[client] Remember finger prints supplied by master server

author: Simon Rettberg 2015-09-10 12:06:04 +0200
committer: Simon Rettberg 2015-09-10 12:06:04 +0200
commit: a4a47f3a636df76885275136f6c0757207c72763 (patch)
tree: 75930c80306e48acea8e1978b4eae20daff417a8
parent: [*] Improve SSL handling (diff)
download: tutor-module-a4a47f3a636df76885275136f6c0757207c72763.tar.gz
tutor-module-a4a47f3a636df76885275136f6c0757207c72763.tar.xz
tutor-module-a4a47f3a636df76885275136f6c0757207c72763.zip
3 files changed, 78 insertions, 14 deletions
diff --git a/dozentenmodul/src/main/java/org/openslx/dozmod/authentication/FingerprintManager.java b/dozentenmodul/src/main/java/org/openslx/dozmod/authentication/FingerprintManager.java
index 58b0d305..cc0d09f7 100644
--- a/dozentenmodul/src/main/java/org/openslx/dozmod/authentication/FingerprintManager.java
+++ b/dozentenmodul/src/main/java/org/openslx/dozmod/authentication/FingerprintManager.java
@@ -27,23 +27,53 @@ public class FingerprintManager {
 		}
 	}
 
-	public static void saveFingerprint(String address, byte[] fingerprint) {
-		saveFingerprint(address, fingerprint, true);
+	public static void saveKnownFingerprint(String address, byte[] fingerprint) {
+		if (saveFingerprint(address, fingerprint, true)) {
+			store();
+		}
+	}
+
+	public static void saveSuggestedFingerprint(String address, byte[] fingerprint) {
+		saveFingerprint(address, fingerprint, false);
+		prop.setProperty(address + "_master", Base64.encodeBase64String(fingerprint));
+		store();
 	}
 
-	public static void saveFingerprint(String address, byte[] fingerprint, boolean replace) {
+	private static boolean saveFingerprint(String address, byte[] fingerprint, boolean replace) {
 		if (replace || !prop.containsKey(address)) {
 			prop.setProperty(address, Base64.encodeBase64String(fingerprint));
-			try {
-				prop.store(new FileOutputStream(file), "Written by bwLehrstuhl");
-			} catch (IOException e) {
-				LOGGER.warn("Could not store fingerprint");
-			}
+			return true;
 		}
+		return false;
 	}
 
-	public static byte[] getFingerprint(String address) {
+	private static void store() {
+		try {
+			prop.store(new FileOutputStream(file), "Written by bwLehrstuhl");
+		} catch (IOException e) {
+			LOGGER.warn("Could not store fingerprint");
+		}
+	}
+
+	/**
+	 * Get the fingerprint we accepted previously for this address.
+	 * 
+	 * @param address
+	 * @return fingerprint, null if unknown
+	 */
+	public static byte[] getKnownFingerprint(String address) {
 		return Base64.decodeBase64(prop.getProperty(address));
 	}
 
