mirror
/
DMDirc-Client
mirror of https://github.com/DMDirc/DMDirc.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 49 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6967 Commits
14 Branches
Tree: a7a57eca29
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a7a57eca29'
${ noResults }
DMDirc-Client/src/com/dmdirc/tls/CertificateManager.java

CertificateManager.java 16KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467 
  1. /*

  2.  * Copyright (c) 2006-2011 DMDirc Developers

  3.  *

  4.  * Permission is hereby granted, free of charge, to any person obtaining a copy

  5.  * of this software and associated documentation files (the "Software"), to deal

  6.  * in the Software without restriction, including without limitation the rights

  7.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

  8.  * copies of the Software, and to permit persons to whom the Software is

  9.  * furnished to do so, subject to the following conditions:

  10.  *

  11.  * The above copyright notice and this permission notice shall be included in

  12.  * all copies or substantial portions of the Software.

  13.  *

  14.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

  15.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

  16.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

  17.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

  18.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

  19.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

  20.  * SOFTWARE.

  21.  */

  22. 

  23. package com.dmdirc.tls;

  24. 

  25. import com.dmdirc.config.ConfigManager;

  26. import com.dmdirc.config.IdentityManager;

  27. import com.dmdirc.logger.ErrorLevel;

  28. import com.dmdirc.logger.Logger;

  29. import com.dmdirc.util.collections.ListenerList;

  30. import com.dmdirc.util.io.StreamUtils;

  31. 

  32. import java.io.File;

  33. import java.io.FileInputStream;

  34. import java.io.FileNotFoundException;

  35. import java.io.IOException;

  36. import java.security.InvalidAlgorithmParameterException;

  37. import java.security.KeyStore;

  38. import java.security.KeyStoreException;

  39. import java.security.NoSuchAlgorithmException;

  40. import java.security.UnrecoverableKeyException;

  41. import java.security.cert.CertificateException;

  42. import java.security.cert.CertificateParsingException;

  43. import java.security.cert.PKIXParameters;

  44. import java.security.cert.TrustAnchor;

  45. import java.security.cert.X509Certificate;

  46. import java.util.ArrayList;

  47. import java.util.Arrays;

  48. import java.util.Collection;

  49. import java.util.HashMap;

  50. import java.util.HashSet;

  51. import java.util.List;

  52. import java.util.Map;

  53. import java.util.Set;

  54. import java.util.concurrent.Semaphore;

  55. 

  56. import javax.naming.InvalidNameException;

  57. import javax.naming.ldap.LdapName;

  58. import javax.naming.ldap.Rdn;

  59. import javax.net.ssl.KeyManager;

  60. import javax.net.ssl.KeyManagerFactory;

  61. import javax.net.ssl.X509TrustManager;

  62. 

  63. import net.miginfocom.Base64;

  64. 

  65. /**

  66.  * Manages storage and validation of certificates used when connecting to

  67.  * SSL servers.

  68.  *

  69.  * @since 0.6.3m1

  70.  */

  71. public class CertificateManager implements X509TrustManager {

  72. 

  73.     /** List of listeners. */

  74.     private final ListenerList listeners = new ListenerList();

  75. 

  76.     /** The server name the user is trying to connect to. */

  77.     private final String serverName;

  78. 

  79.     /** The configuration manager to use for settings. */

  80.     private final ConfigManager config;

  81. 

  82.     /** The set of CAs from the global cacert file. */

  83.     private final Set<X509Certificate> globalTrustedCAs = new HashSet<X509Certificate>();

  84. 

  85.     /** Whether or not to check specified parts of the certificate. */

  86.     private boolean checkDate, checkIssuer, checkHost;

  87. 

  88.     /** Used to synchronise the manager with the certificate dialog. */

  89.     private final Semaphore actionSem = new Semaphore(0);

  90. 

  91.     /** The action to perform. */

  92.     private CertificateAction action;

  93. 

  94.     /** A list of problems encountered most recently. */

  95.     private final List<CertificateException> problems = new ArrayList<CertificateException>();

  96. 

  97.     /** The chain of certificates currently being validated. */

  98.     private X509Certificate[] chain;

  99. 

  100.     /**

  101.      * Creates a new certificate manager for a client connecting to the

  102.      * specified server.

