[icedtea-web] RFC: integrate support for multiple KeyStores into the various validators
Deepak Bhole
dbhole at redhat.com
Thu Nov 11 07:42:21 PST 2010
* Omair Majid <omajid at redhat.com> [2010-11-11 10:39]:
> On 11/11/2010 10:02 AM, Deepak Bhole wrote:
> >* Omair Majid<omajid at redhat.com> [2010-11-11 09:53]:
> >>On 11/11/2010 08:42 AM, Deepak Bhole wrote:
> >>
> >...
> >>I based this code off code in KeyTool, and yes, it is slightly
> >>confusing. A KeyStore can be considered a HashMap: it maps a String,
> >>the alias, to a Certificate. The code first checks if the
> >>certificate already exists by trying to find an alias for the given
> >>certificate. If an alias is found, we know the certificate is in the
> >>KeyStore already. If the certificate is not in the KeyStore, we want
> >>to add a new entry to the HashMap, but we do not want to overwrite
> >>an existing certificate. So we create random aliases until we get an
> >>alias which has no mapping in the HashMap.
> >>
> >
> >
> >Ah okay then.
> >
> >>>Also, those methods should not be public static as untrusted apps could
> >>>access them. The keystores shouldn't be either (if they are, either now
> >>>or from before).
> >>>
> >>
> >>I dont think this will be a problem. For one, every time it is
> >>called, it reads the configuration (which untrusted apps are not
> >>allowed to do) and then it reads the keystore from the disk (which
> >>untrusted apps are not allowed to do). Making it non-public would
> >>mean it can not be used by classes in other packages (for example,
> >>JarSigner is in net.sourceforge.jnlp.tools and it uses this class).
> >>Please let me know if this is not enough; I will see what else I can
> >>do.
> >>
> >
> >Reliance on other methods to do security is bad imo. There is no
> >guarantee that the design will stay the same, If it changes and another
> >way to do those functions is implemented, security may be compromised.
> >It is fine to keep them public for other class usage, but please add an
> >AllPermission check in that case.
> >
>
> That's true. On further consideration, I dont think any methods in
> CertificateUtils need security checks though. They all operate on
> generic Certificate or KeyStore objects. There is nothing here that
> is netx specific or that an untrusted application could not do by
> itself. The actual action of obtaining the netx-specific KeyStores
> to operate on is the responsibility of KeyStores (see comment below
> for more about that). Do you think I should add checks anyway?
>
Ah okay. Nope, in that case no security checks are needed for those
functions!
> >>>>+ /**
> >>>>+ * Checks whether an X509Certificate is already in one of the keystores
> >>>>+ * @param c the certificate
> >>>>+ * @param keyStores the KeyStores to check in
> >>>>+ * @return true if the certificate is present in one of the keystores, false otherwise
> >>>>+ */
> >>>>+ public static final boolean inKeyStores(X509Certificate c, KeyStore[] keyStores) {
> >>>>+ for (int i = 0; i< keyStores.length; i++) {
> >...
> >>>
> >>>
> >>>What does printRfc represent? And if it's always true, why the else?
> >>>
> >>
> >>This code was originally from net.sourceforge.jnlp.tools.KeyTool and
> >>was moved over to CertificateUtils. n.s.j.t.KeyTool was adapted from
> >>sun.security.tools.KeyTool which allows dumping certificate in more
> >>than one format. printRfc indicates that the certifcate should be
> >>dumped in the RFC 4945 format
> >>(http://tools.ietf.org/html/rfc4945#section-6.1). Since this is the
> >>only option we support, I have removed that if condition; it is
> >>fixed in the updated patch.
> >>
> >
> >Great!
> >
> >...
> >...
> >>>
> >>>Should something like this be public static? Untrusted apps will be able
> >>>to access it and modify it...
> >>>
> >>
> >>I dont think this is a problem. getClientKeyStores() calls
> >>getKeyStore() which reads the configuration (which untrusted apps
> >>are not allowed to do) and then reads the acutal keystore from disk
> >>(which untrusted apps are again not allowed to do). So I dont think
> >>untrusted apps can actually get access to these keystores. If
> >>untrusted apps call getClientKeyStores (or the related methods
> >>getCAKeyStores or getCertKeyStores), they should get a
> >>SecurityException from DeploymentConfiguration.
> >>
> >>A KeyStore is an in-memory version of a keystore file on disk. Even
> >>if untrusted apps were somehow able to access it, saving the
> >>contents to disk would require permissions to write to disk.
