[icedtea-web] RFC: integrate support for multiple KeyStores into the various validators
Omair Majid
omajid at redhat.com
Thu Nov 11 08:07:42 PST 2010
On 11/11/2010 10:42 AM, Deepak Bhole wrote:
> * Omair Majid<omajid at redhat.com> [2010-11-11 10:39]:
>> On 11/11/2010 10:02 AM, Deepak Bhole wrote:
>>> * Omair Majid<omajid at redhat.com> [2010-11-11 09:53]:
>>>> On 11/11/2010 08:42 AM, Deepak Bhole wrote:
>>>>
>>> ...
>>>> I based this code off code in KeyTool, and yes, it is slightly
>>>> confusing. A KeyStore can be considered a HashMap: it maps a String,
>>>> the alias, to a Certificate. The code first checks if the
>>>> certificate already exists by trying to find an alias for the given
>>>> certificate. If an alias is found, we know the certificate is in the
>>>> KeyStore already. If the certificate is not in the KeyStore, we want
>>>> to add a new entry to the HashMap, but we do not want to overwrite
>>>> an existing certificate. So we create random aliases until we get an
>>>> alias which has no mapping in the HashMap.
>>>>
>>>
>>>
>>> Ah okay then.
>>>
>>>>> Also, those methods should not be public static as untrusted apps could
>>>>> access them. The keystores shouldn't be either (if they are, either now
>>>>> or from before).
>>>>>
>>>>
>>>> I dont think this will be a problem. For one, every time it is
>>>> called, it reads the configuration (which untrusted apps are not
>>>> allowed to do) and then it reads the keystore from the disk (which
>>>> untrusted apps are not allowed to do). Making it non-public would
>>>> mean it can not be used by classes in other packages (for example,
>>>> JarSigner is in net.sourceforge.jnlp.tools and it uses this class).
>>>> Please let me know if this is not enough; I will see what else I can
>>>> do.
>>>>
>>>
>>> Reliance on other methods to do security is bad imo. There is no
>>> guarantee that the design will stay the same, If it changes and another
>>> way to do those functions is implemented, security may be compromised.
>>> It is fine to keep them public for other class usage, but please add an
>>> AllPermission check in that case.
>>>
>>
>> That's true. On further consideration, I dont think any methods in
>> CertificateUtils need security checks though. They all operate on
>> generic Certificate or KeyStore objects. There is nothing here that
>> is netx specific or that an untrusted application could not do by
>> itself. The actual action of obtaining the netx-specific KeyStores
>> to operate on is the responsibility of KeyStores (see comment below
>> for more about that). Do you think I should add checks anyway?
>>
>
> Ah okay. Nope, in that case no security checks are needed for those
> functions!
>
>>>>>> + /**
>>>>>> + * Checks whether an X509Certificate is already in one of the keystores
>>>>>> + * @param c the certificate
>>>>>> + * @param keyStores the KeyStores to check in
>>>>>> + * @return true if the certificate is present in one of the keystores, false otherwise
>>>>>> + */
>>>>>> + public static final boolean inKeyStores(X509Certificate c, KeyStore[] keyStores) {
>>>>>> + for (int i = 0; i< keyStores.length; i++) {
>>> ...
>>>>>
>>>>>
>>>>> What does printRfc represent? And if it's always true, why the else?
>>>>>
>>>>
>>>> This code was originally from net.sourceforge.jnlp.tools.KeyTool and
>>>> was moved over to CertificateUtils. n.s.j.t.KeyTool was adapted from
>>>> sun.security.tools.KeyTool which allows dumping certificate in more
>>>> than one format. printRfc indicates that the certifcate should be
>>>> dumped in the RFC 4945 format
>>>> (http://tools.ietf.org/html/rfc4945#section-6.1). Since this is the
>>>> only option we support, I have removed that if condition; it is
>>>> fixed in the updated patch.
>>>>
>>>
>>> Great!
>>>
>>> ...
>>> ...
>>>>>
>>>>> Should something like this be public static? Untrusted apps will be able
>>>>> to access it and modify it...
>>>>>
>>>>
>>>> I dont think this is a problem. getClientKeyStores() calls
>>>> getKeyStore() which reads the configuration (which untrusted apps
>>>> are not allowed to do) and then reads the acutal keystore from disk
>>>> (which untrusted apps are again not allowed to do). So I dont think
>>>> untrusted apps can actually get access to these keystores. If
>>>> untrusted apps call getClientKeyStores (or the related methods
>>>> getCAKeyStores or getCertKeyStores), they should get a
>>>> SecurityException from DeploymentConfiguration.
>>>>
>>>> A KeyStore is an in-memory version of a keystore file on disk. Even
>>>> if untrusted apps were somehow able to access it, saving the
>>>> contents to disk would require permissions to write to disk.
>>>>
>>>
>>> Same as with above. An AllPermission check in that case..
