[icedtea-web] RFC: integrate support for multiple KeyStores into the various validators
Deepak Bhole
dbhole at redhat.com
Thu Nov 11 08:10:16 PST 2010
* Omair Majid <omajid at redhat.com> [2010-11-11 11:07]:
> On 11/11/2010 10:42 AM, Deepak Bhole wrote:
> >* Omair Majid<omajid at redhat.com> [2010-11-11 10:39]:
> >>On 11/11/2010 10:02 AM, Deepak Bhole wrote:
> >>>* Omair Majid<omajid at redhat.com> [2010-11-11 09:53]:
> >>>>On 11/11/2010 08:42 AM, Deepak Bhole wrote:
> >>>>
> >>>...
> >>>>I based this code off code in KeyTool, and yes, it is slightly
> >>>>confusing. A KeyStore can be considered a HashMap: it maps a String,
> >>>>the alias, to a Certificate. The code first checks if the
> >>>>certificate already exists by trying to find an alias for the given
> >>>>certificate. If an alias is found, we know the certificate is in the
> >>>>KeyStore already. If the certificate is not in the KeyStore, we want
> >>>>to add a new entry to the HashMap, but we do not want to overwrite
> >>>>an existing certificate. So we create random aliases until we get an
> >>>>alias which has no mapping in the HashMap.
> >>>>
> >>>
> >>>
> >>>Ah okay then.
> >>>
> >>>>>Also, those methods should not be public static as untrusted apps could
> >>>>>access them. The keystores shouldn't be either (if they are, either now
> >>>>>or from before).
> >>>>>
> >>>>
> >>>>I dont think this will be a problem. For one, every time it is
> >>>>called, it reads the configuration (which untrusted apps are not
> >>>>allowed to do) and then it reads the keystore from the disk (which
> >>>>untrusted apps are not allowed to do). Making it non-public would
> >>>>mean it can not be used by classes in other packages (for example,
> >>>>JarSigner is in net.sourceforge.jnlp.tools and it uses this class).
> >>>>Please let me know if this is not enough; I will see what else I can
> >>>>do.
> >>>>
> >>>
> >>>Reliance on other methods to do security is bad imo. There is no
> >>>guarantee that the design will stay the same, If it changes and another
> >>>way to do those functions is implemented, security may be compromised.
> >>>It is fine to keep them public for other class usage, but please add an
> >>>AllPermission check in that case.
> >>>
> >>
> >>That's true. On further consideration, I dont think any methods in
> >>CertificateUtils need security checks though. They all operate on
> >>generic Certificate or KeyStore objects. There is nothing here that
> >>is netx specific or that an untrusted application could not do by
> >>itself. The actual action of obtaining the netx-specific KeyStores
> >>to operate on is the responsibility of KeyStores (see comment below
> >>for more about that). Do you think I should add checks anyway?
> >>
> >
> >Ah okay. Nope, in that case no security checks are needed for those
> >functions!
> >
> >>>>>>+ /**
> >>>>>>+ * Checks whether an X509Certificate is already in one of the keystores
> >>>>>>+ * @param c the certificate
> >>>>>>+ * @param keyStores the KeyStores to check in
> >>>>>>+ * @return true if the certificate is present in one of the keystores, false otherwise
> >>>>>>+ */
> >>>>>>+ public static final boolean inKeyStores(X509Certificate c, KeyStore[] keyStores) {
> >>>>>>+ for (int i = 0; i< keyStores.length; i++) {
> >>>...
> >>>>>
> >>>>>
> >>>>>What does printRfc represent? And if it's always true, why the else?
> >>>>>
> >>>>
> >>>>This code was originally from net.sourceforge.jnlp.tools.KeyTool and
> >>>>was moved over to CertificateUtils. n.s.j.t.KeyTool was adapted from
> >>>>sun.security.tools.KeyTool which allows dumping certificate in more
> >>>>than one format. printRfc indicates that the certifcate should be
> >>>>dumped in the RFC 4945 format
> >>>>(http://tools.ietf.org/html/rfc4945#section-6.1). Since this is the
> >>>>only option we support, I have removed that if condition; it is
> >>>>fixed in the updated patch.
> >>>>
> >>>
> >>>Great!
> >>>
> >>>...
> >>>...
> >>>>>
> >>>>>Should something like this be public static? Untrusted apps will be able
> >>>>>to access it and modify it...
> >>>>>
> >>>>
> >>>>I dont think this is a problem. getClientKeyStores() calls
> >>>>getKeyStore() which reads the configuration (which untrusted apps
> >>>>are not allowed to do) and then reads the acutal keystore from disk
> >>>>(which untrusted apps are again not allowed to do). So I dont think
> >>>>untrusted apps can actually get access to these keystores. If
> >>>>untrusted apps call getClientKeyStores (or the related methods
> >>>>getCAKeyStores or getCertKeyStores), they should get a
> >>>>SecurityException from DeploymentConfiguration.
> >>>>
> >>>>A KeyStore is an in-memory version of a keystore file on disk. Even
> >>>>if untrusted apps were somehow able to access it, saving the
> >>>>contents to disk would require permissions to write to disk.
> >>>>
> >>>
> >>>Same as with above. An AllPermission check in that case..
> >>>
> >>
> >>Yes, that's a good point. Thanks for pointing it out. I have added
> >>an AllPermission check in getKeyStore(Level,Type,boolean) which
> >>almost all public methods end up calling to access the KeyStores.
