[Git][debian-gis-team/josm][master] 3 commits: Add verbose & debug options to ant.
Bas Couwenberg
gitlab at salsa.debian.org
Tue Jul 3 06:38:17 BST 2018
Bas Couwenberg pushed to branch master at Debian GIS Project / josm
Commits:
a53a2ef7 by Bas Couwenberg at 2018-07-02T14:12:53+02:00
Add verbose & debug options to ant.
- - - - -
776431da by Bas Couwenberg at 2018-07-03T07:26:03+02:00
Add upstream patch to disable HTTPS support in remote control.
ant (1.10.3-2) broke inclusion of sun.security classes.
See: https://josm.openstreetmap.de/ticket/16451
- - - - -
1f5d297d by Bas Couwenberg at 2018-07-03T07:26:03+02:00
Set distribution to unstable.
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/remove_https_remote_control2.patch
- debian/patches/series
- debian/rules
Changes:
=====================================
debian/changelog
=====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,12 @@
-josm (0.0.svn13996+dfsg-1) UNRELEASED; urgency=medium
+josm (0.0.svn13996+dfsg-1) unstable; urgency=medium
* New tested snapshot.
* Refresh patches.
+ * Add upstream patch to disable HTTPS support in remote control.
+ ant (1.10.3-2) broke inclusion of sun.security classes.
+ See: https://josm.openstreetmap.de/ticket/16451
- -- Bas Couwenberg <sebastic at debian.org> Mon, 02 Jul 2018 07:21:11 +0200
+ -- Bas Couwenberg <sebastic at debian.org> Tue, 03 Jul 2018 07:11:36 +0200
josm (0.0.svn13878+dfsg-1) unstable; urgency=medium
=====================================
debian/patches/remove_https_remote_control2.patch
=====================================
--- /dev/null
+++ b/debian/patches/remove_https_remote_control2.patch
@@ -0,0 +1,1180 @@
+Description: Remove HTTPS remote control support.
+Author: Don-vip
+Origin: https://josm.openstreetmap.de/attachment/ticket/10033/remove_https_remote_control2.diff
+Bug: https://josm.openstreetmap.de/ticket/16451
+
+--- a/build.xml
++++ b/build.xml
+@@ -199,7 +199,7 @@ Debian-Release: ${debian.version}
+ <attribute name="Debian-Release" value="${debian.version}"/>
+ <attribute name="Class-Path" value="${classpathprop}"/>
+ <!-- Java 9 stuff. Entries are safely ignored by Java 8 -->
+- <attribute name="Add-Exports" value="java.base/sun.security.util java.base/sun.security.x509 java.desktop/com.apple.eawt java.desktop/com.sun.imageio.spi javafx.graphics/com.sun.javafx.application jdk.deploy/com.sun.deploy.config" />
++ <attribute name="Add-Exports" value="java.desktop/com.apple.eawt java.desktop/com.sun.imageio.spi javafx.graphics/com.sun.javafx.application jdk.deploy/com.sun.deploy.config" />
+ <attribute name="Add-Opens" value="java.base/java.lang java.base/java.nio java.base/jdk.internal.loader java.base/jdk.internal.ref java.desktop/javax.imageio.spi java.desktop/javax.swing.text.html java.prefs/java.util.prefs" />
+ </manifest>
+ <service type="java.text.spi.DecimalFormatSymbolsProvider" provider="org.openstreetmap.josm.tools.JosmDecimalFormatSymbolsProvider" />
+@@ -378,10 +378,6 @@ Debian-Release: ${debian.version}
+ <bottom><![CDATA[<a href="https://josm.openstreetmap.de/">JOSM</a>]]></bottom>
+ <arg value="-html5" if:set="isJava9" />
+ <arg value="--add-exports" if:set="isJava9" />
+- <arg value="java.base/sun.security.util=ALL-UNNAMED" if:set="isJava9" />
+- <arg value="--add-exports" if:set="isJava9" />
+- <arg value="java.base/sun.security.x509=ALL-UNNAMED" if:set="isJava9" />
+- <arg value="--add-exports" if:set="isJava9" unless:set="noJavaFX" />
+ <arg value="javafx.graphics/com.sun.javafx.application=ALL-UNNAMED" if:set="isJava9" unless:set="noJavaFX" />
+ <excludepackage name="org/openstreetmap/josm/io/audio/fx" if:set="noJavaFX" />
+ </javadoc>
+@@ -474,10 +470,6 @@ Debian-Release: ${debian.version}
+ <jvmarg value="--add-modules" if:set="isJava9" unless:set="isJava11" />
+ <jvmarg value="java.activation,java.se.ee" if:set="isJava9" unless:set="isJava11" />
+ <jvmarg value="--add-exports" if:set="isJava9" />
+- <jvmarg value="java.base/sun.security.util=ALL-UNNAMED" if:set="isJava9" />
+- <jvmarg value="--add-exports" if:set="isJava9" />
+- <jvmarg value="java.base/sun.security.x509=ALL-UNNAMED" if:set="isJava9" />
+- <jvmarg value="--add-exports" if:set="isJava9" unless:set="noJavaFX" />
+ <jvmarg value="javafx.graphics/com.sun.javafx.application=ALL-UNNAMED" if:set="isJava9" unless:set="noJavaFX" />
+ <jvmarg value="--add-exports" if:set="isJava9" unless:set="isJava11" />
+ <jvmarg value="jdk.deploy/com.sun.deploy.config=ALL-UNNAMED" if:set="isJava9" unless:set="isJava11" />
+--- a/src/org/openstreetmap/josm/data/Preferences.java
++++ b/src/org/openstreetmap/josm/data/Preferences.java
+@@ -79,6 +79,8 @@ import org.xml.sax.SAXException;
+ public class Preferences extends AbstractPreferences {
+
+ private static final String[] OBSOLETE_PREF_KEYS = {
++ "remotecontrol.https.enabled", /* remove entry after Dec. 2018 */
++ "remotecontrol.https.port", /* remove entry after Dec. 2018 */
+ };
+
+ private static final long MAX_AGE_DEFAULT_PREFERENCES = TimeUnit.DAYS.toSeconds(50);
+--- a/src/org/openstreetmap/josm/gui/MainApplication.java
++++ b/src/org/openstreetmap/josm/gui/MainApplication.java
+@@ -27,12 +27,9 @@ import java.nio.file.Paths;
+ import java.security.AllPermission;
+ import java.security.CodeSource;
+ import java.security.GeneralSecurityException;
+-import java.security.KeyStoreException;
+-import java.security.NoSuchAlgorithmException;
+ import java.security.PermissionCollection;
+ import java.security.Permissions;
+ import java.security.Policy;
+-import java.security.cert.CertificateException;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Collection;
+@@ -1094,17 +1091,6 @@ public class MainApplication extends Mai
+
+ SwingUtilities.invokeLater(new GuiFinalizationWorker(args, proxySelector));
+
+- if (Main.isPlatformWindows()) {
+- try {
+- // Check for insecure certificates to remove.
