|
@@ -23,6 +23,9 @@
|
23
|
23
|
package com.dmdirc;
|
24
|
24
|
|
25
|
25
|
import com.dmdirc.config.ConfigManager;
|
|
26
|
+import com.dmdirc.config.IdentityManager;
|
|
27
|
+import com.dmdirc.logger.ErrorLevel;
|
|
28
|
+import com.dmdirc.logger.Logger;
|
26
|
29
|
import com.dmdirc.ui.core.dialogs.sslcertificate.CertificateAction;
|
27
|
30
|
import com.dmdirc.ui.core.dialogs.sslcertificate.SSLCertificateDialogModel;
|
28
|
31
|
|
|
@@ -35,10 +38,12 @@ import java.security.KeyStoreException;
|
35
|
38
|
import java.security.NoSuchAlgorithmException;
|
36
|
39
|
import java.security.UnrecoverableKeyException;
|
37
|
40
|
import java.security.cert.CertificateException;
|
|
41
|
+import java.security.cert.CertificateParsingException;
|
38
|
42
|
import java.security.cert.PKIXParameters;
|
39
|
43
|
import java.security.cert.TrustAnchor;
|
40
|
44
|
import java.security.cert.X509Certificate;
|
41
|
45
|
import java.util.ArrayList;
|
|
46
|
+import java.util.Arrays;
|
42
|
47
|
import java.util.HashMap;
|
43
|
48
|
import java.util.HashSet;
|
44
|
49
|
import java.util.List;
|
|
@@ -52,6 +57,7 @@ import javax.naming.ldap.Rdn;
|
52
|
57
|
import javax.net.ssl.KeyManager;
|
53
|
58
|
import javax.net.ssl.KeyManagerFactory;
|
54
|
59
|
import javax.net.ssl.X509TrustManager;
|
|
60
|
+import net.miginfocom.Base64;
|
55
|
61
|
|
56
|
62
|
/**
|
57
|
63
|
* Manages storage and validation of certificates used when connecting to
|
|
@@ -106,27 +112,26 @@ public class CertificateManager implements X509TrustManager {
|
106
|
112
|
*/
|
107
|
113
|
protected void loadTrustedCAs() {
|
108
|
114
|
try {
|
109
|
|
- String filename = System.getProperty("java.home")
|
|
115
|
+ final String filename = System.getProperty("java.home")
|
110
|
116
|
+ "/lib/security/cacerts".replace('/', File.separatorChar);
|
111
|
|
- FileInputStream is = new FileInputStream(filename);
|
112
|
|
- KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
|
|
117
|
+ final FileInputStream is = new FileInputStream(filename);
|
|
118
|
+ final KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
|
113
|
119
|
keystore.load(is, cacertpass.toCharArray());
|
114
|
120
|
|
115
|
|
- // This class retrieves the most-trusted CAs from the keystore
|
116
|
|
- PKIXParameters params = new PKIXParameters(keystore);
|
|
121
|
+ final PKIXParameters params = new PKIXParameters(keystore);
|
117
|
122
|
for (TrustAnchor anchor : params.getTrustAnchors()) {
|
118
|
123
|
globalTrustedCAs.add(anchor.getTrustedCert());
|
119
|
124
|
}
|
120
|
125
|
} catch (CertificateException ex) {
|
121
|
|
-
|
|
126
|
+ Logger.appError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);
|
122
|
127
|
} catch (IOException ex) {
|
123
|
|
-
|
|
128
|
+ Logger.appError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);
|
124
|
129
|
} catch (InvalidAlgorithmParameterException ex) {
|
125
|
|
-
|
|
130
|
+ Logger.appError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);
|
126
|
131
|
} catch (KeyStoreException ex) {
|
127
|
|
-
|
|
132
|
+ Logger.appError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);
|
128
|
133
|
} catch (NoSuchAlgorithmException ex) {
|
129
|
|
-
|
|
134
|
+ Logger.appError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);
|
130
|
135
|
}
|
131
|
136
|
}
|
132
|
137
|
|
|
@@ -152,20 +157,21 @@ public class CertificateManager implements X509TrustManager {
|
152
|
157
|
final KeyStore ks = KeyStore.getInstance("pkcs12");
|
153
|
158
|
ks.load(fis, pass);
|
154
|
159
|
|
155
|
|
- final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
|
|
160
|
+ final KeyManagerFactory kmf = KeyManagerFactory.getInstance(
|
|
161
|
+ KeyManagerFactory.getDefaultAlgorithm());
|
156
|
162
|
kmf.init(ks, pass);
|
157
|
163
|
|
158
|
164
|
return kmf.getKeyManagers();
|
159
|
165
|
} catch (KeyStoreException ex) {
|
160
|
|
- ex.printStackTrace();
|
|
166
|
+ Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);
|
161
|
167
|
} catch (IOException ex) {
|
162
|
|
- ex.printStackTrace();
|
|
168
|
+ Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);
|
163
|
169
|
} catch (CertificateException ex) {
|
164
|
|
- ex.printStackTrace();
|
|
170
|
+ Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);
|
165
|
171
|
} catch (NoSuchAlgorithmException ex) {
|
166
|
|
- ex.printStackTrace();
|
|
172
|
+ Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);
|
167
|
173
|
} catch (UnrecoverableKeyException ex) {
|
168
|
|
- ex.printStackTrace();
|
|
174
|
+ Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);
|
169
|
175
|
} finally {
|
170
|
176
|
if (fis != null) {
|
171
|
177
|
try {
|
|
@@ -187,6 +193,62 @@ public class CertificateManager implements X509TrustManager {
|
187
|
193
|
throw new CertificateException("Not supported.");
|
188
|
194
|
}
|
189
|
195
|
|
|
196
|
+ /**
|
|
197
|
+ * Determines if the specified certificate is trusted by the user.
