1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
|
/*******************************************************************************
* Copyright (c) 2008, 2017 IBM Corporation and others.
*
* This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
* https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*
* Contributors:
* IBM Corporation - initial API and implementation
*******************************************************************************/
package org.eclipse.equinox.internal.p2.engine.phases;
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.util.*;
import java.util.Map.Entry;
import java.util.stream.Collectors;
import org.bouncycastle.openpgp.*;
import org.eclipse.core.runtime.IStatus;
import org.eclipse.core.runtime.Status;
import org.eclipse.equinox.internal.p2.artifact.processors.pgp.PGPSignatureVerifier;
import org.eclipse.equinox.internal.p2.engine.*;
import org.eclipse.equinox.p2.core.IProvisioningAgent;
import org.eclipse.equinox.p2.core.UIServices;
import org.eclipse.equinox.p2.core.UIServices.TrustInfo;
import org.eclipse.equinox.p2.engine.IProfile;
import org.eclipse.equinox.p2.engine.IProfileRegistry;
import org.eclipse.equinox.p2.repository.artifact.IArtifactDescriptor;
import org.eclipse.osgi.service.security.TrustEngine;
import org.eclipse.osgi.signedcontent.*;
import org.eclipse.osgi.util.NLS;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.util.tracker.ServiceTracker;
/**
* Checks the certificates or PGP signatures on a set of files or artifacts and
* reports back any problems with unsigned artifacts, untrusted certificates, or
* tampered content.
*/
public class CertificateChecker {
private static final String DEBUG_PREFIX = "certificate checker"; //$NON-NLS-1$
public static final String TRUSTED_KEY_STORE_PROPERTY = "pgp.trustedPublicKeys"; //$NON-NLS-1$
/**
* Stores artifacts to check
*/
private Map<IArtifactDescriptor, File> artifacts = new HashMap<>();
private final IProvisioningAgent agent;
private Set<PGPPublicKey> trustedKeys;
public CertificateChecker() {
this(null);
}
public CertificateChecker(IProvisioningAgent agent) {
this.agent = agent;
artifacts = new HashMap<>();
}
public IStatus start() {
final BundleContext context = EngineActivator.getContext();
ServiceReference<SignedContentFactory> contentFactoryRef = context.getServiceReference(SignedContentFactory.class);
SignedContentFactory verifierFactory = context.getService(contentFactoryRef);
try {
return checkCertificates(verifierFactory);
} finally {
context.ungetService(contentFactoryRef);
}
}
private IStatus checkCertificates(SignedContentFactory verifierFactory) {
UIServices serviceUI = agent.getService(UIServices.class);
ArrayList<Certificate> untrustedCertificates = new ArrayList<>();
Map<IArtifactDescriptor, Collection<PGPPublicKey>> untrustedPGPArtifacts = new HashMap<>();
Map<IArtifactDescriptor, File> unsigned = new HashMap<>();
ArrayList<Certificate[]> untrustedChain = new ArrayList<>();
Map<Certificate, Collection<File>> untrustedArtifacts = new HashMap<>();
IStatus status = Status.OK_STATUS;
if (artifacts.isEmpty() || serviceUI == null) {
return status;
}
Set<Long> trustedKeysIds = new HashSet<>();
for (Entry<IArtifactDescriptor, File> artifact : artifacts.entrySet()) {
File artifactFile = artifact.getValue();
try {
SignedContent content = verifierFactory.getSignedContent(artifactFile);
if (content.isSigned()) {
SignerInfo[] signerInfo = content.getSignerInfos();
if (Arrays.stream(signerInfo).noneMatch(SignerInfo::isTrusted)) {
// Only record the untrusted elements if there are no trusted elements.
