diff options
| author | Omair Majid <[email protected]> | 2010-11-11 11:43:13 -0500 |
|---|---|---|
| committer | Omair Majid <[email protected]> | 2010-11-11 11:43:13 -0500 |
| commit | 4b48fb654279154b6126c86d5998e02d74d125fb (patch) | |
| tree | 7f037a171f123564b80f5c1d237d26161ce7e8e4 /netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java | |
| parent | ec49901d9f4844acd69a51ebc0c7fa548be70ff3 (diff) | |
integrate support for multiple KeyStores into the various validators
2010-11-11 Omair Majid <[email protected]>
* netx/net/sourceforge/jnlp/runtime/Boot.java (main): Move trust
manager initialization code into JNLPRuntime.initialize.
* plugin/icedteanp/java/sun/applet/PluginMain.java
(init): Likewise.
* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java (initialize):
Set the default SSL TrustManager here.
* netx/net/sourceforge/jnlp/security/CertWarningPane.java
(CheckBoxListener.actionPerformed): Add this certificate into
user's trusted certificate store.
* netx/net/sourceforge/jnlp/tools/KeyTool.java
(addToKeyStore(File,KeyStore)): Move to CertificateUtils.
(addToKeyStore(X509Certificate,KeyStore)): Likewise.
(dumpCert): Likewise.
* netx/net/sourceforge/jnlp/security/CertificateUtils.java: New
class.
(addToKeyStore(File,KeyStore)): Moved from KeyTool.
(addToKeyStore(X509Certificate,KeyStore)): Likewise.
(dumpCert): Likewise.
(inKeyStores): New method.
* netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java
(getRootInCacerts): Check all available CA store to check if
root is in CA certificates.
* netx/net/sourceforge/jnlp/security/KeyStores.java
(getKeyStore(Level,Type,boolean)): Add security check.
(getClientKeyStores): New method.
* netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
(VariableX509TrustManager): Initialize multiple CA, certificate and
client trust managers.
(checkClientTrusted): Check all the client TrustManagers if
certificate is trusted.
(checkAllManagers): Check multiple CA certificates and trusted
certificates to determine if the certificate chain can be trusted.
(isExplicitlyTrusted): Check with multiple TrustManagers.
(getAcceptedIssuers): Gather results from multiple TrustManagers.
* netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java
(ImportButtonListener): Use CertificateUtils instead of KeyTool.
* netx/net/sourceforge/jnlp/tools/JarSigner.java
(checkTrustedCerts): Use multiple key stores to check if certificate
is directly trusted and if the root is trusted.
Diffstat (limited to 'netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java')
| -rw-r--r-- | netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java | 191 |
1 files changed, 137 insertions, 54 deletions
diff --git a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java index 5e9c981..d40513e 100644 --- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java +++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java @@ -42,6 +42,8 @@ import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; @@ -60,59 +62,98 @@ import net.sourceforge.jnlp.security.SecurityWarning.AccessType; * different certificates that are not in the keystore. */ -public class VariableX509TrustManager extends X509ExtendedTrustManager { +final public class VariableX509TrustManager extends X509ExtendedTrustManager { - KeyStore userKeyStore = null; - KeyStore caKeyStore = null; + /** TrustManagers containing trusted CAs */ + private X509TrustManager[] caTrustManagers = null; - X509TrustManager userTrustManager = null; - X509TrustManager caTrustManager = null; + /** TrustManagers containing trusted certificates */ + private X509TrustManager[] certTrustManagers = null; - ArrayList<Certificate> temporarilyTrusted = new ArrayList<Certificate>(); - ArrayList<Certificate> temporarilyUntrusted = new ArrayList<Certificate>(); + /** TrustManagers containing trusted client certificates */ + private X509TrustManager[] clientTrustManagers = null; - static VariableX509TrustManager instance = null; + private ArrayList<Certificate> temporarilyTrusted = new ArrayList<Certificate>(); + private ArrayList<Certificate> temporarilyUntrusted = new ArrayList<Certificate>(); + + private static VariableX509TrustManager instance = null; /** * Constructor initializes the system, user and custom stores */ public VariableX509TrustManager() { + /* + * Load TrustManagers for trusted certificates + */ try { - userKeyStore = SecurityUtil.getUserKeyStore(); - TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE"); - tmFactory.init(userKeyStore); + /** KeyStores containing trusted certificates */ + KeyStore[] trustedCertKeyStores = KeyStores.getCertKeyStores(); + certTrustManagers = new X509TrustManager[trustedCertKeyStores.length]; + + for (int j = 0; j < trustedCertKeyStores.length; j++) { + TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE"); + tmFactory.init(trustedCertKeyStores[j]); - // tm factory initialized, now get the managers so we can assign the X509 one - TrustManager[] trustManagers = tmFactory.getTrustManagers(); + // tm factory initialized, now get the managers so we can assign the X509 one + TrustManager[] trustManagers = tmFactory.getTrustManagers(); - for (int i=0; i < trustManagers.length; i++) { - if (trustManagers[i] instanceof X509TrustManager) { - userTrustManager = (X509TrustManager) trustManagers[i]; + for (int i = 0; i < trustManagers.length; i++) { + if (trustManagers[i] instanceof X509TrustManager) { + certTrustManagers[j] = (X509TrustManager) trustManagers[i]; + } } } - } catch (Exception e) { - // TODO Auto-generated catch block e.printStackTrace(); } + /* + * Load TrustManagers for trusted CAs + */ try { - caKeyStore = SecurityUtil.getCacertsKeyStore(); - TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE"); - tmFactory.init(caKeyStore); + /** KeyStores containing trusted CAs */ + KeyStore[] trustedCAKeyStores = KeyStores.getCAKeyStores(); + caTrustManagers = new X509TrustManager[trustedCAKeyStores.length]; + + for (int j = 0; j < caTrustManagers.length; j++) { + TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE"); + tmFactory.init(trustedCAKeyStores[j]); - // tm factory initialized, now get the managers so we can extract the X509 one - TrustManager[] trustManagers = tmFactory.getTrustManagers(); + // tm factory initialized, now get the managers so we can extract the X509 one + TrustManager[] trustManagers = tmFactory.getTrustManagers(); - for (int i=0; i < trustManagers.length; i++) { - if (trustManagers[i] instanceof X509TrustManager) { - caTrustManager = (X509TrustManager) trustManagers[i]; + for (int i=0; i < trustManagers.length; i++) { + if (trustManagers[i] instanceof X509TrustManager) { + caTrustManagers[j] = (X509TrustManager) trustManagers[i]; + } } } + } catch (Exception e) { + e.printStackTrace(); + } + + /* + * Load TrustManagers for trusted clients certificates + */ + try { + KeyStore[] clientKeyStores = KeyStores.getClientKeyStores(); + clientTrustManagers = new X509TrustManager[clientKeyStores.length]; + for (int j = 0; j < clientTrustManagers.length; j++) { + TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE"); + tmFactory.init(clientKeyStores[j]); + + // tm factory initialized, now get the managers so we can extract the X509 one + TrustManager[] trustManagers = tmFactory.getTrustManagers(); + + for (int i=0; i < trustManagers.length; i++) { + if (trustManagers[i] instanceof X509TrustManager) { + clientTrustManagers[j] = (X509TrustManager) trustManagers[i]; + } + } + } } catch (Exception e) { - // TODO Auto-generated catch block e.printStackTrace(); } } @@ -123,18 +164,23 @@ public class VariableX509TrustManager extends X509ExtendedTrustManager { public void checkClientTrusted(X509Certificate[] chain, String authType, String hostName, String algorithm) throws CertificateException { - // First try catrustmanager, then try usertrustmanager - try { - caTrustManager.checkClientTrusted(chain, authType); - } catch (Exception caex) { + + boolean trusted = false; + ValidatorException savedException = null; + for (int i = 0; i < clientTrustManagers.length; i++) { try { - userTrustManager.checkClientTrusted(chain, authType); - } catch (Exception userex) { - // Do nothing here. This trust manager is intended to be used - // only in the plugin instance vm, which does not act as a - // server + clientTrustManagers[i].checkClientTrusted(chain, authType); + trusted = true; + break; + } catch (ValidatorException caex) { + savedException = caex; } } + if (trusted) { + return; + } + + throw savedException; } public void checkClientTrusted(X509Certificate[] chain, String authType) @@ -214,17 +260,45 @@ public class VariableX509TrustManager extends X509ExtendedTrustManager { * Check system, user and custom trust manager */ private void checkAllManagers(X509Certificate[] chain, String authType) throws CertificateException { - // First try catrustmanager, then try usertrustmanager, and finally, check temp trusted certs - try { - caTrustManager.checkServerTrusted(chain, authType); - } catch (ValidatorException caex) { + // first try CA TrustManagers + boolean trusted = false; + ValidatorException savedException = null; + for (int i = 0; i < caTrustManagers.length; i++) { try { - userTrustManager.checkServerTrusted(chain, authType); - } catch (ValidatorException uex) { - if (!temporarilyTrusted.contains(chain[0])) - throw (CertificateException) uex; + caTrustManagers[i].checkServerTrusted(chain, authType); + trusted = true; + break; + } catch (ValidatorException caex) { + savedException = caex; + } + } + if (trusted) { + return; + } + + // then try certificate TrustManagers + for (int i = 0; i < certTrustManagers.length; i++) { + try { + certTrustManagers[i].checkServerTrusted(chain, authType); + trusted = true; + break; + } catch (ValidatorException caex) { + savedException = caex; + } + } + if (trusted) { + return; + } + + // finally check temp trusted certs + if (!temporarilyTrusted.contains(chain[0])) { + if (savedException == null) { + // System.out.println("IMPOSSIBLE!"); + throw new ValidatorException(ValidatorException.T_SIGNATURE_ERROR, chain[0]); } + throw savedException; } + } /** @@ -233,23 +307,32 @@ public class VariableX509TrustManager extends X509ExtendedTrustManager { private boolean isExplicitlyTrusted(X509Certificate[] chain, String authType) { boolean explicitlyTrusted = false; - try { - userTrustManager.checkServerTrusted(chain, authType); - explicitlyTrusted = true; - } catch (ValidatorException uex) { - if (temporarilyTrusted.contains(chain[0])) + for (int i = 0; i < certTrustManagers.length; i++) { + try { + certTrustManagers[i].checkServerTrusted(chain, authType); explicitlyTrusted = true; - } catch (CertificateException ce) { - // do nothing, this means that the cert is not explicitly trusted + break; + } catch (ValidatorException uex) { + if (temporarilyTrusted.contains(chain[0])) { + explicitlyTrusted = true; + break; + } + } catch (CertificateException ce) { + // not explicitly trusted + } } return explicitlyTrusted; - } public X509Certificate[] getAcceptedIssuers() { - // delegate to default - return caTrustManager.getAcceptedIssuers(); + List<X509Certificate> issuers = new ArrayList<X509Certificate>(); + + for (int i = 0; i < caTrustManagers.length; i++) { + issuers.addAll(Arrays.asList(caTrustManagers[i].getAcceptedIssuers())); + } + + return issuers.toArray(new X509Certificate[issuers.size()]); } /** |