RFC: Fix for PR1161: X509VariableTrustManager does not work correctly with OpenJDK7
Deepak Bhole
dbhole at redhat.com
Mon Sep 17 12:14:22 PDT 2012
* Omair Majid <omajid at redhat.com> [2012-09-11 17:36]:
> On 09/11/2012 04:53 PM, Deepak Bhole wrote:
> > * Omair Majid <omajid at redhat.com> [2012-09-11 14:48]:
> >> > On 09/07/2012 05:33 PM, Deepak Bhole wrote:
> >>> > > Hi,
> >>> > >
> >>> > > This patch fixes PR1161:
> >>> > > http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1161
> >>> > >
> >>> > > As specified there, the issue is that Java 7 changed what parent class
> >>> > > a trust manager needs to implement in order to correctly intercept
> >>> > > issues such as CN mismatch. As a result, icedtea-web currently cannot
> >>> > > load sites whose certificate has a CN mismatch (proprietary tools work
> >>> > > fine in such cases).
> >>> > >
> >>> > > Attached patch adds support for Java 7 while maintaining compatibility
> >>> > > with Java 6 (loading one trust manager for 6 and a different one for 7+).
> >>> > >
> >>> > > I would like to see this backported to 1.3 as well given its importance, but we
> >>> > > can let it bake in HEAD for a couple of weeks.
> >> >
> >> > If I may make a request, when you are pushing this, could you push this
> >> > as two changesets? One that deals with the JDK version problems and the
> >> > other that changes the check for hostname (this patch includes both but
> >> > mixes them).
> >> >
> > Sorry can you elaborate a bit on what you mean by that? Which are the
> > JDK version problems that you are referring to? Just the autotools file
> > changes?
>
> Oh, crap. I misread this part of the diff:
>
> > -
> > - if (hostName == null) {
> > - CNMatched = false;
> > - } else {
> > + if (hostName != null) {
>
> Without realizing the initial value of CNMatched has been changed too.
> Please ignore this.
>
> >
> >>> > > AC_MSG_RESULT(${JAVA})
> >>> > > AC_SUBST(JAVA)
> >>> > > - JAVA_VERSION=`$JAVA -version 2>&1 | sed -n '1s/@<:@^"@:>@*"\(.*\)"$/\1/p'`
> >>> > > - case "${JAVA_VERSION}" in
> >>> > > - 1.7*) VERSION_DEFS='-DHAVE_JAVA7';;
> >>> > > - esac
> >>> > > + JAVA_VERSION=`$JAVA -version 2>&1 | sed -n -e '1s/@<:@^"@:>@*"\(.*\)"$/\1/p'`
> >> >
> >> > We should try and make this regex readable at some point :)
> >> >
> > Ah, I agree. I don't think even I fully understand it which is why I
> > kept it as is :) [Just noticed that I had an extra -e there to sed.
> > While it makes no difference, I have reverted it]
> >
>
> Thanks. The extra -e was what prompted me to verify this expression and
> I couldn't get it to work outside the makefile :(
>
> >
> >> >
> >>> > > @@ -248,6 +269,42 @@
> >>> > > }
> >>> > >
> >>> > > /**
> >>> > > + * Returns a TrustManager ideal for the running VM.
> >>> > > + *
> >>> > > + * @return TrustManager the trust manager to use for verifying https certificates
> >>> > > + */
> >> >
> >> > Some indention seems to be off here.
> >> >
> > Looks fine to me. Are you seeing tabs instead of spaces somewhere?
> >
>
> I am.
> * Returns a TrustManager ideal for the running VM.
> ^ tab in the beginning of this line and other lines in the javadoc
> comment you have quoted above. The indentation in the method itself
> seems to be fine.
>
Doh. I can see it now. Fixed.
> >>> > > + private static TrustManager getSSLSocketTrustManager() throws
> >>> > > + ClassNotFoundException, IllegalAccessException, InstantiationException, InvocationTargetException {
> >>> > > +
> >>> > > + try {
> >>> > > +
> >>> > > + Class<?> trustManagerClass;
> >>> > > + Constructor<?> tmCtor = null;
> >> >
> >> > Perhaps it might be better to use X509TrustManager as the type argument
> >> > to make thing clearer? You can chain it like
> >> > Class.forName().asSubClass(X509TrustManager.class) to make the code more
> >> > explicit.
