mirror
/
DMDirc-Client
mirror of https://github.com/DMDirc/DMDirc.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 49 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6549 Commits
14 Branches
Tree: fd83b6b2a9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fd83b6b2a9'
${ noResults }
DMDirc-Client/src/com/dmdirc/CertificateManager.java

CertificateManager.java 16KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469 
  1. /*

  2.  * Copyright (c) 2006-2011 Chris Smith, Shane Mc Cormack, Gregory Holmes

  3.  *

  4.  * Permission is hereby granted, free of charge, to any person obtaining a copy

  5.  * of this software and associated documentation files (the "Software"), to deal

  6.  * in the Software without restriction, including without limitation the rights

  7.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

  8.  * copies of the Software, and to permit persons to whom the Software is

  9.  * furnished to do so, subject to the following conditions:

  10.  *

  11.  * The above copyright notice and this permission notice shall be included in

  12.  * all copies or substantial portions of the Software.

  13.  *

  14.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

  15.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

  16.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

  17.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

  18.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

  19.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

  20.  * SOFTWARE.

  21.  */

  22. 

  23. package com.dmdirc;

  24. 

  25. import com.dmdirc.config.ConfigManager;

  26. import com.dmdirc.config.IdentityManager;

  27. import com.dmdirc.logger.ErrorLevel;

  28. import com.dmdirc.logger.Logger;

  29. import com.dmdirc.ui.core.dialogs.sslcertificate.CertificateAction;

  30. import com.dmdirc.ui.core.dialogs.sslcertificate.SSLCertificateDialogModel;

  31. import com.dmdirc.util.StreamUtil;

  32. 

  33. import java.io.File;

  34. import java.io.FileInputStream;

  35. import java.io.FileNotFoundException;

  36. import java.io.IOException;

  37. import java.security.InvalidAlgorithmParameterException;

  38. import java.security.KeyStore;

  39. import java.security.KeyStoreException;

  40. import java.security.NoSuchAlgorithmException;

  41. import java.security.UnrecoverableKeyException;

  42. import java.security.cert.CertificateException;

  43. import java.security.cert.CertificateParsingException;

  44. import java.security.cert.PKIXParameters;

  45. import java.security.cert.TrustAnchor;

  46. import java.security.cert.X509Certificate;

  47. import java.util.ArrayList;

  48. import java.util.Arrays;

  49. import java.util.HashMap;

  50. import java.util.HashSet;

  51. import java.util.List;

  52. import java.util.Map;

  53. import java.util.Set;

  54. import java.util.concurrent.Semaphore;

  55. 

  56. import javax.naming.InvalidNameException;

  57. import javax.naming.ldap.LdapName;

  58. import javax.naming.ldap.Rdn;

  59. import javax.net.ssl.KeyManager;

  60. import javax.net.ssl.KeyManagerFactory;

  61. import javax.net.ssl.X509TrustManager;

  62. 

  63. import net.miginfocom.Base64;

  64. 

  65. /**

  66.  * Manages storage and validation of certificates used when connecting to

  67.  * SSL servers.

  68.  *

  69.  * @since 0.6.3m1

  70.  * @author chris

  71.  */

  72. public class CertificateManager implements X509TrustManager {

  73. 

  74.     public static enum TrustResult {

  75. 

  76.         TRUSTED_CA(true),

  77.         TRUSTED_MANUALLY(true),

  78.         UNTRUSTED_EXCEPTION(false),

  79.         UNTRUSTED_GENERAL(false);

  80. 

  81.         private final boolean trusted;

  82. 

  83.         private TrustResult(final boolean trusted) {

  84.             this.trusted = trusted;

  85.         }

  86. 

  87.         public boolean isTrusted() {

  88.             return trusted;

  89.         }

  90.     }

  91. 

  92.     /** The server name the user is trying to connect to. */

  93.     private final String serverName;

  94. 

  95.     /** The configuration manager to use for settings. */

  96.     private final ConfigManager config;

  97. 

  98.     /** The set of CAs from the global cacert file. */

  99.     private final Set<X509Certificate> globalTrustedCAs = new HashSet<X509Certificate>();

  100. 

  101.     /** Whether or not to check specified parts of the certificate. */

  102.     private boolean checkDate, checkIssuer, checkHost;

  103. 

  104.     /** Used to synchronise the manager with the certificate dialog. */

  105.     private final Semaphore actionSem = new Semaphore(0);

  106. 

  107.     /** The action to perform. */

  108.     private CertificateAction action;

  109. 

