+++ /dev/null
-
- Unfortunately the java certificate store does not correctly access
- the browser certificate store (firefox, chrome). We also tunnel VNC
- traffic from other cluster nodes.
-
- So we implement our own trust manager, and allow to pass the server
- certificate (or CA who signed the server certificate) as applet
- parameter "PVECert" (newline encoded as '|').
-
-Index: tigervnc/java/src/com/tigervnc/vncviewer/X509Tunnel.java
-===================================================================
---- tigervnc.orig/java/src/com/tigervnc/vncviewer/X509Tunnel.java 2013-06-03 08:17:17.000000000 +0200
-+++ tigervnc/java/src/com/tigervnc/vncviewer/X509Tunnel.java 2013-06-03 08:22:52.000000000 +0200
-@@ -26,13 +26,23 @@
- import javax.net.ssl.*;
- import java.security.*;
- import java.security.cert.*;
-+import java.security.cert.Certificate;
-+import java.security.cert.CertificateFactory;
-+import java.io.*;
-
- public class X509Tunnel extends TLSTunnelBase
- {
-
-- public X509Tunnel (Socket sock_)
-+ Certificate pvecert;
-+
-+ public X509Tunnel (Socket sock_, String certstr) throws CertificateException
- {
- super (sock_);
-+
-+ if (certstr != null) {
-+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
-+ pvecert = cf.generateCertificate(new StringBufferInputStream(certstr));
-+ }
- }
-
- protected void setParam (SSLSocket sock)
-@@ -52,9 +62,48 @@
- protected void initContext (SSLContext sc) throws java.security.
- GeneralSecurityException
- {
-- TrustManager[] myTM = new TrustManager[]
-- {
-- new MyX509TrustManager ()};
-+ TrustManager[] myTM;
-+
-+ if (pvecert != null) {
-+ myTM = new TrustManager[] {
-+ new X509TrustManager() {
-+ public java.security.cert.X509Certificate[]
-+ getAcceptedIssuers() {
-+ return null;
-+ }
-+ public void checkClientTrusted(
-+ java.security.cert.X509Certificate[] certs,
-+ String authType) throws CertificateException {
-+ throw new CertificateException("no clients");
-+ }
-+ public void checkServerTrusted(
-+ java.security.cert.X509Certificate[] certs,
-+ String authType) throws CertificateException {
-+
-+ if (certs == null || certs.length < 1) {
-+ throw new CertificateException("no certs");
-+ }
-+ PublicKey cakey = pvecert.getPublicKey();
-+
-+ boolean ca_match;
-+ try {
-+ certs[0].verify(cakey);
-+ ca_match = true;
-+ } catch (Exception e) {
-+ ca_match = false;
-+ }
-+
-+ if (!ca_match && !pvecert.equals(certs[0])) {
-+ throw new CertificateException("certificate does not match");
-+ }
-+ }
-+ }
-+ };
-+ } else {
-+ myTM = new TrustManager[] {
-+ new MyX509TrustManager ()
-+ };
-+ }
- sc.init (null, myTM, null);
- }
-
-@@ -100,4 +149,5 @@
- return tm.getAcceptedIssuers ();
- }
- }
-+
- }
-Index: tigervnc/java/src/com/tigervnc/vncviewer/RfbProto.java
-===================================================================
---- tigervnc.orig/java/src/com/tigervnc/vncviewer/RfbProto.java 2013-06-03 08:17:17.000000000 +0200
-+++ tigervnc/java/src/com/tigervnc/vncviewer/RfbProto.java 2013-06-03 08:19:05.000000000 +0200
-@@ -411,7 +411,8 @@
- }
-
- void authenticateX509() throws Exception {
-- X509Tunnel tunnel = new X509Tunnel(sock);
-+
-+ X509Tunnel tunnel = new X509Tunnel(sock, viewer.PVECert);
- tunnel.setup (this);
- }
-
-Index: tigervnc/java/src/com/tigervnc/vncviewer/VncViewer.java
-===================================================================
---- tigervnc.orig/java/src/com/tigervnc/vncviewer/VncViewer.java 2013-06-03 08:19:03.000000000 +0200
-+++ tigervnc/java/src/com/tigervnc/vncviewer/VncViewer.java 2013-06-03 08:19:05.000000000 +0200
-@@ -91,6 +91,8 @@
- int debugStatsExcludeUpdates;
- int debugStatsMeasureUpdates;
-
-+ String PVECert;
-+
- // Reference to this applet for inter-applet communication.
- public static java.applet.Applet refApplet;
-
-@@ -263,7 +265,7 @@
- fatalError(e.toString(), e);
- }
- }
--
-+
- }
-
- //
-@@ -299,7 +301,7 @@
- // If the rfbThread is being stopped, ignore any exceptions,
- // otherwise rethrow the exception so it can be handled.
- //
--
-+
- void processNormalProtocol() throws Exception {
- try {
- vc.processNormalProtocol();
-@@ -842,6 +844,11 @@
-
- // SocketFactory.
- socketFactory = readParameter("SocketFactory", false);
-+
-+ String tmpcert = readParameter("PVECert", false);
-+ if (tmpcert != null) {
-+ PVECert = tmpcert.replace('|', '\n');
-+ }
- }
-
- //
-@@ -991,7 +998,7 @@
- }
-
- synchronized public void fatalError(String str, Exception e) {
--
-+
- if (rfb != null && rfb.closed()) {
- // Not necessary to show error message if the error was caused
- // by I/O problems after the rfb.close() method call.
-@@ -1084,11 +1091,11 @@
- public void enableInput(boolean enable) {
- vc.enableInput(enable);
- }
--
-+
- //
- // Resize framebuffer if autoScale is enabled.
- //
--
-+
- public void componentResized(ComponentEvent e) {
- if (e.getComponent() == vncFrame) {
- if (options.autoScale) {
-@@ -1100,11 +1107,11 @@
- }
- }
- }
--
-+
- //
- // Ignore component events we're not interested in.
- //
--
-+
- public void componentShown(ComponentEvent e) { }
- public void componentMoved(ComponentEvent e) { }
- public void componentHidden(ComponentEvent e) { }