>>>
>>
>> Yes, that's a good point. Thanks for pointing it out. I have added
>> an AllPermission check in getKeyStore(Level,Type,boolean) which
>> almost all public methods end up calling to access the KeyStores.
>> The only public methods that dont call this check are
>> getKeyStoreLocation (which is supposed to query the configuration
>> object) and toTranslatableString and toDisplayableString (which are
>> translation methods). Do you see any problems with this scheme?
>>
>
> Translation methods don't need a check. But getKeyStoreLocation... can
> that me made to return a location in user.home/* ? If so, it provides
> access to user.home indirectly and needs a check.
>
getKeyStoreLocation is essentially a wrapper around
JNLPRuntime.getConfiguration().getProperty(String). The only thing it
does is find the appropriate String argument to use with
getProperty(String). As such, I think it is OK in this one case to trust
security to DeploymentConfiguration. But if you want, I can add a check
here anyway.
>>>>>> + /**
>>>>>> * Returns the location of a KeyStore corresponding to the given level and type.
>>>>>> * @param level
>>>>>> * @param type
>>>>>> @@ -334,4 +357,5 @@
>>>>>> return ks;
>>>>>> }
>>>>>>
>>>>>> +
>>>>>> }
>>>>> Rest looks fine to me.
>>>>>
>>>>
>>>> Oh, and just to clarify something which might not have been obvious
>>> >from the patch - in general, netx does not cache KeyStores. When it
>>>> needs to make a security decision related to certificates, it will
>>>> create appropriate KeyStore objects, do whatever operation it needs
>>>> to and then discard the KeyStore. This is not true for
>>>> VariableX509TrustManager, but it is true for JarSigner, Certificate
>>>> Viewer and the various security prompts.
>>>>
>>>
>>> That is fine. Normally I am all for optimizing by reducing disk access,
>>> but in this case I think the decision is valid. Other apps may update
>>> the keystore while one is running, in which case the running one should
>>> have the latest information (especially if another app deleted a cert).
>>> Perhaps VariableX509 should be changed to do the same?
>>>
>>
>> That's a good point. I would like to do that in a separate patch if
>> possible - this patch keeps the semantics of KeyStore caching as
>> they were before.
>>
>
> Sure! It should definitely be in a separate patch/
>
Ok, I will add it to my TODO list.
>>> Also, are the trust store files locked when write happens? If not, they
>>> should be.
>>>
>>
>> They are not locked right now. I will take a look at this and post a
>> patch for this separately.
>>
>
>
> Awesome, thanks!
>
Thank _you_ for the extensive reviews.
Cheers,
Omair
>
>> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/runtime/Boot.java
>> --- a/netx/net/sourceforge/jnlp/runtime/Boot.java Wed Nov 10 16:24:53 2010 -0500
>> +++ b/netx/net/sourceforge/jnlp/runtime/Boot.java Thu Nov 11 10:36:55 2010 -0500
>> @@ -172,20 +172,6 @@
>> JNLPRuntime.setForksAllowed(false);
>> }
>>
>> - // wire in custom authenticator
>> - try {
>> - SSLSocketFactory sslSocketFactory;
>> - SSLContext context = SSLContext.getInstance("SSL");
>> - TrustManager[] trust = new TrustManager[] { VariableX509TrustManager.getInstance() };
>> - context.init(null, trust, null);
>> - sslSocketFactory = context.getSocketFactory();
>> -
>> - HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
>> - } catch (Exception e) {
>> - System.err.println("Unable to set SSLSocketfactory (may _prevent_ access to sites that should be trusted)! Continuing anyway...");
>> - e.printStackTrace();
>> - }
>> -
>> JNLPRuntime.setInitialArgments(Arrays.asList(argsIn));
>>
>> // do in a privileged action to clear the security context of
>> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
>> --- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Wed Nov 10 16:24:53 2010 -0500
>> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Thu Nov 11 10:36:55 2010 -0500
>> @@ -26,12 +26,17 @@
>> import java.security.*;
>> import javax.jnlp.*;
>> import javax.naming.ConfigurationException;
>> +import javax.net.ssl.HttpsURLConnection;
>> +import javax.net.ssl.SSLContext;
>> +import javax.net.ssl.SSLSocketFactory;
>> +import javax.net.ssl.TrustManager;
>> import javax.swing.UIManager;
>> import javax.swing.text.html.parser.ParserDelegator;
>>
>> import net.sourceforge.jnlp.*;
>> import net.sourceforge.jnlp.cache.*;
>> import net.sourceforge.jnlp.security.SecurityDialogMessageHandler;
>> +import net.sourceforge.jnlp.security.VariableX509TrustManager;
