source: josm/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java@ 12668

Last change on this file since 12668 was 12623, checked in by Don-vip, 7 years ago

see #14649, see #15178 - load Certigna certificate from platform keystore, needed for cadastre-fr plugin, as it is now used by French government
  • Property svn:eol-style set to native
File size: 8.2 KB
Line 
1// License: GPL. For details, see LICENSE file.
2package org.openstreetmap.josm.io;
3
4import static org.openstreetmap.josm.tools.I18n.tr;
5
6import java.io.ByteArrayInputStream;
7import java.io.File;
8import java.io.IOException;
9import java.io.InputStream;
10import java.nio.file.Files;
11import java.nio.file.Path;
12import java.nio.file.Paths;
13import java.security.GeneralSecurityException;
14import java.security.InvalidAlgorithmParameterException;
15import java.security.KeyStore;
16import java.security.KeyStoreException;
17import java.security.MessageDigest;
18import java.security.NoSuchAlgorithmException;
19import java.security.cert.CertificateEncodingException;
20import java.security.cert.CertificateException;
21import java.security.cert.CertificateFactory;
22import java.security.cert.PKIXParameters;
23import java.security.cert.TrustAnchor;
24import java.security.cert.X509Certificate;
25import java.util.Objects;
26
27import javax.net.ssl.SSLContext;
28import javax.net.ssl.TrustManagerFactory;
29
30import org.openstreetmap.josm.Main;
31import org.openstreetmap.josm.tools.Logging;
32import org.openstreetmap.josm.tools.Utils;
33
34/**
35 * Class to add missing root certificates to the list of trusted certificates
36 * for TLS connections.
37 *
38 * The added certificates are deemed trustworthy by the main web browsers and
39 * operating systems, but not included in some distributions of Java.
40 *
41 * The certificates are added in-memory at each start, nothing is written to disk.
42 * @since 9995
43 */
44public final class CertificateAmendment {
45
46 /**
47 * A certificate amendment.
48 * @since 11943
49 */
50 public static class CertAmend {
51 private final String id;
52 private final String filename;
53 private final String sha256;
54
55 CertAmend(String id, String filename, String sha256) {
56 this.id = id;
57 this.filename = filename;
58 this.sha256 = sha256;
59 }
60
61 /**
62 * Returns the certificate identifier.
63 * @return path for JOSM embedded certificate, alias for Windows platform certificate
64 */
65 public final String getId() {
66 return id;
67 }
68
69 /**
70 * Returns the certificate filename.
71 * @return filename for both JOSM embedded certificate and Unix platform certificate
72 * @since 12241
73 */
74 public final String getFilename() {
75 return filename;
76 }
77
78 /**
79 * Returns the SHA-256 hash.
80 * @return the SHA-256 hash, in hexadecimal
81 */
82 public final String getSha256() {
83 return sha256;
84 }
85 }
86
87 /**
88 * Certificates embedded in JOSM
89 */
90 private static final CertAmend[] CERT_AMEND = {
91 new CertAmend("resource://data/security/DST_Root_CA_X3.pem", "DST_Root_CA_X3.pem",
92 "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739")
93 };
94
95 /**
96 * Certificates looked into platform native keystore and not embedded in JOSM.
97 * Identifiers must match Windows keystore aliases and Unix filenames for efficient search.
98 */
99 private static final CertAmend[] PLATFORM_CERT_AMEND = {
100 // Government of Netherlands
101 new CertAmend("Staat der Nederlanden Root CA - G2", "Staat_der_Nederlanden_Root_CA_-_G2.crt",
102 "668c83947da63b724bece1743c31a0e6aed0db8ec5b31be377bb784f91b6716f"),
103 // Government of Netherlands
104 new CertAmend("Government of Netherlands G3", "Staat_der_Nederlanden_Root_CA_-_G3.crt",
105 "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428"),
106 // Trusted and used by French Government - https://www.certigna.fr/autorites/index.xhtml?ac=Racine#lracine
107 new CertAmend("Certigna", "Certigna.crt",
108 "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d"),
109 };
110
111 private CertificateAmendment() {
112 // Hide default constructor for utility classes
113 }
114
115 /**
116 * Add missing root certificates to the list of trusted certificates for TLS connections.
