123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527 |
- /*
- * Copyright (C) 2004 Red Hat Inc.
- * Copyright (C) 2005 Martin Koegler
- * Copyright (C) 2010 m-privacy GmbH
- * Copyright (C) 2010 TigerVNC Team
- * Copyright (C) 2011-2019 Brian P. Hinz
- * Copyright (C) 2015 D. R. Commander. All Rights Reserved.
- *
- * This is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this software; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
- * USA.
- */
-
- package com.tigervnc.rfb;
-
- import javax.net.ssl.*;
- import java.security.KeyManagementException;
- import java.security.KeyStore;
- import java.security.NoSuchAlgorithmException;
- import java.security.MessageDigest;
- import java.security.cert.*;
- import java.io.BufferedReader;
- import java.io.File;
- import java.io.FileInputStream;
- import java.io.FileNotFoundException;
- import java.io.FileReader;
- import java.io.FileWriter;
- import java.io.InputStream;
- import java.io.IOException;
- import java.nio.ByteBuffer;
- import java.nio.charset.Charset;
- import java.util.ArrayList;
- import java.util.Base64;
- import java.util.Collection;
- import java.util.Collections;
- import java.util.Iterator;
- import java.util.List;
- import javax.naming.InvalidNameException;
- import javax.naming.ldap.LdapName;
- import javax.naming.ldap.Rdn;
- import javax.net.ssl.HostnameVerifier;
- import javax.swing.JOptionPane;
-
- import com.tigervnc.rdr.*;
- import com.tigervnc.network.*;
- import com.tigervnc.vncviewer.*;
-
- import static javax.swing.JOptionPane.*;
-
- public class CSecurityTLS extends CSecurity {
-
- public static StringParameter X509CA
- = new StringParameter("X509CA",
- "X509 CA certificate", "", Configuration.ConfigurationObject.ConfViewer);
- public static StringParameter X509CRL
- = new StringParameter("X509CRL",
- "X509 CRL file", "", Configuration.ConfigurationObject.ConfViewer);
- public static UserMsgBox msg;
-
- private void initGlobal()
- {
- try {
- ctx = SSLContext.getInstance("TLS");
- } catch(NoSuchAlgorithmException e) {
- throw new Exception(e.toString());
- }
- }
-
- public CSecurityTLS(boolean _anon)
- {
- anon = _anon;
- manager = null;
-
- setDefaults();
- cafile = X509CA.getData();
- crlfile = X509CRL.getData();
- }
-
- public static String getDefaultCA() {
- if (UserPreferences.get("viewer", "x509ca") != null)
- return UserPreferences.get("viewer", "x509ca");
- return FileUtils.getVncHomeDir()+"x509_ca.pem";
- }
-
- public static String getDefaultCRL() {
- if (UserPreferences.get("viewer", "x509crl") != null)
- return UserPreferences.get("viewer", "x509crl");
- return FileUtils.getVncHomeDir()+"x509_crl.pem";
- }
-
- public static void setDefaults()
- {
- if (new File(getDefaultCA()).exists())
- X509CA.setDefaultStr(getDefaultCA());
- if (new File(getDefaultCRL()).exists())
- X509CRL.setDefaultStr(getDefaultCRL());
- }
-
- public boolean processMsg(CConnection cc) {
- is = (FdInStream)cc.getInStream();
- os = (FdOutStream)cc.getOutStream();
- client = cc;
-
- initGlobal();
-
- if (manager == null) {
- if (!is.checkNoWait(1))
- return false;
-
- if (is.readU8() == 0) {
- int result = is.readU32();
- String reason;
- if (result == Security.secResultFailed ||
- result == Security.secResultTooMany)
- reason = is.readString();
- else
- reason = new String("Authentication failure (protocol error)");
- throw new AuthFailureException(reason);
- }
-
- setParam();
- }
-
- try {
- manager = new SSLEngineManager(engine, is, os);
- manager.doHandshake();
- } catch(java.lang.Exception e) {
- throw new SystemException(e.toString());
- }
-
- cc.setStreams(new TLSInStream(is, manager),
- new TLSOutStream(os, manager));
- return true;
- }
-
- private void setParam() {
-
- if (anon) {
- try {
- ctx.init(null, null, null);
- } catch(KeyManagementException e) {
- throw new AuthFailureException(e.toString());
- }
- } else {
- try {
- TrustManager[] myTM = new TrustManager[] {
- new MyX509TrustManager()
- };
- ctx.init (null, myTM, null);
- } catch (java.security.GeneralSecurityException e) {