>> import net.sourceforge.jnlp.services.*;
>> import net.sourceforge.jnlp.util.*;
>>
>> @@ -223,6 +228,20 @@
>>
>> securityDialogMessageHandler = startSecurityThreads();
>>
>> + // wire in custom authenticator
>> + try {
>> + SSLSocketFactory sslSocketFactory;
>> + SSLContext context = SSLContext.getInstance("SSL");
>> + TrustManager[] trust = new TrustManager[] { VariableX509TrustManager.getInstance() };
>> + context.init(null, trust, null);
>> + sslSocketFactory = context.getSocketFactory();
>> +
>> + HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
>> + } catch (Exception e) {
>> + System.err.println("Unable to set SSLSocketfactory (may _prevent_ access to sites that should be trusted)! Continuing anyway...");
>> + e.printStackTrace();
>> + }
>> +
>> initialized = true;
>>
>> }
>> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/CertWarningPane.java
>> --- a/netx/net/sourceforge/jnlp/security/CertWarningPane.java Wed Nov 10 16:24:53 2010 -0500
>> +++ b/netx/net/sourceforge/jnlp/security/CertWarningPane.java Thu Nov 11 10:36:55 2010 -0500
>> @@ -47,6 +47,9 @@
>> import java.awt.GridLayout;
>> import java.awt.event.ActionEvent;
>> import java.awt.event.ActionListener;
>> +import java.io.FileOutputStream;
>> +import java.io.OutputStream;
>> +import java.security.KeyStore;
>> import java.security.cert.Certificate;
>> import java.security.cert.X509Certificate;
>>
>> @@ -62,6 +65,8 @@
>> import net.sourceforge.jnlp.JNLPFile;
>> import net.sourceforge.jnlp.PluginBridge;
>> import net.sourceforge.jnlp.runtime.JNLPRuntime;
>> +import net.sourceforge.jnlp.security.KeyStores.Level;
>> +import net.sourceforge.jnlp.security.KeyStores.Type;
>> import net.sourceforge.jnlp.security.SecurityWarning.AccessType;
>> import net.sourceforge.jnlp.tools.KeyTool;
>>
>> @@ -232,25 +237,28 @@
>> }
>> }
>>
>> - /**
>> - * Updates the user's KeyStore of trusted Certificates.
>> - */
>> - private class CheckBoxListener implements ActionListener {
>> - public void actionPerformed(ActionEvent e) {
>> - if (alwaysTrust != null&& alwaysTrust.isSelected()) {
>> - try {
>> - KeyTool kt = new KeyTool();
>> - Certificate c = parent.getJarSigner().getPublisher();
>> - kt.importCert(c);
>> - if (JNLPRuntime.isDebug()) {
>> - System.out.println("certificate is now permanently trusted");
>> - }
>> - } catch (Exception ex) {
>> - //TODO: Let NetX show a dialog here notifying user
>> - //about being unable to add cert to keystore
>> - }
>> - }
>> + /**
>> + * Updates the user's KeyStore of trusted Certificates.
>> + */
>> + private class CheckBoxListener implements ActionListener {
>> + public void actionPerformed(ActionEvent e) {
>> + if (alwaysTrust != null&& alwaysTrust.isSelected()) {
>> + try {
>> + KeyStore ks = KeyStores.getKeyStore(Level.USER, Type.CERTS);
>> + X509Certificate c = (X509Certificate) parent.getJarSigner().getPublisher();
>> + CertificateUtils.addToKeyStore(c, ks);
>> + OutputStream os = new FileOutputStream(KeyStores.getKeyStoreLocation(Level.USER, Type.CERTS));
>> + ks.store(os, KeyStores.getPassword());
>> + if (JNLPRuntime.isDebug()) {
>> + System.out.println("certificate is now permanently trusted");
>> + }
>> + } catch (Exception ex) {
>> + // TODO: Let NetX show a dialog here notifying user
>> + // about being unable to add cert to keystore
>> + ex.printStackTrace();
>> }
>> + }
>> }
>> + }
>>
>> }
>> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/CertificateUtils.java
>> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
>> +++ b/netx/net/sourceforge/jnlp/security/CertificateUtils.java Thu Nov 11 10:36:55 2010 -0500
>> @@ -0,0 +1,140 @@
>> +/* CertificateUtils.java
>> + Copyright (C) 2010 Red Hat, Inc.
>> +
>> +This file is part of IcedTea.
>> +
>> +IcedTea is free software; you can redistribute it and/or
>> +modify it under the terms of the GNU General Public License as published by
>> +the Free Software Foundation, version 2.
>> +
>> +IcedTea is distributed in the hope that it will be useful,
>> +but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> +General Public License for more details.
>> +
>> +You should have received a copy of the GNU General Public License
>> +along with IcedTea; see the file COPYING. If not, write to
>> +the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +02110-1301 USA.
>> +
>> +Linking this library statically or dynamically with other modules is
>> +making a combined work based on this library. Thus, the terms and
>> +conditions of the GNU General Public License cover the whole
>> +combination.
