RFC: Fix for PR1161: X509VariableTrustManager does not work correctly with OpenJDK7
Omair Majid
omajid at redhat.com
Tue Sep 11 14:33:28 PDT 2012
On 09/11/2012 04:53 PM, Deepak Bhole wrote:
> * Omair Majid <omajid at redhat.com> [2012-09-11 14:48]:
>> > On 09/07/2012 05:33 PM, Deepak Bhole wrote:
>>> > > Hi,
>>> > >
>>> > > This patch fixes PR1161:
>>> > > http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1161
>>> > >
>>> > > As specified there, the issue is that Java 7 changed what parent class
>>> > > a trust manager needs to implement in order to correctly intercept
>>> > > issues such as CN mismatch. As a result, icedtea-web currently cannot
>>> > > load sites whose certificate has a CN mismatch (proprietary tools work
>>> > > fine in such cases).
>>> > >
>>> > > Attached patch adds support for Java 7 while maintaining compatibility
>>> > > with Java 6 (loading one trust manager for 6 and a different one for 7+).
>>> > >
>>> > > I would like to see this backported to 1.3 as well given its importance, but we
>>> > > can let it bake in HEAD for a couple of weeks.
>> >
>> > If I may make a request, when you are pushing this, could you push this
>> > as two changesets? One that deals with the JDK version problems and the
>> > other that changes the check for hostname (this patch includes both but
>> > mixes them).
>> >
> Sorry can you elaborate a bit on what you mean by that? Which are the
> JDK version problems that you are referring to? Just the autotools file
> changes?
Oh, crap. I misread this part of the diff:
> -
> - if (hostName == null) {
> - CNMatched = false;
> - } else {
> + if (hostName != null) {
Without realizing the initial value of CNMatched has been changed too.
Please ignore this.
>
>>> > > AC_MSG_RESULT(${JAVA})
>>> > > AC_SUBST(JAVA)
>>> > > - JAVA_VERSION=`$JAVA -version 2>&1 | sed -n '1s/@<:@^"@:>@*"\(.*\)"$/\1/p'`
>>> > > - case "${JAVA_VERSION}" in
>>> > > - 1.7*) VERSION_DEFS='-DHAVE_JAVA7';;
>>> > > - esac
>>> > > + JAVA_VERSION=`$JAVA -version 2>&1 | sed -n -e '1s/@<:@^"@:>@*"\(.*\)"$/\1/p'`
>> >
>> > We should try and make this regex readable at some point :)
>> >
> Ah, I agree. I don't think even I fully understand it which is why I
> kept it as is :) [Just noticed that I had an extra -e there to sed.
> While it makes no difference, I have reverted it]
>
Thanks. The extra -e was what prompted me to verify this expression and
I couldn't get it to work outside the makefile :(
>
>> >
>>> > > @@ -248,6 +269,42 @@
>>> > > }
>>> > >
>>> > > /**
>>> > > + * Returns a TrustManager ideal for the running VM.
>>> > > + *
>>> > > + * @return TrustManager the trust manager to use for verifying https certificates
>>> > > + */
>> >
>> > Some indention seems to be off here.
>> >
> Looks fine to me. Are you seeing tabs instead of spaces somewhere?
>
I am.
* Returns a TrustManager ideal for the running VM.
^ tab in the beginning of this line and other lines in the javadoc
comment you have quoted above. The indentation in the method itself
seems to be fine.
>>> > > + private static TrustManager getSSLSocketTrustManager() throws
>>> > > + ClassNotFoundException, IllegalAccessException, InstantiationException, InvocationTargetException {
>>> > > +
>>> > > + try {
>>> > > +
>>> > > + Class<?> trustManagerClass;
>>> > > + Constructor<?> tmCtor = null;
>> >
>> > Perhaps it might be better to use X509TrustManager as the type argument
>> > to make thing clearer? You can chain it like
>> > Class.forName().asSubClass(X509TrustManager.class) to make the code more
>> > explicit.
>> >
>>> > > +
>>> > > + if (System.getProperty("java.version").startsWith("1.6")) { // Java 6
>>> > > + trustManagerClass = Class.forName("net.sourceforge.jnlp.security.VariableX509TrustManagerJDK6");
>>> > > + } else { // Java 7 or more (technically could be <= 1.5 but <= 1.5 is unsupported)
>>> > > + trustManagerClass = Class.forName("net.sourceforge.jnlp.security.VariableX509TrustManagerJDK7");
>>> > > + }
>>> > > +
>>> > > + Constructor<?>[] tmCtors = trustManagerClass.getDeclaredConstructors();
>>> > > + tmCtor = tmCtors[0];
>>> > > +
>>> > > + for (Constructor<?> ctor : tmCtors) {
>>> > > + if (tmCtor.getGenericParameterTypes().length == 0) {
>>> > > + tmCtor = ctor;
>>> > > + break;
>>> > > + }
>>> > > + }
>>> > > +
>>> > > + return (TrustManager) tmCtor.newInstance();
>>> > > + } catch (RuntimeException e) {
>>> > > + System.err.println("Unable to load JDK-specific TrustManager. Was this version of IcedTea-Web compiled with JDK6?");
>> >
>> > Is it worth i18n'ing this message?