  110.     /**

  111.      * Creates a new certificate manager for a client connecting to the

  112.      * specified server.

  113.      *

  114.      * @param serverName The name the user used to connect to the server

  115.      * @param config The configuration manager to use

  116.      */

  117.     public CertificateManager(final String serverName, final ConfigManager config) {

  118.         this.serverName = serverName;

  119.         this.config = config;

  120.         this.checkDate = config.getOptionBool("ssl", "checkdate");

  121.         this.checkIssuer = config.getOptionBool("ssl", "checkissuer");

  122.         this.checkHost = config.getOptionBool("ssl", "checkhost");

  123. 

  124.         loadTrustedCAs();

  125.     }

  126. 

  127.     /**

  128.      * Loads the trusted CA certificates from the Java cacerts store.

  129.      */

  130.     protected void loadTrustedCAs() {

  131.         FileInputStream is = null;

  132. 

  133.         try {

  134.             final String filename = System.getProperty("java.home")

  135.                 + "/lib/security/cacerts".replace('/', File.separatorChar);

  136.             is = new FileInputStream(filename);

  137.             final KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());

  138.             keystore.load(is, null);

  139. 

  140.             final PKIXParameters params = new PKIXParameters(keystore);

  141.             for (TrustAnchor anchor : params.getTrustAnchors()) {

  142.                 globalTrustedCAs.add(anchor.getTrustedCert());

  143.             }

  144.         } catch (CertificateException ex) {

  145.             Logger.userError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);

  146.         } catch (IOException ex) {

  147.             Logger.userError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);

  148.         } catch (InvalidAlgorithmParameterException ex) {

  149.             Logger.userError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);

  150.         } catch (KeyStoreException ex) {

  151.             Logger.userError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);

  152.         } catch (NoSuchAlgorithmException ex) {

  153.             Logger.userError(ErrorLevel.MEDIUM, "Unable to load trusted certificates", ex);

  154.         } finally {

  155.             StreamUtil.close(is);

  156.         }

  157.     }

  158. 

  159.     /**

  160.      * Retrieves a KeyManager[] for the client certificate specified in the

  161.      * configuration, if there is one.

  162.      *

  163.      * @return A KeyManager to use for the SSL connection

  164.      */

  165.     public KeyManager[] getKeyManager() {

  166.         if (config.hasOptionString("ssl", "clientcert.file")) {

  167.             FileInputStream fis = null;

  168.             try {

  169.                 final char[] pass;

  170. 

  171.                 if (config.hasOptionString("ssl", "clientcert.pass")) {

  172.                     pass = config.getOption("ssl", "clientcert.pass").toCharArray();

  173.                 } else {

  174.                     pass = null;

  175.                 }

  176. 

  177.                 fis = new FileInputStream(config.getOption("ssl", "clientcert.file"));

  178.                 final KeyStore ks = KeyStore.getInstance("pkcs12");

  179.                 ks.load(fis, pass);

  180. 

  181.                 final KeyManagerFactory kmf = KeyManagerFactory.getInstance(

  182.                         KeyManagerFactory.getDefaultAlgorithm());

  183.                 kmf.init(ks, pass);

  184. 

  185.                 return kmf.getKeyManagers();

  186.             } catch (FileNotFoundException ex) {

  187.                 Logger.userError(ErrorLevel.MEDIUM, "Certificate file not found", ex);

  188.             } catch (KeyStoreException ex) {

  189.                 Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);

  190.             } catch (IOException ex) {

  191.                 Logger.userError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);

  192.             } catch (CertificateException ex) {

  193.                 Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);

  194.             } catch (NoSuchAlgorithmException ex) {

  195.                 Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);

  196.             } catch (UnrecoverableKeyException ex) {

  197.                 Logger.appError(ErrorLevel.MEDIUM, "Unable to get key manager", ex);

  198.             } finally {

  199.                 StreamUtil.close(fis);

  200.             }

  201.         }

  202. 

  203.         return null;

  204.     }

  205. 

  206.     /** {@inheritDoc} */

  207.     @Override

  208.     public void checkClientTrusted(final X509Certificate[] chain, final String authType)

  209.             throws CertificateException {

  210.         throw new CertificateException("Not supported.");

  211.     }

  212. 

  213.     /**

  214.      * Determines if the specified certificate is trusted by the user.

  215.      *

  216.      * @param certificate The certificate to be checked

  217.      * @return True if the certificate matches one in the trusted certificate

  218.      * store, or if the certificate's details are marked as trusted in the

  219.      * DMDirc configuration file.