> >> >
> >>> > > +
> >>> > > + if (System.getProperty("java.version").startsWith("1.6")) { // Java 6
> >>> > > + trustManagerClass = Class.forName("net.sourceforge.jnlp.security.VariableX509TrustManagerJDK6");
> >>> > > + } else { // Java 7 or more (technically could be <= 1.5 but <= 1.5 is unsupported)
> >>> > > + trustManagerClass = Class.forName("net.sourceforge.jnlp.security.VariableX509TrustManagerJDK7");
> >>> > > + }
> >>> > > +
> >>> > > + Constructor<?>[] tmCtors = trustManagerClass.getDeclaredConstructors();
> >>> > > + tmCtor = tmCtors[0];
> >>> > > +
> >>> > > + for (Constructor<?> ctor : tmCtors) {
> >>> > > + if (tmCtor.getGenericParameterTypes().length == 0) {
> >>> > > + tmCtor = ctor;
> >>> > > + break;
> >>> > > + }
> >>> > > + }
> >>> > > +
> >>> > > + return (TrustManager) tmCtor.newInstance();
> >>> > > + } catch (RuntimeException e) {
> >>> > > + System.err.println("Unable to load JDK-specific TrustManager. Was this version of IcedTea-Web compiled with JDK6?");
> >> >
> >> > Is it worth i18n'ing this message?
> >> >
> > I thought about it but is not really a message the user can do much
> > about anyway, it is more of a reference for developers as to what is
> > going on. I can switch if you prefer though.
>
> No, that's fine.
>
> >> > Also, would it be better to print the "compiled with wrong jdk" message
> >> > (which really indicates that the wanted class is not found") in the
> >> > place where we do the jdk check?
> >> >
> > I think this is a better spot because not all applets will be loaded via
> > https so this code will not always run and thus if we forcibly do a
> > check elsewhere, we may be preventing initialization when there is no
> > reason to.
> >
>
> I just meant a few lines above. Something like:
> try {
> trustManagerClass = Class.forName("... VariableX509TrustManagerJDK6");
> } catch (ClassNotFoundException notFound) {
> System.err.println("class ...TrustManagerJDK6 not found");
> }
>
> Feel free to ignore this.
>
Changed.
> >>> > > diff -r 0db02eca94bf netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
> >>> > > --- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Fri Sep 07 13:52:23 2012 +0200
> >>> > > +++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Fri Sep 07 17:28:56 2012 -0400
> >>> > > /**
> >>> > > - * Check if the server is trusted
> >>> > > + * Check if the server is trusted.
> >>> > > *
> >>> > > * @param chain The cert chain
> >>> > > * @param authType The auth type algorithm
> >>> > > - * @param checkOnly Whether to "check only" i.e. no user prompt, or to prompt for permission
> >>> > > + * @param hostName The expected hostName that the server should have
> >>> > > + * @param socket The SSLSocket in use (may be null)
> >>> > > + * @param ending The SSLEngine in use (may be null)
> >>> > > */
> >>> > > - public synchronized void checkServerTrusted(X509Certificate[] chain,
> >>> > > + public synchronized void checkTrustServer(X509Certificate[] chain,
> >>> > > String authType, String hostName,
> >>> > > - boolean checkOnly) throws CertificateException {
> >>> > > + SSLSocket socket, SSLEngine engine) throws CertificateException {
> >>> > > CertificateException ce = null;
> >>> > > boolean trusted = true;
> >>> > > - boolean CNMatched = true;
> >>> > > + boolean CNMatched = false;
> >>> > >
> >>> > > try {
> >>> > > - checkAllManagers(chain, authType);
> >>> > > + checkAllManagers(chain, authType, socket, engine);
> >>> > > } catch (CertificateException e) {
> >>> > > trusted = false;
> >>> > > ce = e;
> >>> > > @@ -226,59 +214,92 @@
> >>> > > // If the certificate is not explicitly trusted, we
> >>> > > // need to prompt the user
> >>> > > if (!isExplicitlyTrusted(chain, authType)) {
> >>> > > -
> >>> > > - if (hostName == null) {
> >>> > > - CNMatched = false;
> >>> > > - } else {
> >>> > > + if (hostName != null) {
> >>> > > try {
> >>> > > HostnameChecker checker = HostnameChecker
> >>> > > .getInstance(HostnameChecker.TYPE_TLS);
> >>> > >
> >>> > > - checker.match(hostName, chain[0]); // only need to match @ 0 for
> >>> > > - // CN
> >>> > > + checker.match(hostName, chain[0]); // only need to match @ 0 for CN
> >>> > >
> >>> > > + CNMatched = true;
> >>> > > } catch (CertificateException e) {
> >>> > > - CNMatched = false;
> >>> > > ce = e;
> >>> > > }
> >>> > > }
> >>> > > + } else {
> >>> > > + // Else it is explicitly trusted. Return here.
