1 | // License: GPL. For details, see LICENSE file.
|
---|
2 | package org.openstreetmap.josm.io;
|
---|
3 |
|
---|
4 | import static org.openstreetmap.josm.tools.I18n.tr;
|
---|
5 |
|
---|
6 | import java.io.ByteArrayInputStream;
|
---|
7 | import java.io.File;
|
---|
8 | import java.io.IOException;
|
---|
9 | import java.io.InputStream;
|
---|
10 | import java.nio.file.Files;
|
---|
11 | import java.nio.file.Path;
|
---|
12 | import java.nio.file.Paths;
|
---|
13 | import java.security.InvalidAlgorithmParameterException;
|
---|
14 | import java.security.KeyManagementException;
|
---|
15 | import java.security.KeyStore;
|
---|
16 | import java.security.KeyStoreException;
|
---|
17 | import java.security.MessageDigest;
|
---|
18 | import java.security.NoSuchAlgorithmException;
|
---|
19 | import java.security.cert.CertificateException;
|
---|
20 | import java.security.cert.CertificateFactory;
|
---|
21 | import java.security.cert.PKIXParameters;
|
---|
22 | import java.security.cert.TrustAnchor;
|
---|
23 | import java.security.cert.X509Certificate;
|
---|
24 | import java.util.Objects;
|
---|
25 |
|
---|
26 | import javax.net.ssl.SSLContext;
|
---|
27 | import javax.net.ssl.TrustManagerFactory;
|
---|
28 |
|
---|
29 | import org.openstreetmap.josm.Main;
|
---|
30 | import org.openstreetmap.josm.tools.Utils;
|
---|
31 |
|
---|
32 | /**
|
---|
33 | * Class to add missing root certificates to the list of trusted certificates
|
---|
34 | * for TLS connections.
|
---|
35 | *
|
---|
36 | * The added certificates are deemed trustworthy by the main web browsers and
|
---|
37 | * operating systems, but not included in some distributions of Java.
|
---|
38 | *
|
---|
39 | * The certificates are added in-memory at each start, nothing is written to disk.
|
---|
40 | * @since 9995
|
---|
41 | */
|
---|
42 | public final class CertificateAmendment {
|
---|
43 |
|
---|
44 | private static final String[] CERT_AMEND = {
|
---|
45 | "resource://data/security/DST_Root_CA_X3.pem",
|
---|
46 | "resource://data/security/StartCom_Certification_Authority.pem"
|
---|
47 | };
|
---|
48 |
|
---|
49 | private static final String[] SHA_HASHES = {
|
---|
50 | "139a5e4a4e0fa505378c72c5f700934ce8333f4e6b1b508886c4b0eb14f4be99",
|
---|
51 | "916a8f9232328192968c81c8edb672fa539f726861dfe379ca722050e19962cd"
|
---|
52 | };
|
---|
53 |
|
---|
54 | private CertificateAmendment() {
|
---|
55 | // Hide default constructor for utility classes
|
---|
56 | }
|
---|
57 |
|
---|
58 | /**
|
---|
59 | * Add missing root certificates to the list of trusted certificates for TLS connections.