> >>
> >
> >Same as with above. An AllPermission check in that case..
> >
>
> Yes, that's a good point. Thanks for pointing it out. I have added
> an AllPermission check in getKeyStore(Level,Type,boolean) which
> almost all public methods end up calling to access the KeyStores.
> The only public methods that dont call this check are
> getKeyStoreLocation (which is supposed to query the configuration
> object) and toTranslatableString and toDisplayableString (which are
> translation methods). Do you see any problems with this scheme?
>
Translation methods don't need a check. But getKeyStoreLocation... can
that me made to return a location in user.home/* ? If so, it provides
access to user.home indirectly and needs a check.
> >>>>+ /**
> >>>> * Returns the location of a KeyStore corresponding to the given level and type.
> >>>> * @param level
> >>>> * @param type
> >>>>@@ -334,4 +357,5 @@
> >>>> return ks;
> >>>> }
> >>>>
> >>>>+
> >>>> }
> >>>Rest looks fine to me.
> >>>
> >>
> >>Oh, and just to clarify something which might not have been obvious
> >>from the patch - in general, netx does not cache KeyStores. When it
> >>needs to make a security decision related to certificates, it will
> >>create appropriate KeyStore objects, do whatever operation it needs
> >>to and then discard the KeyStore. This is not true for
> >>VariableX509TrustManager, but it is true for JarSigner, Certificate
> >>Viewer and the various security prompts.
> >>
> >
> >That is fine. Normally I am all for optimizing by reducing disk access,
> >but in this case I think the decision is valid. Other apps may update
> >the keystore while one is running, in which case the running one should
> >have the latest information (especially if another app deleted a cert).
> >Perhaps VariableX509 should be changed to do the same?
> >
>
> That's a good point. I would like to do that in a separate patch if
> possible - this patch keeps the semantics of KeyStore caching as
> they were before.
>
Sure! It should definitely be in a separate patch/
> >Also, are the trust store files locked when write happens? If not, they
> >should be.
> >
>
> They are not locked right now. I will take a look at this and post a
> patch for this separately.
>
Awesome, thanks!
Cheers,
Deepak
> Omair,
> Omair
> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/runtime/Boot.java
> --- a/netx/net/sourceforge/jnlp/runtime/Boot.java Wed Nov 10 16:24:53 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/runtime/Boot.java Thu Nov 11 10:36:55 2010 -0500
> @@ -172,20 +172,6 @@
> JNLPRuntime.setForksAllowed(false);
> }
>
> - // wire in custom authenticator
> - try {
> - SSLSocketFactory sslSocketFactory;
> - SSLContext context = SSLContext.getInstance("SSL");
> - TrustManager[] trust = new TrustManager[] { VariableX509TrustManager.getInstance() };
> - context.init(null, trust, null);
> - sslSocketFactory = context.getSocketFactory();
> -
> - HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
> - } catch (Exception e) {
> - System.err.println("Unable to set SSLSocketfactory (may _prevent_ access to sites that should be trusted)! Continuing anyway...");
> - e.printStackTrace();
> - }
> -
> JNLPRuntime.setInitialArgments(Arrays.asList(argsIn));
>
> // do in a privileged action to clear the security context of
> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Wed Nov 10 16:24:53 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Thu Nov 11 10:36:55 2010 -0500
> @@ -26,12 +26,17 @@
> import java.security.*;
> import javax.jnlp.*;
> import javax.naming.ConfigurationException;
> +import javax.net.ssl.HttpsURLConnection;
> +import javax.net.ssl.SSLContext;
> +import javax.net.ssl.SSLSocketFactory;
> +import javax.net.ssl.TrustManager;
> import javax.swing.UIManager;
> import javax.swing.text.html.parser.ParserDelegator;
>
> import net.sourceforge.jnlp.*;
> import net.sourceforge.jnlp.cache.*;
> import net.sourceforge.jnlp.security.SecurityDialogMessageHandler;
> +import net.sourceforge.jnlp.security.VariableX509TrustManager;
> import net.sourceforge.jnlp.services.*;
> import net.sourceforge.jnlp.util.*;
>
> @@ -223,6 +228,20 @@
>
> securityDialogMessageHandler = startSecurityThreads();
>
> + // wire in custom authenticator
> + try {
> + SSLSocketFactory sslSocketFactory;
> + SSLContext context = SSLContext.getInstance("SSL");
> + TrustManager[] trust = new TrustManager[] { VariableX509TrustManager.getInstance() };
> + context.init(null, trust, null);
> + sslSocketFactory = context.getSocketFactory();
> +
> + HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
> + } catch (Exception e) {