+- // This is Windows-dependant code but it can't go to preStartupHook (need i18n)
+- // neither startupHook (need to be called before remote control)
+- PlatformHookWindows.removeInsecureCertificates();
+- } catch (NoSuchAlgorithmException | CertificateException | KeyStoreException | IOException e) {
+- Logging.error(e);
+- }
+- }
+-
+ if (RemoteControl.PROP_REMOTECONTROL_ENABLED.get()) {
+ RemoteControl.start();
+ }
+--- a/src/org/openstreetmap/josm/gui/preferences/remotecontrol/RemoteControlPreference.java
++++ b/src/org/openstreetmap/josm/gui/preferences/remotecontrol/RemoteControlPreference.java
+@@ -7,26 +7,17 @@ import java.awt.Color;
+ import java.awt.Font;
+ import java.awt.GridBagLayout;
+ import java.awt.event.ActionListener;
+-import java.io.IOException;
+-import java.security.GeneralSecurityException;
+-import java.security.KeyStore;
+-import java.security.KeyStoreException;
+-import java.security.NoSuchAlgorithmException;
+-import java.security.cert.CertificateException;
+ import java.util.LinkedHashMap;
+ import java.util.Map;
+ import java.util.Map.Entry;
+
+ import javax.swing.BorderFactory;
+ import javax.swing.Box;
+-import javax.swing.JButton;
+ import javax.swing.JCheckBox;
+ import javax.swing.JLabel;
+-import javax.swing.JOptionPane;
+ import javax.swing.JPanel;
+ import javax.swing.JSeparator;
+
+-import org.openstreetmap.josm.Main;
+ import org.openstreetmap.josm.gui.help.HelpUtil;
+ import org.openstreetmap.josm.gui.preferences.DefaultTabPreferenceSetting;
+ import org.openstreetmap.josm.gui.preferences.PreferenceSetting;
+@@ -36,12 +27,9 @@ import org.openstreetmap.josm.gui.util.G
+ import org.openstreetmap.josm.gui.widgets.VerticallyScrollablePanel;
+ import org.openstreetmap.josm.io.remotecontrol.PermissionPrefWithDefault;
+ import org.openstreetmap.josm.io.remotecontrol.RemoteControl;
+-import org.openstreetmap.josm.io.remotecontrol.RemoteControlHttpsServer;
+ import org.openstreetmap.josm.io.remotecontrol.handler.RequestHandler;
+ import org.openstreetmap.josm.spi.preferences.Config;
+ import org.openstreetmap.josm.tools.GBC;
+-import org.openstreetmap.josm.tools.Logging;
+-import org.openstreetmap.josm.tools.PlatformHookWindows;
+
+ /**
+ * Preference settings for Remote Control.
+@@ -72,10 +60,6 @@ public final class RemoteControlPreferen
+
+ private final Map<PermissionPrefWithDefault, JCheckBox> prefs = new LinkedHashMap<>();
+ private JCheckBox enableRemoteControl;
+- private JCheckBox enableHttpsSupport;
+-
+- private JButton installCertificate;
+- private JButton uninstallCertificate;
+
+ private final JCheckBox loadInNewLayer = new JCheckBox(tr("Download as new layer"));
+ private final JCheckBox alwaysAskUserConfirm = new JCheckBox(tr("Confirm all Remote Control actions manually"));
+@@ -92,10 +76,9 @@ public final class RemoteControlPreferen
+ remote.add(descLabel, GBC.eol().insets(5, 5, 0, 10).fill(GBC.HORIZONTAL));
+
+ final JLabel portLabel = new JLabel("<html>"
+- + tr("JOSM will always listen at <b>port {0}</b> (http) and <b>port {1}</b> (https) on localhost."
+- + "<br>These ports are not configurable because they are referenced by external applications talking to JOSM.",
+- Config.getPref().get("remote.control.port", "8111"),
+- Config.getPref().get("remote.control.https.port", "8112")) + "</html>");
++ + tr("JOSM will always listen at <b>port {0}</b> (http) on localhost."
++ + "<br>This port is not configurable because it is referenced by external applications talking to JOSM.",
++ Config.getPref().get("remote.control.port", "8111")) + "</html>");
+ portLabel.setFont(portLabel.getFont().deriveFont(Font.PLAIN));
+ remote.add(portLabel, GBC.eol().insets(5, 5, 0, 10).fill(GBC.HORIZONTAL));
+
+@@ -107,54 +90,6 @@ public final class RemoteControlPreferen
+
+ remote.add(wrapper, GBC.eol().fill(GBC.HORIZONTAL).insets(5, 5, 5, 5));
+
+- boolean https = RemoteControl.PROP_REMOTECONTROL_HTTPS_ENABLED.get();
+-
+- enableHttpsSupport = new JCheckBox(tr("Enable HTTPS support"), https);
+- wrapper.add(enableHttpsSupport, GBC.eol().fill(GBC.HORIZONTAL));
+-
+- // Certificate installation only available on Windows for now, see #10033
+- if (Main.isPlatformWindows()) {
+- installCertificate = new JButton(tr("Install..."));
+- uninstallCertificate = new JButton(tr("Uninstall..."));
+- installCertificate.setToolTipText(tr("Install JOSM localhost certificate to system/browser root keystores"));
+- uninstallCertificate.setToolTipText(tr("Uninstall JOSM localhost certificate from system/browser root keystores"));
+- wrapper.add(new JLabel(tr("Certificate:")), GBC.std().insets(15, 5, 0, 0));
+- wrapper.add(installCertificate, GBC.std().insets(5, 5, 0, 0));
+- wrapper.add(uninstallCertificate, GBC.eol().insets(5, 5, 0, 0));
+- enableHttpsSupport.addActionListener(e -> installCertificate.setEnabled(enableHttpsSupport.isSelected()));
+- installCertificate.addActionListener(e -> {
+- try {
+- boolean changed = RemoteControlHttpsServer.setupPlatform(
+- RemoteControlHttpsServer.loadJosmKeystore());
+- String msg = changed ?
+- tr("Certificate has been successfully installed.") :
+- tr("Certificate is already installed. Nothing to do.");
+- Logging.info(msg);
+- JOptionPane.showMessageDialog(wrapper, msg);
+- } catch (IOException | GeneralSecurityException ex) {
+- Logging.error(ex);
+- }
+- });
+- uninstallCertificate.addActionListener(e -> {
+- try {
+- String msg;
+- KeyStore ks = PlatformHookWindows.getRootKeystore();
+- if (ks.containsAlias(RemoteControlHttpsServer.ENTRY_ALIAS)) {
+- Logging.info(tr("Removing certificate {0} from root keystore.", RemoteControlHttpsServer.ENTRY_ALIAS));
+- ks.deleteEntry(RemoteControlHttpsServer.ENTRY_ALIAS);
+- msg = tr("Certificate has been successfully uninstalled.");
+- } else {
+- msg = tr("Certificate is not installed. Nothing to do.");
+- }
+- Logging.info(msg);
+- JOptionPane.showMessageDialog(wrapper, msg);
+- } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException ex) {
+- Logging.error(ex);
+- }
+- });
+- installCertificate.setEnabled(https);
+- }
+-
+ wrapper.add(new JSeparator(), GBC.eop().fill(GBC.HORIZONTAL).insets(15, 5, 15, 5));
+
+ wrapper.add(new JLabel(tr("Permitted actions:")), GBC.eol().insets(5, 0, 0, 0));
+@@ -175,16 +110,6 @@ public final class RemoteControlPreferen
+
+ ActionListener remoteControlEnabled = e -> {
+ GuiHelper.setEnabledRec(wrapper, enableRemoteControl.isSelected());
+- enableHttpsSupport.setEnabled(RemoteControl.supportsHttps());
+- // 'setEnabled(false)' does not work for JLabel with html text, so do it manually
+- // FIXME: use QuadStateCheckBox to make checkboxes unset when disabled
+- if (installCertificate != null && uninstallCertificate != null) {
+- // Install certificate button is enabled if HTTPS is also enabled
+- installCertificate.setEnabled(enableRemoteControl.isSelected()
+- && enableHttpsSupport.isSelected() && RemoteControl.supportsHttps());
+- // Uninstall certificate button is always enabled
+- uninstallCertificate.setEnabled(RemoteControl.supportsHttps());
+- }
+ };
+ enableRemoteControl.addActionListener(remoteControlEnabled);
+ remoteControlEnabled.actionPerformed(null);
+@@ -194,9 +119,7 @@ public final class RemoteControlPreferen
+ @Override
+ public boolean ok() {
+ boolean enabled = enableRemoteControl.isSelected();
+- boolean httpsEnabled = enableHttpsSupport.isSelected();
+ boolean changed = RemoteControl.PROP_REMOTECONTROL_ENABLED.put(enabled);
+- boolean httpsChanged = RemoteControl.PROP_REMOTECONTROL_HTTPS_ENABLED.put(httpsEnabled);
+ if (enabled) {
+ for (Entry<PermissionPrefWithDefault, JCheckBox> p : prefs.entrySet()) {
+ Config.getPref().putBoolean(p.getKey().pref, p.getValue().isSelected());
+@@ -210,12 +133,6 @@ public final class RemoteControlPreferen
+ } else {
+ RemoteControl.stop();
+ }
+- } else if (httpsChanged) {
+- if (httpsEnabled) {
+- RemoteControlHttpsServer.restartRemoteControlHttpsServer();
+- } else {
+- RemoteControlHttpsServer.stopRemoteControlHttpsServer();
+- }
+ }
+ return false;
+ }
+--- a/src/org/openstreetmap/josm/io/remotecontrol/RemoteControl.java
++++ b/src/org/openstreetmap/josm/io/remotecontrol/RemoteControl.java
+@@ -10,7 +10,6 @@ import java.net.UnknownHostException;
+ import org.openstreetmap.josm.data.preferences.BooleanProperty;
+ import org.openstreetmap.josm.io.remotecontrol.handler.RequestHandler;
+ import org.openstreetmap.josm.spi.preferences.Config;
+-import org.openstreetmap.josm.tools.Logging;
+
+ /**
+ * Manager class for remote control operations.