|
|
198
|
+ *
|
|
199
|
+ * @param certificate The certificate to be checked
|
|
200
|
+ * @return True if the certificate matches one in the trusted certificate
|
|
201
|
+ * store, or if the certificate's details are marked as trusted in the
|
|
202
|
+ * DMDirc configuration file.
|
|
203
|
+ */
|
|
204
|
+ public boolean isTrusted(final X509Certificate certificate) {
|
|
205
|
+ try {
|
|
206
|
+ final String sig = Base64.encodeToString(certificate.getSignature(), false);
|
|
207
|
+
|
|
208
|
+ if (config.hasOption("ssl", "trusted") && config.getOptionList("ssl",
|
|
209
|
+ "trusted").contains(sig)) {
|
|
210
|
+ return true;
|
|
211
|
+ } else {
|
|
212
|
+ for (X509Certificate trustedCert : globalTrustedCAs) {
|
|
213
|
+ if (Arrays.equals(certificate.getSignature(), trustedCert.getSignature())
|
|
214
|
+ && certificate.getIssuerDN().getName()
|
|
215
|
+ .equals(trustedCert.getIssuerDN().getName())) {
|
|
216
|
+ certificate.verify(trustedCert.getPublicKey());
|
|
217
|
+ return true;
|
|
218
|
+ }
|
|
219
|
+ }
|
|
220
|
+ }
|
|
221
|
+ } catch (Exception ex) {
|
|
222
|
+ return false;
|
|
223
|
+ }
|
|
224
|
+
|
|
225
|
+ return false;
|
|
226
|
+ }
|
|
227
|
+
|
|
228
|
+ public boolean isValidHost(final X509Certificate certificate) {
|
|
229
|
+ final Map<String, String> fields = getDNFieldsFromCert(certificate);
|
|
230
|
+ if (fields.containsKey("CN") && fields.get("CN").equals(serverName)) {
|
|
231
|
+ return true;
|
|
232
|
+ }
|
|
233
|
+
|
|
234
|
+ try {
|
|
235
|
+ if (certificate.getSubjectAlternativeNames() != null) {
|
|
236
|
+ for (List<?> entry : certificate.getSubjectAlternativeNames()) {
|
|
237
|
+ final int type = ((Integer) entry.get(0)).intValue();
|
|
238
|
+
|
|
239
|
+ // DNS or IP
|
|
240
|
+ if ((type == 2 || type == 7) && entry.get(1).equals(serverName)) {
|
|
241
|
+ return true;
|
|
242
|
+ }
|
|
243
|
+ }
|
|
244
|
+ }
|
|
245
|
+ } catch (CertificateParsingException ex) {
|
|
246
|
+ return false;
|
|
247
|
+ }
|
|
248
|
+
|
|
249
|
+ return false;
|
|
250
|
+ }
|
|
251
|
+
|
190
|
252
|
/** {@inheritDoc} */
|
191
|
253
|
@Override
|
192
|
254
|
public void checkServerTrusted(final X509Certificate[] chain, final String authType)
|
|
@@ -196,22 +258,7 @@ public class CertificateManager implements X509TrustManager {
|
196
|
258
|
|
197
|
259
|
if (checkHost) {
|
198
|
260
|
// Check that the cert is issued to the correct host
|
199
|
|
- final Map<String, String> fields = getDNFieldsFromCert(chain[0]);
|
200
|
|
- if (fields.containsKey("CN") && fields.get("CN").equals(serverName)) {
|
201
|
|
- verified = true;
|
202
|
|
- }
|
203
|
|
-
|
204
|
|
- if (chain[0].getSubjectAlternativeNames() != null && !verified) {
|
205
|
|
- for (List<?> entry : chain[0].getSubjectAlternativeNames()) {
|
206
|
|
- final int type = ((Integer) entry.get(0)).intValue();
|
207
|