> >>> > > + return;
> >>> > > }
> >> >
> >> > I don't like this else block: if the code below ever adds more checks,
> >> > they will be skipped. Why not let the code below handle this?
> >> >
> > If we let it fall down to the code below, the CN will always mismatch
> > (even when cert is always trusted) and we will always end up showing a
> > prompt.
> >
> > The Oracle plug-in does not pop up a warning once a cert is always
> > trusted (even if underlying host changes). Not sure how secure that is,
> > but then we don't store cert and host info so we cannot "always trust"
> > for a specific host.
> >
>
> I am not disagreeing with the logic, just pointing out that the code is
> hard to follow (or maybe just the diff is), what with multiple escape
> points, multiple nested if statements and throwing exceptions on
> failure. Anything you can do to make it more linear?
>
I am looking at the patched file and though a bit convoluted, I think
along with the comments it is fairly clear as to what is happening.
I have added additional comments to further clarify it. Please let me
know if you feel more changes are needed.
> >>> > > // first try CA TrustManagers
> >>> > > boolean trusted = false;
> >>> > > ValidatorException savedException = null;
> >>> > > for (int i = 0; i < caTrustManagers.length; i++) {
> >>> > > try {
> >>> > > - caTrustManagers[i].checkServerTrusted(chain, authType);
> >>> > > + if (socket == null && engine == null) {
> >>> > > + caTrustManagers[i].checkServerTrusted(chain, authType);
> >>> > > + } else {
> >>> > > +
> >>> > > + try {
> >>> > > + Class<?> x509ETMClass = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
> >>> > > + if (engine == null) {
> >>> > > + Method mcheckServerTrusted = x509ETMClass.getDeclaredMethod("checkServerTrusted", X509Certificate[].class, String.class, Socket.class);
> >>> > > + mcheckServerTrusted.invoke(caTrustManagers[i], chain, authType, socket);
> >>> > > + } else {
> >>> > > + Method mcheckServerTrusted = x509ETMClass.getDeclaredMethod("checkServerTrusted", X509Certificate[].class, String.class, SSLEngine.class);
> >>> > > + mcheckServerTrusted.invoke(caTrustManagers[i], chain, authType, engine);
> >>> > > + }
> >>> > > + } catch (NoSuchMethodException nsme) {
> >>> > > + throw new ValidatorException(nsme.getMessage());
> >>> > > + } catch (InvocationTargetException ite) {
> >>> > > + throw new ValidatorException(ite.getMessage());
> >>> > > + } catch (IllegalAccessException iae) {
> >>> > > + throw new ValidatorException(iae.getMessage());
> >>> > > + } catch (ClassNotFoundException cnfe) {
> >>> > > + throw new ValidatorException(cnfe.getMessage());
> >>> > > + }
> >>> > > + }
> >>> > > +
> >> >
> >> > Since this is not common code, why not put it in the JDK6/7 specific class?
> >> >
> > Not sure I understand -- the loop and initial checkServerTrusted() call are common.
>
> Yeah, they are. Maybe we can avoid this reflective code some other way?
> Perhaps you can make both JDK-specific TrustManager classes implement a
> custom interface with a single method:
>
> interface ServerCheckerCallback {
> void isTrusted(TrustManager,X509Certificate[],String,SSLEngine)
> }
>
> Both the JDK-specific classes inject themselves into
> VariableX509TrustManager using this interface and implement the method
> to do the invoke the right JDK-version-specific thing.
>
> Or do you think this is too complicated?
>
There is already a lot of confusion with regards to interface extensions
and overloaded methods, so I think avoiding additional interfaces of our
own might be better if possible. If your objection if reflection is
based on performance, the above code will run very rarely and only
during the initial connect, so I don't think performance would suffer
much.
Still, I can change it you think it is better to have an additional
interface though. Please let me know.
> >>> > > + private void checkTrustServer(X509Certificate[] chain,
> >>> > > + String authType, Socket socket,
> >>> > > + SSLEngine engine) throws CertificateException {
> >>> > > +
> >>> > > + String hostName = null;
> >>> > > +
> >>> > > + if (socket != null) {
> >>> > > + hostName = ((SSLSocket) socket).getHandshakeSession().getPeerHost();
> >>> > > + } else if (engine != null) {
> >>> > > + hostName = engine.getHandshakeSession().getPeerHost();
> >>> > > + }
> >>> > > +
> >>> > > + vX509TM.checkTrustServer(chain, authType, hostName, (SSLSocket) socket, engine);
> >>> > > + }
> >>> > > +
> >>> > > + /**
> >>> > > + * Check if the server is trusted
> >> >
> >> > /me looks at method name
> >> >
> > Intentional. check[Server|Client]Trusted are overridden whereas
> > checkTrust* methods are helpers.