  103.      *

  104.      * @param serverName The name the user used to connect to the server

  105.      * @param config The configuration manager to use

  106.      */

  107.     public CertificateManager(final String serverName, final ConfigManager config) {

  108.         this.serverName = serverName;

  109.         this.config = config;

  110.         this.checkDate = config.getOptionBool("ssl", "checkdate");

  111.         this.checkIssuer = config.getOptionBool("ssl", "checkissuer");

  112.         this.checkHost = config.getOptionBool("ssl", "checkhost");

  113. 

  114.         loadTrustedCAs();

  115.     }

  116. 

  117.     /**

  118.      * Loads the trusted CA certificates from the Java cacerts store.

  119.      */

  120.     protected void loadTrustedCAs() {

  121.         FileInputStream is = null;

  122. 

  123.         try {

  124.             final String filename = System.getProperty("java.home")

  125.                 + "/lib/security/cacerts".replace('/', File.separatorChar);

  126.             is = new FileInputStream(filename);

  127.             final KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());

  128.             keystore.load(is, null);

  129. 

  130.             final PKIXParameters params = new PKIXParameters(keystore);

  131.             for (TrustAnchor anchor : params.getTrustAnchors()) {

  132.                 globalTrustedCAs.add(anchor.getTrustedCert());

  133.             }

  134.         } catch (CertificateException ex) {

  135.             Logger.userError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);

  136.         } catch (IOException ex) {

  137.             Logger.userError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);

  138.         } catch (InvalidAlgorithmParameterException ex) {

  139.             Logger.userError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);

  140.         } catch (KeyStoreException ex) {

  141.             Logger.userError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);

  142.         } catch (NoSuchAlgorithmException ex) {

  143.             Logger.userError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);

  144.         } finally {

  145.             StreamUtils.close(is);

  146.         }

  147.     }

  148. 

  149.     /**

  150.      * Retrieves a KeyManager[] for the client certificate specified in the

  151.      * configuration, if there is one.

  152.      *

  153.      * @return A KeyManager to use for the SSL connection

  154.      */

  155.     public KeyManager[] getKeyManager() {

  156.         if (config.hasOptionString("ssl", "clientcert.file")) {

  157.             FileInputStream fis = null;

  158.             try {

  159.                 final char[] pass;

  160. 

  161.                 if (config.hasOptionString("ssl", "clientcert.pass")) {

  162.                     pass = config.getOption("ssl", "clientcert.pass").toCharArray();

  163.                 } else {

  164.                     pass = null;

  165.                 }

  166. 

  167.                 fis = new FileInputStream(config.getOption("ssl", "clientcert.file"));

  168.                 final KeyStore ks = KeyStore.getInstance("pkcs12");

  169.                 ks.load(fis, pass);

  170. 

  171.                 final KeyManagerFactory kmf = KeyManagerFactory.getInstance(

  172.                         KeyManagerFactory.getDefaultAlgorithm());

  173.                 kmf.init(ks, pass);

  174. 

  175.                 return kmf.getKeyManagers();

  176.             } catch (FileNotFoundException ex) {

  177.                 Logger.userError(ErrorLevel.MEDIUM, "Certificate file not found", ex);

  178.             } catch (KeyStoreException ex) {

  179.                 Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);

  180.             } catch (IOException ex) {

  181.                 Logger.userError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);

  182.             } catch (CertificateException ex) {

  183.                 Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);

  184.             } catch (NoSuchAlgorithmException ex) {

  185.                 Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);

  186.             } catch (UnrecoverableKeyException ex) {

  187.                 Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);

  188.             } finally {

  189.                 StreamUtils.close(fis);

  190.             }

  191.         }

  192. 

  193.         return null;

  194.     }

  195. 

  196.     /** {@inheritDoc} */

  197.     @Override

  198.     public void checkClientTrusted(final X509Certificate[] chain, final String authType)

  199.             throws CertificateException {

  200.         throw new CertificateException("Not supported.");

  201.     }

  202. 

  203.     /**

  204.      * Determines if the specified certificate is trusted by the user.

  205.      *

  206.      * @param certificate The certificate to be checked

  207.      * @return True if the certificate matches one in the trusted certificate

  208.      * store, or if the certificate's details are marked as trusted in the

  209.      * DMDirc configuration file.

  210.      */

  211.     public TrustResult isTrusted(final X509Certificate certificate) {

  212.         try {

  213.             final String sig = Base64.encodeToString(certificate.getSignature(), false);

  214. 

