source: josm/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java@ 13207

Last change on this file since 13207 was 12846, checked in by bastiK, 7 years ago

see #15229 - use Config.getPref() wherever possible
  • Property svn:eol-style set to native
File size: 8.3 KB
Line 
1// License: GPL. For details, see LICENSE file.
2package org.openstreetmap.josm.io;
3
4import static org.openstreetmap.josm.tools.I18n.tr;
5
6import java.io.ByteArrayInputStream;
7import java.io.File;
8import java.io.IOException;
9import java.io.InputStream;
10import java.nio.file.Files;
11import java.nio.file.Path;
12import java.nio.file.Paths;
13import java.security.GeneralSecurityException;
14import java.security.InvalidAlgorithmParameterException;
15import java.security.KeyStore;
16import java.security.KeyStoreException;
17import java.security.MessageDigest;
18import java.security.NoSuchAlgorithmException;
19import java.security.cert.CertificateEncodingException;
20import java.security.cert.CertificateException;
21import java.security.cert.CertificateFactory;
22import java.security.cert.PKIXParameters;
23import java.security.cert.TrustAnchor;
24import java.security.cert.X509Certificate;
25import java.util.Objects;
26
27import javax.net.ssl.SSLContext;
28import javax.net.ssl.TrustManagerFactory;
29
30import org.openstreetmap.josm.Main;
31import org.openstreetmap.josm.spi.preferences.Config;
32import org.openstreetmap.josm.tools.Logging;
33import org.openstreetmap.josm.tools.Utils;
34
35/**
36 * Class to add missing root certificates to the list of trusted certificates
37 * for TLS connections.
38 *
39 * The added certificates are deemed trustworthy by the main web browsers and
40 * operating systems, but not included in some distributions of Java.
41 *
42 * The certificates are added in-memory at each start, nothing is written to disk.
43 * @since 9995
44 */
45public final class CertificateAmendment {
46
47 /**
48 * A certificate amendment.
49 * @since 11943
50 */
51 public static class CertAmend {
52 private final String id;
53 private final String filename;
54 private final String sha256;
55
56 CertAmend(String id, String filename, String sha256) {
57 this.id = id;
58 this.filename = filename;
59 this.sha256 = sha256;
60 }
61
62 /**
63 * Returns the certificate identifier.
64 * @return path for JOSM embedded certificate, alias for Windows platform certificate
65 */
66 public final String getId() {
67 return id;
68 }
69
70 /**
71 * Returns the certificate filename.
72 * @return filename for both JOSM embedded certificate and Unix platform certificate
73 * @since 12241
74 */
75 public final String getFilename() {
76 return filename;
77 }
78
79 /**
80 * Returns the SHA-256 hash.
81 * @return the SHA-256 hash, in hexadecimal
82 */
83 public final String getSha256() {
84 return sha256;
85 }
86 }
87
88 /**
89 * Certificates embedded in JOSM
90 */
91 private static final CertAmend[] CERT_AMEND = {
92 new CertAmend("resource://data/security/DST_Root_CA_X3.pem", "DST_Root_CA_X3.pem",
93 "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739")
94 };
95
96 /**
97 * Certificates looked into platform native keystore and not embedded in JOSM.
98 * Identifiers must match Windows keystore aliases and Unix filenames for efficient search.
99 */
100 private static final CertAmend[] PLATFORM_CERT_AMEND = {
101 // Government of Netherlands
102 new CertAmend("Staat der Nederlanden Root CA - G2", "Staat_der_Nederlanden_Root_CA_-_G2.crt",
103 "668c83947da63b724bece1743c31a0e6aed0db8ec5b31be377bb784f91b6716f"),
104 // Government of Netherlands
105 new CertAmend("Government of Netherlands G3", "Staat_der_Nederlanden_Root_CA_-_G3.crt",
106 "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428"),
107 // Trusted and used by French Government - https://www.certigna.fr/autorites/index.xhtml?ac=Racine#lracine
108 new CertAmend("Certigna", "Certigna.crt",
109 "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d"),
110 };
111
112 private CertificateAmendment() {
113 // Hide default constructor for utility classes
114 }
115
116 /**
117 * Add missing root certificates to the list of trusted certificates for TLS connections.