> + System.err.println("Unable to set SSLSocketfactory (may _prevent_ access to sites that should be trusted)! Continuing anyway...");
> + e.printStackTrace();
> + }
> +
> initialized = true;
>
> }
> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/CertWarningPane.java
> --- a/netx/net/sourceforge/jnlp/security/CertWarningPane.java Wed Nov 10 16:24:53 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/security/CertWarningPane.java Thu Nov 11 10:36:55 2010 -0500
> @@ -47,6 +47,9 @@
> import java.awt.GridLayout;
> import java.awt.event.ActionEvent;
> import java.awt.event.ActionListener;
> +import java.io.FileOutputStream;
> +import java.io.OutputStream;
> +import java.security.KeyStore;
> import java.security.cert.Certificate;
> import java.security.cert.X509Certificate;
>
> @@ -62,6 +65,8 @@
> import net.sourceforge.jnlp.JNLPFile;
> import net.sourceforge.jnlp.PluginBridge;
> import net.sourceforge.jnlp.runtime.JNLPRuntime;
> +import net.sourceforge.jnlp.security.KeyStores.Level;
> +import net.sourceforge.jnlp.security.KeyStores.Type;
> import net.sourceforge.jnlp.security.SecurityWarning.AccessType;
> import net.sourceforge.jnlp.tools.KeyTool;
>
> @@ -232,25 +237,28 @@
> }
> }
>
> - /**
> - * Updates the user's KeyStore of trusted Certificates.
> - */
> - private class CheckBoxListener implements ActionListener {
> - public void actionPerformed(ActionEvent e) {
> - if (alwaysTrust != null && alwaysTrust.isSelected()) {
> - try {
> - KeyTool kt = new KeyTool();
> - Certificate c = parent.getJarSigner().getPublisher();
> - kt.importCert(c);
> - if (JNLPRuntime.isDebug()) {
> - System.out.println("certificate is now permanently trusted");
> - }
> - } catch (Exception ex) {
> - //TODO: Let NetX show a dialog here notifying user
> - //about being unable to add cert to keystore
> - }
> - }
> + /**
> + * Updates the user's KeyStore of trusted Certificates.
> + */
> + private class CheckBoxListener implements ActionListener {
> + public void actionPerformed(ActionEvent e) {
> + if (alwaysTrust != null && alwaysTrust.isSelected()) {
> + try {
> + KeyStore ks = KeyStores.getKeyStore(Level.USER, Type.CERTS);
> + X509Certificate c = (X509Certificate) parent.getJarSigner().getPublisher();
> + CertificateUtils.addToKeyStore(c, ks);
> + OutputStream os = new FileOutputStream(KeyStores.getKeyStoreLocation(Level.USER, Type.CERTS));
> + ks.store(os, KeyStores.getPassword());
> + if (JNLPRuntime.isDebug()) {
> + System.out.println("certificate is now permanently trusted");
> + }
> + } catch (Exception ex) {
> + // TODO: Let NetX show a dialog here notifying user
> + // about being unable to add cert to keystore
> + ex.printStackTrace();
> }
> + }
> }
> + }
>
> }
> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/CertificateUtils.java
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++ b/netx/net/sourceforge/jnlp/security/CertificateUtils.java Thu Nov 11 10:36:55 2010 -0500
> @@ -0,0 +1,140 @@
> +/* CertificateUtils.java
> + Copyright (C) 2010 Red Hat, Inc.
> +
> +This file is part of IcedTea.
> +
> +IcedTea is free software; you can redistribute it and/or
> +modify it under the terms of the GNU General Public License as published by
> +the Free Software Foundation, version 2.
> +
> +IcedTea is distributed in the hope that it will be useful,
> +but WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +General Public License for more details.
> +
> +You should have received a copy of the GNU General Public License
> +along with IcedTea; see the file COPYING. If not, write to
> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> +02110-1301 USA.
> +
> +Linking this library statically or dynamically with other modules is
> +making a combined work based on this library. Thus, the terms and
> +conditions of the GNU General Public License cover the whole
> +combination.
> +
> +As a special exception, the copyright holders of this library give you
> +permission to link this library with independent modules to produce an
> +executable, regardless of the license terms of these independent
> +modules, and to copy and distribute the resulting executable under
> +terms of your choice, provided that you also meet, for each linked
> +independent module, the terms and conditions of the license of that
> +module. An independent module is a module which is not derived from
> +or based on this library. If you modify this library, you may extend
> +this exception to your version of the library, but you are not
> +obligated to do so. If you do not wish to do so, delete this
> +exception statement from your version.