+@@ -27,14 +26,6 @@ public class RemoteControl {
+ public static final BooleanProperty PROP_REMOTECONTROL_ENABLED = new BooleanProperty("remotecontrol.enabled", false);
+
+ /**
+- * If the remote control feature is enabled or disabled for HTTPS. If disabled,
+- * only HTTP access will be available.
+- * @since 7335
+- */
+- public static final BooleanProperty PROP_REMOTECONTROL_HTTPS_ENABLED = new BooleanProperty(
+- "remotecontrol.https.enabled", false);
+-
+- /**
+ * RemoteControl HTTP protocol version. Change minor number for compatible
+ * interface extensions. Change major number in case of incompatible
+ * changes.
+@@ -47,9 +38,6 @@ public class RemoteControl {
+ */
+ public static void start() {
+ RemoteControlHttpServer.restartRemoteControlHttpServer();
+- if (supportsHttps()) {
+- RemoteControlHttpsServer.restartRemoteControlHttpsServer();
+- }
+ }
+
+ /**
+@@ -58,23 +46,6 @@ public class RemoteControl {
+ */
+ public static void stop() {
+ RemoteControlHttpServer.stopRemoteControlHttpServer();
+- if (supportsHttps()) {
+- RemoteControlHttpsServer.stopRemoteControlHttpsServer();
+- }
+- }
+-
+- /**
+- * Determines if the current JVM support HTTPS remote control.
+- * @return {@code true} if the JVM provides {@code sun.security.x509} classes
+- * @since 12703
+- */
+- public static boolean supportsHttps() {
+- try {
+- return Class.forName("sun.security.x509.GeneralName") != null;
+- } catch (ClassNotFoundException | SecurityException e) {
+- Logging.trace(e);
+- return false;
+- }
+ }
+
+ /**
+--- a/src/org/openstreetmap/josm/io/remotecontrol/RemoteControlHttpsServer.java
++++ b/src/org/openstreetmap/josm/io/remotecontrol/RemoteControlHttpsServer.java
+@@ -1,436 +0,0 @@
+-// License: GPL. For details, see LICENSE file.
+-package org.openstreetmap.josm.io.remotecontrol;
+-
+-import static org.openstreetmap.josm.tools.I18n.marktr;
+-
+-import java.io.IOException;
+-import java.io.InputStream;
+-import java.io.OutputStream;
+-import java.math.BigInteger;
+-import java.net.ServerSocket;
+-import java.net.Socket;
+-import java.net.SocketException;
+-import java.nio.file.Files;
+-import java.nio.file.Path;
+-import java.nio.file.Paths;
+-import java.nio.file.StandardOpenOption;
+-import java.security.GeneralSecurityException;
+-import java.security.KeyPair;
+-import java.security.KeyPairGenerator;
+-import java.security.KeyStore;
+-import java.security.KeyStoreException;
+-import java.security.NoSuchAlgorithmException;
+-import java.security.PrivateKey;
+-import java.security.SecureRandom;
+-import java.security.cert.Certificate;
+-import java.security.cert.CertificateException;
+-import java.security.cert.X509Certificate;
+-import java.util.Arrays;
+-import java.util.Date;
+-import java.util.Enumeration;
+-import java.util.Locale;
+-import java.util.Vector;
+-
+-import javax.net.ssl.KeyManagerFactory;
+-import javax.net.ssl.SSLContext;
+-import javax.net.ssl.SSLServerSocket;
+-import javax.net.ssl.SSLServerSocketFactory;
+-import javax.net.ssl.SSLSocket;
+-import javax.net.ssl.TrustManagerFactory;
+-
+-import org.openstreetmap.josm.Main;
+-import org.openstreetmap.josm.data.preferences.StringProperty;
+-import org.openstreetmap.josm.spi.preferences.Config;
+-import org.openstreetmap.josm.tools.Logging;
+-
+-import sun.security.util.ObjectIdentifier;
+-import sun.security.x509.AlgorithmId;
+-import sun.security.x509.BasicConstraintsExtension;
+-import sun.security.x509.CertificateAlgorithmId;
+-import sun.security.x509.CertificateExtensions;
+-import sun.security.x509.CertificateSerialNumber;
+-import sun.security.x509.CertificateValidity;
+-import sun.security.x509.CertificateVersion;
+-import sun.security.x509.CertificateX509Key;
+-import sun.security.x509.DNSName;
+-import sun.security.x509.ExtendedKeyUsageExtension;
+-import sun.security.x509.GeneralName;
+-import sun.security.x509.GeneralNameInterface;
+-import sun.security.x509.GeneralNames;
+-import sun.security.x509.IPAddressName;
+-import sun.security.x509.OIDName;
+-import sun.security.x509.SubjectAlternativeNameExtension;
+-import sun.security.x509.URIName;
+-import sun.security.x509.X500Name;
+-import sun.security.x509.X509CertImpl;
+-import sun.security.x509.X509CertInfo;
+-
+-/**
+- * Simple HTTPS server that spawns a {@link RequestProcessor} for every secure connection.
+- *
+- * @since 6941
+- */
+-public class RemoteControlHttpsServer extends Thread {
+-
+- /** The server socket */
+- private final ServerSocket server;
+-
+- /** The server instance for IPv4 */
+- private static volatile RemoteControlHttpsServer instance4;
+- /** The server instance for IPv6 */
+- private static volatile RemoteControlHttpsServer instance6;
+-
+- /** SSL context information for connections */
+- private SSLContext sslContext;
+-
+- /* the default port for HTTPS remote control */
+- private static final int HTTPS_PORT = 8112;
+-
+- /**
+- * JOSM keystore file name.
+- * @since 7337
+- */
+- public static final String KEYSTORE_FILENAME = "josm.keystore";
+-
+- /**
+- * Preference for keystore password (automatically generated by JOSM).
+- * @since 7335
+- */
+- public static final StringProperty KEYSTORE_PASSWORD = new StringProperty("remotecontrol.https.keystore.password", "");
+-
+- /**
+- * Preference for certificate password (automatically generated by JOSM).
+- * @since 7335
+- */
+- public static final StringProperty KEYENTRY_PASSWORD = new StringProperty("remotecontrol.https.keyentry.password", "");
+-
+- /**
+- * Unique alias used to store JOSM localhost entry, both in JOSM keystore and system/browser keystores.
