Index: trunk/src/org/openstreetmap/josm/Main.java =================================================================== --- trunk/src/org/openstreetmap/josm/Main.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/Main.java (revision 7335) @@ -1514,3 +1514,12 @@ return Main.platform instanceof PlatformHookOsx; } + + /** + * Determines if we are currently running on Windows. + * @return {@code true} if we are currently running on Windows + * @since 7335 + */ + public static boolean isPlatformWindows() { + return Main.platform instanceof PlatformHookWindows; + } } Index: trunk/src/org/openstreetmap/josm/actions/FullscreenToggleAction.java =================================================================== --- trunk/src/org/openstreetmap/josm/actions/FullscreenToggleAction.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/actions/FullscreenToggleAction.java (revision 7335) @@ -21,5 +21,4 @@ import org.openstreetmap.josm.Main; -import org.openstreetmap.josm.tools.PlatformHookWindows; import org.openstreetmap.josm.tools.Shortcut; @@ -77,5 +76,5 @@ } } - + boolean selected = isSelected(); @@ -95,5 +94,5 @@ // screen by default (it's a simulated mode, but should be ok) String exclusive = Main.pref.get("draw.fullscreen.exclusive-mode", "auto"); - if ("true".equals(exclusive) || ("auto".equals(exclusive) && !(Main.platform instanceof PlatformHookWindows))) { + if ("true".equals(exclusive) || ("auto".equals(exclusive) && !Main.isPlatformWindows())) { gd.setFullScreenWindow(selected ? frame : null); } Index: trunk/src/org/openstreetmap/josm/actions/RestartAction.java =================================================================== --- trunk/src/org/openstreetmap/josm/actions/RestartAction.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/actions/RestartAction.java (revision 7335) @@ -18,5 +18,4 @@ import org.openstreetmap.josm.gui.HelpAwareOptionPane.ButtonSpec; import org.openstreetmap.josm.tools.ImageProvider; -import org.openstreetmap.josm.tools.PlatformHookWindows; import org.openstreetmap.josm.tools.Shortcut; @@ -76,5 +75,5 @@ // java binary final String java = System.getProperty("java.home") + File.separator + "bin" + File.separator + - (Main.platform instanceof PlatformHookWindows ? "java.exe" : "java"); + (Main.isPlatformWindows() ? "java.exe" : "java"); if (!new File(java).isFile()) { throw new IOException("Unable to find suitable java runtime at "+java); Index: trunk/src/org/openstreetmap/josm/actions/ShowStatusReportAction.java =================================================================== --- trunk/src/org/openstreetmap/josm/actions/ShowStatusReportAction.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/actions/ShowStatusReportAction.java (revision 7335) @@ -31,5 +31,4 @@ import org.openstreetmap.josm.tools.OpenBrowser; import org.openstreetmap.josm.tools.PlatformHookUnixoid; -import org.openstreetmap.josm.tools.PlatformHookWindows; import org.openstreetmap.josm.tools.Shortcut; import org.openstreetmap.josm.tools.Utils; @@ -105,5 +104,5 @@ try { final String envJavaHome = System.getenv("JAVA_HOME"); - final String envJavaHomeAlt = Main.platform instanceof PlatformHookWindows ? "%JAVA_HOME%" : "${JAVA_HOME}"; + final String envJavaHomeAlt = Main.isPlatformWindows() ? "%JAVA_HOME%" : "${JAVA_HOME}"; final String propJavaHome = System.getProperty("java.home"); final String propJavaHomeAlt = ""; @@ -160,11 +159,8 @@ try { Map> settings = Main.pref.getAllSettings(); - settings.remove("osm-server.username"); - settings.remove("osm-server.password"); - settings.remove("oauth.access-token.key"); - settings.remove("oauth.access-token.secret"); Set keys = new HashSet<>(settings.keySet()); for (String key : keys) { - if (key.startsWith("marker.show")) { + // Remove sensitive information from status report + if (key.startsWith("marker.show") || key.contains("username") || key.contains("password") || key.contains("access-token")) { settings.remove(key); } Index: trunk/src/org/openstreetmap/josm/data/validation/OsmValidator.java =================================================================== --- trunk/src/org/openstreetmap/josm/data/validation/OsmValidator.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/data/validation/OsmValidator.java (revision 7335) @@ -145,7 +145,7 @@ /** - * Returns the plugin's directory of the plugin + * Returns the validator directory. * - * @return The directory of the plugin + * @return The validator directory */ public static String getValidatorDir() { Index: trunk/src/org/openstreetmap/josm/gui/MainApplication.java =================================================================== --- trunk/src/org/openstreetmap/josm/gui/MainApplication.