>> +
>> +As a special exception, the copyright holders of this library give you
>> +permission to link this library with independent modules to produce an
>> +executable, regardless of the license terms of these independent
>> +modules, and to copy and distribute the resulting executable under
>> +terms of your choice, provided that you also meet, for each linked
>> +independent module, the terms and conditions of the license of that
>> +module. An independent module is a module which is not derived from
>> +or based on this library. If you modify this library, you may extend
>> +this exception to your version of the library, but you are not
>> +obligated to do so. If you do not wish to do so, delete this
>> +exception statement from your version.
>> +*/
>> +
>> +package net.sourceforge.jnlp.security;
>> +
>> +import java.io.BufferedInputStream;
>> +import java.io.File;
>> +import java.io.FileInputStream;
>> +import java.io.IOException;
>> +import java.io.PrintStream;
>> +import java.math.BigInteger;
>> +import java.security.KeyStore;
>> +import java.security.KeyStoreException;
>> +import java.security.cert.Certificate;
>> +import java.security.cert.CertificateException;
>> +import java.security.cert.CertificateFactory;
>> +import java.security.cert.X509Certificate;
>> +import java.util.Random;
>> +
>> +import net.sourceforge.jnlp.runtime.JNLPRuntime;
>> +
>> +import sun.misc.BASE64Encoder;
>> +import sun.security.provider.X509Factory;
>> +
>> +public class CertificateUtils {
>> + /**
>> + * Adds the X509Certficate in the file to the KeyStore. Note that it does
>> + * not update the copy of the KeyStore on disk.
>> + */
>> + public static final void addToKeyStore(File file, KeyStore ks) throws CertificateException,
>> + IOException, KeyStoreException {
>> + if (JNLPRuntime.isDebug()) {
>> + System.out.println("Importing certificate from " + file + " into " + ks);
>> + }
>> +
>> + BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file));
>> + CertificateFactory cf = CertificateFactory.getInstance("X509");
>> + X509Certificate cert = null;
>> +
>> + try {
>> + cert = (X509Certificate) cf.generateCertificate(bis);
>> + } catch (ClassCastException cce) {
>> + throw new CertificateException("Input file is not an X509 Certificate", cce);
>> + }
>> +
>> + addToKeyStore(cert, ks);
>> + }
>> +
>> + /**
>> + * Adds an X509Certificate to the KeyStore. Note that it does not update the
>> + * copy of the KeyStore on disk.
>> + */
>> + public static final void addToKeyStore(X509Certificate cert, KeyStore ks)
>> + throws KeyStoreException {
>> + if (JNLPRuntime.isDebug()) {
>> + System.out.println("Importing " + cert.getSubjectX500Principal().getName());
>> + }
>> +
>> + String alias = null;
>> + Random random = new Random();
>> + alias = ks.getCertificateAlias(cert);
>> + if (alias != null) {
>> + return;
>> + }
>> +
>> + do {
>> + alias = new BigInteger(20, random).toString();
>> + } while (ks.getCertificate(alias) != null);
>> + ks.setCertificateEntry(alias, cert);
>> + }
>> +
>> + /**
>> + * Checks whether an X509Certificate is already in one of the keystores
>> + * @param c the certificate
>> + * @param keyStores the KeyStores to check in
>> + * @return true if the certificate is present in one of the keystores, false otherwise
>> + */
>> + public static final boolean inKeyStores(X509Certificate c, KeyStore[] keyStores) {
>> + for (int i = 0; i< keyStores.length; i++) {
>> + try {
>> + if (keyStores[i].getCertificateAlias(c) != null) {
>> + if (JNLPRuntime.isDebug()) {
>> + System.out.println(c.getSubjectX500Principal().getName() + " found in cacerts");
>> + }
>> + return true;
>> + }
>> + } catch (KeyStoreException e) {
>> + e.printStackTrace();
>> + // continue
>> + }
>> + }
>> + return false;
>> + }
>> +
>> + /**
>> + * Writes the certificate in base64 encoded from to the print stream
>> + */
>> + public static void dump(Certificate cert, PrintStream out) throws IOException,
>> + CertificateException {
>> +
>> + BASE64Encoder encoder = new BASE64Encoder();
>> + out.println(X509Factory.BEGIN_CERT);
>> + encoder.encodeBuffer(cert.getEncoded(), out);
>> + out.println(X509Factory.END_CERT);
>> + }
>> +}
>> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java
>> --- a/netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java Wed Nov 10 16:24:53 2010 -0500
>> +++ b/netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java Thu Nov 11 10:36:55 2010 -0500