>> >
> I thought about it but is not really a message the user can do much
> about anyway, it is more of a reference for developers as to what is
> going on. I can switch if you prefer though.
No, that's fine.
>> > Also, would it be better to print the "compiled with wrong jdk" message
>> > (which really indicates that the wanted class is not found") in the
>> > place where we do the jdk check?
>> >
> I think this is a better spot because not all applets will be loaded via
> https so this code will not always run and thus if we forcibly do a
> check elsewhere, we may be preventing initialization when there is no
> reason to.
>
I just meant a few lines above. Something like:
try {
trustManagerClass = Class.forName("... VariableX509TrustManagerJDK6");
} catch (ClassNotFoundException notFound) {
System.err.println("class ...TrustManagerJDK6 not found");
}
Feel free to ignore this.
>>> > > diff -r 0db02eca94bf netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
>>> > > --- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Fri Sep 07 13:52:23 2012 +0200
>>> > > +++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Fri Sep 07 17:28:56 2012 -0400
>>> > > /**
>>> > > - * Check if the server is trusted
>>> > > + * Check if the server is trusted.
>>> > > *
>>> > > * @param chain The cert chain
>>> > > * @param authType The auth type algorithm
>>> > > - * @param checkOnly Whether to "check only" i.e. no user prompt, or to prompt for permission
>>> > > + * @param hostName The expected hostName that the server should have
>>> > > + * @param socket The SSLSocket in use (may be null)
>>> > > + * @param ending The SSLEngine in use (may be null)
>>> > > */
>>> > > - public synchronized void checkServerTrusted(X509Certificate[] chain,
>>> > > + public synchronized void checkTrustServer(X509Certificate[] chain,
>>> > > String authType, String hostName,
>>> > > - boolean checkOnly) throws CertificateException {
>>> > > + SSLSocket socket, SSLEngine engine) throws CertificateException {
>>> > > CertificateException ce = null;
>>> > > boolean trusted = true;
>>> > > - boolean CNMatched = true;
>>> > > + boolean CNMatched = false;
>>> > >
>>> > > try {
>>> > > - checkAllManagers(chain, authType);
>>> > > + checkAllManagers(chain, authType, socket, engine);
>>> > > } catch (CertificateException e) {
>>> > > trusted = false;
>>> > > ce = e;
>>> > > @@ -226,59 +214,92 @@
>>> > > // If the certificate is not explicitly trusted, we
>>> > > // need to prompt the user
>>> > > if (!isExplicitlyTrusted(chain, authType)) {
>>> > > -
>>> > > - if (hostName == null) {
>>> > > - CNMatched = false;
>>> > > - } else {
>>> > > + if (hostName != null) {
>>> > > try {
>>> > > HostnameChecker checker = HostnameChecker
>>> > > .getInstance(HostnameChecker.TYPE_TLS);
>>> > >
>>> > > - checker.match(hostName, chain[0]); // only need to match @ 0 for
>>> > > - // CN
>>> > > + checker.match(hostName, chain[0]); // only need to match @ 0 for CN
>>> > >
>>> > > + CNMatched = true;
>>> > > } catch (CertificateException e) {
>>> > > - CNMatched = false;
>>> > > ce = e;
>>> > > }
>>> > > }
>>> > > + } else {
>>> > > + // Else it is explicitly trusted. Return here.
>>> > > + return;
>>> > > }
>> >
>> > I don't like this else block: if the code below ever adds more checks,
>> > they will be skipped. Why not let the code below handle this?
>> >
> If we let it fall down to the code below, the CN will always mismatch
> (even when cert is always trusted) and we will always end up showing a
> prompt.
>
> The Oracle plug-in does not pop up a warning once a cert is always
> trusted (even if underlying host changes). Not sure how secure that is,
> but then we don't store cert and host info so we cannot "always trust"
> for a specific host.
>
I am not disagreeing with the logic, just pointing out that the code is
hard to follow (or maybe just the diff is), what with multiple escape
points, multiple nested if statements and throwing exceptions on
failure. Anything you can do to make it more linear?