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/gui/MainApplication.java (revision 7335) @@ -13,4 +13,5 @@ import java.awt.event.WindowEvent; import java.io.File; +import java.io.IOException; import java.io.InputStream; import java.net.Authenticator; @@ -19,7 +20,10 @@ import java.security.AllPermission; import java.security.CodeSource; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; import java.security.PermissionCollection; import java.security.Permissions; import java.security.Policy; +import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.Collection; @@ -59,4 +63,5 @@ import org.openstreetmap.josm.tools.ImageProvider; import org.openstreetmap.josm.tools.OsmUrlToBounds; +import org.openstreetmap.josm.tools.PlatformHookWindows; import org.openstreetmap.josm.tools.Utils; @@ -323,6 +328,4 @@ // Enable JOSM debug level logLevel = 4; - // Enable debug in OAuth signpost - Preferences.updateSystemProperty("debug", "true"); Main.info(tr("Printing debugging messages to console")); } @@ -331,4 +334,6 @@ // Enable JOSM debug level logLevel = 5; + // Enable debug in OAuth signpost via system preference, but only at trace level + Preferences.updateSystemProperty("debug", "true"); Main.info(tr("Enabled detailed debug level (trace)")); } @@ -435,4 +440,14 @@ SwingUtilities.invokeLater(new GuiFinalizationWorker(args, proxySelector)); + + if (Main.isPlatformWindows()) { + try { + // Check for insecure certificates to remove. + // This is Windows-dependant code but it can't go to preStartupHook (need i18n) neither startupHook (need to be called before remote control) + ((PlatformHookWindows)Main.platform).removeInsecureCertificates(); + } catch (NoSuchAlgorithmException | CertificateException | KeyStoreException | IOException e) { + error(e); + } + } if (RemoteControl.PROP_REMOTECONTROL_ENABLED.get()) { Index: trunk/src/org/openstreetmap/josm/gui/preferences/remotecontrol/RemoteControlPreference.java =================================================================== --- trunk/src/org/openstreetmap/josm/gui/preferences/remotecontrol/RemoteControlPreference.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/gui/preferences/remotecontrol/RemoteControlPreference.java (revision 7335) @@ -28,4 +28,5 @@ import org.openstreetmap.josm.io.remotecontrol.PermissionPrefWithDefault; import org.openstreetmap.josm.io.remotecontrol.RemoteControl; +import org.openstreetmap.josm.io.remotecontrol.RemoteControlHttpsServer; import org.openstreetmap.josm.io.remotecontrol.handler.RequestHandler; import org.openstreetmap.josm.tools.GBC; @@ -59,4 +60,5 @@ private final Map prefs = new LinkedHashMap<>(); private JCheckBox enableRemoteControl; + private JCheckBox enableHttpsSupport; private JCheckBox loadInNewLayer = new JCheckBox(tr("Download objects to new layer")); private JCheckBox alwaysAskUserConfirm = new JCheckBox(tr("Confirm all Remote Control actions manually")); @@ -89,5 +91,9 @@ remote.add(wrapper, GBC.eol().fill(GBC.HORIZONTAL).insets(5, 5, 5, 5)); - wrapper.add(new JLabel(tr("Permitted actions:")), GBC.eol()); + enableHttpsSupport = new JCheckBox(tr("Enable HTTPS support"), RemoteControl.PROP_REMOTECONTROL_HTTPS_ENABLED.get()); + wrapper.add(enableHttpsSupport, GBC.eol().fill(GBC.HORIZONTAL)); + wrapper.add(new JSeparator(), GBC.eop().fill(GBC.HORIZONTAL).insets(15, 5, 15, 5)); + + wrapper.add(new JLabel(tr("Permitted actions:")), GBC.eol().insets(5, 0, 0, 0)); for (JCheckBox p : prefs.values()) { wrapper.add(p, GBC.eol().insets(15, 5, 0, 0).fill(GBC.HORIZONTAL)); @@ -120,5 +126,7 @@ public boolean ok() { boolean enabled = enableRemoteControl.isSelected(); + boolean httpsEnabled = enableHttpsSupport.isSelected(); boolean changed = RemoteControl.PROP_REMOTECONTROL_ENABLED.put(enabled); + boolean httpsChanged = RemoteControl.PROP_REMOTECONTROL_HTTPS_ENABLED.put(httpsEnabled); if (enabled) { for (Entry p : prefs.entrySet()) { @@ -134,4 +142,10 @@ RemoteControl.stop(); } + } else if (httpsChanged) { + if (httpsEnabled) { + RemoteControlHttpsServer.restartRemoteControlHttpsServer(); + } else { + RemoteControlHttpsServer.stopRemoteControlHttpsServer(); + } } return false; Index: trunk/src/org/openstreetmap/josm/io/remotecontrol/RemoteControl.java =================================================================== --- trunk/src/org/openstreetmap/josm/io/remotecontrol/RemoteControl.