mirror
/
DMDirc-Client
kopia lustrzana https://github.com/DMDirc/DMDirc.git
Obserwuj 1
Gwiazdka 0
Forkuj 0
Kod Problemy 0 Wydania 49 Wiki Aktywność
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10085 Commity
14 Gałęzie
Drzewo: 490c38cdfc
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '490c38cdfc'
${ noResults }
DMDirc-Client/src/main/java/com/dmdirc/tls/CertificateManager.java

CertificateManager.java 13KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353 
  1. /*

  2.  * Copyright (c) 2006-2017 DMDirc Developers

  3.  *

  4.  * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated

  5.  * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the

  6.  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to

  7.  * permit persons to whom the Software is furnished to do so, subject to the following conditions:

  8.  *

  9.  * The above copyright notice and this permission notice shall be included in all copies or substantial portions of the

  10.  * Software.

  11.  *

  12.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE

  13.  * WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS

  14.  * OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR

  15.  * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

  16.  */

  17. 

  18. package com.dmdirc.tls;

  19. 

  20. import com.dmdirc.config.provider.AggregateConfigProvider;

  21. import com.dmdirc.config.provider.ConfigProvider;

  22. import com.dmdirc.events.ServerCertificateProblemEncounteredEvent;

  23. import com.dmdirc.events.ServerCertificateProblemResolvedEvent;

  24. import com.dmdirc.events.eventbus.EventBus;

  25. import com.dmdirc.interfaces.Connection;

  26. import java.io.FileInputStream;

  27. import java.io.FileNotFoundException;

  28. import java.io.IOException;

  29. import java.security.GeneralSecurityException;

  30. import java.security.InvalidAlgorithmParameterException;

  31. import java.security.KeyStore;

  32. import java.security.KeyStoreException;

  33. import java.security.cert.CertificateException;

  34. import java.security.cert.PKIXParameters;

  35. import java.security.cert.TrustAnchor;

  36. import java.security.cert.X509Certificate;

  37. import java.util.ArrayList;

  38. import java.util.Arrays;

  39. import java.util.Base64;

  40. import java.util.Collection;

  41. import java.util.HashMap;

  42. import java.util.HashSet;

  43. import java.util.List;

  44. import java.util.Map;

  45. import java.util.Set;

  46. import java.util.concurrent.Semaphore;

  47. import java.util.stream.Collectors;

  48. import javax.naming.InvalidNameException;

  49. import javax.naming.ldap.LdapName;

  50. import javax.naming.ldap.Rdn;

  51. import javax.net.ssl.KeyManager;

  52. import javax.net.ssl.KeyManagerFactory;

  53. import javax.net.ssl.X509TrustManager;

  54. import org.slf4j.Logger;

  55. import org.slf4j.LoggerFactory;

  56. 

  57. import static com.dmdirc.util.LogUtils.USER_ERROR;

  58. 

  59. /**

  60.  * Manages storage and validation of certificates used when connecting to SSL servers.

  61.  *

  62.  * @since 0.6.3m1

  63.  */

  64. public class CertificateManager implements X509TrustManager {

  65. 

  66.     private static final Logger LOG = LoggerFactory.getLogger(CertificateManager.class);

  67.     /** Connection that owns this manager. */

  68.     private final Connection connection;

  69.     /** The server name the user is trying to connect to. */

  70.     private final String serverName;

  71.     /** The configuration manager to use for settings. */

  72.     private final AggregateConfigProvider config;

  73.     /** The set of CAs from the global cacert file. */

  74.     private final Set<X509Certificate> globalTrustedCAs = new HashSet<>();

  75.     /** Used to synchronise the manager with the certificate dialog. */

  76.     private final Semaphore actionSem = new Semaphore(0);

  77.     /** The event bus to post errors to. */

  78.     private final EventBus eventBus;

  79.     /** The action to perform. */

  80.     private CertificateAction action;

  81.     /** A list of problems encountered most recently. */

  82.     private final List<CertificateException> problems = new ArrayList<>();

  83.     /** The chain of certificates currently being validated. */

  84.     private X509Certificate[] chain;

  85.     /** The user settings to write to. */

  86.     private final ConfigProvider userSettings;

  87.     /** Locator to use to find a system keystore. */

  88.     private final KeyStoreLocator keyStoreLocator;

  89.     /** Checker to use for hostnames. */

  90.     private final CertificateHostChecker hostChecker;

  91. 

  92.     /**

  93.      * Creates a new certificate manager for a client connecting to the specified server.

  94.      *

  95.      * @param serverName   The name the user used to connect to the server

  96.      * @param config       The configuration manager to use

  97.      * @param userSettings The user settings to write to.

