[FIX] Фиксы системы сертификатов

This commit is contained in:
Gravit 2019-10-17 20:58:52 +07:00
parent 7c5616ef2b
commit d897a692f7
No known key found for this signature in database
GPG key ID: 061981E1E85D3216
5 changed files with 48 additions and 40 deletions


@ -32,6 +32,7 @@
import pro.gravit.launchserver.manangers.LaunchServerGsonManager;
import pro.gravit.launchserver.modules.impl.LaunchServerModulesManager;
import pro.gravit.launchserver.socket.WebSocketService;
import pro.gravit.utils.Version;
import pro.gravit.utils.command.CommandHandler;
import pro.gravit.utils.command.JLineCommandHandler;
import pro.gravit.utils.command.StdCommandHandler;
@ -41,9 +42,8 @@
import pro.gravit.utils.helper.SecurityHelper;
import pro.gravit.utils.verify.LauncherTrustManager;
import javax.crypto.Cipher;
public class LaunchServerStarter {
public static boolean allowUnsigned = Boolean.getBoolean("launchserver.allowUnsigned");
public static void main(String[] args) throws Exception {
JVMHelper.checkStackTrace(LaunchServerStarter.class);
JVMHelper.verifySystemProperties(LaunchServer.class, true);
@ -67,6 +67,12 @@ public static void main(String[] args) throws Exception {
} catch (CertificateException e) {
throw new IOException(e);
}
{
LauncherTrustManager.CheckMode mode = (Version.RELEASE == Version.Type.LTS || Version.RELEASE == Version.Type.STABLE) ?
(allowUnsigned ? LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED : LauncherTrustManager.CheckMode.EXCEPTION_IN_NOT_SIGNED) :
(allowUnsigned ? LauncherTrustManager.CheckMode.NONE_IN_NOT_SIGNED : LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED);
certificateManager.checkClass(LaunchServer.class, mode);
}
LaunchServerRuntimeConfig runtimeConfig;
LaunchServerConfig config;
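Review bot: `allowUnsigned` on line 26 is a public, non-final static read once from `launchserver.allowUnsigned`, yet it is what decides in the new block at lines 34-39 whether an unsigned LaunchServer class is fatal; declaring it `public static final boolean allowUnsigned = Boolean.getBoolean("launchserver.allowUnsigned");` keeps later-loaded code from flipping the check to a weaker mode, assuming nothing else in the project assigns it. The nested ternary that derives `mode` is hard to audit; a small helper such as `private static LauncherTrustManager.CheckMode selfCheckMode()` with a comment stating the policy (release builds fail closed, other builds only warn) would make the decision reviewable in one place. `main` continues outside the hunk.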


@ -8,12 +8,7 @@
import java.nio.file.Path;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
@ -48,6 +43,8 @@
import org.bouncycastle.util.io.pem.PemWriter;
import pro.gravit.utils.helper.IOHelper;
import pro.gravit.utils.helper.JVMHelper;
import pro.gravit.utils.helper.LogHelper;
import pro.gravit.utils.helper.SecurityHelper;
import pro.gravit.utils.verify.LauncherTrustManager;
@ -207,4 +204,25 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IO
}, false);
trustManager = new LauncherTrustManager(certificates.toArray(new X509Certificate[0]));
}
public void checkClass(Class<?> clazz, LauncherTrustManager.CheckMode mode) throws SecurityException
{
if(trustManager == null) return;
X509Certificate[] certificates = JVMHelper.getCertificates(clazz);
if(certificates == null)
{
if(mode == LauncherTrustManager.CheckMode.EXCEPTION_IN_NOT_SIGNED)
throw new SecurityException(String.format("Class %s not signed", clazz.getName()));
else if(mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
LogHelper.warning("Class %s not signed", clazz.getName());
return;
}
try {
trustManager.checkCertificate(certificates, (c,s) -> {
});
} catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
throw new SecurityException(e);
}
}
}
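Review bot: `checkClass` passes an empty `CertificateChecker` lambda at lines 83-84, so the per-certificate hook contributes no policy of its own and whatever `checkCertificate` enforces internally is the whole check; if that is intentional it deserves a comment such as `// no extra per-certificate policy; rely on the trust manager's chain check`, otherwise the hook should reject what the server considers invalid. The unsigned branch at line 74 only triggers on `null`; if `JVMHelper.getCertificates` can return an empty array for an unsigned class, that case bypasses `mode` entirely, so `if (certificates == null || certificates.length == 0)` would be safer. The same unsigned-handling block is duplicated verbatim in `SimpleModuleManager.checkModuleClass` in this commit; a shared helper would keep the two policies from drifting. The wildcard `import java.security.*;` on line 55 replaces explicit imports, which is against the usual convention.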


@ -1,24 +1,9 @@
package pro.gravit.launchserver.socket.handlers;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManager;
import pro.gravit.launcher.ssl.LauncherKeyStore;
import pro.gravit.launcher.ssl.LauncherTrustManager;
import pro.gravit.launchserver.LaunchServer;
import pro.gravit.launchserver.config.LaunchServerConfig;
import pro.gravit.launchserver.socket.LauncherNettyServer;
@ -46,20 +31,6 @@ public void close() {
//TODO: Close Impl
}
public SSLContext SSLContextInit() throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, KeyManagementException, IOException, CertificateException {
TrustManager[] trustAllCerts = new TrustManager[]{
new LauncherTrustManager()
};
KeyStore ks = LauncherKeyStore.getKeyStore("keystore", "PSP1000");
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory
.getDefaultAlgorithm());
kmf.init(ks, "PSP1000".toCharArray());
SSLContext sc = SSLContext.getInstance("TLSv1.2");
sc.init(kmf.getKeyManagers(), trustAllCerts, new SecureRandom());
return sc;
}
@Override
public void run() {
/*SSLContext sc = null;


@ -40,6 +40,7 @@ public class SimpleModuleManager implements LauncherModulesManager {
protected final Path modulesDir;
protected final LauncherTrustManager trustManager;
protected LauncherInitContext initContext;
protected LauncherTrustManager.CheckMode checkMode = LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED;
protected PublicURLClassLoader classLoader = new PublicURLClassLoader(new URL[]{});
@ -160,7 +161,7 @@ public LauncherModule loadModule(Path file) throws IOException {
classLoader.addURL(file.toUri().toURL());
@SuppressWarnings("unchecked cast")
Class<? extends LauncherModule> clazz = (Class<? extends LauncherModule>) Class.forName(moduleClass, false, classLoader);
checkModuleClass(clazz);
checkModuleClass(clazz, checkMode);
LauncherModule module = clazz.newInstance();
loadModule(module);
return module;
@ -171,13 +172,19 @@ public LauncherModule loadModule(Path file) throws IOException {
}
}
protected void checkModuleClass(Class<? extends LauncherModule> clazz) throws SecurityException
public void checkModuleClass(Class<? extends LauncherModule> clazz, LauncherTrustManager.CheckMode mode) throws SecurityException
{
if(trustManager == null) return;
X509Certificate[] certificates = JVMHelper.getCertificates(clazz);
if(certificates == null)
{
LogHelper.warning("Module class %s not signed", clazz.getName());
if(mode == LauncherTrustManager.CheckMode.EXCEPTION_IN_NOT_SIGNED)
throw new SecurityException(String.format("Class %s not signed", clazz.getName()));
else if(mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
LogHelper.warning("Class %s not signed", clazz.getName());
return;
}
try {
trustManager.checkCertificate(certificates, (c,s) -> {
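Review bot: The log message at line 165 changes from `Module class %s not signed` to `Class %s not signed`, which drops the context telling an operator that a module rather than the server itself failed the signature check; keeping `LogHelper.warning("Module class %s not signed", clazz.getName());` and the matching `String.format("Module class %s not signed", clazz.getName())` at line 163 keeps the two code paths distinguishable in logs. The new `checkMode` field at line 140 is a mutable protected field defaulting to `WARN_IN_NOT_SIGNED`, so unsigned modules are only warned about regardless of the release-type policy `LaunchServerStarter` applies to its own class; if one policy is intended, the default should be derived from it, or the weaker default documented on the field. `checkModuleClass` also becomes public here, widening the API of a security check; a Javadoc sentence stating what `mode` governs would help. The method body continues outside the hunk.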


@ -37,6 +37,12 @@ public LauncherTrustManager(byte[][] encodedCertificate) throws CertificateExcep
}
}).toArray(X509Certificate[]::new);
}
public enum CheckMode
{
EXCEPTION_IN_NOT_SIGNED, WARN_IN_NOT_SIGNED, NONE_IN_NOT_SIGNED
}
public interface CertificateChecker
{
void check(X509Certificate cert, X509Certificate signer) throws CertificateException, SecurityException;
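Review bot: The new `CheckMode` enum at lines 177-180 carries no documentation although its three values encode the server's code-signing policy; a Javadoc on each constant would help, e.g. `/** Unsigned code is rejected with a SecurityException. */` on `EXCEPTION_IN_NOT_SIGNED`, `/** Unsigned code is accepted but a warning is logged. */` on `WARN_IN_NOT_SIGNED`, and `/** Unsigned code is accepted silently. */` on `NONE_IN_NOT_SIGNED`, matching how `CertificateManager.checkClass` treats them in this commit. The enclosing class continues outside the hunk.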