Accepting request 511645 from home:michalsrb:branches:X11:XOrg
- U_allow_multiple_certs_with_same_dn_in_saved_certs_file.patch, U_handle_certificate_verification_for_saved_certs_correctly.patch * Fix certificate handling in the java client. (bnc#1041847) - Refresh u_tigervnc-add-autoaccept-parameter.patch and apply it last. - Make sure CN in generated certificate doesn't exceed 64 characters. (bnc#1041847) OBS-URL: https://build.opensuse.org/request/show/511645 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/tigervnc?expand=0&rev=114
This commit is contained in:
parent
7da6607028
commit
a8036d64a3
@ -0,0 +1,87 @@
|
|||||||
|
Git-commit: 7fcc8614e1ff8c19fd3a1a275fa5ab6eda28f6bd
|
||||||
|
Author: "Brian P. Hinz" <bphinz@users.sf.net>
|
||||||
|
Subject: Allow multiple certs with same DN in saved certs file.
|
||||||
|
Signed-off-by: Michal Srb <msrb@suse.com>
|
||||||
|
References: bnc#1041847
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||||
|
index 4b20e0bf..08aa1125 100644
|
||||||
|
--- a/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||||
|
+++ b/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||||
|
@@ -218,9 +218,8 @@ public class CSecurityTLS extends CSecurity {
|
||||||
|
Collection<? extends Certificate> cacerts =
|
||||||
|
cf.generateCertificates(caStream);
|
||||||
|
for (Certificate cert : cacerts) {
|
||||||
|
- String dn =
|
||||||
|
- ((X509Certificate)cert).getSubjectX500Principal().getName();
|
||||||
|
- ks.setCertificateEntry(dn, (X509Certificate)cert);
|
||||||
|
+ String thumbprint = getThumbprint((X509Certificate)cert);
|
||||||
|
+ ks.setCertificateEntry(thumbprint, (X509Certificate)cert);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
File cacert = new File(cafile);
|
||||||
|
@@ -229,9 +228,8 @@ public class CSecurityTLS extends CSecurity {
|
||||||
|
Collection<? extends Certificate> cacerts =
|
||||||
|
cf.generateCertificates(caStream);
|
||||||
|
for (Certificate cert : cacerts) {
|
||||||
|
- String dn =
|
||||||
|
- ((X509Certificate)cert).getSubjectX500Principal().getName();
|
||||||
|
- ks.setCertificateEntry(dn, (X509Certificate)cert);
|
||||||
|
+ String thumbprint = getThumbprint((X509Certificate)cert);
|
||||||
|
+ ks.setCertificateEntry(thumbprint, (X509Certificate)cert);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
PKIXBuilderParameters params =
|
||||||
|
@@ -264,19 +262,13 @@ public class CSecurityTLS extends CSecurity {
|
||||||
|
public void checkServerTrusted(X509Certificate[] chain, String authType)
|
||||||
|
throws CertificateException
|
||||||
|
{
|
||||||
|
- MessageDigest md = null;
|
||||||
|
try {
|
||||||
|
- md = MessageDigest.getInstance("SHA-1");
|
||||||
|
verifyHostname(chain[0]);
|
||||||
|
tm.checkServerTrusted(chain, authType);
|
||||||
|
} catch (java.lang.Exception e) {
|
||||||
|
if (e.getCause() instanceof CertPathBuilderException) {
|
||||||
|
Object[] answer = {"YES", "NO"};
|
||||||
|
X509Certificate cert = chain[0];
|
||||||
|
- md.update(cert.getEncoded());
|
||||||
|
- String thumbprint =
|
||||||
|
- DatatypeConverter.printHexBinary(md.digest());
|
||||||
|
- thumbprint = thumbprint.replaceAll("..(?!$)", "$0 ");
|
||||||
|
int ret = JOptionPane.showOptionDialog(null,
|
||||||
|
"This certificate has been signed by an unknown authority\n"+
|
||||||
|
"\n"+
|
||||||
|
@@ -287,7 +279,7 @@ public class CSecurityTLS extends CSecurity {
|
||||||
|
" Signature Algorithm: "+cert.getPublicKey().getAlgorithm()+"\n"+
|
||||||
|
" Not Valid Before: "+cert.getNotBefore()+"\n"+
|
||||||
|
" Not Valid After: "+cert.getNotAfter()+"\n"+
|
||||||
|
- " SHA1 Fingerprint: "+thumbprint+"\n"+
|
||||||
|
+ " SHA1 Fingerprint: "+getThumbprint(cert)+"\n"+
|
||||||
|
"\n"+
|
||||||
|
"Do you want to save it and continue?",
|
||||||
|
"Certificate Issuer Unknown",
|
||||||
|