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/io/remotecontrol/RemoteControl.java (revision 7335) @@ -2,4 +2,5 @@ package org.openstreetmap.josm.io.remotecontrol; +import org.openstreetmap.josm.Main; import org.openstreetmap.josm.data.preferences.BooleanProperty; import org.openstreetmap.josm.io.remotecontrol.handler.RequestHandler; @@ -11,6 +12,6 @@ * and increment the major version and set minor to 0 on incompatible changes. */ -public class RemoteControl -{ +public class RemoteControl { + /** * If the remote control feature is enabled or disabled. If disabled, @@ -18,4 +19,11 @@ */ public static final BooleanProperty PROP_REMOTECONTROL_ENABLED = new BooleanProperty("remotecontrol.enabled", false); + + /** + * If the remote control feature is enabled or disabled for HTTPS. If disabled, + * only HTTP access will be available. + * @since 7335 + */ + public static final BooleanProperty PROP_REMOTECONTROL_HTTPS_ENABLED = new BooleanProperty("remotecontrol.https.enabled", false); /** @@ -54,3 +62,12 @@ RequestProcessor.addRequestHandlerClass(command, handlerClass); } + + /** + * Returns the remote control directory. + * @return The remote control directory + * @since 7335 + */ + public static String getRemoteControlDir() { + return Main.pref.getPreferencesDir() + "remotecontrol/"; + } } Index: trunk/src/org/openstreetmap/josm/io/remotecontrol/RemoteControlHttpsServer.java =================================================================== --- trunk/src/org/openstreetmap/josm/io/remotecontrol/RemoteControlHttpsServer.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/io/remotecontrol/RemoteControlHttpsServer.java (revision 7335) @@ -7,4 +7,5 @@ import java.io.IOException; import java.io.InputStream; +import java.math.BigInteger; import java.net.BindException; import java.net.InetAddress; @@ -12,15 +13,21 @@ import java.net.Socket; import java.net.SocketException; -import java.security.Key; -import java.security.KeyManagementException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.nio.file.StandardOpenOption; +import java.security.GeneralSecurityException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; import java.security.KeyStore; -import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; -import java.security.UnrecoverableEntryException; +import java.security.SecureRandom; import java.security.cert.Certificate; -import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; import java.util.Arrays; +import java.util.Date; import java.util.Enumeration; +import java.util.Vector; import javax.net.ssl.KeyManagerFactory; @@ -32,4 +39,29 @@ import org.openstreetmap.josm.Main; +import org.openstreetmap.josm.data.preferences.StringProperty; + +import sun.security.util.ObjectIdentifier; +import sun.security.x509.AlgorithmId; +import sun.security.x509.BasicConstraintsExtension; +import sun.security.x509.CertificateAlgorithmId; +import sun.security.x509.CertificateExtensions; +import sun.security.x509.CertificateIssuerName; +import sun.security.x509.CertificateSerialNumber; +import sun.security.x509.CertificateSubjectName; +import sun.security.x509.CertificateValidity; +import sun.security.x509.CertificateVersion; +import sun.security.x509.CertificateX509Key; +import sun.security.x509.DNSName; +import sun.security.x509.ExtendedKeyUsageExtension; +import sun.security.x509.GeneralName; +import sun.security.x509.GeneralNameInterface; +import sun.security.x509.GeneralNames; +import sun.security.x509.IPAddressName; +import sun.security.x509.OIDName; +import sun.security.x509.SubjectAlternativeNameExtension; +import sun.security.x509.URIName; +import sun.security.x509.X500Name; +import sun.security.x509.X509CertImpl; +import sun.security.x509.X509CertInfo; /** @@ -47,56 +79,171 @@ private SSLContext sslContext; - private static final String KEYSTORE_PATH = "/data/josm.keystore"; - private static final String KEYSTORE_PASSWORD = "josm_ssl"; + private static final String KEYSTORE_FILENAME = "josm.keystore"; + + /** + * Preference for keystore password (automatically generated by JOSM). + * @since 7335 + */ + public StringProperty KEYSTORE_PASSWORD = new StringProperty("remotecontrol.https.keystore.password", ""); + + /** + * Preference for certificate password (automatically generated by JOSM). + * @since 7335 + */ + public StringProperty KEYENTRY_PASSWORD = new