> >
>
> Could you make that distinction more explicit? It's hard to tell how the
> ordering implies the helper role.
>
Everything in VariableX509TrustManager is a helper as it does not extend
any of the trust manager interfaces itself.
> Besides, I meant the comment says "server is trusted" and the method
> name is "checkTrust_Client_".
>
Ah, fixed.
> >>> > > + * @param chain The cert chain
> >>> > > + * @param authType The auth type algorithm
> >>> > > + * @param socket the SSLSocket, if provided
> >>> > > + * @param engine the SSLEngine, if provided
> >>> > > + */
> >>> > > + private void checkTrustClient(X509Certificate[] chain,
> >>> > > + String authType, Socket socket,
> >>> > > + SSLEngine engine) throws CertificateException {
> >>> > > +
> >>> > > + String hostName = null;
> >>> > > +
> >>> > > + try {
> >>> > > + if (socket != null) {
> >>> > > + Method mgetHandshakeSession = SSLSocket.class.getDeclaredMethod("getHandshakeSession");
> >>> > > + SSLSession session = (SSLSession) mgetHandshakeSession.invoke(socket);
> >>> > > +
> >>> > > + if (session == null) {
> >>> > > + throw new CertificateException("No handshake session");
> >>> > > + }
> >>> > > +
> >>> > > + hostName = session.getPeerHost();
> >>> > > + } else if (engine != null) {
> >>> > > + Method mgetHandshakeSession = SSLEngine.class.getDeclaredMethod("getHandshakeSession");
> >>> > > + SSLSession session = (SSLSession) mgetHandshakeSession.invoke(engine);
> >>> > > +
> >>> > > + if (session == null) {
> >>> > > + throw new CertificateException("No handshake session");
> >>> > > + }
> >>> > > +
> >>> > > + hostName = session.getPeerHost();
> >>> > > + }
> >> >
> >> > I don't see why we are using reflection here. Could you explain?
> >> >
> > getHandshakeSession() is new in 1.7 so it will not compile with 1.6
> > without reflection (both socket and engine will never be null for Java 6
> > so the above code will only be entered with 7).
>
> But the class is named VariableX509TrustManagerJDK7 and is only built
> with 7, no?
>
Doh. I did it in the function just above it too :/ You're right, fixed
now.
New patch attached.
Thanks,
Deepak
-------------- next part --------------
diff -r 439f0b1cee5c Makefile.am
--- a/Makefile.am Fri Sep 07 17:06:08 2012 -0400
+++ b/Makefile.am Mon Sep 17 15:12:13 2012 -0400
@@ -348,6 +348,9 @@
if !WITH_RHINO
sed -i '/RhinoBasedPacEvaluator/ d' $@
endif
+if !HAVE_JAVA7
+ sed -i '/VariableX509TrustManagerJDK7/ d' $@
+endif
stamps/netx.stamp: netx-source-files.txt stamps/bootstrap-directory.stamp
mkdir -p $(NETX_DIR)
diff -r 439f0b1cee5c NEWS
--- a/NEWS Fri Sep 07 17:06:08 2012 -0400
+++ b/NEWS Mon Sep 17 15:12:13 2012 -0400
@@ -17,6 +17,7 @@
* Common
- PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered
- PR955: regression: SweetHome3D fails to run
+ - PR1161: X509VariableTrustManager does not work correctly with OpenJDK7
New in release 1.3 (2012-XX-XX):
* NetX
diff -r 439f0b1cee5c acinclude.m4
--- a/acinclude.m4 Fri Sep 07 17:06:08 2012 -0400
+++ b/acinclude.m4 Mon Sep 17 15:12:13 2012 -0400
@@ -715,9 +715,12 @@
AC_MSG_RESULT(${JAVA})
AC_SUBST(JAVA)
JAVA_VERSION=`$JAVA -version 2>&1 | sed -n '1s/@<:@^"@:>@*"\(.*\)"$/\1/p'`
- case "${JAVA_VERSION}" in
- 1.7*) VERSION_DEFS='-DHAVE_JAVA7';;
- esac
+ HAVE_JAVA7=`echo $JAVA_VERSION | awk '{if ($(0) >= 1.7) print "yes"}'`
+ if ! test -z "$HAVE_JAVA7" ; then
+ VERSION_DEFS='-DHAVE_JAVA7'
+ fi
+
+ AM_CONDITIONAL([HAVE_JAVA7], test x"${HAVE_JAVA7}" = "xyes" )
AC_SUBST(VERSION_DEFS)
])
diff -r 439f0b1cee5c netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
--- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Fri Sep 07 17:06:08 2012 -0400
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Mon Sep 17 15:12:13 2012 -0400
@@ -16,38 +16,59 @@
package net.sourceforge.jnlp.runtime;
-import java.io.*;
+import java.awt.EventQueue;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
import java.net.Authenticator;
import java.net.ProxySelector;
import java.nio.channels.FileChannel;
