vncterm/tigerpatches/trust-manager.patch
Dietmar Maurer 6b53b0de88 disable javascript-events.patch
We do not really use that, and the old netscape library is not
in openjdk (plugin.jar)
2013-04-20 15:59:38 +02:00


Unfortunately the java certificate store does not correctly access
the browser certificate store (firefox, chrome). We also tunnel VNC
traffic from other cluster nodes.
So we implement our own trust manager, and allow passing the server
certificate (or CA who signed the server certificate) as applet
parameter "PVECert" (newline encoded as '|').
Index: new/java/src/com/tigervnc/vncviewer/X509Tunnel.java
===================================================================
--- new.orig/java/src/com/tigervnc/vncviewer/X509Tunnel.java 2013-04-20 15:24:59.000000000 +0200
+++ new/java/src/com/tigervnc/vncviewer/X509Tunnel.java 2013-04-20 15:28:55.000000000 +0200
@@ -26,13 +26,23 @@
import javax.net.ssl.*;
import java.security.*;
import java.security.cert.*;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.io.*;
public class X509Tunnel extends TLSTunnelBase
{
- public X509Tunnel (Socket sock_)
+ Certificate pvecert;
+
+ public X509Tunnel (Socket sock_, String certstr) throws CertificateException
{
super (sock_);
+
+ if (certstr != null) {
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ pvecert = cf.generateCertificate(new StringBufferInputStream(certstr));
+ }
}
protected void setParam (SSLSocket sock)
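Review bot: `StringBufferInputStream` on the `pvecert = cf.generateCertificate(...)` line has been deprecated since JDK 1.1 because it keeps only the low byte of each character; a PEM certificate is plain ASCII so the result is the same here, but the idiomatic form is `new ByteArrayInputStream(certstr.getBytes(java.nio.charset.StandardCharsets.US_ASCII))` (Java 7+; whether the applet still targets an older runtime is not visible in this hunk). It is also worth stating the failure mode in a comment above the `if (certstr != null)` block, since it is a deliberate security property: `// A PVECert that is present but unparsable aborts the connection (CertificateException) instead of falling back to the default trust manager.` The constructor's behaviour when `certstr` is null — the later fallback to `MyX509TrustManager` in initContext — is only visible in the next hunk.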
@@ -52,9 +62,51 @@
protected void initContext (SSLContext sc) throws java.security.
GeneralSecurityException
{
- TrustManager[] myTM = new TrustManager[]
- {
- new MyX509TrustManager ()};
+ TrustManager[] myTM;
+
+ if (pvecert != null) {
+ myTM = new TrustManager[] {
+ new X509TrustManager() {
+ public java.security.cert.X509Certificate[]
+ getAcceptedIssuers() {
+ return null;
+ }
+ public void checkClientTrusted(
+ java.security.cert.X509Certificate[] certs,
+ String authType) throws CertificateException {
+ throw new CertificateException("no clients");
+ }
+ public void checkServerTrusted(
+ java.security.cert.X509Certificate[] certs,
+ String authType) throws CertificateException {
+
+ if (certs == null || certs.length < 1) {
+ throw new CertificateException("no certs");
+ }
+ if (certs == null || certs.length > 1) {
+ throw new CertificateException("cert path too long");
+ }
+ PublicKey cakey = pvecert.getPublicKey();
+
+ boolean ca_match;
+ try {
+ certs[0].verify(cakey);
+ ca_match = true;
+ } catch (Exception e) {
+ ca_match = false;
+ }
+
+ if (!ca_match && !pvecert.equals(certs[0])) {
+ throw new CertificateException("certificate does not match");
+ }
+ }
+ }
+ };
+ } else {
+ myTM = new TrustManager[] {
+ new MyX509TrustManager ()
+ };
+ }
sc.init (null, myTM, null);
}
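Review bot: `checkServerTrusted` never calls `certs[0].checkValidity()`, so an expired or not-yet-valid server certificate is accepted as long as it is signed by, or equal to, `pvecert`; add `certs[0].checkValidity();` right after the two length checks — it throws `CertificateExpiredException`/`CertificateNotYetValidException`, both subclasses of `CertificateException`, so the signature is unchanged. The second guard, `if (certs == null || certs.length > 1)`, repeats the null test made one line earlier and can be reduced to `if (certs.length > 1)`. `getAcceptedIssuers()` returning `null` departs from the `X509TrustManager` contract, which expects an array; `return new java.security.cert.X509Certificate[0];` is the safe form even if JSSE probably never calls it for a client-only manager. The `catch (Exception e)` around `certs[0].verify(cakey)` should be narrowed to `catch (GeneralSecurityException e)` so the rejection path documents what it is actually handling. A class-level comment should also record that pinning to `pvecert` replaces hostname verification entirely — any certificate issued by the pinned CA is accepted for any node, which matches the cluster-tunnel use described in the patch header but is not obvious from the code.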
@@ -100,4 +152,5 @@
return tm.getAcceptedIssuers ();
}
}
+
}
Index: new/java/src/com/tigervnc/vncviewer/RfbProto.java
===================================================================
--- new.orig/java/src/com/tigervnc/vncviewer/RfbProto.java 2013-04-20 15:24:59.000000000 +0200
+++ new/java/src/com/tigervnc/vncviewer/RfbProto.java 2013-04-20 15:28:55.000000000 +0200
@@ -411,7 +411,8 @@
}
void authenticateX509() throws Exception {
- X509Tunnel tunnel = new X509Tunnel(sock);
+
+ X509Tunnel tunnel = new X509Tunnel(sock, viewer.PVECert);
tunnel.setup (this);
}
Index: new/java/src/com/tigervnc/vncviewer/VncViewer.java
===================================================================
--- new.orig/java/src/com/tigervnc/vncviewer/VncViewer.java 2013-04-20 15:28:42.000000000 +0200
+++ new/java/src/com/tigervnc/vncviewer/VncViewer.java 2013-04-20 15:29:55.000000000 +0200
@@ -91,6 +91,8 @@
int debugStatsExcludeUpdates;
int debugStatsMeasureUpdates;
+ String PVECert;
+
// Reference to this applet for inter-applet communication.
public static java.applet.Applet refApplet;
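Review bot: `String PVECert;` is added without a comment even though it ends up as the trust anchor for the VNC TLS tunnel; suggest `// Server certificate, or the CA that signed it, from the "PVECert" applet parameter ('|' already expanded to newlines); null when not supplied.` Package-private access appears to be required because `RfbProto` reads `viewer.PVECert` directly, so it cannot simply be made `private` without adding an accessor.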
@@ -263,7 +265,7 @@
fatalError(e.toString(), e);
}
}
-
+
}
//
@@ -299,7 +301,7 @@
// If the rfbThread is being stopped, ignore any exceptions,
// otherwise rethrow the exception so it can be handled.
//
-
+
void processNormalProtocol() throws Exception {
try {
vc.processNormalProtocol();
@@ -842,6 +844,11 @@
// SocketFactory.
socketFactory = readParameter("SocketFactory", false);
+
+ String tmpcert = readParameter("PVECert", false);
+ if (tmpcert != null) {
+ PVECert = tmpcert.replace('|', '\n');
+ }
}
//
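Review bot: The value read from `readParameter("PVECert", false)` becomes the only trust anchor for the tunnel in `X509Tunnel`, but nothing here says so; a comment above the `String tmpcert = ...` line would make the trust boundary explicit: `// PVECert is the trust anchor for the VNC TLS tunnel; it is only as trustworthy as the page that delivered this applet tag.` The `'|'` to newline substitution is safe for a PEM body, since base64 and the BEGIN/END markers never contain `'|'` — presumably the parameter is always PEM, which the code does not check. The enclosing method starts and ends outside this hunk.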
@@ -991,7 +998,7 @@
}
synchronized public void fatalError(String str, Exception e) {
-
+
if (rfb != null && rfb.closed()) {
// Not necessary to show error message if the error was caused
// by I/O problems after the rfb.close() method call.
@@ -1084,11 +1091,11 @@
public void enableInput(boolean enable) {
vc.enableInput(enable);
}
-
+
//
// Resize framebuffer if autoScale is enabled.
//
-
+
public void componentResized(ComponentEvent e) {
if (e.getComponent() == vncFrame) {
if (options.autoScale) {
@@ -1100,11 +1107,11 @@
}
}
}
-
+
//
// Ignore component events we're not interested in.
//
-
+
public void componentShown(ComponentEvent e) { }
public void componentMoved(ComponentEvent e) { }
public void componentHidden(ComponentEvent e) { }