> +*/
> +
> +package net.sourceforge.jnlp.security;
> +
> +import java.io.BufferedInputStream;
> +import java.io.File;
> +import java.io.FileInputStream;
> +import java.io.IOException;
> +import java.io.PrintStream;
> +import java.math.BigInteger;
> +import java.security.KeyStore;
> +import java.security.KeyStoreException;
> +import java.security.cert.Certificate;
> +import java.security.cert.CertificateException;
> +import java.security.cert.CertificateFactory;
> +import java.security.cert.X509Certificate;
> +import java.util.Random;
> +
> +import net.sourceforge.jnlp.runtime.JNLPRuntime;
> +
> +import sun.misc.BASE64Encoder;
> +import sun.security.provider.X509Factory;
> +
> +public class CertificateUtils {
> + /**
> + * Adds the X509Certficate in the file to the KeyStore. Note that it does
> + * not update the copy of the KeyStore on disk.
> + */
> + public static final void addToKeyStore(File file, KeyStore ks) throws CertificateException,
> + IOException, KeyStoreException {
> + if (JNLPRuntime.isDebug()) {
> + System.out.println("Importing certificate from " + file + " into " + ks);
> + }
> +
> + BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file));
> + CertificateFactory cf = CertificateFactory.getInstance("X509");
> + X509Certificate cert = null;
> +
> + try {
> + cert = (X509Certificate) cf.generateCertificate(bis);
> + } catch (ClassCastException cce) {
> + throw new CertificateException("Input file is not an X509 Certificate", cce);
> + }
> +
> + addToKeyStore(cert, ks);
> + }
> +
> + /**
> + * Adds an X509Certificate to the KeyStore. Note that it does not update the
> + * copy of the KeyStore on disk.
> + */
> + public static final void addToKeyStore(X509Certificate cert, KeyStore ks)
> + throws KeyStoreException {
> + if (JNLPRuntime.isDebug()) {
> + System.out.println("Importing " + cert.getSubjectX500Principal().getName());
> + }
> +
> + String alias = null;
> + Random random = new Random();
> + alias = ks.getCertificateAlias(cert);
> + if (alias != null) {
> + return;
> + }
> +
> + do {
> + alias = new BigInteger(20, random).toString();
> + } while (ks.getCertificate(alias) != null);
> + ks.setCertificateEntry(alias, cert);
> + }
> +
> + /**
> + * Checks whether an X509Certificate is already in one of the keystores
> + * @param c the certificate
> + * @param keyStores the KeyStores to check in
> + * @return true if the certificate is present in one of the keystores, false otherwise
> + */
> + public static final boolean inKeyStores(X509Certificate c, KeyStore[] keyStores) {
> + for (int i = 0; i < keyStores.length; i++) {
> + try {
> + if (keyStores[i].getCertificateAlias(c) != null) {
> + if (JNLPRuntime.isDebug()) {
> + System.out.println(c.getSubjectX500Principal().getName() + " found in cacerts");
> + }
> + return true;
> + }
> + } catch (KeyStoreException e) {
> + e.printStackTrace();
> + // continue
> + }
> + }
> + return false;
> + }
> +
> + /**
> + * Writes the certificate in base64 encoded from to the print stream
> + */
> + public static void dump(Certificate cert, PrintStream out) throws IOException,
> + CertificateException {
> +
> + BASE64Encoder encoder = new BASE64Encoder();
> + out.println(X509Factory.BEGIN_CERT);
> + encoder.encodeBuffer(cert.getEncoded(), out);
> + out.println(X509Factory.END_CERT);
> + }
> +}
> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java
> --- a/netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java Wed Nov 10 16:24:53 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java Thu Nov 11 10:36:55 2010 -0500
> @@ -40,6 +40,7 @@
> import static net.sourceforge.jnlp.runtime.Translator.R;
>
> import java.io.IOException;
> +import java.security.KeyStore;
> import java.security.cert.CertPath;
> import java.security.cert.Certificate;
> import java.security.cert.CertificateException;
> @@ -213,8 +214,8 @@
>
> public boolean getRootInCacerts() {
> try {
> - KeyTool kt = new KeyTool();
> - return kt.checkCacertsForCertificate(getRoot());
> + KeyStore[] caCertsKeyStores = KeyStores.getCAKeyStores();
> + return CertificateUtils.inKeyStores((X509Certificate)getRoot(), caCertsKeyStores);