> >>The only public methods that dont call this check are
> >>getKeyStoreLocation (which is supposed to query the configuration
> >>object) and toTranslatableString and toDisplayableString (which are
> >>translation methods). Do you see any problems with this scheme?
> >>
> >
> >Translation methods don't need a check. But getKeyStoreLocation... can
> >that me made to return a location in user.home/* ? If so, it provides
> >access to user.home indirectly and needs a check.
> >
>
> getKeyStoreLocation is essentially a wrapper around
> JNLPRuntime.getConfiguration().getProperty(String). The only thing
> it does is find the appropriate String argument to use with
> getProperty(String). As such, I think it is OK in this one case to
> trust security to DeploymentConfiguration. But if you want, I can
> add a check here anyway.
>
Nope, not necessary in that case. Just wanted to make sure user.home was
protected.
Okay I have no other issues with the patch. Ok for HEAD.
Cheers,
Deepak
> >>>>>>+ /**
> >>>>>> * Returns the location of a KeyStore corresponding to the given level and type.
> >>>>>> * @param level
> >>>>>> * @param type
> >>>>>>@@ -334,4 +357,5 @@
> >>>>>> return ks;
> >>>>>> }
> >>>>>>
> >>>>>>+
> >>>>>> }
> >>>>>Rest looks fine to me.
> >>>>>
> >>>>
> >>>>Oh, and just to clarify something which might not have been obvious
> >>>>from the patch - in general, netx does not cache KeyStores. When it
> >>>>needs to make a security decision related to certificates, it will
> >>>>create appropriate KeyStore objects, do whatever operation it needs
> >>>>to and then discard the KeyStore. This is not true for
> >>>>VariableX509TrustManager, but it is true for JarSigner, Certificate
> >>>>Viewer and the various security prompts.
> >>>>
> >>>
> >>>That is fine. Normally I am all for optimizing by reducing disk access,
> >>>but in this case I think the decision is valid. Other apps may update
> >>>the keystore while one is running, in which case the running one should
> >>>have the latest information (especially if another app deleted a cert).
> >>>Perhaps VariableX509 should be changed to do the same?
> >>>
> >>
> >>That's a good point. I would like to do that in a separate patch if
> >>possible - this patch keeps the semantics of KeyStore caching as
> >>they were before.
> >>
> >
> >Sure! It should definitely be in a separate patch/
> >
>
> Ok, I will add it to my TODO list.
>
> >>>Also, are the trust store files locked when write happens? If not, they
> >>>should be.
> >>>
> >>
> >>They are not locked right now. I will take a look at this and post a
> >>patch for this separately.
> >>
> >
> >
> >Awesome, thanks!
> >
>
> Thank _you_ for the extensive reviews.
>
> Cheers,
> Omair
>
> >
> >>diff -r 44d47c366e5f netx/net/sourceforge/jnlp/runtime/Boot.java
> >>--- a/netx/net/sourceforge/jnlp/runtime/Boot.java Wed Nov 10 16:24:53 2010 -0500
> >>+++ b/netx/net/sourceforge/jnlp/runtime/Boot.java Thu Nov 11 10:36:55 2010 -0500
> >>@@ -172,20 +172,6 @@
> >> JNLPRuntime.setForksAllowed(false);
> >> }
> >>
> >>- // wire in custom authenticator
> >>- try {
> >>- SSLSocketFactory sslSocketFactory;
> >>- SSLContext context = SSLContext.getInstance("SSL");
> >>- TrustManager[] trust = new TrustManager[] { VariableX509TrustManager.getInstance() };
> >>- context.init(null, trust, null);
> >>- sslSocketFactory = context.getSocketFactory();
> >>-
> >>- HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
> >>- } catch (Exception e) {
> >>- System.err.println("Unable to set SSLSocketfactory (may _prevent_ access to sites that should be trusted)! Continuing anyway...");
> >>- e.printStackTrace();
> >>- }
> >>-
> >> JNLPRuntime.setInitialArgments(Arrays.asList(argsIn));
> >>
> >> // do in a privileged action to clear the security context of
> >>diff -r 44d47c366e5f netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
> >>--- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Wed Nov 10 16:24:53 2010 -0500
> >>+++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Thu Nov 11 10:36:55 2010 -0500
> >>@@ -26,12 +26,17 @@
> >> import java.security.*;
> >> import javax.jnlp.*;
> >> import javax.naming.ConfigurationException;
> >>+import javax.net.ssl.HttpsURLConnection;
> >>+import javax.net.ssl.SSLContext;
> >>+import javax.net.ssl.SSLSocketFactory;
> >>+import javax.net.ssl.TrustManager;
> >> import javax.swing.UIManager;
> >> import javax.swing.text.html.parser.ParserDelegator;
> >>
> >> import net.sourceforge.jnlp.*;
> >> import net.sourceforge.jnlp.cache.*;
> >> import net.sourceforge.jnlp.security.SecurityDialogMessageHandler;
> >>+import net.sourceforge.jnlp.security.VariableX509TrustManager;
> >> import net.sourceforge.jnlp.services.*;
