Changeset 7335 in josm for trunk/src/org/openstreetmap/josm/io

Timestamp:

2014-07-26T03:50:31+02:00 (10 years ago)

Author:

Don-vip

Message:

see #10230, see #10033 - big rework of HTTPS support for Remote Control:

• HTTPS disabled by default, must be enabled in remote control preferences
• Old certificate and private key removed from jar and Windows keystore if found, even if remote control disabled
• New certificate generated at runtime with critical X509 extensions BasicConstraints (non-CA certificate), ExtendedKeyUsage (usage restriction for TLS server sessions)
• New passwords generated at runtime (but stored in clear in user preferences)
• Private key is no longer stored in Windows keystore (only certificate)

Location:

trunk/src/org/openstreetmap/josm/io/remotecontrol

Files:

• RemoteControl.java (modified) (4 diffs)
• RemoteControlHttpsServer.java (modified) (9 diffs)

trunk/src/org/openstreetmap/josm/io/remotecontrol/RemoteControl.java

@@ -2 +2 @@
 package org.openstreetmap.josm.io.remotecontrol;
 
+import org.openstreetmap.josm.Main;
 import org.openstreetmap.josm.data.preferences.BooleanProperty;
 import org.openstreetmap.josm.io.remotecontrol.handler.RequestHandler;
@@ -11 +12 @@
  * and increment the major version and set minor to 0 on incompatible changes.
  */
-public class RemoteControl
-{
+public class RemoteControl {
+
     /**
      * If the remote control feature is enabled or disabled. If disabled,
@@ -18 +19 @@
      */
     public static final BooleanProperty PROP_REMOTECONTROL_ENABLED = new BooleanProperty("remotecontrol.enabled", false);
+
+    /**
+     * If the remote control feature is enabled or disabled for HTTPS. If disabled,
+     * only HTTP access will be available.
+     * @since 7335
+     */
+    public static final BooleanProperty PROP_REMOTECONTROL_HTTPS_ENABLED = new BooleanProperty("remotecontrol.https.enabled", false);
 
     /**
@@ -54 +62 @@
         RequestProcessor.addRequestHandlerClass(command, handlerClass);
     }
+
+    /**
+     * Returns the remote control directory.
+     * @return The remote control directory
+     * @since 7335
+     */
+    public static String getRemoteControlDir() {
+        return Main.pref.getPreferencesDir() + "remotecontrol/";
+    }
 }

trunk/src/org/openstreetmap/josm/io/remotecontrol/RemoteControlHttpsServer.java

@@ -7 +7 @@
 import java.io.IOException;
 import java.io.InputStream;
+import java.math.BigInteger;
 import java.net.BindException;
 import java.net.InetAddress;
@@ -12 +13 @@
 import java.net.Socket;
 import java.net.SocketException;
-import java.security.Key;
-import java.security.KeyManagementException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardOpenOption;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
 import java.security.KeyStore;
-import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
-import java.security.UnrecoverableEntryException;
+import java.security.SecureRandom;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Date;
 import java.util.Enumeration;
+import java.util.Vector;
 
 import javax.net.ssl.KeyManagerFactory;
@@ -32 +39 @@
 
 import org.openstreetmap.josm.Main;
+import org.openstreetmap.josm.data.preferences.StringProperty;
+
+import sun.security.util.ObjectIdentifier;
+import sun.security.x509.AlgorithmId;
+import sun.security.x509.BasicConstraintsExtension;
+import sun.security.x509.CertificateAlgorithmId;
+import sun.security.x509.CertificateExtensions;
+import sun.security.x509.CertificateIssuerName;
+import sun.security.x509.CertificateSerialNumber;
+import sun.security.x509.CertificateSubjectName;
+import sun.security.x509.CertificateValidity;
+import sun.security.x509.CertificateVersion;
+import sun.security.x509.CertificateX509Key;
+import sun.security.x509.DNSName;
+import sun.security.x509.ExtendedKeyUsageExtension;
+import sun.security.x509.GeneralName;
+import sun.security.x509.GeneralNameInterface;
+import sun.security.x509.GeneralNames;
+import sun.security.x509.IPAddressName;
+import sun.security.x509.OIDName;
+import sun.security.x509.SubjectAlternativeNameExtension;
+import sun.security.x509.URIName;
+import sun.security.x509.X500Name;
+import sun.security.x509.X509CertImpl;
+import sun.security.x509.X509CertInfo;
 
 /**
@@ -47 +79 @@
     private SSLContext sslContext;
 