import java.nio.channels.FileLock;
-import java.awt.*;
-import java.text.*;
-import java.util.*;
+import java.security.AllPermission;
+import java.security.KeyStore;
+import java.security.Policy;
+import java.security.Security;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.text.MessageFormat;
import java.util.List;
-import java.security.*;
-import javax.jnlp.*;
+import java.util.ResourceBundle;
+
+import javax.jnlp.ServiceManager;
import javax.naming.ConfigurationException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.swing.UIManager;
import javax.swing.text.html.parser.ParserDelegator;
-import sun.net.www.protocol.jar.URLJarFile;
-
-import net.sourceforge.jnlp.*;
+import net.sourceforge.jnlp.DefaultLaunchHandler;
+import net.sourceforge.jnlp.GuiLaunchHandler;
+import net.sourceforge.jnlp.LaunchHandler;
+import net.sourceforge.jnlp.Launcher;
import net.sourceforge.jnlp.browser.BrowserAwareProxySelector;
-import net.sourceforge.jnlp.cache.*;
+import net.sourceforge.jnlp.cache.CacheUtil;
+import net.sourceforge.jnlp.cache.DefaultDownloadIndicator;
+import net.sourceforge.jnlp.cache.DownloadIndicator;
+import net.sourceforge.jnlp.cache.UpdatePolicy;
import net.sourceforge.jnlp.config.DeploymentConfiguration;
import net.sourceforge.jnlp.security.JNLPAuthenticator;
import net.sourceforge.jnlp.security.KeyStores;
import net.sourceforge.jnlp.security.SecurityDialogMessageHandler;
import net.sourceforge.jnlp.security.VariableX509TrustManager;
-import net.sourceforge.jnlp.services.*;
-import net.sourceforge.jnlp.util.*;
+import net.sourceforge.jnlp.services.XServiceManagerStub;
+import net.sourceforge.jnlp.util.FileUtils;
+import net.sourceforge.jnlp.util.TeeOutputStream;
+import sun.net.www.protocol.jar.URLJarFile;
/**
* Configure and access the runtime environment. This class
@@ -223,7 +244,7 @@
KeyStore ks = KeyStores.getKeyStore(KeyStores.Level.USER, KeyStores.Type.CLIENT_CERTS);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, KeyStores.getPassword());
- TrustManager[] trust = new TrustManager[] { VariableX509TrustManager.getInstance() };
+ TrustManager[] trust = new TrustManager[] { getSSLSocketTrustManager() };
context.init(kmf.getKeyManagers(), trust, null);
sslSocketFactory = context.getSocketFactory();
@@ -248,6 +269,52 @@
}
/**
+ * Returns a TrustManager ideal for the running VM.
+ *
+ * @return TrustManager the trust manager to use for verifying https certificates
+ */
+ private static TrustManager getSSLSocketTrustManager() throws
+ ClassNotFoundException, IllegalAccessException, InstantiationException, InvocationTargetException {
+
+ try {
+
+ Class<?> trustManagerClass;
+ Constructor<?> tmCtor = null;
+
+ if (System.getProperty("java.version").startsWith("1.6")) { // Java 6
+ try {
+ trustManagerClass = Class.forName("net.sourceforge.jnlp.security.VariableX509TrustManagerJDK6");
+ } catch (ClassNotFoundException cnfe) {
+ System.err.println("Unable to find class net.sourceforge.jnlp.security.VariableX509TrustManagerJDK6");
+ return null;
+ }
+ } else { // Java 7 or more (technically could be <= 1.5 but <= 1.5 is unsupported)
+ try {
+ trustManagerClass = Class.forName("net.sourceforge.jnlp.security.VariableX509TrustManagerJDK7");
+ } catch (ClassNotFoundException cnfe) {
+ System.err.println("Unable to find class net.sourceforge.jnlp.security.VariableX509TrustManagerJDK7");
+ return null;
+ }
+ }
+
+ Constructor<?>[] tmCtors = trustManagerClass.getDeclaredConstructors();
+ tmCtor = tmCtors[0];
+
+ for (Constructor<?> ctor : tmCtors) {
+ if (tmCtor.getGenericParameterTypes().length == 0) {
+ tmCtor = ctor;
+ break;
+ }
+ }
+
+ return (TrustManager) tmCtor.newInstance();
+ } catch (RuntimeException e) {
+ System.err.println("Unable to load JDK-specific TrustManager. Was this version of IcedTea-Web compiled with JDK6?");
+ throw e;
+ }
+ }
+
+ /**
* This must NOT be called form the application ThreadGroup. An application
* can inject events into its {@link EventQueue} and bypass the security
* dialogs.