> >> import net.sourceforge.jnlp.util.*;
> >>
> >>@@ -223,6 +228,20 @@
> >>
> >> securityDialogMessageHandler = startSecurityThreads();
> >>
> >>+ // wire in custom authenticator
> >>+ try {
> >>+ SSLSocketFactory sslSocketFactory;
> >>+ SSLContext context = SSLContext.getInstance("SSL");
> >>+ TrustManager[] trust = new TrustManager[] { VariableX509TrustManager.getInstance() };
> >>+ context.init(null, trust, null);
> >>+ sslSocketFactory = context.getSocketFactory();
> >>+
> >>+ HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
> >>+ } catch (Exception e) {
> >>+ System.err.println("Unable to set SSLSocketfactory (may _prevent_ access to sites that should be trusted)! Continuing anyway...");
> >>+ e.printStackTrace();
> >>+ }
> >>+
> >> initialized = true;
> >>
> >> }
> >>diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/CertWarningPane.java
> >>--- a/netx/net/sourceforge/jnlp/security/CertWarningPane.java Wed Nov 10 16:24:53 2010 -0500
> >>+++ b/netx/net/sourceforge/jnlp/security/CertWarningPane.java Thu Nov 11 10:36:55 2010 -0500
> >>@@ -47,6 +47,9 @@
> >> import java.awt.GridLayout;
> >> import java.awt.event.ActionEvent;
> >> import java.awt.event.ActionListener;
> >>+import java.io.FileOutputStream;
> >>+import java.io.OutputStream;
> >>+import java.security.KeyStore;
> >> import java.security.cert.Certificate;
> >> import java.security.cert.X509Certificate;
> >>
> >>@@ -62,6 +65,8 @@
> >> import net.sourceforge.jnlp.JNLPFile;
> >> import net.sourceforge.jnlp.PluginBridge;
> >> import net.sourceforge.jnlp.runtime.JNLPRuntime;
> >>+import net.sourceforge.jnlp.security.KeyStores.Level;
> >>+import net.sourceforge.jnlp.security.KeyStores.Type;
> >> import net.sourceforge.jnlp.security.SecurityWarning.AccessType;
> >> import net.sourceforge.jnlp.tools.KeyTool;
> >>
> >>@@ -232,25 +237,28 @@
> >> }
> >> }
> >>
> >>- /**
> >>- * Updates the user's KeyStore of trusted Certificates.
> >>- */
> >>- private class CheckBoxListener implements ActionListener {
> >>- public void actionPerformed(ActionEvent e) {
> >>- if (alwaysTrust != null&& alwaysTrust.isSelected()) {
> >>- try {
> >>- KeyTool kt = new KeyTool();
> >>- Certificate c = parent.getJarSigner().getPublisher();
> >>- kt.importCert(c);
> >>- if (JNLPRuntime.isDebug()) {
> >>- System.out.println("certificate is now permanently trusted");
> >>- }
> >>- } catch (Exception ex) {
> >>- //TODO: Let NetX show a dialog here notifying user
> >>- //about being unable to add cert to keystore
> >>- }
> >>- }
> >>+ /**
> >>+ * Updates the user's KeyStore of trusted Certificates.
> >>+ */
> >>+ private class CheckBoxListener implements ActionListener {
> >>+ public void actionPerformed(ActionEvent e) {
> >>+ if (alwaysTrust != null&& alwaysTrust.isSelected()) {
> >>+ try {
> >>+ KeyStore ks = KeyStores.getKeyStore(Level.USER, Type.CERTS);
> >>+ X509Certificate c = (X509Certificate) parent.getJarSigner().getPublisher();
> >>+ CertificateUtils.addToKeyStore(c, ks);
> >>+ OutputStream os = new FileOutputStream(KeyStores.getKeyStoreLocation(Level.USER, Type.CERTS));
> >>+ ks.store(os, KeyStores.getPassword());
> >>+ if (JNLPRuntime.isDebug()) {
> >>+ System.out.println("certificate is now permanently trusted");
> >>+ }
> >>+ } catch (Exception ex) {
> >>+ // TODO: Let NetX show a dialog here notifying user
> >>+ // about being unable to add cert to keystore
> >>+ ex.printStackTrace();
> >> }
> >>+ }
> >> }
> >>+ }
> >>
> >> }
> >>diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/CertificateUtils.java
> >>--- /dev/null Thu Jan 01 00:00:00 1970 +0000
> >>+++ b/netx/net/sourceforge/jnlp/security/CertificateUtils.java Thu Nov 11 10:36:55 2010 -0500
> >>@@ -0,0 +1,140 @@
> >>+/* CertificateUtils.java
> >>+ Copyright (C) 2010 Red Hat, Inc.
> >>+
> >>+This file is part of IcedTea.
> >>+
> >>+IcedTea is free software; you can redistribute it and/or
> >>+modify it under the terms of the GNU General Public License as published by
> >>+the Free Software Foundation, version 2.
> >>+
> >>+IcedTea is distributed in the hope that it will be useful,
> >>+but WITHOUT ANY WARRANTY; without even the implied warranty of
> >>+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> >>+General Public License for more details.
> >>+
> >>+You should have received a copy of the GNU General Public License
> >>+along with IcedTea; see the file COPYING. If not, write to
> >>+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> >>+02110-1301 USA.
> >>+
> >>+Linking this library statically or dynamically with other modules is
> >>+making a combined work based on this library. Thus, the terms and
> >>+conditions of the GNU General Public License cover the whole
> >>+combination.
