Index: trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java =================================================================== --- trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java (revision 13450) +++ trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java (revision 13451) @@ -108,9 +108,11 @@ private final String winAlias; private final String macAlias; - - NativeCertAmend(String winAlias, String macAlias, String filename, String sha256) { + private final String httpsWebSite; + + NativeCertAmend(String winAlias, String macAlias, String filename, String sha256, String httpsWebSite) { super(filename, sha256); this.winAlias = Objects.requireNonNull(winAlias); this.macAlias = Objects.requireNonNull(macAlias); + this.httpsWebSite = Objects.requireNonNull(httpsWebSite); } @@ -129,4 +131,13 @@ public final String getMacAlias() { return macAlias; + } + + /** + * Returns the https website we need to call to notify Windows we need its root certificate. + * @return the https website signed with this root CA + * @since 13451 + */ + public String getWebSite() { + return httpsWebSite; } @@ -157,12 +168,15 @@ new NativeCertAmend("Staat der Nederlanden Root CA - G2", "Staat der Nederlanden Root CA - G2", "Staat_der_Nederlanden_Root_CA_-_G2.crt", - "668c83947da63b724bece1743c31a0e6aed0db8ec5b31be377bb784f91b6716f"), + "668c83947da63b724bece1743c31a0e6aed0db8ec5b31be377bb784f91b6716f", + "https://roottest-g2.pkioverheid.nl"), // Government of Netherlands new NativeCertAmend("Government of Netherlands G3", "Staat der Nederlanden Root CA - G3", "Staat_der_Nederlanden_Root_CA_-_G3.crt", - "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428"), + "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428", + "https://roottest-g3.pkioverheid.nl"), // Trusted and used by French Government - https://www.certigna.fr/autorites/index.xhtml?ac=Racine#lracine new NativeCertAmend("Certigna", "Certigna", "Certigna.crt", - "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d"), + "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d", + "https://www.certigna.fr"), }; Index: trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java =================================================================== --- trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java (revision 13450) +++ trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java (revision 13451) @@ -59,4 +59,5 @@ import java.security.spec.X509EncodedKeySpec; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.Enumeration; @@ -64,4 +65,5 @@ import java.util.Locale; import java.util.Properties; +import java.util.concurrent.ExecutionException; import javax.swing.JOptionPane; @@ -441,4 +443,17 @@ public X509Certificate getX509Certificate(NativeCertAmend certAmend) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException { + // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list + // A better, but a lot more complex method might be to get certificate list from Windows Registry with PowerShell + // using (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate').EncodedCtl) + // then decode it using CertUtil -dump or calling CertCreateCTLContext API using JNI, and finally find and decode the certificate + try { + // https://stackoverflow.com/a/41618979/2257172 + Utils.execOutput(Arrays.asList("powershell", "-Command", + "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;" + + "Invoke-WebRequest " + certAmend.getWebSite())); + } catch (ExecutionException | InterruptedException e) { + Logging.error(e); + } + // Get Windows Trust Root Store KeyStore ks = getRootKeystore(); // Search by alias (fast)