mirror of
https://github.com/GravitLauncher/Launcher
synced 2024-12-23 00:51:01 +03:00
[FEATURE] Проверка сертификата на право подписывать приложения
This commit is contained in:
parent
2fc32aa1aa
commit
5e27db127a
5 changed files with 28 additions and 9 deletions
|
@ -1,8 +1,10 @@
|
|||
package pro.gravit.launchserver.binary.tasks;
|
||||
|
||||
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
|
||||
import org.bouncycastle.asn1.x500.X500Name;
|
||||
import org.bouncycastle.asn1.x500.X500NameBuilder;
|
||||
import org.bouncycastle.asn1.x500.style.BCStyle;
|
||||
import org.bouncycastle.asn1.x509.Extension;
|
||||
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
|
||||
import org.bouncycastle.cert.X509CertificateHolder;
|
||||
import org.bouncycastle.cert.X509v3CertificateBuilder;
|
||||
|
@ -58,6 +60,7 @@ public Path process(Path inputFile) throws IOException {
|
|||
Date.from(startDate.plusDays(3650).atZone(ZoneId.systemDefault()).toInstant()),
|
||||
new X500Name("CN=ca"),
|
||||
SubjectPublicKeyInfo.getInstance(server.publicKey.getEncoded()));
|
||||
builder.addExtension(Extension.getInstance("1.3.6.1.5.5.7.3.3"));
|
||||
JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256WITHECDSA");
|
||||
ContentSigner signer = csBuilder.build(server.privateKey);
|
||||
bcCertificate = builder.build(signer);
|
||||
|
|
|
@ -208,9 +208,7 @@ else if (mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
|
|||
return;
|
||||
}
|
||||
try {
|
||||
trustManager.checkCertificate(certificates, (c, s) -> {
|
||||
|
||||
});
|
||||
trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
|
||||
} catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
|
||||
throw new SecurityException(e);
|
||||
}
|
||||
|
|
|
@ -47,9 +47,7 @@ public static void checkClass(Class<?> clazz) throws SecurityException {
|
|||
throw new SecurityException(String.format("Class %s not signed", clazz.getName()));
|
||||
}
|
||||
try {
|
||||
trustManager.checkCertificate(certificates, (c, s) -> {
|
||||
|
||||
});
|
||||
trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
|
||||
} catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
|
||||
throw new SecurityException(e);
|
||||
}
|
||||
|
|
|
@ -187,9 +187,7 @@ else if (mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
|
|||
return;
|
||||
}
|
||||
try {
|
||||
trustManager.checkCertificate(certificates, (c, s) -> {
|
||||
|
||||
});
|
||||
trustManager.checkCertificate(certificates, trustManager::stdCertificateChecker);
|
||||
} catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
|
||||
throw new SecurityException(e);
|
||||
}
|
||||
|
|
|
@ -91,8 +91,30 @@ public void isCertificateCodeSign(X509Certificate certificate)
|
|||
List<String> extended;
|
||||
try {
|
||||
extended = certificate.getExtendedKeyUsage();
|
||||
if(extended == null) throw new SecurityException("Certificate extendedKeyUsage null");
|
||||
boolean isCodeSign = false;
|
||||
for(String s : extended)
|
||||
{
|
||||
if(s.equals("1.3.6.1.5.5.7.3.3"))
|
||||
{
|
||||
isCodeSign = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if(!isCodeSign) throw new SecurityException("Certificate extendedKeyUsage codeSign checkFailed");
|
||||
} catch (CertificateParsingException e) {
|
||||
throw new SecurityException(e);
|
||||
}
|
||||
}
|
||||
public void isCertificateCA(X509Certificate certificate)
|
||||
{
|
||||
if(certificate.getBasicConstraints() <= 0) throw new SecurityException("This certificate not CA");
|
||||
}
|
||||
public void stdCertificateChecker(X509Certificate cert, X509Certificate signer)
|
||||
{
|
||||
if(signer == null)
|
||||
isCertificateCodeSign(cert);
|
||||
else
|
||||
isCertificateCA(cert);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue