1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
|
/* CertInformation.java
Copyright (C) 2012 Red Hat, Inc.
This file is part of IcedTea.
IcedTea is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, version 2.
IcedTea is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with IcedTea; see the file COPYING. If not, write to
the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA.
Linking this library statically or dynamically with other modules is
making a combined work based on this library. Thus, the terms and
conditions of the GNU General Public License cover the whole
combination.
As a special exception, the copyright holders of this library give you
permission to link this library with independent modules to produce an
executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under
terms of your choice, provided that you also meet, for each linked
independent module, the terms and conditions of the license of that
module. An independent module is a module which is not derived from
or based on this library. If you modify this library, you may extend
this exception to your version of the library, but you are not
obligated to do so. If you do not wish to do so, delete this
exception statement from your version.
*/
package net.sourceforge.jnlp.tools;
import static net.sourceforge.jnlp.runtime.Translator.R;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import net.sourceforge.jnlp.runtime.JNLPRuntime;
/**
* Maintains information about a CertPath that has signed at least one of the
* entries provided by a jar of the app.
*/
public class CertInformation {
private boolean hasExpiredCert = false;
private boolean hasExpiringCert = false;
private boolean isNotYetValidCert = false;
/* Code signer properties of the certificate. */
private boolean hasBadKeyUsage = false;
private boolean hasBadExtendedKeyUsage = false;
private boolean hasBadNetscapeCertType = false;
private boolean alreadyTrustPublisher = false;
private boolean rootInCacerts = false;
static enum Detail {
TRUSTED (R("STrustedCertificate")),
UNTRUSTED (R("SUntrustedCertificate")),
RUN_WITHOUT_RESTRICTIONS(R("SRunWithoutRestrictions")),
EXPIRED (R("SHasExpiredCert")),
EXPIRING (R("SHasExpiringCert")),
NOT_YET_VALID (R("SNotYetValidCert")),
BAD_KEY_USAGE (R("SBadKeyUsage")),
BAT_EXTENDED_KEY_USAGE (R("SBadExtendedKeyUsage")),
BAD_NETSCAPE_CERT_TYPE (R("SBadNetscapeCertType"));
private final String message;
Detail(String issue) {
message = issue;
}
public String message() {
return message;
}
}
private EnumSet<Detail> details = EnumSet.noneOf(Detail.class);
/** The jars and their number of entries this cert has signed. */
private HashMap<String, Integer> signedJars = new HashMap<String, Integer>();
/**
* Return if there are signing issues with this certificate.
* @return true if there are any issues with expiry, validity or bad key usage.
*/
public boolean hasSigningIssues() {
return hasExpiredCert || isNotYetValidCert || hasBadKeyUsage
|| hasBadExtendedKeyUsage || hasBadNetscapeCertType;
}
/**
* Return whether or not the publisher is already trusted.
*
* @return True if the publisher is trusted already.
*/
public boolean isPublisherAlreadyTrusted() {
return alreadyTrustPublisher;
}
/**
* Set whether or not the publisher is already trusted.
*
*/
public void setAlreadyTrustPublisher() {
alreadyTrustPublisher = true;
}
/**
* Return whether or not the root is in the list of trusted CA certificates.
*
* @return True if the root is in the list of CA certificates.
*/
public boolean isRootInCacerts() {
return rootInCacerts;
}
/**
* Set that this cert's root CA is to be trusted.
*/
public void setRootInCacerts() {
rootInCacerts = true;
details.add(Detail.TRUSTED);
}
/**
* Resets any trust of the root and publisher. Also removes unnecessary
* details from the list of issues.
*/
public void resetForReverification() {
alreadyTrustPublisher = false;
rootInCacerts = false;
removeFromDetails(Detail.UNTRUSTED);
removeFromDetails(Detail.TRUSTED);
}
/**
* Check if this cert is the signer of a jar.
* @param jarName The absolute path of the jar this certificate has signed.