>> @@ -40,6 +40,7 @@
>> import static net.sourceforge.jnlp.runtime.Translator.R;
>>
>> import java.io.IOException;
>> +import java.security.KeyStore;
>> import java.security.cert.CertPath;
>> import java.security.cert.Certificate;
>> import java.security.cert.CertificateException;
>> @@ -213,8 +214,8 @@
>>
>> public boolean getRootInCacerts() {
>> try {
>> - KeyTool kt = new KeyTool();
>> - return kt.checkCacertsForCertificate(getRoot());
>> + KeyStore[] caCertsKeyStores = KeyStores.getCAKeyStores();
>> + return CertificateUtils.inKeyStores((X509Certificate)getRoot(), caCertsKeyStores);
>> } catch (Exception e) {
>> }
>> return false;
>> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/KeyStores.java
>> --- a/netx/net/sourceforge/jnlp/security/KeyStores.java Wed Nov 10 16:24:53 2010 -0500
>> +++ b/netx/net/sourceforge/jnlp/security/KeyStores.java Thu Nov 11 10:36:55 2010 -0500
>> @@ -41,6 +41,7 @@
>> import java.io.FileInputStream;
>> import java.io.FileOutputStream;
>> import java.io.IOException;
>> +import java.security.AllPermission;
>> import java.security.KeyStore;
>> import java.security.KeyStoreException;
>> import java.security.NoSuchAlgorithmException;
>> @@ -111,6 +112,11 @@
>> * @return a KeyStore containing certificates from the appropriate
>> */
>> public static final KeyStore getKeyStore(Level level, Type type, boolean create) {
>> + SecurityManager sm = System.getSecurityManager();
>> + if (sm != null) {
>> + sm.checkPermission(new AllPermission());
>> + }
>> +
>> String location = getKeyStoreLocation(level, type);
>> KeyStore ks = null;
>> try {
>> @@ -189,6 +195,29 @@
>> }
>>
>> /**
>> + * Returns KeyStores containing trusted client certificates
>> + *
>> + * @return an array of KeyStore objects that can be used to check client
>> + * authentication certificates
>> + */
>> + public static KeyStore[] getClientKeyStores() {
>> + List<KeyStore> result = new ArrayList<KeyStore>();
>> + KeyStore ks = null;
>> +
>> + ks = getKeyStore(Level.SYSTEM, Type.CLIENT_CERTS);
>> + if (ks != null) {
>> + result.add(ks);
>> + }
>> +
>> + ks = getKeyStore(Level.USER, Type.CLIENT_CERTS);
>> + if (ks != null) {
>> + result.add(ks);
>> + }
>> +
>> + return result.toArray(new KeyStore[result.size()]);
>> + }
>> +
>> + /**
>> * Returns the location of a KeyStore corresponding to the given level and type.
>> * @param level
>> * @param type
>> @@ -336,4 +365,5 @@
>> return ks;
>> }
>>
>> +
>> }
>> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
>> --- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Wed Nov 10 16:24:53 2010 -0500
>> +++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Thu Nov 11 10:36:55 2010 -0500
>> @@ -42,6 +42,8 @@
>> import java.security.cert.CertificateException;
>> import java.security.cert.X509Certificate;
>> import java.util.ArrayList;
>> +import java.util.Arrays;
>> +import java.util.List;
>>
>> import javax.net.ssl.TrustManager;
>> import javax.net.ssl.TrustManagerFactory;
>> @@ -60,59 +62,98 @@
>> * different certificates that are not in the keystore.
>> */
>>
>> -public class VariableX509TrustManager extends X509ExtendedTrustManager {
>> +final public class VariableX509TrustManager extends X509ExtendedTrustManager {
>>
>> - KeyStore userKeyStore = null;
>> - KeyStore caKeyStore = null;
>> + /** TrustManagers containing trusted CAs */
>> + private X509TrustManager[] caTrustManagers = null;
>>
>> - X509TrustManager userTrustManager = null;
>> - X509TrustManager caTrustManager = null;
>> + /** TrustManagers containing trusted certificates */
>> + private X509TrustManager[] certTrustManagers = null;
>>
>> - ArrayList<Certificate> temporarilyTrusted = new ArrayList<Certificate>();
>> - ArrayList<Certificate> temporarilyUntrusted = new ArrayList<Certificate>();
>> + /** TrustManagers containing trusted client certificates */
>> + private X509TrustManager[] clientTrustManagers = null;
>>
>> - static VariableX509TrustManager instance = null;
>> + private ArrayList<Certificate> temporarilyTrusted = new ArrayList<Certificate>();
>> + private ArrayList<Certificate> temporarilyUntrusted = new ArrayList<Certificate>();
>> +
>> + private static VariableX509TrustManager instance = null;
>>
>> /**
>> * Constructor initializes the system, user and custom stores
>> */
>> public VariableX509TrustManager() {
>>
>> + /*
>> + * Load TrustManagers for trusted certificates