+	/**
+	 * Get the fingerprint the master server suggests should be
+	 * the one for the given address.
+	 * 
+	 * @param address
+	 * @return fingerprint, null if unknown
+	 */
+	public static byte[] getSuggestedFingerprint(String address) {
+		return Base64.decodeBase64(prop.getProperty(address + "_master"));
+	}
+
 }
diff --git a/dozentenmodul/src/main/java/org/openslx/dozmod/gui/GraphicalCertHandler.java b/dozentenmodul/src/main/java/org/openslx/dozmod/gui/GraphicalCertHandler.java
index 35297c9f..99c03373 100644
--- a/dozentenmodul/src/main/java/org/openslx/dozmod/gui/GraphicalCertHandler.java
+++ b/dozentenmodul/src/main/java/org/openslx/dozmod/gui/GraphicalCertHandler.java
@@ -54,17 +54,27 @@ public class GraphicalCertHandler {
 			md.update(encoded);
 			byte[] actualFingerprint = md.digest();
 			final String actualFingerprintReadable = new BigInteger(actualFingerprint).toString(16);
-			// Now check the fingerprint
-			byte[] expectedFingerprint = FingerprintManager.getFingerprint(address);
+			// Now check the finger print
+			byte[] expectedFingerprint = FingerprintManager.getKnownFingerprint(address);
+			if (expectedFingerprint == null) {
+				expectedFingerprint = FingerprintManager.getSuggestedFingerprint(address);
+			}
 			final String question;
 			if (expectedFingerprint == null) {
-				// First time we connect to this server, so remember the fingerprint
-				FingerprintManager.saveFingerprint(address, actualFingerprint);
+				// First time we connect to this server, so remember the finger print
+				FingerprintManager.saveKnownFingerprint(address, actualFingerprint);
 				return;
 			} else if (Arrays.equals(actualFingerprint, expectedFingerprint)) {
 				// Known, matches, everything's fine
 				return;
 			} else {
+				byte[] sf = FingerprintManager.getSuggestedFingerprint(address);
+				if (sf != null && Arrays.equals(actualFingerprint, sf)) {
+					// User stored invalid finger print, but master suggests the finger print we found.
+					// It probably changed, the satellite told the master server, but the user doesn't know yet.
+					FingerprintManager.saveKnownFingerprint(address, actualFingerprint);
+					return;
+				}
 				// Known, mismatch, panic!
 				question = "!!! ALARM !!!! ALARM !!!\n\n" + "Der Fingerabdruck von " + address
 						+ " hat sich verändert.\n" + "Erwartet: "
@@ -80,7 +90,7 @@ public class GraphicalCertHandler {
 				}
 			});
 			if (userOk) {
-				FingerprintManager.saveFingerprint(address, actualFingerprint);
+				FingerprintManager.saveKnownFingerprint(address, actualFingerprint);
 			} else {
 				throw new CertificateException("Rejected by user");
 			}
diff --git a/dozentenmodul/src/main/java/org/openslx/dozmod/gui/window/LoginWindow.java b/dozentenmodul/src/main/java/org/openslx/dozmod/gui/window/LoginWindow.java
index c16c4f0a..47fc0178 100644
--- a/dozentenmodul/src/main/java/org/openslx/dozmod/gui/window/LoginWindow.java
+++ b/dozentenmodul/src/main/java/org/openslx/dozmod/gui/window/LoginWindow.java
@@ -17,14 +17,17 @@ import javax.swing.DefaultComboBoxModel;
 import javax.swing.JFrame;
 
 import org.apache.log4j.Logger;
+import org.apache.thrift.TBaseHelper;
 import org.apache.thrift.TException;
 import org.openslx.bwlp.thrift.iface.Organization;
+import org.openslx.bwlp.thrift.iface.Satellite;
 import org.openslx.dozmod.App;
 import org.openslx.dozmod.Config;
 import org.openslx.dozmod.authentication.Authenticator;
 import org.openslx.dozmod.authentication.Authenticator.AuthenticationData;
 import org.openslx.dozmod.authentication.Authenticator.AuthenticatorCallback;
 import org.openslx.dozmod.authentication.EcpAuthenticator;
+import org.openslx.dozmod.authentication.FingerprintManager;
 import org.openslx.dozmod.authentication.ShibbolethEcp;
 import org.openslx.dozmod.authentication.ShibbolethEcp.ReturnCode;
 import org.openslx.dozmod.authentication.TestAccountAuthenticator;
@@ -330,6 +333,8 @@ public class LoginWindow extends LoginWindowLayout {
 	 */
 	private void postSuccessfulLogin(AuthenticationData data) {
 		LOGGER.info(loginType.toString() + " succeeded, token " + data.satelliteToken);
+		// Update known suggested fingerprints
+		importFingerprints(data.satellites);
 		// now try to init the session with the data received
 		if (ThriftActions.initSession(data)) {
 			if (saveUsernameCheck.isSelected()) {
@@ -341,6 +346,25 @@ public class LoginWindow extends LoginWindowLayout {
 		}
 	}
 
+	/**
+	 * If master server supplies certificate finger prints for a satellite,
+	 * store them so we can verify later.
+	 * 
+	 * @param satellites
+	 */
+	private void importFingerprints(List<Satellite> satellites) {
+		if (satellites == null || satellites.isEmpty())
+			return;
+		for (Satellite sat : satellites) {
+			if (sat.addressList == null || sat.certSha256 == null || sat.addressList.isEmpty())
+				continue;
+			byte[] fingerprint = TBaseHelper.byteBufferToByteArray(sat.certSha256);
+			for (String address : sat.addressList) {
+				FingerprintManager.saveSuggestedFingerprint(address, fingerprint);
+			}
+		}
+	}
+
 	@SuppressWarnings("deprecation")
 	@Override
 	public void show() {
author	Simon Rettberg	2015-09-10 12:06:04 +0200
committer	Simon Rettberg	2015-09-10 12:06:04 +0200
commit	a4a47f3a636df76885275136f6c0757207c72763 (patch)
tree	75930c80306e48acea8e1978b4eae20daff417a8
parent	[*] Improve SSL handling (diff)
download	tutor-module-a4a47f3a636df76885275136f6c0757207c72763.tar.gz tutor-module-a4a47f3a636df76885275136f6c0757207c72763.tar.xz tutor-module-a4a47f3a636df76885275136f6c0757207c72763.zip