mirror of
https://github.com/GravitLauncher/Launcher
synced 2024-12-22 16:41:46 +03:00
[FIX] Фиксы системы сертификатов
This commit is contained in:
parent
7c5616ef2b
commit
d897a692f7
5 changed files with 48 additions and 40 deletions
|
@ -32,6 +32,7 @@
|
|||
import pro.gravit.launchserver.manangers.LaunchServerGsonManager;
|
||||
import pro.gravit.launchserver.modules.impl.LaunchServerModulesManager;
|
||||
import pro.gravit.launchserver.socket.WebSocketService;
|
||||
import pro.gravit.utils.Version;
|
||||
import pro.gravit.utils.command.CommandHandler;
|
||||
import pro.gravit.utils.command.JLineCommandHandler;
|
||||
import pro.gravit.utils.command.StdCommandHandler;
|
||||
|
@ -41,9 +42,8 @@
|
|||
import pro.gravit.utils.helper.SecurityHelper;
|
||||
import pro.gravit.utils.verify.LauncherTrustManager;
|
||||
|
||||
import javax.crypto.Cipher;
|
||||
|
||||
public class LaunchServerStarter {
|
||||
public static boolean allowUnsigned = Boolean.getBoolean("launchserver.allowUnsigned");
|
||||
public static void main(String[] args) throws Exception {
|
||||
JVMHelper.checkStackTrace(LaunchServerStarter.class);
|
||||
JVMHelper.verifySystemProperties(LaunchServer.class, true);
|
||||
|
@ -67,6 +67,12 @@ public static void main(String[] args) throws Exception {
|
|||
} catch (CertificateException e) {
|
||||
throw new IOException(e);
|
||||
}
|
||||
{
|
||||
LauncherTrustManager.CheckMode mode = (Version.RELEASE == Version.Type.LTS || Version.RELEASE == Version.Type.STABLE) ?
|
||||
(allowUnsigned ? LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED : LauncherTrustManager.CheckMode.EXCEPTION_IN_NOT_SIGNED) :
|
||||
(allowUnsigned ? LauncherTrustManager.CheckMode.NONE_IN_NOT_SIGNED : LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED);
|
||||
certificateManager.checkClass(LaunchServer.class, mode);
|
||||
}
|
||||
|
||||
LaunchServerRuntimeConfig runtimeConfig;
|
||||
LaunchServerConfig config;
|
||||
|
|
|
@ -8,12 +8,7 @@
|
|||
import java.nio.file.Path;
|
||||
import java.nio.file.SimpleFileVisitor;
|
||||
import java.nio.file.attribute.BasicFileAttributes;
|
||||
import java.security.InvalidAlgorithmParameterException;
|
||||
import java.security.KeyPair;
|
||||
import java.security.KeyPairGenerator;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.PublicKey;
|
||||
import java.security.*;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.CertificateFactory;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
@ -48,6 +43,8 @@
|
|||
import org.bouncycastle.util.io.pem.PemWriter;
|
||||
|
||||
import pro.gravit.utils.helper.IOHelper;
|
||||
import pro.gravit.utils.helper.JVMHelper;
|
||||
import pro.gravit.utils.helper.LogHelper;
|
||||
import pro.gravit.utils.helper.SecurityHelper;
|
||||
import pro.gravit.utils.verify.LauncherTrustManager;
|
||||
|
||||
|
@ -207,4 +204,25 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IO
|
|||
}, false);
|
||||
trustManager = new LauncherTrustManager(certificates.toArray(new X509Certificate[0]));
|
||||
}
|
||||
|
||||
public void checkClass(Class<?> clazz, LauncherTrustManager.CheckMode mode) throws SecurityException
|
||||
{
|
||||
if(trustManager == null) return;
|
||||
X509Certificate[] certificates = JVMHelper.getCertificates(clazz);
|
||||
if(certificates == null)
|
||||
{
|
||||
if(mode == LauncherTrustManager.CheckMode.EXCEPTION_IN_NOT_SIGNED)
|
||||
throw new SecurityException(String.format("Class %s not signed", clazz.getName()));
|
||||
else if(mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
|
||||
LogHelper.warning("Class %s not signed", clazz.getName());
|
||||
return;
|
||||
}
|
||||
try {
|
||||
trustManager.checkCertificate(certificates, (c,s) -> {
|
||||
|
||||
});
|
||||
} catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
|
||||
throw new SecurityException(e);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,24 +1,9 @@
|
|||
package pro.gravit.launchserver.socket.handlers;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.net.Socket;
|
||||