> >>+
> >>+As a special exception, the copyright holders of this library give you
> >>+permission to link this library with independent modules to produce an
> >>+executable, regardless of the license terms of these independent
> >>+modules, and to copy and distribute the resulting executable under
> >>+terms of your choice, provided that you also meet, for each linked
> >>+independent module, the terms and conditions of the license of that
> >>+module. An independent module is a module which is not derived from
> >>+or based on this library. If you modify this library, you may extend
> >>+this exception to your version of the library, but you are not
> >>+obligated to do so. If you do not wish to do so, delete this
> >>+exception statement from your version.
> >>+*/
> >>+
> >>+package net.sourceforge.jnlp.security;
> >>+
> >>+import java.io.BufferedInputStream;
> >>+import java.io.File;
> >>+import java.io.FileInputStream;
> >>+import java.io.IOException;
> >>+import java.io.PrintStream;
> >>+import java.math.BigInteger;
> >>+import java.security.KeyStore;
> >>+import java.security.KeyStoreException;
> >>+import java.security.cert.Certificate;
> >>+import java.security.cert.CertificateException;
> >>+import java.security.cert.CertificateFactory;
> >>+import java.security.cert.X509Certificate;
> >>+import java.util.Random;
> >>+
> >>+import net.sourceforge.jnlp.runtime.JNLPRuntime;
> >>+
> >>+import sun.misc.BASE64Encoder;
> >>+import sun.security.provider.X509Factory;
> >>+
> >>+public class CertificateUtils {
> >>+ /**
> >>+ * Adds the X509Certficate in the file to the KeyStore. Note that it does
> >>+ * not update the copy of the KeyStore on disk.
> >>+ */
> >>+ public static final void addToKeyStore(File file, KeyStore ks) throws CertificateException,
> >>+ IOException, KeyStoreException {
> >>+ if (JNLPRuntime.isDebug()) {
> >>+ System.out.println("Importing certificate from " + file + " into " + ks);
> >>+ }
> >>+
> >>+ BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file));
> >>+ CertificateFactory cf = CertificateFactory.getInstance("X509");
> >>+ X509Certificate cert = null;
> >>+
> >>+ try {
> >>+ cert = (X509Certificate) cf.generateCertificate(bis);
> >>+ } catch (ClassCastException cce) {
> >>+ throw new CertificateException("Input file is not an X509 Certificate", cce);
> >>+ }
> >>+
> >>+ addToKeyStore(cert, ks);
> >>+ }
> >>+
> >>+ /**
> >>+ * Adds an X509Certificate to the KeyStore. Note that it does not update the
> >>+ * copy of the KeyStore on disk.
> >>+ */
> >>+ public static final void addToKeyStore(X509Certificate cert, KeyStore ks)
> >>+ throws KeyStoreException {
> >>+ if (JNLPRuntime.isDebug()) {
> >>+ System.out.println("Importing " + cert.getSubjectX500Principal().getName());
> >>+ }
> >>+
> >>+ String alias = null;
> >>+ Random random = new Random();
> >>+ alias = ks.getCertificateAlias(cert);
> >>+ if (alias != null) {
> >>+ return;
> >>+ }
> >>+
> >>+ do {
> >>+ alias = new BigInteger(20, random).toString();
> >>+ } while (ks.getCertificate(alias) != null);
> >>+ ks.setCertificateEntry(alias, cert);
> >>+ }
> >>+
> >>+ /**
> >>+ * Checks whether an X509Certificate is already in one of the keystores
> >>+ * @param c the certificate
> >>+ * @param keyStores the KeyStores to check in
> >>+ * @return true if the certificate is present in one of the keystores, false otherwise
> >>+ */
> >>+ public static final boolean inKeyStores(X509Certificate c, KeyStore[] keyStores) {
> >>+ for (int i = 0; i< keyStores.length; i++) {
> >>+ try {
> >>+ if (keyStores[i].getCertificateAlias(c) != null) {
> >>+ if (JNLPRuntime.isDebug()) {
> >>+ System.out.println(c.getSubjectX500Principal().getName() + " found in cacerts");
> >>+ }
> >>+ return true;
> >>+ }
> >>+ } catch (KeyStoreException e) {
> >>+ e.printStackTrace();
> >>+ // continue
> >>+ }
> >>+ }
> >>+ return false;
> >>+ }
> >>+
> >>+ /**
> >>+ * Writes the certificate in base64 encoded from to the print stream
> >>+ */
> >>+ public static void dump(Certificate cert, PrintStream out) throws IOException,
> >>+ CertificateException {
> >>+
> >>+ BASE64Encoder encoder = new BASE64Encoder();
> >>+ out.println(X509Factory.BEGIN_CERT);
> >>+ encoder.encodeBuffer(cert.getEncoded(), out);
> >>+ out.println(X509Factory.END_CERT);
> >>+ }
> >>+}
> >>diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java
> >>--- a/netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java Wed Nov 10 16:24:53 2010 -0500
> >>+++ b/netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java Thu Nov 11 10:36:55 2010 -0500
