source: josm/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java@ 10171

Last change on this file since 10171 was 10088, checked in by stoecker, 8 years ago

see #12264 - revert r10085
  • Property svn:eol-style set to native
File size: 6.1 KB
Line 
1// License: GPL. For details, see LICENSE file.
2package org.openstreetmap.josm.io;
3
4import static org.openstreetmap.josm.tools.I18n.tr;
5
6import java.io.ByteArrayInputStream;
7import java.io.File;
8import java.io.IOException;
9import java.io.InputStream;
10import java.nio.file.Files;
11import java.nio.file.Path;
12import java.nio.file.Paths;
13import java.security.InvalidAlgorithmParameterException;
14import java.security.KeyManagementException;
15import java.security.KeyStore;
16import java.security.KeyStoreException;
17import java.security.MessageDigest;
18import java.security.NoSuchAlgorithmException;
19import java.security.cert.CertificateException;
20import java.security.cert.CertificateFactory;
21import java.security.cert.PKIXParameters;
22import java.security.cert.TrustAnchor;
23import java.security.cert.X509Certificate;
24import java.util.Objects;
25
26import javax.net.ssl.SSLContext;
27import javax.net.ssl.TrustManagerFactory;
28
29import org.openstreetmap.josm.Main;
30import org.openstreetmap.josm.tools.Utils;
31
32/**
33 * Class to add missing root certificates to the list of trusted certificates
34 * for TLS connections.
35 *
36 * The added certificates are deemed trustworthy by the main web browsers and
37 * operating systems, but not included in some distributions of Java.
38 *
39 * The certificates are added in-memory at each start, nothing is written to disk.
40 * @since 9995
41 */
42public final class CertificateAmendment {
43
44 private static final String[] CERT_AMEND = {
45 "resource://data/security/DST_Root_CA_X3.pem",
46 "resource://data/security/StartCom_Certification_Authority.pem"
47 };
48
49 private static final String[] SHA_HASHES = {
50 "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739",
51 "c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea"
52 };
53
54 private CertificateAmendment() {
55 // Hide default constructor for utility classes
56 }
57
58 /**
59 * Add missing root certificates to the list of trusted certificates for TLS connections.
60 * @throws IOException if an I/O error occurs
61 */
62 public static void addMissingCertificates() throws IOException {
63 if (!Main.pref.getBoolean("tls.add-missing-certificates", true))
64 return;
65 KeyStore keyStore;
66 try {
67 keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
68 } catch (KeyStoreException ex) {
69 throw new IOException(ex);
70 }
71 Path cacertsPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
72 try (InputStream is = Files.newInputStream(cacertsPath)) {
73 keyStore.load(is, "changeit".toCharArray());
74 } catch (NoSuchAlgorithmException ex) {
75 throw new RuntimeException(ex);
76 } catch (CertificateException ex) {
77 throw new IOException(ex);
78 }
79
80 CertificateFactory cf;
81 try {
82 cf = CertificateFactory.getInstance("X.509");
83 } catch (CertificateException ex) {
84 throw new RuntimeException(ex);
85 }
86 boolean certificateAdded = false;
87 for (int i = 0; i < CERT_AMEND.length; i++) {
88 CachedFile certCF = new CachedFile(CERT_AMEND[i]);
89 byte[] certBytes = certCF.getByteContent();
90 ByteArrayInputStream certIS = new ByteArrayInputStream(certBytes);
91 X509Certificate cert;
92
93 try {
94 cert = (X509Certificate) cf.generateCertificate(certIS);
95 MessageDigest md = MessageDigest.getInstance("SHA-256");
96 String sha1 = Utils.toHexString(md.digest(cert.getEncoded()));
97 if (!SHA_HASHES[i].equals(sha1)) {
98 throw new RuntimeException(tr("Error adding certificate {0} - certificate fingerprint mismatch. Expected {1}, was {2}",
99 CERT_AMEND[i],
100 SHA_HASHES[i],
101 sha1
102 ));
103 }
104 } catch (CertificateException ex) {
105 throw new IOException(ex);
106 } catch (NoSuchAlgorithmException ex) {
107 throw new RuntimeException(ex);
108 }
109 if (certificateIsMissing(keyStore, cert)) {
110 if (Main.isDebugEnabled()) {
111 Main.debug(tr("Adding certificate for TLS connections: {0}", cert.getSubjectX500Principal().getName()));
112 }
113 String alias = "josm:" + new File(CERT_AMEND[i]).getName();
114 try {
115 keyStore.setCertificateEntry(alias, cert);
116 } catch (KeyStoreException ex) {
117 throw new AssertionError(ex);
118 }
119 certificateAdded = true;
120 }
121 }
122
123 if (certificateAdded) {
124 try {
125 TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
126 tmf.init(keyStore);
127 SSLContext sslContext = SSLContext.getInstance("TLS");
128 sslContext.init(null, tmf.getTrustManagers(), null);
129 SSLContext.setDefault(sslContext);
130 } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException ex) {
131 throw new RuntimeException(ex);
132 }
133 }
134 }
135
136 /**
137 * Check if the certificate is missing and needs to be added to the keystore.
138 * @param keyStore the keystore
139 * @param crt the certificate
140 * @return true, if the certificate is not contained in the keystore
141 */
142 private static boolean certificateIsMissing(KeyStore keyStore, X509Certificate crt) {
143 PKIXParameters params;
144 try {
145 params = new PKIXParameters(keyStore);
146 } catch (KeyStoreException ex) {
147 throw new AssertionError(ex);
148 } catch (InvalidAlgorithmParameterException ex) {
149 throw new RuntimeException(ex);
150 }
151 String id = crt.getSubjectX500Principal().getName();
152 for (TrustAnchor ta : params.getTrustAnchors()) {
153 X509Certificate cert = ta.getTrustedCert();
154 if (Objects.equals(id, cert.getSubjectX500Principal().getName()))
155 return false;
156 }
157 return true;
158 }
159}
Note: See TracBrowser for help on using the repository browser.