- throw new AuthFailureException(e.toString());
- }
- }
- SSLSocketFactory sslfactory = ctx.getSocketFactory();
- engine = ctx.createSSLEngine(client.getServerName(),
- client.getServerPort());
- engine.setUseClientMode(true);
-
- String[] supported = engine.getSupportedProtocols();
- ArrayList<String> enabled = new ArrayList<String>();
- for (int i = 0; i < supported.length; i++)
- if (supported[i].matches("TLS.*"))
- enabled.add(supported[i]);
- engine.setEnabledProtocols(enabled.toArray(new String[0]));
-
- if (anon) {
- supported = engine.getSupportedCipherSuites();
- enabled = new ArrayList<String>();
- // prefer ECDH over DHE
- for (int i = 0; i < supported.length; i++)
- if (supported[i].matches("TLS_ECDH_anon.*"))
- enabled.add(supported[i]);
- for (int i = 0; i < supported.length; i++)
- if (supported[i].matches("TLS_DH_anon.*"))
- enabled.add(supported[i]);
- engine.setEnabledCipherSuites(enabled.toArray(new String[0]));
- } else {
- engine.setEnabledCipherSuites(engine.getSupportedCipherSuites());
- }
-
- }
-
- class MyX509TrustManager implements X509TrustManager
- {
-
- X509TrustManager tm;
-
- MyX509TrustManager() throws java.security.GeneralSecurityException
- {
- KeyStore ks = KeyStore.getInstance("JKS");
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- try {
- ks.load(null, null);
- String a = TrustManagerFactory.getDefaultAlgorithm();
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(a);
- tmf.init((KeyStore)null);
- for (TrustManager m : tmf.getTrustManagers())
- if (m instanceof X509TrustManager)
- for (X509Certificate c : ((X509TrustManager)m).getAcceptedIssuers())
- ks.setCertificateEntry(getThumbprint((X509Certificate)c), c);
- File cacert = new File(cafile);
- if (cacert.exists() && cacert.canRead()) {
- InputStream caStream = new MyFileInputStream(cacert);
- Collection<? extends Certificate> cacerts =
- cf.generateCertificates(caStream);
- for (Certificate cert : cacerts) {
- String thumbprint = getThumbprint((X509Certificate)cert);
- ks.setCertificateEntry(thumbprint, (X509Certificate)cert);
- }
- }
- PKIXBuilderParameters params =
- new PKIXBuilderParameters(ks, new X509CertSelector());
- File crlcert = new File(crlfile);
- if (!crlcert.exists() || !crlcert.canRead()) {
- params.setRevocationEnabled(false);
- } else {
- InputStream crlStream = new FileInputStream(crlfile);
- Collection<? extends CRL> crls = cf.generateCRLs(crlStream);
- CertStoreParameters csp = new CollectionCertStoreParameters(crls);
- CertStore store = CertStore.getInstance("Collection", csp);
- params.addCertStore(store);
- params.setRevocationEnabled(true);
- }
- tmf = TrustManagerFactory.getInstance("PKIX");
- tmf.init(new CertPathTrustManagerParameters(params));
- tm = (X509TrustManager)tmf.getTrustManagers()[0];
- } catch (java.lang.Exception e) {
- throw new Exception(e.getMessage());
- }
- }
-
- public void checkClientTrusted(X509Certificate[] chain, String authType)
- throws CertificateException
- {
- tm.checkClientTrusted(chain, authType);
- }
-
- private final char[] hexCode = "0123456789ABCDEF".toCharArray();
-
- private String printHexBinary(byte[] data)
- {
- StringBuilder r = new StringBuilder(data.length*2);
- for (byte b : data) {
- r.append(hexCode[(b >> 4) & 0xF]);
- r.append(hexCode[(b & 0xF)]);
- }
- return r.toString();
- }
-
- public void checkServerTrusted(X509Certificate[] chain, String authType)
- throws CertificateException
- {
- Collection<? extends Certificate> certs = null;
- X509Certificate cert = chain[0];
- String pk =
- Base64.getEncoder().encodeToString(cert.getPublicKey().getEncoded());
- try {
- cert.checkValidity();
- verifyHostname(cert);
- } catch(CertificateParsingException e) {
- throw new SystemException(e.getMessage());
- } catch(CertificateNotYetValidException e) {
- throw new AuthFailureException("server certificate has not been activated");
- } catch(CertificateExpiredException e) {
- if (!msg.showMsgBox(YES_NO_OPTION, "certificate has expired",
- "The certificate of the server has expired, "+
- "do you want to continue?"))
