Changeset 13451 in josm for trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java

Timestamp:

2018-02-24T17:14:11+01:00 (6 years ago)

Author:

Don-vip

Message:

fix #15992 - force Windows to update its root CA trust store before we search for known CA in it

File:

• trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java (modified) (3 diffs)

trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java

@@ -59 +59 @@
 import java.security.spec.X509EncodedKeySpec;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Enumeration;
@@ -64 +65 @@
 import java.util.Locale;
 import java.util.Properties;
+import java.util.concurrent.ExecutionException;
 
 import javax.swing.JOptionPane;
@@ -441 +443 @@
     public X509Certificate getX509Certificate(NativeCertAmend certAmend)
             throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
+        // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list
+        // A better, but a lot more complex method might be to get certificate list from Windows Registry with PowerShell
+        // using (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate').EncodedCtl)
+        // then decode it using CertUtil -dump or calling CertCreateCTLContext API using JNI, and finally find and decode the certificate
+        try {
+            // https://stackoverflow.com/a/41618979/2257172
+            Utils.execOutput(Arrays.asList("powershell", "-Command",
+                    "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;" +
+                    "Invoke-WebRequest " + certAmend.getWebSite()));
+        } catch (ExecutionException | InterruptedException e) {
+            Logging.error(e);
+        }
+        // Get Windows Trust Root Store
         KeyStore ks = getRootKeystore();
         // Search by alias (fast)