> } catch (Exception e) {
> }
> return false;
> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/KeyStores.java
> --- a/netx/net/sourceforge/jnlp/security/KeyStores.java Wed Nov 10 16:24:53 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/security/KeyStores.java Thu Nov 11 10:36:55 2010 -0500
> @@ -41,6 +41,7 @@
> import java.io.FileInputStream;
> import java.io.FileOutputStream;
> import java.io.IOException;
> +import java.security.AllPermission;
> import java.security.KeyStore;
> import java.security.KeyStoreException;
> import java.security.NoSuchAlgorithmException;
> @@ -111,6 +112,11 @@
> * @return a KeyStore containing certificates from the appropriate
> */
> public static final KeyStore getKeyStore(Level level, Type type, boolean create) {
> + SecurityManager sm = System.getSecurityManager();
> + if (sm != null) {
> + sm.checkPermission(new AllPermission());
> + }
> +
> String location = getKeyStoreLocation(level, type);
> KeyStore ks = null;
> try {
> @@ -189,6 +195,29 @@
> }
>
> /**
> + * Returns KeyStores containing trusted client certificates
> + *
> + * @return an array of KeyStore objects that can be used to check client
> + * authentication certificates
> + */
> + public static KeyStore[] getClientKeyStores() {
> + List<KeyStore> result = new ArrayList<KeyStore>();
> + KeyStore ks = null;
> +
> + ks = getKeyStore(Level.SYSTEM, Type.CLIENT_CERTS);
> + if (ks != null) {
> + result.add(ks);
> + }
> +
> + ks = getKeyStore(Level.USER, Type.CLIENT_CERTS);
> + if (ks != null) {
> + result.add(ks);
> + }
> +
> + return result.toArray(new KeyStore[result.size()]);
> + }
> +
> + /**
> * Returns the location of a KeyStore corresponding to the given level and type.
> * @param level
> * @param type
> @@ -336,4 +365,5 @@
> return ks;
> }
>
> +
> }
> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
> --- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Wed Nov 10 16:24:53 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Thu Nov 11 10:36:55 2010 -0500
> @@ -42,6 +42,8 @@
> import java.security.cert.CertificateException;
> import java.security.cert.X509Certificate;
> import java.util.ArrayList;
> +import java.util.Arrays;
> +import java.util.List;
>
> import javax.net.ssl.TrustManager;
> import javax.net.ssl.TrustManagerFactory;
> @@ -60,59 +62,98 @@
> * different certificates that are not in the keystore.
> */
>
> -public class VariableX509TrustManager extends X509ExtendedTrustManager {
> +final public class VariableX509TrustManager extends X509ExtendedTrustManager {
>
> - KeyStore userKeyStore = null;
> - KeyStore caKeyStore = null;
> + /** TrustManagers containing trusted CAs */
> + private X509TrustManager[] caTrustManagers = null;
>
> - X509TrustManager userTrustManager = null;
> - X509TrustManager caTrustManager = null;
> + /** TrustManagers containing trusted certificates */
> + private X509TrustManager[] certTrustManagers = null;
>
> - ArrayList<Certificate> temporarilyTrusted = new ArrayList<Certificate>();
> - ArrayList<Certificate> temporarilyUntrusted = new ArrayList<Certificate>();
> + /** TrustManagers containing trusted client certificates */
> + private X509TrustManager[] clientTrustManagers = null;
>
> - static VariableX509TrustManager instance = null;
> + private ArrayList<Certificate> temporarilyTrusted = new ArrayList<Certificate>();
> + private ArrayList<Certificate> temporarilyUntrusted = new ArrayList<Certificate>();
> +
> + private static VariableX509TrustManager instance = null;
>
> /**
> * Constructor initializes the system, user and custom stores
> */
> public VariableX509TrustManager() {
>
> + /*
> + * Load TrustManagers for trusted certificates
> + */
> try {
> - userKeyStore = SecurityUtil.getUserKeyStore();
> - TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
> - tmFactory.init(userKeyStore);
> + /** KeyStores containing trusted certificates */
> + KeyStore[] trustedCertKeyStores = KeyStores.getCertKeyStores();
> + certTrustManagers = new X509TrustManager[trustedCertKeyStores.length];
>
> - // tm factory initialized, now get the managers so we can assign the X509 one
