Changeset 16120 in josm for trunk/src/org
- Timestamp:
- 2020-03-14T15:03:18+01:00 (5 years ago)
- Location:
- trunk/src/org/openstreetmap/josm
- Files:
-
- 4 edited
trunk/src/org/openstreetmap/josm/gui/MainApplication.java
r16050 r16120 650 650 "\t--debug "+tr("Print debugging messages to console")+"\n\n"+ 651 651 "\t--skip-plugins "+tr("Skip loading plugins")+"\n\n"+ 652 "\t--offline=<osm_api|josm_website| all>"+tr("Disable access to the given resource(s), separated by comma")+"\n\n"+652 "\t--offline=<osm_api|josm_website|certificates|all> "+tr("Disable access to the given resource(s), separated by comma")+"\n\n"+ 653 653 tr("options provided as Java system properties")+":\n"+ 654 654 align("\t-Djosm.dir.name=JOSM") + tr("Change the JOSM directory name") + "\n\n" + -
trunk/src/org/openstreetmap/josm/gui/ProgramArguments.java
r14415 r16120 62 62 /** --selection=<searchstring> Select with the given search */ 63 63 SELECTION(true), 64 /** --offline=<osm_api|josm_website| all> Disable access to the given resource(s), delimited by comma */64 /** --offline=<osm_api|josm_website|certificates|all> Disable access to the given resource(s), delimited by comma */ 65 65 OFFLINE(true), 66 66 /** --skip-plugins */ -
trunk/src/org/openstreetmap/josm/io/CertificateAmendment.java
r16068 r16120 151 151 * Certificates looked into platform native keystore and not embedded in JOSM. 152 152 * Identifiers must match Windows/macOS keystore aliases and Unix filenames for efficient search. 153 * To find correct values, see https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport 154 * and https://support.apple.com/en-us/HT208127 153 * To find correct values, see:<ul> 154 * <li><a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">Mozilla List</a></li> 155 * <li><a href="https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT">Microsoft List</a></li> 156 * <li><a href="https://support.apple.com/en-us/HT210770">Apple List</a></li> 157 * </ul> 155 158 */ 156 159 private static final NativeCertAmend[] PLATFORM_CERT_AMEND = { … … 190 193 "3c5f81fea5fab82c64bfa2eaecafcde8e077fc8620a7cae537163df36edbf378", 191 194 "https://e-szigno.hu"), 195 // #18920 - Spanish Government - https://www.sede.fnmt.gob.es/descargas/certificados-raiz-de-la-fnmt 196 new NativeCertAmend(Collections.singleton("AC RAIZ FNMT-RCM"), 197 "AC_RAIZ_FNMT-RCM.pem", 198 "ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa", 199 "https://www.sede.fnmt.gob.es"), 192 200 }; 193 201 -
trunk/src/org/openstreetmap/josm/tools/PlatformHookWindows.java
r15716 r16120 53 53 import java.security.NoSuchAlgorithmException; 54 54 import java.security.cert.Certificate; 55 import java.security.cert.CertificateEncodingException; 55 56 import java.security.cert.CertificateException; 56 57 import java.security.cert.X509Certificate; … … 340 341 public X509Certificate getX509Certificate(NativeCertAmend certAmend) 341 342 throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException { 343 MessageDigest md = MessageDigest.getInstance("SHA-256"); 342 344 // Get Windows Trust Root Store 343 345 KeyStore ks = getRootKeystore(); … … 345 347 for (String winAlias : certAmend.getNativeAliases()) { 346 348 Certificate result = ks.getCertificate(winAlias); 349 // Check for SHA-256 signature, as sometimes Microsoft can ship several certificates with the same alias, for example: 350 // AC RAIZ FNMT-RCM: EBC5570C29018C4D67B1AA127BAF12F703B4611EBC17B7DAB5573894179B93FA (SHA256) 351 // AC RAIZ FNMT-RCM: 4D9EBB28825C9643AB15D54E5F9614F13CB3E95DE3CF4EAC971301F320F9226E (SHA1) 352 if (!sha256matches(result, certAmend, md)) { 353 Logging.trace("Ignoring {0} as SHA-256 signature does not match", result); 354 result = null; 355 } 347 356 if (result == null && !NetworkManager.isOffline(OnlineResource.CERTIFICATES)) { 348 357 // Make a web request to target site to force Windows to update if needed its trust root store from its certificate trust list … … 360 369 } 361 370 // If not found, search by SHA-256 (slower) 362 MessageDigest md = MessageDigest.getInstance("SHA-256");363 371 for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) { 364 372 String alias = aliases.nextElement(); 365 373 Certificate result = ks.getCertificate(alias); 366 if (result instanceof X509Certificate 367 && certAmend.getSha256().equalsIgnoreCase(Utils.toHexString(md.digest(result.getEncoded())))) { 374 if (sha256matches(result, certAmend, md)) { 368 375 Logging.warn("Certificate not found for alias ''{0}'' but found for alias 
''{1}''", certAmend.getNativeAliases(), alias); 369 376 return (X509Certificate) result; … … 372 379 // Not found 373 380 return null; 381 } 382 383 private static boolean sha256matches(Certificate result, NativeCertAmend certAmend, MessageDigest md) throws CertificateEncodingException { 384 return result instanceof X509Certificate 385 && certAmend.getSha256().equalsIgnoreCase(Utils.toHexString(md.digest(result.getEncoded()))); 374 386 } 375 387
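Review bot: In the alias loop of `getX509Certificate`, the new `sha256matches` check also runs when `ks.getCertificate(winAlias)` returned null, so a missing alias is traced as "Ignoring null as SHA-256 signature does not match"; guard it with `if (result != null && !sha256matches(result, certAmend, md)) {`. The value being compared is the SHA-256 digest of the encoded certificate, i.e. its fingerprint rather than its signature, so the comment and the trace message would be more accurate as "SHA-256 fingerprint". The "(SHA256)" and "(SHA1)" labels on the two example hashes should also say what they denote, since both values are 64 hex digits. The lines between the web request and the end of the loop body are not shown in this section; if the certificate is read again by alias after that request, the re-read should go through the same fingerprint check, otherwise a same-alias certificate with a different fingerprint could still be returned.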