Changeset 13450 in josm for trunk

Timestamp:

2018-02-23T00:01:20+01:00 (6 years ago)

Author:

Don-vip

Message:

fix #15992 - load native certificates from macOS system root trust store, see ​https://support.apple.com/en-us/HT208127

Location:

trunk/src/org/openstreetmap/josm

Files:

• io/CertificateAmendment.java (modified) (8 diffs)
• tools/PlatformHook.java (modified) (2 diffs)
• tools/PlatformHookOsx.java (modified) (3 diffs)
• tools/PlatformHookUnixoid.java (modified) (2 diffs)
• tools/PlatformHookWindows.java (modified) (2 diffs)
• tools/Utils.java (modified) (1 diff)

trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java

@@ -5 +5 @@
 
 import java.io.ByteArrayInputStream;
-import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -49 +48 @@
      * @since 11943
      */
-    public static class CertAmend {
-        private final String id;
+    public abstract static class CertAmend {
         private final String filename;
         private final String sha256;
 
-        CertAmend(String id, String filename, String sha256) {
-            this.id = id;
-            this.filename = filename;
-            this.sha256 = sha256;
-        }
-
-        /**
-         * Returns the certificate identifier.
-         * @return path for JOSM embedded certificate, alias for Windows platform certificate
-         */
-        public final String getId() {
-            return id;
+        CertAmend(String filename, String sha256) {
+            this.filename = Objects.requireNonNull(filename);
+            this.sha256 = Objects.requireNonNull(sha256);
         }
 
@@ -87 +76 @@
 
     /**
+     * An embedded certificate amendment.
+     * @since 13450
+     */
+    public static class EmbeddedCertAmend extends CertAmend {
+        private final String url;
+
+        EmbeddedCertAmend(String url, String filename, String sha256) {
+            super(filename, sha256);
+            this.url = Objects.requireNonNull(url);
+        }
+
+        /**
+         * Returns the embedded URL in JOSM jar.
+         * @return path for JOSM embedded certificate
+         */
+        public final String getUrl() {
+            return url;
+        }
+
+        @Override
+        public String toString() {
+            return url;
+        }
+    }
+
+    /**
+     * A certificate amendment relying on native platform certificate store.
+     * @since 13450
+     */
+    public static class NativeCertAmend extends CertAmend {
+        private final String winAlias;
+        private final String macAlias;
+
+        NativeCertAmend(String winAlias, String macAlias, String filename, String sha256) {
+            super(filename, sha256);
+            this.winAlias = Objects.requireNonNull(winAlias);
+            this.macAlias = Objects.requireNonNull(macAlias);
+        }
+
+        /**
+         * Returns the Windows alias in System Root Certificates keystore.
+         * @return the Windows alias in System Root Certificates keystore
+         */
+        public final String getWinAlias() {
+            return winAlias;
+        }
+
+        /**
+         * Returns the macOS alias in System Root Certificates keychain.
+         * @return the macOS alias in System Root Certificates keychain
+         */
+        public final String getMacAlias() {
+            return macAlias;
+        }
+
+        @Override
+        public String toString() {
+            String result = winAlias;
+            if (!winAlias.equals(macAlias)) {
+                result += " / " + macAlias;
+            }
+            return result;
+        }
+    }
+
+    /**
      * Certificates embedded in JOSM
      */
-    private static final CertAmend[] CERT_AMEND = {
-        new CertAmend("resource://data/security/DST_Root_CA_X3.pem", "DST_Root_CA_X3.pem",
+    private static final EmbeddedCertAmend[] CERT_AMEND = {
+        new EmbeddedCertAmend("resource://data/security/DST_Root_CA_X3.pem", "DST_Root_CA_X3.pem",
                 "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739")
     };
@@ -96 +151 @@
     /**
      * Certificates looked into platform native keystore and not embedded in JOSM.
-     * Identifiers must match Windows keystore aliases and Unix filenames for efficient search.
-     */
-    private static final CertAmend[] PLATFORM_CERT_AMEND = {
+     * Identifiers must match Windows/macOS keystore aliases and Unix filenames for efficient search.
+     */
+    private static final NativeCertAmend[] PLATFORM_CERT_AMEND = {
         // Government of Netherlands
-        new CertAmend("Staat der Nederlanden Root CA - G2", "Staat_der_Nederlanden_Root_CA_-_G2.crt",
+        new NativeCertAmend("Staat der Nederlanden Root CA - G2", "Staat der Nederlanden Root CA - G2",
+                "Staat_der_Nederlanden_Root_CA_-_G2.crt",
                 "668c83947da63b724bece1743c31a0e6aed0db8ec5b31be377bb784f91b6716f"),
         // Government of Netherlands
-        new CertAmend("Government of Netherlands G3", "Staat_der_Nederlanden_Root_CA_-_G3.crt",
+        new NativeCertAmend("Government of Netherlands G3", "Staat der Nederlanden Root CA - G3",
+                "Staat_der_Nederlanden_Root_CA_-_G3.crt",
                 "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428"),
         // Trusted and used by French Government - https://www.certigna.fr/autorites/index.xhtml?ac=Racine#lracine
-        new CertAmend("Certigna", "Certigna.crt",
+        new NativeCertAmend("Certigna", "Certigna", "Certigna.crt",
                 "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d"),
     };
@@ -132 +189 @@
         boolean certificateAdded = false;
         // Add embedded certificates. Exit in case of error
-        for (CertAmend certAmend : CERT_AMEND) {
-            try (CachedFile certCF = new CachedFile(certAmend.id)) {
+        for (EmbeddedCertAmend certAmend : CERT_AMEND) {
+            try (CachedFile certCF = new CachedFile(certAmend.url)) {
                 X509Certificate cert = (X509Certificate) cf.generateCertificate(
                         new ByteArrayInputStream(certCF.getByteContent()));
@@ -144 +201 @@
         try {
             // Try to add platform certificates. Do not exit in case of error (embedded certificates may be OK)
-            for (CertAmend certAmend : PLATFORM_CERT_AMEND) {
+            for (NativeCertAmend certAmend : PLATFORM_CERT_AMEND) {
                 X509Certificate cert = Main.platform.getX509Certificate(certAmend);
                 if (checkAndAddCertificate(md, cert, certAmend, keyStore)) {
@@ -170 +227 @@
                 throw new IllegalStateException(
                         tr("Error adding certificate {0} - certificate fingerprint mismatch. Expected {1}, was {2}",
-                            certAmend.id, certAmend.sha256, sha256));
+                            certAmend, certAmend.sha256, sha256));
             }
             if (certificateIsMissing(keyStore, cert)) {
@@ -176 +233 @@
                     Logging.debug(tr("Adding certificate for TLS connections: {0}", cert.getSubjectX500Principal().getName()));
                 }
-                String alias = "josm:" + new File(certAmend.id).getName();
+                String alias = "josm:" + certAmend.filename;
                 keyStore.setCertificateEntry(alias, cert);
                 return true;