118 * @throws IOException if an I/O error occurs
119 * @throws GeneralSecurityException if a security error occurs
120 */
121 public static void addMissingCertificates() throws IOException, GeneralSecurityException {
122 if (!Config.getPref().getBoolean("tls.add-missing-certificates", true))
123 return;
124 KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
125 Path cacertsPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
126 try (InputStream is = Files.newInputStream(cacertsPath)) {
127 keyStore.load(is, "changeit".toCharArray());
128 }
129
130 MessageDigest md = MessageDigest.getInstance("SHA-256");
131 CertificateFactory cf = CertificateFactory.getInstance("X.509");
132 boolean certificateAdded = false;
133 // Add embedded certificates. Exit in case of error
134 for (CertAmend certAmend : CERT_AMEND) {
135 try (CachedFile certCF = new CachedFile(certAmend.id)) {
136 X509Certificate cert = (X509Certificate) cf.generateCertificate(
137 new ByteArrayInputStream(certCF.getByteContent()));
138 if (checkAndAddCertificate(md, cert, certAmend, keyStore)) {
139 certificateAdded = true;
140 }
141 }
142 }
143
144 try {
145 // Try to add platform certificates. Do not exit in case of error (embedded certificates may be OK)
146 for (CertAmend certAmend : PLATFORM_CERT_AMEND) {
147 X509Certificate cert = Main.platform.getX509Certificate(certAmend);
148 if (checkAndAddCertificate(md, cert, certAmend, keyStore)) {
149 certificateAdded = true;
150 }
151 }
152 } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException | IllegalStateException e) {
153 Logging.error(e);
154 }
155
156 if (certificateAdded) {
157 TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
158 tmf.init(keyStore);
159 SSLContext sslContext = SSLContext.getInstance("TLS");
160 sslContext.init(null, tmf.getTrustManagers(), null);
161 SSLContext.setDefault(sslContext);
162 }
163 }
164
165 private static boolean checkAndAddCertificate(MessageDigest md, X509Certificate cert, CertAmend certAmend, KeyStore keyStore)
166 throws CertificateEncodingException, KeyStoreException, InvalidAlgorithmParameterException {
167 if (cert != null) {
168 String sha256 = Utils.toHexString(md.digest(cert.getEncoded()));
169 if (!certAmend.sha256.equals(sha256)) {
170 throw new IllegalStateException(
171 tr("Error adding certificate {0} - certificate fingerprint mismatch. Expected {1}, was {2}",
172 certAmend.id, certAmend.sha256, sha256));
173 }
174 if (certificateIsMissing(keyStore, cert)) {
175 if (Logging.isDebugEnabled()) {
176 Logging.debug(tr("Adding certificate for TLS connections: {0}", cert.getSubjectX500Principal().getName()));
177 }
178 String alias = "josm:" + new File(certAmend.id).getName();
179 keyStore.setCertificateEntry(alias, cert);
180 return true;
181 }
182 }
183 return false;
184 }
185
186 /**
187 * Check if the certificate is missing and needs to be added to the keystore.
188 * @param keyStore the keystore
189 * @param crt the certificate
190 * @return true, if the certificate is not contained in the keystore
191 * @throws InvalidAlgorithmParameterException if the keystore does not contain at least one trusted certificate entry
192 * @throws KeyStoreException if the keystore has not been initialized
193 */
194 private static boolean certificateIsMissing(KeyStore keyStore, X509Certificate crt)
195 throws KeyStoreException, InvalidAlgorithmParameterException {
196 PKIXParameters params = new PKIXParameters(keyStore);
197 String id = crt.getSubjectX500Principal().getName();
198 for (TrustAnchor ta : params.getTrustAnchors()) {
199 X509Certificate cert = ta.getTrustedCert();
200 if (Objects.equals(id, cert.getSubjectX500Principal().getName()))
201 return false;
202 }
203 return true;
204 }
205}
Note: See TracBrowser for help on using the repository browser.