Changeset 16120 in josm


Timestamp:
2020-03-14T15:03:18+01:00 (17 months ago)
Author:
Don-vip
Message:

fix #18920 - load AC RAIZ FNMT-RCM from Spanish Royal Mint

Location:
trunk/src/org/openstreetmap/josm
Files:
4 edited

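--- a/trunk/src/org/openstreetmap/josm/gui/MainApplication.java
+++ b/trunk/src/org/openstreetmap/josm/gui/MainApplication.java
@@ -650,5 +650,5 @@
                 "\t--debug                                   "+tr("Print debugging messages to console")+"\n\n"+
                 "\t--skip-plugins                            "+tr("Skip loading plugins")+"\n\n"+
-                "\t--offline=<osm_api|josm_website|all>      "+tr("Disable access to the given resource(s), separated by comma")+"\n\n"+
+                "\t--offline=<osm_api|josm_website|certificates|all> "+tr("Disable access to the given resource(s), separated by comma")+"\n\n"+
                 tr("options provided as Java system properties")+":\n"+
                 align("\t-Djosm.dir.name=JOSM") + tr("Change the JOSM directory name") + "\n\n" +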
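--- a/trunk/src/org/openstreetmap/josm/gui/ProgramArguments.java
+++ b/trunk/src/org/openstreetmap/josm/gui/ProgramArguments.java
@@ -62,5 +62,5 @@
         /** --selection=&lt;searchstring&gt;           Select with the given search */
         SELECTION(true),
-        /** --offline=&lt;osm_api|josm_website|all&gt; Disable access to the given resource(s), delimited by comma */
+        /** --offline=&lt;osm_api|josm_website|certificates|all&gt; Disable access to the given resource(s), delimited by comma */
         OFFLINE(true),
         /** --skip-plugins */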
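--- a/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java
+++ b/trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java
@@ -151,6 +151,9 @@
      * Certificates looked into platform native keystore and not embedded in JOSM.
      * Identifiers must match Windows/macOS keystore aliases and Unix filenames for efficient search.
-     * To find correct values, see https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport
-     * and https://support.apple.com/en-us/HT208127
+     * To find correct values, see:<ul>
+     * <li><a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">Mozilla List</a></li>
+     * <li><a href="https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT">Microsoft List</a></li>
+     * <li><a href="https://support.apple.com/en-us/HT210770">Apple List</a></li>
+     * </ul>
      */
     private static final NativeCertAmend[] PLATFORM_CERT_AMEND = {
@@ -190,4 +193,9 @@
                 "3c5f81fea5fab82c64bfa2eaecafcde8e077fc8620a7cae537163df36edbf378",
                 "https://e-szigno.hu"),
+        // #18920 - Spanish Government - https://www.sede.fnmt.gob.es/descargas/certificados-raiz-de-la-fnmt
+        new NativeCertAmend(Collections.singleton("AC RAIZ FNMT-RCM"),
+                "AC_RAIZ_FNMT-RCM.pem",
+                "ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa",
+                "https://www.sede.fnmt.gob.es"),
     };
 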
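--- a/trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java
+++ b/trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java
@@ -53,4 +53,5 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -340,4 +341,5 @@
     public X509Certificate getX509Certificate(NativeCertAmend certAmend)
             throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
+        MessageDigest md = MessageDigest.getInstance("SHA-256");
         // Get Windows Trust Root Store
         KeyStore ks = getRootKeystore();
@@ -345,4 +347,11 @@
         for (String winAlias : certAmend.getNativeAliases()) {
             Certificate result = ks.getCertificate(winAlias);
+            // Check for SHA-256 signature, as sometimes Microsoft can ship several certificates with the same alias, for example:
+            // AC RAIZ FNMT-RCM: EBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA (SHA256)
+            // AC RAIZ FNMT-RCM: 4D9EBB28825C9643AB15D54E5F9614F13CB3E95DE3CF4EAC971301F320F9226E (SHA1)
+            if (!sha256matches(result, certAmend, md)) {
+                Logging.trace("Ignoring {0} as SHA-256 signature does not match", result);
+                result = null;
+            }
             if (result == null && !NetworkManager.isOffline(OnlineResource.CERTIFICATES)) {
                 // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list
@@ -360,10 +369,8 @@
         }
         // If not found, search by SHA-256 (slower)
-        MessageDigest md = MessageDigest.getInstance("SHA-256");
         for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
             String alias = aliases.nextElement();
             Certificate result = ks.getCertificate(alias);
-            if (result instanceof X509Certificate
-                    && certAmend.getSha256().equalsIgnoreCase(Utils.toHexString(md.digest(result.getEncoded())))) {
+            if (sha256matches(result, certAmend, md)) {
                 Logging.warn("Certificate not found for alias ''{0}'' but found for alias ''{1}''", certAmend.getNativeAliases(), alias);
                 return (X509Certificate) result;
@@ -372,4 +379,9 @@
         // Not found
         return null;
+    }
+
+    private static boolean sha256matches(Certificate result, NativeCertAmend certAmend, MessageDigest md) throws CertificateEncodingException {
+        return result instanceof X509Certificate
+                && certAmend.getSha256().equalsIgnoreCase(Utils.toHexString(md.digest(result.getEncoded())));
     }
 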
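Review bot: In the alias loop of getX509Certificate, `sha256matches` is evaluated even when `ks.getCertificate(winAlias)` returned null, so the ordinary "alias not present yet" case emits a trace line reading `Ignoring null as SHA-256 signature does not match` and then assigns null to an already-null variable; guarding it as `if (result != null && !sha256matches(result, certAmend, md)) {` keeps the trace meaningful and limits the message to the duplicate-alias case the comment describes. The retry that follows the web request (new lines 358-368) lies outside this hunk; if that path returns the re-fetched certificate directly, it presumably bypasses the fingerprint filter that this commit introduces, which is worth confirming since a refreshed trust list is exactly where the same-alias duplicate can appear. `sha256matches` is now the single place where the pinned fingerprint is compared, so a one-line Javadoc such as `/** Returns true iff {@code result} is an X.509 certificate whose SHA-256 fingerprint equals the value pinned in {@code certAmend}. */` would document that contract for both callers.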