matthiasblaesing commented on a change in pull request #3207:
URL: https://github.com/apache/netbeans/pull/3207#discussion_r721667706
##########
File path:
ide/xml.retriever/src/org/netbeans/modules/xml/retriever/impl/SecureURLResourceRetriever.java
##########
@@ -119,45 +139,48 @@ public void checkServerTrusted(X509Certificate[] certs,
String authType)
}
}
};
+ TrustManager[] combinedTrustManagers = (TrustManager[])
Stream.of(defaultTrustManagers, trustAllCerts)
+ .flatMap(Stream::of)
+ .toArray(size -> new TrustManager[size]);
+
+ KeyManager[] keyManagersFromSystemProperties = null;
+ try {
+ KeyStore keyStoreFromSystemProperties = null;
+ char[] keyStorePassword =
System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
+ if (System.getProperty("javax.net.ssl.keyStore") != null) {
+ File keyStoreFile = new
File(System.getProperty("javax.net.ssl.keyStore"));
+ if (keyStoreFile.exists()) {
+ KeyStore keyStore =
KeyStore.getInstance(System.getProperty("javax.net.ssl.keyStoreType",
KeyStore.getDefaultType()));
+ try ( InputStream keyStoreStream = new
FileInputStream(keyStoreFile)) {
+ keyStore.load(keyStoreStream, keyStorePassword);
+ }
- // #208324: proper key managers need to be passed, so let's configure
at least the defaults...
- KeyManager[] mgrs;
- if (System.getProperty("javax.net.ssl.keyStorePassword") != null &&
// NOI18N
- System.getProperty("javax.net.ssl.keyStore") != null) { // NOI18N
- try {
- KeyStore ks = KeyStore.getInstance("JKS"); // NOI18N
- ks.load(new
FileInputStream(System.getProperty("javax.net.ssl.keyStore")), //NOI18N
-
System.getProperty("javax.net.ssl.keyStorePassword").toCharArray() //NOI18N
- );
- // Set up key manager factory to use our key store
- KeyManagerFactory kmf =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-
kmf.init(ks,System.getProperty("javax.net.ssl.keyStorePassword").toCharArray());
// NOI18N
- mgrs = kmf.getKeyManagers();
- } catch (IOException ex) {
- // this is somewhat expected, i.e. JKS file not present
- mgrs = null;
- } catch (java.security.GeneralSecurityException e) {
- ErrorManager.getDefault().notify(e);
- return;
+ keyStoreFromSystemProperties = keyStore;
+ }
}
- } else {
- mgrs = null;
+
+ KeyManagerFactory keyManagerFactory =
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ keyManagerFactory.init(keyStoreFromSystemProperties,
keyStorePassword);
+ keyManagersFromSystemProperties =
keyManagerFactory.getKeyManagers();
+ } catch (GeneralSecurityException | IOException ex) {
+ keyManagersFromSystemProperties = new KeyManager[0];
}
+
try {
SSLContext sslContext = SSLContext.getInstance("SSL"); //NOI18N
- sslContext.init(mgrs, trustAllCerts, new
java.security.SecureRandom());
+ sslContext.init(keyManagersFromSystemProperties,
combinedTrustManagers, new java.security.SecureRandom());
con.setSSLSocketFactory(sslContext.getSocketFactory());
- con.setHostnameVerifier(new HostnameVerifier() {
- public boolean verify(String string, SSLSession sSLSession) {
- // accept all hosts
- return true;
- }
- });
- } catch (java.security.GeneralSecurityException e) {
+ con.setHostnameVerifier(this::acceptAllHosts);
+ } catch (GeneralSecurityException e) {
ErrorManager.getDefault().notify(e);
}
}
-
+
+ private boolean acceptAllHosts(String host, SSLSession sslSession) {
+ return true;
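Review bot: The `combinedTrustManagers` array built at the top of the hunk does not combine anything: the JDK's default JSSE `SSLContext.init` takes the first `X509TrustManager` in the array and ignores the rest, so with `defaultTrustManagers` listed first the `trustAllCerts` manager is never consulted (and the defaults would be dead if the order were swapped). If the intent is to accept only the platform's trusted CAs, pass `defaultTrustManagers` alone and delete `trustAllCerts`; if the intent is "trust the defaults, then fall back to accepting anything", that needs a single delegating `X509TrustManager` whose `checkServerTrusted` calls the default manager in a try/catch and only falls through on `CertificateException`, with a comment stating which policy was chosen. Separately, the new `catch (GeneralSecurityException | IOException ex)` near the end of the key-store block turns a wrong `javax.net.ssl.keyStorePassword` or an unreadable keystore into a silent empty `KeyManager[]`, whereas the removed code reported `GeneralSecurityException` through `ErrorManager`; at minimum log it, e.g. `Logger.getLogger(SecureURLResourceRetriever.class.getName()).log(Level.WARNING, "Could not load keystore from javax.net.ssl.keyStore; continuing without client certificates", ex);`. The enclosing method starts before the hunk and `acceptAllHosts` closes after it.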
Review comment:
Depends on which certificates you want to support. There are:
1. trusted certificates with the CN or SAN holding the right hostname/IP
2. trusted certificates used with the wrong hostname
3. untrusted certificates, whose CN or SAN entries match the hostname
4. untrusted certificates, whose CN or SAN entries do not match the hostname
Without a custom hostname verifier configured, the system only accepts cases 1 + 3;
with a hostname verifier that accepts all hosts, cases 2 + 4 also work (though
that is less safe).
Slightly not directly related to this, maybe it is time, to create a
platform module, that adds certificate handling to the IDE. I created this
Plugin in the past:
https://plugins.netbeans.apache.org/catalogue/?id=20
https://github.com/nb-ldap-explorer/nb-ldap-explorer/tree/master/ssl_certificate_exception
https://github.com/nb-ldap-explorer/nb-ldap-explorer/blob/master/ssl_certificate_exception/src/main/java/com/google/code/nb_ldap_explorer/ssl_certificate_exception/TrustManagerImpl.java
https://github.com/nb-ldap-explorer/nb-ldap-explorer/blob/master/ssl_certificate_exception/src/main/java/com/google/code/nb_ldap_explorer/ssl_certificate_exception/HostnameVerifierImpl.java