StringProperty("remotecontrol.https.keyentry.password", ""); + + /** + * Creates a GeneralName object from known types. + * @param t one of 4 known types + * @param v value + * @return which one + * @throws IOException + */ + private static GeneralName createGeneralName(String t, String v) throws IOException { + GeneralNameInterface gn; + switch (t.toLowerCase()) { + case "uri": gn = new URIName(v); break; + case "dns": gn = new DNSName(v); break; + case "ip": gn = new IPAddressName(v); break; + default: gn = new OIDName(v); + } + return new GeneralName(gn); + } + + /** + * Create a self-signed X.509 Certificate. + * @param dn the X.509 Distinguished Name, eg "CN=localhost, OU=JOSM, O=OpenStreetMap" + * @param pair the KeyPair + * @param days how many days from now the Certificate is valid for + * @param algorithm the signing algorithm, eg "SHA256withRSA" + * @param san SubjectAlternativeName extension (optional) + */ + private static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm, String san) throws GeneralSecurityException, IOException { + PrivateKey privkey = pair.getPrivate(); + X509CertInfo info = new X509CertInfo(); + Date from = new Date(); + Date to = new Date(from.getTime() + days * 86400000l); + CertificateValidity interval = new CertificateValidity(from, to); + BigInteger sn = new BigInteger(64, new SecureRandom()); + X500Name owner = new X500Name(dn); + + info.set(X509CertInfo.VALIDITY, interval); + info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn)); + info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner)); + info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner)); + info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic())); + info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3)); + AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid); + info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo)); + + CertificateExtensions ext = new CertificateExtensions(); + // Critical: Not CA, max path len 0 + ext.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(true, false, 0)); + // Critical: only allow TLS ("serverAuth" = 1.3.6.1.5.5.7.3.1) + ext.set(ExtendedKeyUsageExtension.NAME, new ExtendedKeyUsageExtension(true, + new Vector(Arrays.asList(new ObjectIdentifier("1.3.6.1.5.5.7.3.1"))))); + + if (san != null) { + int colonpos; + String[] ps = san.split(","); + GeneralNames gnames = new GeneralNames(); + for(String item: ps) { + colonpos = item.indexOf(':'); + if (colonpos < 0) { + throw new IllegalArgumentException("Illegal item " + item + " in " + san); + } + String t = item.substring(0, colonpos); + String v = item.substring(colonpos+1); + gnames.add(createGeneralName(t, v)); + } + // Non critical + ext.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(false, gnames)); + } + + info.set(X509CertInfo.EXTENSIONS, ext); + + // Sign the cert to identify the algorithm that's used. + X509CertImpl cert = new X509CertImpl(info); + cert.sign(privkey, algorithm); + + // Update the algorithm, and resign. + algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG); + info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo); + cert = new X509CertImpl(info); + cert.sign(privkey, algorithm); + return cert; + } private void initialize() { if (!initOK) { try { - // Create new keystore - KeyStore ks = KeyStore.getInstance("JKS"); - char[] password = KEYSTORE_PASSWORD.toCharArray(); - - // Load keystore generated with Java 7 keytool as follows: - // keytool -genkeypair -storepass josm_ssl -keypass josm_ssl -alias josm_localhost -dname "CN=localhost, OU=JOSM, O=OpenStreetMap" - // -ext san=ip:127.0.0.1 -keyalg RSA -validity 1825 - try (InputStream in = RemoteControlHttpsServer.class.getResourceAsStream(KEYSTORE_PATH)) { - if (in == null) { - Main.error(tr("Unable to find JOSM keystore at {0}. Remote control will not be available on HTTPS.", KEYSTORE_PATH)); - } else { - ks.load(in, password); - - if (Main.isDebugEnabled()) { - for (Enumeration aliases = ks.aliases(); aliases.hasMoreElements();) { - Main.debug("Alias in keystore: "+aliases.nextElement()); - } + char[] storePassword = KEYSTORE_PASSWORD.get().toCharArray(); + char[] entryPassword = KEYENTRY_PASSWORD.get().toCharArray(); + + Path dir = Paths.get(RemoteControl.getRemoteControlDir()); + Path path = dir.resolve(KEYSTORE_FILENAME); + Files.createDirectories(dir); + + if (!Files.exists(path)) { + Main.debug("No keystore found, creating a new one"); + + // Create new keystore like previous one