-    private static final String KEYSTORE_PATH = "/data/josm.keystore";
-    private static final String KEYSTORE_PASSWORD = "josm_ssl";
+    private static final String KEYSTORE_FILENAME = "josm.keystore";
+
+    /**
+     * Preference for keystore password (automatically generated by JOSM).
+     * @since 7335
+     */
+    public StringProperty KEYSTORE_PASSWORD = new StringProperty("remotecontrol.https.keystore.password", "");
+
+    /**
+     * Preference for certificate password (automatically generated by JOSM).
+     * @since 7335
+     */
+    public StringProperty KEYENTRY_PASSWORD = new StringProperty("remotecontrol.https.keyentry.password", "");
+
+    /**
+     * Creates a GeneralName object from known types.
+     * @param t one of 4 known types
+     * @param v value
+     * @return which one
+     * @throws IOException
+     */
+    private static GeneralName createGeneralName(String t, String v) throws IOException {
+        GeneralNameInterface gn;
+        switch (t.toLowerCase()) {
+            case "uri": gn = new URIName(v); break;
+            case "dns": gn = new DNSName(v); break;
+            case "ip": gn = new IPAddressName(v); break;
+            default: gn = new OIDName(v);
+        }
+        return new GeneralName(gn);
+    }
+
+    /**
+     * Create a self-signed X.509 Certificate.
+     * @param dn the X.509 Distinguished Name, eg "CN=localhost, OU=JOSM, O=OpenStreetMap"
+     * @param pair the KeyPair
+     * @param days how many days from now the Certificate is valid for
+     * @param algorithm the signing algorithm, eg "SHA256withRSA"
+     * @param san SubjectAlternativeName extension (optional)
+     */
+    private static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm, String san) throws GeneralSecurityException, IOException {
+        PrivateKey privkey = pair.getPrivate();
+        X509CertInfo info = new X509CertInfo();
+        Date from = new Date();
+        Date to = new Date(from.getTime() + days * 86400000l);
+        CertificateValidity interval = new CertificateValidity(from, to);
+        BigInteger sn = new BigInteger(64, new SecureRandom());
+        X500Name owner = new X500Name(dn);
+
+        info.set(X509CertInfo.VALIDITY, interval);
+        info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
+        info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
+        info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
+        info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
+        info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
+        AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
+        info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
+
+        CertificateExtensions ext = new CertificateExtensions();
+        // Critical: Not CA, max path len 0
+        ext.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(true, false, 0));
+        // Critical: only allow TLS ("serverAuth" = 1.3.6.1.5.5.7.3.1)
+        ext.set(ExtendedKeyUsageExtension.NAME, new ExtendedKeyUsageExtension(true,
+                new Vector<ObjectIdentifier>(Arrays.asList(new ObjectIdentifier("1.3.6.1.5.5.7.3.1")))));
+
+        if (san != null) {
+            int colonpos;
+            String[] ps = san.split(",");
+            GeneralNames gnames = new GeneralNames();
+            for(String item: ps) {
+                colonpos = item.indexOf(':');
+                if (colonpos < 0) {
+                    throw new IllegalArgumentException("Illegal item " + item + " in " + san);
+                }
+                String t = item.substring(0, colonpos);
+                String v = item.substring(colonpos+1);
+                gnames.add(createGeneralName(t, v));
+            }
+            // Non critical
+            ext.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(false, gnames));
+        }
+
+        info.set(X509CertInfo.EXTENSIONS, ext);
+
+        // Sign the cert to identify the algorithm that's used.
+        X509CertImpl cert = new X509CertImpl(info);
+        cert.sign(privkey, algorithm);
+
+        // Update the algorithm, and resign.
+        algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
+        info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
+        cert = new X509CertImpl(info);
+        cert.sign(privkey, algorithm);
+        return cert;
+    }
 