  220.      */

  221.     public TrustResult isTrusted(final X509Certificate certificate) {

  222.         try {

  223.             final String sig = Base64.encodeToString(certificate.getSignature(), false);

  224. 

  225.             if (config.hasOptionString("ssl", "trusted") && config.getOptionList("ssl",

  226.                     "trusted").contains(sig)) {

  227.                 return TrustResult.TRUSTED_MANUALLY;

  228.             } else {

  229.                 for (X509Certificate trustedCert : globalTrustedCAs) {

  230.                     if (Arrays.equals(certificate.getSignature(), trustedCert.getSignature())

  231.                             && certificate.getIssuerDN().getName()

  232.                             .equals(trustedCert.getIssuerDN().getName())) {

  233.                         certificate.verify(trustedCert.getPublicKey());

  234.                         return TrustResult.TRUSTED_CA;

  235.                     }

  236.                 }

  237.             }

  238.         } catch (Exception ex) {

  239.            return TrustResult.UNTRUSTED_EXCEPTION;

  240.         }

  241. 

  242.         return TrustResult.UNTRUSTED_GENERAL;

  243.     }

  244. 

  245.     public boolean isValidHost(final X509Certificate certificate) {

  246.         final Map<String, String> fields = getDNFieldsFromCert(certificate);

  247.         if (fields.containsKey("CN") && isMatchingServerName(fields.get("CN"))) {

  248.             return true;

  249.         }

  250. 

  251.         try {

  252.             if (certificate.getSubjectAlternativeNames() != null) {

  253.                 for (List<?> entry : certificate.getSubjectAlternativeNames()) {

  254.                     final int type = ((Integer) entry.get(0)).intValue();

  255. 

  256.                     // DNS or IP

  257.                     if ((type == 2 || type == 7) && isMatchingServerName((String) entry.get(1))) {

  258.                         return true;

  259.                     }

  260.                 }

  261.             }

  262.         } catch (CertificateParsingException ex) {

  263.             return false;

  264.         }

  265. 

  266.         return false;

  267.     }

  268. 

  269.     /**

  270.      * Checks whether the specified target matches the server name this

  271.      * certificate manager was initialised with.

  272.      *

  273.      * Target names may contain wildcards per RFC2818.

  274.      *

  275.      * @since 0.6.5

  276.      * @param target The target to compare to our server name

  277.      * @return True if the target matches, false otherwise

  278.      */

  279.     protected boolean isMatchingServerName(final String target) {

  280.         final String[] targetParts = target.split("\\.");

  281.         final String[] serverParts = serverName.split("\\.");

  282. 

  283.         if (targetParts.length != serverParts.length) {

  284.             // Fail fast if they don't match

  285.             return false;

  286.         }

  287. 

  288.         for (int i = 0; i < serverParts.length; i++) {

  289.             if (!serverParts[i].matches("\\Q" + targetParts[i].replace("*", "\\E.*\\Q") + "\\E")) {

  290.                 return false;

  291.             }

  292.         }

  293. 

  294.         return true;

  295.     }

  296. 

  297.     /** {@inheritDoc} */

  298.     @Override

  299.     public void checkServerTrusted(final X509Certificate[] chain, final String authType)

  300.             throws CertificateException {

  301.         final List<CertificateException> problems = new ArrayList<CertificateException>();

  302.         boolean verified = false;

  303.         boolean manual = false;

  304. 

  305.         if (checkHost) {

  306.             // Check that the cert is issued to the correct host

  307.             verified = isValidHost(chain[0]);

  308. 

  309.             if (!verified) {

  310.                 problems.add(new CertificateDoesntMatchHostException(

  311.                         "Certificate was not issued to " + serverName));

  312.             }

  313. 

  314.             verified = false;

  315.         }

  316. 

  317.         for (X509Certificate cert : chain) {

  318.             TrustResult trustResult = isTrusted(cert);

  319. 

  320.             if (checkDate) {

  321.                 // Check that the certificate is in-date

  322.                 try {

  323.                     cert.checkValidity();

  324.                 } catch (CertificateException ex) {

  325.                     problems.add(ex);

  326.                 }

  327.             }

  328. 

  329.             if (checkIssuer) {

  330.                 // Check that we trust an issuer

  331. 

  332.                 verified |= trustResult.isTrusted();

  333.             }

  334. 

  335.             if (trustResult == TrustResult.TRUSTED_MANUALLY) {

  336.                 manual = true;

  337.             }

  338.         }

  339. 