generated with JDK keytool as follows: + // keytool -genkeypair -storepass josm_ssl -keypass josm_ssl -alias josm_localhost -dname "CN=localhost, OU=JOSM, O=OpenStreetMap" + // -ext san=ip:127.0.0.1 -keyalg RSA -validity 1825 + + KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA"); + generator.initialize(2048); + KeyPair pair = generator.generateKeyPair(); + + X509Certificate cert = generateCertificate("CN=localhost, OU=JOSM, O=OpenStreetMap", pair, 1825, "SHA256withRSA", "ip:127.0.0.1"); + + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(null, null); + + // Generate new passwords. See https://stackoverflow.com/a/41156/2257172 + SecureRandom random = new SecureRandom(); + KEYSTORE_PASSWORD.put(new BigInteger(130, random).toString(32)); + KEYENTRY_PASSWORD.put(new BigInteger(130, random).toString(32)); + + storePassword = KEYSTORE_PASSWORD.get().toCharArray(); + entryPassword = KEYENTRY_PASSWORD.get().toCharArray(); + + ks.setKeyEntry("josm_localhost", pair.getPrivate(), entryPassword, new Certificate[]{cert}); + ks.store(Files.newOutputStream(path, StandardOpenOption.CREATE), storePassword); + } + + try (InputStream in = Files.newInputStream(path)) { + // Load keystore + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(in, storePassword); + + if (Main.isDebugEnabled()) { + for (Enumeration aliases = ks.aliases(); aliases.hasMoreElements();) { + Main.debug("Alias in keystore: "+aliases.nextElement()); } - - KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); - kmf.init(ks, password); - - TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); - tmf.init(ks); - - sslContext = SSLContext.getInstance("TLS"); - sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); - - if (Main.isDebugEnabled()) { - Main.debug("SSL Context protocol: " + sslContext.getProtocol()); - Main.debug("SSL Context provider: " + sslContext.getProvider()); - } - - Enumeration aliases = ks.aliases(); - if (aliases.hasMoreElements()) { - String aliasKey = aliases.nextElement(); - Key key = ks.getKey(aliasKey, password); - Certificate[] chain = ks.getCertificateChain(aliasKey); - Main.platform.setupHttpsCertificate(new KeyStore.PrivateKeyEntry((PrivateKey) key, chain)); - } - - initOK = true; } - } - } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | - IOException | KeyManagementException | UnrecoverableEntryException e) { + + KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); + kmf.init(ks, entryPassword); + + TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); + tmf.init(ks); + + sslContext = SSLContext.getInstance("TLS"); + sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); + + if (Main.isTraceEnabled()) { + Main.trace("SSL Context protocol: " + sslContext.getProtocol()); + Main.trace("SSL Context provider: " + sslContext.getProvider()); + } + + Enumeration aliases = ks.aliases(); + if (aliases.hasMoreElements()) { + Main.platform.setupHttpsCertificate(new KeyStore.TrustedCertificateEntry(ks.getCertificate(aliases.nextElement()))); + } + + initOK = true; + } + } catch (IOException | GeneralSecurityException e) { Main.error(e); } @@ -112,7 +259,9 @@ stopRemoteControlHttpsServer(); - instance = new RemoteControlHttpsServer(port); - if (instance.initOK) { - instance.start(); + if (RemoteControl.PROP_REMOTECONTROL_HTTPS_ENABLED.get()) { + instance = new RemoteControlHttpsServer(port); + if (instance.initOK) { + instance.start(); + } } } catch (BindException ex) { @@ -152,8 +301,13 @@ initialize(); + if (!initOK) { + Main.error(tr("Unable to initialize Remote Control HTTPS Server")); + return; + } + // Create SSL Server factory SSLServerSocketFactory factory = sslContext.getServerSocketFactory(); - if (Main.isDebugEnabled()) { - Main.debug("SSL factory - Supported Cipher suites: "+Arrays.toString(factory.getSupportedCipherSuites())); + if (Main.isTraceEnabled()) { + Main.trace("SSL factory - Supported Cipher suites: "+Arrays.toString(factory.getSupportedCipherSuites())); } @@ -165,12 +319,12 @@ InetAddress.getByName(Main.pref.get("remote.control.host", "localhost"))); - if (Main.isDebugEnabled() && server instanceof SSLServerSocket) { + if (Main.isTraceEnabled() && server instanceof SSLServerSocket) { SSLServerSocket sslServer = (SSLServerSocket) server; - Main.debug("SSL server - Enabled Cipher suites: "+Arrays.toString(sslServer.getEnabledCipherSuites())); - Main.debug("SSL server - Enabled Protocols: "+Arrays.toString(sslServer.getEnabledProtocols())); - Main.debug("SSL