import java.security.KeyManagementException;
|
||||
import java.security.KeyStore;
|
||||
import java.security.KeyStoreException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.SecureRandom;
|
||||
import java.security.UnrecoverableKeyException;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.net.ssl.KeyManagerFactory;
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLServerSocketFactory;
|
||||
import javax.net.ssl.TrustManager;
|
||||
|
||||
import pro.gravit.launcher.ssl.LauncherKeyStore;
|
||||
import pro.gravit.launcher.ssl.LauncherTrustManager;
|
||||
import pro.gravit.launchserver.LaunchServer;
|
||||
import pro.gravit.launchserver.config.LaunchServerConfig;
|
||||
import pro.gravit.launchserver.socket.LauncherNettyServer;
|
||||
|
@ -46,20 +31,6 @@ public void close() {
|
|||
//TODO: Close Impl
|
||||
}
|
||||
|
||||
public SSLContext SSLContextInit() throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, KeyManagementException, IOException, CertificateException {
|
||||
TrustManager[] trustAllCerts = new TrustManager[]{
|
||||
new LauncherTrustManager()
|
||||
};
|
||||
KeyStore ks = LauncherKeyStore.getKeyStore("keystore", "PSP1000");
|
||||
|
||||
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory
|
||||
.getDefaultAlgorithm());
|
||||
kmf.init(ks, "PSP1000".toCharArray());
|
||||
SSLContext sc = SSLContext.getInstance("TLSv1.2");
|
||||
sc.init(kmf.getKeyManagers(), trustAllCerts, new SecureRandom());
|
||||
return sc;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void run() {
|
||||
/*SSLContext sc = null;
|
||||
|
|
|
@ -40,6 +40,7 @@ public class SimpleModuleManager implements LauncherModulesManager {
|
|||
protected final Path modulesDir;
|
||||
protected final LauncherTrustManager trustManager;
|
||||
protected LauncherInitContext initContext;
|
||||
protected LauncherTrustManager.CheckMode checkMode = LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED;
|
||||
|
||||
protected PublicURLClassLoader classLoader = new PublicURLClassLoader(new URL[]{});
|
||||
|
||||
|
@ -160,7 +161,7 @@ public LauncherModule loadModule(Path file) throws IOException {
|
|||
classLoader.addURL(file.toUri().toURL());
|
||||
@SuppressWarnings("unchecked cast")
|
||||
Class<? extends LauncherModule> clazz = (Class<? extends LauncherModule>) Class.forName(moduleClass, false, classLoader);
|
||||
checkModuleClass(clazz);
|
||||
checkModuleClass(clazz, checkMode);
|
||||
LauncherModule module = clazz.newInstance();
|
||||
loadModule(module);
|
||||
return module;
|
||||
|
@ -171,13 +172,19 @@ public LauncherModule loadModule(Path file) throws IOException {
|
|||
}
|
||||
}
|
||||
|
||||
protected void checkModuleClass(Class<? extends LauncherModule> clazz) throws SecurityException
|
||||
|
||||
|
||||
public void checkModuleClass(Class<? extends LauncherModule> clazz, LauncherTrustManager.CheckMode mode) throws SecurityException
|
||||
{
|
||||
if(trustManager == null) return;
|
||||
X509Certificate[] certificates = JVMHelper.getCertificates(clazz);
|
||||
if(certificates == null)
|
||||
{
|
||||
LogHelper.warning("Module class %s not signed", clazz.getName());
|
||||
if(mode == LauncherTrustManager.CheckMode.EXCEPTION_IN_NOT_SIGNED)
|
||||
throw new SecurityException(String.format("Class %s not signed", clazz.getName()));
|
||||
else if(mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED)
|
||||
LogHelper.warning("Class %s not signed", clazz.getName());
|
||||
return;
|
||||
}
|
||||
try {
|
||||
trustManager.checkCertificate(certificates, (c,s) -> {
|
||||
|
|
|
@ -37,6 +37,12 @@ public LauncherTrustManager(byte[][] encodedCertificate) throws CertificateExcep
|
|||
}
|
||||
}).toArray(X509Certificate[]::new);
|
||||
}
|
||||
|
||||
public enum CheckMode
|
||||
{
|
||||
EXCEPTION_IN_NOT_SIGNED, WARN_IN_NOT_SIGNED, NONE_IN_NOT_SIGNED
|
||||
}
|
||||
|
||||
public interface CertificateChecker
|
||||
{
|
||||
void check(X509Certificate cert, X509Certificate signer) throws CertificateException, SecurityException;
|
||||
|
|
Loading…
Reference in a new issue