> - TrustManager[] trustManagers = tmFactory.getTrustManagers();
> + for (int j = 0; j < trustedCertKeyStores.length; j++) {
> + TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
> + tmFactory.init(trustedCertKeyStores[j]);
>
> - for (int i=0; i < trustManagers.length; i++) {
> - if (trustManagers[i] instanceof X509TrustManager) {
> - userTrustManager = (X509TrustManager) trustManagers[i];
> + // tm factory initialized, now get the managers so we can assign the X509 one
> + TrustManager[] trustManagers = tmFactory.getTrustManagers();
> +
> + for (int i = 0; i < trustManagers.length; i++) {
> + if (trustManagers[i] instanceof X509TrustManager) {
> + certTrustManagers[j] = (X509TrustManager) trustManagers[i];
> + }
> }
> }
> -
> } catch (Exception e) {
> - // TODO Auto-generated catch block
> e.printStackTrace();
> }
>
> + /*
> + * Load TrustManagers for trusted CAs
> + */
> try {
> - caKeyStore = SecurityUtil.getCacertsKeyStore();
> - TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
> - tmFactory.init(caKeyStore);
> + /** KeyStores containing trusted CAs */
> + KeyStore[] trustedCAKeyStores = KeyStores.getCAKeyStores();
> + caTrustManagers = new X509TrustManager[trustedCAKeyStores.length];
>
> - // tm factory initialized, now get the managers so we can extract the X509 one
> - TrustManager[] trustManagers = tmFactory.getTrustManagers();
> + for (int j = 0; j < caTrustManagers.length; j++) {
> + TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
> + tmFactory.init(trustedCAKeyStores[j]);
>
> - for (int i=0; i < trustManagers.length; i++) {
> - if (trustManagers[i] instanceof X509TrustManager) {
> - caTrustManager = (X509TrustManager) trustManagers[i];
> + // tm factory initialized, now get the managers so we can extract the X509 one
> + TrustManager[] trustManagers = tmFactory.getTrustManagers();
> +
> + for (int i=0; i < trustManagers.length; i++) {
> + if (trustManagers[i] instanceof X509TrustManager) {
> + caTrustManagers[j] = (X509TrustManager) trustManagers[i];
> + }
> }
> }
> + } catch (Exception e) {
> + e.printStackTrace();
> + }
>
> + /*
> + * Load TrustManagers for trusted clients certificates
> + */
> + try {
> + KeyStore[] clientKeyStores = KeyStores.getClientKeyStores();
> + clientTrustManagers = new X509TrustManager[clientKeyStores.length];
> +
> + for (int j = 0; j < clientTrustManagers.length; j++) {
> + TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
> + tmFactory.init(clientKeyStores[j]);
> +
> + // tm factory initialized, now get the managers so we can extract the X509 one
> + TrustManager[] trustManagers = tmFactory.getTrustManagers();
> +
> + for (int i=0; i < trustManagers.length; i++) {
> + if (trustManagers[i] instanceof X509TrustManager) {
> + clientTrustManagers[j] = (X509TrustManager) trustManagers[i];
> + }
> + }
> + }
> } catch (Exception e) {
> - // TODO Auto-generated catch block
> e.printStackTrace();
> }
> }
> @@ -123,18 +164,23 @@
> public void checkClientTrusted(X509Certificate[] chain, String authType,
> String hostName, String algorithm)
> throws CertificateException {
> - // First try catrustmanager, then try usertrustmanager
> - try {
> - caTrustManager.checkClientTrusted(chain, authType);
> - } catch (Exception caex) {
> +
> + boolean trusted = false;
> + ValidatorException savedException = null;
> + for (int i = 0; i < clientTrustManagers.length; i++) {
> try {
> - userTrustManager.checkClientTrusted(chain, authType);
> - } catch (Exception userex) {
> - // Do nothing here. This trust manager is intended to be used
> - // only in the plugin instance vm, which does not act as a
> - // server
> + clientTrustManagers[i].checkClientTrusted(chain, authType);
> + trusted = true;
> + break;
> + } catch (ValidatorException caex) {
> + savedException = caex;
> }
> }
> + if (trusted) {
> + return;
> + }
> +
> + throw savedException;
> }
>
> public void checkClientTrusted(X509Certificate[] chain, String authType)
> @@ -214,17 +260,45 @@
> * Check system, user and custom trust manager
> */
> private void checkAllManagers(X509Certificate[] chain, String authType) throws CertificateException {