server - Enable Session Creation: "+sslServer.getEnableSessionCreation()); - Main.debug("SSL server - Need Client Auth: "+sslServer.getNeedClientAuth()); - Main.debug("SSL server - Want Client Auth: "+sslServer.getWantClientAuth()); - Main.debug("SSL server - Use Client Mode: "+sslServer.getUseClientMode()); + Main.trace("SSL server - Enabled Cipher suites: "+Arrays.toString(sslServer.getEnabledCipherSuites())); + Main.trace("SSL server - Enabled Protocols: "+Arrays.toString(sslServer.getEnabledProtocols())); + Main.trace("SSL server - Enable Session Creation: "+sslServer.getEnableSessionCreation()); + Main.trace("SSL server - Need Client Auth: "+sslServer.getNeedClientAuth()); + Main.trace("SSL server - Want Client Auth: "+sslServer.getWantClientAuth()); + Main.trace("SSL server - Use Client Mode: "+sslServer.getUseClientMode()); } } @@ -187,13 +341,13 @@ @SuppressWarnings("resource") Socket request = server.accept(); - if (Main.isDebugEnabled() && request instanceof SSLSocket) { + if (Main.isTraceEnabled() && request instanceof SSLSocket) { SSLSocket sslSocket = (SSLSocket) request; - Main.debug("SSL socket - Enabled Cipher suites: "+Arrays.toString(sslSocket.getEnabledCipherSuites())); - Main.debug("SSL socket - Enabled Protocols: "+Arrays.toString(sslSocket.getEnabledProtocols())); - Main.debug("SSL socket - Enable Session Creation: "+sslSocket.getEnableSessionCreation()); - Main.debug("SSL socket - Need Client Auth: "+sslSocket.getNeedClientAuth()); - Main.debug("SSL socket - Want Client Auth: "+sslSocket.getWantClientAuth()); - Main.debug("SSL socket - Use Client Mode: "+sslSocket.getUseClientMode()); - Main.debug("SSL socket - Session: "+sslSocket.getSession()); + Main.trace("SSL socket - Enabled Cipher suites: "+Arrays.toString(sslSocket.getEnabledCipherSuites())); + Main.trace("SSL socket - Enabled Protocols: "+Arrays.toString(sslSocket.getEnabledProtocols())); + Main.trace("SSL socket - Enable Session Creation: "+sslSocket.getEnableSessionCreation()); + Main.trace("SSL socket - Need Client Auth: "+sslSocket.getNeedClientAuth()); + Main.trace("SSL socket - Want Client Auth: "+sslSocket.getWantClientAuth()); + Main.trace("SSL socket - Use Client Mode: "+sslSocket.getUseClientMode()); + Main.trace("SSL socket - Session: "+sslSocket.getSession()); } RequestProcessor.processRequest(request); @@ -214,6 +368,8 @@ */ public void stopServer() throws IOException { - server.close(); - Main.info(marktr("RemoteControl::Server (https) stopped.")); + if (server != null) { + server.close(); + Main.info(marktr("RemoteControl::Server (https) stopped.")); + } } } Index: trunk/src/org/openstreetmap/josm/tools/OpenBrowser.java =================================================================== --- trunk/src/org/openstreetmap/josm/tools/OpenBrowser.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/tools/OpenBrowser.java (revision 7335) @@ -44,5 +44,5 @@ if (Desktop.isDesktopSupported()) { try { - if (Main.platform instanceof PlatformHookWindows) { + if (Main.isPlatformWindows()) { // Desktop API works fine under Windows, so we don't try any fallback in case of I/O exceptions because it's not API's fault Desktop.getDesktop().browse(uri); Index: trunk/src/org/openstreetmap/josm/tools/PlatformHook.java =================================================================== --- trunk/src/org/openstreetmap/josm/tools/PlatformHook.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/tools/PlatformHook.java (revision 7335) @@ -109,5 +109,5 @@ /** * Setup system keystore to add JOSM HTTPS certificate (for remote control). - * @param privateKeyEntry the JOSM certificate for localhost and associated private key + * @param trustedCert the JOSM certificate for localhost * @throws KeyStoreException in case of error * @throws IOException in case of error @@ -116,5 +116,5 @@ * @since 7206 */ - public void setupHttpsCertificate(KeyStore.PrivateKeyEntry privateKeyEntry) + public void setupHttpsCertificate(KeyStore.TrustedCertificateEntry trustedCert) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException; } Index: trunk/src/org/openstreetmap/josm/tools/PlatformHookUnixoid.java =================================================================== --- trunk/src/org/openstreetmap/josm/tools/PlatformHookUnixoid.