|
---|
60 | * @throws IOException if an I/O error occurs
|
---|
61 | */
|
---|
62 | public static void addMissingCertificates() throws IOException {
|
---|
63 | if (!Main.pref.getBoolean("tls.add-missing-certificates", true))
|
---|
64 | return;
|
---|
65 | KeyStore keyStore;
|
---|
66 | try {
|
---|
67 | keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
|
---|
68 | } catch (KeyStoreException ex) {
|
---|
69 | throw new IOException(ex);
|
---|
70 | }
|
---|
71 | Path cacertsPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
|
---|
72 | try (InputStream is = Files.newInputStream(cacertsPath)) {
|
---|
73 | keyStore.load(is, "changeit".toCharArray());
|
---|
74 | } catch (NoSuchAlgorithmException ex) {
|
---|
75 | throw new RuntimeException(ex);
|
---|
76 | } catch (CertificateException ex) {
|
---|
77 | throw new IOException(ex);
|
---|
78 | }
|
---|
79 |
|
---|
80 | CertificateFactory cf;
|
---|
81 | try {
|
---|
82 | cf = CertificateFactory.getInstance("X.509");
|
---|
83 | } catch (CertificateException ex) {
|
---|
84 | throw new RuntimeException(ex);
|
---|
85 | }
|
---|
86 | boolean certificateAdded = false;
|
---|
87 | for (int i = 0; i < CERT_AMEND.length; i++) {
|
---|
88 | CachedFile certCF = new CachedFile(CERT_AMEND[i]);
|
---|
89 | MessageDigest md;
|
---|
90 | try {
|
---|
91 | md = MessageDigest.getInstance("SHA-256");
|
---|
92 | } catch (NoSuchAlgorithmException ex) {
|
---|
93 | throw new RuntimeException(ex);
|
---|
94 | }
|
---|
95 | byte[] certBytes = certCF.getByteContent();
|
---|
96 | byte[] sha = md.digest(certBytes);
|
---|
97 | if (!SHA_HASHES[i].equals(Utils.toHexString(sha)))
|
---|
98 | throw new RuntimeException(tr("certificate hash mismatch"));
|
---|
99 |
|
---|
100 | ByteArrayInputStream certIS = new ByteArrayInputStream(certBytes);
|
---|
101 | X509Certificate cert;
|
---|
102 | try {
|
---|
103 | cert = (X509Certificate) cf.generateCertificate(certIS);
|
---|
104 | } catch (CertificateException ex) {
|
---|
105 | throw new IOException(ex);
|
---|
106 | }
|
---|
107 | if (certificateIsMissing(keyStore, cert)) {
|
---|
108 | if (Main.isDebugEnabled()) {
|
---|
109 | Main.debug(tr("Adding certificate for TLS connections: {0}", cert.getSubjectX500Principal().getName()));
|
---|
110 | }
|
---|
111 | String alias = "josm:" + new File(CERT_AMEND[i]).getName();
|
---|
112 | try {
|
---|
113 | keyStore.setCertificateEntry(alias, cert);
|
---|
114 | } catch (KeyStoreException ex) {
|
---|
115 | throw new AssertionError(ex);
|
---|
116 | }
|
---|
117 | certificateAdded = true;
|
---|
118 | }
|
---|
119 | }
|
---|
120 |
|
---|
121 | if (certificateAdded) {
|
---|
122 | try {
|
---|
123 | TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
|
---|
124 | tmf.init(keyStore);
|
---|
125 | SSLContext sslContext = SSLContext.getInstance("TLS");
|
---|
126 | sslContext.init(null, tmf.getTrustManagers(), null);
|
---|
127 | SSLContext.setDefault(sslContext);
|
---|
128 | } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException ex) {
|
---|
129 | throw new RuntimeException(ex);
|
---|
130 | }
|
---|
131 | }
|
---|
132 | }
|
---|
133 |
|
---|
134 | /**
|
---|
135 | * Check if the certificate is missing and needs to be added to the keystore.
|
---|
136 | * @param keyStore the keystore
|
---|
137 | * @param crt the certificate
|
---|
138 | * @return true, if the certificate is not contained in the keystore
|
---|
139 | */
|
---|
140 | private static boolean certificateIsMissing(KeyStore keyStore, X509Certificate crt) {
|
---|
141 | PKIXParameters params;
|
---|
142 | try {
|
---|
143 | params = new PKIXParameters(keyStore);
|
---|
144 | } catch (KeyStoreException ex) {
|
---|
145 | throw new AssertionError(ex);
|
---|
146 | } catch (InvalidAlgorithmParameterException ex) {
|
---|
147 | throw new RuntimeException(ex);
|
---|
148 | }
|
---|
149 | String id = crt.getSubjectX500Principal().getName();
|
---|
150 | for (TrustAnchor ta : params.getTrustAnchors()) {
|
---|
151 | X509Certificate cert = ta.getTrustedCert();
|
---|
152 | if (Objects.equals(id, cert.getSubjectX500Principal().getName()))
|
---|
153 | return false;
|
---|
154 | }
|
---|
155 | return true;
|
---|
156 | }
|
---|
157 | }
|
---|