From 5e27db127ab22bd36f8f244a044e01a08f3edada Mon Sep 17 00:00:00 2001
From: Gravit
Date: Wed, 11 Dec 2019 10:24:26 +0700
Subject: [PATCH] =?UTF-8?q?[FEATURE]=20=D0=9F=D1=80=D0=BE=D0=B2=D0=B5?=
 =?UTF-8?q?=D1=80=D0=BA=D0=B0=20=D1=81=D0=B5=D1=80=D1=82=D0=B8=D1=84=D0=B8?=
 =?UTF-8?q?=D0=BA=D0=B0=D1=82=D0=B0=20=D0=BD=D0=B0=20=D0=BF=D1=80=D0=B0?=
 =?UTF-8?q?=D0=B2=D0=BE=20=D0=BF=D0=BE=D0=B4=D0=BF=D0=B8=D1=81=D1=8B=D0=B2?=
 =?UTF-8?q?=D0=B0=D1=82=D1=8C=20=D0=BF=D1=80=D0=B8=D0=BB=D0=BE=D0=B6=D0=B5?=
 =?UTF-8?q?=D0=BD=D0=B8=D1=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../binary/tasks/CertificateAutogenTask.java | 3 +++
 .../manangers/CertificateManager.java | 4 +---
 .../pro/gravit/launcher/LauncherEngine.java | 4 +---
 .../modules/impl/SimpleModuleManager.java | 4 +---
 .../gravit/launcher/LauncherTrustManager.java | 22 +++++++++++++++++++
 5 files changed, 28 insertions(+), 9 deletions(-)
diff --git a/LaunchServer/src/main/java/pro/gravit/launchserver/binary/tasks/CertificateAutogenTask.java b/LaunchServer/src/main/java/pro/gravit/launchserver/binary/tasks/CertificateAutogenTask.java
index feaddff3..5301903c 100644
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/binary/tasks/CertificateAutogenTask.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/binary/tasks/CertificateAutogenTask.java
@@ -1,8 +1,10 @@
 package pro.gravit.launchserver.binary.tasks;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x500.X500NameBuilder;
 import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
@@ -58,6 +60,7 @@ public Path process(Path inputFile) throws IOException {
 Date.from(startDate.plusDays(3650).atZone(ZoneId.systemDefault()).toInstant()),
 new X500Name("CN=ca"),
 SubjectPublicKeyInfo.getInstance(server.publicKey.getEncoded()));
+ builder.addExtension(Extension.getInstance("1.3.6.1.5.5.7.3.3"));
 JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256WITHECDSA");
 ContentSigner signer = csBuilder.build(server.privateKey);
 bcCertificate = builder.build(signer);
diff --git a/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java b/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java
index 8744e7e6..c0eb3603 100644
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java
@@ -208,9 +208,7 @@ else if (mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
 return;
 }
 try {
- trustManager.checkCertificate(certificates, (c, s) -> {
-
- });
+ trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
 } catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
 throw new SecurityException(e);
 }
diff --git a/Launcher/src/main/java/pro/gravit/launcher/LauncherEngine.java b/Launcher/src/main/java/pro/gravit/launcher/LauncherEngine.java
index 9b3a3715..d8070087 100644
--- a/Launcher/src/main/java/pro/gravit/launcher/LauncherEngine.java
+++ b/Launcher/src/main/java/pro/gravit/launcher/LauncherEngine.java
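Review bot: `Extension.getInstance("1.3.6.1.5.5.7.3.3")` hands the codeSigning key-purpose OID, as a String, to a factory that expects an already-encoded X.509 Extension structure, so this line does not produce the extendedKeyUsage extension that the new `isCertificateCodeSign` check in LauncherTrustManager looks for; as far as I know BouncyCastle's `Extension.getInstance` rejects a String argument outright, which would make certificate generation fail rather than silently omit the extension. The intended call is `builder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_codeSigning));`, with `ExtendedKeyUsage` and `KeyPurposeId` imported in place of the `ASN1ObjectIdentifier` import added in the first hunk, which nothing in the change uses. This certificate is named `CN=ca`; if it is the one that later appears as a signer in the chain, the new `isCertificateCA` check will also require a BasicConstraints extension with cA=true, which is not added here — worth confirming how the chain is assembled. The `process` method continues outside the hunk.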
@@ -47,9 +47,7 @@ public static void checkClass(Class clazz) throws SecurityException {
 throw new SecurityException(String.format("Class %s not signed", clazz.getName()));
 }
 try {
- trustManager.checkCertificate(certificates, (c, s) -> {
-
- });
+ trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
 } catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
 throw new SecurityException(e);
 }
diff --git a/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java b/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java
index ce124b68..af9c68a8 100644
--- a/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java
+++ b/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java
@@ -187,9 +187,7 @@ else if (mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
 return;
 }
 try {
- trustManager.checkCertificate(certificates, (c, s) -> {
-
- });
+ trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
 } catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
 throw new SecurityException(e);
 }
diff --git a/LauncherCore/src/main/java/pro/gravit/launcher/LauncherTrustManager.java b/LauncherCore/src/main/java/pro/gravit/launcher/LauncherTrustManager.java
index 5710081a..23a280ff 100644
--- a/LauncherCore/src/main/java/pro/gravit/launcher/LauncherTrustManager.java
+++ b/LauncherCore/src/main/java/pro/gravit/launcher/LauncherTrustManager.java
@@ -91,8 +91,30 @@ public void isCertificateCodeSign(X509Certificate certificate)
 List extended;
 try {
 extended = certificate.getExtendedKeyUsage();
+ if(extended == null) throw new SecurityException("Certificate extendedKeyUsage null");
+ boolean isCodeSign = false;
+ for(String s : extended)
+ {
+ if(s.equals("1.3.6.1.5.5.7.3.3"))
+ {
+ isCodeSign = true;
+ break;
+ }
+ }
+ if(!isCodeSign) throw new SecurityException("Certificate extendedKeyUsage codeSign checkFailed");
 } catch (CertificateParsingException e) {
 throw new SecurityException(e);
 }
 }
+ public void isCertificateCA(X509Certificate certificate)
+ {
+ if(certificate.getBasicConstraints() <= 0) throw new SecurityException("This certificate not CA");
+ }
+ public void stdCertificateChecker(X509Certificate cert, X509Certificate signer)
+ {
+ if(signer == null)
+ isCertificateCodeSign(cert);
+ else
+ isCertificateCA(cert);
+ }
 }
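Review bot: `isCertificateCA` rejects a legitimate CA certificate whose BasicConstraints carries pathLenConstraint 0, because `X509Certificate.getBasicConstraints()` returns that path length (0) for such a CA and only returns -1 when the certificate is not a CA; the guard should read `if (certificate.getBasicConstraints() < 0) throw new SecurityException("This certificate not CA");`. In `isCertificateCodeSign`, the declaration reads as the raw type `List extended;` in this rendering; if it really is raw rather than `List<String>`, the new `for (String s : extended)` loop will not compile and the declaration needs the type argument. Neither method consults KeyUsage (keyCertSign for the issuer, digitalSignature for the leaf), which would be the natural companion check if the chain policy is meant to be strict — I cannot tell from here whether `checkCertificate` already covers that. As a point of style, `isCertificateCA` and `isCertificateCodeSign` are void methods that throw, so the `is*` prefix reads as a boolean query; a name like `requireCertificateCA` plus a Javadoc `@throws SecurityException` line would make the contract visible at the call sites, and the OID literal shared with CertificateAutogenTask would be better held in one named constant such as `private static final String CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3";`.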