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/tools/PlatformHookUnixoid.java (revision 7335) @@ -358,5 +358,5 @@ @Override - public void setupHttpsCertificate(KeyStore.PrivateKeyEntry privateKeyEntry) + public void setupHttpsCertificate(KeyStore.TrustedCertificateEntry trustedCert) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException { // TODO setup HTTPS certificate on Unix systems Index: trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java =================================================================== --- trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java (revision 7333) +++ trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java (revision 7335) @@ -30,10 +30,20 @@ import java.io.File; import java.io.IOException; +import java.security.InvalidKeyException; +import java.security.KeyFactory; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; -import java.security.cert.Certificate; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.SignatureException; import java.security.cert.CertificateException; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.X509EncodedKeySpec; +import java.util.ArrayList; +import java.util.Collection; import java.util.Enumeration; + +import javax.swing.JOptionPane; import org.openstreetmap.josm.Main; @@ -44,4 +54,30 @@ */ public class PlatformHookWindows extends PlatformHookUnixoid implements PlatformHook { + + private static final byte[] INSECURE_PUBLIC_KEY = new byte[] { + 0x30, (byte) 0x82, 0x1, 0x22, 0x30, 0xd, 0x6, 0x9, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0xd, 0x1, 0x1, 0x1, 0x5, 0x0, 0x3, (byte) 0x82, 0x1, 0xf, 0x0, + 0x30, (byte) 0x82, 0x01, 0x0a, 0x02, (byte) 0x82, 0x01, 0x01, 0x00, (byte) 0x95, (byte) 0x95, (byte) 0x88, + (byte) 0x84, (byte) 0xc8, (byte) 0xd9, 0x6b, (byte) 0xc5, (byte) 0xda, 0x0b, 0x69, (byte) 0xbf, (byte) 0xfc, 0x7e, (byte) 0xb9, (byte) 0x96, 0x2c, (byte) 0xeb, (byte) 0x8f, + (byte) 0xbc, 0x6e, 0x40, (byte) 0xe6, (byte) 0xe2, (byte) 0xfc, (byte) 0xf1, 0x7f, 0x73, (byte) 0xa7, (byte) 0x9d, (byte) 0xde, (byte) 0xc7, (byte) 0x88, + 0x57, 0x51, (byte) 0x84, (byte) 0xed, (byte) 0x96, (byte) 0xfb, (byte) 0xe1, 0x38, (byte) 0xef, 0x08, 0x2b, (byte) 0xf3, (byte) 0xc7, (byte) 0xc3, + 0x5d, (byte) 0xfe, (byte) 0xf9, 0x51, (byte) 0xe6, 0x29, (byte) 0xfc, (byte) 0xe5, 0x0d, (byte) 0xa1, 0x0d, (byte) 0xa8, (byte) 0xb4, (byte) 0xae, + 0x26, 0x18, 0x19, 0x4d, 0x6c, 0x0c, 0x3b, 0x12, (byte) 0xba, (byte) 0xbc, 0x5f, 0x32, (byte) 0xb3, (byte) 0xbe, + (byte) 0x9d, 0x17, 0x0d, 0x4d, 0x2f, 0x1a, 0x48, (byte) 0xb7, (byte) 0xac, (byte) 0xf7, 0x1a, 0x43, 0x01, (byte) 0x97, + (byte) 0xf4, (byte) 0xf8, 0x4c, (byte) 0xbb, 0x6a, (byte) 0xbc, 0x33, (byte) 0xe1, 0x73, 0x1e, (byte) 0x86, (byte) 0xfb, 0x2e, (byte) 0xb1, + 0x63, 0x75, (byte) 0x85, (byte) 0xdc, (byte) 0x82, 0x6c, 0x28, (byte) 0xf1, (byte) 0xe3, (byte) 0x90, 0x63, (byte) 0x9d, 0x3d, 0x48, + (byte) 0x8a, (byte) 0x8c, 0x47, (byte) 0xe2, 0x10, 0x0b, (byte) 0xef, (byte) 0x91, (byte) 0x94, (byte) 0xb0, 0x6c, 0x4c, (byte) 0x80, 0x76, + 0x03, (byte) 0xe1, (byte) 0xb6, (byte) 0x90, (byte) 0x87, (byte) 0xd9, (byte) 0xae, (byte) 0xf4, (byte) 0x8e, (byte) 0xe0, (byte) 0x9f, (byte) 0xe7, 0x3a, 0x2c, + 0x2f, 0x21, (byte) 0xd4, 0x46, (byte) 0xba, (byte) 0x95, 0x70, (byte) 0xa9, 0x5b, 0x20, 0x2a, (byte) 0xfa, 0x52, 0x3e, + (byte) 0x9d, (byte) 0xd9, (byte) 0xef, 0x28, (byte) 0xc5, (byte) 0xd1, 0x60, (byte) 0x89, 0x68, 0x6e, 0x7f, (byte) 0xd7, (byte) 0x9e, (byte) 0x89, + 0x4c, (byte) 0xeb, 0x4d, (byte) 0xd2, (byte) 0xc6, (byte) 0xf4, 0x2d, 0x02, 0x5d, (byte) 0xda, (byte) 0xde, 0x33, (byte) 0xfe, (byte) 0xc1, + 0x7e, (byte) 0xde, 0x4f, 0x1f, (byte) 0x9b, 0x6e, 0x6f, 0x0f, 0x66, 0x71, 0x19, (byte) 0xe9, 0x43, 0x3c, + (byte) 0x83, 0x0a, 0x0f, 0x28, 0x21, (byte) 0xc8, 0x38, (byte) 0xd3, 0x4e, 0x48, (byte) 0xdf, (byte) 0xd4, (byte) 0x99, (byte) 0xb5, + (byte) 0xc6, (byte) 0x8d, (byte) 0xd4, (byte) 0xc1, 0x69, 0x58, 0x79, (byte) 0x82, 0x32, (byte) 0x82, (byte) 0xd4, (byte) 0x86, (byte) 0xe2, 0x04, + 0x08, 0x63, (byte) 0x87, (byte) 0xf0, 0x2a, (byte) 0xf6, (byte) 0xec, 0x3e, 0x51, 0x0f, (byte) 0xda, (byte) 0xb4, 0x67, 0x19, + 0x5e, 0x16, 0x02, (byte) 0x9f, (byte) 0xf1, 0x19, 0x0c, 0x3e, (byte) 0xb8, 0x04, 0x49, 0x07, 0x53, 0x02, + 0x03, 0x01, 0x00, 0x01 + }; + + private static final String WINDOWS_ROOT = "Windows-ROOT"; @Override @@ -138,14 +174,88 @@ } - @Override - public void setupHttpsCertificate(KeyStore.PrivateKeyEntry privateKeyEntry) - throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException { - KeyStore ks = KeyStore.getInstance("Windows-ROOT"); + /** + * Loads Windows-ROOT keystore. + * @return Windows-ROOT keystore + * @throws