RFC: Fix for PR1161: X509VariableTrustManager does not work correctly with OpenJDK7
Deepak Bhole
dbhole at redhat.com
Tue Sep 11 13:53:05 PDT 2012
* Omair Majid <omajid at redhat.com> [2012-09-11 14:48]:
> On 09/07/2012 05:33 PM, Deepak Bhole wrote:
> > Hi,
> >
> > This patch fixes PR1161:
> > http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1161
> >
> > As specified there, the issue is that Java 7 changed what parent class
> > a trust manager needs to implement in order to correctly intercept
> > issues such as CN mismatch. As a result, icedtea-web currently cannot
> > load sites whose certificate has a CN mismatch (proprietary tools work
> > fine in such cases).
> >
> > Attached patch adds support for Java 7 while maintaining compatibility
> > with Java 6 (loading one trust manager for 6 and a different one for 7+).
> >
> > I would like to see this backported to 1.3 as well given its importance, but we
> > can let it bake in HEAD for a couple of weeks.
>
> If I may make a request, when you are pushing this, could you push this
> as two changesets? One that deals with the JDK version problems and the
> other that changes the check for hostname (this patch includes both but
> mixes them).
>
Sorry can you elaborate a bit on what you mean by that? Which are the
JDK version problems that you are referring to? Just the autotools file
changes?
..
..
> > AC_MSG_RESULT(${JAVA})
> > AC_SUBST(JAVA)
> > - JAVA_VERSION=`$JAVA -version 2>&1 | sed -n '1s/@<:@^"@:>@*"\(.*\)"$/\1/p'`
> > - case "${JAVA_VERSION}" in
> > - 1.7*) VERSION_DEFS='-DHAVE_JAVA7';;
> > - esac
> > + JAVA_VERSION=`$JAVA -version 2>&1 | sed -n -e '1s/@<:@^"@:>@*"\(.*\)"$/\1/p'`
>
> We should try and make this regex readable at some point :)
>
Ah, I agree. I don't think even I fully understand it which is why I
kept it as is :) [Just noticed that I had an extra -e there to sed.
While it makes no difference, I have reverted it]
...
>
> > @@ -248,6 +269,42 @@
> > }
> >
> > /**
> > + * Returns a TrustManager ideal for the running VM.
> > + *
> > + * @return TrustManager the trust manager to use for verifying https certificates
> > + */
>
> Some indention seems to be off here.
>
Looks fine to me. Are you seeing tabs instead of spaces somewhere?
> > + private static TrustManager getSSLSocketTrustManager() throws
> > + ClassNotFoundException, IllegalAccessException, InstantiationException, InvocationTargetException {
> > +
> > + try {
> > +
> > + Class<?> trustManagerClass;
> > + Constructor<?> tmCtor = null;
>
> Perhaps it might be better to use X509TrustManager as the type argument
> to make thing clearer? You can chain it like
> Class.forName().asSubClass(X509TrustManager.class) to make the code more
> explicit.
>
> > +
> > + if (System.getProperty("java.version").startsWith("1.6")) { // Java 6
> > + trustManagerClass = Class.forName("net.sourceforge.jnlp.security.VariableX509TrustManagerJDK6");
> > + } else { // Java 7 or more (technically could be <= 1.5 but <= 1.5 is unsupported)
> > + trustManagerClass = Class.forName("net.sourceforge.jnlp.security.VariableX509TrustManagerJDK7");
> > + }
> > +
> > + Constructor<?>[] tmCtors = trustManagerClass.getDeclaredConstructors();
> > + tmCtor = tmCtors[0];
> > +
> > + for (Constructor<?> ctor : tmCtors) {
> > + if (tmCtor.getGenericParameterTypes().length == 0) {
> > + tmCtor = ctor;
> > + break;
> > + }
> > + }
> > +
> > + return (TrustManager) tmCtor.newInstance();
> > + } catch (RuntimeException e) {
> > + System.err.println("Unable to load JDK-specific TrustManager. Was this version of IcedTea-Web compiled with JDK6?");
>
> Is it worth i18n'ing this message?