@@ -351,6 +343,22 @@ public class CSecurityTLS extends CSecurity {
|
||||||
|
return tm.getAcceptedIssuers();
|
||||||
|
}
|
||||||
|
|
||||||
|
+ private String getThumbprint(X509Certificate cert)
|
||||||
|
+ {
|
||||||
|
+ String thumbprint = null;
|
||||||
|
+ try {
|
||||||
|
+ MessageDigest md = MessageDigest.getInstance("SHA-1");
|
||||||
|
+ md.update(cert.getEncoded());
|
||||||
|
+ thumbprint = DatatypeConverter.printHexBinary(md.digest());
|
||||||
|
+ thumbprint = thumbprint.replaceAll("..(?!$)", "$0 ");
|
||||||
|
+ } catch(CertificateEncodingException e) {
|
||||||
|
+ throw new SystemException(e.getMessage());
|
||||||
|
+ } catch(NoSuchAlgorithmException e) {
|
||||||
|
+ throw new SystemException(e.getMessage());
|
||||||
|
+ }
|
||||||
|
+ return thumbprint;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
private void verifyHostname(X509Certificate cert)
|
||||||
|
throws CertificateParsingException
|
||||||
|
{
|
@ -0,0 +1,131 @@
|
|||||||
|
Git-commit: 79314c2f6abef363a83cc406de5d6628410e53e5
|
||||||
|
Author: "Brian P. Hinz" <bphinz@users.sf.net>
|
||||||
|
Subject: Handle certificate verification for saved certs correctly
|
||||||
|
Signed-off-by: Michal Srb <msrb@suse.com>
|
||||||
|
References: bnc#1041847
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||||
|
index 08aa1125..733e97d4 100644
|
||||||
|
--- a/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||||
|
+++ b/java/com/tigervnc/rfb/CSecurityTLS.java
|
||||||
|
@@ -3,7 +3,7 @@
|
||||||
|
* Copyright (C) 2005 Martin Koegler
|
||||||
|
* Copyright (C) 2010 m-privacy GmbH
|
||||||
|
* Copyright (C) 2010 TigerVNC Team
|
||||||
|
- * Copyright (C) 2011-2015 Brian P. Hinz
|
||||||
|
+ * Copyright (C) 2011-2017 Brian P. Hinz
|
||||||
|
* Copyright (C) 2015 D. R. Commander. All Rights Reserved.
|
||||||
|
*
|
||||||
|
* This is free software; you can redistribute it and/or modify
|
||||||
|
@@ -211,17 +211,7 @@ public class CSecurityTLS extends CSecurity {
|
||||||
|
for (TrustManager m : tmf.getTrustManagers())
|
||||||
|
if (m instanceof X509TrustManager)
|
||||||
|
for (X509Certificate c : ((X509TrustManager)m).getAcceptedIssuers())
|
||||||
|
- ks.setCertificateEntry(c.getSubjectX500Principal().getName(), c);
|
||||||
|
- File castore = new File(FileUtils.getVncHomeDir()+"x509_savedcerts.pem");
|
||||||
|
- if (castore.exists() && castore.canRead()) {
|
||||||
|
- InputStream caStream = new MyFileInputStream(castore);
|
||||||
|
- Collection<? extends Certificate> cacerts =
|
||||||
|
- cf.generateCertificates(caStream);
|
||||||
|
- for (Certificate cert : cacerts) {
|
||||||
|
- String thumbprint = getThumbprint((X509Certificate)cert);
|
||||||
|
- ks.setCertificateEntry(thumbprint, (X509Certificate)cert);
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
+ ks.setCertificateEntry(getThumbprint((X509Certificate)c), c);
|
||||||
|
File cacert = new File(cafile);
|
||||||
|
if (cacert.exists() && cacert.canRead()) {
|
||||||
|
InputStream caStream = new MyFileInputStream(cacert);
|
||||||
|
@@ -262,13 +252,25 @@ public class CSecurityTLS extends CSecurity {
|
||||||
|
public void checkServerTrusted(X509Certificate[] chain, String authType)
|
||||||
|
throws CertificateException
|
||||||
|
{
|
||||||
|
+ Collection<? extends Certificate> certs = null;
|
||||||
|
+ X509Certificate cert = chain[0];
|
||||||
|
+ String thumbprint = getThumbprint(cert);
|
||||||
|
+ File vncDir = new File(FileUtils.getVncHomeDir());
|
||||||
|
+ File certFile = new File(vncDir, "x509_savedcerts.pem");
|
||||||
|
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||||
|
+ if (vncDir.exists() && certFile.exists() && certFile.canRead()) {
|
||||||
|
+ InputStream certStream = new MyFileInputStream(certFile);
|
||||||
|
+ certs = cf.generateCertificates(certStream);
|
||||||
|
+ for (Certificate c : certs)
|
||||||
|