NoSuchAlgorithmException if the algorithm used to check the integrity of the keystore cannot be found + * @throws CertificateException if any of the certificates in the keystore could not be loaded + * @throws IOException if there is an I/O or format problem with the keystore data, if a password is required but not given + * @throws KeyStoreException if no Provider supports a KeyStore implementation for the type "Windows-ROOT" + */ + private KeyStore getWindowsKeystore() throws NoSuchAlgorithmException, CertificateException, IOException, KeyStoreException { + KeyStore ks = KeyStore.getInstance(WINDOWS_ROOT); ks.load(null, null); + return ks; + } + + /** + * Removes potential insecure certificates installed with previous versions of JOSM on Windows. + * @throws NoSuchAlgorithmException on unsupported signature algorithms + * @throws CertificateException if any of the certificates in the Windows keystore could not be loaded + * @throws KeyStoreException if no Provider supports a KeyStoreSpi implementation for the type "Windows-ROOT" + * @throws IOException if there is an I/O or format problem with the keystore data, if a password is required but not given + * @since 7335 + */ + public void removeInsecureCertificates() throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException { + // We offered before a public private key we need now to remove from Windows PCs as it might be a huge security risk (see #10230) + PublicKey insecurePubKey = null; + try { + insecurePubKey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(INSECURE_PUBLIC_KEY)); + } catch (InvalidKeySpecException | NoSuchAlgorithmException e) { + Main.error(e); + return; + } + KeyStore ks = getWindowsKeystore(); Enumeration en = ks.aliases(); + Collection insecureCertificates = new ArrayList<>(); while (en.hasMoreElements()) { String alias = en.nextElement(); - Certificate c = ks.getCertificate(alias); - if (ks.isKeyEntry(alias) && c.equals(privateKeyEntry.getCertificate())) { + // Look for certificates associated with a private key + if (ks.isKeyEntry(alias)) { + try { + ks.getCertificate(alias).verify(insecurePubKey); + // If no exception, this is a certificate signed with the insecure key -> remove it + insecureCertificates.add(alias); + } catch (InvalidKeyException | NoSuchProviderException | SignatureException e) { + // If exception this is not a certificate related to JOSM, just trace it + Main.trace(alias + " --> " + e.getClass().getName()); + } + } + } + // Remove insecure certificates + if (!insecureCertificates.isEmpty()) { + StringBuilder message = new StringBuilder(""); + message.append(tr("A previous version of JOSM has installed a custom certificate in order to provide HTTPS support for Remote Control:")); + message.append("
    "); + for (String alias : insecureCertificates) { + message.append("
  • "); + message.append(alias); + message.append("
    • "); + } + message.append("
"); + message.append(tr("It appears it could be an important security risk.

"+ + "You are now going to be prompted by Windows to remove this insecure certificate.
For your own safety, please click Yes in next dialog.")); + message.append(""); + JOptionPane.showMessageDialog(Main.parent, message.toString(), tr("Warning"), JOptionPane.WARNING_MESSAGE); + for (String alias : insecureCertificates) { + Main.warn(tr("Removing insecure certificate from {0} keystore: {1}", WINDOWS_ROOT, alias)); + try { + ks.deleteEntry(alias); + } catch (KeyStoreException e) { + Main.error(tr("Unable to remove insecure certificate from keystore: {0}", e.getMessage())); + } + } + } + } + + @Override + public void setupHttpsCertificate(KeyStore.TrustedCertificateEntry trustedCert) + throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException { + KeyStore ks = getWindowsKeystore(); + Enumeration en = ks.aliases(); + + while (en.hasMoreElements()) { + String alias = en.nextElement(); + // Look for certificate to install + if (ks.isKeyEntry(alias) && ks.getCertificate(alias).equals(trustedCert.getTrustedCertificate())) { // JOSM certificate found, return return; @@ -153,6 +263,6 @@ } // JOSM certificate not found, install it - Main.info("Adding JOSM localhost certificate to Windows-ROOT keystore"); - ks.setEntry("josm_localhost", privateKeyEntry, new KeyStore.PasswordProtection("josm_ssl".toCharArray())); + Main.info(tr("Adding JOSM localhost certificate to {0} keystore", WINDOWS_ROOT)); + ks.setEntry("josm_localhost", trustedCert, null); } }