Changeset 15006 in josm


Timestamp:
2019-04-21T02:08:19+02:00 (5 years ago)
Author:
Don-vip
Message:

see #17619: use a common list of native certificate aliases, as they can change between Windows 7 and Windows 10 and are often the same between Windows and macOS

Location:
trunk/src/org/openstreetmap/josm
Files:
3 edited

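--- a/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java
+++ b/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java
@@ -22,4 +22,7 @@
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Objects;
 
@@ -106,28 +109,19 @@
      */
     public static class NativeCertAmend extends CertAmend {
-        private final String winAlias;
-        private final String macAlias;
+        private final Collection<String> aliases;
         private final String httpsWebSite;
 
-        NativeCertAmend(String winAlias, String macAlias, String filename, String sha256, String httpsWebSite) {
+        NativeCertAmend(Collection<String> aliases, String filename, String sha256, String httpsWebSite) {
             super(filename, sha256);
-            this.winAlias = Objects.requireNonNull(winAlias);
-            this.macAlias = Objects.requireNonNull(macAlias);
+            this.aliases = Objects.requireNonNull(aliases);
             this.httpsWebSite = Objects.requireNonNull(httpsWebSite);
         }
 
         /**
-         * Returns the Windows alias in System Root Certificates keystore.
-         * @return the Windows alias in System Root Certificates keystore
-         */
-        public final String getWinAlias() {
-            return winAlias;
-        }
-
-        /**
-         * Returns the macOS alias in System Root Certificates keychain.
-         * @return the macOS alias in System Root Certificates keychain
-         */
-        public final String getMacAlias() {
-            return macAlias;
+         * Returns the native aliases in System Root Certificates keystore/keychain.
+         * @return the native aliases in System Root Certificates keystore/keychain
+         * @since 15006
+         */
+        public final Collection<String> getNativeAliases() {
+            return aliases;
         }
 
@@ -144,9 +138,5 @@
         @Override
         public String toString() {
-            String result = winAlias;
-            if (!winAlias.equals(macAlias)) {
-                result += " / " + macAlias;
-            }
-            return result;
+            return String.join(" / ", aliases);
         }
     }
@@ -166,28 +156,31 @@
     private static final NativeCertAmend[] PLATFORM_CERT_AMEND = {
         // Let's Encrypt - should be included in JDK, but problems with Ubuntu 18.04, see #15851
-        new NativeCertAmend("DST Root CA X3", "DST Root CA X3",
+        new NativeCertAmend(Collections.singleton("DST Root CA X3"),
                 "DST_Root_CA_X3.pem",
                 "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739",
                 "https://acme-v02.api.letsencrypt.org"),
         // Government of Netherlands
-        new NativeCertAmend("Staat der Nederlanden Root CA - G2", "Staat der Nederlanden Root CA - G2",
+        new NativeCertAmend(Collections.singleton("Staat der Nederlanden Root CA - G2"),
                 "Staat_der_Nederlanden_Root_CA_-_G2.crt",
                 "668c83947da63b724bece1743c31a0e6aed0db8ec5b31be377bb784f91b6716f",
                 "https://roottest-g2.pkioverheid.nl"),
         // Government of Netherlands
-        new NativeCertAmend("Government of Netherlands G3", "Staat der Nederlanden Root CA - G3",
+        new NativeCertAmend(Arrays.asList("Government of Netherlands G3", "Staat der Nederlanden Root CA - G3"),
                 "Staat_der_Nederlanden_Root_CA_-_G3.crt",
                 "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428",
                 "https://roottest-g3.pkioverheid.nl"),
         // Trusted and used by French Government - https://www.certigna.fr/autorites/index.xhtml?ac=Racine#lracine
-        new NativeCertAmend("Certigna", "Certigna", "Certigna.crt",
+        new NativeCertAmend(Collections.singleton("Certigna"),
+                "Certigna.crt",
                 "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d",
                 "https://www.certigna.fr"),
         // Trusted and used by Slovakian Government - https://eidas.disig.sk/en/cacert/
-        new NativeCertAmend("CA Disig Root R2", "CA Disig Root R2", "CA_Disig_Root_R2.pem",
+        new NativeCertAmend(Collections.singleton("CA Disig Root R2"),
+                "CA_Disig_Root_R2.pem",
                 "e23d4a036d7b70e9f595b1422079d2b91edfbb1fb651a0633eaa8a9dc5f80703",
                 "https://eidas.disig.sk"),
         // Government of Taiwan - https://grca.nat.gov.tw/GRCAeng/index.html
-        new NativeCertAmend("TW Government Root Certification Authority", "Government Root Certification Authority", "Taiwan_GRCA.pem",
+        new NativeCertAmend(Arrays.asList("TW Government Root Certification Authority", "Government Root Certification Authority"),
+                "Taiwan_GRCA.pem",
                 "7600295eefe85b9e1fd624db76062aaaae59818a54d2774cd4c0b2c01131e1b3",
                 "https://grca.nat.gov.tw")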
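Review bot: The constructor at new line 116 stores the caller's collection as-is and `getNativeAliases()` at new line 126 hands the same object back, so the alias list that drives the native trust-store lookups is mutable from outside the class (`Arrays.asList` is a writable view over its backing array). `Collections` is imported in this change, so the fix is one line: `this.aliases = Collections.unmodifiableCollection(Objects.requireNonNull(aliases));`. An empty collection would make the platform hooks find nothing without any hint why, so a guard such as `if (aliases.isEmpty()) throw new IllegalArgumentException("at least one native alias is required");` is cheap insurance. The `@return` of `getNativeAliases()` should also say that these are candidate names the platform hooks try in the given order, matching by name only, e.g. `@return the candidate aliases, tried in order, under which this root is looked up in the system keystore/keychain`.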
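--- a/trunk/src/org/openstreetmap/josm/tools/PlatformHookOsx.java
+++ b/trunk/src/org/openstreetmap/josm/tools/PlatformHookOsx.java
@@ -412,14 +412,17 @@
     public X509Certificate getX509Certificate(NativeCertAmend certAmend)
             throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
-        try {
-            // Get platform certificate in PEM format
-            String pem = Utils.execOutput(Arrays.asList("security", "find-certificate",
-                    "-c", certAmend.getMacAlias(), "-p", "/System/Library/Keychains/SystemRootCertificates.keychain"));
-            Logging.debug(pem);
-            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(
-                    new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
-        } catch (ExecutionException | InterruptedException | IllegalArgumentException e) {
-            throw new IOException(e);
-        }
+        for (String macAlias : certAmend.getNativeAliases()) {
+            try {
+                // Get platform certificate in PEM format
+                String pem = Utils.execOutput(Arrays.asList("security", "find-certificate",
+                        "-c", macAlias, "-p", "/System/Library/Keychains/SystemRootCertificates.keychain"));
+                Logging.debug(pem);
+                return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(
+                        new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
+            } catch (ExecutionException | InterruptedException | IllegalArgumentException | CertificateException e) {
+                Logging.debug(e);
+            }
+        }
+        return null;
     }
 }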
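Review bot: The catch at new line 422 now swallows `InterruptedException` with a debug log and moves on to the next alias, which discards the thread's interrupt status (the old code at least surfaced it as an `IOException`); it should be caught on its own, the flag restored with `Thread.currentThread().interrupt()`, and the probing stopped. With the other failures also downgraded to debug logs, a root that is absent from this macOS version now yields `null` instead of an exception, so the method's Javadoc (above this hunk) should state `@return the certificate, or {@code null} if none of the aliases is found in the system keychain`, and callers have to handle that. `find-certificate -c` matches on the certificate name only, so nothing in this hunk ties the returned certificate to `certAmend.getSha256()`; if the caller does not compare the digest before trusting the result, it should.

```java
        for (String macAlias : certAmend.getNativeAliases()) {
            try {
                // … unchanged: security find-certificate call and PEM parsing …
            } catch (InterruptedException e) {
                // restore the interrupt flag and stop probing further aliases
                Thread.currentThread().interrupt();
                throw new IOException(e);
            } catch (ExecutionException | IllegalArgumentException | CertificateException e) {
                // alias absent in this macOS version, or output not a parseable certificate: try the next alias
                Logging.debug(e);
            }
        }
        return null;
```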
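--- a/trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java
+++ b/trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java
@@ -480,17 +480,19 @@
         KeyStore ks = getRootKeystore();
         // Search by alias (fast)
-        Certificate result = ks.getCertificate(certAmend.getWinAlias());
-        if (result == null && !NetworkManager.isOffline(OnlineResource.CERTIFICATES)) {
-            // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list
-            // A better, but a lot more complex method might be to get certificate list from Windows Registry with PowerShell
-            // using (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate').EncodedCtl)
-            // then decode it using CertUtil -dump or calling CertCreateCTLContext API using JNI, and finally find and decode the certificate
-            Logging.trace(webRequest(certAmend.getWebSite()));
-            // Reload Windows Trust Root Store and search again by alias (fast)
-            ks = getRootKeystore();
-            result = ks.getCertificate(certAmend.getWinAlias());
-        }
-        if (result instanceof X509Certificate) {
-            return (X509Certificate) result;
+        for (String winAlias : certAmend.getNativeAliases()) {
+            Certificate result = ks.getCertificate(winAlias);
+            if (result == null && !NetworkManager.isOffline(OnlineResource.CERTIFICATES)) {
+                // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list
+                // A better, but a lot more complex method might be to get certificate list from Windows Registry with PowerShell
+                // using (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate').EncodedCtl)
+                // then decode it using CertUtil -dump or calling CertCreateCTLContext API using JNI, and finally find and decode the certificate
+                Logging.trace(webRequest(certAmend.getWebSite()));
+                // Reload Windows Trust Root Store and search again by alias (fast)
+                ks = getRootKeystore();
+                result = ks.getCertificate(winAlias);
+            }
+            if (result instanceof X509Certificate) {
+                return (X509Certificate) result;
+            }
         }
         // If not found, search by SHA-256 (slower)
@@ -498,8 +500,8 @@
         for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
             String alias = aliases.nextElement();
-            result = ks.getCertificate(alias);
+            Certificate result = ks.getCertificate(alias);
             if (result instanceof X509Certificate
                     && certAmend.getSha256().equalsIgnoreCase(Utils.toHexString(md.digest(result.getEncoded())))) {
-                Logging.warn("Certificate not found for alias ''{0}'' but found for alias ''{1}''", certAmend.getWinAlias(), alias);
+                Logging.warn("Certificate not found for alias ''{0}'' but found for alias ''{1}''", certAmend.getNativeAliases(), alias);
                 return (X509Certificate) result;
             }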
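Review bot: In the loop at new lines 482-493 the trust-root refresh (`webRequest(certAmend.getWebSite())` followed by `getRootKeystore()`) runs once per alias that misses, so a root with two aliases that is not installed now costs two outbound requests and two keystore reloads instead of one. Trying every alias against the current store first and refreshing at most once keeps the network cost where it was; the enclosing method's signature and Javadoc lie above this hunk. Independently of that, the fast path still returns on a friendly-name match alone, and only the SHA-256 fallback at new line 504 verifies the digest; if the caller does not compare the returned certificate against `certAmend.getSha256()`, that check belongs here before returning. The warning at new line 505 now prints the whole collection, so its text could read `''Certificate not found for aliases {0} but found for alias ''{1}''''` to match.

```java
        KeyStore ks = getRootKeystore();
        // Search by alias (fast); on a miss, refresh the trust root store once and retry every alias
        for (int attempt = 0; attempt < 2; attempt++) {
            for (String winAlias : certAmend.getNativeAliases()) {
                Certificate result = ks.getCertificate(winAlias);
                if (result instanceof X509Certificate) {
                    return (X509Certificate) result;
                }
            }
            if (attempt > 0 || NetworkManager.isOffline(OnlineResource.CERTIFICATES)) {
                break;
            }
            // … unchanged: comments on forcing Windows to update its trust root store …
            Logging.trace(webRequest(certAmend.getWebSite()));
            // Reload Windows Trust Root Store and search again by alias (fast)
            ks = getRootKeystore();
        }
        // … unchanged: SHA-256 fallback …
```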