Lanmikeman/Launcher
1
1
Fork 0
mirror of https://github.com/GravitLauncher/Launcher synced 2025-01-09 00:59:44 +03:00
Code Issues Projects Releases Packages Wiki Activity

[FEATURE] Проверка сертификата на право подписывать приложения

Browse source
This commit is contained in:
Gravit 2019-12-11 10:24:26 +07:00
parent 2fc32aa1aa
commit 5e27db127a
No known key found for this signature in database
GPG key ID: 061981E1E85D3216
5 changed files with 28 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
LaunchServer/src/main/java/pro/gravit/launchserver/binary/tasks/CertificateAutogenTask.java
View file

@ -1,8 +1,10 @@
package pro.gravit.launchserver.binary.tasks; package pro.gravit.launchserver.binary.tasks;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder; import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle; import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder; import org.bouncycastle.cert.X509v3CertificateBuilder;
@ -58,6 +60,7 @@ public Path process(Path inputFile) throws IOException {
Date.from(startDate.plusDays(3650).atZone(ZoneId.systemDefault()).toInstant()), Date.from(startDate.plusDays(3650).atZone(ZoneId.systemDefault()).toInstant()),
new X500Name("CN=ca"), new X500Name("CN=ca"),
SubjectPublicKeyInfo.getInstance(server.publicKey.getEncoded())); SubjectPublicKeyInfo.getInstance(server.publicKey.getEncoded()));
builder.addExtension(Extension.getInstance("1.3.6.1.5.5.7.3.3"));
JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256WITHECDSA"); JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256WITHECDSA");
ContentSigner signer = csBuilder.build(server.privateKey); ContentSigner signer = csBuilder.build(server.privateKey);
bcCertificate = builder.build(signer); bcCertificate = builder.build(signer);

4
LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java
View file

@ -208,9 +208,7 @@ else if (mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
return; return;
} }
try { try {
trustManager.checkCertificate(certificates, (c, s) -> { trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
});
} catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) { } catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
throw new SecurityException(e); throw new SecurityException(e);
} }

4
Launcher/src/main/java/pro/gravit/launcher/LauncherEngine.java
View file

@ -47,9 +47,7 @@ public static void checkClass(Class<?> clazz) throws SecurityException {
throw new SecurityException(String.format("Class %s not signed", clazz.getName())); throw new SecurityException(String.format("Class %s not signed", clazz.getName()));
} }
try { try {
trustManager.checkCertificate(certificates, (c, s) -> { trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
});
} catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) { } catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
throw new SecurityException(e); throw new SecurityException(e);
} }

4
LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java
View file

@ -187,9 +187,7 @@ else if (mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
return; return;
} }
try { try {
trustManager.checkCertificate(certificates, (c, s) -> { trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
});
} catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) { } catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
throw new SecurityException(e); throw new SecurityException(e);
} }

22
LauncherCore/src/main/java/pro/gravit/launcher/LauncherTrustManager.java
View file

@ -91,8 +91,30 @@ public void isCertificateCodeSign(X509Certificate certificate)
List<String> extended; List<String> extended;
try { try {
extended = certificate.getExtendedKeyUsage(); extended = certificate.getExtendedKeyUsage();
if(extended == null) throw new SecurityException("Certificate extendedKeyUsage null");
boolean isCodeSign = false;
for(String s : extended)
{
if(s.equals("1.3.6.1.5.5.7.3.3"))
{
isCodeSign = true;
break;
}
}
if(!isCodeSign) throw new SecurityException("Certificate extendedKeyUsage codeSign checkFailed");
} catch (CertificateParsingException e) { } catch (CertificateParsingException e) {
throw new SecurityException(e); throw new SecurityException(e);
} }
} }
public void isCertificateCA(X509Certificate certificate)
{
if(certificate.getBasicConstraints() <= 0) throw new SecurityException("This certificate not CA");
}
public void stdCertificateChecker(X509Certificate cert, X509Certificate signer)
{
if(signer == null)
isCertificateCodeSign(cert);
else
isCertificateCA(cert);
}
} }