>
I thought about it but is not really a message the user can do much
about anyway, it is more of a reference for developers as to what is
going on. I can switch if you prefer though.
> Also, would it be better to print the "compiled with wrong jdk" message
> (which really indicates that the wanted class is not found") in the
> place where we do the jdk check?
>
I think this is a better spot because not all applets will be loaded via
https so this code will not always run and thus if we forcibly do a
check elsewhere, we may be preventing initialization when there is no
reason to.
> > diff -r 0db02eca94bf netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
> > --- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Fri Sep 07 13:52:23 2012 +0200
> > +++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Fri Sep 07 17:28:56 2012 -0400
> > /**
> > - * Check if the server is trusted
> > + * Check if the server is trusted.
> > *
> > * @param chain The cert chain
> > * @param authType The auth type algorithm
> > - * @param checkOnly Whether to "check only" i.e. no user prompt, or to prompt for permission
> > + * @param hostName The expected hostName that the server should have
> > + * @param socket The SSLSocket in use (may be null)
> > + * @param ending The SSLEngine in use (may be null)
> > */
> > - public synchronized void checkServerTrusted(X509Certificate[] chain,
> > + public synchronized void checkTrustServer(X509Certificate[] chain,
> > String authType, String hostName,
> > - boolean checkOnly) throws CertificateException {
> > + SSLSocket socket, SSLEngine engine) throws CertificateException {
> > CertificateException ce = null;
> > boolean trusted = true;
> > - boolean CNMatched = true;
> > + boolean CNMatched = false;
> >
> > try {
> > - checkAllManagers(chain, authType);
> > + checkAllManagers(chain, authType, socket, engine);
> > } catch (CertificateException e) {
> > trusted = false;
> > ce = e;
> > @@ -226,59 +214,92 @@
> > // If the certificate is not explicitly trusted, we
> > // need to prompt the user
> > if (!isExplicitlyTrusted(chain, authType)) {
> > -
> > - if (hostName == null) {
> > - CNMatched = false;
> > - } else {
> > + if (hostName != null) {
> > try {
> > HostnameChecker checker = HostnameChecker
> > .getInstance(HostnameChecker.TYPE_TLS);
> >
> > - checker.match(hostName, chain[0]); // only need to match @ 0 for
> > - // CN
> > + checker.match(hostName, chain[0]); // only need to match @ 0 for CN
> >
> > + CNMatched = true;
> > } catch (CertificateException e) {
> > - CNMatched = false;
> > ce = e;
> > }
> > }
> > + } else {
> > + // Else it is explicitly trusted. Return here.
> > + return;
> > }
>
> I don't like this else block: if the code below ever adds more checks,
> they will be skipped. Why not let the code below handle this?
>
If we let it fall down to the code below, the CN will always mismatch
(even when cert is always trusted) and we will always end up showing a
prompt.
The Oracle plug-in does not pop up a warning once a cert is always
trusted (even if underlying host changes). Not sure how secure that is,
but then we don't store cert and host info so we cannot "always trust"
for a specific host.
> > // first try CA TrustManagers
> > boolean trusted = false;
> > ValidatorException savedException = null;
> > for (int i = 0; i < caTrustManagers.length; i++) {
> > try {
> > - caTrustManagers[i].checkServerTrusted(chain, authType);
> > + if (socket == null && engine == null) {
> > + caTrustManagers[i].checkServerTrusted(chain, authType);
> > + } else {
> > +
> > + try {
> > + Class<?> x509ETMClass = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
> > + if (engine == null) {
> > + Method mcheckServerTrusted = x509ETMClass.getDeclaredMethod("checkServerTrusted", X509Certificate[].class, String.class, Socket.class);
> > + mcheckServerTrusted.invoke(caTrustManagers[i], chain, authType, socket);
> > + } else {
> > + Method mcheckServerTrusted = x509ETMClass.getDeclaredMethod("checkServerTrusted", X509Certificate[].class, String.class, SSLEngine.class);
> > + mcheckServerTrusted.invoke(caTrustManagers[i], chain, authType, engine);
> > + }
> > + } catch (NoSuchMethodException nsme) {
> > + throw new ValidatorException(nsme.getMessage());
> > + } catch (InvocationTargetException ite) {
> > + throw new ValidatorException(ite.getMessage());
> > + } catch (IllegalAccessException iae) {
> > + throw new ValidatorException(iae.getMessage());
> > + } catch (ClassNotFoundException cnfe) {
> > + throw new ValidatorException(cnfe.getMessage());
> > + }
> > + }
> > +
>
> Since this is not common code, why not put it in the JDK6/7 specific class?
