From 4b48fb654279154b6126c86d5998e02d74d125fb Mon Sep 17 00:00:00 2001
From: Omair Majid <omajid@redhat.com>
Date: Thu, 11 Nov 2010 11:43:13 -0500
Subject: integrate support for multiple KeyStores into the various validators
2010-11-11 Omair Majid <omajid@redhat.com>
* netx/net/sourceforge/jnlp/runtime/Boot.java (main): Move trust
manager initialization code into JNLPRuntime.initialize.
* plugin/icedteanp/java/sun/applet/PluginMain.java
(init): Likewise.
* netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java (initialize):
Set the default SSL TrustManager here.
* netx/net/sourceforge/jnlp/security/CertWarningPane.java
(CheckBoxListener.actionPerformed): Add this certificate into
user's trusted certificate store.
* netx/net/sourceforge/jnlp/tools/KeyTool.java
(addToKeyStore(File,KeyStore)): Move to CertificateUtils.
(addToKeyStore(X509Certificate,KeyStore)): Likewise.
(dumpCert): Likewise.
* netx/net/sourceforge/jnlp/security/CertificateUtils.java: New
class.
(addToKeyStore(File,KeyStore)): Moved from KeyTool.
(addToKeyStore(X509Certificate,KeyStore)): Likewise.
(dumpCert): Likewise.
(inKeyStores): New method.
* netx/net/sourceforge/jnlp/security/HttpsCertVerifier.java
(getRootInCacerts): Check all available CA store to check if
root is in CA certificates.
* netx/net/sourceforge/jnlp/security/KeyStores.java
(getKeyStore(Level,Type,boolean)): Add security check.
(getClientKeyStores): New method.
* netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
(VariableX509TrustManager): Initialize multiple CA, certificate and
client trust managers.
(checkClientTrusted): Check all the client TrustManagers if
certificate is trusted.
(checkAllManagers): Check multiple CA certificates and trusted
certificates to determine if the certificate chain can be trusted.
(isExplicitlyTrusted): Check with multiple TrustManagers.
(getAcceptedIssuers): Gather results from multiple TrustManagers.
* netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java
(ImportButtonListener): Use CertificateUtils instead of KeyTool.
* netx/net/sourceforge/jnlp/tools/JarSigner.java
(checkTrustedCerts): Use multiple key stores to check if certificate
is directly trusted and if the root is trusted.
---
.../jnlp/security/VariableX509TrustManager.java | 191 +++++++++++++++------
1 file changed, 137 insertions(+), 54 deletions(-)
(limited to 'netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java')
diff --git a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
index 5e9c981..d40513e 100644
--- a/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
+++ b/netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java
@@ -42,6 +42,8 @@ import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
@@ -60,59 +62,98 @@ import net.sourceforge.jnlp.security.SecurityWarning.AccessType;
* different certificates that are not in the keystore.
