|
@@ -0,0 +1,112 @@
|
|
1
|
+package com.dmdirc.tls;
|
|
2
|
+
|
|
3
|
+import java.io.IOException;
|
|
4
|
+import java.io.InputStream;
|
|
5
|
+import java.io.OutputStream;
|
|
6
|
+import java.nio.file.Files;
|
|
7
|
+import java.nio.file.Path;
|
|
8
|
+import java.security.GeneralSecurityException;
|
|
9
|
+import java.security.KeyStore;
|
|
10
|
+import java.security.cert.PKIXParameters;
|
|
11
|
+import java.security.cert.TrustAnchor;
|
|
12
|
+import java.security.cert.X509Certificate;
|
|
13
|
+import java.util.Collections;
|
|
14
|
+import java.util.Set;
|
|
15
|
+import java.util.stream.Collectors;
|
|
16
|
+import javax.annotation.Nullable;
|
|
17
|
+
|
|
18
|
+/**
|
|
19
|
+ * Manages certificates that the user has explicitly trusted, excepting them from the normal PKIX checks.
|
|
20
|
+ */
|
|
21
|
+public class CertificateExceptionManager {
|
|
22
|
+
|
|
23
|
+ /** Password to use for our exception keystore. */
|
|
24
|
+ private static final char[] PASSWORD = "dmdirc".toCharArray();
|
|
25
|
+
|
|
26
|
+ private final Path keyStorePath;
|
|
27
|
+
|
|
28
|
+ public CertificateExceptionManager(final Path keyStorePath) {
|
|
29
|
+ this.keyStorePath = keyStorePath;
|
|
30
|
+ }
|
|
31
|
+
|
|
32
|
+ /**
|
|
33
|
+ * Returns the set of certificates that the user has explicitly trusted.
|
|
34
|
+ */
|
|
35
|
+ public Set<X509Certificate> getExceptedCertificates() {
|
|
36
|
+ try {
|
|
37
|
+ final KeyStore keyStore = getKeyStore();
|
|
38
|
+ if (keyStore == null) {
|
|
39
|
+ return Collections.emptySet();
|
|
40
|
+ } else {
|
|
41
|
+ final PKIXParameters params = new PKIXParameters(keyStore);
|
|
42
|
+ return params.getTrustAnchors().stream()
|
|
43
|
+ .map(TrustAnchor::getTrustedCert)
|
|
44
|
+ .collect(Collectors.toSet());
|
|
45
|
+ }
|
|
46
|
+ } catch (GeneralSecurityException | IOException e) {
|
|
47
|
+ return Collections.emptySet();
|
|
48
|
+ }
|
|
49
|
+ }
|
|
50
|
+
|
|
51
|
+ /**
|
|
52
|
+ * Adds a new certificate that will be excepted from future PKIX checks.
|
|
53
|
+ *
|
|
54
|
+ * @return True if the certificate was successfully added; false otherwise.
|
|
55
|
+ */
|
|
56
|
+ public boolean addExceptedCertificate(final X509Certificate certificate) {
|
|
57
|
+ try {
|
|
58
|
+ final KeyStore keyStore = getKeyStore();
|
|
59
|
+ keyStore.setCertificateEntry(
|
|
60
|
+ "excepted-" + System.currentTimeMillis(),
|
|
61
|
+ certificate);
|
|
62
|
+ try (OutputStream os = Files.newOutputStream(keyStorePath)) {
|
|
63
|
+ keyStore.store(os, PASSWORD);
|
|
64
|
+ return true;
|
|
65
|
+ }
|
|
66
|
+ } catch (GeneralSecurityException | IOException e) {
|
|
67
|
+ return false;
|
|
68
|
+ }
|
|
69
|
+ }
|
|
70
|
+
|
|
71
|
+ /**
|
|
72
|
+ * Removes a certificate that was previously added.
|
|
73
|
+ *
|
|
74
|
+ * @return True if the remove was successful; false otherwise
|
|
75
|
+ */
|
|
76
|
+ public boolean removeExceptedCertificate(final X509Certificate certificate) {
|
|
77
|
+ try {
|
|
78
|
+ final KeyStore keyStore = getKeyStore();
|
|
79
|
+
|
|
80
|
+ @Nullable final String alias = keyStore.getCertificateAlias(certificate);
|
|
81
|
+ if (alias == null) {
|
|
82
|
+ // Not found
|
|
83
|
+ return false;
|
|
84
|
+ }
|
|
85
|
+
|
|
86
|
+ keyStore.deleteEntry(alias);
|
|
87
|
+ try (OutputStream os = Files.newOutputStream(keyStorePath)) {
|
|
88
|
+ keyStore.store(os, PASSWORD);
|
|
89
|
+ return true;
|
|
90
|
+ }
|
|
91
|
+ } catch (GeneralSecurityException | IOException e) {
|
|
92
|
+ return false;
|
|
93
|
+ }
|
|
94
|
+ }
|
|
95
|
+
|
|
96
|
+ /**
|
|
97
|
+ * Loads the existing excepted certs KeyStore from disk, if it exists, or creates a new KeyStore otherwise.
|
|
98
|
+ */
|
|
99
|
+ private KeyStore getKeyStore() throws GeneralSecurityException, IOException {
|
|
100
|
+ try (InputStream is = Files.newInputStream(keyStorePath)) {
|
|
101
|
+ final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
|
|
102
|
+ keyStore.load(is, PASSWORD);
|
|
103
|
+ return keyStore;
|
|
104
|
+ } catch (GeneralSecurityException | IOException ex) {
|
|
105
|
+ final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
|
|
106
|
+ keyStore.load(null, null);
|
|
107
|
+ return keyStore;
|
|
108
|
+ }
|
|
109
|
+ }
|
|
110
|
+
|
|
111
|
+
|
|
112
|
+}
|