>
Not sure I understand -- the loop and initial checkServerTrusted() call are common.
> > diff -r 0db02eca94bf netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK6.java
> > --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> > +++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK6.java Fri Sep 07 17:28:56 2012 -0400
> > @@ -0,0 +1,38 @@
> > +package net.sourceforge.jnlp.security;
>
> Missing license header.
>
Doh, will add it to both.
> > +import java.security.cert.CertificateException;
> > +import java.security.cert.X509Certificate;
> > +
> > +import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager;
> > +
> > +public class VariableX509TrustManagerJDK6 extends X509ExtendedTrustManager {
> > +
> > + VariableX509TrustManager vX509TM = VariableX509TrustManager.getInstance();
>
> Could you make this private? I don't think package-private is a problem,
> but just to be safe.
>
Sure.
> > diff -r 0db02eca94bf netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK7.java
> > --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> > +++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK7.java Fri Sep 07 17:28:56 2012 -0400
> > @@ -0,0 +1,122 @@
> > +package net.sourceforge.jnlp.security;
>
> Missing license header.
>
Will add.
> > +public class VariableX509TrustManagerJDK7 extends X509ExtendedTrustManager {
> > +
> > + VariableX509TrustManager vX509TM = VariableX509TrustManager.getInstance();
>
> Please make this private too.
>
Yep, will do.
> > + /**
> > + * Check if the server is trusted
> > + *
> > + * @param chain The cert chain
> > + * @param authType The auth type algorithm
> > + * @param socket the SSLSocket, if provided
> > + * @param engine the SSLEngine, if provided
> > + */
>
> s/if provided/may be null/ ?
>
Ah, good catch. if provides would imply variadic method. Thanks, will
change.
> > + private void checkTrustServer(X509Certificate[] chain,
> > + String authType, Socket socket,
> > + SSLEngine engine) throws CertificateException {
> > +
> > + String hostName = null;
> > +
> > + if (socket != null) {
> > + hostName = ((SSLSocket) socket).getHandshakeSession().getPeerHost();
> > + } else if (engine != null) {
> > + hostName = engine.getHandshakeSession().getPeerHost();
> > + }
> > +
> > + vX509TM.checkTrustServer(chain, authType, hostName, (SSLSocket) socket, engine);
> > + }
> > +
> > + /**
> > + * Check if the server is trusted
>
> /me looks at method name
>
Intentional. check[Server|Client]Trusted are overridden whereas
checkTrust* methods are helpers.
> > + * @param chain The cert chain
> > + * @param authType The auth type algorithm
> > + * @param socket the SSLSocket, if provided
> > + * @param engine the SSLEngine, if provided
> > + */
> > + private void checkTrustClient(X509Certificate[] chain,
> > + String authType, Socket socket,
> > + SSLEngine engine) throws CertificateException {
> > +
> > + String hostName = null;
> > +
> > + try {
> > + if (socket != null) {
> > + Method mgetHandshakeSession = SSLSocket.class.getDeclaredMethod("getHandshakeSession");
> > + SSLSession session = (SSLSession) mgetHandshakeSession.invoke(socket);
> > +
> > + if (session == null) {
> > + throw new CertificateException("No handshake session");
> > + }
> > +
> > + hostName = session.getPeerHost();
> > + } else if (engine != null) {
> > + Method mgetHandshakeSession = SSLEngine.class.getDeclaredMethod("getHandshakeSession");
> > + SSLSession session = (SSLSession) mgetHandshakeSession.invoke(engine);
> > +
> > + if (session == null) {
> > + throw new CertificateException("No handshake session");
> > + }
> > +
> > + hostName = session.getPeerHost();
> > + }
>
> I don't see why we are using reflection here. Could you explain?
