Add manager for user-trusted certificates.

When the user manually trusts a certificate, we should be storing
the whole cert instead of just an encoding of its fingerprint.

This allows us to display it properly, chain other certs trusted
by it, and generally do everything more sanely.

Baby step for issue #806

src/main/java/com/dmdirc/tls/CertificateExceptionManager.java

@@ -0,0 +1,112 @@
+package com.dmdirc.tls;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.Set;
+import java.util.stream.Collectors;
+import javax.annotation.Nullable;
+
+/**
+ * Manages certificates that the user has explicitly trusted, excepting them from the normal PKIX checks.
+ */
+public class CertificateExceptionManager {
+
+    /** Password to use for our exception keystore. */
+    private static final char[] PASSWORD = "dmdirc".toCharArray();
+
+    private final Path keyStorePath;
+
+    public CertificateExceptionManager(final Path keyStorePath) {
+        this.keyStorePath = keyStorePath;
+    }
+
+    /**
+     * Returns the set of certificates that the user has explicitly trusted.
+     */
+    public Set<X509Certificate> getExceptedCertificates() {
+        try {
+            final KeyStore keyStore = getKeyStore();
+            if (keyStore == null) {
+                return Collections.emptySet();
+            } else {
+                final PKIXParameters params = new PKIXParameters(keyStore);
+                return params.getTrustAnchors().stream()
+                        .map(TrustAnchor::getTrustedCert)
+                        .collect(Collectors.toSet());
+            }
+        } catch (GeneralSecurityException | IOException e) {
+            return Collections.emptySet();
+        }
+    }
+
+    /**
+     * Adds a new certificate that will be excepted from future PKIX checks.
+     *
+     * @return True if the certificate was successfully added; false otherwise.
+     */
+    public boolean addExceptedCertificate(final X509Certificate certificate) {
+        try {
+            final KeyStore keyStore = getKeyStore();
+            keyStore.setCertificateEntry(
+                    "excepted-" + System.currentTimeMillis(),
+                    certificate);
+            try (OutputStream os = Files.newOutputStream(keyStorePath)) {
+                keyStore.store(os, PASSWORD);
+                return true;
+            }
+        } catch (GeneralSecurityException | IOException e) {
+            return false;
+        }
+    }
+
+    /**
+     * Removes a certificate that was previously added.
+     *
+     * @return True if the remove was successful; false otherwise
+     */
+    public boolean removeExceptedCertificate(final X509Certificate certificate) {
+        try {
+            final KeyStore keyStore = getKeyStore();
+
+            @Nullable final String alias = keyStore.getCertificateAlias(certificate);
+            if (alias == null) {
+                // Not found
+                return false;
+            }
+
+            keyStore.deleteEntry(alias);
+            try (OutputStream os = Files.newOutputStream(keyStorePath)) {
+                keyStore.store(os, PASSWORD);
+                return true;
+            }
+        } catch (GeneralSecurityException | IOException e) {
+            return false;
+        }
+    }
+
+    /**
+     * Loads the existing excepted certs KeyStore from disk, if it exists, or creates a new KeyStore otherwise.
+     */
+    private KeyStore getKeyStore() throws GeneralSecurityException, IOException {
+        try (InputStream is = Files.newInputStream(keyStorePath)) {
+            final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+            keyStore.load(is, PASSWORD);
+            return keyStore;
+        } catch (GeneralSecurityException | IOException ex) {
+            final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+            keyStore.load(null, null);
+            return keyStore;
+        }
+    }
+
+
+}

src/test/java/com/dmdirc/tls/CertificateExceptionManagerTest.java

@@ -0,0 +1,84 @@
+package com.dmdirc.tls;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.GeneralSecurityException;
+import java.security.cert.X509Certificate;
+import java.util.Set;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+import sun.security.tools.keytool.CertAndKeyGen;
+import sun.security.x509.X500Name;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Tests for {@link CertificateExceptionManager}.
+ */
+public class CertificateExceptionManagerTest {
+
+    @Rule
+    public TemporaryFolder tempFolderRule = new TemporaryFolder();
+
+    private Path keyStorePath;
+    private CertificateExceptionManager manager;
+
+    @Before
+    public void setup() throws IOException {
+        keyStorePath = tempFolderRule.newFile("certs.keystore").toPath();
+        manager = new CertificateExceptionManager(keyStorePath);
+    }
+
+    @Test
+    public void testGetCertsNoFile() {
+        assertTrue(manager.getExceptedCertificates().isEmpty());
+    }
+
+    @Test
+    public void testAddCert() throws GeneralSecurityException, IOException {
+        X509Certificate cert = generateCertificate();
+        assertTrue(manager.addExceptedCertificate(cert));
+        assertTrue(Files.exists(keyStorePath));
+        Set<X509Certificate> certs = manager.getExceptedCertificates();
+        assertEquals(1, certs.size());
+        assertTrue(certs.contains(cert));
+    }
+
+    @Test
+    public void testRemoveUnknownCert() throws GeneralSecurityException, IOException {
+        X509Certificate cert = generateCertificate();
+        assertFalse(manager.removeExceptedCertificate(cert));
+    }
+
+    @Test
+    public void testRemoveCert() throws GeneralSecurityException, IOException {
+        X509Certificate cert = generateCertificate();
+        manager.addExceptedCertificate(cert);
+        assertTrue(manager.removeExceptedCertificate(cert));
+        assertTrue(manager.getExceptedCertificates().isEmpty());
+    }
+
+    @Test
+    public void testRemoveCertLeavesExisting() throws GeneralSecurityException, IOException {
+        X509Certificate cert1 = generateCertificate();
+        X509Certificate cert2 = generateCertificate();
+        manager.addExceptedCertificate(cert1);
+        manager.addExceptedCertificate(cert2);
+        assertTrue(manager.removeExceptedCertificate(cert1));
+        Set<X509Certificate> certs = manager.getExceptedCertificates();
+        assertEquals(1, certs.size());
+        assertTrue(certs.contains(cert2));
+    }
+
+    private X509Certificate generateCertificate() throws GeneralSecurityException, IOException {
+        CertAndKeyGen certGen = new CertAndKeyGen("RSA", "SHA256WithRSA", null);
+        certGen.generate(2048);
+        return certGen.getSelfCertificate(new X500Name("CN=Test,O=DMDirc,C=GB"), 120);
+    }
+
+}