Context Navigation

source: josm/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java@ 10076

Last change on this file since 10076 was 10076, checked in by wiktorn, 8 years ago

Better error reporting for hash mismatch.

Property svn:eol-style set to native

File size: 6.0 KB

Line
1	// License: GPL. For details, see LICENSE file.
2	package org.openstreetmap.josm.io;
3
4	import static org.openstreetmap.josm.tools.I18n.tr;
5
6	import java.io.ByteArrayInputStream;
7	import java.io.File;
8	import java.io.IOException;
9	import java.io.InputStream;
10	import java.nio.file.Files;
11	import java.nio.file.Path;
12	import java.nio.file.Paths;
13	import java.security.InvalidAlgorithmParameterException;
14	import java.security.KeyManagementException;
15	import java.security.KeyStore;
16	import java.security.KeyStoreException;
17	import java.security.MessageDigest;
18	import java.security.NoSuchAlgorithmException;
19	import java.security.cert.CertificateException;
20	import java.security.cert.CertificateFactory;
21	import java.security.cert.PKIXParameters;
22	import java.security.cert.TrustAnchor;
23	import java.security.cert.X509Certificate;
24	import java.util.Objects;
25
26	import javax.net.ssl.SSLContext;
27	import javax.net.ssl.TrustManagerFactory;
28
29	import org.openstreetmap.josm.Main;
30	import org.openstreetmap.josm.tools.Utils;
31
32	/**
33	* Class to add missing root certificates to the list of trusted certificates
34	* for TLS connections.
35	*
36	* The added certificates are deemed trustworthy by the main web browsers and
37	* operating systems, but not included in some distributions of Java.
38	*
39	* The certificates are added in-memory at each start, nothing is written to disk.
40	* @since 9995
41	*/
42	public final class CertificateAmendment {
43
44	private static final String[] CERT_AMEND = {
45	"resource://data/security/DST_Root_CA_X3.pem",
46	"resource://data/security/StartCom_Certification_Authority.pem"
47	};
48
49	private static final String[] SHA_HASHES = {
50	"139a5e4a4e0fa505378c72c5f700934ce8333f4e6b1b508886c4b0eb14f4be99",
51	"916a8f9232328192968c81c8edb672fa539f726861dfe379ca722050e19962cd"
52	};
53
54	private CertificateAmendment() {
55	// Hide default constructor for utility classes
56	}
57
58	/**
59	* Add missing root certificates to the list of trusted certificates for TLS connections.
60	* @throws IOException if an I/O error occurs
61	*/
62	public static void addMissingCertificates() throws IOException {
63	if (!Main.pref.getBoolean("tls.add-missing-certificates", true))
64	return;
65	KeyStore keyStore;
66	try {
67	keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
68	} catch (KeyStoreException ex) {
69	throw new IOException(ex);
70	}
71	Path cacertsPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
72	try (InputStream is = Files.newInputStream(cacertsPath)) {
73	keyStore.load(is, "changeit".toCharArray());
74	} catch (NoSuchAlgorithmException ex) {
75	throw new RuntimeException(ex);
76	} catch (CertificateException ex) {
77	throw new IOException(ex);
78	}
79
80	CertificateFactory cf;
81	try {
82	cf = CertificateFactory.getInstance("X.509");
83	} catch (CertificateException ex) {
84	throw new RuntimeException(ex);
85	}
86	boolean certificateAdded = false;
87	for (int i = 0; i < CERT_AMEND.length; i++) {
88	CachedFile certCF = new CachedFile(CERT_AMEND[i]);
89	MessageDigest md;
90	try {
91	md = MessageDigest.getInstance("SHA-256");
92	} catch (NoSuchAlgorithmException ex) {
93	throw new RuntimeException(ex);
94	}
95	byte[] certBytes = certCF.getByteContent();
96	byte[] sha = md.digest(certBytes);
97	if (!SHA_HASHES[i].equals(Utils.toHexString(sha)))
98	throw new RuntimeException(tr("Error adding certificate {0} - hash mismatch. Expected {1}, was {2}", CERT_AMEND[i], SHA_HASHES[i], Utils.toHexString(sha)));
99
100	ByteArrayInputStream certIS = new ByteArrayInputStream(certBytes);
101	X509Certificate cert;
102	try {
103	cert = (X509Certificate) cf.generateCertificate(certIS);
104	} catch (CertificateException ex) {
105	throw new IOException(ex);
106	}
107	if (certificateIsMissing(keyStore, cert)) {
108	if (Main.isDebugEnabled()) {
109	Main.debug(tr("Adding certificate for TLS connections: {0}", cert.getSubjectX500Principal().getName()));
110	}
111	String alias = "josm:" + new File(CERT_AMEND[i]).getName();
112	try {
113	keyStore.setCertificateEntry(alias, cert);
114	} catch (KeyStoreException ex) {
115	throw new AssertionError(ex);
116	}
117	certificateAdded = true;
118	}
119	}
120
121	if (certificateAdded) {
122	try {
123	TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
124	tmf.init(keyStore);
125	SSLContext sslContext = SSLContext.getInstance("TLS");
126	sslContext.init(null, tmf.getTrustManagers(), null);
127	SSLContext.setDefault(sslContext);
128	} catch (NoSuchAlgorithmException \| KeyStoreException \| KeyManagementException ex) {
129	throw new RuntimeException(ex);
130	}
131	}
132	}
133
134	/**
135	* Check if the certificate is missing and needs to be added to the keystore.
136	* @param keyStore the keystore
137	* @param crt the certificate
138	* @return true, if the certificate is not contained in the keystore
139	*/
140	private static boolean certificateIsMissing(KeyStore keyStore, X509Certificate crt) {
141	PKIXParameters params;
142	try {
143	params = new PKIXParameters(keyStore);
144	} catch (KeyStoreException ex) {
145	throw new AssertionError(ex);
146	} catch (InvalidAlgorithmParameterException ex) {
147	throw new RuntimeException(ex);
148	}
149	String id = crt.getSubjectX500Principal().getName();
150	for (TrustAnchor ta : params.getTrustAnchors()) {
151	X509Certificate cert = ta.getTrustedCert();
152	if (Objects.equals(id, cert.getSubjectX500Principal().getName()))
153	return false;
154	}
155	return true;
156	}
157	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: