/hg/icedtea6: Patch to detect certificate CN mismatches and offe...
cpdev-commits at icedtea.classpath.org
cpdev-commits at icedtea.classpath.org
Tue Aug 25 07:22:45 PDT 2009
changeset 65c5650a98c2 in /hg/icedtea6
details: http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=65c5650a98c2
summary: Patch to detect certificate CN mismatches and offer user the choice to ignore
diffstat:
4 files changed, 180 insertions(+), 26 deletions(-)
ChangeLog | 25 ++
rt/net/sourceforge/jnlp/resources/Messages.properties | 1
rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java | 83 +++++++-
rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java | 97 ++++++++--
diffs (367 lines):
diff -r 8362dc30d8d3 -r 65c5650a98c2 ChangeLog
--- a/ChangeLog Tue Aug 25 10:20:21 2009 -0400
+++ b/ChangeLog Tue Aug 25 10:26:42 2009 -0400
@@ -1,3 +1,26 @@ 2009-08-25 Deepak Bhole <dbhole at redhat
+2009-08-25 Deepak Bhole <dbhole at redhat.com>
+
+ * rt/net/sourceforge/jnlp/resources/Messages.properties: Add new
+ message key for CN name mismatches.
+ * rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java
+ (HttpsCertVerifier): Accept new parameters that indicate certificate trust
+ status, CN mismatch status, and the hostname.
+ (getAlreadyTrustPublisher): Use provided isTrusted boolean to get around
+ checkServerTrusted() synchronization.
+ (getDetails): Include details about CN mismatch.
+ (getNamesForCert): New private method. Returns all acceptable names for
+ a given X509Certificate.
+ (R): Overloaded the method to return messages that have 2 variables.
+ * rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java: Extend
+ X509ExtendedTrustManager rather than X509TrustManager.
+ (checkClientTrusted): Overloaded method with one that takes a hostname.
+ (checkServerTrusted): Same. The new overloaded method also checks for CN
+ mismatch if the certificate is not explicitly trusted.
+ (isExplicitlyTrusted): Returns if the given certificate chain is part of
+ the local user trusted DB.
+ (askUser): Change parameters to accept information about trust, host match
+ status, and hostname.
+
2009-08-25 Deepak Bhole <dbhole at redhat.com>
* rt/net/sourceforge/jnlp/JNLPFile.java: Add a new key variable that is
@@ -176,7 +199,7 @@ 2009-08-14 Deepak Bhole <dbhole at redhat.
(convertToNPVariant): New function. Narrows given java type to an
NPVariant as per type conversion specifications.
(sendMember): Remove unnecessary heap allocations and use function stack
- instead.
+ instead.
(storeVariantInJava): New function. Given an NPVariant, does the
appropriate conversion and saves it on the Java side. Arrays are not yet
handled.
diff -r 8362dc30d8d3 -r 65c5650a98c2 rt/net/sourceforge/jnlp/resources/Messages.properties
--- a/rt/net/sourceforge/jnlp/resources/Messages.properties Tue Aug 25 10:20:21 2009 -0400
+++ b/rt/net/sourceforge/jnlp/resources/Messages.properties Tue Aug 25 10:26:42 2009 -0400
@@ -168,6 +168,7 @@ SNotYetValidCert=Resources contain entri
SNotYetValidCert=Resources contain entries whose signer certificate is not yet valid.
SUntrustedCertificate=The digital signature was generated with an untrusted certificate.
STrustedCertificate=The digital signature was generated with a trusted certificate.
+SCNMisMatch=The expected hostname for this certificate is: "{0}"<BR>The address being connected to is: "{1}"
SRunWithoutRestrictions=This application will be run without the security restrictions normally provided by java.
diff -r 8362dc30d8d3 -r 65c5650a98c2 rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java
--- a/rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java Tue Aug 25 10:20:21 2009 -0400
+++ b/rt/net/sourceforge/jnlp/security/HttpsCertVerifier.java Tue Aug 25 10:26:42 2009 -0400
@@ -37,38 +37,49 @@ exception statement from your version.
package net.sourceforge.jnlp.security;
+import java.io.IOException;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
import net.sourceforge.jnlp.runtime.JNLPRuntime;
import net.sourceforge.jnlp.tools.KeyTool;
+import sun.security.util.DerValue;
+import sun.security.util.HostnameChecker;
+import sun.security.x509.X500Name;
public class HttpsCertVerifier implements CertVerifier {
private VariableX509TrustManager tm;
private X509Certificate[] chain;
private String authType;
+ private String hostName;
+ private boolean isTrusted;
+ private boolean hostMatched;
private ArrayList<String> details = new ArrayList<String>();
- public HttpsCertVerifier(VariableX509TrustManager tm, X509Certificate[] chain, String authType) {
+ public HttpsCertVerifier(VariableX509TrustManager tm,
+ X509Certificate[] chain, String authType,
+ boolean isTrusted, boolean hostMatched,
+ String hostName) {
this.tm = tm;
this.chain = chain;
this.authType = authType;
+ this.hostName = hostName;
+ this.isTrusted = isTrusted;
+ this.hostMatched = hostMatched;
}
public boolean getAlreadyTrustPublisher() {
- try {
- tm.checkServerTrusted(chain, authType, true);
- return true;
- } catch (CertificateException ce) {
- return false;
- }
+ return isTrusted;
}
public ArrayList<CertPath> getCerts() {
@@ -91,10 +102,12 @@ public class HttpsCertVerifier implement
}
public ArrayList<String> getDetails() {
+
boolean hasExpiredCert=false;
boolean hasExpiringCert=false;
boolean notYetValidCert=false;
boolean isUntrusted=false;
+ boolean CNMisMatch = !hostMatched;
if (! getAlreadyTrustPublisher())
isUntrusted = true;
@@ -121,7 +134,9 @@ public class HttpsCertVerifier implement
}
}
- if (isUntrusted || hasExpiredCert || hasExpiringCert || notYetValidCert) {
+ String altNames = getNamesForCert(chain[0]);
+
+ if (isUntrusted || hasExpiredCert || hasExpiringCert || notYetValidCert || CNMisMatch) {
if (isUntrusted)
addToDetails(R("SUntrustedCertificate"));
if (hasExpiredCert)
@@ -130,10 +145,54 @@ public class HttpsCertVerifier implement
addToDetails(R("SHasExpiringCert"));
if (notYetValidCert)
addToDetails(R("SNotYetValidCert"));
- }
+ if (CNMisMatch)
+ addToDetails(R("SCNMisMatch", altNames, this.hostName));
+ }
+
+
return details;
}
+ private String getNamesForCert(X509Certificate c) {
+
+ String names = "";
+
+
+ // We use the specification from
+ // http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/X509Certificate.html#getSubjectAlternativeNames()
+ // to determine the type of address
+ int ALTNAME_DNS = 2;
+ int ALTNAME_IP = 7;
+
+ try {
+ Collection<List<?>> subjAltNames = c.getSubjectAlternativeNames();
+ X500Name subjectName = HostnameChecker.getSubjectX500Name(c);
+ DerValue derValue = subjectName.findMostSpecificAttribute
+ (X500Name.commonName_oid);
+ names += derValue.getAsString();
+
+ if (subjAltNames != null) {
+ for (List<?> next : subjAltNames) {
+ if ( ((Integer)next.get(0)).intValue() == ALTNAME_IP ||
+ ((Integer)next.get(0)).intValue() == ALTNAME_DNS
+ ) {
+ names += ", " + (String)next.get(1);
+ }
+ }
+ }
+
+ if (subjAltNames != null)
+ names = names.substring(2); // remove proceeding ", "
+
+ } catch (CertificateParsingException cpe) {
+ cpe.printStackTrace();
+ } catch (IOException ioe) {
+ ioe.printStackTrace();
+ }
+
+ return names;
+ }
+
private void addToDetails(String detail) {
if (!details.contains(detail))
details.add(detail);
@@ -141,6 +200,10 @@ public class HttpsCertVerifier implement
private static String R(String key) {
return JNLPRuntime.getMessage(key);
+ }
+
+ private static String R(String key, String arg1, String arg2) {
+ return JNLPRuntime.getMessage(key, new Object[] { arg1, arg2 });
}
public Certificate getPublisher() {
diff -r 8362dc30d8d3 -r 65c5650a98c2 rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java
--- a/rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java Tue Aug 25 10:20:21 2009 -0400
+++ b/rt/net/sourceforge/jnlp/security/VariableX509TrustManager.java Tue Aug 25 10:26:42 2009 -0400
@@ -47,7 +47,10 @@ import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
+import sun.security.util.HostnameChecker;
import sun.security.validator.ValidatorException;
+
+import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager;
/**
* This class implements an X509 Trust Manager. The certificates it trusts are
@@ -55,7 +58,7 @@ import sun.security.validator.ValidatorE
* different certificates that are not in the keystore.