+- * @since 7343
+- */
+- public static final String ENTRY_ALIAS = "josm_localhost";
+-
+- /**
+- * Creates a GeneralNameInterface object from known types.
+- * @param t one of 4 known types
+- * @param v value
+- * @return which one
+- * @throws IOException if any I/O error occurs
+- */
+- private static GeneralNameInterface createGeneralNameInterface(String t, String v) throws IOException {
+- switch (t.toLowerCase(Locale.ENGLISH)) {
+- case "uri": return new URIName(v);
+- case "dns": return new DNSName(v);
+- case "ip": return new IPAddressName(v);
+- default: return new OIDName(v);
+- }
+- }
+-
+- /**
+- * Create a self-signed X.509 Certificate.
+- * @param dn the X.509 Distinguished Name, eg "CN=localhost, OU=JOSM, O=OpenStreetMap"
+- * @param pair the KeyPair
+- * @param days how many days from now the Certificate is valid for
+- * @param algorithm the signing algorithm, eg "SHA256withRSA"
+- * @param san SubjectAlternativeName extension (optional)
+- * @return the self-signed X.509 Certificate
+- * @throws GeneralSecurityException if any security error occurs
+- * @throws IOException if any I/O error occurs
+- */
+- private static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm, String san)
+- throws GeneralSecurityException, IOException {
+- X509CertInfo info = new X509CertInfo();
+- Date from = new Date();
+- Date to = new Date(from.getTime() + days * 86_400_000L);
+- CertificateValidity interval = new CertificateValidity(from, to);
+- BigInteger sn = new BigInteger(64, new SecureRandom());
+- X500Name owner = new X500Name(dn);
+-
+- info.set(X509CertInfo.VALIDITY, interval);
+- info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
+- info.set(X509CertInfo.SUBJECT, owner);
+- info.set(X509CertInfo.ISSUER, owner);
+-
+- info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
+- info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
+- AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
+- info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
+-
+- CertificateExtensions ext = new CertificateExtensions();
+- // Critical: Not CA, max path len 0
+- ext.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(Boolean.TRUE, false, 0));
+- // Critical: only allow TLS ("serverAuth" = 1.3.6.1.5.5.7.3.1)
+- ext.set(ExtendedKeyUsageExtension.NAME, new ExtendedKeyUsageExtension(Boolean.TRUE,
+- new Vector<>(Arrays.asList(new ObjectIdentifier("1.3.6.1.5.5.7.3.1")))));
+-
+- if (san != null) {
+- int colonpos;
+- String[] ps = san.split(",");
+- GeneralNames gnames = new GeneralNames();
+- for (String item: ps) {
+- colonpos = item.indexOf(':');
+- if (colonpos < 0) {
+- throw new IllegalArgumentException("Illegal item " + item + " in " + san);
+- }
+- String t = item.substring(0, colonpos);
+- String v = item.substring(colonpos+1);
+- gnames.add(new GeneralName(createGeneralNameInterface(t, v)));
+- }
+- // Non critical
+- ext.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(Boolean.FALSE, gnames));
+- }
+-
+- info.set(X509CertInfo.EXTENSIONS, ext);
+-
+- // Sign the cert to identify the algorithm that's used.
+- PrivateKey privkey = pair.getPrivate();
+- X509CertImpl cert = new X509CertImpl(info);
+- cert.sign(privkey, algorithm);
+-
+- // Update the algorithm, and resign.
+- algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
+- info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
+- cert = new X509CertImpl(info);
+- cert.sign(privkey, algorithm);
+- return cert;
+- }
+-
+- /**
+- * Setup the JOSM internal keystore, used to store HTTPS certificate and private key.
+- * @return Path to the (initialized) JOSM keystore
+- * @throws IOException if an I/O error occurs
+- * @throws GeneralSecurityException if a security error occurs
+- * @since 7343
+- */
+- public static Path setupJosmKeystore() throws IOException, GeneralSecurityException {
+-
+- Path dir = Paths.get(RemoteControl.getRemoteControlDir());
+- Path path = dir.resolve(KEYSTORE_FILENAME);
+- Files.createDirectories(dir);
+-
+- if (!path.toFile().exists()) {
+- Logging.debug("No keystore found, creating a new one");
+-
+- // Create new keystore like previous one generated with JDK keytool as follows:
+- // keytool -genkeypair -storepass josm_ssl -keypass josm_ssl -alias josm_localhost -dname "CN=localhost, OU=JOSM, O=OpenStreetMap"
+- // -ext san=ip:127.0.0.1 -keyalg RSA -validity 1825
+-
+- KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
+- generator.initialize(2048);
+- KeyPair pair = generator.generateKeyPair();
+-
+- X509Certificate cert = generateCertificate("CN=localhost, OU=JOSM, O=OpenStreetMap", pair, 1825, "SHA256withRSA",
+- "dns:localhost,ip:127.0.0.1,ip:::1,uri:https://127.0.0.1:"+HTTPS_PORT+",uri:https://::1:"+HTTPS_PORT);
+-
+- KeyStore ks = KeyStore.getInstance("JKS");
+- ks.load(null, null);
+-
+- // Generate new passwords. See https://stackoverflow.com/a/41156/2257172
+- SecureRandom random = new SecureRandom();
+- KEYSTORE_PASSWORD.put(new BigInteger(130, random).toString(32));
+- KEYENTRY_PASSWORD.put(new BigInteger(130, random).toString(32));
+-
+- char[] storePassword = KEYSTORE_PASSWORD.get().toCharArray();
+- char[] entryPassword = KEYENTRY_PASSWORD.get().toCharArray();
+-
+- ks.setKeyEntry(ENTRY_ALIAS, pair.getPrivate(), entryPassword, new Certificate[]{cert});
+- try (OutputStream out = Files.newOutputStream(path, StandardOpenOption.CREATE)) {
+- ks.store(out, storePassword);
+- }
+- }
+- return path;
+- }
+-
+- /**
+- * Loads the JOSM keystore.
+- * @return the (initialized) JOSM keystore
+- * @throws IOException if an I/O error occurs
+- * @throws GeneralSecurityException if a security error occurs
+- * @since 7343
+- */
+- public static KeyStore loadJosmKeystore() throws IOException, GeneralSecurityException {
+- try (InputStream in = Files.newInputStream(setupJosmKeystore())) {
+- KeyStore ks = KeyStore.getInstance("JKS");
+- ks.load(in, KEYSTORE_PASSWORD.get().toCharArray());
+-
+- if (Logging.isDebugEnabled()) {
+- for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
+- Logging.debug("Alias in JOSM keystore: {0}", aliases.nextElement());
+- }
+- }
+- return ks;
+- }
+- }
+-
+- /**
+- * Initializes the TLS basics.
+- * @throws IOException if an I/O error occurs
+- * @throws GeneralSecurityException if a security error occurs
+- */
+- private void initialize() throws IOException, GeneralSecurityException {
+- KeyStore ks = loadJosmKeystore();
+-
+- KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+- kmf.init(ks, KEYENTRY_PASSWORD.get().toCharArray());
+-
+- TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+- tmf.init(ks);
+-
+- sslContext = SSLContext.getInstance("TLSv1.2");
+- sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+-
+- if (Logging.isTraceEnabled()) {
+- Logging.trace("SSL Context protocol: {0}", sslContext.getProtocol());
+- Logging.trace("SSL Context provider: {0}", sslContext.getProvider());
+- }
+-
+- setupPlatform(ks);
+- }
+-
+- /**
+- * Setup the platform-dependant certificate stuff.
+- * @param josmKs The JOSM keystore, containing localhost certificate and private key.
+- * @return {@code true} if something has changed as a result of the call (certificate installation, etc.)