  215.             if (config.hasOptionString("ssl", "trusted") && config.getOptionList("ssl",

  216.                     "trusted").contains(sig)) {

  217.                 return TrustResult.TRUSTED_MANUALLY;

  218.             } else {

  219.                 for (X509Certificate trustedCert : globalTrustedCAs) {

  220.                     if (Arrays.equals(certificate.getSignature(), trustedCert.getSignature())

  221.                             && certificate.getIssuerDN().getName()

  222.                             .equals(trustedCert.getIssuerDN().getName())) {

  223.                         certificate.verify(trustedCert.getPublicKey());

  224.                         return TrustResult.TRUSTED_CA;

  225.                     }

  226.                 }

  227.             }

  228.         } catch (Exception ex) {

  229.            return TrustResult.UNTRUSTED_EXCEPTION;

  230.         }

  231. 

  232.         return TrustResult.UNTRUSTED_GENERAL;

  233.     }

  234. 

  235.     /**

  236.      * Determines whether the given certificate has a valid CN or alternate

  237.      * name for this server's hostname.

  238.      *

  239.      * @param certificate The certificate to be validated

  240.      * @return True if the certificate is valid for this server's host, false

  241.      * otherwise

  242.      */

  243.     public boolean isValidHost(final X509Certificate certificate) {

  244.         final Map<String, String> fields = getDNFieldsFromCert(certificate);

  245.         if (fields.containsKey("CN") && isMatchingServerName(fields.get("CN"))) {

  246.             return true;

  247.         }

  248. 

  249.         try {

  250.             if (certificate.getSubjectAlternativeNames() != null) {

  251.                 for (List<?> entry : certificate.getSubjectAlternativeNames()) {

  252.                     final int type = ((Integer) entry.get(0)).intValue();

  253. 

  254.                     // DNS or IP

  255.                     if ((type == 2 || type == 7) && isMatchingServerName((String) entry.get(1))) {

  256.                         return true;

  257.                     }

  258.                 }

  259.             }

  260.         } catch (CertificateParsingException ex) {

  261.             return false;

  262.         }

  263. 

  264.         return false;

  265.     }

  266. 

  267.     /**

  268.      * Checks whether the specified target matches the server name this

  269.      * certificate manager was initialised with.

  270.      *

  271.      * Target names may contain wildcards per RFC2818.

  272.      *

  273.      * @since 0.6.5

  274.      * @param target The target to compare to our server name

  275.      * @return True if the target matches, false otherwise

  276.      */

  277.     protected boolean isMatchingServerName(final String target) {

  278.         final String[] targetParts = target.split("\\.");

  279.         final String[] serverParts = serverName.split("\\.");

  280. 

  281.         if (targetParts.length != serverParts.length) {

  282.             // Fail fast if they don't match

  283.             return false;

  284.         }

  285. 

  286.         for (int i = 0; i < serverParts.length; i++) {

  287.             if (!serverParts[i].matches("\\Q" + targetParts[i].replace("*", "\\E.*\\Q") + "\\E")) {

  288.                 return false;

  289.             }

  290.         }

  291. 

  292.         return true;

  293.     }

  294. 

  295.     /** {@inheritDoc} */

  296.     @Override

  297.     public void checkServerTrusted(final X509Certificate[] chain, final String authType)

  298.             throws CertificateException {

  299.         this.chain = chain;

  300.         problems.clear();

  301. 

  302.         boolean verified = false;

  303.         boolean manual = false;

  304. 

  305.         if (checkHost) {

  306.             // Check that the cert is issued to the correct host

  307.             verified = isValidHost(chain[0]);

  308. 

  309.             if (!verified) {

  310.                 problems.add(new CertificateDoesntMatchHostException(

  311.                         "Certificate was not issued to " + serverName));

  312.             }

  313. 

  314.             verified = false;

  315.         }

  316. 

  317.         for (X509Certificate cert : chain) {

  318.             final TrustResult trustResult = isTrusted(cert);

  319. 

  320.             if (checkDate) {

  321.                 // Check that the certificate is in-date

  322.                 try {

  323.                     cert.checkValidity();

  324.                 } catch (CertificateException ex) {

  325.                     problems.add(ex);

  326.                 }

  327.             }

  328. 

  329.             if (checkIssuer) {

  330.                 // Check that we trust an issuer

  331. 

  332.                 verified |= trustResult.isTrusted();

  333.             }

  334. 

  335.             if (trustResult == TrustResult.TRUSTED_MANUALLY) {

  336.                 manual = true;

  337.             }

  338.         }

  339. 

