diff options
author | Simon Rettberg | 2015-09-10 12:06:04 +0200 |
---|---|---|
committer | Simon Rettberg | 2015-09-10 12:06:04 +0200 |
commit | a4a47f3a636df76885275136f6c0757207c72763 (patch) | |
tree | 75930c80306e48acea8e1978b4eae20daff417a8 | |
parent | [*] Improve SSL handling (diff) | |
download | tutor-module-a4a47f3a636df76885275136f6c0757207c72763.tar.gz tutor-module-a4a47f3a636df76885275136f6c0757207c72763.tar.xz tutor-module-a4a47f3a636df76885275136f6c0757207c72763.zip |
[client] Remember finger prints supplied by master server
3 files changed, 78 insertions, 14 deletions
diff --git a/dozentenmodul/src/main/java/org/openslx/dozmod/authentication/FingerprintManager.java b/dozentenmodul/src/main/java/org/openslx/dozmod/authentication/FingerprintManager.java index 58b0d305..cc0d09f7 100644 --- a/dozentenmodul/src/main/java/org/openslx/dozmod/authentication/FingerprintManager.java +++ b/dozentenmodul/src/main/java/org/openslx/dozmod/authentication/FingerprintManager.java @@ -27,23 +27,53 @@ public class FingerprintManager { } } - public static void saveFingerprint(String address, byte[] fingerprint) { - saveFingerprint(address, fingerprint, true); + public static void saveKnownFingerprint(String address, byte[] fingerprint) { + if (saveFingerprint(address, fingerprint, true)) { + store(); + } + } + + public static void saveSuggestedFingerprint(String address, byte[] fingerprint) { + saveFingerprint(address, fingerprint, false); + prop.setProperty(address + "_master", Base64.encodeBase64String(fingerprint)); + store(); } - public static void saveFingerprint(String address, byte[] fingerprint, boolean replace) { + private static boolean saveFingerprint(String address, byte[] fingerprint, boolean replace) { if (replace || !prop.containsKey(address)) { prop.setProperty(address, Base64.encodeBase64String(fingerprint)); - try { - prop.store(new FileOutputStream(file), "Written by bwLehrstuhl"); - } catch (IOException e) { - LOGGER.warn("Could not store fingerprint"); - } + return true; } + return false; } - public static byte[] getFingerprint(String address) { + private static void store() { + try { + prop.store(new FileOutputStream(file), "Written by bwLehrstuhl"); + } catch (IOException e) { + LOGGER.warn("Could not store fingerprint"); + } + } + + /** + * Get the fingerprint we accepted previously for this address. + * + * @param address + * @return fingerprint, null if unknown + */ + public static byte[] getKnownFingerprint(String address) { return Base64.decodeBase64(prop.getProperty(address)); } + /** + * Get the fingerprint the master server suggests should be + * the one for the given address. + * + * @param address + * @return fingerprint, null if unknown + */ + public static byte[] getSuggestedFingerprint(String address) { + return Base64.decodeBase64(prop.getProperty(address + "_master")); + } + } diff --git a/dozentenmodul/src/main/java/org/openslx/dozmod/gui/GraphicalCertHandler.java b/dozentenmodul/src/main/java/org/openslx/dozmod/gui/GraphicalCertHandler.java index 35297c9f..99c03373 100644 --- a/dozentenmodul/src/main/java/org/openslx/dozmod/gui/GraphicalCertHandler.java +++ b/dozentenmodul/src/main/java/org/openslx/dozmod/gui/GraphicalCertHandler.java @@ -54,17 +54,27 @@ public class GraphicalCertHandler { md.update(encoded); byte[] actualFingerprint = md.digest(); final String actualFingerprintReadable = new BigInteger(actualFingerprint).toString(16); - // Now check the fingerprint - byte[] expectedFingerprint = FingerprintManager.getFingerprint(address); + // Now check the finger print + byte[] expectedFingerprint = FingerprintManager.getKnownFingerprint(address); + if (expectedFingerprint == null) { + expectedFingerprint = FingerprintManager.getSuggestedFingerprint(address); + } final String question; if (expectedFingerprint == null) { - // First time we connect to this server, so remember the fingerprint - FingerprintManager.saveFingerprint(address, actualFingerprint); + // First time we connect to this server, so remember the finger print + FingerprintManager.saveKnownFingerprint(address, actualFingerprint); return; } else if (Arrays.equals(actualFingerprint, expectedFingerprint)) { // Known, matches, everything's fine return; } else { + byte[] sf = FingerprintManager.getSuggestedFingerprint(address); + if (sf != null && Arrays.equals(actualFingerprint, sf)) { + // User stored invalid finger print, but master suggests the finger print we found. + // It probably changed, the satellite told the master server, but the user doesn't know yet. + FingerprintManager.saveKnownFingerprint(address, actualFingerprint); + return; + } // Known, mismatch, panic! question = "!!! ALARM !!!! ALARM !!!\n\n" + "Der Fingerabdruck von " + address + " hat sich verändert.\n" + "Erwartet: " @@ -80,7 +90,7 @@ public class GraphicalCertHandler { } }); if (userOk) { - FingerprintManager.saveFingerprint(address, actualFingerprint); + FingerprintManager.saveKnownFingerprint(address, actualFingerprint); } else { throw new CertificateException("Rejected by user"); } diff --git a/dozentenmodul/src/main/java/org/openslx/dozmod/gui/window/LoginWindow.java b/dozentenmodul/src/main/java/org/openslx/dozmod/gui/window/LoginWindow.java index c16c4f0a..47fc0178 100644 --- a/dozentenmodul/src/main/java/org/openslx/dozmod/gui/window/LoginWindow.java +++ b/dozentenmodul/src/main/java/org/openslx/dozmod/gui/window/LoginWindow.java @@ -17,14 +17,17 @@ import javax.swing.DefaultComboBoxModel; import javax.swing.JFrame; import org.apache.log4j.Logger; +import org.apache.thrift.TBaseHelper; import org.apache.thrift.TException; import org.openslx.bwlp.thrift.iface.Organization; +import org.openslx.bwlp.thrift.iface.Satellite; import org.openslx.dozmod.App; import org.openslx.dozmod.Config; import org.openslx.dozmod.authentication.Authenticator; import org.openslx.dozmod.authentication.Authenticator.AuthenticationData; import org.openslx.dozmod.authentication.Authenticator.AuthenticatorCallback; import org.openslx.dozmod.authentication.EcpAuthenticator; +import org.openslx.dozmod.authentication.FingerprintManager; import org.openslx.dozmod.authentication.ShibbolethEcp; import org.openslx.dozmod.authentication.ShibbolethEcp.ReturnCode; import org.openslx.dozmod.authentication.TestAccountAuthenticator; @@ -330,6 +333,8 @@ public class LoginWindow extends LoginWindowLayout { */ private void postSuccessfulLogin(AuthenticationData data) { LOGGER.info(loginType.toString() + " succeeded, token " + data.satelliteToken); + // Update known suggested fingerprints + importFingerprints(data.satellites); // now try to init the session with the data received if (ThriftActions.initSession(data)) { if (saveUsernameCheck.isSelected()) { @@ -341,6 +346,25 @@ public class LoginWindow extends LoginWindowLayout { } } + /** + * If master server supplies certificate finger prints for a satellite, + * store them so we can verify later. + * + * @param satellites + */ + private void importFingerprints(List<Satellite> satellites) { + if (satellites == null || satellites.isEmpty()) + return; + for (Satellite sat : satellites) { + if (sat.addressList == null || sat.certSha256 == null || sat.addressList.isEmpty()) + continue; + byte[] fingerprint = TBaseHelper.byteBufferToByteArray(sat.certSha256); + for (String address : sat.addressList) { + FingerprintManager.saveSuggestedFingerprint(address, fingerprint); + } + } + } + @SuppressWarnings("deprecation") @Override public void show() { |