From d897a692f7dec9aefa122ff0f8a59b875904f3ce Mon Sep 17 00:00:00 2001 From: Gravit Date: Thu, 17 Oct 2019 20:58:52 +0700 Subject: [PATCH] =?UTF-8?q?[FIX]=20=D0=A4=D0=B8=D0=BA=D1=81=D1=8B=20=D1=81?= =?UTF-8?q?=D0=B8=D1=81=D1=82=D0=B5=D0=BC=D1=8B=20=D1=81=D0=B5=D1=80=D1=82?= =?UTF-8?q?=D0=B8=D1=84=D0=B8=D0=BA=D0=B0=D1=82=D0=BE=D0=B2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../launchserver/LaunchServerStarter.java | 10 +++++-- .../manangers/CertificateManager.java | 30 +++++++++++++++---- .../handlers/NettyServerSocketHandler.java | 29 ------------------ .../modules/impl/SimpleModuleManager.java | 13 ++++++-- .../utils/verify/LauncherTrustManager.java | 6 ++++ 5 files changed, 48 insertions(+), 40 deletions(-) diff --git a/LaunchServer/src/main/java/pro/gravit/launchserver/LaunchServerStarter.java b/LaunchServer/src/main/java/pro/gravit/launchserver/LaunchServerStarter.java index a35e2116..e9619c7d 100644 --- a/LaunchServer/src/main/java/pro/gravit/launchserver/LaunchServerStarter.java +++ b/LaunchServer/src/main/java/pro/gravit/launchserver/LaunchServerStarter.java @@ -32,6 +32,7 @@ import pro.gravit.launchserver.manangers.LaunchServerGsonManager; import pro.gravit.launchserver.modules.impl.LaunchServerModulesManager; import pro.gravit.launchserver.socket.WebSocketService; +import pro.gravit.utils.Version; import pro.gravit.utils.command.CommandHandler; import pro.gravit.utils.command.JLineCommandHandler; import pro.gravit.utils.command.StdCommandHandler; @@ -41,9 +42,8 @@ import pro.gravit.utils.helper.SecurityHelper; import pro.gravit.utils.verify.LauncherTrustManager; -import javax.crypto.Cipher; - public class LaunchServerStarter { + public static boolean allowUnsigned = Boolean.getBoolean("launchserver.allowUnsigned"); public static void main(String[] args) throws Exception { JVMHelper.checkStackTrace(LaunchServerStarter.class); JVMHelper.verifySystemProperties(LaunchServer.class, true); @@ -67,6 +67,12 @@ public static void main(String[] args) throws Exception { } catch (CertificateException e) { throw new IOException(e); } + { + LauncherTrustManager.CheckMode mode = (Version.RELEASE == Version.Type.LTS || Version.RELEASE == Version.Type.STABLE) ? + (allowUnsigned ? LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED : LauncherTrustManager.CheckMode.EXCEPTION_IN_NOT_SIGNED) : + (allowUnsigned ? LauncherTrustManager.CheckMode.NONE_IN_NOT_SIGNED : LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED); + certificateManager.checkClass(LaunchServer.class, mode); + } LaunchServerRuntimeConfig runtimeConfig; LaunchServerConfig config; diff --git a/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java b/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java index c6fafca8..69b76a4a 100644 --- a/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java +++ b/LaunchServer/src/main/java/pro/gravit/launchserver/manangers/CertificateManager.java @@ -8,12 +8,7 @@ import java.nio.file.Path; import java.nio.file.SimpleFileVisitor; import java.nio.file.attribute.BasicFileAttributes; -import java.security.InvalidAlgorithmParameterException; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.PublicKey; +import java.security.*; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; @@ -48,6 +43,8 @@ import org.bouncycastle.util.io.pem.PemWriter; import pro.gravit.utils.helper.IOHelper; +import pro.gravit.utils.helper.JVMHelper; +import pro.gravit.utils.helper.LogHelper; import pro.gravit.utils.helper.SecurityHelper; import pro.gravit.utils.verify.LauncherTrustManager; @@ -207,4 +204,25 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IO }, false); trustManager = new LauncherTrustManager(certificates.toArray(new X509Certificate[0])); } + + public void checkClass(Class clazz, LauncherTrustManager.CheckMode mode) throws SecurityException + { + if(trustManager == null) return; + X509Certificate[] certificates = JVMHelper.getCertificates(clazz); + if(certificates == null) + { + if(mode == LauncherTrustManager.CheckMode.EXCEPTION_IN_NOT_SIGNED) + throw new SecurityException(String.format("Class %s not signed", clazz.getName())); + else if(mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED) + LogHelper.warning("Class %s not signed", clazz.getName()); + return; + } + try { + trustManager.checkCertificate(certificates, (c,s) -> { + + }); + } catch (CertificateException | NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException | SignatureException e) { + throw new SecurityException(e); + } + } } diff --git a/LaunchServer/src/main/java/pro/gravit/launchserver/socket/handlers/NettyServerSocketHandler.java