diff --git a/LaunchServer/src/main/java/pro/gravit/launchserver/binary/tasks/CertificateAutogenTask.java b/LaunchServer/src/main/java/pro/gravit/launchserver/binary/tasks/CertificateAutogenTask.java
index feaddff3..5301903c 100644
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/binary/tasks/CertificateAutogenTask.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/binary/tasks/CertificateAutogenTask.java
@@ -1,8 +1,10 @@
 package pro.gravit.launchserver.binary.tasks;
 
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x500.X500NameBuilder;
 import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
@@ -58,6 +60,7 @@ public Path process(Path inputFile) throws IOException {
 Date.from(startDate.plusDays(3650).atZone(ZoneId.systemDefault()).toInstant()),
 new X500Name("CN=ca"),
 SubjectPublicKeyInfo.getInstance(server.publicKey.getEncoded()));
+builder.addExtension(Extension.getInstance("1.3.6.1.5.5.7.3.3"));
 JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256WITHECDSA");
 ContentSigner signer = csBuilder.build(server.privateKey);
 bcCertificate = builder.build(signer);
diff --git a/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java b/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java
index 8744e7e6..c0eb3603 100644
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java
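Review bot: `Extension.getInstance("1.3.6.1.5.5.7.3.3")` in the `process` hunk cannot produce an extended-key-usage extension: `Extension.getInstance` accepts an `Extension` or an ASN.1 SEQUENCE encoding one (OID, criticality, OCTET STRING value), so a bare OID string is rejected at runtime, and even as a value an OID alone is not an `ExtendedKeyUsage`. The intended line is `builder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_codeSigning));`, importing `org.bouncycastle.asn1.x509.ExtendedKeyUsage` and `org.bouncycastle.asn1.x509.KeyPurposeId` alongside `Extension`; the `ASN1ObjectIdentifier` import added in the first hunk is not used in the hunks shown. If this self-signed "CN=ca" certificate is also expected to appear as a signer under the new `isCertificateCA` check in `LauncherTrustManager`, it additionally needs a `basicConstraints` extension with `cA=true`, which this hunk does not add — worth confirming against how the chain is built. `process` continues outside the hunk.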
@@ -208,9 +208,7 @@ else if (mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
 return;
 }
 try {
-trustManager.checkCertificate(certificates, (c, s) -> {
-
-});
+trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
 } catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
 throw new SecurityException(e);
 }
diff --git a/Launcher/src/main/java/pro/gravit/launcher/LauncherEngine.java b/Launcher/src/main/java/pro/gravit/launcher/LauncherEngine.java
index 9b3a3715..d8070087 100644
--- a/Launcher/src/main/java/pro/gravit/launcher/LauncherEngine.java
+++ b/Launcher/src/main/java/pro/gravit/launcher/LauncherEngine.java
@@ -47,9 +47,7 @@ public static void checkClass(Class clazz) throws SecurityException {
 throw new SecurityException(String.format("Class %s not signed", clazz.getName()));
 }
 try {
-trustManager.checkCertificate(certificates, (c, s) -> {
-
-});
+trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
 } catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
 throw new SecurityException(e);
 }
diff --git a/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java b/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java
index ce124b68..af9c68a8 100644
--- a/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java
+++ b/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java
@@ -187,9 +187,7 @@ else if (mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
 return;
 }
 try {
-trustManager.checkCertificate(certificates, (c, s) -> {
-
-});
+trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
 } catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
 throw new SecurityException(e);
 }
diff --git a/LauncherCore/src/main/java/pro/gravit/launcher/LauncherTrustManager.java b/LauncherCore/src/main/java/pro/gravit/launcher/LauncherTrustManager.java
index 5710081a..23a280ff 100644
--- a/LauncherCore/src/main/java/pro/gravit/launcher/LauncherTrustManager.java
+++ b/LauncherCore/src/main/java/pro/gravit/launcher/LauncherTrustManager.java
@@ -91,8 +91,30 @@ public void isCertificateCodeSign(X509Certificate certificate)
 List extended;
 try {
 extended = certificate.getExtendedKeyUsage();
+if(extended == null) throw new SecurityException("Certificate extendedKeyUsage null");
+boolean isCodeSign = false;
+for(String s : extended)
+{
+if(s.equals("1.3.6.1.5.5.7.3.3"))
+{
+isCodeSign = true;
+break;
+}
+}
+if(!isCodeSign) throw new SecurityException("Certificate extendedKeyUsage codeSign checkFailed");
 } catch (CertificateParsingException e) {
 throw new SecurityException(e);
 }
 }
+public void isCertificateCA(X509Certificate certificate)
+{
+if(certificate.getBasicConstraints() <= 0) throw new SecurityException("This certificate not CA");
+}
+public void stdCertificateChecker(X509Certificate cert, X509Certificate signer)
+{
+if(signer == null)
+isCertificateCodeSign(cert);
+else
+isCertificateCA(cert);
+}
 }
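Review bot: `isCertificateCA` in the `LauncherTrustManager` hunk rejects legitimate issuing CAs: `X509Certificate.getBasicConstraints()` returns -1 when the certificate is not a CA and otherwise its pathLenConstraint, which is 0 for a CA that may only issue end-entity certificates, so `<= 0` throws for exactly the intermediate a code-signing leaf would be signed by; the check should read `if (certificate.getBasicConstraints() < 0) throw new SecurityException("This certificate not CA");`. In `isCertificateCodeSign`, the manual flag loop can be `if (!extended.contains(CODE_SIGNING_OID)) throw …` with the OID lifted into a named constant, since the same literal is repeated in `CertificateAutogenTask`. The context line shows `extended` declared as a raw `List`; if that is really the declaration and not a type argument lost in rendering, `for (String s : extended)` will not compile, so it is worth confirming it is `List<String>`.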