     private void initialize() {
         if (!initOK) {
             try {
-                // Create new keystore
-                KeyStore ks = KeyStore.getInstance("JKS");
-                char[] password = KEYSTORE_PASSWORD.toCharArray();
-
-                // Load keystore generated with Java 7 keytool as follows:
-                // keytool -genkeypair -storepass josm_ssl -keypass josm_ssl -alias josm_localhost -dname "CN=localhost, OU=JOSM, O=OpenStreetMap"
-                // -ext san=ip:127.0.0.1 -keyalg RSA -validity 1825
-                try (InputStream in = RemoteControlHttpsServer.class.getResourceAsStream(KEYSTORE_PATH)) {
-                    if (in == null) {
-                        Main.error(tr("Unable to find JOSM keystore at {0}. Remote control will not be available on HTTPS.", KEYSTORE_PATH));
-                    } else {
-                        ks.load(in, password);
-
-                        if (Main.isDebugEnabled()) {
-                            for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
-                                Main.debug("Alias in keystore: "+aliases.nextElement());
-                            }
+                char[] storePassword = KEYSTORE_PASSWORD.get().toCharArray();
+                char[] entryPassword = KEYENTRY_PASSWORD.get().toCharArray();
+
+                Path dir = Paths.get(RemoteControl.getRemoteControlDir());
+                Path path = dir.resolve(KEYSTORE_FILENAME);
+                Files.createDirectories(dir);
+
+                if (!Files.exists(path)) {
+                    Main.debug("No keystore found, creating a new one");
+
+                    // Create new keystore like previous one generated with JDK keytool as follows:
+                    // keytool -genkeypair -storepass josm_ssl -keypass josm_ssl -alias josm_localhost -dname "CN=localhost, OU=JOSM, O=OpenStreetMap"
+                    // -ext san=ip:127.0.0.1 -keyalg RSA -validity 1825
+
+                    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
+                    generator.initialize(2048);
+                    KeyPair pair = generator.generateKeyPair();
+
+                    X509Certificate cert = generateCertificate("CN=localhost, OU=JOSM, O=OpenStreetMap", pair, 1825, "SHA256withRSA", "ip:127.0.0.1");
+
+                    KeyStore ks = KeyStore.getInstance("JKS");
+                    ks.load(null, null);
+
+                    // Generate new passwords. See https://stackoverflow.com/a/41156/2257172
+                    SecureRandom random = new SecureRandom();
+                    KEYSTORE_PASSWORD.put(new BigInteger(130, random).toString(32));
+                    KEYENTRY_PASSWORD.put(new BigInteger(130, random).toString(32));
+
+                    storePassword = KEYSTORE_PASSWORD.get().toCharArray();
+                    entryPassword = KEYENTRY_PASSWORD.get().toCharArray();
+
+                    ks.setKeyEntry("josm_localhost", pair.getPrivate(), entryPassword, new Certificate[]{cert});
+                    ks.store(Files.newOutputStream(path, StandardOpenOption.CREATE), storePassword);
+                }
+
+                try (InputStream in = Files.newInputStream(path)) {
+                    // Load keystore
+                    KeyStore ks = KeyStore.getInstance("JKS");
+                    ks.load(in, storePassword);
+
+                    if (Main.isDebugEnabled()) {
+                        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
+                            Main.debug("Alias in keystore: "+aliases.nextElement());
                         }
-
-                        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
-                        kmf.init(ks, password);
-
-                        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
-                        tmf.init(ks);
-
-                        sslContext = SSLContext.getInstance("TLS");
-                        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
-
-                        if (Main.isDebugEnabled()) {
-                            Main.debug("SSL Context protocol: " + sslContext.getProtocol());
-                            Main.debug("SSL Context provider: " + sslContext.getProvider());
-                        }
-
-                        Enumeration<String> aliases = ks.aliases();
-                        if (aliases.hasMoreElements()) {
-                            String aliasKey = aliases.nextElement();
-                            Key key = ks.getKey(aliasKey, password);
-                            Certificate[] chain = ks.getCertificateChain(aliasKey);
-                            Main.platform.setupHttpsCertificate(new KeyStore.PrivateKeyEntry((PrivateKey) key, chain));
-                        }
-
-                        initOK = true;
                     }
-                }
-            } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException |
-                    IOException | KeyManagementException | UnrecoverableEntryException e) {
+
+                    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+                    kmf.init(ks, entryPassword);
+
+                    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+                    tmf.init(ks);
+
+                    sslContext = SSLContext.getInstance("TLS");
+                    sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+
+                    if (Main.isTraceEnabled()) {
+                        Main.trace("SSL Context protocol: " + sslContext.getProtocol());
+                        Main.trace("SSL Context provider: " + sslContext.getProvider());
+                    }
+
+                    Enumeration<String> aliases = ks.aliases();
+                    if (aliases.hasMoreElements()) {
+                        Main.platform.setupHttpsCertificate(new KeyStore.TrustedCertificateEntry(ks.getCertificate(aliases.nextElement())));
+                    }
+
+                    initOK = true;
+                }
+            } catch (IOException | GeneralSecurityException e) {
                 Main.error(e);
             }
@@ -112 +259 @@
             stopRemoteControlHttpsServer();
 
-            instance = new RemoteControlHttpsServer(port);
-            if (instance.initOK) {
-                instance.start();
+            if (RemoteControl.PROP_REMOTECONTROL_HTTPS_ENABLED.get()) {
+                instance = new RemoteControlHttpsServer(port);
+                if (instance.initOK) {
+                    instance.start();
+                }
             }
         } catch (BindException ex) {
@@ -152 +301 @@
         initialize();
 