>
getHandshakeSession() is new in 1.7 so it will not compile with 1.6
without reflection (both socket and engine will never be null for Java 6
so the above code will only be entered with 7).
Thanks for the detailed review!
New iteration of patch attached.
Cheers,
Deepak
-------------- next part --------------
diff -r 0db02eca94bf Makefile.am
--- a/Makefile.am Fri Sep 07 13:52:23 2012 +0200
+++ b/Makefile.am Tue Sep 11 16:49:58 2012 -0400
@@ -348,6 +348,9 @@
if !WITH_RHINO
sed -i '/RhinoBasedPacEvaluator/ d' $@
endif
+if !HAVE_JAVA7
+ sed -i '/VariableX509TrustManagerJDK7/ d' $@
+endif
stamps/netx.stamp: netx-source-files.txt stamps/bootstrap-directory.stamp
mkdir -p $(NETX_DIR)
diff -r 0db02eca94bf NEWS
--- a/NEWS Fri Sep 07 13:52:23 2012 +0200
+++ b/NEWS Tue Sep 11 16:49:58 2012 -0400
@@ -17,6 +17,7 @@
* Common
- PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered
- PR955: regression: SweetHome3D fails to run
+ - PR1161: X509VariableTrustManager does not work correctly with OpenJDK7
New in release 1.3 (2012-XX-XX):
* NetX
diff -r 0db02eca94bf acinclude.m4
--- a/acinclude.m4 Fri Sep 07 13:52:23 2012 +0200
+++ b/acinclude.m4 Tue Sep 11 16:49:58 2012 -0400
@@ -715,9 +715,12 @@
AC_MSG_RESULT(${JAVA})
AC_SUBST(JAVA)
JAVA_VERSION=`$JAVA -version 2>&1 | sed -n '1s/@<:@^"@:>@*"\(.*\)"$/\1/p'`
- case "${JAVA_VERSION}" in
- 1.7*) VERSION_DEFS='-DHAVE_JAVA7';;
- esac
+ HAVE_JAVA7=`echo $JAVA_VERSION | awk '{if ($(0) >= 1.7) print "yes"}'`
+ if ! test -z "$HAVE_JAVA7" ; then
+ VERSION_DEFS='-DHAVE_JAVA7'
+ fi
+
+ AM_CONDITIONAL([HAVE_JAVA7], test x"${HAVE_JAVA7}" = "xyes" )
AC_SUBST(VERSION_DEFS)
])
diff -r 0db02eca94bf netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Fri Sep 07 13:52:23 2012 +0200
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Tue Sep 11 16:49:58 2012 -0400
@@ -16,38 +16,59 @@
package net.sourceforge.jnlp.runtime;
-import java.io.*;
+import java.awt.EventQueue;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
import java.net.Authenticator;
import java.net.ProxySelector;
import java.nio.channels.FileChannel;
import java.nio.channels.FileLock;
-import java.awt.*;
-import java.text.*;
-import java.util.*;
+import java.security.AllPermission;
+import java.security.KeyStore;
+import java.security.Policy;
+import java.security.Security;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.text.MessageFormat;
import java.util.List;
-import java.security.*;
-import javax.jnlp.*;
+import java.util.ResourceBundle;
+
+import javax.jnlp.ServiceManager;
import javax.naming.ConfigurationException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.swing.UIManager;
import javax.swing.text.html.parser.ParserDelegator;
-import sun.net.www.protocol.jar.URLJarFile;
-
-import net.sourceforge.jnlp.*;
+import net.sourceforge.jnlp.DefaultLaunchHandler;
+import net.sourceforge.jnlp.GuiLaunchHandler;