  98.      * @param eventBus     The event bus to post errors to

  99.      */

  100.     public CertificateManager(

  101.             final Connection connection,

  102.             final String serverName,

  103.             final AggregateConfigProvider config,

  104.             final ConfigProvider userSettings,

  105.             final EventBus eventBus) {

  106.         this.connection = connection;

  107.         this.serverName = serverName;

  108.         this.config = config;

  109.         this.userSettings = userSettings;

  110.         this.eventBus = eventBus;

  111.         this.keyStoreLocator = new KeyStoreLocator();

  112.         this.hostChecker = new CertificateHostChecker();

  113. 

  114.         loadTrustedCAs();

  115.     }

  116. 

  117.     /**

  118.      * Loads the trusted CA certificates from the Java cacerts store.

  119.      */

  120.     private void loadTrustedCAs() {

  121.         try {

  122.             final KeyStore keyStore = keyStoreLocator.getKeyStore();

  123.             if (keyStore != null) {

  124.                 final PKIXParameters params = new PKIXParameters(keyStore);

  125.                 globalTrustedCAs.addAll(params.getTrustAnchors().stream()

  126.                         .map(TrustAnchor::getTrustedCert)

  127.                         .collect(Collectors.toList()));

  128.             }

  129.         } catch (InvalidAlgorithmParameterException | KeyStoreException ex) {

  130.             LOG.warn(USER_ERROR, "Unable to load trusted certificates", ex);

  131.         }

  132.     }

  133. 

  134.     /**

  135.      * Retrieves a KeyManager[] for the client certificate specified in the configuration, if there

  136.      * is one.

  137.      *

  138.      * @return A KeyManager to use for the SSL connection

  139.      */

  140.     public KeyManager[] getKeyManager() {

  141.         if (config.hasOptionString("ssl", "clientcert.file")) {

  142.             try (FileInputStream fis = new FileInputStream(config.getOption("ssl",

  143.                     "clientcert.file"))) {

  144.                 final char[] pass;

  145. 

  146.                 if (config.hasOptionString("ssl", "clientcert.pass")) {

  147.                     pass = config.getOption("ssl", "clientcert.pass").toCharArray();

  148.                 } else {

  149.                     pass = null;

  150.                 }

  151. 

  152.                 final KeyStore ks = KeyStore.getInstance("pkcs12");

  153.                 ks.load(fis, pass);

  154. 

  155.                 final KeyManagerFactory kmf = KeyManagerFactory.getInstance(

  156.                         KeyManagerFactory.getDefaultAlgorithm());

  157.                 kmf.init(ks, pass);

  158. 

  159.                 return kmf.getKeyManagers();

  160.             } catch (FileNotFoundException ex) {

  161.                 LOG.warn(USER_ERROR, "Certificate file not found", ex);

  162.             } catch (GeneralSecurityException | IOException ex) {

  163.                 LOG.warn(USER_ERROR, "Unable to get key manager", ex);

  164.             }

  165.         }

  166. 

  167.         return null;

  168.     }

  169. 

  170.     @Override

  171.     public void checkClientTrusted(final X509Certificate[] chain, final String authType)

  172.             throws CertificateException {

  173.         throw new CertificateException("Not supported.");

  174.     }

  175. 

  176.     /**

  177.      * Determines if the specified certificate is trusted by the user.

  178.      *

  179.      * @param certificate The certificate to be checked

  180.      *

  181.      * @return True if the certificate matches one in the trusted certificate store, or if the

  182.      *         certificate's details are marked as trusted in the DMDirc configuration file.

  183.      */

  184.     public TrustResult isTrusted(final X509Certificate certificate) {

  185.         try {

  186.             final String sig = Base64.getEncoder().encodeToString(certificate.getSignature());

  187. 

  188.             if (config.hasOptionString("ssl", "trusted") && config.getOptionList("ssl",

  189.                     "trusted").contains(sig)) {

  190.                 return TrustResult.TRUSTED_MANUALLY;

  191.             } else {

  192.                 for (X509Certificate trustedCert : globalTrustedCAs) {

  193.                     if (Arrays.equals(certificate.getSignature(), trustedCert.getSignature())

  194.                             && certificate.getIssuerDN().getName()

  195.                             .equals(trustedCert.getIssuerDN().getName())) {

  196.                         certificate.verify(trustedCert.getPublicKey());

  197.                         return TrustResult.TRUSTED_CA;

  198.                     }

  199.                 }

  200.             }

  201.         } catch (GeneralSecurityException ex) {

  202.             return TrustResult.UNTRUSTED_EXCEPTION;

  203.         }

  204. 

  205.         return TrustResult.UNTRUSTED_GENERAL;

  206.     }

  207. 

  208.     @Override

  209.     public void checkServerTrusted(final X509Certificate[] chain, final String authType)

  210.             throws CertificateException {

  211.         this.chain = Arrays.copyOf(chain, chain.length);

  212.         problems.clear();

  213. 