+- * @throws KeyStoreException if the keystore has not been initialized (loaded)
+- * @throws NoSuchAlgorithmException in case of error
+- * @throws CertificateException in case of error
+- * @throws IOException in case of error
+- * @since 7343
+- */
+- public static boolean setupPlatform(KeyStore josmKs) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
+- Enumeration<String> aliases = josmKs.aliases();
+- if (aliases.hasMoreElements()) {
+- return Main.platform.setupHttpsCertificate(ENTRY_ALIAS,
+- new KeyStore.TrustedCertificateEntry(josmKs.getCertificate(aliases.nextElement())));
+- }
+- return false;
+- }
+-
+- /**
+- * Starts or restarts the HTTPS server
+- */
+- public static void restartRemoteControlHttpsServer() {
+- stopRemoteControlHttpsServer();
+- if (RemoteControl.PROP_REMOTECONTROL_HTTPS_ENABLED.get()) {
+- int port = Config.getPref().getInt("remote.control.https.port", HTTPS_PORT);
+- try {
+- instance4 = new RemoteControlHttpsServer(port, false);
+- instance4.start();
+- } catch (IOException | GeneralSecurityException ex) {
+- Logging.debug(ex);
+- Logging.warn(marktr("Cannot start IPv4 remotecontrol https server on port {0}: {1}"),
+- Integer.toString(port), ex.getLocalizedMessage());
+- }
+- try {
+- instance6 = new RemoteControlHttpsServer(port, true);
+- instance6.start();
+- } catch (IOException | GeneralSecurityException ex) {
+- /* only show error when we also have no IPv4 */
+- if (instance4 == null) {
+- Logging.debug(ex);
+- Logging.warn(marktr("Cannot start IPv6 remotecontrol https server on port {0}: {1}"),
+- Integer.toString(port), ex.getLocalizedMessage());
+- }
+- }
+- }
+- }
+-
+- /**
+- * Stops the HTTPS server
+- */
+- public static void stopRemoteControlHttpsServer() {
+- if (instance4 != null) {
+- try {
+- instance4.stopServer();
+- } catch (IOException ioe) {
+- Logging.error(ioe);
+- }
+- instance4 = null;
+- }
+- if (instance6 != null) {
+- try {
+- instance6.stopServer();
+- } catch (IOException ioe) {
+- Logging.error(ioe);
+- }
+- instance6 = null;
+- }
+- }
+-
+- /**
+- * Constructs a new {@code RemoteControlHttpsServer}.
+- * @param port The port this server will listen on
+- * @param ipv6 Whether IPv6 or IPv4 server should be started
+- * @throws IOException when connection errors
+- * @throws GeneralSecurityException in case of SSL setup errors
+- * @since 8339
+- */
+- public RemoteControlHttpsServer(int port, boolean ipv6) throws IOException, GeneralSecurityException {
+- super("RemoteControl HTTPS Server");
+- this.setDaemon(true);
+-
+- initialize();
+-
+- // Create SSL Server factory
+- SSLServerSocketFactory factory = sslContext.getServerSocketFactory();
+- if (Logging.isTraceEnabled()) {
+- Logging.trace("SSL factory - Supported Cipher suites: {0}", Arrays.toString(factory.getSupportedCipherSuites()));
+- }
+-
+- this.server = factory.createServerSocket(port, 1, ipv6 ?
+- RemoteControl.getInet6Address() : RemoteControl.getInet4Address());
+-
+- if (Logging.isTraceEnabled() && server instanceof SSLServerSocket) {
+- SSLServerSocket sslServer = (SSLServerSocket) server;
+- Logging.trace("SSL server - Enabled Cipher suites: {0}", Arrays.toString(sslServer.getEnabledCipherSuites()));
+- Logging.trace("SSL server - Enabled Protocols: {0}", Arrays.toString(sslServer.getEnabledProtocols()));
+- Logging.trace("SSL server - Enable Session Creation: {0}", sslServer.getEnableSessionCreation());
+- Logging.trace("SSL server - Need Client Auth: {0}", sslServer.getNeedClientAuth());
+- Logging.trace("SSL server - Want Client Auth: {0}", sslServer.getWantClientAuth());
+- Logging.trace("SSL server - Use Client Mode: {0}", sslServer.getUseClientMode());
+- }
+- }
+-
+- /**
+- * The main loop, spawns a {@link RequestProcessor} for each connection.
+- */
+- @Override
+- public void run() {
+- Logging.info(marktr("RemoteControl::Accepting secure remote connections on {0}:{1}"),
+- server.getInetAddress(), Integer.toString(server.getLocalPort()));
+- while (true) {
+- try {
+- @SuppressWarnings("resource")
+- Socket request = server.accept();
+- if (Logging.isTraceEnabled() && request instanceof SSLSocket) {
+- SSLSocket sslSocket = (SSLSocket) request;
+- Logging.trace("SSL socket - Enabled Cipher suites: {0}", Arrays.toString(sslSocket.getEnabledCipherSuites()));
+- Logging.trace("SSL socket - Enabled Protocols: {0}", Arrays.toString(sslSocket.getEnabledProtocols()));
+- Logging.trace("SSL socket - Enable Session Creation: {0}", sslSocket.getEnableSessionCreation());
+- Logging.trace("SSL socket - Need Client Auth: {0}", sslSocket.getNeedClientAuth());
+- Logging.trace("SSL socket - Want Client Auth: {0}", sslSocket.getWantClientAuth());
+- Logging.trace("SSL socket - Use Client Mode: {0}", sslSocket.getUseClientMode());
+- Logging.trace("SSL socket - Session: {0}", sslSocket.getSession());
+- }
+- RequestProcessor.processRequest(request);
+- } catch (SocketException e) {
+- if (!server.isClosed()) {
+- Logging.error(e);
+- }
+- } catch (IOException ioe) {
+- Logging.error(ioe);
+- }
+- }
+- }
+-
+- /**
+- * Stops the HTTPS server.
+- *
+- * @throws IOException if any I/O error occurs
+- */
+- public void stopServer() throws IOException {
+- Logging.info(marktr("RemoteControl::Server {0}:{1} stopped."),
+- server.getInetAddress(), Integer.toString(server.getLocalPort()));
+- server.close();
+- }
+-}
+--- a/src/org/openstreetmap/josm/tools/PlatformHook.java
++++ b/src/org/openstreetmap/josm/tools/PlatformHook.java
+@@ -9,7 +9,6 @@ import java.io.File;
+ import java.io.IOException;
+ import java.io.InputStreamReader;
+ import java.nio.charset.StandardCharsets;
+-import java.security.KeyStore;
+ import java.security.KeyStoreException;
+ import java.security.NoSuchAlgorithmException;
+ import java.security.cert.CertificateException;
+@@ -186,23 +185,6 @@ public interface PlatformHook {
+ }
+
+ /**
+- * Setup system keystore to add JOSM HTTPS certificate (for remote control).
+- * @param entryAlias The entry alias to use
+- * @param trustedCert the JOSM certificate for localhost
+- * @return {@code true} if something has changed as a result of the call (certificate installation, etc.)
+- * @throws KeyStoreException in case of error
+- * @throws IOException in case of error
+- * @throws CertificateException in case of error
+- * @throws NoSuchAlgorithmException in case of error
+- * @since 7343
+- */
+- default boolean setupHttpsCertificate(String entryAlias, KeyStore.TrustedCertificateEntry trustedCert)
+- throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
+- // TODO setup HTTPS certificate on Unix and OS X systems
+- return false;
+- }
+-
+- /**
+ * Returns the {@code X509Certificate} matching the given certificate amendment information.