b/LaunchServer/src/main/java/pro/gravit/launchserver/socket/handlers/NettyServerSocketHandler.java index f041aa39..329b3ca1 100644 --- a/LaunchServer/src/main/java/pro/gravit/launchserver/socket/handlers/NettyServerSocketHandler.java +++ b/LaunchServer/src/main/java/pro/gravit/launchserver/socket/handlers/NettyServerSocketHandler.java @@ -1,24 +1,9 @@ package pro.gravit.launchserver.socket.handlers; -import java.io.IOException; import java.net.InetSocketAddress; import java.net.Socket; -import java.security.KeyManagementException; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; -import java.security.UnrecoverableKeyException; -import java.security.cert.CertificateException; import java.util.Set; - -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.SSLContext; import javax.net.ssl.SSLServerSocketFactory; -import javax.net.ssl.TrustManager; - -import pro.gravit.launcher.ssl.LauncherKeyStore; -import pro.gravit.launcher.ssl.LauncherTrustManager; import pro.gravit.launchserver.LaunchServer; import pro.gravit.launchserver.config.LaunchServerConfig; import pro.gravit.launchserver.socket.LauncherNettyServer; @@ -46,20 +31,6 @@ public void close() { //TODO: Close Impl } - public SSLContext SSLContextInit() throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, KeyManagementException, IOException, CertificateException { - TrustManager[] trustAllCerts = new TrustManager[]{ - new LauncherTrustManager() - }; - KeyStore ks = LauncherKeyStore.getKeyStore("keystore", "PSP1000"); - - KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory - .getDefaultAlgorithm()); - kmf.init(ks, "PSP1000".toCharArray()); - SSLContext sc = SSLContext.getInstance("TLSv1.2"); - sc.init(kmf.getKeyManagers(), trustAllCerts, new SecureRandom()); - return sc; - } - @Override public void run() { /*SSLContext sc = null; diff --git a/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java b/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java index 08c9d1c3..81847cd2 100644 --- a/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java +++ b/LauncherAPI/src/main/java/pro/gravit/launcher/modules/impl/SimpleModuleManager.java @@ -40,6 +40,7 @@ public class SimpleModuleManager implements LauncherModulesManager { protected final Path modulesDir; protected final LauncherTrustManager trustManager; protected LauncherInitContext initContext; + protected LauncherTrustManager.CheckMode checkMode = LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED; protected PublicURLClassLoader classLoader = new PublicURLClassLoader(new URL[]{}); @@ -160,7 +161,7 @@ public LauncherModule loadModule(Path file) throws IOException { classLoader.addURL(file.toUri().toURL()); @SuppressWarnings("unchecked cast") Class clazz = (Class) Class.forName(moduleClass, false, classLoader); - checkModuleClass(clazz); + checkModuleClass(clazz, checkMode); LauncherModule module = clazz.newInstance(); loadModule(module); return module; @@ -171,13 +172,19 @@ public LauncherModule loadModule(Path file) throws IOException { } } - protected void checkModuleClass(Class clazz) throws SecurityException + + + public void checkModuleClass(Class clazz, LauncherTrustManager.CheckMode mode) throws SecurityException { if(trustManager == null) return; X509Certificate[] certificates = JVMHelper.getCertificates(clazz); if(certificates == null) { - LogHelper.warning("Module class %s not signed", clazz.getName()); + if(mode == LauncherTrustManager.CheckMode.EXCEPTION_IN_NOT_SIGNED) + throw new SecurityException(String.format("Class %s not signed", clazz.getName())); + else if(mode == LauncherTrustManager.CheckMode.WARN_IN_NOT_SIGNED) + LogHelper.warning("Class %s not signed", clazz.getName()); + return; } try { trustManager.checkCertificate(certificates, (c,s) -> { diff --git a/LauncherCore/src/main/java/pro/gravit/utils/verify/LauncherTrustManager.java b/LauncherCore/src/main/java/pro/gravit/utils/verify/LauncherTrustManager.java index 2e1debbb..3cfe00b5 100644 --- a/LauncherCore/src/main/java/pro/gravit/utils/verify/LauncherTrustManager.java +++ b/LauncherCore/src/main/java/pro/gravit/utils/verify/LauncherTrustManager.java @@ -37,6 +37,12 @@ public LauncherTrustManager(byte[][] encodedCertificate) throws CertificateExcep } }).toArray(X509Certificate[]::new); } + + public enum CheckMode + { + EXCEPTION_IN_NOT_SIGNED, WARN_IN_NOT_SIGNED, NONE_IN_NOT_SIGNED + } + public interface CertificateChecker { void check(X509Certificate cert, X509Certificate signer) throws CertificateException, SecurityException;