  214.         if (!hostChecker.isValidFor(chain[0], serverName)) {

  215.             problems.add(new CertificateDoesntMatchHostException(

  216.                     "Certificate was not issued to " + serverName));

  217.         }

  218. 

  219.         if (checkIssuer(chain)) {

  220.             problems.clear();

  221.         }

  222. 

  223.         if (!problems.isEmpty()) {

  224.             eventBus.publishAsync(new ServerCertificateProblemEncounteredEvent(connection, this,

  225.                     Arrays.asList(chain), problems));

  226. 

  227.             try {

  228.                 actionSem.acquire();

  229.             } catch (InterruptedException ie) {

  230.                 throw new CertificateException("Thread aborted", ie);

  231.             } finally {

  232.                 problems.clear();

  233.                 eventBus.publishAsync(new ServerCertificateProblemResolvedEvent(connection, this));

  234.             }

  235. 

  236.             switch (action) {

  237.                 case DISCONNECT:

  238.                     throw new CertificateException("Not trusted");

  239.                 case IGNORE_PERMANENTLY:

  240.                     final List<String> list = new ArrayList<>(config

  241.                             .getOptionList("ssl", "trusted"));

  242.                     list.add(Base64.getEncoder().encodeToString(chain[0].getSignature()));

  243.                     userSettings.setOption("ssl", "trusted", list);

  244.                     break;

  245.                 case IGNORE_TEMPORARILY:

  246.                     // Do nothing, continue connecting

  247.                     break;

  248.             }

  249.         }

  250.     }

  251. 

  252.     /**

  253.      * Checks that some issuer in the certificate chain is trusted, either by the global CA list,

  254.      * or manually by the user.

  255.      *

  256.      * @param chain The chain of certificates to check.

  257.      * @return True if the certificate is trusted manually, false otherwise (i.e., trusted globally

  258.      * OR untrusted).

  259.      */

  260.     private boolean checkIssuer(final X509Certificate... chain) {

  261.         boolean manual = false;

  262.         boolean verified = false;

  263.         for (X509Certificate cert : chain) {

  264.             final TrustResult trustResult = isTrusted(cert);

  265. 

  266.             // Check that the certificate is in-date

  267.             try {

  268.                 cert.checkValidity();

  269.             } catch (CertificateException ex) {

  270.                 problems.add(ex);

  271.             }

  272. 

  273.             // Check that we trust an issuer

  274.             verified |= trustResult.isTrusted();

  275. 

  276.             if (trustResult == TrustResult.TRUSTED_MANUALLY) {

  277.                 manual = true;

  278.             }

  279.         }

  280. 

  281.         if (!verified) {

  282.             problems.add(new CertificateNotTrustedException("Issuer is not trusted"));

  283.         }

  284.         return manual;

  285.     }

  286. 

  287.     /**

  288.      * Gets the chain of certificates currently being validated, if any.

  289.      *

  290.      * @return The chain of certificates being validated

  291.      */

  292.     public X509Certificate[] getChain() {

  293.         return chain;

  294.     }

  295. 

  296.     /**

  297.      * Gets the set of problems that were encountered with the last certificate.

  298.      *

  299.      * @return The set of problems encountered, or any empty collection if there is no current

  300.      *         validation attempt ongoing.

  301.      */

  302.     public Collection<CertificateException> getProblems() {

  303.         return problems;

  304.     }

  305. 

  306.     /**

  307.      * Sets the action to perform for the request that's in progress.

  308.      *

  309.      * @param action The action that's been selected

  310.      */

  311.     public void setAction(final CertificateAction action) {

  312.         this.action = action;

  313. 

  314.         actionSem.release();

  315.     }

  316. 

  317.     /**

  318.      * Retrieves the name of the server to which the user is trying to connect.

  319.      *

  320.      * @return The name of the server that the user is trying to connect to

  321.      */

  322.     public String getServerName() {

  323.         return serverName;

  324.     }

  325. 

  326.     /**

  327.      * Reads the fields from the subject's designated name in the specified certificate.

  328.      *

  329.      * @param cert The certificate to read

  330.      *

  331.      * @return A map of the fields in the certificate's subject's designated name

  332.      */

  333.     public static Map<String, String> getDNFieldsFromCert(final X509Certificate cert) {

  334.         final Map<String, String> res = new HashMap<>();

  335. 

  336.         try {

  337.             final LdapName name = new LdapName(cert.getSubjectX500Principal().getName());

  338.             for (Rdn rdn : name.getRdns()) {

  339.                 res.put(rdn.getType(), rdn.getValue().toString());

  340.             }

  341.         } catch (InvalidNameException ex) {

  342.             // Don't care

  343.         }

  344. 

  345.         return res;

  346.     }

  347. 

  348.     @Override

  349.     public X509Certificate[] getAcceptedIssuers() {

  350.         return globalTrustedCAs.toArray(new X509Certificate[globalTrustedCAs.size()]);

  351.     }

  352. 

  353. }