+import net.sourceforge.jnlp.LaunchHandler;
+import net.sourceforge.jnlp.Launcher;
import net.sourceforge.jnlp.browser.BrowserAwareProxySelector;
-import net.sourceforge.jnlp.cache.*;
+import net.sourceforge.jnlp.cache.CacheUtil;
+import net.sourceforge.jnlp.cache.DefaultDownloadIndicator;
+import net.sourceforge.jnlp.cache.DownloadIndicator;
+import net.sourceforge.jnlp.cache.UpdatePolicy;
import net.sourceforge.jnlp.config.DeploymentConfiguration;
import net.sourceforge.jnlp.security.JNLPAuthenticator;
import net.sourceforge.jnlp.security.KeyStores;
import net.sourceforge.jnlp.security.SecurityDialogMessageHandler;
import net.sourceforge.jnlp.security.VariableX509TrustManager;
-import net.sourceforge.jnlp.services.*;
-import net.sourceforge.jnlp.util.*;
+import net.sourceforge.jnlp.services.XServiceManagerStub;
+import net.sourceforge.jnlp.util.FileUtils;
+import net.sourceforge.jnlp.util.TeeOutputStream;
+import sun.net.www.protocol.jar.URLJarFile;
/**
* Configure and access the runtime environment. This class
@@ -223,7 +244,7 @@
KeyStore ks = KeyStores.getKeyStore(KeyStores.Level.USER, KeyStores.Type.CLIENT_CERTS);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, KeyStores.getPassword());
- TrustManager[] trust = new TrustManager[] { VariableX509TrustManager.getInstance() };
+ TrustManager[] trust = new TrustManager[] { getSSLSocketTrustManager() };
context.init(kmf.getKeyManagers(), trust, null);
sslSocketFactory = context.getSocketFactory();
@@ -248,6 +269,42 @@
}
/**
+ * Returns a TrustManager ideal for the running VM.
+ *
+ * @return TrustManager the trust manager to use for verifying https certificates
+ */
+ private static TrustManager getSSLSocketTrustManager() throws
+ ClassNotFoundException, IllegalAccessException, InstantiationException, InvocationTargetException {
+
+ try {
+
+ Class<?> trustManagerClass;
+ Constructor<?> tmCtor = null;
+
+ if (System.getProperty("java.version").startsWith("1.6")) { // Java 6
+ trustManagerClass = Class.forName("net.sourceforge.jnlp.security.VariableX509TrustManagerJDK6");
+ } else { // Java 7 or more (technically could be <= 1.5 but <= 1.5 is unsupported)
+ trustManagerClass = Class.forName("net.sourceforge.jnlp.security.VariableX509TrustManagerJDK7");
+ }
+
+ Constructor<?>[] tmCtors = trustManagerClass.getDeclaredConstructors();
+ tmCtor = tmCtors[0];
+
+ for (Constructor<?> ctor : tmCtors) {
+ if (tmCtor.getGenericParameterTypes().length == 0) {
+ tmCtor = ctor;
+ break;
+ }
+ }
+
+ return (TrustManager) tmCtor.newInstance();
+ } catch (RuntimeException e) {
+ System.err.println("Unable to load JDK-specific TrustManager. Was this version of IcedTea-Web compiled with JDK6?");
+ throw e;
+ }
+ }
+
+ /**
* This must NOT be called form the application ThreadGroup. An application
* can inject events into its {@link EventQueue} and bypass the security
* dialogs.