* @return true if this cert has signed the jar found at jarName.
*/
public boolean isSignerOfJar(String jarName) {
return signedJars.containsKey(jarName);
}
/**
* Add a jar to the list of jars this certificate has signed along with the
* number of entries it has signed in the jar.
*
* @param jarName The absolute path of the jar this certificate has signed.
* @param signedEntriesCount The number of entries this cert has signed in jarName.
*/
public void setNumJarEntriesSigned(String jarName, int signedEntriesCount) {
if (signedJars.containsKey(jarName)) {
if (JNLPRuntime.isDebug())
System.err.println("WARNING: A jar that has already been "
+ "verified is being yet again verified: " + jarName);
} else {
signedJars.put(jarName, signedEntriesCount);
}
}
/**
* Find the number of entries this cert has signed in the specified jar.
* @param jarName The absolute path of the jar this certificate has signed.
* @return The number of entries this cert has signed in jarName.
*/
public int getNumJarEntriesSigned(String jarName) {
return signedJars.get(jarName);
}
/**
* Get all the jars this cert has signed along with the number of entries
* in each jar.
* @return
*/
public Map<String, Integer> getSignedJars() {
return signedJars;
}
/**
* Get the details regarding issue(s) with this certificate.
*
* @return A list of all the details/issues with this app.
*/
public List<String> getDetailsAsStrings() {
List<String> detailsToStr = new ArrayList<String>();
for (Detail issue : details) {
detailsToStr.add(issue.message());
}
return detailsToStr;
}
/**
* Remove an issue from the list of details of issues with this certificate.
* List is unchanged if detail was not present.
*
* @param detail The issue to be removed regarding this certificate.
*/
private void removeFromDetails(Detail detail) {
details.remove(detail);
}
/**
* Set that this cert is expired and add this issue to the list of details.
*/
public void setHasExpiredCert() {
hasExpiredCert = true;
details.add(Detail.RUN_WITHOUT_RESTRICTIONS);
details.add(Detail.EXPIRED);
}
/**
* Set that this cert is expiring within 6 months and add this issue to
* the list of details.
*/
public void setHasExpiringCert() {
hasExpiringCert = true;
details.add(Detail.RUN_WITHOUT_RESTRICTIONS);
details.add(Detail.EXPIRING);
}
/**
* Get whether or not this cert will expire within 6 months.
* @return true if the cert will be expired after 6 months.
*/
public boolean hasExpiringCert() {
return hasExpiringCert;
}
/**
* Set that this cert is not yet valid
* and add this issue to the list of details.
*/
public void setNotYetValidCert() {
isNotYetValidCert = true;
details.add(Detail.RUN_WITHOUT_RESTRICTIONS);
details.add(Detail.NOT_YET_VALID);
}
/**
* Set that this cert has bad key usage
* and add this issue to the list of details.
*/
public void setBadKeyUsage() {
hasBadKeyUsage = true;
details.add(Detail.RUN_WITHOUT_RESTRICTIONS);
details.add(Detail.BAD_KEY_USAGE);
}
/**
* Set that this cert has bad extended key usage
* and add this issue to the list of details.
*/
public void setBadExtendedKeyUsage() {
hasBadExtendedKeyUsage = true;
details.add(Detail.RUN_WITHOUT_RESTRICTIONS);
details.add(Detail.BAT_EXTENDED_KEY_USAGE);
}
/**
* Set that this cert has a bad netscape cert type
* and add this issue to the list of details.
*/
public void setBadNetscapeCertType() {
hasBadNetscapeCertType = true;
details.add(Detail.RUN_WITHOUT_RESTRICTIONS);
details.add(Detail.BAD_NETSCAPE_CERT_TYPE);
}
/**
* Set that this cert and all of its CAs are untrusted so far.
*/
public void setUntrusted() {
details.add(Detail.UNTRUSTED);
}
}
|