+        if (!initOK) {
+            Main.error(tr("Unable to initialize Remote Control HTTPS Server"));
+            return;
+        }
+
         // Create SSL Server factory
         SSLServerSocketFactory factory = sslContext.getServerSocketFactory();
-        if (Main.isDebugEnabled()) {
-            Main.debug("SSL factory - Supported Cipher suites: "+Arrays.toString(factory.getSupportedCipherSuites()));
+        if (Main.isTraceEnabled()) {
+            Main.trace("SSL factory - Supported Cipher suites: "+Arrays.toString(factory.getSupportedCipherSuites()));
         }
 
@@ -165 +319 @@
             InetAddress.getByName(Main.pref.get("remote.control.host", "localhost")));
 
-        if (Main.isDebugEnabled() && server instanceof SSLServerSocket) {
+        if (Main.isTraceEnabled() && server instanceof SSLServerSocket) {
             SSLServerSocket sslServer = (SSLServerSocket) server;
-            Main.debug("SSL server - Enabled Cipher suites: "+Arrays.toString(sslServer.getEnabledCipherSuites()));
-            Main.debug("SSL server - Enabled Protocols: "+Arrays.toString(sslServer.getEnabledProtocols()));
-            Main.debug("SSL server - Enable Session Creation: "+sslServer.getEnableSessionCreation());
-            Main.debug("SSL server - Need Client Auth: "+sslServer.getNeedClientAuth());
-            Main.debug("SSL server - Want Client Auth: "+sslServer.getWantClientAuth());
-            Main.debug("SSL server - Use Client Mode: "+sslServer.getUseClientMode());
+            Main.trace("SSL server - Enabled Cipher suites: "+Arrays.toString(sslServer.getEnabledCipherSuites()));
+            Main.trace("SSL server - Enabled Protocols: "+Arrays.toString(sslServer.getEnabledProtocols()));
+            Main.trace("SSL server - Enable Session Creation: "+sslServer.getEnableSessionCreation());
+            Main.trace("SSL server - Need Client Auth: "+sslServer.getNeedClientAuth());
+            Main.trace("SSL server - Want Client Auth: "+sslServer.getWantClientAuth());
+            Main.trace("SSL server - Use Client Mode: "+sslServer.getUseClientMode());
         }
     }
@@ -187 +341 @@
                 @SuppressWarnings("resource")
                 Socket request = server.accept();
-                if (Main.isDebugEnabled() && request instanceof SSLSocket) {
+                if (Main.isTraceEnabled() && request instanceof SSLSocket) {
                     SSLSocket sslSocket = (SSLSocket) request;
-                    Main.debug("SSL socket - Enabled Cipher suites: "+Arrays.toString(sslSocket.getEnabledCipherSuites()));
-                    Main.debug("SSL socket - Enabled Protocols: "+Arrays.toString(sslSocket.getEnabledProtocols()));
-                    Main.debug("SSL socket - Enable Session Creation: "+sslSocket.getEnableSessionCreation());
-                    Main.debug("SSL socket - Need Client Auth: "+sslSocket.getNeedClientAuth());
-                    Main.debug("SSL socket - Want Client Auth: "+sslSocket.getWantClientAuth());
-                    Main.debug("SSL socket - Use Client Mode: "+sslSocket.getUseClientMode());
-                    Main.debug("SSL socket - Session: "+sslSocket.getSession());
+                    Main.trace("SSL socket - Enabled Cipher suites: "+Arrays.toString(sslSocket.getEnabledCipherSuites()));
+                    Main.trace("SSL socket - Enabled Protocols: "+Arrays.toString(sslSocket.getEnabledProtocols()));
+                    Main.trace("SSL socket - Enable Session Creation: "+sslSocket.getEnableSessionCreation());
+                    Main.trace("SSL socket - Need Client Auth: "+sslSocket.getNeedClientAuth());
+                    Main.trace("SSL socket - Want Client Auth: "+sslSocket.getWantClientAuth());
+                    Main.trace("SSL socket - Use Client Mode: "+sslSocket.getUseClientMode());
+                    Main.trace("SSL socket - Session: "+sslSocket.getSession());
                 }
                 RequestProcessor.processRequest(request);
@@ -214 +368 @@
      */
     public void stopServer() throws IOException {
-        server.close();
-        Main.info(marktr("RemoteControl::Server (https) stopped."));
+        if (server != null) {
+            server.close();
+            Main.info(marktr("RemoteControl::Server (https) stopped."));
+        }
     }
 }