>>> > > // first try CA TrustManagers
>>> > > boolean trusted = false;
>>> > > ValidatorException savedException = null;
>>> > > for (int i = 0; i < caTrustManagers.length; i++) {
>>> > > try {
>>> > > - caTrustManagers[i].checkServerTrusted(chain, authType);
>>> > > + if (socket == null && engine == null) {
>>> > > + caTrustManagers[i].checkServerTrusted(chain, authType);
>>> > > + } else {
>>> > > +
>>> > > + try {
>>> > > + Class<?> x509ETMClass = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
>>> > > + if (engine == null) {
>>> > > + Method mcheckServerTrusted = x509ETMClass.getDeclaredMethod("checkServerTrusted", X509Certificate[].class, String.class, Socket.class);
>>> > > + mcheckServerTrusted.invoke(caTrustManagers[i], chain, authType, socket);
>>> > > + } else {
>>> > > + Method mcheckServerTrusted = x509ETMClass.getDeclaredMethod("checkServerTrusted", X509Certificate[].class, String.class, SSLEngine.class);
>>> > > + mcheckServerTrusted.invoke(caTrustManagers[i], chain, authType, engine);
>>> > > + }
>>> > > + } catch (NoSuchMethodException nsme) {
>>> > > + throw new ValidatorException(nsme.getMessage());
>>> > > + } catch (InvocationTargetException ite) {
>>> > > + throw new ValidatorException(ite.getMessage());
>>> > > + } catch (IllegalAccessException iae) {
>>> > > + throw new ValidatorException(iae.getMessage());
>>> > > + } catch (ClassNotFoundException cnfe) {
>>> > > + throw new ValidatorException(cnfe.getMessage());
>>> > > + }
>>> > > + }
>>> > > +
>> >
>> > Since this is not common code, why not put it in the JDK6/7 specific class?
>> >
> Not sure I understand -- the loop and initial checkServerTrusted() call are common.
Yeah, they are. Maybe we can avoid this reflective code some other way?
Perhaps you can make both JDK-specific TrustManager classes implement a
custom interface with a single method:
interface ServerCheckerCallback {
void isTrusted(TrustManager,X509Certificate[],String,SSLEngine)
}
Both the JDK-specific classes inject themselves into
VariableX509TrustManager using this interface and implement the method
to do the invoke the right JDK-version-specific thing.
Or do you think this is too complicated?
>>> > > + private void checkTrustServer(X509Certificate[] chain,
>>> > > + String authType, Socket socket,
>>> > > + SSLEngine engine) throws CertificateException {
>>> > > +
>>> > > + String hostName = null;
>>> > > +
>>> > > + if (socket != null) {
>>> > > + hostName = ((SSLSocket) socket).getHandshakeSession().getPeerHost();
>>> > > + } else if (engine != null) {
>>> > > + hostName = engine.getHandshakeSession().getPeerHost();
>>> > > + }
>>> > > +
>>> > > + vX509TM.checkTrustServer(chain, authType, hostName, (SSLSocket) socket, engine);
>>> > > + }
>>> > > +
>>> > > + /**
>>> > > + * Check if the server is trusted
>> >
>> > /me looks at method name
>> >
> Intentional. check[Server|Client]Trusted are overridden whereas
> checkTrust* methods are helpers.
>
Could you make that distinction more explicit? It's hard to tell how the
ordering implies the helper role.
Besides, I meant the comment says "server is trusted" and the method
name is "checkTrust_Client_".
>>> > > + * @param chain The cert chain
>>> > > + * @param authType The auth type algorithm
>>> > > + * @param socket the SSLSocket, if provided
>>> > > + * @param engine the SSLEngine, if provided
>>> > > + */
>>> > > + private void checkTrustClient(X509Certificate[] chain,
>>> > > + String authType, Socket socket,
>>> > > + SSLEngine engine) throws CertificateException {
>>> > > +
>>> > > + String hostName = null;
>>> > > +
>>> > > + try {
>>> > > + if (socket != null) {
>>> > > + Method mgetHandshakeSession = SSLSocket.class.getDeclaredMethod("getHandshakeSession");
>>> > > + SSLSession session = (SSLSession) mgetHandshakeSession.invoke(socket);
>>> > > +
>>> > > + if (session == null) {
>>> > > + throw new CertificateException("No handshake session");
>>> > > + }
>>> > > +
>>> > > + hostName = session.getPeerHost();
>>> > > + } else if (engine != null) {
>>> > > + Method mgetHandshakeSession = SSLEngine.class.getDeclaredMethod("getHandshakeSession");
>>> > > + SSLSession session = (SSLSession) mgetHandshakeSession.invoke(engine);
>>> > > +
>>> > > + if (session == null) {
>>> > > + throw new CertificateException("No handshake session");
>>> > > + }
>>> > > +
>>> > > + hostName = session.getPeerHost();
>>> > > + }
>> >
>> > I don't see why we are using reflection here. Could you explain?
>> >
> getHandshakeSession() is new in 1.7 so it will not compile with 1.6
> without reflection (both socket and engine will never be null for Java 6
> so the above code will only be entered with 7).
But the class is named VariableX509TrustManagerJDK7 and is only built
with 7, no?
> Thanks for the detailed review!
>
> New iteration of patch attached.
Thanks for addressing my concerns!
Omair
More information about the distro-pkg-dev
mailing list