> >>@@ -40,6 +40,7 @@
> >> import static net.sourceforge.jnlp.runtime.Translator.R;
> >>
> >> import java.io.IOException;
> >>+import java.security.KeyStore;
> >> import java.security.cert.CertPath;
> >> import java.security.cert.Certificate;
> >> import java.security.cert.CertificateException;
> >>@@ -213,8 +214,8 @@
> >>
> >> public boolean getRootInCacerts() {
> >> try {
> >>- KeyTool kt = new KeyTool();
> >>- return kt.checkCacertsForCertificate(getRoot());
> >>+ KeyStore[] caCertsKeyStores = KeyStores.getCAKeyStores();
> >>+ return CertificateUtils.inKeyStores((X509Certificate)getRoot(), caCertsKeyStores);
> >> } catch (Exception e) {
> >> }
> >> return false;
> >>diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/KeyStores.java
> >>--- a/netx/net/sourceforge/jnlp/security/KeyStores.java Wed Nov 10 16:24:53 2010 -0500
> >>+++ b/netx/net/sourceforge/jnlp/security/KeyStores.java Thu Nov 11 10:36:55 2010 -0500
> >>@@ -41,6 +41,7 @@
> >> import java.io.FileInputStream;
> >> import java.io.FileOutputStream;
> >> import java.io.IOException;
> >>+import java.security.AllPermission;
> >> import java.security.KeyStore;
> >> import java.security.KeyStoreException;
> >> import java.security.NoSuchAlgorithmException;
> >>@@ -111,6 +112,11 @@
> >> * @return a KeyStore containing certificates from the appropriate
> >> */
> >> public static final KeyStore getKeyStore(Level level, Type type, boolean create) {
> >>+ SecurityManager sm = System.getSecurityManager();
> >>+ if (sm != null) {
> >>+ sm.checkPermission(new AllPermission());
> >>+ }
> >>+
> >> String location = getKeyStoreLocation(level, type);
> >> KeyStore ks = null;
> >> try {
> >>@@ -189,6 +195,29 @@
> >> }
> >>
> >> /**
> >>+ * Returns KeyStores containing trusted client certificates
> >>+ *
> >>+ * @return an array of KeyStore objects that can be used to check client
> >>+ * authentication certificates
> >>+ */
> >>+ public static KeyStore[] getClientKeyStores() {
> >>+ List<KeyStore> result = new ArrayList<KeyStore>();
> >>+ KeyStore ks = null;
> >>+
> >>+ ks = getKeyStore(Level.SYSTEM, Type.CLIENT_CERTS);
> >>+ if (ks != null) {
> >>+ result.add(ks);
> >>+ }
> >>+
> >>+ ks = getKeyStore(Level.USER, Type.CLIENT_CERTS);
> >>+ if (ks != null) {
> >>+ result.add(ks);
> >>+ }
> >>+
> >>+ return result.toArray(new KeyStore[result.size()]);
> >>+ }
> >>+
> >>+ /**
> >> * Returns the location of a KeyStore corresponding to the given level and type.
> >> * @param level
> >> * @param type
> >>@@ -336,4 +365,5 @@
> >> return ks;
> >> }
> >>
> >>+
> >> }
> >>diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
> >>--- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Wed Nov 10 16:24:53 2010 -0500
> >>+++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Thu Nov 11 10:36:55 2010 -0500
> >>@@ -42,6 +42,8 @@
> >> import java.security.cert.CertificateException;
> >> import java.security.cert.X509Certificate;
> >> import java.util.ArrayList;
> >>+import java.util.Arrays;
> >>+import java.util.List;
> >>
> >> import javax.net.ssl.TrustManager;
> >> import javax.net.ssl.TrustManagerFactory;
> >>@@ -60,59 +62,98 @@
> >> * different certificates that are not in the keystore.
> >> */
> >>
> >>-public class VariableX509TrustManager extends X509ExtendedTrustManager {
> >>+final public class VariableX509TrustManager extends X509ExtendedTrustManager {
> >>
> >>- KeyStore userKeyStore = null;
> >>- KeyStore caKeyStore = null;
> >>+ /** TrustManagers containing trusted CAs */
> >>+ private X509TrustManager[] caTrustManagers = null;
> >>
> >>- X509TrustManager userTrustManager = null;
> >>- X509TrustManager caTrustManager = null;
> >>+ /** TrustManagers containing trusted certificates */
> >>+ private X509TrustManager[] certTrustManagers = null;
> >>
> >>- ArrayList<Certificate> temporarilyTrusted = new ArrayList<Certificate>();
> >>- ArrayList<Certificate> temporarilyUntrusted = new ArrayList<Certificate>();
> >>+ /** TrustManagers containing trusted client certificates */
> >>+ private X509TrustManager[] clientTrustManagers = null;
> >>
> >>- static VariableX509TrustManager instance = null;
> >>+ private ArrayList<Certificate> temporarilyTrusted = new ArrayList<Certificate>();
> >>+ private ArrayList<Certificate> temporarilyUntrusted = new ArrayList<Certificate>();
> >>+
> >>+ private static VariableX509TrustManager instance = null;
> >>
> >> /**
> >> * Constructor initializes the system, user and custom stores
> >> */
> >> public VariableX509TrustManager() {
> >>
> >>+ /*
> >>+ * Load TrustManagers for trusted certificates
