Hello community, here is the log from the commit of package tigervnc for openSUSE:Factory checked in at 2017-08-08 11:57:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tigervnc (Old) and /work/SRC/openSUSE:Factory/.tigervnc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "tigervnc" Tue Aug 8 11:57:50 2017 rev:42 rq:511646 version:1.8.0 Changes: -------- --- /work/SRC/openSUSE:Factory/tigervnc/tigervnc.changes 2017-06-16 10:53:29.710379631 +0200 +++ /work/SRC/openSUSE:Factory/.tigervnc.new/tigervnc.changes 2017-08-08 11:57:50.383853443 +0200 @@ -1,0 +2,19 @@ +Thu Jul 20 07:49:41 UTC 2017 - msrb@suse.com + +- U_allow_multiple_certs_with_same_dn_in_saved_certs_file.patch, + U_handle_certificate_verification_for_saved_certs_correctly.patch + * Fix certificate handling in the java client. (bnc#1041847) + +- Refresh u_tigervnc-add-autoaccept-parameter.patch and apply it + last. + +- Make sure CN in generated certificate doesn't exceed 64 + characters. (bnc#1041847) + +------------------------------------------------------------------- +Fri Jul 7 08:06:00 UTC 2017 - msrb@suse.com + +- Change with-vnc-key.sh to generate TLS certificate using current + hostname. (bnc#1041847) + +------------------------------------------------------------------- New: ---- U_allow_multiple_certs_with_same_dn_in_saved_certs_file.patch U_handle_certificate_verification_for_saved_certs_correctly.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tigervnc.spec ++++++ --- /var/tmp/diff_new_pack.s02rYR/_old 2017-08-08 11:57:51.935634886 +0200 +++ /var/tmp/diff_new_pack.s02rYR/_new 2017-08-08 11:57:51.955632069 +0200 
@@ -116,10 +116,12 @@ Patch3: u_tigervnc-ignore-epipe-on-write.patch Patch4: n_tigervnc-date-time.patch Patch5: u_tigervnc-cve-2014-8240.patch -Patch6: u_tigervnc-add-autoaccept-parameter.patch -Patch7: u_tigervnc_update_default_vncxstartup.patch -Patch8: u_build_libXvnc_as_separate_library.patch -Patch9: u_tigervnc-show-unencrypted-warning.patch +Patch6: u_tigervnc_update_default_vncxstartup.patch +Patch7: u_build_libXvnc_as_separate_library.patch +Patch8: u_tigervnc-show-unencrypted-warning.patch +Patch9: U_allow_multiple_certs_with_same_dn_in_saved_certs_file.patch +Patch10: U_handle_certificate_verification_for_saved_certs_correctly.patch +Patch11: u_tigervnc-add-autoaccept-parameter.patch %description TigerVNC is a high-performance, platform-neutral implementation of VNC (Virtual Network Computing), @@ -143,6 +145,8 @@ Requires: xkbcomp Requires: xkeyboard-config Requires: xorg-x11-fonts-core +# For the with-vnc-key.sh script +Requires: /bin/hostname Provides: xorg-x11-Xvnc:/usr/lib/vnc/with-vnc-key.sh Summary: TigerVNC implementation of Xvnc Group: System/X11/Servers/XF86_4 @@ -178,6 +182,8 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 pushd unix/xserver patch -p1 < ../xserver119.patch ++++++ U_allow_multiple_certs_with_same_dn_in_saved_certs_file.patch ++++++ Git-commit: 7fcc8614e1ff8c19fd3a1a275fa5ab6eda28f6bd Author: "Brian P. Hinz" <bphinz@users.sf.net> Subject: Allow multiple certs with same DN in saved certs file. Signed-off-by: Michal Srb <msrb@suse.com> References: bnc#1041847 diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java index 4b20e0bf..08aa1125 100644 --- a/java/com/tigervnc/rfb/CSecurityTLS.java +++ b/java/com/tigervnc/rfb/CSecurityTLS.java 
@@ -218,9 +218,8 @@ public class CSecurityTLS extends CSecurity { Collection<? extends Certificate> cacerts = cf.generateCertificates(caStream); for (Certificate cert : cacerts) { - String dn = - ((X509Certificate)cert).getSubjectX500Principal().getName(); - ks.setCertificateEntry(dn, (X509Certificate)cert); + String thumbprint = getThumbprint((X509Certificate)cert); + ks.setCertificateEntry(thumbprint, (X509Certificate)cert); } } File cacert = new File(cafile); @@ -229,9 +228,8 @@ public class CSecurityTLS extends CSecurity { Collection<? extends Certificate> cacerts = cf.generateCertificates(caStream); for (Certificate cert : cacerts) { - String dn = - ((X509Certificate)cert).getSubjectX500Principal().getName(); - ks.setCertificateEntry(dn, (X509Certificate)cert); + String thumbprint = getThumbprint((X509Certificate)cert); + ks.setCertificateEntry(thumbprint, (X509Certificate)cert); } } PKIXBuilderParameters params = @@ -264,19 +262,13 @@ public class CSecurityTLS extends CSecurity { public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { - MessageDigest md = null; try { - md = MessageDigest.getInstance("SHA-1"); verifyHostname(chain[0]); tm.checkServerTrusted(chain, authType); } catch (java.lang.Exception e) { if (e.getCause() instanceof CertPathBuilderException) { Object[] answer = {"YES", "NO"}; X509Certificate cert = chain[0]; - md.update(cert.getEncoded()); - String thumbprint = - DatatypeConverter.printHexBinary(md.digest()); - thumbprint = thumbprint.replaceAll("..(?!$)", "$0 "); int ret = JOptionPane.showOptionDialog(null, "This certificate has been signed by an unknown authority\n"+ "\n"+ 
@@ -287,7 +279,7 @@ public class CSecurityTLS extends CSecurity { " Signature Algorithm: "+cert.getPublicKey().getAlgorithm()+"\n"+ " Not Valid Before: "+cert.getNotBefore()+"\n"+ " Not Valid After: "+cert.getNotAfter()+"\n"+ - " SHA1 Fingerprint: "+thumbprint+"\n"+ + " SHA1 Fingerprint: "+getThumbprint(cert)+"\n"+ "\n"+ "Do you want to save it and continue?", "Certificate Issuer Unknown", @@ -351,6 +343,22 @@ public class CSecurityTLS extends CSecurity { return tm.getAcceptedIssuers(); } + private String getThumbprint(X509Certificate cert) + { + String thumbprint = null; + try { + MessageDigest md = MessageDigest.getInstance("SHA-1"); + md.update(cert.getEncoded()); + thumbprint = DatatypeConverter.printHexBinary(md.digest()); + thumbprint = thumbprint.replaceAll("..(?!$)", "$0 "); + } catch(CertificateEncodingException e) { + throw new SystemException(e.getMessage()); + } catch(NoSuchAlgorithmException e) { + throw new SystemException(e.getMessage()); + } + return thumbprint; + } + private void verifyHostname(X509Certificate cert) throws CertificateParsingException { ++++++ U_handle_certificate_verification_for_saved_certs_correctly.patch ++++++ Git-commit: 79314c2f6abef363a83cc406de5d6628410e53e5 Author: "Brian P. Hinz" <bphinz@users.sf.net> Subject: Handle certificate verification for saved certs correctly Signed-off-by: Michal Srb <msrb@suse.com> References: bnc#1041847 diff --git a/java/com/tigervnc/rfb/CSecurityTLS.java b/java/com/tigervnc/rfb/CSecurityTLS.java index 08aa1125..733e97d4 100644 --- a/java/com/tigervnc/rfb/CSecurityTLS.java +++ b/java/com/tigervnc/rfb/CSecurityTLS.java @@ -3,7 +3,7 @@ * Copyright (C) 2005 Martin Koegler * Copyright (C) 2010 m-privacy GmbH * Copyright (C) 2010 TigerVNC Team - * Copyright (C) 2011-2015 Brian P. Hinz + * Copyright (C) 2011-2017 Brian P. Hinz * Copyright (C) 2015 D. R. Commander. All Rights Reserved. * * This is free software; you can redistribute it and/or modify 
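Review bot: `getThumbprint` identifies a certificate by a SHA-1 digest, and that string becomes the keystore alias here and, in the second patch, the key that decides whether a saved certificate is accepted; SHA-1 is no longer collision-resistant, so the identity would be stronger with `MessageDigest.getInstance("SHA-256")`, keeping a SHA-1 string only for the dialog if its "SHA1 Fingerprint" label must stay. The two catch blocks also discard the original exception: `throw new SystemException(e.getMessage())` loses the exception type and stack trace, and since `SystemException`'s constructors are not visible here I can only suggest passing a cause if one is accepted, or at least including the class name, e.g. `throw new SystemException("thumbprint failed: " + e)`. `DatatypeConverter` comes from `javax.xml.bind`, which is pre-existing usage but was removed from the JDK in Java 11, so a new helper is a natural place to switch to a local hex encoder. The rest of the class continues outside the hunk.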
@@ -211,17 +211,7 @@ public class CSecurityTLS extends CSecurity { for (TrustManager m : tmf.getTrustManagers()) if (m instanceof X509TrustManager) for (X509Certificate c : ((X509TrustManager)m).getAcceptedIssuers()) - ks.setCertificateEntry(c.getSubjectX500Principal().getName(), c); - File castore = new File(FileUtils.getVncHomeDir()+"x509_savedcerts.pem"); - if (castore.exists() && castore.canRead()) { - InputStream caStream = new MyFileInputStream(castore); - Collection<? extends Certificate> cacerts = - cf.generateCertificates(caStream); - for (Certificate cert : cacerts) { - String thumbprint = getThumbprint((X509Certificate)cert); - ks.setCertificateEntry(thumbprint, (X509Certificate)cert); - } - } + ks.setCertificateEntry(getThumbprint((X509Certificate)c), c); File cacert = new File(cafile); if (cacert.exists() && cacert.canRead()) { InputStream caStream = new MyFileInputStream(cacert); 
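Review bot: The cast in the new line `ks.setCertificateEntry(getThumbprint((X509Certificate)c), c);` is redundant, because the loop variable is already declared as `X509Certificate c` on the line above; `ks.setCertificateEntry(getThumbprint(c), c);` says the same thing. The three unbraced nested `for`/`if`/`for` statements are easy to mis-read now that the body is back to a single line, so braces on each level would help the next reader. The method this sits in starts before the hunk and continues after it.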
@@ -262,13 +252,25 @@ public class CSecurityTLS extends CSecurity { public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { + Collection<? extends Certificate> certs = null; + X509Certificate cert = chain[0]; + String thumbprint = getThumbprint(cert); + File vncDir = new File(FileUtils.getVncHomeDir()); + File certFile = new File(vncDir, "x509_savedcerts.pem"); + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + if (vncDir.exists() && certFile.exists() && certFile.canRead()) { + InputStream certStream = new MyFileInputStream(certFile); + certs = cf.generateCertificates(certStream); + for (Certificate c : certs) + if (thumbprint.equals(getThumbprint((X509Certificate)c))) + return; + } try { - verifyHostname(chain[0]); + verifyHostname(cert); tm.checkServerTrusted(chain, authType); } catch (java.lang.Exception e) { if (e.getCause() instanceof CertPathBuilderException) { Object[] answer = {"YES", "NO"}; - X509Certificate cert = chain[0]; int ret = JOptionPane.showOptionDialog(null, "This certificate has been signed by an unknown authority\n"+ "\n"+ @@ -286,13 +288,10 @@ public class CSecurityTLS extends CSecurity { JOptionPane.YES_NO_OPTION, JOptionPane.WARNING_MESSAGE, null, answer, answer[0]); if (ret == JOptionPane.YES_OPTION) { - Collection<? extends X509Certificate> cacerts = null; - File vncDir = new File(FileUtils.getVncHomeDir()); - File caFile = new File(vncDir, "x509_savedcerts.pem"); try { if (!vncDir.exists()) vncDir.mkdir(); - if (!caFile.createNewFile()) { + if (!certFile.exists() && !certFile.createNewFile()) { vlog.error("Certificate save failed."); return; } 
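Review bot: The saved-certificate match at the top of `checkServerTrusted` returns before `verifyHostname(cert)` and `tm.checkServerTrusted(chain, authType)` run, so a certificate that was saved once is accepted for any host name and regardless of its validity period. If accepting a saved certificate independent of hostname is the intended trust-on-first-use behaviour, a comment above the loop saying so would stop the next reader from treating it as a bug; otherwise the hostname check belongs before the early return. The `MyFileInputStream` opened for `certFile` is never closed; `cf.generateCertificates(certStream)` reads it fully, so a try-with-resources (or an explicit `close()` in a `finally`) around that read would avoid leaking a descriptor on every connection. The remainder of `checkServerTrusted`, including the save path, continues beyond the hunk.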
@@ -301,31 +300,24 @@ public class CSecurityTLS extends CSecurity { vlog.error("Certificate save failed: "+ioe.getMessage()); return; } - InputStream caStream = new MyFileInputStream(caFile); - CertificateFactory cf = - CertificateFactory.getInstance("X.509"); - cacerts = - (Collection <? extends X509Certificate>)cf.generateCertificates(caStream); - for (int i = 0; i < chain.length; i++) { - if (cacerts == null || !cacerts.contains(chain[i])) { - byte[] der = chain[i].getEncoded(); - String pem = DatatypeConverter.printBase64Binary(der); - pem = pem.replaceAll("(.{64})", "$1\n"); - FileWriter fw = null; + if (certs == null || !certs.contains(cert)) { + byte[] der = cert.getEncoded(); + String pem = DatatypeConverter.printBase64Binary(der); + pem = pem.replaceAll("(.{64})", "$1\n"); + FileWriter fw = null; + try { + fw = new FileWriter(certFile.getAbsolutePath(), true); + fw.write("-----BEGIN CERTIFICATE-----\n"); + fw.write(pem+"\n"); + fw.write("-----END CERTIFICATE-----\n"); + } catch (IOException ioe) { + throw new Exception(ioe.getMessage()); + } finally { try { - fw = new FileWriter(caFile.getAbsolutePath(), true); - fw.write("-----BEGIN CERTIFICATE-----\n"); - fw.write(pem+"\n"); - fw.write("-----END CERTIFICATE-----\n"); - } catch (IOException ioe) { - throw new Exception(ioe.getMessage()); - } finally { - try { - if (fw != null) - fw.close(); - } catch(IOException ioe2) { - throw new Exception(ioe2.getMessage()); - } + if (fw != null) + fw.close(); + } catch(IOException ioe2) { + throw new Exception(ioe2.getMessage()); } } } ++++++ u_tigervnc-add-autoaccept-parameter.patch ++++++ --- /var/tmp/diff_new_pack.s02rYR/_old 2017-08-08 11:57:52.359575177 +0200 +++ /var/tmp/diff_new_pack.s02rYR/_new 2017-08-08 11:57:52.363574614 +0200 
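Review bot: Now that a thumbprint match returns early at the top of `checkServerTrusted`, the guard `if (certs == null || !certs.contains(cert))` on the save path appears to be always true when reached (a certificate already in `certs` would have matched by thumbprint and never got here), so it can be dropped or replaced by a comment explaining that ordering. The two `throw new Exception(ioe.getMessage())` statements discard the `IOException` and its stack trace and throw a raw `Exception`; `throw new CertificateException("Certificate save failed", ioe)` keeps the cause and matches the method's declared exception, provided the enclosing handler outside the hunk allows it. `FileWriter` writes in the platform default charset, which is harmless for a Base64 PEM body but worth a one-line comment. The enclosing `try` and the method close outside the hunk.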
@@ -20,19 +20,18 @@ } public static String getDefaultCA() { -@@ -277,6 +281,11 @@ public class CSecurityTLS extends CSecur - String thumbprint = - DatatypeConverter.printHexBinary(md.digest()); - thumbprint = thumbprint.replaceAll("..(?!$)", "$0 "); -+ +@@ -270,6 +274,10 @@ public class CSecurityTLS extends CSecur + tm.checkServerTrusted(chain, authType); + } catch (java.lang.Exception e) { + if (e.getCause() instanceof CertPathBuilderException) { + if (certautoaccept != null && thumbprint.equalsIgnoreCase(certautoaccept)) { + return; + } + + Object[] answer = {"YES", "NO"}; int ret = JOptionPane.showOptionDialog(null, "This certificate has been signed by an unknown authority\n"+ - "\n"+ -@@ -466,7 +475,7 @@ public class CSecurityTLS extends CSecur +@@ -466,7 +474,7 @@ public class CSecurityTLS extends CSecur private SSLEngineManager manager; private boolean anon; ++++++ with-vnc-key.sh ++++++ --- /var/tmp/diff_new_pack.s02rYR/_old 2017-08-08 11:57:52.651534057 +0200 +++ /var/tmp/diff_new_pack.s02rYR/_new 2017-08-08 11:57:52.667531803 +0200 @@ -24,7 +24,9 @@ # If the cert file doesn't exist, generate it. if ! test -e $TLSCERT ; then - CN="Automatically generated certificate for the VNC service" + # Keeping it short, because hostname could be long and max CN is 64 characters + CN="VNC service on `hostname`" + CN=${CN:0:64} openssl req -new -x509 -extensions usr_cert -key $TLSKEY -out $TLSCERT -days 7305 -subj "/CN=$CN/" chown vnc:vnc $TLSCERT fi
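Review bot: The refreshed check `thumbprint.equalsIgnoreCase(certautoaccept)` now compares against the output of `getThumbprint`, which is hex with a space after every byte (`thumbprint.replaceAll("..(?!$)", "$0 ")` in the first patch), so the parameter only matches when the user passes it in exactly that spaced form. I cannot see how `certautoaccept` is parsed, but normalising both sides, `thumbprint.replace(" ", "").equalsIgnoreCase(certautoaccept.replaceAll("[\\s:]", ""))`, would also accept the colon-separated and unspaced forms other tools print. The function continues outside this hunk.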
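Review bot: `CN=${CN:0:64}` is a bash substring expansion rather than POSIX `sh`; the interpreter line is outside the hunk, so if this script runs under `/bin/sh` the truncation should be `CN=$(printf '%s' "$CN" | cut -c1-64)`. The 64-character limit matches X.509's `ub-common-name`, and the comment stating it is helpful. The hostname is inserted unescaped into `-subj "/CN=$CN/"`, so a name containing `/` would corrupt the subject; a note on that, or stripping `/` from the value, would be cheap. `$(hostname)` is also easier to read than backticks.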