diff -r 0db02eca94bf netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java
--- a/netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java Fri Sep 07 13:52:23 2012 +0200
+++ b/netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java Tue Sep 11 16:49:58 2012 -0400
@@ -59,7 +59,6 @@
public class HttpsCertVerifier implements CertVerifier {
- private VariableX509TrustManager tm;
private X509Certificate[] chain;
private String authType;
private String hostName;
@@ -67,11 +66,9 @@
private boolean hostMatched;
private ArrayList<String> details = new ArrayList<String>();
- public HttpsCertVerifier(VariableX509TrustManager tm,
- X509Certificate[] chain, String authType,
+ public HttpsCertVerifier(X509Certificate[] chain, String authType,
boolean isTrusted, boolean hostMatched,
String hostName) {
- this.tm = tm;
this.chain = chain;
this.authType = authType;
this.hostName = hostName;
diff -r 0db02eca94bf netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
--- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Fri Sep 07 13:52:23 2012 +0200
+++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Tue Sep 11 16:49:58 2012 -0400
@@ -37,6 +37,9 @@
package net.sourceforge.jnlp.security;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.net.Socket;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.PrivilegedAction;
@@ -47,25 +50,24 @@
import java.util.Arrays;
import java.util.List;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
+import net.sourceforge.jnlp.runtime.JNLPRuntime;
+import net.sourceforge.jnlp.security.SecurityDialogs.AccessType;
import sun.security.util.HostnameChecker;
import sun.security.validator.ValidatorException;
-import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager;
-import net.sourceforge.jnlp.runtime.JNLPRuntime;
-
-import net.sourceforge.jnlp.security.SecurityDialogs.AccessType;
-
/**
* This class implements an X509 Trust Manager. The certificates it trusts are
* "variable", in the sense that it can dynamically, and temporarily support
* different certificates that are not in the keystore.
*/
-final public class VariableX509TrustManager extends X509ExtendedTrustManager {
+final public class VariableX509TrustManager {
/** TrustManagers containing trusted CAs */
private X509TrustManager[] caTrustManagers = null;
@@ -164,8 +166,8 @@
/**
* Check if client is trusted (no support for custom here, only system/user)
*/
- public void checkClientTrusted(X509Certificate[] chain, String authType,
- String hostName, String algorithm)
+ public void checkTrustClient(X509Certificate[] chain, String authType,
+ String hostName)
throws CertificateException {
boolean trusted = false;
@@ -186,38 +188,24 @@
throw savedException;
}
- public void checkClientTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- checkClientTrusted(chain, authType, null, null);
- }
-
- public void checkServerTrusted(X509Certificate[] chain, String authType,
- String hostName, String algorithm)
- throws CertificateException {
- checkServerTrusted(chain, authType, hostName, false);
- }
-
- public void checkServerTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- checkServerTrusted(chain, authType, null, null);
- }
-
/**
- * Check if the server is trusted
+ * Check if the server is trusted.
*
* @param chain The cert chain
* @param authType The auth type algorithm
- * @param checkOnly Whether to "check only" i.e. no user prompt, or to prompt for permission
+ * @param hostName The expected hostName that the server should have
+ * @param socket The SSLSocket in use (may be null)
+ * @param ending The SSLEngine in use (may be null)
*/
- public synchronized void checkServerTrusted(X509Certificate[] chain,
+ public synchronized void checkTrustServer(X509Certificate[] chain,
String authType, String hostName,
- boolean checkOnly) throws CertificateException {
+ SSLSocket socket, SSLEngine engine) throws CertificateException {
CertificateException ce = null;
boolean trusted = true;
- boolean CNMatched = true;
+ boolean CNMatched = false;
try {
- checkAllManagers(chain, authType);
+ checkAllManagers(chain, authType, socket, engine);
} catch (CertificateException e) {
trusted = false;
ce = e;
@@ -226,59 +214,92 @@
// If the certificate is not explicitly trusted, we
// need to prompt the user
if (!isExplicitlyTrusted(chain, authType)) {
-
- if (hostName == null) {
- CNMatched = false;
- } else {
+ if (hostName != null) {
try {
HostnameChecker checker = HostnameChecker
.getInstance(HostnameChecker.TYPE_TLS);
- checker.match(hostName, chain[0]); // only need to match @ 0 for
- // CN
+ checker.match(hostName, chain[0]); // only need to match @ 0 for CN
+ CNMatched = true;
} catch (CertificateException e) {
- CNMatched = false;
ce = e;
}
}
+ } else {
+ // Else it is trusted
+ trusted = true;
}
if (!trusted || !CNMatched) {
- if (checkOnly) {
- throw ce;
- } else {
- if (!isTemporarilyUntrusted(chain[0])) {
- boolean b = askUser(chain, authType, trusted, CNMatched, hostName);
+ if (!isTemporarilyUntrusted(chain[0])) {
+ boolean b = askUser(chain, authType, trusted, CNMatched, hostName);
- if (b) {
- temporarilyTrust(chain[0]);
- } else {
- temporarilyUntrust(chain[0]);
- }
+ if (b) {
+ temporarilyTrust(chain[0]);
+ return;
+ } else {
+ temporarilyUntrust(chain[0]);
}
+ }
- checkAllManagers(chain, authType);
- }
+ throw ce;
}
}
/**
- * Check system, user and custom trust manager
+ * Check system, user and custom trust manager.