trunk/src/org/openstreetmap/josm/tools/PlatformHook.java

@@ -20 +20 @@
 
 import org.openstreetmap.josm.data.projection.datum.NTV2Proj4DirGridShiftFileSource;
-import org.openstreetmap.josm.io.CertificateAmendment.CertAmend;
+import org.openstreetmap.josm.io.CertificateAmendment.NativeCertAmend;
 import org.openstreetmap.josm.spi.preferences.Config;
 import org.openstreetmap.josm.tools.date.DateUtils;
@@ -211 +211 @@
      * @throws CertificateException in case of error
      * @throws NoSuchAlgorithmException in case of error
-     * @since 11943
-     */
-    default X509Certificate getX509Certificate(CertAmend certAmend)
+     * @since 13450
+     */
+    default X509Certificate getX509Certificate(NativeCertAmend certAmend)
             throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
         return null;

trunk/src/org/openstreetmap/josm/tools/PlatformHookOsx.java

@@ -8 +8 @@
 import java.awt.Window;
 import java.awt.event.KeyEvent;
+import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
@@ -14 +15 @@
 import java.lang.reflect.Method;
 import java.lang.reflect.Proxy;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Objects;
+import java.util.concurrent.ExecutionException;
 
 import javax.swing.UIManager;
 
 import org.openstreetmap.josm.Main;
+import org.openstreetmap.josm.io.CertificateAmendment.NativeCertAmend;
 
 /**
@@ -427 +436 @@
                 Main.pref.getJOSMDirectoryBaseName());
     }
+
+    @Override
+    public X509Certificate getX509Certificate(NativeCertAmend certAmend)
+            throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
+        try {
+            // Get platform certificate in PEM format
+            String pem = Utils.execOutput(Arrays.asList("security", "find-certificate",
+                    "-c", certAmend.getMacAlias(), "-p", "/System/Library/Keychains/SystemRootCertificates.keychain"));
+            Logging.debug(pem);
+            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(
+                    new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
+        } catch (ExecutionException | InterruptedException | IllegalArgumentException e) {
+            throw new IOException(e);
+        }
+    }
 }

trunk/src/org/openstreetmap/josm/tools/PlatformHookUnixoid.java

@@ -26 +26 @@
 
 import org.openstreetmap.josm.Main;
-import org.openstreetmap.josm.io.CertificateAmendment.CertAmend;
+import org.openstreetmap.josm.io.CertificateAmendment.NativeCertAmend;
 import org.openstreetmap.josm.spi.preferences.Config;
 
@@ -398 +398 @@
 
     @Override
-    public X509Certificate getX509Certificate(CertAmend certAmend)
+    public X509Certificate getX509Certificate(NativeCertAmend certAmend)
             throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
         File f = new File("/usr/share/ca-certificates/mozilla", certAmend.getFilename());

trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java

@@ -71 +71 @@
 import org.openstreetmap.josm.data.StructUtils.StructEntry;
 import org.openstreetmap.josm.data.StructUtils.WriteExplicitly;
-import org.openstreetmap.josm.io.CertificateAmendment.CertAmend;
+import org.openstreetmap.josm.io.CertificateAmendment.NativeCertAmend;
 import org.openstreetmap.josm.spi.preferences.Config;
 
@@ -439 +439 @@
 
     @Override
-    public X509Certificate getX509Certificate(CertAmend certAmend)
+    public X509Certificate getX509Certificate(NativeCertAmend certAmend)
             throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
         KeyStore ks = getRootKeystore();
         // Search by alias (fast)
-        Certificate result = ks.getCertificate(certAmend.getId());
+        Certificate result = ks.getCertificate(certAmend.getWinAlias());
         if (result instanceof X509Certificate) {
             return (X509Certificate) result;

trunk/src/org/openstreetmap/josm/tools/Utils.java

@@ -847 +847 @@
                     all = new StringBuilder(line);
                 } else {
-                    all.append('\n');
-                    all.append(line);
+                    all.append('\n')
+                       .append(line);
                 }
             }