Changeset 15006 in josm

Timestamp:

2019-04-21T02:08:19+02:00 (6 years ago)

Author:

Don-vip

Message:

see #17619: use a common list of native certificate aliases, as they can change between Windows 7 and Windows 10 and are often the same between Windows and macOS

Location:

trunk/src/org/openstreetmap/josm

Files:

• io/CertificateAmendment.java (modified) (4 diffs)
• tools/PlatformHookOsx.java (modified) (1 diff)
• tools/PlatformHookWindows.java (modified) (2 diffs)

trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java

@@ -22 +22 @@
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Objects;
 
@@ -106 +109 @@
      */
     public static class NativeCertAmend extends CertAmend {
-        private final String winAlias;
-        private final String macAlias;
+        private final Collection<String> aliases;
         private final String httpsWebSite;
 
-        NativeCertAmend(String winAlias, String macAlias, String filename, String sha256, String httpsWebSite) {
+        NativeCertAmend(Collection<String> aliases, String filename, String sha256, String httpsWebSite) {
             super(filename, sha256);
-            this.winAlias = Objects.requireNonNull(winAlias);
-            this.macAlias = Objects.requireNonNull(macAlias);
+            this.aliases = Objects.requireNonNull(aliases);
             this.httpsWebSite = Objects.requireNonNull(httpsWebSite);
         }
 
         /**
-         * Returns the Windows alias in System Root Certificates keystore.
-         * @return the Windows alias in System Root Certificates keystore
-         */
-        public final String getWinAlias() {
-            return winAlias;
-        }
-
-        /**
-         * Returns the macOS alias in System Root Certificates keychain.
-         * @return the macOS alias in System Root Certificates keychain
-         */
-        public final String getMacAlias() {
-            return macAlias;
+         * Returns the native aliases in System Root Certificates keystore/keychain.
+         * @return the native aliases in System Root Certificates keystore/keychain
+         * @since 15006
+         */
+        public final Collection<String> getNativeAliases() {
+            return aliases;
         }
 
@@ -144 +138 @@
         @Override
         public String toString() {
-            String result = winAlias;
-            if (!winAlias.equals(macAlias)) {
-                result += " / " + macAlias;
-            }
-            return result;
+            return String.join(" / ", aliases);
         }
     }
@@ -166 +156 @@
     private static final NativeCertAmend[] PLATFORM_CERT_AMEND = {
         // Let's Encrypt - should be included in JDK, but problems with Ubuntu 18.04, see #15851
-        new NativeCertAmend("DST Root CA X3", "DST Root CA X3",
+        new NativeCertAmend(Collections.singleton("DST Root CA X3"),
                 "DST_Root_CA_X3.pem",
                 "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739",
                 "https://acme-v02.api.letsencrypt.org"),
         // Government of Netherlands
-        new NativeCertAmend("Staat der Nederlanden Root CA - G2", "Staat der Nederlanden Root CA - G2",
+        new NativeCertAmend(Collections.singleton("Staat der Nederlanden Root CA - G2"),
                 "Staat_der_Nederlanden_Root_CA_-_G2.crt",
                 "668c83947da63b724bece1743c31a0e6aed0db8ec5b31be377bb784f91b6716f",
                 "https://roottest-g2.pkioverheid.nl"),
         // Government of Netherlands
-        new NativeCertAmend("Government of Netherlands G3", "Staat der Nederlanden Root CA - G3",
+        new NativeCertAmend(Arrays.asList("Government of Netherlands G3", "Staat der Nederlanden Root CA - G3"),
                 "Staat_der_Nederlanden_Root_CA_-_G3.crt",
                 "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428",
                 "https://roottest-g3.pkioverheid.nl"),
         // Trusted and used by French Government - https://www.certigna.fr/autorites/index.xhtml?ac=Racine#lracine
-        new NativeCertAmend("Certigna", "Certigna", "Certigna.crt",
+        new NativeCertAmend(Collections.singleton("Certigna"),
+                "Certigna.crt",
                 "e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d",
                 "https://www.certigna.fr"),
         // Trusted and used by Slovakian Government - https://eidas.disig.sk/en/cacert/
-        new NativeCertAmend("CA Disig Root R2", "CA Disig Root R2", "CA_Disig_Root_R2.pem",
+        new NativeCertAmend(Collections.singleton("CA Disig Root R2"),
+                "CA_Disig_Root_R2.pem",
                 "e23d4a036d7b70e9f595b1422079d2b91edfbb1fb651a0633eaa8a9dc5f80703",
                 "https://eidas.disig.sk"),
         // Government of Taiwan - https://grca.nat.gov.tw/GRCAeng/index.html
-        new NativeCertAmend("TW Government Root Certification Authority", "Government Root Certification Authority", "Taiwan_GRCA.pem",
+        new NativeCertAmend(Arrays.asList("TW Government Root Certification Authority", "Government Root Certification Authority"),
+                "Taiwan_GRCA.pem",
                 "7600295eefe85b9e1fd624db76062aaaae59818a54d2774cd4c0b2c01131e1b3",
                 "https://grca.nat.gov.tw")