+ *
+ * This method is intended to work with both, JRE6 and JRE7. If socket
+ * and engine are null, it assumes that the call is for JRE6 (i.e. not
+ * javax.net.ssl.X509ExtendedTrustManager which is Java 7 specific). If
+ * either of those are not null, it will assume that the caTrustManagers
+ * are javax.net.ssl.X509ExtendedTrustManager instances and will
+ * invoke their check methods.
+ *
+ * @param chain The certificate chain
+ * @param authType The authentication type
+ * @param socket the SSLSocket being used for the connection
+ * @param engine the SSLEngine being used for the connection
*/
- private void checkAllManagers(X509Certificate[] chain, String authType) throws CertificateException {
+ private void checkAllManagers(X509Certificate[] chain, String authType, Socket socket, SSLEngine engine) throws CertificateException {
+
// first try CA TrustManagers
boolean trusted = false;
ValidatorException savedException = null;
for (int i = 0; i < caTrustManagers.length; i++) {
try {
- caTrustManagers[i].checkServerTrusted(chain, authType);
+ if (socket == null && engine == null) {
+ caTrustManagers[i].checkServerTrusted(chain, authType);
+ } else {
+
+ try {
+ Class<?> x509ETMClass = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
+ if (engine == null) {
+ Method mcheckServerTrusted = x509ETMClass.getDeclaredMethod("checkServerTrusted", X509Certificate[].class, String.class, Socket.class);
+ mcheckServerTrusted.invoke(caTrustManagers[i], chain, authType, socket);
+ } else {
+ Method mcheckServerTrusted = x509ETMClass.getDeclaredMethod("checkServerTrusted", X509Certificate[].class, String.class, SSLEngine.class);
+ mcheckServerTrusted.invoke(caTrustManagers[i], chain, authType, engine);
+ }
+ } catch (NoSuchMethodException nsme) {
+ throw new ValidatorException(nsme.getMessage());
+ } catch (InvocationTargetException ite) {
+ throw new ValidatorException(ite.getMessage());
+ } catch (IllegalAccessException iae) {
+ throw new ValidatorException(iae.getMessage());
+ } catch (ClassNotFoundException cnfe) {
+ throw new ValidatorException(cnfe.getMessage());
+ }
+ }
+
trusted = true;
break;
} catch (ValidatorException caex) {
savedException = caex;
}
}
+
if (trusted) {
return;
}
@@ -332,7 +353,7 @@
return explicitlyTrusted;
}
- public X509Certificate[] getAcceptedIssuers() {
+ protected X509Certificate[] getAcceptedIssuers() {
List<X509Certificate> issuers = new ArrayList<X509Certificate>();
for (int i = 0; i < caTrustManagers.length; i++) {
@@ -394,7 +415,7 @@
public Boolean run() {
return SecurityDialogs.showCertWarningDialog(
AccessType.UNVERIFIED, null,
- new HttpsCertVerifier(trustManager, chain, authType,
+ new HttpsCertVerifier(chain, authType,
isTrusted, hostMatched,
hostName));
}
diff -r 0db02eca94bf netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK6.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK6.java Tue Sep 11 16:49:58 2012 -0400
@@ -0,0 +1,75 @@
+/* VariableX509TrustManagerJDK6.java
+ Copyright (C) 2012 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+*/
+
+package net.sourceforge.jnlp.security;
+
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager;
+
+public class VariableX509TrustManagerJDK6 extends X509ExtendedTrustManager {
+
+ private VariableX509TrustManager vX509TM = VariableX509TrustManager.getInstance();
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ checkClientTrusted(chain, authType, null, null);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ vX509TM.checkTrustServer(chain, authType, null /* hostname*/, null /* socket */, null /* engine */);
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return vX509TM.getAcceptedIssuers();
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, String hostname, String algorithm) throws CertificateException {
+ vX509TM.checkTrustClient(chain, authType, hostname); // We don't need algorithm, we will always use this for TLS only
