[FIX] SecurityCheck command

This commit is contained in:
Gravita 2021-06-22 11:45:04 +07:00
parent 81be9d21de
commit b4718a8062


@ -12,17 +12,25 @@
import pro.gravit.launchserver.command.Command; import pro.gravit.launchserver.command.Command;
import pro.gravit.launchserver.components.ProGuardComponent; import pro.gravit.launchserver.components.ProGuardComponent;
import pro.gravit.launchserver.config.LaunchServerConfig; import pro.gravit.launchserver.config.LaunchServerConfig;
import pro.gravit.launchserver.helper.SignHelper;
import pro.gravit.utils.helper.IOHelper; import pro.gravit.utils.helper.IOHelper;
import pro.gravit.utils.helper.JVMHelper; import pro.gravit.utils.helper.JVMHelper;
import pro.gravit.utils.helper.LogHelper; import pro.gravit.utils.helper.LogHelper;
import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.nio.file.Paths; import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission; import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Set; import java.util.Set;
import java.util.StringTokenizer; import java.util.StringTokenizer;
import java.util.stream.Collectors;
public class SecurityCheckCommand extends Command { public class SecurityCheckCommand extends Command {
private static transient final Logger logger = LogManager.getLogger(); private static transient final Logger logger = LogManager.getLogger();
@ -32,7 +40,13 @@ public SecurityCheckCommand(LaunchServer server) {
} }
public static void printCheckResult(String module, String comment, Boolean status) { public static void printCheckResult(String module, String comment, Boolean status) {
logger.info(String.format("[%s] %s - %s", module, comment, status == null ? "WARN" : (status ? "OK" : "FAIL")), false); if (status == null) {
logger.warn(String.format("[%s] %s", module, comment));
} else if (status) {
logger.info(String.format("[%s] %s OK", module, comment));
} else {
logger.error(String.format("[%s] %s", module, comment));
}
} }
@Deprecated @Deprecated
@ -119,25 +133,30 @@ public void invoke(String... args) {
if (!config.sign.enabled) { if (!config.sign.enabled) {
printCheckResult("sign", "it is recommended to use a signature", null); printCheckResult("sign", "it is recommended to use a signature", null);
} else { } else {
/*boolean bad = false; boolean bad = false;
KeyStore keyStore = SignHelper.getStore(new File(config.sign.keyStore).toPath(), config.sign.keyStorePass, config.sign.keyStoreType); try {
X509Certificate[] certChain = (X509Certificate[]) keyStore.getCertificateChain(config.sign.keyAlias); KeyStore keyStore = SignHelper.getStore(new File(config.sign.keyStore).toPath(), config.sign.keyStorePass, config.sign.keyStoreType);
X509Certificate cert = (X509Certificate) keyStore.getCertificate(config.sign.keyAlias); Certificate[] certChainPlain = keyStore.getCertificateChain(config.sign.keyAlias);
cert.checkValidity(); List<X509Certificate> certChain = Arrays.stream(certChainPlain).map(e -> (X509Certificate) e).collect(Collectors.toList());
if(certChain.length <= 1) { X509Certificate cert = certChain.get(0);
printCheckResult("sign", "certificate chain contains <2 element(recommend 2 and more)", false); cert.checkValidity();
if (certChain.size() <= 1) {
printCheckResult("sign", "certificate chain contains <2 element(recommend 2 and more)", false);
bad = true;
}
if ((cert.getBasicConstraints() & 1) == 1) {
printCheckResult("sign", "end certificate - CA", false);
bad = true;
}
for (X509Certificate certificate : certChain) {
certificate.checkValidity();
}
} catch (Throwable e) {
logger.error("Sign check failed", e);
bad = true; bad = true;
} }
if((cert.getBasicConstraints() & 1) != 0) { if (!bad)
printCheckResult("sign", "end certificate - CA", false); printCheckResult("sign", "", true);
bad = true;
}
for(X509Certificate certificate : certChain)
{
certificate.checkValidity();
}
if(!bad)*/
printCheckResult("sign", "", true);
} }
if (config.components.values().stream().noneMatch(c -> c instanceof ProGuardComponent)) { if (config.components.values().stream().noneMatch(c -> c instanceof ProGuardComponent)) {
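Review bot: The CA test in the new else branch, `if ((cert.getBasicConstraints() & 1) == 1)`, inverts its own intent: X509Certificate.getBasicConstraints() returns -1 for a non-CA certificate (or no basic-constraints extension) and the pathLenConstraint (0 or more, Integer.MAX_VALUE when unbounded) for a CA, so -1 & 1 == 1 reports every ordinary end-entity signing certificate as "end certificate - CA" while a CA certificate with an even path length such as 0 passes silently. The line should read `if (cert.getBasicConstraints() != -1) {` with a comment such as `// -1 means not a CA; any other value is a CA pathLenConstraint`. Separately, keyStore.getCertificateChain() returns null when the alias is missing or is not a private-key entry and certChain.get(0) throws on an empty chain, and both currently surface only as the generic "Sign check failed" log from the catch (Throwable); a null/empty check on certChainPlain before the stream conversion, reported through printCheckResult with its own message, would give the operator a usable diagnosis. The enclosing invoke method begins and ends outside this hunk.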