+ if (thumbprint.equals(getThumbprint((X509Certificate)c)))
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
try {
|
||||||
|
- verifyHostname(chain[0]);
|
||||||
|
+ verifyHostname(cert);
|
||||||
|
tm.checkServerTrusted(chain, authType);
|
||||||
|
} catch (java.lang.Exception e) {
|
||||||
|
if (e.getCause() instanceof CertPathBuilderException) {
|
||||||
|
Object[] answer = {"YES", "NO"};
|
||||||
|
- X509Certificate cert = chain[0];
|
||||||
|
int ret = JOptionPane.showOptionDialog(null,
|
||||||
|
"This certificate has been signed by an unknown authority\n"+
|
||||||
|
"\n"+
|
||||||
|
@@ -286,13 +288,10 @@ public class CSecurityTLS extends CSecurity {
|
||||||
|
JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE,
|
||||||
|
null, answer, answer[0]);
|
||||||
|
if (ret == JOptionPane.YES_OPTION) {
|
||||||
|
- Collection<? extends X509Certificate> cacerts = null;
|
||||||
|
- File vncDir = new File(FileUtils.getVncHomeDir());
|
||||||
|
- File caFile = new File(vncDir, "x509_savedcerts.pem");
|
||||||
|
try {
|
||||||
|
if (!vncDir.exists())
|
||||||
|
vncDir.mkdir();
|
||||||
|
- if (!caFile.createNewFile()) {
|
||||||
|
+ if (!certFile.exists() && !certFile.createNewFile()) {
|
||||||
|
vlog.error("Certificate save failed.");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
@@ -301,31 +300,24 @@ public class CSecurityTLS extends CSecurity {
|
||||||
|
vlog.error("Certificate save failed: "+ioe.getMessage());
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
- InputStream caStream = new MyFileInputStream(caFile);
|
||||||
|
- CertificateFactory cf =
|
||||||
|
- CertificateFactory.getInstance("X.509");
|
||||||
|
- cacerts =
|
||||||
|
- (Collection <? extends X509Certificate>)cf.generateCertificates(caStream);
|
||||||
|
- for (int i = 0; i < chain.length; i++) {
|
||||||
|
- if (cacerts == null || !cacerts.contains(chain[i])) {
|
||||||
|
- byte[] der = chain[i].getEncoded();
|
||||||
|
- String pem = DatatypeConverter.printBase64Binary(der);
|
||||||
|
- pem = pem.replaceAll("(.{64})", "$1\n");
|
||||||
|
- FileWriter fw = null;
|
||||||
|
+ if (certs == null || !certs.contains(cert)) {
|
||||||
|
+ byte[] der = cert.getEncoded();
|
||||||
|
+ String pem = DatatypeConverter.printBase64Binary(der);
|
||||||
|
+ pem = pem.replaceAll("(.{64})", "$1\n");
|
||||||
|
+ FileWriter fw = null;
|
||||||
|
+ try {
|
||||||
|
+ fw = new FileWriter(certFile.getAbsolutePath(), true);
|
||||||
|
+ fw.write("-----BEGIN CERTIFICATE-----\n");
|
||||||
|
+ fw.write(pem+"\n");
|
||||||
|
+ fw.write("-----END CERTIFICATE-----\n");
|
||||||
|
+ } catch (IOException ioe) {
|
||||||
|
+ throw new Exception(ioe.getMessage());
|
||||||
|
+ } finally {
|
||||||
|
try {
|
||||||
|
- fw = new FileWriter(caFile.getAbsolutePath(), true);
|
||||||
|
- fw.write("-----BEGIN CERTIFICATE-----\n");
|
||||||
|
- fw.write(pem+"\n");
|
||||||
|
- fw.write("-----END CERTIFICATE-----\n");
|
||||||
|
- } catch (IOException ioe) {
|
||||||
|
- throw new Exception(ioe.getMessage());
|
||||||
|
- } finally {
|
||||||
|
- try {
|
||||||
|
- if (fw != null)
|
||||||
|
- fw.close();
|
||||||
|
- } catch(IOException ioe2) {
|
||||||
|
- throw new Exception(ioe2.getMessage());
|
||||||
|
- }
|
||||||
|
+ if (fw != null)
|
||||||
|
+ fw.close();
|
||||||
|
+ } catch(IOException ioe2) {
|
||||||
|
+ throw new Exception(ioe2.getMessage());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -1,3 +1,16 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jul 20 07:49:41 UTC 2017 - msrb@suse.com
|
||||||
|
|
||||||
|
- U_allow_multiple_certs_with_same_dn_in_saved_certs_file.patch,
|
||||||
|
U_handle_certificate_verification_for_saved_certs_correctly.patch
|
||||||
|
* Fix certificate handling in the java client. (bnc#1041847)
|
||||||
|
|
||||||
|
- Refresh u_tigervnc-add-autoaccept-parameter.patch and apply it
|
||||||
|
last.