trunk/src/org/openstreetmap/josm/tools/PlatformHookOsx.java

@@ -412 +412 @@
     public X509Certificate getX509Certificate(NativeCertAmend certAmend)
             throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
-        try {
-            // Get platform certificate in PEM format
-            String pem = Utils.execOutput(Arrays.asList("security", "find-certificate",
-                    "-c", certAmend.getMacAlias(), "-p", "/System/Library/Keychains/SystemRootCertificates.keychain"));
-            Logging.debug(pem);
-            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(
-                    new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
-        } catch (ExecutionException | InterruptedException | IllegalArgumentException e) {
-            throw new IOException(e);
-        }
+        for (String macAlias : certAmend.getNativeAliases()) {
+            try {
+                // Get platform certificate in PEM format
+                String pem = Utils.execOutput(Arrays.asList("security", "find-certificate",
+                        "-c", macAlias, "-p", "/System/Library/Keychains/SystemRootCertificates.keychain"));
+                Logging.debug(pem);
+                return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(
+                        new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
+            } catch (ExecutionException | InterruptedException | IllegalArgumentException | CertificateException e) {
+                Logging.debug(e);
+            }
+        }
+        return null;
     }
 }

trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java

@@ -480 +480 @@
         KeyStore ks = getRootKeystore();
         // Search by alias (fast)
-        Certificate result = ks.getCertificate(certAmend.getWinAlias());
-        if (result == null && !NetworkManager.isOffline(OnlineResource.CERTIFICATES)) {
-            // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list
-            // A better, but a lot more complex method might be to get certificate list from Windows Registry with PowerShell
-            // using (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate').EncodedCtl)
-            // then decode it using CertUtil -dump or calling CertCreateCTLContext API using JNI, and finally find and decode the certificate
-            Logging.trace(webRequest(certAmend.getWebSite()));
-            // Reload Windows Trust Root Store and search again by alias (fast)
-            ks = getRootKeystore();
-            result = ks.getCertificate(certAmend.getWinAlias());
-        }
-        if (result instanceof X509Certificate) {
-            return (X509Certificate) result;
+        for (String winAlias : certAmend.getNativeAliases()) {
+            Certificate result = ks.getCertificate(winAlias);
+            if (result == null && !NetworkManager.isOffline(OnlineResource.CERTIFICATES)) {
+                // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list
+                // A better, but a lot more complex method might be to get certificate list from Windows Registry with PowerShell
+                // using (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate').EncodedCtl)
+                // then decode it using CertUtil -dump or calling CertCreateCTLContext API using JNI, and finally find and decode the certificate
+                Logging.trace(webRequest(certAmend.getWebSite()));
+                // Reload Windows Trust Root Store and search again by alias (fast)
+                ks = getRootKeystore();
+                result = ks.getCertificate(winAlias);
+            }
+            if (result instanceof X509Certificate) {
+                return (X509Certificate) result;
+            }
         }
         // If not found, search by SHA-256 (slower)
@@ -498 +500 @@
         for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
             String alias = aliases.nextElement();
-            result = ks.getCertificate(alias);
+            Certificate result = ks.getCertificate(alias);
             if (result instanceof X509Certificate
                     && certAmend.getSha256().equalsIgnoreCase(Utils.toHexString(md.digest(result.getEncoded())))) {
-                Logging.warn("Certificate not found for alias ''{0}'' but found for alias ''{1}''", certAmend.getWinAlias(), alias);
+                Logging.warn("Certificate not found for alias ''{0}'' but found for alias ''{1}''", certAmend.getNativeAliases(), alias);
                 return (X509Certificate) result;
             }