*/
-public class VariableX509TrustManager implements X509TrustManager {
+public class VariableX509TrustManager extends X509ExtendedTrustManager {
KeyStore userKeyStore = null;
KeyStore caKeyStore = null;
@@ -112,11 +115,11 @@ public class VariableX509TrustManager im
}
/**
- * Check if client is trusted (not support for custom here, only system/user)
- */
- public void checkClientTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
-
+ * Check if client is trusted (no support for custom here, only system/user)
+ */
+ public void checkClientTrusted(X509Certificate[] chain, String authType,
+ String hostName, String algorithm)
+ throws CertificateException {
// First try catrustmanager, then try usertrustmanager
try {
caTrustManager.checkClientTrusted(chain, authType);
@@ -131,9 +134,20 @@ public class VariableX509TrustManager im
}
}
+ public void checkClientTrusted(X509Certificate[] chain, String authType)
+ throws CertificateException {
+ checkClientTrusted(chain, authType, null, null);
+ }
+
+ public void checkServerTrusted(X509Certificate[] chain, String authType,
+ String hostName, String algorithm)
+ throws CertificateException {
+ checkServerTrusted(chain, authType, hostName, false);
+ }
+
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
- checkServerTrusted(chain, authType, false);
+ checkServerTrusted(chain, authType, null, null);
}
/**
@@ -143,17 +157,44 @@ public class VariableX509TrustManager im
* @param authType The auth type algorithm
* @param checkOnly Whether to "check only" i.e. no user prompt, or to prompt for permission
*/
- public synchronized void checkServerTrusted(X509Certificate[] chain, String authType, boolean checkOnly) throws CertificateException {
+ public synchronized void checkServerTrusted(X509Certificate[] chain,
+ String authType, String hostName,
+ boolean checkOnly) throws CertificateException {
+ CertificateException ce = null;
+ boolean trusted = true;
+ boolean CNMatched = true;
+
try {
checkAllManagers(chain, authType);
- } catch (CertificateException ce) {
-
+ } catch (CertificateException e) {
+ trusted = false;
+ ce = e;
+ }
+
+ // If the certificate is not explicitly trusted, we
+ // need to prompt the user
+ if (!isExplicitlyTrusted(chain, authType)) {
+
+ try {
+ HostnameChecker checker = HostnameChecker
+ .getInstance(HostnameChecker.TYPE_TLS);
+
+ checker.match(hostName, chain[0]); // only need to match @ 0 for
+ // CN
+
+ } catch (CertificateException e) {
+ CNMatched = false;
+ ce = e;
+ }
+ }
+
+ if (!trusted || !CNMatched) {
if (checkOnly) {
throw ce;
} else {
- boolean b = askUser(chain,authType);
-
+ boolean b = askUser(chain, authType, trusted, CNMatched, hostName);
+
if (b) {
temporarilyTrust(chain[0]);
}
@@ -162,7 +203,7 @@ public class VariableX509TrustManager im
}
}
}
-
+
/**
* Check system, user and custom trust manager
*/
@@ -179,6 +220,26 @@ public class VariableX509TrustManager im
}
}
}
+
+ /**
+ * Return if the user explicitly trusted this i.e. in userTrustManager or temporarilyTrusted
+ */
+ private boolean isExplicitlyTrusted(X509Certificate[] chain, String authType) {
+ boolean explicitlyTrusted = false;
+
+ try {
+ userTrustManager.checkServerTrusted(chain, authType);
+ explicitlyTrusted = true;
+ } catch (ValidatorException uex) {
+ if (temporarilyTrusted.contains(chain[0]))
+ explicitlyTrusted = true;
+ } catch (CertificateException ce) {
+ // do nothing, this means that the cert is not explicitly trusted
+ }
+
+ return explicitlyTrusted;
+
+ }
public X509Certificate[] getAcceptedIssuers() {
// delegate to default
@@ -201,8 +262,14 @@ public class VariableX509TrustManager im
* @param authType The authentication algorithm
* @return user's response
*/
- private boolean askUser(X509Certificate[] chain, String authType) {
- return SecurityWarningDialog.showCertWarningDialog(SecurityWarningDialog.AccessType.UNVERIFIED, null, new HttpsCertVerifier(this, chain, authType));
+ private boolean askUser(X509Certificate[] chain, String authType,
+ boolean isTrusted, boolean hostMatched,
+ String hostName) {
+ return SecurityWarningDialog.showCertWarningDialog(
+ SecurityWarningDialog.AccessType.UNVERIFIED, null,
+ new HttpsCertVerifier(this, chain, authType,
+ isTrusted, hostMatched,
+ hostName));
}
/**
More information about the distro-pkg-dev
mailing list