+ * @param certAmend certificate amendment
+ * @return the {@code X509Certificate} matching the given certificate amendment information, or {@code null}
+--- a/src/org/openstreetmap/josm/tools/PlatformHookWindows.java
++++ b/src/org/openstreetmap/josm/tools/PlatformHookWindows.java
+@@ -30,7 +30,6 @@ import static org.openstreetmap.josm.too
+ import static org.openstreetmap.josm.tools.Utils.getSystemProperty;
+ import static org.openstreetmap.josm.tools.WinRegistry.HKEY_LOCAL_MACHINE;
+
+-import java.awt.GraphicsEnvironment;
+ import java.io.BufferedWriter;
+ import java.io.File;
+ import java.io.IOException;
+@@ -45,20 +44,13 @@ import java.nio.file.FileSystems;
+ import java.nio.file.Files;
+ import java.nio.file.InvalidPathException;
+ import java.nio.file.Path;
+-import java.security.InvalidKeyException;
+-import java.security.KeyFactory;
+ import java.security.KeyStore;
+ import java.security.KeyStoreException;
+ import java.security.MessageDigest;
+ import java.security.NoSuchAlgorithmException;
+-import java.security.NoSuchProviderException;
+-import java.security.PublicKey;
+-import java.security.SignatureException;
+ import java.security.cert.Certificate;
+ import java.security.cert.CertificateException;
+ import java.security.cert.X509Certificate;
+-import java.security.spec.InvalidKeySpecException;
+-import java.security.spec.X509EncodedKeySpec;
+ import java.text.ParseException;
+ import java.util.ArrayList;
+ import java.util.Arrays;
+@@ -72,8 +64,6 @@ import java.util.concurrent.TimeUnit;
+ import java.util.regex.Matcher;
+ import java.util.regex.Pattern;
+
+-import javax.swing.JOptionPane;
+-
+ import org.openstreetmap.josm.Main;
+ import org.openstreetmap.josm.data.StructUtils;
+ import org.openstreetmap.josm.data.StructUtils.StructEntry;
+@@ -133,33 +123,6 @@ public class PlatformHookWindows impleme
+ }
+ }
+
+- private static final byte[] INSECURE_PUBLIC_KEY = new byte[] {
+- 0x30, (byte) 0x82, 0x1, 0x22, 0x30, 0xd, 0x6, 0x9, 0x2a, (byte) 0x86, 0x48,
+- (byte) 0x86, (byte) 0xf7, 0xd, 0x1, 0x1, 0x1, 0x5, 0x0, 0x3, (byte) 0x82, 0x1, 0xf, 0x0,
+- 0x30, (byte) 0x82, 0x01, 0x0a, 0x02, (byte) 0x82, 0x01, 0x01, 0x00, (byte) 0x95, (byte) 0x95, (byte) 0x88,
+- (byte) 0x84, (byte) 0xc8, (byte) 0xd9, 0x6b, (byte) 0xc5, (byte) 0xda, 0x0b, 0x69, (byte) 0xbf, (byte) 0xfc,
+- 0x7e, (byte) 0xb9, (byte) 0x96, 0x2c, (byte) 0xeb, (byte) 0x8f, (byte) 0xbc, 0x6e, 0x40, (byte) 0xe6, (byte) 0xe2,
+- (byte) 0xfc, (byte) 0xf1, 0x7f, 0x73, (byte) 0xa7, (byte) 0x9d, (byte) 0xde, (byte) 0xc7, (byte) 0x88, 0x57, 0x51,
+- (byte) 0x84, (byte) 0xed, (byte) 0x96, (byte) 0xfb, (byte) 0xe1, 0x38, (byte) 0xef, 0x08, 0x2b, (byte) 0xf3,
+- (byte) 0xc7, (byte) 0xc3, 0x5d, (byte) 0xfe, (byte) 0xf9, 0x51, (byte) 0xe6, 0x29, (byte) 0xfc, (byte) 0xe5, 0x0d,
+- (byte) 0xa1, 0x0d, (byte) 0xa8, (byte) 0xb4, (byte) 0xae, 0x26, 0x18, 0x19, 0x4d, 0x6c, 0x0c, 0x3b, 0x12, (byte) 0xba,
+- (byte) 0xbc, 0x5f, 0x32, (byte) 0xb3, (byte) 0xbe, (byte) 0x9d, 0x17, 0x0d, 0x4d, 0x2f, 0x1a, 0x48, (byte) 0xb7,
+- (byte) 0xac, (byte) 0xf7, 0x1a, 0x43, 0x01, (byte) 0x97, (byte) 0xf4, (byte) 0xf8, 0x4c, (byte) 0xbb, 0x6a, (byte) 0xbc,
+- 0x33, (byte) 0xe1, 0x73, 0x1e, (byte) 0x86, (byte) 0xfb, 0x2e, (byte) 0xb1, 0x63, 0x75, (byte) 0x85, (byte) 0xdc,
+- (byte) 0x82, 0x6c, 0x28, (byte) 0xf1, (byte) 0xe3, (byte) 0x90, 0x63, (byte) 0x9d, 0x3d, 0x48, (byte) 0x8a, (byte) 0x8c,
+- 0x47, (byte) 0xe2, 0x10, 0x0b, (byte) 0xef, (byte) 0x91, (byte) 0x94, (byte) 0xb0, 0x6c, 0x4c, (byte) 0x80, 0x76, 0x03,
+- (byte) 0xe1, (byte) 0xb6, (byte) 0x90, (byte) 0x87, (byte) 0xd9, (byte) 0xae, (byte) 0xf4, (byte) 0x8e, (byte) 0xe0,
+- (byte) 0x9f, (byte) 0xe7, 0x3a, 0x2c, 0x2f, 0x21, (byte) 0xd4, 0x46, (byte) 0xba, (byte) 0x95, 0x70, (byte) 0xa9, 0x5b,
+- 0x20, 0x2a, (byte) 0xfa, 0x52, 0x3e, (byte) 0x9d, (byte) 0xd9, (byte) 0xef, 0x28, (byte) 0xc5, (byte) 0xd1, 0x60,
+- (byte) 0x89, 0x68, 0x6e, 0x7f, (byte) 0xd7, (byte) 0x9e, (byte) 0x89, 0x4c, (byte) 0xeb, 0x4d, (byte) 0xd2, (byte) 0xc6,
+- (byte) 0xf4, 0x2d, 0x02, 0x5d, (byte) 0xda, (byte) 0xde, 0x33, (byte) 0xfe, (byte) 0xc1, 0x7e, (byte) 0xde, 0x4f, 0x1f,
+- (byte) 0x9b, 0x6e, 0x6f, 0x0f, 0x66, 0x71, 0x19, (byte) 0xe9, 0x43, 0x3c, (byte) 0x83, 0x0a, 0x0f, 0x28, 0x21, (byte) 0xc8,
+- 0x38, (byte) 0xd3, 0x4e, 0x48, (byte) 0xdf, (byte) 0xd4, (byte) 0x99, (byte) 0xb5, (byte) 0xc6, (byte) 0x8d, (byte) 0xd4,
+- (byte) 0xc1, 0x69, 0x58, 0x79, (byte) 0x82, 0x32, (byte) 0x82, (byte) 0xd4, (byte) 0x86, (byte) 0xe2, 0x04, 0x08, 0x63,
+- (byte) 0x87, (byte) 0xf0, 0x2a, (byte) 0xf6, (byte) 0xec, 0x3e, 0x51, 0x0f, (byte) 0xda, (byte) 0xb4, 0x67, 0x19, 0x5e,
+- 0x16, 0x02, (byte) 0x9f, (byte) 0xf1, 0x19, 0x0c, 0x3e, (byte) 0xb8, 0x04, 0x49, 0x07, 0x53, 0x02, 0x03, 0x01, 0x00, 0x01
+- };
+-
+ private static final String WINDOWS_ROOT = "Windows-ROOT";
+
+ private static final String CURRENT_VERSION = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion";
+@@ -348,104 +311,6 @@ public class PlatformHookWindows impleme
+ return ks;
+ }
+
+- /**
+- * Removes potential insecure certificates installed with previous versions of JOSM on Windows.
