[vncterm.git] / tigerpatches / trust-manager.patch

 Unfortunately the java certificate store does not correctly access 
 the browser certificate store (firefox, chrome). We also tunnel VNC
 traffic from other cluster nodes.

 So we implement our own trust manager, and allow to pass the server 
 certificate (or CA who signed the server certificate) as applet 
 parameter "PVECert" (newline encoded as '|').

Index: new/java/src/com/tigervnc/vncviewer/X509Tunnel.java
===================================================================
--- new.orig/java/src/com/tigervnc/vncviewer/X509Tunnel.java    2013-04-20 15:24:59.000000000 +0200
+++ new/java/src/com/tigervnc/vncviewer/X509Tunnel.java 2013-04-20 15:28:55.000000000 +0200
@@ -26,13 +26,23 @@
 import javax.net.ssl.*;
 import java.security.*;
 import java.security.cert.*;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.io.*;
 
 public class X509Tunnel extends TLSTunnelBase
 {
 
-  public X509Tunnel (Socket sock_)
+  Certificate pvecert;
+
+  public X509Tunnel (Socket sock_, String certstr) throws CertificateException
   {
     super (sock_);
+
+    if (certstr != null) {
+      CertificateFactory cf = CertificateFactory.getInstance("X.509");
+      pvecert = cf.generateCertificate(new StringBufferInputStream(certstr));
+    }
   }
 
   protected void setParam (SSLSocket sock)
@@ -52,9 +62,51 @@
   protected void initContext (SSLContext sc) throws java.security.
     GeneralSecurityException
   {
-    TrustManager[] myTM = new TrustManager[]
-    {
-    new MyX509TrustManager ()};
+    TrustManager[] myTM;
+
+    if (pvecert != null) {
+      myTM = new TrustManager[] {
+       new X509TrustManager() {
+         public java.security.cert.X509Certificate[]
+         getAcceptedIssuers() {
+           return null;
+         }
+         public void checkClientTrusted(
+           java.security.cert.X509Certificate[] certs,
+           String authType) throws CertificateException {
+           throw new CertificateException("no clients");
+         }
+         public void checkServerTrusted(
+           java.security.cert.X509Certificate[] certs,
+           String authType) throws CertificateException {
+
+           if (certs == null || certs.length < 1) {
+             throw new CertificateException("no certs");
+           }
+           if (certs == null || certs.length > 1) {
+             throw new CertificateException("cert path too long");
+           }
+           PublicKey cakey = pvecert.getPublicKey();
+
+           boolean ca_match;
+           try {
+             certs[0].verify(cakey);
+             ca_match = true;
+           } catch (Exception e) {
+             ca_match = false;
+           }
+
+           if (!ca_match && !pvecert.equals(certs[0])) {
+             throw new CertificateException("certificate does not match");
+           }
+         }
+       }
+      };
+    } else {
+      myTM = new TrustManager[] {
+       new MyX509TrustManager ()
+      };
+    }
     sc.init (null, myTM, null);
   }
 
@@ -100,4 +152,5 @@
       return tm.getAcceptedIssuers ();
     }
   }
+
 }
Index: new/java/src/com/tigervnc/vncviewer/RfbProto.java
===================================================================
--- new.orig/java/src/com/tigervnc/vncviewer/RfbProto.java      2013-04-20 15:24:59.000000000 +0200
+++ new/java/src/com/tigervnc/vncviewer/RfbProto.java   2013-04-20 15:28:55.000000000 +0200
@@ -411,7 +411,8 @@
     }
 
     void authenticateX509() throws Exception {
-       X509Tunnel tunnel = new X509Tunnel(sock);
+
+      X509Tunnel tunnel = new X509Tunnel(sock, viewer.PVECert);
        tunnel.setup (this);
     }
 
Index: new/java/src/com/tigervnc/vncviewer/VncViewer.java
===================================================================
--- new.orig/java/src/com/tigervnc/vncviewer/VncViewer.java     2013-04-20 15:28:42.000000000 +0200
+++ new/java/src/com/tigervnc/vncviewer/VncViewer.java  2013-04-20 15:29:55.000000000 +0200
@@ -91,6 +91,8 @@
   int debugStatsExcludeUpdates;
   int debugStatsMeasureUpdates;
 
+  String PVECert;
+
   // Reference to this applet for inter-applet communication.
   public static java.applet.Applet refApplet;
 
@@ -263,7 +265,7 @@
        fatalError(e.toString(), e);
       }
     }
-    
+
   }
 
   //
@@ -299,7 +301,7 @@
   // If the rfbThread is being stopped, ignore any exceptions,
   // otherwise rethrow the exception so it can be handled.
   //
- 
+
   void processNormalProtocol() throws Exception {
     try {
       vc.processNormalProtocol();
@@ -842,6 +844,11 @@
 
     // SocketFactory.
     socketFactory = readParameter("SocketFactory", false);
+
+    String tmpcert = readParameter("PVECert", false);
+    if (tmpcert != null) {
+      PVECert = tmpcert.replace('|', '\n');
+    }
   }
 
   //
@@ -991,7 +998,7 @@
   }
 
   synchronized public void fatalError(String str, Exception e) {
- 
+
     if (rfb != null && rfb.closed()) {
       // Not necessary to show error message if the error was caused
       // by I/O problems after the rfb.close() method call.
@@ -1084,11 +1091,11 @@
   public void enableInput(boolean enable) {
     vc.enableInput(enable);
   }
-  
+
   //
   // Resize framebuffer if autoScale is enabled.
   //
-  
+
   public void componentResized(ComponentEvent e) {
     if (e.getComponent() == vncFrame) {
       if (options.autoScale) {
@@ -1100,11 +1107,11 @@
       }
     }
   }
-  
+
   //
   // Ignore component events we're not interested in.
   //
-  
+
   public void componentShown(ComponentEvent e) { }
   public void componentMoved(ComponentEvent e) { }
   public void componentHidden(ComponentEvent e) { }