>> + */
>> try {
>> - userKeyStore = SecurityUtil.getUserKeyStore();
>> - TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
>> - tmFactory.init(userKeyStore);
>> + /** KeyStores containing trusted certificates */
>> + KeyStore[] trustedCertKeyStores = KeyStores.getCertKeyStores();
>> + certTrustManagers = new X509TrustManager[trustedCertKeyStores.length];
>>
>> - // tm factory initialized, now get the managers so we can assign the X509 one
>> - TrustManager[] trustManagers = tmFactory.getTrustManagers();
>> + for (int j = 0; j< trustedCertKeyStores.length; j++) {
>> + TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
>> + tmFactory.init(trustedCertKeyStores[j]);
>>
>> - for (int i=0; i< trustManagers.length; i++) {
>> - if (trustManagers[i] instanceof X509TrustManager) {
>> - userTrustManager = (X509TrustManager) trustManagers[i];
>> + // tm factory initialized, now get the managers so we can assign the X509 one
>> + TrustManager[] trustManagers = tmFactory.getTrustManagers();
>> +
>> + for (int i = 0; i< trustManagers.length; i++) {
>> + if (trustManagers[i] instanceof X509TrustManager) {
>> + certTrustManagers[j] = (X509TrustManager) trustManagers[i];
>> + }
>> }
>> }
>> -
>> } catch (Exception e) {
>> - // TODO Auto-generated catch block
>> e.printStackTrace();
>> }
>>
>> + /*
>> + * Load TrustManagers for trusted CAs
>> + */
>> try {
>> - caKeyStore = SecurityUtil.getCacertsKeyStore();
>> - TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
>> - tmFactory.init(caKeyStore);
>> + /** KeyStores containing trusted CAs */
>> + KeyStore[] trustedCAKeyStores = KeyStores.getCAKeyStores();
>> + caTrustManagers = new X509TrustManager[trustedCAKeyStores.length];
>>
>> - // tm factory initialized, now get the managers so we can extract the X509 one
>> - TrustManager[] trustManagers = tmFactory.getTrustManagers();
>> + for (int j = 0; j< caTrustManagers.length; j++) {
>> + TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
>> + tmFactory.init(trustedCAKeyStores[j]);
>>
>> - for (int i=0; i< trustManagers.length; i++) {
>> - if (trustManagers[i] instanceof X509TrustManager) {
>> - caTrustManager = (X509TrustManager) trustManagers[i];
>> + // tm factory initialized, now get the managers so we can extract the X509 one
>> + TrustManager[] trustManagers = tmFactory.getTrustManagers();
>> +
>> + for (int i=0; i< trustManagers.length; i++) {
>> + if (trustManagers[i] instanceof X509TrustManager) {
>> + caTrustManagers[j] = (X509TrustManager) trustManagers[i];
>> + }
>> }
>> }
>> + } catch (Exception e) {
>> + e.printStackTrace();
>> + }
>>
>> + /*
>> + * Load TrustManagers for trusted clients certificates
>> + */
>> + try {
>> + KeyStore[] clientKeyStores = KeyStores.getClientKeyStores();
>> + clientTrustManagers = new X509TrustManager[clientKeyStores.length];
>> +
>> + for (int j = 0; j< clientTrustManagers.length; j++) {
>> + TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
>> + tmFactory.init(clientKeyStores[j]);
>> +
>> + // tm factory initialized, now get the managers so we can extract the X509 one
>> + TrustManager[] trustManagers = tmFactory.getTrustManagers();
>> +
>> + for (int i=0; i< trustManagers.length; i++) {
>> + if (trustManagers[i] instanceof X509TrustManager) {
>> + clientTrustManagers[j] = (X509TrustManager) trustManagers[i];
>> + }
>> + }
>> + }
>> } catch (Exception e) {
>> - // TODO Auto-generated catch block
>> e.printStackTrace();
>> }
>> }
>> @@ -123,18 +164,23 @@
>> public void checkClientTrusted(X509Certificate[] chain, String authType,
>> String hostName, String algorithm)
>> throws CertificateException {
>> - // First try catrustmanager, then try usertrustmanager
>> - try {
>> - caTrustManager.checkClientTrusted(chain, authType);
>> - } catch (Exception caex) {
>> +
>> + boolean trusted = false;
>> + ValidatorException savedException = null;
>> + for (int i = 0; i< clientTrustManagers.length; i++) {
>> try {
>> - userTrustManager.checkClientTrusted(chain, authType);
>> - } catch (Exception userex) {
>> - // Do nothing here. This trust manager is intended to be used
>> - // only in the plugin instance vm, which does not act as a
>> - // server
>> + clientTrustManagers[i].checkClientTrusted(chain, authType);
>> + trusted = true;
>> + break;
>> + } catch (ValidatorException caex) {
>> + savedException = caex;
>> }
>> }
>> + if (trusted) {
>> + return;
>> + }
>> +