*/
-public class VariableX509TrustManager extends X509ExtendedTrustManager {
+final public class VariableX509TrustManager extends X509ExtendedTrustManager {
- KeyStore userKeyStore = null;
- KeyStore caKeyStore = null;
+ /** TrustManagers containing trusted CAs */
+ private X509TrustManager[] caTrustManagers = null;
- X509TrustManager userTrustManager = null;
- X509TrustManager caTrustManager = null;
+ /** TrustManagers containing trusted certificates */
+ private X509TrustManager[] certTrustManagers = null;
- ArrayList<Certificate> temporarilyTrusted = new ArrayList<Certificate>();
- ArrayList<Certificate> temporarilyUntrusted = new ArrayList<Certificate>();
+ /** TrustManagers containing trusted client certificates */
+ private X509TrustManager[] clientTrustManagers = null;
- static VariableX509TrustManager instance = null;
+ private ArrayList<Certificate> temporarilyTrusted = new ArrayList<Certificate>();
+ private ArrayList<Certificate> temporarilyUntrusted = new ArrayList<Certificate>();
+
+ private static VariableX509TrustManager instance = null;
/**
* Constructor initializes the system, user and custom stores
*/
public VariableX509TrustManager() {
+ /*
+ * Load TrustManagers for trusted certificates
+ */
try {
- userKeyStore = SecurityUtil.getUserKeyStore();
- TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
- tmFactory.init(userKeyStore);
+ /** KeyStores containing trusted certificates */
+ KeyStore[] trustedCertKeyStores = KeyStores.getCertKeyStores();
+ certTrustManagers = new X509TrustManager[trustedCertKeyStores.length];
+
+ for (int j = 0; j < trustedCertKeyStores.length; j++) {
+ TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
+ tmFactory.init(trustedCertKeyStores[j]);
- // tm factory initialized, now get the managers so we can assign the X509 one
- TrustManager[] trustManagers = tmFactory.getTrustManagers();
+ // tm factory initialized, now get the managers so we can assign the X509 one
+ TrustManager[] trustManagers = tmFactory.getTrustManagers();
- for (int i=0; i < trustManagers.length; i++) {
- if (trustManagers[i] instanceof X509TrustManager) {
- userTrustManager = (X509TrustManager) trustManagers[i];
+ for (int i = 0; i < trustManagers.length; i++) {
+ if (trustManagers[i] instanceof X509TrustManager) {
+ certTrustManagers[j] = (X509TrustManager) trustManagers[i];
+ }
}
}
-
} catch (Exception e) {
- // TODO Auto-generated catch block
e.printStackTrace();
}
+ /*
+ * Load TrustManagers for trusted CAs
+ */
try {
- caKeyStore = SecurityUtil.getCacertsKeyStore();
- TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
- tmFactory.init(caKeyStore);
+ /** KeyStores containing trusted CAs */
+ KeyStore[] trustedCAKeyStores = KeyStores.getCAKeyStores();
+ caTrustManagers = new X509TrustManager[trustedCAKeyStores.length];
+
+ for (int j = 0; j < caTrustManagers.length; j++) {
+ TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
+ tmFactory.init(trustedCAKeyStores[j]);
- // tm factory initialized, now get the managers so we can extract the X509 one
- TrustManager[] trustManagers = tmFactory.getTrustManagers();
+ // tm factory initialized, now get the managers so we can extract the X509 one
+ TrustManager[] trustManagers = tmFactory.getTrustManagers();
- for (int i=0; i < trustManagers.length; i++) {
- if (trustManagers[i] instanceof X509TrustManager) {
- caTrustManager = (X509TrustManager) trustManagers[i];
+ for (int i=0; i < trustManagers.length; i++) {
+ if (trustManagers[i] instanceof X509TrustManager) {
+ caTrustManagers[j] = (X509TrustManager) trustManagers[i];
+ }
}
}
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ /*
+ * Load TrustManagers for trusted clients certificates
+ */
+ try {
+ KeyStore[] clientKeyStores = KeyStores.getClientKeyStores();
+ clientTrustManagers = new X509TrustManager[clientKeyStores.length];
+ for (int j = 0; j < clientTrustManagers.length; j++) {
+ TrustManagerFactory tmFactory = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
+ tmFactory.init(clientKeyStores[j]);
+
+ // tm factory initialized, now get the managers so we can extract the X509 one
