Changeset 13451 in josm


Ignore:
Timestamp:
2018-02-24T17:14:11+01:00 (6 months ago)
Author:
Don-vip
Message:

fix #15992 - force Windows to update its root CA trust store before we search for known CA in it

Location:
trunk/src/org/openstreetmap/josm
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java

    r13450 r13451  
    108108        private final String winAlias;
    109109        private final String macAlias;
    110 
    111         NativeCertAmend(String winAlias, String macAlias, String filename, String sha256) {
     110        private final String httpsWebSite;
     111
     112        NativeCertAmend(String winAlias, String macAlias, String filename, String sha256, String httpsWebSite) {
    112113            super(filename, sha256);
    113114            this.winAlias = Objects.requireNonNull(winAlias);
    114115            this.macAlias = Objects.requireNonNull(macAlias);
     116            this.httpsWebSite = Objects.requireNonNull(httpsWebSite);
    115117        }
    116118
     
    129131        public final String getMacAlias() {
    130132            return macAlias;
     133        }
     134
     135        /**
     136         * Returns the https website we need to call to notify Windows we need its root certificate.
     137         * @return the https website signed with this root CA
     138         * @since 13451
     139         */
     140        public String getWebSite() {
     141            return httpsWebSite;
    131142        }
    132143
     
    157168        new NativeCertAmend("Staat der Nederlanden Root CA - G2", "Staat der Nederlanden Root CA - G2",
    158169                "Staat_der_Nederlanden_Root_CA_-_G2.crt",
    159                 "668c83947da63b724bece1743c31a0e6aed0db8ec5b31be377bb784f91b6716f"),
     170                "668c83947da63b724bece1743c31a0e6aed0db8ec5b31be377bb784f91b6716f",
     171                "https://roottest-g2.pkioverheid.nl"),
    160172        // Government of Netherlands
    161173        new NativeCertAmend("Government of Netherlands G3", "Staat der Nederlanden Root CA - G3",
    162174                "Staat_der_Nederlanden_Root_CA_-_G3.crt",
    163                 "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428"),
     175                "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428",
     176                "https://roottest-g3.pkioverheid.nl"),
    164177        // Trusted and used by French Government - https://www.certigna.fr/autorites/index.xhtml?ac=Racine#lracine
    165178        new NativeCertAmend("Certigna", "Certigna", "Certigna.crt",
    166                 "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d"),
     179                "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d",
     180                "https://www.certigna.fr"),
    167181    };
    168182
  • trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java

    r13450 r13451  
    5959import java.security.spec.X509EncodedKeySpec;
    6060import java.util.ArrayList;
     61import java.util.Arrays;
    6162import java.util.Collection;
    6263import java.util.Enumeration;
     
    6465import java.util.Locale;
    6566import java.util.Properties;
     67import java.util.concurrent.ExecutionException;
    6668
    6769import javax.swing.JOptionPane;
     
    441443    public X509Certificate getX509Certificate(NativeCertAmend certAmend)
    442444            throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
     445        // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list
     446        // A better, but a lot more complex method might be to get certificate list from Windows Registry with PowerShell
     447        // using (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate').EncodedCtl)
     448        // then decode it using CertUtil -dump or calling CertCreateCTLContext API using JNI, and finally find and decode the certificate
     449        try {
     450            // https://stackoverflow.com/a/41618979/2257172
     451            Utils.execOutput(Arrays.asList("powershell", "-Command",
     452                    "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;" +
     453                    "Invoke-WebRequest " + certAmend.getWebSite()));
     454        } catch (ExecutionException | InterruptedException e) {
     455            Logging.error(e);
     456        }
     457        // Get Windows Trust Root Store
    443458        KeyStore ks = getRootKeystore();
    444459        // Search by alias (fast)
Note: See TracChangeset for help on using the changeset viewer.