> - // First try catrustmanager, then try usertrustmanager, and finally, check temp trusted certs
> - try {
> - caTrustManager.checkServerTrusted(chain, authType);
> - } catch (ValidatorException caex) {
> + // first try CA TrustManagers
> + boolean trusted = false;
> + ValidatorException savedException = null;
> + for (int i = 0; i < caTrustManagers.length; i++) {
> try {
> - userTrustManager.checkServerTrusted(chain, authType);
> - } catch (ValidatorException uex) {
> - if (!temporarilyTrusted.contains(chain[0]))
> - throw (CertificateException) uex;
> + caTrustManagers[i].checkServerTrusted(chain, authType);
> + trusted = true;
> + break;
> + } catch (ValidatorException caex) {
> + savedException = caex;
> }
> }
> + if (trusted) {
> + return;
> + }
> +
> + // then try certificate TrustManagers
> + for (int i = 0; i < certTrustManagers.length; i++) {
> + try {
> + certTrustManagers[i].checkServerTrusted(chain, authType);
> + trusted = true;
> + break;
> + } catch (ValidatorException caex) {
> + savedException = caex;
> + }
> + }
> + if (trusted) {
> + return;
> + }
> +
> + // finally check temp trusted certs
> + if (!temporarilyTrusted.contains(chain[0])) {
> + if (savedException == null) {
> + // System.out.println("IMPOSSIBLE!");
> + throw new ValidatorException(ValidatorException.T_SIGNATURE_ERROR, chain[0]);
> + }
> + throw savedException;
> + }
> +
> }
>
> /**
> @@ -233,23 +307,32 @@
> private boolean isExplicitlyTrusted(X509Certificate[] chain, String authType) {
> boolean explicitlyTrusted = false;
>
> - try {
> - userTrustManager.checkServerTrusted(chain, authType);
> - explicitlyTrusted = true;
> - } catch (ValidatorException uex) {
> - if (temporarilyTrusted.contains(chain[0]))
> + for (int i = 0; i < certTrustManagers.length; i++) {
> + try {
> + certTrustManagers[i].checkServerTrusted(chain, authType);
> explicitlyTrusted = true;
> - } catch (CertificateException ce) {
> - // do nothing, this means that the cert is not explicitly trusted
> + break;
> + } catch (ValidatorException uex) {
> + if (temporarilyTrusted.contains(chain[0])) {
> + explicitlyTrusted = true;
> + break;
> + }
> + } catch (CertificateException ce) {
> + // not explicitly trusted
> + }
> }
>
> return explicitlyTrusted;
> -
> }
>
> public X509Certificate[] getAcceptedIssuers() {
> - // delegate to default
> - return caTrustManager.getAcceptedIssuers();
> + List<X509Certificate> issuers = new ArrayList<X509Certificate>();
> +
> + for (int i = 0; i < caTrustManagers.length; i++) {
> + issuers.addAll(Arrays.asList(caTrustManagers[i].getAcceptedIssuers()));
> + }
> +
> + return issuers.toArray(new X509Certificate[issuers.size()]);
> }
>
> /**
> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java
> --- a/netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java Wed Nov 10 16:24:53 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java Thu Nov 11 10:36:55 2010 -0500
> @@ -71,6 +71,7 @@
> import javax.swing.event.ChangeListener;
> import javax.swing.table.DefaultTableModel;
>
> +import net.sourceforge.jnlp.security.CertificateUtils;
> import net.sourceforge.jnlp.security.KeyStores;
> import net.sourceforge.jnlp.security.SecurityUtil;
> import net.sourceforge.jnlp.security.SecurityWarningDialog;
> @@ -359,9 +360,8 @@
> int returnVal = chooser.showOpenDialog(parent);
> if(returnVal == JFileChooser.APPROVE_OPTION) {
> try {
> - KeyTool kt = new KeyTool();
> KeyStore ks = keyStore;
> - kt.addToKeyStore(chooser.getSelectedFile(), ks);
> + CertificateUtils.addToKeyStore(chooser.getSelectedFile(), ks);
> OutputStream os = new FileOutputStream(
> KeyStores.getKeyStoreLocation(currentKeyStoreLevel, currentKeyStoreType));
> ks.store(os, KeyStores.getPassword());
> @@ -399,7 +399,7 @@
> if (alias != null) {
> Certificate c = keyStore.getCertificate(alias);
> PrintStream ps = new PrintStream(chooser.getSelectedFile().getAbsolutePath());
> - KeyTool.dumpCert(c, ps);
> + CertificateUtils.dump(c, ps);
> repopulateTables();
> }
> }
> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/tools/JarSigner.java