>> + throw savedException;
>> }
>>
>> public void checkClientTrusted(X509Certificate[] chain, String authType)
>> @@ -214,17 +260,45 @@
>> * Check system, user and custom trust manager
>> */
>> private void checkAllManagers(X509Certificate[] chain, String authType) throws CertificateException {
>> - // First try catrustmanager, then try usertrustmanager, and finally, check temp trusted certs
>> - try {
>> - caTrustManager.checkServerTrusted(chain, authType);
>> - } catch (ValidatorException caex) {
>> + // first try CA TrustManagers
>> + boolean trusted = false;
>> + ValidatorException savedException = null;
>> + for (int i = 0; i< caTrustManagers.length; i++) {
>> try {
>> - userTrustManager.checkServerTrusted(chain, authType);
>> - } catch (ValidatorException uex) {
>> - if (!temporarilyTrusted.contains(chain[0]))
>> - throw (CertificateException) uex;
>> + caTrustManagers[i].checkServerTrusted(chain, authType);
>> + trusted = true;
>> + break;
>> + } catch (ValidatorException caex) {
>> + savedException = caex;
>> }
>> }
>> + if (trusted) {
>> + return;
>> + }
>> +
>> + // then try certificate TrustManagers
>> + for (int i = 0; i< certTrustManagers.length; i++) {
>> + try {
>> + certTrustManagers[i].checkServerTrusted(chain, authType);
>> + trusted = true;
>> + break;
>> + } catch (ValidatorException caex) {
>> + savedException = caex;
>> + }
>> + }
>> + if (trusted) {
>> + return;
>> + }
>> +
>> + // finally check temp trusted certs
>> + if (!temporarilyTrusted.contains(chain[0])) {
>> + if (savedException == null) {
>> + // System.out.println("IMPOSSIBLE!");
>> + throw new ValidatorException(ValidatorException.T_SIGNATURE_ERROR, chain[0]);
>> + }
>> + throw savedException;
>> + }
>> +
>> }
>>
>> /**
>> @@ -233,23 +307,32 @@
>> private boolean isExplicitlyTrusted(X509Certificate[] chain, String authType) {
>> boolean explicitlyTrusted = false;
>>
>> - try {
>> - userTrustManager.checkServerTrusted(chain, authType);
>> - explicitlyTrusted = true;
>> - } catch (ValidatorException uex) {
>> - if (temporarilyTrusted.contains(chain[0]))
>> + for (int i = 0; i< certTrustManagers.length; i++) {
>> + try {
>> + certTrustManagers[i].checkServerTrusted(chain, authType);
>> explicitlyTrusted = true;
>> - } catch (CertificateException ce) {
>> - // do nothing, this means that the cert is not explicitly trusted
>> + break;
>> + } catch (ValidatorException uex) {
>> + if (temporarilyTrusted.contains(chain[0])) {
>> + explicitlyTrusted = true;
>> + break;
>> + }
>> + } catch (CertificateException ce) {
>> + // not explicitly trusted
>> + }
>> }
>>
>> return explicitlyTrusted;
>> -
>> }
>>
>> public X509Certificate[] getAcceptedIssuers() {
>> - // delegate to default
>> - return caTrustManager.getAcceptedIssuers();
>> + List<X509Certificate> issuers = new ArrayList<X509Certificate>();
>> +
>> + for (int i = 0; i< caTrustManagers.length; i++) {
>> + issuers.addAll(Arrays.asList(caTrustManagers[i].getAcceptedIssuers()));
>> + }
>> +
>> + return issuers.toArray(new X509Certificate[issuers.size()]);
>> }
>>
>> /**
>> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java
>> --- a/netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java Wed Nov 10 16:24:53 2010 -0500
>> +++ b/netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java Thu Nov 11 10:36:55 2010 -0500
>> @@ -71,6 +71,7 @@
>> import javax.swing.event.ChangeListener;
>> import javax.swing.table.DefaultTableModel;
>>
>> +import net.sourceforge.jnlp.security.CertificateUtils;
>> import net.sourceforge.jnlp.security.KeyStores;
>> import net.sourceforge.jnlp.security.SecurityUtil;
>> import net.sourceforge.jnlp.security.SecurityWarningDialog;
>> @@ -359,9 +360,8 @@
>> int returnVal = chooser.showOpenDialog(parent);
>> if(returnVal == JFileChooser.APPROVE_OPTION) {
>> try {
>> - KeyTool kt = new KeyTool();
>> KeyStore ks = keyStore;
>> - kt.addToKeyStore(chooser.getSelectedFile(), ks);
>> + CertificateUtils.addToKeyStore(chooser.getSelectedFile(), ks);
>> OutputStream os = new FileOutputStream(
>> KeyStores.getKeyStoreLocation(currentKeyStoreLevel, currentKeyStoreType));
>> ks.store(os, KeyStores.getPassword());
>> @@ -399,7 +399,7 @@
>> if (alias != null) {
>> Certificate c = keyStore.getCertificate(alias);
>> PrintStream ps = new PrintStream(chooser.getSelectedFile().getAbsolutePath());
>> - KeyTool.dumpCert(c, ps);
>> + CertificateUtils.dump(c, ps);