+ TrustManager[] trustManagers = tmFactory.getTrustManagers();
+
+ for (int i=0; i < trustManagers.length; i++) {
+ if (trustManagers[i] instanceof X509TrustManager) {
+ clientTrustManagers[j] = (X509TrustManager) trustManagers[i];
+ }
+ }
+ }
} catch (Exception e) {
- // TODO Auto-generated catch block
e.printStackTrace();
}
}
@@ -123,18 +164,23 @@ public class VariableX509TrustManager extends X509ExtendedTrustManager {
public void checkClientTrusted(X509Certificate[] chain, String authType,
String hostName, String algorithm)
throws CertificateException {
- // First try catrustmanager, then try usertrustmanager
- try {
- caTrustManager.checkClientTrusted(chain, authType);
- } catch (Exception caex) {
+
+ boolean trusted = false;
+ ValidatorException savedException = null;
+ for (int i = 0; i < clientTrustManagers.length; i++) {
try {
- userTrustManager.checkClientTrusted(chain, authType);
- } catch (Exception userex) {
- // Do nothing here. This trust manager is intended to be used
- // only in the plugin instance vm, which does not act as a
- // server
+ clientTrustManagers[i].checkClientTrusted(chain, authType);
+ trusted = true;
+ break;
+ } catch (ValidatorException caex) {
+ savedException = caex;
}
}
+ if (trusted) {
+ return;
+ }
+
+ throw savedException;
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
@@ -214,17 +260,45 @@ public class VariableX509TrustManager extends X509ExtendedTrustManager {
* Check system, user and custom trust manager
*/
private void checkAllManagers(X509Certificate[] chain, String authType) throws CertificateException {
- // First try catrustmanager, then try usertrustmanager, and finally, check temp trusted certs
- try {
- caTrustManager.checkServerTrusted(chain, authType);
- } catch (ValidatorException caex) {
+ // first try CA TrustManagers
+ boolean trusted = false;
+ ValidatorException savedException = null;
+ for (int i = 0; i < caTrustManagers.length; i++) {
try {
- userTrustManager.checkServerTrusted(chain, authType);
- } catch (ValidatorException uex) {
- if (!temporarilyTrusted.contains(chain[0]))
- throw (CertificateException) uex;
+ caTrustManagers[i].checkServerTrusted(chain, authType);
+ trusted = true;
+ break;
+ } catch (ValidatorException caex) {
+ savedException = caex;
+ }
+ }
+ if (trusted) {
+ return;
+ }
+
+ // then try certificate TrustManagers
+ for (int i = 0; i < certTrustManagers.length; i++) {
+ try {
+ certTrustManagers[i].checkServerTrusted(chain, authType);
+ trusted = true;
+ break;
+ } catch (ValidatorException caex) {
+ savedException = caex;
+ }
+ }
+ if (trusted) {
+ return;
+ }
+
+ // finally check temp trusted certs
+ if (!temporarilyTrusted.contains(chain[0])) {
+ if (savedException == null) {
+ // System.out.println("IMPOSSIBLE!");
+ throw new ValidatorException(ValidatorException.T_SIGNATURE_ERROR, chain[0]);
}
+ throw savedException;
}
+
}
/**
@@ -233,23 +307,32 @@ public class VariableX509TrustManager extends X509ExtendedTrustManager {
private boolean isExplicitlyTrusted(X509Certificate[] chain, String authType) {
boolean explicitlyTrusted = false;
- try {
- userTrustManager.checkServerTrusted(chain, authType);
- explicitlyTrusted = true;
- } catch (ValidatorException uex) {
- if (temporarilyTrusted.contains(chain[0]))
+ for (int i = 0; i < certTrustManagers.length; i++) {
+ try {
+ certTrustManagers[i].checkServerTrusted(chain, authType);
explicitlyTrusted = true;
- } catch (CertificateException ce) {
- // do nothing, this means that the cert is not explicitly trusted
+ break;
+ } catch (ValidatorException uex) {
+ if (temporarilyTrusted.contains(chain[0])) {
+ explicitlyTrusted = true;
+ break;
+ }
+ } catch (CertificateException ce) {
+ // not explicitly trusted
+ }
}
return explicitlyTrusted;
-
}
public X509Certificate[] getAcceptedIssuers() {
- // delegate to default
- return caTrustManager.getAcceptedIssuers();
+ List<X509Certificate> issuers = new ArrayList<X509Certificate>();
+
+ for (int i = 0; i < caTrustManagers.length; i++) {
+ issuers.addAll(Arrays.asList(caTrustManagers[i].getAcceptedIssuers()));
+ }
+
+ return issuers.toArray(new X509Certificate[issuers.size()]);
}
/**
--
cgit v1.2.3