- throw new AuthFailureException("server certificate has expired");
- }
- File vncDir = new File(FileUtils.getVncHomeDir());
- if (!vncDir.exists())
- throw new AuthFailureException("Could not obtain VNC home directory "+
- "path for known hosts storage");
- File dbPath = new File(vncDir, "x509_known_hosts");
- String info =
- " Subject: "+cert.getSubjectX500Principal().getName()+"\n"+
- " Issuer: "+cert.getIssuerX500Principal().getName()+"\n"+
- " Serial Number: "+cert.getSerialNumber()+"\n"+
- " Version: "+cert.getVersion()+"\n"+
- " Signature Algorithm: "+cert.getPublicKey().getAlgorithm()+"\n"+
- " Not Valid Before: "+cert.getNotBefore()+"\n"+
- " Not Valid After: "+cert.getNotAfter()+"\n"+
- " SHA-1 Fingerprint: "+getThumbprint(cert)+"\n";
- try {
- if (dbPath.exists()) {
- FileReader db = new FileReader(dbPath);
- BufferedReader dbBuf = new BufferedReader(db);
- String line;
- String server = client.getServerName().toLowerCase();
- while ((line = dbBuf.readLine())!=null) {
- String fields[] = line.split("\\|");
- if (fields.length==6) {
- if (server.equals(fields[2]) && pk.equals(fields[5])) {
- vlog.debug("Server certificate found in known hosts file");
- dbBuf.close();
- return;
- } else if (server.equals(fields[2]) && !pk.equals(fields[5]) ||
- !server.equals(fields[2]) && pk.equals(fields[5])) {
- throw new CertStoreException();
- }
- }
- }
- dbBuf.close();
- }
- tm.checkServerTrusted(chain, authType);
- } catch (IOException e) {
- throw new AuthFailureException("Could not load known hosts database");
- } catch (CertStoreException e) {
- vlog.debug("Server host key mismatch");
- vlog.debug(info);
- String text =
- "This host is previously known with a different "+
- "certificate, and the new certificate has been "+
- "signed by an unknown authority\n"+
- "\n"+info+"\n"+
- "Someone could be trying to impersonate the site and you should not continue.\n"+
- "\n"+
- "Do you want to make an exception for this server?";
- if (!msg.showMsgBox(YES_NO_OPTION, "Unexpected certificate issuer", text))
- throw new AuthFailureException("Unexpected certificate issuer");
- store_pubkey(dbPath, client.getServerName().toLowerCase(), pk);
- } catch (java.lang.Exception e) {
- if (e.getCause() instanceof CertPathBuilderException) {
- vlog.debug("Server host not previously known");
- vlog.debug(info);
- String text =
- "This certificate has been signed by an unknown authority\n"+
- "\n"+info+"\n"+
- "Someone could be trying to impersonate the site and you should not continue.\n"+
- "\n"+
- "Do you want to make an exception for this server?";
- if (!msg.showMsgBox(YES_NO_OPTION, "Unknown certificate issuer", text))
- throw new AuthFailureException("Unknown certificate issuer");
- store_pubkey(dbPath, client.getServerName().toLowerCase(), pk);
- } else {
- throw new SystemException(e.getMessage());
- }
- }
- }
-
- private void store_pubkey(File dbPath, String serverName, String pk)
- {
- ArrayList<String> lines = new ArrayList<String>();
- File vncDir = new File(FileUtils.getVncHomeDir());
- try {
- if (dbPath.exists()) {
- FileReader db = new FileReader(dbPath);
- BufferedReader dbBuf = new BufferedReader(db);
- String line;
- while ((line = dbBuf.readLine())!=null) {
- String fields[] = line.split("\\|");
- if (fields.length==6)
- if (!serverName.equals(fields[2]) && !pk.equals(fields[5]))
- lines.add(line);
- }
- dbBuf.close();
- }
- } catch (IOException e) {
- throw new AuthFailureException("Could not load known hosts database");
- }
- try {
- if (!dbPath.exists())
- dbPath.createNewFile();
- FileWriter fw = new FileWriter(dbPath.getAbsolutePath(), false);
- Iterator i = lines.iterator();
- while (i.hasNext())
- fw.write((String)i.next()+"\n");
- fw.write("|g0|"+serverName+"|*|0|"+pk+"\n");
- fw.close();
- } catch (IOException e) {
- vlog.error("Failed to store server certificate to known hosts database");
- }
- }
-
- public X509Certificate[] getAcceptedIssuers ()
- {
- return tm.getAcceptedIssuers();