> >>+ */
> >> try {
> >>- userKeyStore = SecurityUtil.getUserKeyStore();
> >>- TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
> >>- tmFactory.init(userKeyStore);
> >>+ /** KeyStores containing trusted certificates */
> >>+ KeyStore[] trustedCertKeyStores = KeyStores.getCertKeyStores();
> >>+ certTrustManagers = new X509TrustManager[trustedCertKeyStores.length];
> >>
> >>- // tm factory initialized, now get the managers so we can assign the X509 one
> >>- TrustManager[] trustManagers = tmFactory.getTrustManagers();
> >>+ for (int j = 0; j< trustedCertKeyStores.length; j++) {
> >>+ TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
> >>+ tmFactory.init(trustedCertKeyStores[j]);
> >>
> >>- for (int i=0; i< trustManagers.length; i++) {
> >>- if (trustManagers[i] instanceof X509TrustManager) {
> >>- userTrustManager = (X509TrustManager) trustManagers[i];
> >>+ // tm factory initialized, now get the managers so we can assign the X509 one
> >>+ TrustManager[] trustManagers = tmFactory.getTrustManagers();
> >>+
> >>+ for (int i = 0; i< trustManagers.length; i++) {
> >>+ if (trustManagers[i] instanceof X509TrustManager) {
> >>+ certTrustManagers[j] = (X509TrustManager) trustManagers[i];
> >>+ }
> >> }
> >> }
> >>-
> >> } catch (Exception e) {
> >>- // TODO Auto-generated catch block
> >> e.printStackTrace();
> >> }
> >>
> >>+ /*
> >>+ * Load TrustManagers for trusted CAs
> >>+ */
> >> try {
> >>- caKeyStore = SecurityUtil.getCacertsKeyStore();
> >>- TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
> >>- tmFactory.init(caKeyStore);
> >>+ /** KeyStores containing trusted CAs */
> >>+ KeyStore[] trustedCAKeyStores = KeyStores.getCAKeyStores();
> >>+ caTrustManagers = new X509TrustManager[trustedCAKeyStores.length];
> >>
> >>- // tm factory initialized, now get the managers so we can extract the X509 one
> >>- TrustManager[] trustManagers = tmFactory.getTrustManagers();
> >>+ for (int j = 0; j< caTrustManagers.length; j++) {
> >>+ TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
> >>+ tmFactory.init(trustedCAKeyStores[j]);
> >>
> >>- for (int i=0; i< trustManagers.length; i++) {
> >>- if (trustManagers[i] instanceof X509TrustManager) {
> >>- caTrustManager = (X509TrustManager) trustManagers[i];
> >>+ // tm factory initialized, now get the managers so we can extract the X509 one
> >>+ TrustManager[] trustManagers = tmFactory.getTrustManagers();
> >>+
> >>+ for (int i=0; i< trustManagers.length; i++) {
> >>+ if (trustManagers[i] instanceof X509TrustManager) {
> >>+ caTrustManagers[j] = (X509TrustManager) trustManagers[i];
> >>+ }
> >> }
> >> }
> >>+ } catch (Exception e) {
> >>+ e.printStackTrace();
> >>+ }
> >>
> >>+ /*
> >>+ * Load TrustManagers for trusted clients certificates
> >>+ */
> >>+ try {
> >>+ KeyStore[] clientKeyStores = KeyStores.getClientKeyStores();
> >>+ clientTrustManagers = new X509TrustManager[clientKeyStores.length];
> >>+
> >>+ for (int j = 0; j< clientTrustManagers.length; j++) {
> >>+ TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
> >>+ tmFactory.init(clientKeyStores[j]);
> >>+
> >>+ // tm factory initialized, now get the managers so we can extract the X509 one
> >>+ TrustManager[] trustManagers = tmFactory.getTrustManagers();
> >>+
> >>+ for (int i=0; i< trustManagers.length; i++) {
> >>+ if (trustManagers[i] instanceof X509TrustManager) {
> >>+ clientTrustManagers[j] = (X509TrustManager) trustManagers[i];
> >>+ }
> >>+ }
> >>+ }
> >> } catch (Exception e) {
> >>- // TODO Auto-generated catch block
> >> e.printStackTrace();
> >> }
> >> }
> >>@@ -123,18 +164,23 @@
> >> public void checkClientTrusted(X509Certificate[] chain, String authType,
> >> String hostName, String algorithm)
> >> throws CertificateException {
> >>- // First try catrustmanager, then try usertrustmanager
> >>- try {
> >>- caTrustManager.checkClientTrusted(chain, authType);
> >>- } catch (Exception caex) {
> >>+
> >>+ boolean trusted = false;
> >>+ ValidatorException savedException = null;
> >>+ for (int i = 0; i< clientTrustManagers.length; i++) {
> >> try {
> >>- userTrustManager.checkClientTrusted(chain, authType);
> >>- } catch (Exception userex) {
> >>- // Do nothing here. This trust manager is intended to be used
> >>- // only in the plugin instance vm, which does not act as a
> >>- // server
> >>+ clientTrustManagers[i].checkClientTrusted(chain, authType);
> >>+ trusted = true;
> >>+ break;
> >>+ } catch (ValidatorException caex) {
> >>+ savedException = caex;
> >> }
> >> }
> >>+ if (trusted) {
> >>+ return;
> >>+ }
> >>+