diff -r 439f0b1cee5c netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java
--- a/netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java Fri Sep 07 17:06:08 2012 -0400
+++ b/netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java Mon Sep 17 15:12:13 2012 -0400
@@ -59,7 +59,6 @@
public class HttpsCertVerifier implements CertVerifier {
- private VariableX509TrustManager tm;
private X509Certificate[] chain;
private String authType;
private String hostName;
@@ -67,11 +66,9 @@
private boolean hostMatched;
private ArrayList<String> details = new ArrayList<String>();
- public HttpsCertVerifier(VariableX509TrustManager tm,
- X509Certificate[] chain, String authType,
+ public HttpsCertVerifier(X509Certificate[] chain, String authType,
boolean isTrusted, boolean hostMatched,
String hostName) {
- this.tm = tm;
this.chain = chain;
this.authType = authType;
this.hostName = hostName;
diff -r 439f0b1cee5c netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
--- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Fri Sep 07 17:06:08 2012 -0400
+++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java Mon Sep 17 15:12:13 2012 -0400
@@ -37,6 +37,9 @@
package net.sourceforge.jnlp.security;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.net.Socket;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.PrivilegedAction;
@@ -47,25 +50,24 @@
import java.util.Arrays;
import java.util.List;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
+import net.sourceforge.jnlp.runtime.JNLPRuntime;
+import net.sourceforge.jnlp.security.SecurityDialogs.AccessType;
import sun.security.util.HostnameChecker;
import sun.security.validator.ValidatorException;
-import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager;
-import net.sourceforge.jnlp.runtime.JNLPRuntime;
-
-import net.sourceforge.jnlp.security.SecurityDialogs.AccessType;
-
/**
* This class implements an X509 Trust Manager. The certificates it trusts are
* "variable", in the sense that it can dynamically, and temporarily support
* different certificates that are not in the keystore.
*/
-final public class VariableX509TrustManager extends X509ExtendedTrustManager {
+final public class VariableX509TrustManager {
/** TrustManagers containing trusted CAs */
private X509TrustManager[] caTrustManagers = null;
@@ -164,8 +166,8 @@
/**
* Check if client is trusted (no support for custom here, only system/user)
*/
- public void checkClientTrusted(X509Certificate[] chain, String authType,
- String hostName, String algorithm)
+ public void checkTrustClient(X509Certificate[] chain, String authType,
+ String hostName)
throws CertificateException {
boolean trusted = false;
@@ -186,99 +188,125 @@
throw savedException;
}
- public void checkClientTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- checkClientTrusted(chain, authType, null, null);
- }
-
- public void checkServerTrusted(X509Certificate[] chain, String authType,
- String hostName, String algorithm)
- throws CertificateException {
- checkServerTrusted(chain, authType, hostName, false);
- }
-
- public void checkServerTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- checkServerTrusted(chain, authType, null, null);
- }
-
/**
- * Check if the server is trusted
+ * Check if the server is trusted.
+ *
+ * First, existing stores are checked to see if the certificate is trusted.
+ * Next, if the certificate is not explicitly trusted by the user, a host
+ * name check is performed. The user is them prompted as needed.