> --- a/netx/net/sourceforge/jnlp/tools/JarSigner.java Wed Nov 10 16:24:53 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java Thu Nov 11 10:36:55 2010 -0500
> @@ -371,9 +371,12 @@
> private void checkTrustedCerts() throws Exception {
> if (certPath != null) {
> try {
> - KeyTool kt = new KeyTool();
> - alreadyTrustPublisher = kt.isTrusted(getPublisher());
> - rootInCacerts = kt.checkCacertsForCertificate(getRoot());
> + X509Certificate publisher = (X509Certificate) getPublisher();
> + KeyStore[] certKeyStores = KeyStores.getCertKeyStores();
> + alreadyTrustPublisher = CertificateUtils.inKeyStores(publisher, certKeyStores);
> + X509Certificate root = (X509Certificate) getRoot();
> + KeyStore[] caKeyStores = KeyStores.getCAKeyStores();
> + rootInCacerts = CertificateUtils.inKeyStores(root, caKeyStores);
> } catch (Exception e) {
> // TODO: Warn user about not being able to
> // look through their cacerts/trusted.certs
> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/tools/KeyTool.java
> --- a/netx/net/sourceforge/jnlp/tools/KeyTool.java Wed Nov 10 16:24:53 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/tools/KeyTool.java Thu Nov 11 10:36:55 2010 -0500
> @@ -119,43 +119,6 @@
> return importCert((Certificate)cert);
> }
>
> - /**
> - * Adds the X509Certficate in the file to the KeyStore
> - */
> - public final void addToKeyStore(File file, KeyStore ks) throws CertificateException,
> - IOException, KeyStoreException {
> - BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file));
> - CertificateFactory cf = CertificateFactory.getInstance("X509");
> - X509Certificate cert = null;
> -
> - try {
> - cert = (X509Certificate) cf.generateCertificate(bis);
> - } catch (ClassCastException cce) {
> - throw new CertificateException("Input file is not an X509 Certificate", cce);
> - }
> -
> - addToKeyStore(cert, ks);
> -
> - }
> -
> - /**
> - * Adds an X509Certificate to the KeyStore
> - */
> - public final void addToKeyStore(X509Certificate cert, KeyStore ks) throws KeyStoreException {
> - String alias = null;
> - Random random = new Random();
> - alias = ks.getCertificateAlias(cert);
> - // already in keystore; done
> - if (alias != null) {
> - return;
> - }
> -
> - do {
> - alias = new BigInteger(20, random).toString();
> - } while (ks.getCertificate(alias) != null);
> - ks.setCertificateEntry(alias, cert);
> - }
> -
> /**
> * Adds a trusted certificate to the user's keystore.
> * @return true if the add was successful, false otherwise.
> @@ -479,20 +442,6 @@
> return false;
> }
>
> - public static void dumpCert(Certificate cert, PrintStream out)
> - throws IOException, CertificateException {
> -
> - boolean printRfc = true;
> - if (printRfc) {
> - BASE64Encoder encoder = new BASE64Encoder();
> - out.println(X509Factory.BEGIN_CERT);
> - encoder.encodeBuffer(cert.getEncoded(), out);
> - out.println(X509Factory.END_CERT);
> - } else {
> - out.write(cert.getEncoded()); // binary
> - }
> - }
> -
> public static void main(String[] args) throws Exception {
> KeyTool kt = new KeyTool();
> kt.doPrintEntries(System.out);
> diff -r 44d47c366e5f plugin/icedteanp/java/sun/applet/PluginMain.java
> --- a/plugin/icedteanp/java/sun/applet/PluginMain.java Wed Nov 10 16:24:53 2010 -0500
> +++ b/plugin/icedteanp/java/sun/applet/PluginMain.java Thu Nov 11 10:36:55 2010 -0500
> @@ -215,20 +215,6 @@
> // INSTALL THE PROPERTY LIST
> System.setProperties(avProps);
>
> -
> - try {
> - SSLSocketFactory sslSocketFactory;
> - SSLContext context = SSLContext.getInstance("SSL");
> - TrustManager[] trust = new TrustManager[] { VariableX509TrustManager.getInstance() };
> - context.init(null, trust, null);
> - sslSocketFactory = context.getSocketFactory();
> -
> - HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
> - } catch (Exception e) {
> - System.err.println("Unable to set SSLSocketfactory (may _prevent_ access to sites that should be trusted)! Continuing anyway...");
> - e.printStackTrace();
> - }
> -
> // plug in a custom authenticator and proxy selector
> Authenticator.setDefault(new CustomAuthenticator());
> ProxySelector.setDefault(new PluginProxySelector());
More information about the distro-pkg-dev
mailing list