dozentenmodul/src/main/java/org/openslx/dozmod/gui/GraphicalCertHandler.java


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

package org.openslx.dozmod.gui;

import java.math.BigInteger;
import java.security.KeyManagementException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.LogManager;
import org.openslx.dozmod.authentication.FingerprintManager;
import org.openslx.dozmod.gui.Gui.GuiCallable;
import org.openslx.dozmod.gui.helper.I18n;
import org.openslx.dozmod.gui.helper.MessageType;
import org.openslx.dozmod.util.ProxyConfigurator;

public class GraphicalCertHandler {

	private static final Logger LOGGER = LogManager.getLogger(GraphicalCertHandler.GuiTrustManager.class);

	private class GuiTrustManager implements X509TrustManager {

		@Override
		public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
		}

		@Override
		public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
			try {
				if (certs == null || certs.length == 0) {
					Boolean ret = Gui.syncExec(new GuiCallable<Boolean>() {
						@Override
						public Boolean run() {
							return Gui.showMessageBox(null,
									I18n.GUI.getString("GraphicalCertHandler.Message.warning.noCertificate"),
									MessageType.WARNING, LOGGER, null);
						}
					});
					if (ret)
						return;
					throw new CertificateException("No certificate provided by server");
				}
				byte[] encoded = certs[0].getEncoded();
				MessageDigest md;
				try {
					md = MessageDigest.getInstance("SHA-256");
				} catch (NoSuchAlgorithmException e) {
					LOGGER.warn("Could not get SHA-256 hash of certificate", e);
					throw new CertificateException("Could not get SHA-256 hash of certificate");
				}
				md.update(encoded);
				byte[] actualFingerprint = md.digest();
				final String actualFingerprintReadable = new BigInteger(actualFingerprint).toString(16);
				// Now check the finger print
				byte[] expectedFingerprint = FingerprintManager.getKnownFingerprint(address);
				if (expectedFingerprint == null) {
					expectedFingerprint = FingerprintManager.getSuggestedFingerprint(address);
				}
				final String question;
				if (expectedFingerprint == null) {
					// First time we connect to this server, so remember the finger print
					FingerprintManager.saveKnownFingerprint(address, actualFingerprint);
					return;
				} else if (Arrays.equals(actualFingerprint, expectedFingerprint)) {
					// Known, matches, everything's fine
					return;
				} else {
					byte[] sf = FingerprintManager.getSuggestedFingerprint(address);
					if (sf != null && Arrays.equals(actualFingerprint, sf)) {
						// User stored invalid finger print, but master suggests the finger print we found.
						// It probably changed, the satellite told the master server, but the user doesn't know yet.
						FingerprintManager.saveKnownFingerprint(address, actualFingerprint);
						return;
					}
					// Known, mismatch, panic!
					question = I18n.GUI.getString("GraphicalCertHandler.Message.yesNo.fingerprintChanged",
							address,
							new BigInteger(expectedFingerprint).toString(16), actualFingerprintReadable);
				}
				// Some question needs to be asked
				Boolean userOk = Gui.syncExec(new GuiCallable<Boolean>() {
					@Override
					public Boolean run() {
						return Gui.showMessageBox(null, question, MessageType.QUESTION_YESNO, null, null);
					}
				});
				if (userOk) {
					FingerprintManager.saveKnownFingerprint(address, actualFingerprint);
				} else {
					throw new CertificateException("Rejected by user");
				}
			} catch (Throwable t) {
				LOGGER.warn("Exception when checking cert of satellite", t);
				throw t;
			}
		}

		@Override
		public X509Certificate[] getAcceptedIssuers() {
			return null;
		}

	}

	private final String address;

	private final SSLContext sslContext;

	private GraphicalCertHandler(String address) {
		SSLContext ctx = null;
		try {
			ctx = ProxyConfigurator.getThriftSslContext();
			// Make copy
			ctx = SSLContext.getInstance(ctx.getProtocol(), ctx.getProvider());
		} catch (NoSuchAlgorithmException e) {
			Gui.asyncMessageBox(I18n.GUI.getString("GraphicalCertHandler.Message.error.couldNotGetSSLContext"),
					MessageType.ERROR, LOGGER, e);
		}
		if (ctx != null) {
			try {
				ctx.init(null, new TrustManager[] { new GuiTrustManager() }, null);
			} catch (KeyManagementException e) {
				Gui.asyncMessageBox(
						I18n.GUI.getString("GraphicalCertHandler.Message.error.couldNotInitializeSSLContext"),
						MessageType.ERROR, LOGGER, e);
				ctx = null;
			}
		}
		this.sslContext = ctx;
		this.address = address;
	}

	public static SSLContext getSslContext(String address) {
		return new GraphicalCertHandler(address).sslContext;
	}

}