*
* @param chain The cert chain
* @param authType The auth type algorithm
- * @param checkOnly Whether to "check only" i.e. no user prompt, or to prompt for permission
+ * @param hostName The expected hostName that the server should have
+ * @param socket The SSLSocket in use (may be null)
+ * @param ending The SSLEngine in use (may be null)
*/
- public synchronized void checkServerTrusted(X509Certificate[] chain,
+ public synchronized void checkTrustServer(X509Certificate[] chain,
String authType, String hostName,
- boolean checkOnly) throws CertificateException {
+ SSLSocket socket, SSLEngine engine) throws CertificateException {
CertificateException ce = null;
boolean trusted = true;
- boolean CNMatched = true;
+ boolean CNMatched = false;
+ // Check trust stores
try {
- checkAllManagers(chain, authType);
+ checkAllManagers(chain, authType, socket, engine);
} catch (CertificateException e) {
trusted = false;
ce = e;
}
// If the certificate is not explicitly trusted, we
- // need to prompt the user
+ // check host match
if (!isExplicitlyTrusted(chain, authType)) {
-
- if (hostName == null) {
- CNMatched = false;
- } else {
+ if (hostName != null) {
try {
HostnameChecker checker = HostnameChecker
.getInstance(HostnameChecker.TYPE_TLS);
- checker.match(hostName, chain[0]); // only need to match @ 0 for
- // CN
+ checker.match(hostName, chain[0]); // only need to match @ 0 for CN
+ CNMatched = true;
} catch (CertificateException e) {
- CNMatched = false;
ce = e;
}
}
+ } else {
+ // If it is explicitly trusted, just return right away.
+ return;
}
+ // If it is (not explicitly trusted) AND
+ // ((it is not in store) OR (there is a host mismatch))
if (!trusted || !CNMatched) {
- if (checkOnly) {
- throw ce;
- } else {
- if (!isTemporarilyUntrusted(chain[0])) {
- boolean b = askUser(chain, authType, trusted, CNMatched, hostName);
+ if (!isTemporarilyUntrusted(chain[0])) {
+ boolean b = askUser(chain, authType, trusted, CNMatched, hostName);
- if (b) {
- temporarilyTrust(chain[0]);
- } else {
- temporarilyUntrust(chain[0]);
- }
+ if (b) {
+ temporarilyTrust(chain[0]);
+ return;
+ } else {
+ temporarilyUntrust(chain[0]);
}
+ }
- checkAllManagers(chain, authType);
- }
+ throw ce;
}
}
/**
- * Check system, user and custom trust manager
+ * Check system, user and custom trust manager.
+ *
+ * This method is intended to work with both, JRE6 and JRE7. If socket
+ * and engine are null, it assumes that the call is for JRE6 (i.e. not
+ * javax.net.ssl.X509ExtendedTrustManager which is Java 7 specific). If
+ * either of those are not null, it will assume that the caTrustManagers
+ * are javax.net.ssl.X509ExtendedTrustManager instances and will
+ * invoke their check methods.
+ *
+ * @param chain The certificate chain
+ * @param authType The authentication type
+ * @param socket the SSLSocket being used for the connection
+ * @param engine the SSLEngine being used for the connection
*/
- private void checkAllManagers(X509Certificate[] chain, String authType) throws CertificateException {
+ private void checkAllManagers(X509Certificate[] chain, String authType, Socket socket, SSLEngine engine) throws CertificateException {
+
// first try CA TrustManagers
boolean trusted = false;
ValidatorException savedException = null;
for (int i = 0; i < caTrustManagers.length; i++) {
try {
- caTrustManagers[i].checkServerTrusted(chain, authType);
+ if (socket == null && engine == null) {
+ caTrustManagers[i].checkServerTrusted(chain, authType);
+ } else {
+
+ try {
+ Class<?> x509ETMClass = Class.forName("javax.net.ssl.X509ExtendedTrustManager");
+ if (engine == null) {
+ Method mcheckServerTrusted = x509ETMClass.getDeclaredMethod("checkServerTrusted", X509Certificate[].class, String.class, Socket.class);
+ mcheckServerTrusted.invoke(caTrustManagers[i], chain, authType, socket);
+ } else {
+ Method mcheckServerTrusted = x509ETMClass.getDeclaredMethod("checkServerTrusted", X509Certificate[].class, String.class, SSLEngine.class);
+ mcheckServerTrusted.invoke(caTrustManagers[i], chain, authType, engine);
+ }
+ } catch (NoSuchMethodException nsme) {
+ throw new ValidatorException(nsme.getMessage());
+ } catch (InvocationTargetException ite) {
+ throw new ValidatorException(ite.getMessage());
+ } catch (IllegalAccessException iae) {
+ throw new ValidatorException(iae.getMessage());
+ } catch (ClassNotFoundException cnfe) {
+ throw new ValidatorException(cnfe.getMessage());
+ }
+ }
+
trusted = true;
break;
} catch (ValidatorException caex) {
savedException = caex;
}
}
+
if (trusted) {
return;
}
@@ -332,7 +360,7 @@
return explicitlyTrusted;
}
- public X509Certificate[] getAcceptedIssuers() {
+ protected X509Certificate[] getAcceptedIssuers() {
List<X509Certificate> issuers = new ArrayList<X509Certificate>();
for (int i = 0; i < caTrustManagers.length; i++) {