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, String hostname, String algorithm) throws CertificateException {
+ // We don't need to pass algorithm, we will always use this for TLS only
+ vX509TM.checkTrustServer(chain, authType, hostname, null /* socket */, null /* engine */);
+ }
+
+}
diff -r 0db02eca94bf netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK7.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK7.java Tue Sep 11 16:49:58 2012 -0400
@@ -0,0 +1,159 @@
+/* VariableX509TrustManagerJDK7.java
+ Copyright (C) 2012 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+*/
+
+package net.sourceforge.jnlp.security;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.net.Socket;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.X509ExtendedTrustManager;
+
+public class VariableX509TrustManagerJDK7 extends X509ExtendedTrustManager {
+
+ private VariableX509TrustManager vX509TM = VariableX509TrustManager.getInstance();
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ vX509TM.checkTrustClient(chain, authType, null /* hostname*/);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ vX509TM.checkTrustServer(chain, authType, null /* hostname*/, null /* socket */, null /* engine */);
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return vX509TM.getAcceptedIssuers();
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+ checkTrustClient(chain, authType, socket, null);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+ checkTrustServer(chain, authType, socket, null);
+
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+ checkTrustClient(chain, authType, null, engine);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+ checkTrustServer(chain, authType, null, engine);
+ }
+
+ /**
+ * Check if the server is trusted
+ *
+ * @param chain The cert chain
+ * @param authType The auth type algorithm
+ * @param socket the SSLSocket, may be null
+ * @param engine the SSLEngine, may be null
+ */
+ private void checkTrustServer(X509Certificate[] chain,
+ String authType, Socket socket,
+ SSLEngine engine) throws CertificateException {
+
+ String hostName = null;
+
+ if (socket != null) {
+ hostName = ((SSLSocket) socket).getHandshakeSession().getPeerHost();
+ } else if (engine != null) {
+ hostName = engine.getHandshakeSession().getPeerHost();
+ }
+
+ vX509TM.checkTrustServer(chain, authType, hostName, (SSLSocket) socket, engine);
+ }
+
+ /**
+ * Check if the server is trusted
+ *
+ * @param chain The cert chain
+ * @param authType The auth type algorithm
+ * @param socket the SSLSocket, if provided
+ * @param engine the SSLEngine, if provided
+ */
+ private void checkTrustClient(X509Certificate[] chain,
+ String authType, Socket socket,
+ SSLEngine engine) throws CertificateException {
+
+ String hostName = null;
+
+ try {
+ if (socket != null) {
+ Method mgetHandshakeSession = SSLSocket.class.getDeclaredMethod("getHandshakeSession");
+ SSLSession session = (SSLSession) mgetHandshakeSession.invoke(socket);
+
+ if (session == null) {
+ throw new CertificateException("No handshake session");
+ }
+
+ hostName = session.getPeerHost();
+
+ } else if (engine != null) {
+ Method mgetHandshakeSession = SSLEngine.class.getDeclaredMethod("getHandshakeSession");
+ SSLSession session = (SSLSession) mgetHandshakeSession.invoke(engine);
+
+ if (session == null) {
+ throw new CertificateException("No handshake session");
+ }
+
+ hostName = session.getPeerHost();
+ }
+ } catch (NoSuchMethodException nsme) {
+ // Do nothing. hostName will be null
+ } catch (InvocationTargetException ite) {
+ //Do nothing. hostName will be null
+ } catch (IllegalAccessException iae) {
+ //Do nothing. hostName will be null
+ }
+
+ vX509TM.checkTrustClient(chain, authType, hostName);
+ }
+}
More information about the distro-pkg-dev
mailing list