117 * @throws IOException if an I/O error occurs
118 * @throws GeneralSecurityException if a security error occurs
119 */
120 public static void addMissingCertificates() throws IOException, GeneralSecurityException {
121 if (!Main.pref.getBoolean("tls.add-missing-certificates", true))
122 return;
123 KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
124 Path cacertsPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
125 try (InputStream is = Files.newInputStream(cacertsPath)) {
126 keyStore.load(is, "changeit".toCharArray());
127 }
128
129 MessageDigest md = MessageDigest.getInstance("SHA-256");
130 CertificateFactory cf = CertificateFactory.getInstance("X.509");
131 boolean certificateAdded = false;
132 // Add embedded certificates. Exit in case of error
133 for (CertAmend certAmend : CERT_AMEND) {
134 try (CachedFile certCF = new CachedFile(certAmend.id)) {
135 X509Certificate cert = (X509Certificate) cf.generateCertificate(
136 new ByteArrayInputStream(certCF.getByteContent()));
137 if (checkAndAddCertificate(md, cert, certAmend, keyStore)) {
138 certificateAdded = true;
139 }
140 }
141 }
142
143 try {
144 // Try to add platform certificates. Do not exit in case of error (embedded certificates may be OK)
145 for (CertAmend certAmend : PLATFORM_CERT_AMEND) {
146 X509Certificate cert = Main.platform.getX509Certificate(certAmend);
147 if (checkAndAddCertificate(md, cert, certAmend, keyStore)) {
148 certificateAdded = true;
149 }
150 }
151 } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException | IllegalStateException e) {
152 Logging.error(e);
153 }
154
155 if (certificateAdded) {
156 TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
157 tmf.init(keyStore);
158 SSLContext sslContext = SSLContext.getInstance("TLS");
159 sslContext.init(null, tmf.getTrustManagers(), null);
160 SSLContext.setDefault(sslContext);
161 }
162 }
163
164 private static boolean checkAndAddCertificate(MessageDigest md, X509Certificate cert, CertAmend certAmend, KeyStore keyStore)
165 throws CertificateEncodingException, KeyStoreException, InvalidAlgorithmParameterException {
166 if (cert != null) {
167 String sha256 = Utils.toHexString(md.digest(cert.getEncoded()));
168 if (!certAmend.sha256.equals(sha256)) {
169 throw new IllegalStateException(
170 tr("Error adding certificate {0} - certificate fingerprint mismatch. Expected {1}, was {2}",
171 certAmend.id, certAmend.sha256, sha256));
172 }
173 if (certificateIsMissing(keyStore, cert)) {
174 if (Logging.isDebugEnabled()) {
175 Logging.debug(tr("Adding certificate for TLS connections: {0}", cert.getSubjectX500Principal().getName()));
176 }
177 String alias = "josm:" + new File(certAmend.id).getName();
178 keyStore.setCertificateEntry(alias, cert);
179 return true;
180 }
181 }
182 return false;
183 }
184
185 /**
186 * Check if the certificate is missing and needs to be added to the keystore.
187 * @param keyStore the keystore
188 * @param crt the certificate
189 * @return true, if the certificate is not contained in the keystore
190 * @throws InvalidAlgorithmParameterException if the keystore does not contain at least one trusted certificate entry
191 * @throws KeyStoreException if the keystore has not been initialized
192 */
193 private static boolean certificateIsMissing(KeyStore keyStore, X509Certificate crt)
194 throws KeyStoreException, InvalidAlgorithmParameterException {
195 PKIXParameters params = new PKIXParameters(keyStore);
196 String id = crt.getSubjectX500Principal().getName();
197 for (TrustAnchor ta : params.getTrustAnchors()) {
198 X509Certificate cert = ta.getTrustedCert();
199 if (Objects.equals(id, cert.getSubjectX500Principal().getName()))
200 return false;
201 }
202 return true;
203 }
204}
Note: See TracBrowser for help on using the repository browser.