Commit 92bb2dbd authored by zzz's avatar zzz
Block CNNIC roots also.

Only log once.
parent 5c4189ab
...@@ -32,6 +32,8 @@ import net.i2p.util.SystemVersion; ...@@ -32,6 +32,8 @@ import net.i2p.util.SystemVersion;
*/ */
public class KeyStoreUtil { public class KeyStoreUtil {
public static boolean _blacklistLogged;
public static final String DEFAULT_KEYSTORE_PASSWORD = "changeit"; public static final String DEFAULT_KEYSTORE_PASSWORD = "changeit";
private static final String DEFAULT_KEY_ALGORITHM = "RSA"; private static final String DEFAULT_KEY_ALGORITHM = "RSA";
private static final int DEFAULT_KEY_SIZE = 2048; private static final int DEFAULT_KEY_SIZE = 2048;
...@@ -41,6 +43,10 @@ public class KeyStoreUtil { ...@@ -41,6 +43,10 @@ public class KeyStoreUtil {
* No reports of these in a Java keystore but just to be safe... * No reports of these in a Java keystore but just to be safe...
*/ */
private static final BigInteger[] BLACKLIST_SERIAL = new BigInteger[] { private static final BigInteger[] BLACKLIST_SERIAL = new BigInteger[] {
// CNNIC https://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
new BigInteger("49:33:00:01".replace(":", ""), 16),
// CNNIC EV root https://bugzilla.mozilla.org/show_bug.cgi?id=607208
new BigInteger("48:9f:00:01".replace(":", ""), 16),
// Superfish http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html // Superfish http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
new BigInteger("d2:fc:13:87:a9:44:dc:e7".replace(":", ""), 16), new BigInteger("d2:fc:13:87:a9:44:dc:e7".replace(":", ""), 16),
// eDellRoot https://www.reddit.com/r/technology/comments/3twmfv/dell_ships_laptops_with_rogue_root_ca_exactly/ // eDellRoot https://www.reddit.com/r/technology/comments/3twmfv/dell_ships_laptops_with_rogue_root_ca_exactly/
...@@ -54,6 +60,8 @@ public class KeyStoreUtil { ...@@ -54,6 +60,8 @@ public class KeyStoreUtil {
* to blacklist a cert without an issuer CN. * to blacklist a cert without an issuer CN.
*/ */
private static final String[] BLACKLIST_ISSUER_CN = new String[] { private static final String[] BLACKLIST_ISSUER_CN = new String[] {
"CNNIC ROOT",
"China Internet Network Information Center EV Certificates Root",
"Superfish, Inc.", "Superfish, Inc.",
"eDellRoot" "eDellRoot"
}; };
...@@ -241,10 +249,13 @@ public class KeyStoreUtil { ...@@ -241,10 +249,13 @@ public class KeyStoreUtil {
String name = CertUtil.getIssuerValue(xc, "CN"); String name = CertUtil.getIssuerValue(xc, "CN");
if (BLACKLIST_ISSUER_CN[i].equals(name)) { if (BLACKLIST_ISSUER_CN[i].equals(name)) {
ks.deleteEntry(alias); ks.deleteEntry(alias);
warn("Ignoring blacklisted certificate \"" + alias +
"\" issued by: \"" + name +
"\" s/n: " + serial.toString(16), null);
count++; count++;
if (!_blacklistLogged) {
// should this be a logAlways?
warn("Ignoring blacklisted certificate \"" + alias +
"\" issued by: \"" + name +
"\" s/n: " + serial.toString(16), null);
}
} }
} }
} }
...@@ -252,6 +263,8 @@ public class KeyStoreUtil { ...@@ -252,6 +263,8 @@ public class KeyStoreUtil {
} }
} }
} catch (GeneralSecurityException e) {} } catch (GeneralSecurityException e) {}
if (count > 0)
_blacklistLogged = true;
return count; return count;
} }
...@@ -278,7 +291,8 @@ public class KeyStoreUtil { ...@@ -278,7 +291,8 @@ public class KeyStoreUtil {
String alias = f.getName().toLowerCase(Locale.US); String alias = f.getName().toLowerCase(Locale.US);
if (alias.endsWith(".crt") || alias.endsWith(".pem") || alias.endsWith(".key") || if (alias.endsWith(".crt") || alias.endsWith(".pem") || alias.endsWith(".key") ||
alias.endsWith(".der") || alias.endsWith(".key") || alias.endsWith(".p7b") || alias.endsWith(".der") || alias.endsWith(".key") || alias.endsWith(".p7b") ||
alias.endsWith(".p7c") || alias.endsWith(".pfx") || alias.endsWith(".p12")) alias.endsWith(".p7c") || alias.endsWith(".pfx") || alias.endsWith(".p12") ||
alias.endsWith(".cer"))
alias = alias.substring(0, alias.length() - 4); alias = alias.substring(0, alias.length() - 4);
boolean success = addCert(f, alias, ks); boolean success = addCert(f, alias, ks);
if (success) if (success)
...@@ -605,6 +619,7 @@ public class KeyStoreUtil { ...@@ -605,6 +619,7 @@ public class KeyStoreUtil {
System.out.println("Found " + count + " certs in " + ksf); System.out.println("Found " + count + " certs in " + ksf);
if (count > 0) { if (count > 0) {
// rerun blacklist as a test // rerun blacklist as a test
_blacklistLogged = false;
count = removeBlacklistedCerts(ks); count = removeBlacklistedCerts(ks);
if (count > 0) if (count > 0)
System.out.println("Found " + count + " blacklisted certs in " + ksf); System.out.println("Found " + count + " blacklisted certs in " + ksf);
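Review bot: The once-only guard at `if (!_blacklistLogged)` silences the warning for every later keystore, not just for repeat scans of the same one, because `_blacklistLogged` is set after the loop whenever any call removed a cert (`if (count > 0) _blacklistLogged = true;`) and is never keyed by keystore, alias or serial; a blacklisted root found in a second keystore is then deleted with no log line at all, which loses the only operator-visible trace of the removal. Within a single call the guard has no effect, since the flag is only raised after the loop finishes, so "once" here means once per process rather than once per hit. If the goal is to quiet repeat runs over the same store, consider keying the guard on what was actually removed (e.g. a static `Set<String>` of serials already logged, checked and updated inside the `if`) or still emitting the suppressed hits at a lower log level rather than dropping them; the `// should this be a logAlways?` question is better settled in the commit than left as a comment. The field itself can be `private static boolean _blacklistLogged;` since its only reset is the test `main` in this same class. The enclosing loop and method begin before this hunk.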