>> repopulateTables();
>> }
>> }
>> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/tools/JarSigner.java
>> --- a/netx/net/sourceforge/jnlp/tools/JarSigner.java Wed Nov 10 16:24:53 2010 -0500
>> +++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java Thu Nov 11 10:36:55 2010 -0500
>> @@ -371,9 +371,12 @@
>> private void checkTrustedCerts() throws Exception {
>> if (certPath != null) {
>> try {
>> - KeyTool kt = new KeyTool();
>> - alreadyTrustPublisher = kt.isTrusted(getPublisher());
>> - rootInCacerts = kt.checkCacertsForCertificate(getRoot());
>> + X509Certificate publisher = (X509Certificate) getPublisher();
>> + KeyStore[] certKeyStores = KeyStores.getCertKeyStores();
>> + alreadyTrustPublisher = CertificateUtils.inKeyStores(publisher, certKeyStores);
>> + X509Certificate root = (X509Certificate) getRoot();
>> + KeyStore[] caKeyStores = KeyStores.getCAKeyStores();
>> + rootInCacerts = CertificateUtils.inKeyStores(root, caKeyStores);
>> } catch (Exception e) {
>> // TODO: Warn user about not being able to
>> // look through their cacerts/trusted.certs
>> diff -r 44d47c366e5f netx/net/sourceforge/jnlp/tools/KeyTool.java
>> --- a/netx/net/sourceforge/jnlp/tools/KeyTool.java Wed Nov 10 16:24:53 2010 -0500
>> +++ b/netx/net/sourceforge/jnlp/tools/KeyTool.java Thu Nov 11 10:36:55 2010 -0500
>> @@ -119,43 +119,6 @@
>> return importCert((Certificate)cert);
>> }
>>
>> - /**
>> - * Adds the X509Certficate in the file to the KeyStore
>> - */
>> - public final void addToKeyStore(File file, KeyStore ks) throws CertificateException,
>> - IOException, KeyStoreException {
>> - BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file));
>> - CertificateFactory cf = CertificateFactory.getInstance("X509");
>> - X509Certificate cert = null;
>> -
>> - try {
>> - cert = (X509Certificate) cf.generateCertificate(bis);
>> - } catch (ClassCastException cce) {
>> - throw new CertificateException("Input file is not an X509 Certificate", cce);
>> - }
>> -
>> - addToKeyStore(cert, ks);
>> -
>> - }
>> -
>> - /**
>> - * Adds an X509Certificate to the KeyStore
>> - */
>> - public final void addToKeyStore(X509Certificate cert, KeyStore ks) throws KeyStoreException {
>> - String alias = null;
>> - Random random = new Random();
>> - alias = ks.getCertificateAlias(cert);
>> - // already in keystore; done
>> - if (alias != null) {
>> - return;
>> - }
>> -
>> - do {
>> - alias = new BigInteger(20, random).toString();
>> - } while (ks.getCertificate(alias) != null);
>> - ks.setCertificateEntry(alias, cert);
>> - }
>> -
>> /**
>> * Adds a trusted certificate to the user's keystore.
>> * @return true if the add was successful, false otherwise.
>> @@ -479,20 +442,6 @@
>> return false;
>> }
>>
>> - public static void dumpCert(Certificate cert, PrintStream out)
>> - throws IOException, CertificateException {
>> -
>> - boolean printRfc = true;
>> - if (printRfc) {
>> - BASE64Encoder encoder = new BASE64Encoder();
>> - out.println(X509Factory.BEGIN_CERT);
>> - encoder.encodeBuffer(cert.getEncoded(), out);
>> - out.println(X509Factory.END_CERT);
>> - } else {
>> - out.write(cert.getEncoded()); // binary
>> - }
>> - }
>> -
>> public static void main(String[] args) throws Exception {
>> KeyTool kt = new KeyTool();
>> kt.doPrintEntries(System.out);
>> diff -r 44d47c366e5f plugin/icedteanp/java/sun/applet/PluginMain.java
>> --- a/plugin/icedteanp/java/sun/applet/PluginMain.java Wed Nov 10 16:24:53 2010 -0500
>> +++ b/plugin/icedteanp/java/sun/applet/PluginMain.java Thu Nov 11 10:36:55 2010 -0500
>> @@ -215,20 +215,6 @@
>> // INSTALL THE PROPERTY LIST
>> System.setProperties(avProps);
>>
>> -
>> - try {
>> - SSLSocketFactory sslSocketFactory;
>> - SSLContext context = SSLContext.getInstance("SSL");
>> - TrustManager[] trust = new TrustManager[] { VariableX509TrustManager.getInstance() };
>> - context.init(null, trust, null);
>> - sslSocketFactory = context.getSocketFactory();
>> -
>> - HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
>> - } catch (Exception e) {
>> - System.err.println("Unable to set SSLSocketfactory (may _prevent_ access to sites that should be trusted)! Continuing anyway...");
>> - e.printStackTrace();
>> - }
>> -
>> // plug in a custom authenticator and proxy selector
>> Authenticator.setDefault(new CustomAuthenticator());
>> ProxySelector.setDefault(new PluginProxySelector());
>
More information about the distro-pkg-dev
mailing list