for (SignerInfo element : signerInfo) {
if (!element.isTrusted()) {
Certificate[] certificateChain = element.getCertificateChain();
if (!untrustedCertificates.contains(certificateChain[0])) {
untrustedCertificates.add(certificateChain[0]);
untrustedChain.add(certificateChain);
}
if (DebugHelper.DEBUG_CERTIFICATE_CHECKER_UNTRUSTED) {
untrustedArtifacts.computeIfAbsent(certificateChain[0], key -> new ArrayList<>())
.add(artifactFile);
}
}
}
}
} else {
Collection<PGPSignature> signatures = PGPSignatureVerifier.getSignatures(artifact.getKey());
if (!signatures.isEmpty()) {
if (trustedKeys == null) {
trustedKeys = buildPGPTrustore();
}
if (trustedKeysIds.isEmpty() && !trustedKeys.isEmpty()) {
trustedKeysIds.addAll(trustedKeys.stream()
.map(PGPPublicKey::getKeyID).map(Long::valueOf).collect(Collectors.toSet()));
}
if (signatures.stream().map(PGPSignature::getKeyID).noneMatch(trustedKeysIds::contains)) {
untrustedPGPArtifacts.put(artifact.getKey(),
signatures.stream().map(PGPSignature::getKeyID)
.map(id -> findKey(id, artifact.getKey()))
.filter(Objects::nonNull)
.collect(Collectors.toList()));
}
} else {
unsigned.put(artifact.getKey(), artifactFile);
}
}
} catch (GeneralSecurityException | PGPException e) {
return new Status(IStatus.ERROR, EngineActivator.ID, Messages.CertificateChecker_SignedContentError, e);
} catch (IOException e) {
return new Status(IStatus.ERROR, EngineActivator.ID, Messages.CertificateChecker_SignedContentIOError, e);
}
}
// log the unsigned artifacts if requested
if (DebugHelper.DEBUG_CERTIFICATE_CHECKER_UNSIGNED && !unsigned.isEmpty()) {
StringBuilder message = new StringBuilder("The following artifacts are unsigned:\n"); //$NON-NLS-1$
for (File file : unsigned.values()) {
message.append(NLS.bind(" {0}\n", file.getPath())); //$NON-NLS-1$
}
DebugHelper.debug(DEBUG_PREFIX, message.toString());
}
// log the untrusted certificates if requested
if (DebugHelper.DEBUG_CERTIFICATE_CHECKER_UNTRUSTED && !untrustedCertificates.isEmpty()) {
StringBuilder message = new StringBuilder("The following certificates are untrusted:\n"); //$NON-NLS-1$
for (Certificate cert : untrustedArtifacts.keySet()) {
message.append(cert.toString() + "\n"); //$NON-NLS-1$
message.append(" used by the following artifacts:\n"); //$NON-NLS-1$
for (File file : untrustedArtifacts.get(cert)) {
message.append(NLS.bind(" {0}\n", file.getPath())); //$NON-NLS-1$
}
}
DebugHelper.debug(DEBUG_PREFIX, message.toString());
}
Set<PGPPublicKey> untrustedPGPKeys = untrustedPGPArtifacts.values().stream().flatMap(Collection::stream)
.collect(Collectors.toSet());
if (DebugHelper.DEBUG_CERTIFICATE_CHECKER_UNTRUSTED && !untrustedPGPKeys.isEmpty()) {
StringBuilder message = new StringBuilder("The following PGP Keys are untrusted:\n"); //$NON-NLS-1$
for (PGPPublicKey untrustedKey : untrustedPGPKeys) {
message.append(Long.toHexString(untrustedKey.getKeyID()) + "\n"); //$NON-NLS-1$
message.append(" used by the following artifacts:\n"); //$NON-NLS-1$
for (Entry<IArtifactDescriptor, Collection<PGPPublicKey>> entry : untrustedPGPArtifacts.entrySet()) {
if (entry.getValue().stream().anyMatch(signer -> signer.getKeyID() == untrustedKey.getKeyID())) {
message.append(NLS.bind(" {0}\n", entry.getKey().getArtifactKey())); //$NON-NLS-1$
}
}
}
DebugHelper.debug(DEBUG_PREFIX, message.toString());
}
String policy = getUnsignedContentPolicy();
//if there is unsigned content and we should never allow it, then fail without further checking certificates
if (!unsigned.isEmpty() && EngineActivator.UNSIGNED_FAIL.equals(policy)) {
return new Status(IStatus.ERROR, EngineActivator.ID, NLS.bind(Messages.CertificateChecker_UnsignedNotAllowed, unsigned));
}
String[] details = EngineActivator.UNSIGNED_ALLOW.equals(policy) || unsigned.isEmpty() ? null
: unsigned.values().stream().map(Object::toString).toArray(String[]::new);
Certificate[][] unTrustedCertificateChains = untrustedCertificates.isEmpty() ? null
: untrustedChain.toArray(Certificate[][]::new);
// If there was no unsigned content, and nothing untrusted, no need to prompt.