|
||||||
|
|
||||||
|
- Make sure CN in generated certificate doesn't exceed 64
|
||||||
|
characters. (bnc#1041847)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Jul 7 08:06:00 UTC 2017 - msrb@suse.com
|
Fri Jul 7 08:06:00 UTC 2017 - msrb@suse.com
|
||||||
|
|
||||||
|
@ -116,10 +116,12 @@ Patch2: tigervnc-clean-pressed-key-on-exit.patch
|
|||||||
Patch3: u_tigervnc-ignore-epipe-on-write.patch
|
Patch3: u_tigervnc-ignore-epipe-on-write.patch
|
||||||
Patch4: n_tigervnc-date-time.patch
|
Patch4: n_tigervnc-date-time.patch
|
||||||
Patch5: u_tigervnc-cve-2014-8240.patch
|
Patch5: u_tigervnc-cve-2014-8240.patch
|
||||||
Patch6: u_tigervnc-add-autoaccept-parameter.patch
|
Patch6: u_tigervnc_update_default_vncxstartup.patch
|
||||||
Patch7: u_tigervnc_update_default_vncxstartup.patch
|
Patch7: u_build_libXvnc_as_separate_library.patch
|
||||||
Patch8: u_build_libXvnc_as_separate_library.patch
|
Patch8: u_tigervnc-show-unencrypted-warning.patch
|
||||||
Patch9: u_tigervnc-show-unencrypted-warning.patch
|
Patch9: U_allow_multiple_certs_with_same_dn_in_saved_certs_file.patch
|
||||||
|
Patch10: U_handle_certificate_verification_for_saved_certs_correctly.patch
|
||||||
|
Patch11: u_tigervnc-add-autoaccept-parameter.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing),
|
TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing),
|
||||||
@ -180,6 +182,8 @@ cp -r /usr/src/xserver/* unix/xserver/
|
|||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
|
|
||||||
pushd unix/xserver
|
pushd unix/xserver
|
||||||
patch -p1 < ../xserver119.patch
|
patch -p1 < ../xserver119.patch
|
||||||
|
@ -20,19 +20,18 @@ Index: tigervnc-1.8.0/java/com/tigervnc/rfb/CSecurityTLS.java
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static String getDefaultCA() {
|
public static String getDefaultCA() {
|
||||||
@@ -277,6 +281,11 @@ public class CSecurityTLS extends CSecur
|
@@ -270,6 +274,10 @@ public class CSecurityTLS extends CSecur
|
||||||
String thumbprint =
|
tm.checkServerTrusted(chain, authType);
|
||||||
DatatypeConverter.printHexBinary(md.digest());
|
} catch (java.lang.Exception e) {
|
||||||
thumbprint = thumbprint.replaceAll("..(?!$)", "$0 ");
|
if (e.getCause() instanceof CertPathBuilderException) {
|
||||||
+
|
|
||||||
+ if (certautoaccept != null && thumbprint.equalsIgnoreCase(certautoaccept)) {
|
+ if (certautoaccept != null && thumbprint.equalsIgnoreCase(certautoaccept)) {
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
|
Object[] answer = {"YES", "NO"};
|
||||||
int ret = JOptionPane.showOptionDialog(null,
|
int ret = JOptionPane.showOptionDialog(null,
|
||||||
"This certificate has been signed by an unknown authority\n"+
|
"This certificate has been signed by an unknown authority\n"+
|
||||||
"\n"+
|
@@ -466,7 +474,7 @@ public class CSecurityTLS extends CSecur
|
||||||
@@ -466,7 +475,7 @@ public class CSecurityTLS extends CSecur
|
|
||||||
private SSLEngineManager manager;
|
private SSLEngineManager manager;
|
||||||
private boolean anon;
|
private boolean anon;
|
||||||
|
|
||||||
|
@ -26,6 +26,7 @@ fi
|
|||||||
if ! test -e $TLSCERT ; then
|
if ! test -e $TLSCERT ; then
|
||||||
# Keeping it short, because hostname could be long and max CN is 64 characters
|
# Keeping it short, because hostname could be long and max CN is 64 characters
|
||||||
CN="VNC service on `hostname`"
|
CN="VNC service on `hostname`"
|
||||||
|
CN=${CN:0:64}
|
||||||
openssl req -new -x509 -extensions usr_cert -key $TLSKEY -out $TLSCERT -days 7305 -subj "/CN=$CN/"
|
openssl req -new -x509 -extensions usr_cert -key $TLSKEY -out $TLSCERT -days 7305 -subj "/CN=$CN/"
|
||||||
chown vnc:vnc $TLSCERT
|
chown vnc:vnc $TLSCERT
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user