> >>+ throw savedException;
> >> }
> >>
> >> public void checkClientTrusted(X509Certificate[] chain, String authType)
> >>@@ -214,17 +260,45 @@
> >> * Check system, user and custom trust manager
> >> */
> >> private void checkAllManagers(X509Certificate[] chain, String authType) throws CertificateException {
> >>- // First try catrustmanager, then try usertrustmanager, and finally, check temp trusted certs
> >>- try {
> >>- caTrustManager.checkServerTrusted(chain, authType);
> >>- } catch (ValidatorException caex) {
> >>+ // first try CA TrustManagers
> >>+ boolean trusted = false;
> >>+ ValidatorException savedException = null;
> >>+ for (int i = 0; i< caTrustManagers.length; i++) {
> >> try {
> >>- userTrustManager.checkServerTrusted(chain, authType);
> >>- } catch (ValidatorException uex) {
> >>- if (!temporarilyTrusted.contains(chain[0]))
> >>- throw (CertificateException) uex;
> >>+ caTrustManagers[i].checkServerTrusted(chain, authType);
> >>+ trusted = true;
> >>+ break;
> >>+ } catch (ValidatorException caex) {
> >>+ savedException = caex;
> >> }
> >> }
> >>+ if (trusted) {
> >>+ return;
> >>+ }
> >>+
> >>+ // then try certificate TrustManagers
> >>+ for (int i = 0; i< certTrustManagers.length; i++) {
> >>+ try {
> >>+ certTrustManagers[i].checkServerTrusted(chain, authType);
> >>+ trusted = true;
> >>+ break;
> >>+ } catch (ValidatorException caex) {
> >>+ savedException = caex;
> >>+ }
> >>+ }
> >>+ if (trusted) {
> >>+ return;
> >>+ }
> >>+
> >>+ // finally check temp trusted certs
> >>+ if (!temporarilyTrusted.contains(chain[0])) {
> >>+ if (savedException == null) {
> >>+ // System.out.println("IMPOSSIBLE!");
> >>+ throw new ValidatorException(ValidatorException.T_SIGNATURE_ERROR, chain[0]);
> >>+ }
> >>+ throw savedException;
> >>+ }
> >>+
> >> }
> >>
> >> /**
> >>@@ -233,23 +307,32 @@
> >> private boolean isExplicitlyTrusted(X509Certificate[] chain, String authType) {
> >> boolean explicitlyTrusted = false;
> >>
> >>- try {
> >>- userTrustManager.checkServerTrusted(chain, authType);
> >>- explicitlyTrusted = true;
> >>- } catch (ValidatorException uex) {
> >>- if (temporarilyTrusted.contains(chain[0]))
> >>+ for (int i = 0; i< certTrustManagers.length; i++) {
> >>+ try {
> >>+ certTrustManagers[i].checkServerTrusted(chain, authType);
> >> explicitlyTrusted = true;
> >>- } catch (CertificateException ce) {
> >>- // do nothing, this means that the cert is not explicitly trusted
> >>+ break;
> >>+ } catch (ValidatorException uex) {
> >>+ if (temporarilyTrusted.contains(chain[0])) {
> >>+ explicitlyTrusted = true;
> >>+ break;
> >>+ }
> >>+ } catch (CertificateException ce) {
> >>+ // not explicitly trusted
> >>+ }
> >> }
> >>
> >> return explicitlyTrusted;
> >>-
> >> }
> >>
> >> public X509Certificate[] getAcceptedIssuers() {
> >>- // delegate to default
> >>- return caTrustManager.getAcceptedIssuers();
> >>+ List<X509Certificate> issuers = new ArrayList<X509Certificate>();
> >>+
> >>+ for (int i = 0; i< caTrustManagers.length; i++) {
> >>+ issuers.addAll(Arrays.asList(caTrustManagers[i].getAcceptedIssuers()));
> >>+ }
> >>+
> >>+ return issuers.toArray(new X509Certificate[issuers.size()]);
> >> }
> >>
> >> /**
> >>diff -r 44d47c366e5f netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java
> >>--- a/netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java Wed Nov 10 16:24:53 2010 -0500
> >>+++ b/netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java Thu Nov 11 10:36:55 2010 -0500
> >>@@ -71,6 +71,7 @@
> >> import javax.swing.event.ChangeListener;
> >> import javax.swing.table.DefaultTableModel;
> >>
> >>+import net.sourceforge.jnlp.security.CertificateUtils;
> >> import net.sourceforge.jnlp.security.KeyStores;
> >> import net.sourceforge.jnlp.security.SecurityUtil;
> >> import net.sourceforge.jnlp.security.SecurityWarningDialog;
> >>@@ -359,9 +360,8 @@
> >> int returnVal = chooser.showOpenDialog(parent);
> >> if(returnVal == JFileChooser.APPROVE_OPTION) {
> >> try {
> >>- KeyTool kt = new KeyTool();
> >> KeyStore ks = keyStore;
> >>- kt.addToKeyStore(chooser.getSelectedFile(), ks);
> >>+ CertificateUtils.addToKeyStore(chooser.getSelectedFile(), ks);
> >> OutputStream os = new FileOutputStream(
> >> KeyStores.getKeyStoreLocation(currentKeyStoreLevel, currentKeyStoreType));
> >> ks.store(os, KeyStores.getPassword());
> >>@@ -399,7 +399,7 @@
> >> if (alias != null) {
> >> Certificate c = keyStore.getCertificate(alias);
> >> PrintStream ps = new PrintStream(chooser.getSelectedFile().getAbsolutePath());
> >>- KeyTool.dumpCert(c, ps);
> >>+ CertificateUtils.dump(c, ps);