if (details == null && unTrustedCertificateChains == null && untrustedPGPArtifacts.isEmpty()) {
return status;
}
TrustInfo trustInfo = serviceUI.getTrustInfo(unTrustedCertificateChains,
untrustedPGPKeys,
details);
// If user doesn't trust unsigned content, cancel the operation
if (!unsigned.isEmpty() && !trustInfo.trustUnsignedContent()) {
return Status.CANCEL_STATUS;
}
Certificate[] trustedCertificates = trustInfo.getTrustedCertificates();
// If we had untrusted chains and nothing was trusted, cancel the operation
if (unTrustedCertificateChains != null && trustedCertificates == null) {
return new Status(IStatus.CANCEL, EngineActivator.ID, Messages.CertificateChecker_CertificateRejected);
}
// Anything that was trusted should be removed from the untrusted list
if (trustedCertificates != null) {
for (Certificate trustedCertificate : trustedCertificates) {
untrustedCertificates.remove(trustedCertificate);
}
}
trustedKeysIds
.addAll(trustInfo.getTrustedPGPKeys().stream().map(PGPPublicKey::getKeyID).collect(Collectors.toSet()));
untrustedPGPArtifacts.values().removeIf(
pgpKeys -> pgpKeys.stream().anyMatch(untrusted -> trustedKeysIds.contains(untrusted.getKeyID())));
// If there is still untrusted content, cancel the operation
if (!untrustedCertificates.isEmpty() || !untrustedPGPArtifacts.isEmpty()) {
return new Status(IStatus.CANCEL, EngineActivator.ID, Messages.CertificateChecker_CertificateRejected);
}
// If we should persist the trusted certificates, add them to the trust engine
if (trustInfo.persistTrust()) {
return persistTrustedCertificates(trustedCertificates);
// do not persist PGP key at the moment
}
return status;
}
private PGPPublicKey findKey(long id, IArtifactDescriptor artifact) {
PGPPublicKey key = PGPSignatureVerifier.keystore.getKey(id);
if (key != null) {
return key;
}
// in case keys from artifact were not imported yet in keystore, add them
PGPSignatureVerifier.keystore.addKeys(artifact.getProperty(PGPSignatureVerifier.PGP_SIGNER_KEYS_PROPERTY_NAME));
return PGPSignatureVerifier.keystore.getKey(id);
}
private IStatus persistTrustedCertificates(Certificate[] trustedCertificates) {
if (trustedCertificates == null)
// I'm pretty sure this would be a bug; trustedCertificates should never be null here.
return new Status(IStatus.INFO, EngineActivator.ID, Messages.CertificateChecker_CertificateRejected);
ServiceTracker<TrustEngine, TrustEngine> trustEngineTracker = new ServiceTracker<>(EngineActivator.getContext(), TrustEngine.class, null);
trustEngineTracker.open();
Object[] trustEngines = trustEngineTracker.getServices();
try {
if (trustEngines == null)
return null;
for (Certificate trustedCertificate : trustedCertificates) {
for (Object engine : trustEngines) {
TrustEngine trustEngine = (TrustEngine) engine;
if (trustEngine.isReadOnly())
continue;
try {
trustEngine.addTrustAnchor(trustedCertificate, trustedCertificate.toString());
// this should mean we added an anchor successfully; continue to next certificate
break;
} catch (IOException e) {
//just return an INFO so the user can proceed with the install
return new Status(IStatus.INFO, EngineActivator.ID, Messages.CertificateChecker_KeystoreConnectionError, e);
} catch (GeneralSecurityException e) {
return new Status(IStatus.INFO, EngineActivator.ID, Messages.CertificateChecker_CertificateError, e);
}
}
}
} finally {
trustEngineTracker.close();
}
return Status.OK_STATUS;
}
/**
* Return the policy on unsigned content.
*/
private String getUnsignedContentPolicy() {
String policy = EngineActivator.getContext().getProperty(EngineActivator.PROP_UNSIGNED_POLICY);
if (policy == null)
policy = EngineActivator.UNSIGNED_PROMPT;
return policy;
}
public void add(Map<IArtifactDescriptor, File> toAdd) {
artifacts.putAll(toAdd);
}
public Set<PGPPublicKey> buildPGPTrustore() {
IProfile profile = agent.getService(IProfileRegistry.class).getProfile(IProfileRegistry.SELF);
Set<PGPPublicKey> store = new HashSet<>(
PGPSignatureVerifier.readPublicKeys(profile.getProperty(TRUSTED_KEY_STORE_PROPERTY)));
//// SECURITY ISSUE: next lines become an attack vector as we have no guarantee
//// the metadata of those IUs is safe/were signed.
//// https://bugs.eclipse.org/bugs/show_bug.cgi?id=576705#c4
// profile.query(QueryUtil.ALL_UNITS, new NullProgressMonitor()).forEach(
// iu ->
// store.addAll(PGPSignatureVerifier.readPublicKeys(iu.getProperty(TRUSTED_KEY_STORE_PROPERTY))));
store.forEach(PGPSignatureVerifier.keystore::addKey);
return store;
}
}
|