  340.         if (!verified && checkIssuer) {

  341.             problems.add(new CertificateNotTrustedException("Issuer is not trusted"));

  342.         }

  343. 

  344.         if (!problems.isEmpty() && !manual) {

  345.             for (CertificateProblemListener listener : listeners.get(CertificateProblemListener.class)) {

  346.                 listener.certificateProblemEncountered(chain, problems, this);

  347.             }

  348. 

  349.             try {

  350.                 actionSem.acquire();

  351.             } catch (InterruptedException ie) {

  352.                 throw new CertificateException("Thread aborted", ie);

  353.             } finally {

  354.                 problems.clear();

  355. 

  356.                 for (CertificateProblemListener listener : listeners.get(CertificateProblemListener.class)) {

  357.                     listener.certificateProblemResolved(this);

  358.                 }

  359.             }

  360. 

  361.             switch (action) {

  362.                 case DISCONNECT:

  363.                     throw new CertificateException("Not trusted");

  364.                 case IGNORE_PERMANENTY:

  365.                     final List<String> list = new ArrayList<String>(config

  366.                             .getOptionList("ssl", "trusted"));

  367.                     list.add(Base64.encodeToString(chain[0].getSignature(), false));

  368.                     IdentityManager.getConfigIdentity().setOption("ssl",

  369.                             "trusted", list);

  370.                     break;

  371.                 case IGNORE_TEMPORARILY:

  372.                     // Do nothing, continue connecting

  373.                     break;

  374.             }

  375.         }

  376.         if (manual) {

  377.             problems.clear();

  378.         }

  379.     }

  380. 

  381.     /**

  382.      * Gets the chain of certificates currently being validated, if any.

  383.      *

  384.      * @return The chain of certificates being validated

  385.      */

  386.     public X509Certificate[] getChain() {

  387.         return chain;

  388.     }

  389. 

  390.     /**

  391.      * Gets the set of problems that were encountered with the last certificate.

  392.      *

  393.      * @return The set of problems encountered, or any empty collection if there

  394.      * is no current validation attempt ongoing.

  395.      */

  396.     public Collection<CertificateException> getProblems() {

  397.         return problems;

  398.     }

  399. 

  400.     /**

  401.      * Sets the action to perform for the request that's in progress.

  402.      *

  403.      * @param action The action that's been selected

  404.      */

  405.     public void setAction(final CertificateAction action) {

  406.         this.action = action;

  407. 

  408.         actionSem.release();

  409.     }

  410. 

  411.     /**

  412.      * Retrieves the name of the server to which the user is trying to connect.

  413.      *

  414.      * @return The name of the server that the user is trying to connect to

  415.      */

  416.     public String getServerName() {

  417.         return serverName;

  418.     }

  419. 

  420.     /**

  421.      * Reads the fields from the subject's designated name in the specified

  422.      * certificate.

  423.      *

  424.      * @param cert The certificate to read

  425.      * @return A map of the fields in the certificate's subject's designated

  426.      * name

  427.      */

  428.     public static Map<String, String> getDNFieldsFromCert(final X509Certificate cert) {

  429.         final Map<String, String> res = new HashMap<String, String>();

  430. 

  431.         try {

  432.             final LdapName name = new LdapName(cert.getSubjectX500Principal().getName());

  433.             for (Rdn rdn : name.getRdns()) {

  434.                 res.put(rdn.getType(), rdn.getValue().toString());

  435.             }

  436.         } catch (InvalidNameException ex) {

  437.             // Don't care

  438.         }

  439. 

  440.         return res;

  441.     }

  442. 

  443.     /** {@inheritDoc} */

  444.     @Override

  445.     public X509Certificate[] getAcceptedIssuers() {

  446.         return globalTrustedCAs.toArray(new X509Certificate[globalTrustedCAs.size()]);

  447.     }

  448. 

  449.    /**

  450.      * Adds a new certificate problem listener to this manager.

  451.      *

  452.      * @param listener The listener to be added

  453.      */

  454.     public void addCertificateProblemListener(final CertificateProblemListener listener) {

  455.         listeners.add(CertificateProblemListener.class, listener);

  456.     }

  457. 

  458.     /**

  459.      * Removes the specified listener from this manager.

  460.      *

  461.      * @param listener The listener to be removed

  462.      */

  463.     public void removeCertificateProblemListener(final CertificateProblemListener listener) {

  464.         listeners.remove(CertificateProblemListener.class, listener);

  465.     }

  466. 

  467. }