> >> repopulateTables();
> >> }
> >> }
> >>diff -r 44d47c366e5f netx/net/sourceforge/jnlp/tools/JarSigner.java
> >>--- a/netx/net/sourceforge/jnlp/tools/JarSigner.java Wed Nov 10 16:24:53 2010 -0500
> >>+++ b/netx/net/sourceforge/jnlp/tools/JarSigner.java Thu Nov 11 10:36:55 2010 -0500
> >>@@ -371,9 +371,12 @@
> >> private void checkTrustedCerts() throws Exception {
> >> if (certPath != null) {
> >> try {
> >>- KeyTool kt = new KeyTool();
> >>- alreadyTrustPublisher = kt.isTrusted(getPublisher());
> >>- rootInCacerts = kt.checkCacertsForCertificate(getRoot());
> >>+ X509Certificate publisher = (X509Certificate) getPublisher();
> >>+ KeyStore[] certKeyStores = KeyStores.getCertKeyStores();
> >>+ alreadyTrustPublisher = CertificateUtils.inKeyStores(publisher, certKeyStores);
> >>+ X509Certificate root = (X509Certificate) getRoot();
> >>+ KeyStore[] caKeyStores = KeyStores.getCAKeyStores();
> >>+ rootInCacerts = CertificateUtils.inKeyStores(root, caKeyStores);
> >> } catch (Exception e) {
> >> // TODO: Warn user about not being able to
> >> // look through their cacerts/trusted.certs
> >>diff -r 44d47c366e5f netx/net/sourceforge/jnlp/tools/KeyTool.java
> >>--- a/netx/net/sourceforge/jnlp/tools/KeyTool.java Wed Nov 10 16:24:53 2010 -0500
> >>+++ b/netx/net/sourceforge/jnlp/tools/KeyTool.java Thu Nov 11 10:36:55 2010 -0500
> >>@@ -119,43 +119,6 @@
> >> return importCert((Certificate)cert);
> >> }
> >>
> >>- /**
> >>- * Adds the X509Certficate in the file to the KeyStore
> >>- */
> >>- public final void addToKeyStore(File file, KeyStore ks) throws CertificateException,
> >>- IOException, KeyStoreException {
> >>- BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file));
> >>- CertificateFactory cf = CertificateFactory.getInstance("X509");
> >>- X509Certificate cert = null;
> >>-
> >>- try {
> >>- cert = (X509Certificate) cf.generateCertificate(bis);
> >>- } catch (ClassCastException cce) {
> >>- throw new CertificateException("Input file is not an X509 Certificate", cce);
> >>- }
> >>-
> >>- addToKeyStore(cert, ks);
> >>-
> >>- }
> >>-
> >>- /**
> >>- * Adds an X509Certificate to the KeyStore
> >>- */
> >>- public final void addToKeyStore(X509Certificate cert, KeyStore ks) throws KeyStoreException {
> >>- String alias = null;
> >>- Random random = new Random();
> >>- alias = ks.getCertificateAlias(cert);
> >>- // already in keystore; done
> >>- if (alias != null) {
> >>- return;
> >>- }
> >>-
> >>- do {
> >>- alias = new BigInteger(20, random).toString();
> >>- } while (ks.getCertificate(alias) != null);
> >>- ks.setCertificateEntry(alias, cert);
> >>- }
> >>-
> >> /**
> >> * Adds a trusted certificate to the user's keystore.
> >> * @return true if the add was successful, false otherwise.
> >>@@ -479,20 +442,6 @@
> >> return false;
> >> }
> >>
> >>- public static void dumpCert(Certificate cert, PrintStream out)
> >>- throws IOException, CertificateException {
> >>-
> >>- boolean printRfc = true;
> >>- if (printRfc) {
> >>- BASE64Encoder encoder = new BASE64Encoder();
> >>- out.println(X509Factory.BEGIN_CERT);
> >>- encoder.encodeBuffer(cert.getEncoded(), out);
> >>- out.println(X509Factory.END_CERT);
> >>- } else {
> >>- out.write(cert.getEncoded()); // binary
> >>- }
> >>- }
> >>-
> >> public static void main(String[] args) throws Exception {
> >> KeyTool kt = new KeyTool();
> >> kt.doPrintEntries(System.out);
> >>diff -r 44d47c366e5f plugin/icedteanp/java/sun/applet/PluginMain.java
> >>--- a/plugin/icedteanp/java/sun/applet/PluginMain.java Wed Nov 10 16:24:53 2010 -0500
> >>+++ b/plugin/icedteanp/java/sun/applet/PluginMain.java Thu Nov 11 10:36:55 2010 -0500
> >>@@ -215,20 +215,6 @@
> >> // INSTALL THE PROPERTY LIST
> >> System.setProperties(avProps);
> >>
> >>-
> >>- try {
> >>- SSLSocketFactory sslSocketFactory;
> >>- SSLContext context = SSLContext.getInstance("SSL");
> >>- TrustManager[] trust = new TrustManager[] { VariableX509TrustManager.getInstance() };
> >>- context.init(null, trust, null);
> >>- sslSocketFactory = context.getSocketFactory();
> >>-
> >>- HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
> >>- } catch (Exception e) {
> >>- System.err.println("Unable to set SSLSocketfactory (may _prevent_ access to sites that should be trusted)! Continuing anyway...");
> >>- e.printStackTrace();
> >>- }
> >>-
> >> // plug in a custom authenticator and proxy selector
> >> Authenticator.setDefault(new CustomAuthenticator());
> >> ProxySelector.setDefault(new PluginProxySelector());
> >
>
More information about the distro-pkg-dev
mailing list