Changeset 13450 in josm for trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java

Timestamp:

2018-02-23T00:01:20+01:00 (6 years ago)

Author:

Don-vip

Message:

fix #15992 - load native certificates from macOS system root trust store, see ​https://support.apple.com/en-us/HT208127

File:

• trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java (modified) (8 diffs)

trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java

@@ -5 +5 @@
 
 import java.io.ByteArrayInputStream;
-import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -49 +48 @@
      * @since 11943
      */
-    public static class CertAmend {
-        private final String id;
+    public abstract static class CertAmend {
         private final String filename;
         private final String sha256;
 
-        CertAmend(String id, String filename, String sha256) {
-            this.id = id;
-            this.filename = filename;
-            this.sha256 = sha256;
-        }
-
-        /**
-         * Returns the certificate identifier.
-         * @return path for JOSM embedded certificate, alias for Windows platform certificate
-         */
-        public final String getId() {
-            return id;
+        CertAmend(String filename, String sha256) {
+            this.filename = Objects.requireNonNull(filename);
+            this.sha256 = Objects.requireNonNull(sha256);
         }
 
@@ -87 +76 @@
 
     /**
+     * An embedded certificate amendment.
+     * @since 13450
+     */
+    public static class EmbeddedCertAmend extends CertAmend {
+        private final String url;
+
+        EmbeddedCertAmend(String url, String filename, String sha256) {
+            super(filename, sha256);
+            this.url = Objects.requireNonNull(url);
+        }
+
+        /**
+         * Returns the embedded URL in JOSM jar.
+         * @return path for JOSM embedded certificate
+         */
+        public final String getUrl() {
+            return url;
+        }
+
+        @Override
+        public String toString() {
+            return url;
+        }
+    }
+
+    /**
+     * A certificate amendment relying on native platform certificate store.
+     * @since 13450
+     */
+    public static class NativeCertAmend extends CertAmend {
+        private final String winAlias;
+        private final String macAlias;
+
+        NativeCertAmend(String winAlias, String macAlias, String filename, String sha256) {
+            super(filename, sha256);
+            this.winAlias = Objects.requireNonNull(winAlias);
+            this.macAlias = Objects.requireNonNull(macAlias);
+        }
+
+        /**
+         * Returns the Windows alias in System Root Certificates keystore.
+         * @return the Windows alias in System Root Certificates keystore
+         */
+        public final String getWinAlias() {
+            return winAlias;
+        }
+
+        /**
+         * Returns the macOS alias in System Root Certificates keychain.
+         * @return the macOS alias in System Root Certificates keychain
+         */
+        public final String getMacAlias() {
+            return macAlias;
+        }
+
+        @Override
+        public String toString() {
+            String result = winAlias;
+            if (!winAlias.equals(macAlias)) {
+                result += " / " + macAlias;
+            }
+            return result;
+        }
+    }
+
+    /**
      * Certificates embedded in JOSM
      */
-    private static final CertAmend[] CERT_AMEND = {
-        new CertAmend("resource://data/security/DST_Root_CA_X3.pem", "DST_Root_CA_X3.pem",
+    private static final EmbeddedCertAmend[] CERT_AMEND = {
+        new EmbeddedCertAmend("resource://data/security/DST_Root_CA_X3.pem", "DST_Root_CA_X3.pem",
                 "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739")
     };
@@ -96 +151 @@
     /**
      * Certificates looked into platform native keystore and not embedded in JOSM.
-     * Identifiers must match Windows keystore aliases and Unix filenames for efficient search.
-     */
-    private static final CertAmend[] PLATFORM_CERT_AMEND = {
+     * Identifiers must match Windows/macOS keystore aliases and Unix filenames for efficient search.
+     */
+    private static final NativeCertAmend[] PLATFORM_CERT_AMEND = {
         // Government of Netherlands
-        new CertAmend("Staat der Nederlanden Root CA - G2", "Staat_der_Nederlanden_Root_CA_-_G2.crt",
+        new NativeCertAmend("Staat der Nederlanden Root CA - G2", "Staat der Nederlanden Root CA - G2",
+                "Staat_der_Nederlanden_Root_CA_-_G2.crt",
                 "668c83947da63b724bece1743c31a0e6aed0db8ec5b31be377bb784f91b6716f"),
         // Government of Netherlands
-        new CertAmend("Government of Netherlands G3", "Staat_der_Nederlanden_Root_CA_-_G3.crt",
+        new NativeCertAmend("Government of Netherlands G3", "Staat der Nederlanden Root CA - G3",
+                "Staat_der_Nederlanden_Root_CA_-_G3.crt",
                 "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428"),
         // Trusted and used by French Government - https://www.certigna.fr/autorites/index.xhtml?ac=Racine#lracine
-        new CertAmend("Certigna", "Certigna.crt",
+        new NativeCertAmend("Certigna", "Certigna", "Certigna.crt",
                 "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d"),
     };
@@ -132 +189 @@
         boolean certificateAdded = false;
         // Add embedded certificates. Exit in case of error
-        for (CertAmend certAmend : CERT_AMEND) {
-            try (CachedFile certCF = new CachedFile(certAmend.id)) {
+        for (EmbeddedCertAmend certAmend : CERT_AMEND) {
+            try (CachedFile certCF = new CachedFile(certAmend.url)) {
                 X509Certificate cert = (X509Certificate) cf.generateCertificate(
                         new ByteArrayInputStream(certCF.getByteContent()));
@@ -144 +201 @@
         try {
             // Try to add platform certificates. Do not exit in case of error (embedded certificates may be OK)
-            for (CertAmend certAmend : PLATFORM_CERT_AMEND) {
+            for (NativeCertAmend certAmend : PLATFORM_CERT_AMEND) {
                 X509Certificate cert = Main.platform.getX509Certificate(certAmend);
                 if (checkAndAddCertificate(md, cert, certAmend, keyStore)) {
@@ -170 +227 @@
                 throw new IllegalStateException(
                         tr("Error adding certificate {0} - certificate fingerprint mismatch. Expected {1}, was {2}",
-                            certAmend.id, certAmend.sha256, sha256));
+                            certAmend, certAmend.sha256, sha256));
             }
             if (certificateIsMissing(keyStore, cert)) {
@@ -176 +233 @@
                     Logging.debug(tr("Adding certificate for TLS connections: {0}", cert.getSubjectX500Principal().getName()));
                 }
-                String alias = "josm:" + new File(certAmend.id).getName();
+                String alias = "josm:" + certAmend.filename;
                 keyStore.setCertificateEntry(alias, cert);
                 return true;