|
-
|
208
|
|
- // DNS or IP
|
209
|
|
- if ((type == 2 || type == 7) && entry.get(1).equals(serverName)) {
|
210
|
|
- verified = true;
|
211
|
|
- break;
|
212
|
|
- }
|
213
|
|
- }
|
214
|
|
- }
|
|
261
|
+ verified = isValidHost(chain[0]);
|
215
|
262
|
|
216
|
263
|
if (!verified) {
|
217
|
264
|
problems.add(new CertificateDoesntMatchHostException(
|
|
@@ -233,18 +280,8 @@ public class CertificateManager implements X509TrustManager {
|
233
|
280
|
|
234
|
281
|
if (checkIssuer) {
|
235
|
282
|
// Check that we trust an issuer
|
236
|
|
- try {
|
237
|
|
- for (X509Certificate trustedCert : globalTrustedCAs) {
|
238
|
|
- if (cert.getSerialNumber().equals(trustedCert.getSerialNumber())
|
239
|
|
- && cert.getIssuerDN().getName().equals(trustedCert.getIssuerDN().getName())) {
|
240
|
|
- cert.verify(trustedCert.getPublicKey());
|
241
|
|
- verified = true;
|
242
|
|
- break;
|
243
|
|
- }
|
244
|
|
- }
|
245
|
|
- } catch (Exception ex) {
|
246
|
|
- problems.add(new CertificateException("Issuer couldn't be verified", ex));
|
247
|
|
- }
|
|
283
|
+
|
|
284
|
+ verified |= isTrusted(cert);
|
248
|
285
|
}
|
249
|
286
|
}
|
250
|
287
|
|
|
@@ -256,19 +293,22 @@ public class CertificateManager implements X509TrustManager {
|
256
|
293
|
Main.getUI().showSSLCertificateDialog(
|
257
|
294
|
new SSLCertificateDialogModel(chain, problems, this));
|
258
|
295
|
|
259
|
|
- /*actionSem.acquireUninterruptibly();
|
|
296
|
+ actionSem.acquireUninterruptibly();
|
260
|
297
|
|
261
|
298
|
switch (action) {
|
262
|
299
|
case DISCONNECT:
|
263
|
|
- // TODO: implement
|
264
|
|
- break;
|
|
300
|
+ throw new CertificateException("Not trusted");
|
265
|
301
|
case IGNORE_PERMANENTY:
|
266
|
|
- // TODO: implement
|
|
302
|
+ final List<String> list = new ArrayList<String>(config
|
|
303
|
+ .getOptionList("ssl", "trusted"));
|
|
304
|
+ list.add(Base64.encodeToString(chain[0].getSignature(), false));
|
|
305
|
+ IdentityManager.getConfigIdentity().setOption("ssl",
|
|
306
|
+ "trusted", list);
|
267
|
307
|
break;
|
268
|
308
|
case IGNORE_TEMPORARILY:
|
269
|
|
- // TODO: implement
|
|
309
|
+ // Do nothing, continue connecting
|
270
|
310
|
break;
|
271
|
|
- }*/
|
|
311
|
+ }
|
272
|
312
|
}
|
273
|
313
|
}
|
274
|
314
|
|
|
@@ -283,6 +323,15 @@ public class CertificateManager implements X509TrustManager {
|
283
|
323
|
actionSem.release();
|
284
|
324
|
}
|
285
|
325
|
|
|
326
|
+ /**
|
|
327
|
+ * Retrieves the name of the server to which the user is trying to connect.
|
|
328
|
+ *
|
|
329
|
+ * @return The name of the server that the user is trying to connect to
|
|
330
|
+ */
|
|
331
|
+ public String getServerName() {
|
|
332
|
+ return serverName;
|
|
333
|
+ }
|
|
334
|
+
|
286
|
335
|
/**
|
287
|
336
|
* Reads the fields from the subject's designated name in the specified
|
288
|
337
|
* certificate.
|