Changeset 16120 in josm for trunk/src/org/openstreetmap/josm/tools

Timestamp:

2020-03-14T15:03:18+01:00 (6 years ago)

Author:

Don-vip

Message:

fix #18920 - load AC RAIZ FNMT-RCM from Spanish Royal Mint

File:

• trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java (modified) (5 diffs)

trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java

@@ -53 +53 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -340 +341 @@
     public X509Certificate getX509Certificate(NativeCertAmend certAmend)
             throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
+        MessageDigest md = MessageDigest.getInstance("SHA-256");
         // Get Windows Trust Root Store
         KeyStore ks = getRootKeystore();
@@ -345 +347 @@
         for (String winAlias : certAmend.getNativeAliases()) {
             Certificate result = ks.getCertificate(winAlias);
+            // Check for SHA-256 signature, as sometimes Microsoft can ship several certificates with the same alias, for example:
+            // AC RAIZ FNMT-RCM: EBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA (SHA256)
+            // AC RAIZ FNMT-RCM: 4D9EBB28825C9643AB15D54E5F9614F13CB3E95DE3CF4EAC971301F320F9226E (SHA1)
+            if (!sha256matches(result, certAmend, md)) {
+                Logging.trace("Ignoring {0} as SHA-256 signature does not match", result);
+                result = null;
+            }
             if (result == null && !NetworkManager.isOffline(OnlineResource.CERTIFICATES)) {
                 // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list
@@ -360 +369 @@
         }
         // If not found, search by SHA-256 (slower)
-        MessageDigest md = MessageDigest.getInstance("SHA-256");
         for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
             String alias = aliases.nextElement();
             Certificate result = ks.getCertificate(alias);
-            if (result instanceof X509Certificate
-                    && certAmend.getSha256().equalsIgnoreCase(Utils.toHexString(md.digest(result.getEncoded())))) {
+            if (sha256matches(result, certAmend, md)) {
                 Logging.warn("Certificate not found for alias ''{0}'' but found for alias ''{1}''", certAmend.getNativeAliases(), alias);
                 return (X509Certificate) result;
@@ -372 +379 @@
         // Not found
         return null;
+    }
+
+    private static boolean sha256matches(Certificate result, NativeCertAmend certAmend, MessageDigest md) throws CertificateEncodingException {
+        return result instanceof X509Certificate
+                && certAmend.getSha256().equalsIgnoreCase(Utils.toHexString(md.digest(result.getEncoded())));
     }