@@ -394,7 +422,7 @@
public Boolean run() {
return SecurityDialogs.showCertWarningDialog(
AccessType.UNVERIFIED, null,
- new HttpsCertVerifier(trustManager, chain, authType,
+ new HttpsCertVerifier(chain, authType,
isTrusted, hostMatched,
hostName));
}
diff -r 439f0b1cee5c netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK6.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK6.java Mon Sep 17 15:12:13 2012 -0400
@@ -0,0 +1,75 @@
+/* VariableX509TrustManagerJDK6.java
+ Copyright (C) 2012 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+*/
+
+package net.sourceforge.jnlp.security;
+
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager;
+
+public class VariableX509TrustManagerJDK6 extends X509ExtendedTrustManager {
+
+ private VariableX509TrustManager vX509TM = VariableX509TrustManager.getInstance();
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ checkClientTrusted(chain, authType, null, null);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ vX509TM.checkTrustServer(chain, authType, null /* hostname*/, null /* socket */, null /* engine */);
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return vX509TM.getAcceptedIssuers();
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, String hostname, String algorithm) throws CertificateException {
+ vX509TM.checkTrustClient(chain, authType, hostname); // We don't need algorithm, we will always use this for TLS only
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, String hostname, String algorithm) throws CertificateException {
+ // We don't need to pass algorithm, we will always use this for TLS only
+ vX509TM.checkTrustServer(chain, authType, hostname, null /* socket */, null /* engine */);
+ }
+
+}
diff -r 439f0b1cee5c netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK7.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManagerJDK7.java Mon Sep 17 15:12:13 2012 -0400
@@ -0,0 +1,136 @@
+/* VariableX509TrustManagerJDK7.java
+ Copyright (C) 2012 Red Hat, Inc.
+
+This file is part of IcedTea.
+
+IcedTea is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 2.
+
+IcedTea is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with IcedTea; see the file COPYING. If not, write to
+the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version.
+*/
+
+package net.sourceforge.jnlp.security;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.net.Socket;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.X509ExtendedTrustManager;
+
+public class VariableX509TrustManagerJDK7 extends X509ExtendedTrustManager {
+
+ private VariableX509TrustManager vX509TM = VariableX509TrustManager.getInstance();
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ vX509TM.checkTrustClient(chain, authType, null /* hostname*/);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+ vX509TM.checkTrustServer(chain, authType, null /* hostname*/, null /* socket */, null /* engine */);
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return vX509TM.getAcceptedIssuers();
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+ checkTrustClient(chain, authType, socket, null);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+ checkTrustServer(chain, authType, socket, null);
+
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+ checkTrustClient(chain, authType, null, engine);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+ checkTrustServer(chain, authType, null, engine);
+ }
+
+ /**
+ * Check if the server is trusted
+ *
+ * @param chain The cert chain
+ * @param authType The auth type algorithm
+ * @param socket the SSLSocket, may be null
+ * @param engine the SSLEngine, may be null
+ */
+ private void checkTrustServer(X509Certificate[] chain,
+ String authType, Socket socket,
+ SSLEngine engine) throws CertificateException {
+
+ String hostName = null;
+
+ if (socket != null) {
+ hostName = ((SSLSocket) socket).getHandshakeSession().getPeerHost();
+ } else if (engine != null) {
+ hostName = engine.getHandshakeSession().getPeerHost();
+ }
+
+ vX509TM.checkTrustServer(chain, authType, hostName, (SSLSocket) socket, engine);
+ }
+
+ /**
+ * Check if the client is trusted
+ *
+ * @param chain The cert chain
+ * @param authType The auth type algorithm
+ * @param socket the SSLSocket, if provided
+ * @param engine the SSLEngine, if provided
+ */
+ private void checkTrustClient(X509Certificate[] chain,
+ String authType, Socket socket,
+ SSLEngine engine) throws CertificateException {
+
+ String hostName = null;
+
+ if (socket != null) {
+ hostName = ((SSLSocket) socket).getHandshakeSession().getPeerHost();
+ } else if (engine != null) {
+ hostName = engine.getHandshakeSession().getPeerHost();
+ }
+
+ vX509TM.checkTrustClient(chain, authType, hostName);
+ }
+}
More information about the distro-pkg-dev
mailing list