- }
-
- private String getThumbprint(X509Certificate cert)
- {
- String thumbprint = null;
- try {
- MessageDigest md = MessageDigest.getInstance("SHA-1");
- md.update(cert.getEncoded());
- thumbprint = printHexBinary(md.digest());
- thumbprint = thumbprint.replaceAll("..(?!$)", "$0 ");
- } catch(CertificateEncodingException e) {
- throw new SystemException(e.getMessage());
- } catch(NoSuchAlgorithmException e) {
- throw new SystemException(e.getMessage());
- }
- return thumbprint;
- }
-
- private void verifyHostname(X509Certificate cert)
- throws CertificateParsingException
- {
- try {
- Collection sans = cert.getSubjectAlternativeNames();
- if (sans == null) {
- String dn = cert.getSubjectX500Principal().getName();
- LdapName ln = new LdapName(dn);
- for (Rdn rdn : ln.getRdns()) {
- if (rdn.getType().equalsIgnoreCase("CN")) {
- String peer = client.getServerName().toLowerCase();
- if (peer.equals(((String)rdn.getValue()).toLowerCase()))
- return;
- }
- }
- } else {
- Iterator i = sans.iterator();
- while (i.hasNext()) {
- List nxt = (List)i.next();
- if (((Integer)nxt.get(0)).intValue() == 2) {
- String peer = client.getServerName().toLowerCase();
- if (peer.equals(((String)nxt.get(1)).toLowerCase()))
- return;
- } else if (((Integer)nxt.get(0)).intValue() == 7) {
- String peer = ((CConn)client).getSocket().getPeerAddress();
- if (peer.equals(((String)nxt.get(1)).toLowerCase()))
- return;
- }
- }
- }
- Object[] answer = {"YES", "NO"};
- int ret = JOptionPane.showOptionDialog(null,
- "Hostname ("+client.getServerName()+") does not match the"+
- " server certificate, do you want to continue?",
- "Certificate hostname mismatch",
- JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE,
- null, answer, answer[0]);
- if (ret != JOptionPane.YES_OPTION)
- throw new WarningException("Certificate hostname mismatch.");
- } catch (CertificateParsingException e) {
- throw new SystemException(e.getMessage());
- } catch (InvalidNameException e) {
- throw new SystemException(e.getMessage());
- }
- }
-
- private class MyFileInputStream extends InputStream {
- // Blank lines in a certificate file will cause Java 6 to throw a
- // "DerInputStream.getLength(): lengthTag=127, too big" exception.
- ByteBuffer buf;
-
- public MyFileInputStream(String name) {
- this(new File(name));
- }
-
- public MyFileInputStream(File file) {
- StringBuffer sb = new StringBuffer();
- BufferedReader reader = null;
- try {
- reader = new BufferedReader(new FileReader(file));
- String l;
- while ((l = reader.readLine()) != null) {
- if (l.trim().length() > 0 )
- sb.append(l+"\n");
- }
- } catch (java.lang.Exception e) {
- throw new Exception(e.toString());
- } finally {
- try {
- if (reader != null)
- reader.close();
- } catch(IOException ioe) {
- throw new Exception(ioe.getMessage());
- }
- }
- Charset utf8 = Charset.forName("UTF-8");
- buf = ByteBuffer.wrap(sb.toString().getBytes(utf8));
- buf.limit(buf.capacity());
- }
-
- @Override
- public int read(byte[] b) throws IOException {
- return this.read(b, 0, b.length);
- }
-
- @Override
- public int read(byte[] b, int off, int len) throws IOException {
- if (!buf.hasRemaining())
- return -1;
- len = Math.min(len, buf.remaining());
- buf.get(b, off, len);
- return len;
- }
-
- @Override
- public int read() throws IOException {
- if (!buf.hasRemaining())
- return -1;
- return buf.get() & 0xFF;
- }
- }
- }
-
- public final int getType() { return anon ? Security.secTypeTLSNone : Security.secTypeX509None; }
- public final String description()
- { return anon ? "TLS Encryption without VncAuth" : "X509 Encryption without VncAuth"; }
- public boolean isSecure() { return !anon; }
-
- protected CConnection client;
-
- private SSLContext ctx;
- private SSLEngine engine;
- private SSLEngineManager manager;
- private boolean anon;
-
- private String cafile, crlfile;
- private FdInStream is;
- private FdOutStream os;
-
- static LogWriter vlog = new LogWriter("CSecurityTLS");
- }
|