+- * @throws NoSuchAlgorithmException on unsupported signature algorithms
+- * @throws CertificateException if any of the certificates in the Windows keystore could not be loaded
+- * @throws KeyStoreException if no Provider supports a KeyStoreSpi implementation for the type "Windows-ROOT"
+- * @throws IOException if there is an I/O or format problem with the keystore data, if a password is required but not given
+- * @since 7335
+- */
+- public static void removeInsecureCertificates() throws NoSuchAlgorithmException, CertificateException, KeyStoreException, IOException {
+- // We offered before a public private key we need now to remove from Windows PCs as it might be a huge security risk (see #10230)
+- PublicKey insecurePubKey = null;
+- try {
+- insecurePubKey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(INSECURE_PUBLIC_KEY));
+- } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
+- Logging.error(e);
+- return;
+- }
+- KeyStore ks = getRootKeystore();
+- Enumeration<String> en = ks.aliases();
+- Collection<String> insecureCertificates = new ArrayList<>();
+- while (en.hasMoreElements()) {
+- String alias = en.nextElement();
+- // Look for certificates associated with a private key
+- if (ks.isKeyEntry(alias)) {
+- try {
+- ks.getCertificate(alias).verify(insecurePubKey);
+- // If no exception, this is a certificate signed with the insecure key -> remove it
+- insecureCertificates.add(alias);
+- } catch (InvalidKeyException | NoSuchProviderException | SignatureException e) {
+- // If exception this is not a certificate related to JOSM, just trace it
+- Logging.trace(alias + " --> " + e.getClass().getName());
+- Logging.trace(e);
+- }
+- }
+- }
+- // Remove insecure certificates
+- if (!insecureCertificates.isEmpty()) {
+- StringBuilder message = new StringBuilder("<html>");
+- message.append(tr("A previous version of JOSM has installed a custom certificate "+
+- "in order to provide HTTPS support for Remote Control:"))
+- .append("<br><ul>");
+- for (String alias : insecureCertificates) {
+- message.append("<li>")
+- .append(alias)
+- .append("</li>");
+- }
+- message.append("</ul>")
+- .append(tr("It appears it could be an important <b>security risk</b>.<br><br>"+
+- "You are now going to be prompted by Windows to remove this insecure certificate.<br>"+
+- "For your own safety, <b>please click Yes</b> in next dialog."))
+- .append("</html>");
+- JOptionPane.showMessageDialog(Main.parent, message.toString(), tr("Warning"), JOptionPane.WARNING_MESSAGE);
+- for (String alias : insecureCertificates) {
+- Logging.warn(tr("Removing insecure certificate from {0} keystore: {1}", WINDOWS_ROOT, alias));
+- try {
+- ks.deleteEntry(alias);
+- } catch (KeyStoreException e) {
+- Logging.log(Logging.LEVEL_ERROR, tr("Unable to remove insecure certificate from keystore: {0}", e.getMessage()), e);
+- }
+- }
+- }
+- }
+-
+- @Override
+- public boolean setupHttpsCertificate(String entryAlias, KeyStore.TrustedCertificateEntry trustedCert)
+- throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
+- KeyStore ks = getRootKeystore();
+- // Look for certificate to install
+- try {
+- String alias = ks.getCertificateAlias(trustedCert.getTrustedCertificate());
+- if (alias != null) {
+- // JOSM certificate found, return
+- Logging.debug(tr("JOSM localhost certificate found in {0} keystore: {1}", WINDOWS_ROOT, alias));
+- return false;
+- }
+- } catch (ArrayIndexOutOfBoundsException e) {
+- // catch error of JDK-8172244 as bug seems to not be fixed anytime soon
+- Logging.log(Logging.LEVEL_ERROR, "JDK-8172244 occured. Abort HTTPS setup", e);
+- return false;
+- }
+- if (!GraphicsEnvironment.isHeadless()) {
+- // JOSM certificate not found, warn user
+- StringBuilder message = new StringBuilder("<html>");
+- message.append(tr("Remote Control is configured to provide HTTPS support.<br>"+
+- "This requires to add a custom certificate generated by JOSM to the Windows Root CA store.<br><br>"+
+- "You are now going to be prompted by Windows to confirm this operation.<br>"+
+- "To enable proper HTTPS support, <b>please click Yes</b> in next dialog.<br><br>"+
+- "If unsure, you can also click No then disable HTTPS support in Remote Control preferences."))
+- .append("</html>");
+- JOptionPane.showMessageDialog(Main.parent, message.toString(),
+- tr("HTTPS support in Remote Control"), JOptionPane.INFORMATION_MESSAGE);
+- }
+- // install it to Windows-ROOT keystore, used by IE, Chrome and Safari, but not by Firefox
+- Logging.info(tr("Adding JOSM localhost certificate to {0} keystore", WINDOWS_ROOT));
+- ks.setEntry(entryAlias, trustedCert, null);
+- return true;
+- }
+-
+ @Override
+ public X509Certificate getX509Certificate(NativeCertAmend certAmend)
+ throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
+--- a/test/unit/org/openstreetmap/josm/io/remotecontrol/RemoteControlTest.java
++++ b/test/unit/org/openstreetmap/josm/io/remotecontrol/RemoteControlTest.java
+@@ -10,26 +10,13 @@ import java.io.InputStreamReader;
+ import java.net.HttpURLConnection;
+ import java.net.URL;
+ import java.nio.charset.StandardCharsets;
+-import java.nio.file.Files;
+-import java.nio.file.Paths;
+ import java.security.GeneralSecurityException;
+-import java.security.SecureRandom;
+-import java.security.cert.X509Certificate;
+-
+-import javax.net.ssl.HostnameVerifier;
+-import javax.net.ssl.HttpsURLConnection;
+-import javax.net.ssl.SSLContext;
+-import javax.net.ssl.TrustManager;
+-import javax.net.ssl.X509TrustManager;
+
+ import org.junit.After;
+ import org.junit.Before;
+ import org.junit.Test;
+ import org.openstreetmap.josm.JOSMFixture;
+ import org.openstreetmap.josm.spi.preferences.Config;
+-import org.openstreetmap.josm.tools.Logging;
+-
+-import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+
+ /**
+ * Unit tests for Remote Control
+@@ -37,7 +24,6 @@ import edu.umd.cs.findbugs.annotations.S
+ public class RemoteControlTest {
+
+ private String httpBase;
+- private String httpsBase;
+
+ /**
+ * Starts Remote control before testing requests.
+@@ -46,65 +32,9 @@ public class RemoteControlTest {
+ @Before
+ public void setUp() throws GeneralSecurityException {
+ JOSMFixture.createUnitTestFixture().init();
+- RemoteControl.PROP_REMOTECONTROL_HTTPS_ENABLED.put(true);
+- deleteKeystore();
+
+ RemoteControl.start();
+- disableCertificateValidation();
+ httpBase = "http://127.0.0.1:"+Config.getPref().getInt("remote.control.port", 8111);
+- httpsBase = "https://127.0.0.1:"+Config.getPref().getInt("remote.control.https.port", 8112);
+- }
+-
+- /**
+- * Deletes JOSM keystore, if it exists.