  340.         if (!verified && checkIssuer) {

  341.             problems.add(new CertificateNotTrustedException("Issuer is not trusted"));

  342.         }

  343. 

  344.         if (!problems.isEmpty() && !manual) {

  345.             final SSLCertificateDialogModel model

  346.                     = new SSLCertificateDialogModel(chain, problems, this);

  347.             Main.getUI().showSSLCertificateDialog(model);

  348. 

  349.             try {

  350.                 actionSem.acquire();

  351.             } catch (InterruptedException ie) {

  352.                 throw new CertificateException("Thread aborted, ");

  353.             }

  354. 

  355.             switch (action) {

  356.                 case DISCONNECT:

  357.                     throw new CertificateException("Not trusted");

  358.                 case IGNORE_PERMANENTY:

  359.                     final List<String> list = new ArrayList<String>(config

  360.                             .getOptionList("ssl", "trusted"));

  361.                     list.add(Base64.encodeToString(chain[0].getSignature(), false));

  362.                     IdentityManager.getConfigIdentity().setOption("ssl",

  363.                             "trusted", list);

  364.                     break;

  365.                 case IGNORE_TEMPORARILY:

  366.                     // Do nothing, continue connecting

  367.                     break;

  368.             }

  369.         }

  370.     }

  371. 

  372.     /**

  373.      * Sets the action to perform for the request that's in progress.

  374.      *

  375.      * @param action The action that's been selected

  376.      */

  377.     public void setAction(final CertificateAction action) {

  378.         this.action = action;

  379. 

  380.         actionSem.release();

  381.     }

  382. 

  383.     /**

  384.      * Retrieves the name of the server to which the user is trying to connect.

  385.      *

  386.      * @return The name of the server that the user is trying to connect to

  387.      */

  388.     public String getServerName() {

  389.         return serverName;

  390.     }

  391. 

  392.     /**

  393.      * Reads the fields from the subject's designated name in the specified

  394.      * certificate.

  395.      *

  396.      * @param cert The certificate to read

  397.      * @return A map of the fields in the certificate's subject's designated

  398.      * name

  399.      */

  400.     public static Map<String, String> getDNFieldsFromCert(final X509Certificate cert) {

  401.         final Map<String, String> res = new HashMap<String, String>();

  402. 

  403.         try {

  404.             final LdapName name = new LdapName(cert.getSubjectX500Principal().getName());

  405.             for (Rdn rdn : name.getRdns()) {

  406.                 res.put(rdn.getType(), rdn.getValue().toString());

  407.             }

  408.         } catch (InvalidNameException ex) {

  409.             // Don't care

  410.         }

  411. 

  412.         return res;

  413.     }

  414. 

  415.     /** {@inheritDoc} */

  416.     @Override

  417.     public X509Certificate[] getAcceptedIssuers() {

  418.         return globalTrustedCAs.toArray(new X509Certificate[globalTrustedCAs.size()]);

  419.     }

  420. 

  421.     /**

  422.      * An exception to indicate that the host on a certificate doesn't match

  423.      * the host we're trying to connect to.

  424.      */

  425.     public static class CertificateDoesntMatchHostException extends CertificateException {

  426. 

  427.         /**

  428.          * A version number for this class. It should be changed whenever the

  429.          * class structure is changed (or anything else that would prevent

  430.          * serialized objects being unserialized with the new class).

  431.          */

  432.         private static final long serialVersionUID = 1;

  433. 

  434.         /**

  435.          * Creates a new CertificateDoesntMatchHostException

  436.          *

  437.          * @param msg A description of the problem

  438.          */

  439.         public CertificateDoesntMatchHostException(final String msg) {

  440.             super(msg);

  441.         }

  442. 

  443.     }

  444. 

  445.     /**

  446.      * An exception to indicate that we do not trust the issuer of the

  447.      * certificate (or the CA).

  448.      */

  449.     public static class CertificateNotTrustedException extends CertificateException {

  450. 

  451.         /**

  452.          * A version number for this class. It should be changed whenever the

  453.          * class structure is changed (or anything else that would prevent

  454.          * serialized objects being unserialized with the new class).

  455.          */

  456.         private static final long serialVersionUID = 1;

  457. 

  458.         /**

  459.          * Creates a new CertificateNotTrustedException

  460.          *

  461.          * @param msg A description of the problem

  462.          */

  463.         public CertificateNotTrustedException(final String msg) {

  464.             super(msg);

  465.         }

  466. 

  467.     }

  468. 

  469. }