeyStoreException if the keystore has not been initialized
|
---|
[9995] | 193 | */
|
---|
[10235] | 194 | private static boolean certificateIsMissing(KeyStore keyStore, X509Certificate crt)
|
---|
| 195 | throws KeyStoreException, InvalidAlgorithmParameterException {
|
---|
| 196 | PKIXParameters params = new PKIXParameters(keyStore);
|
---|
[9997] | 197 | String id = crt.getSubjectX500Principal().getName();
|
---|
[9995] | 198 | for (TrustAnchor ta : params.getTrustAnchors()) {
|
---|
| 199 | X509Certificate cert = ta.getTrustedCert();
|
---|
| 200 | if (Objects.equals(id, cert.getSubjectX500Principal().getName()))
|
---|
| 201 | return false;
|
---|
| 202 | }
|
---|
| 203 | return true;
|
---|
| 204 | }
|
---|
| 205 | }
|
---|