X-Git-Url: https://git.proxmox.com/?p=vncterm.git;a=blobdiff_plain;f=tigerpatches%2Ftrust-manager.patch;fp=tigerpatches%2Ftrust-manager.patch;h=0000000000000000000000000000000000000000;hp=e8158d56a418edbe77eaaf7bb567083ff23ea91c;hb=bdbcef679d80c86f68208520368d709ef21d406e;hpb=0704718295f3507ebbf0d7976a95a8541aa6be53
diff --git a/tigerpatches/trust-manager.patch b/tigerpatches/trust-manager.patch
deleted file mode 100644
index e8158d5..0000000
--- a/tigerpatches/trust-manager.patch
+++ /dev/null
@@ -1,190 +0,0 @@ - - Unfortunately the java certificate store does not correctly access - the browser certificate store (firefox, chrome). We also tunnel VNC - traffic from other cluster nodes. - - So we implement our own trust manager, and allow to pass the server - certificate (or CA who signed the server certificate) as applet - parameter "PVECert" (newline encoded as '|'). - -Index: tigervnc/java/src/com/tigervnc/vncviewer/X509Tunnel.java -=================================================================== ---- tigervnc.orig/java/src/com/tigervnc/vncviewer/X509Tunnel.java 2013-06-03 08:17:17.000000000 +0200 -+++ tigervnc/java/src/com/tigervnc/vncviewer/X509Tunnel.java 2013-06-03 08:22:52.000000000 +0200 -@@ -26,13 +26,23 @@ - import javax.net.ssl.*; - import java.security.*; - import java.security.cert.*; -+import java.security.cert.Certificate; -+import java.security.cert.CertificateFactory; -+import java.io.*; - - public class X509Tunnel extends TLSTunnelBase - { - -- public X509Tunnel (Socket sock_) -+ Certificate pvecert; -+ -+ public X509Tunnel (Socket sock_, String certstr) throws CertificateException - { - super (sock_); -+ -+ if (certstr != null) { -+ CertificateFactory cf = CertificateFactory.getInstance("X.509"); -+ pvecert = cf.generateCertificate(new StringBufferInputStream(certstr)); -+ } - } - - protected void setParam (SSLSocket sock) -@@ -52,9 +62,48 @@ - protected void initContext (SSLContext sc) throws java.security. 
- GeneralSecurityException - { -- TrustManager[] myTM = new TrustManager[] -- { -- new MyX509TrustManager ()}; -+ TrustManager[] myTM; -+ -+ if (pvecert != null) { -+ myTM = new TrustManager[] { -+ new X509TrustManager() { -+ public java.security.cert.X509Certificate[] -+ getAcceptedIssuers() { -+ return null; -+ } -+ public void checkClientTrusted( -+ java.security.cert.X509Certificate[] certs, -+ String authType) throws CertificateException { -+ throw new CertificateException("no clients"); -+ } -+ public void checkServerTrusted( -+ java.security.cert.X509Certificate[] certs, -+ String authType) throws CertificateException { -+ -+ if (certs == null || certs.length < 1) { -+ throw new CertificateException("no certs"); -+ } -+ PublicKey cakey = pvecert.getPublicKey(); -+ -+ boolean ca_match; -+ try { -+ certs[0].verify(cakey); -+ ca_match = true; -+ } catch (Exception e) { -+ ca_match = false; -+ } -+ -+ if (!ca_match && !pvecert.equals(certs[0])) { -+ throw new CertificateException("certificate does not match"); -+ } -+ } -+ } -+ }; -+ } else { -+ myTM = new TrustManager[] { -+ new MyX509TrustManager () -+ }; -+ } - sc.init (null, myTM, null); - } - -@@ -100,4 +149,5 @@ - return tm.getAcceptedIssuers (); - } - } -+ - } -Index: tigervnc/java/src/com/tigervnc/vncviewer/RfbProto.java -=================================================================== ---- tigervnc.orig/java/src/com/tigervnc/vncviewer/RfbProto.java 2013-06-03 08:17:17.000000000 +0200 -+++ tigervnc/java/src/com/tigervnc/vncviewer/RfbProto.java 2013-06-03 08:19:05.000000000 +0200 -@@ -411,7 +411,8 @@ - } - - void authenticateX509() throws Exception { -- X509Tunnel tunnel = new X509Tunnel(sock); -+ -+ X509Tunnel tunnel = new X509Tunnel(sock, viewer.PVECert); - tunnel.setup (this); - } - -Index: tigervnc/java/src/com/tigervnc/vncviewer/VncViewer.java -=================================================================== ---- tigervnc.orig/java/src/com/tigervnc/vncviewer/VncViewer.java 2013-06-03 
08:19:03.000000000 +0200 -+++ tigervnc/java/src/com/tigervnc/vncviewer/VncViewer.java 2013-06-03 08:19:05.000000000 +0200 -@@ -91,6 +91,8 @@ - int debugStatsExcludeUpdates; - int debugStatsMeasureUpdates; - -+ String PVECert; -+ - // Reference to this applet for inter-applet communication. - public static java.applet.Applet refApplet; - -@@ -263,7 +265,7 @@ - fatalError(e.toString(), e); - } - } -- -+ - } - - // -@@ -299,7 +301,7 @@ - // If the rfbThread is being stopped, ignore any exceptions, - // otherwise rethrow the exception so it can be handled. - // -- -+ - void processNormalProtocol() throws Exception { - try { - vc.processNormalProtocol(); -@@ -842,6 +844,11 @@ - - // SocketFactory. - socketFactory = readParameter("SocketFactory", false); -+ -+ String tmpcert = readParameter("PVECert", false); -+ if (tmpcert != null) { -+ PVECert = tmpcert.replace('|', '\n'); -+ } - } - - // -@@ -991,7 +998,7 @@ - } - - synchronized public void fatalError(String str, Exception e) { -- -+ - if (rfb != null && rfb.closed()) { - // Not necessary to show error message if the error was caused - // by I/O problems after the rfb.close() method call. -@@ -1084,11 +1091,11 @@ - public void enableInput(boolean enable) { - vc.enableInput(enable); - } -- -+ - // - // Resize framebuffer if autoScale is enabled. - // -- -+ - public void componentResized(ComponentEvent e) { - if (e.getComponent() == vncFrame) { - if (options.autoScale) { -@@ -1100,11 +1107,11 @@ - } - } - } -- -+ - // - // Ignore component events we're not interested in. - // -- -+ - public void componentShown(ComponentEvent e) { } - public void componentMoved(ComponentEvent e) { } - public void componentHidden(ComponentEvent e) { }