mirror of
git://git.proxmox.com/git/vncterm.git
synced 2025-01-27 22:03:34 +03:00
194 lines
5.2 KiB
Diff
194 lines
5.2 KiB
Diff
|
|
Unfortunately the java certificate store does not correctly access
|
|
the browser certificate store (firefox, chrome). We also tunnel VNC
|
|
traffic from other cluster nodes.
|
|
|
|
So we implement our own trust manager, and allow to pass the server
|
|
certificate (or CA who signed the server certificate) as applet
|
|
parameter "PVECert" (newline encoded as '|').
|
|
|
|
Index: new/java/src/com/tigervnc/vncviewer/X509Tunnel.java
|
|
===================================================================
|
|
--- new.orig/java/src/com/tigervnc/vncviewer/X509Tunnel.java 2011-01-28 13:22:50.000000000 +0100
|
|
+++ new/java/src/com/tigervnc/vncviewer/X509Tunnel.java 2011-01-28 13:26:51.000000000 +0100
|
|
@@ -26,13 +26,23 @@
|
|
import javax.net.ssl.*;
|
|
import java.security.*;
|
|
import java.security.cert.*;
|
|
+import java.security.cert.Certificate;
|
|
+import java.security.cert.CertificateFactory;
|
|
+import java.io.*;
|
|
|
|
public class X509Tunnel extends TLSTunnelBase
|
|
{
|
|
|
|
- public X509Tunnel (Socket sock_)
|
|
+ Certificate pvecert;
|
|
+
|
|
+ public X509Tunnel (Socket sock_, String certstr) throws CertificateException
|
|
{
|
|
super (sock_);
|
|
+
|
|
+ if (certstr != null) {
|
|
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
|
+ pvecert = cf.generateCertificate(new StringBufferInputStream(certstr));
|
|
+ }
|
|
}
|
|
|
|
protected void setParam (SSLSocket sock)
|
|
@@ -52,9 +62,51 @@
|
|
protected void initContext (SSLContext sc) throws java.security.
|
|
GeneralSecurityException
|
|
{
|
|
- TrustManager[] myTM = new TrustManager[]
|
|
- {
|
|
- new MyX509TrustManager ()};
|
|
+ TrustManager[] myTM;
|
|
+
|
|
+ if (pvecert != null) {
|
|
+ myTM = new TrustManager[] {
|
|
+ new X509TrustManager() {
|
|
+ public java.security.cert.X509Certificate[]
|
|
+ getAcceptedIssuers() {
|
|
+ return null;
|
|
+ }
|
|
+ public void checkClientTrusted(
|
|
+ java.security.cert.X509Certificate[] certs,
|
|
+ String authType) throws CertificateException {
|
|
+ throw new CertificateException("no clients");
|
|
+ }
|
|
+ public void checkServerTrusted(
|
|
+ java.security.cert.X509Certificate[] certs,
|
|
+ String authType) throws CertificateException {
|
|
+
|
|
+ if (certs == null || certs.length < 1) {
|
|
+ throw new CertificateException("no certs");
|
|
+ }
|
|
+ if (certs == null || certs.length > 1) {
|
|
+ throw new CertificateException("cert path too long");
|
|
+ }
|
|
+ PublicKey cakey = pvecert.getPublicKey();
|
|
+
|
|
+ boolean ca_match;
|
|
+ try {
|
|
+ certs[0].verify(cakey);
|
|
+ ca_match = true;
|
|
+ } catch (Exception e) {
|
|
+ ca_match = false;
|
|
+ }
|
|
+
|
|
+ if (!ca_match && !pvecert.equals(certs[0])) {
|
|
+ throw new CertificateException("certificate does not match");
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ };
|
|
+ } else {
|
|
+ myTM = new TrustManager[] {
|
|
+ new MyX509TrustManager ()
|
|
+ };
|
|
+ }
|
|
sc.init (null, myTM, null);
|
|
}
|
|
|
|
@@ -100,4 +152,5 @@
|
|
return tm.getAcceptedIssuers ();
|
|
}
|
|
}
|
|
+
|
|
}
|
|
Index: new/java/src/com/tigervnc/vncviewer/RfbProto.java
|
|
===================================================================
|
|
--- new.orig/java/src/com/tigervnc/vncviewer/RfbProto.java 2011-01-28 13:22:50.000000000 +0100
|
|
+++ new/java/src/com/tigervnc/vncviewer/RfbProto.java 2011-01-28 13:26:51.000000000 +0100
|
|
@@ -411,7 +411,8 @@
|
|
}
|
|
|
|
void authenticateX509() throws Exception {
|
|
- X509Tunnel tunnel = new X509Tunnel(sock);
|
|
+
|
|
+ X509Tunnel tunnel = new X509Tunnel(sock, viewer.PVECert);
|
|
tunnel.setup (this);
|
|
}
|
|
|
|
Index: new/java/src/com/tigervnc/vncviewer/VncViewer.java
|
|
===================================================================
|
|
--- new.orig/java/src/com/tigervnc/vncviewer/VncViewer.java 2011-01-28 13:26:16.000000000 +0100
|
|
+++ new/java/src/com/tigervnc/vncviewer/VncViewer.java 2011-01-28 13:26:51.000000000 +0100
|
|
@@ -95,6 +95,8 @@
|
|
int debugStatsExcludeUpdates;
|
|
int debugStatsMeasureUpdates;
|
|
|
|
+ String PVECert;
|
|
+
|
|
JSObject jswin;
|
|
String myid;
|
|
|
|
@@ -278,7 +280,7 @@
|
|
fatalError(e.toString(), e);
|
|
}
|
|
}
|
|
-
|
|
+
|
|
}
|
|
|
|
//
|
|
@@ -314,7 +316,7 @@
|
|
// If the rfbThread is being stopped, ignore any exceptions,
|
|
// otherwise rethrow the exception so it can be handled.
|
|
//
|
|
-
|
|
+
|
|
void processNormalProtocol() throws Exception {
|
|
try {
|
|
vc.processNormalProtocol();
|
|
@@ -857,6 +859,11 @@
|
|
|
|
// SocketFactory.
|
|
socketFactory = readParameter("SocketFactory", false);
|
|
+
|
|
+ String tmpcert = readParameter("PVECert", false);
|
|
+ if (tmpcert != null) {
|
|
+ PVECert = tmpcert.replace('|', '\n');
|
|
+ }
|
|
}
|
|
|
|
//
|
|
@@ -1010,7 +1017,7 @@
|
|
}
|
|
|
|
synchronized public void fatalError(String str, Exception e) {
|
|
-
|
|
+
|
|
if (rfb != null && rfb.closed()) {
|
|
// Not necessary to show error message if the error was caused
|
|
// by I/O problems after the rfb.close() method call.
|
|
@@ -1108,11 +1115,11 @@
|
|
public void enableInput(boolean enable) {
|
|
vc.enableInput(enable);
|
|
}
|
|
-
|
|
+
|
|
//
|
|
// Resize framebuffer if autoScale is enabled.
|
|
//
|
|
-
|
|
+
|
|
public void componentResized(ComponentEvent e) {
|
|
if (e.getComponent() == vncFrame) {
|
|
if (options.autoScale) {
|
|
@@ -1124,11 +1131,11 @@
|
|
}
|
|
}
|
|
}
|
|
-
|
|
+
|
|
//
|
|
// Ignore component events we're not interested in.
|
|
//
|
|
-
|
|
+
|
|
public void componentShown(ComponentEvent e) { }
|
|
public void componentMoved(ComponentEvent e) { }
|
|
public void componentHidden(ComponentEvent e) { }
|