+- */
+- public static void deleteKeystore() {
+- try {
+- Files.deleteIfExists(Paths.get(
+- RemoteControl.getRemoteControlDir()).resolve(RemoteControlHttpsServer.KEYSTORE_FILENAME));
+- } catch (IOException e) {
+- Logging.error(e);
+- }
+- }
+-
+- /**
+- * Disable all HTTPS validation mechanisms as described
+- * <a href="http://stackoverflow.com/a/2893932/2257172">here</a> and
+- * <a href="http://stackoverflow.com/a/19542614/2257172">here</a>
+- * @throws GeneralSecurityException if a security error occurs
+- */
+- public void disableCertificateValidation() throws GeneralSecurityException {
+- // Create a trust manager that does not validate certificate chains
+- TrustManager[] trustAllCerts = new TrustManager[] {
+- new X509TrustManager() {
+- @Override
+- @SuppressFBWarnings(value = "WEAK_TRUST_MANAGER")
+- public X509Certificate[] getAcceptedIssuers() {
+- return new X509Certificate[0];
+- }
+-
+- @Override
+- @SuppressFBWarnings(value = "WEAK_TRUST_MANAGER")
+- public void checkClientTrusted(X509Certificate[] certs, String authType) {
+- }
+-
+- @Override
+- @SuppressFBWarnings(value = "WEAK_TRUST_MANAGER")
+- public void checkServerTrusted(X509Certificate[] certs, String authType) {
+- }
+- }
+- };
+-
+- // Install the all-trusting trust manager
+- SSLContext sc = SSLContext.getInstance("TLS");
+- sc.init(null, trustAllCerts, new SecureRandom());
+- HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+-
+- // Create all-trusting host name verifier
+- HostnameVerifier allHostsValid = (hostname, session) -> true;
+-
+- // Install the all-trusting host verifier
+- HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
+ }
+
+ /**
+@@ -124,15 +54,6 @@ public class RemoteControlTest {
+ testListOfCommands(httpBase);
+ }
+
+- /**
+- * Tests that sending an HTTPS request without command results in HTTP 400, with all available commands in error message.
+- * @throws Exception if an error occurs
+- */
+- @Test
+- public void testHttpsListOfCommands() throws Exception {
+- testListOfCommands(httpsBase);
+- }
+-
+ private void testListOfCommands(String url) throws IOException, ReflectiveOperationException {
+ HttpURLConnection connection = (HttpURLConnection) new URL(url).openConnection();
+ connection.connect();
+--- a/test/unit/org/openstreetmap/josm/tools/PlatformHookOsxTest.java
++++ b/test/unit/org/openstreetmap/josm/tools/PlatformHookOsxTest.java
+@@ -40,15 +40,6 @@ public class PlatformHookOsxTest {
+ }
+
+ /**
+- * Test method for {@code PlatformHookOsx#setupHttpsCertificate}
+- * @throws Exception if an error occurs
+- */
+- @Test
+- public void testSetupHttpsCertificate() throws Exception {
+- assertFalse(hook.setupHttpsCertificate(null, null));
+- }
+-
+- /**
+ * Test method for {@code PlatformHookOsx#afterPrefStartupHook}
+ */
+ @Test
+--- a/test/unit/org/openstreetmap/josm/tools/PlatformHookWindowsTest.java
++++ b/test/unit/org/openstreetmap/josm/tools/PlatformHookWindowsTest.java
+@@ -10,8 +10,6 @@ import static org.junit.Assert.fail;
+
+ import java.io.File;
+ import java.io.IOException;
+-import java.security.KeyStore;
+-import java.security.KeyStore.TrustedCertificateEntry;
+ import java.security.KeyStoreException;
+ import java.util.Collection;
+
+@@ -19,8 +17,6 @@ import org.junit.BeforeClass;
+ import org.junit.Test;
+ import org.openstreetmap.josm.JOSMFixture;
+ import org.openstreetmap.josm.Main;
+-import org.openstreetmap.josm.io.remotecontrol.RemoteControlHttpsServer;
+-import org.openstreetmap.josm.io.remotecontrol.RemoteControlTest;
+
+ /**
+ * Unit tests of {@link PlatformHookWindows} class.
+@@ -60,45 +56,6 @@ public class PlatformHookWindowsTest {
+ fail("Expected KeyStoreException");
+ } catch (KeyStoreException e) {
+ Logging.info(e.getMessage());
+- }
+- }
+- }
+-
+- /**
+- * Test method for {@code PlatformHookWindows#removeInsecureCertificates}
+- * @throws Exception if an error occurs
+- */
+- @Test
+- public void testRemoveInsecureCertificates() throws Exception {
+- if (Main.isPlatformWindows()) {
+- PlatformHookWindows.removeInsecureCertificates();
+- } else {
+- try {
+- PlatformHookWindows.removeInsecureCertificates();
+- fail("Expected KeyStoreException");
+- } catch (KeyStoreException e) {
+- Logging.info(e.getMessage());
+- }
+- }
+- }
+-
+- /**
+- * Test method for {@code PlatformHookWindows#setupHttpsCertificate}
+- * @throws Exception if an error occurs
+- */
+- @Test
+- public void testSetupHttpsCertificate() throws Exception {
+- RemoteControlTest.deleteKeystore();
+- KeyStore ks = RemoteControlHttpsServer.loadJosmKeystore();
+- TrustedCertificateEntry trustedCert = new KeyStore.TrustedCertificateEntry(ks.getCertificate(ks.aliases().nextElement()));
+- if (Main.isPlatformWindows()) {
+- hook.setupHttpsCertificate(RemoteControlHttpsServer.ENTRY_ALIAS, trustedCert);
+- } else {
+- try {
+- hook.setupHttpsCertificate(RemoteControlHttpsServer.ENTRY_ALIAS, trustedCert);
+- fail("Expected KeyStoreException");
+- } catch (KeyStoreException e) {
+- Logging.info(e.getMessage());
+ }
+ }
+ }
+--- a/josm-latest.jnlp
++++ b/josm-latest.jnlp
+@@ -19,7 +19,7 @@
+ <all-permissions/>
+ </security>
+ <resources>
+- <java version="1.8+" max-heap-size="2048m" java-vm-args="--add-modules=java.activation,java.se.ee --add-exports=java.base/sun.security.util=ALL-UNNAMED --add-exports=java.base/sun.security.x509=ALL-UNNAMED --add-exports=java.desktop/com.apple.eawt=ALL-UNNAMED --add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED --add-exports=javafx.graphics/com.sun.javafx.application=ALL-UNNAMED --add-exports=jdk.deploy/com.sun.deploy.config=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED --add-opens=java.base/jdk.internal.ref=ALL-UNNAMED --add-opens=java.desktop/javax.imageio.spi=ALL-UNNAMED --add-opens=java.desktop/javax.swing.text.html=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED"/>
++ <java version="1.8+" max-heap-size="2048m" java-vm-args="--add-modules=java.activation,java.se.ee --add-exports=java.desktop/com.apple.eawt=ALL-UNNAMED --add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED --add-exports=javafx.graphics/com.sun.javafx.application=ALL-UNNAMED --add-exports=jdk.deploy/com.sun.deploy.config=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED --add-opens=java.base/jdk.internal.ref=ALL-UNNAMED --add-opens=java.desktop/javax.imageio.spi=ALL-UNNAMED --add-opens=java.desktop/javax.swing.text.html=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED"/>
+ <jar href="josm-latest.jar"/>
+ <property name="java.util.Arrays.useLegacyMergeSort" value="true"/>
+ </resources>
+--- a/josm.jnlp
++++ b/josm.jnlp
+@@ -19,7 +19,7 @@
+ <all-permissions/>
+ </security>
+ <resources>
+- <java version="1.8+" max-heap-size="2048m" java-vm-args="--add-modules=java.activation,java.se.ee --add-exports=java.base/sun.security.util=ALL-UNNAMED --add-exports=java.base/sun.security.x509=ALL-UNNAMED --add-exports=java.desktop/com.apple.eawt=ALL-UNNAMED --add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED --add-exports=javafx.graphics/com.sun.javafx.application=ALL-UNNAMED --add-exports=jdk.deploy/com.sun.deploy.config=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED --add-opens=java.base/jdk.internal.ref=ALL-UNNAMED --add-opens=java.desktop/javax.imageio.spi=ALL-UNNAMED --add-opens=java.desktop/javax.swing.text.html=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED"/>
++ <java version="1.8+" max-heap-size="2048m" java-vm-args="--add-modules=java.activation,java.se.ee --add-exports=java.desktop/com.apple.eawt=ALL-UNNAMED --add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED --add-exports=javafx.graphics/com.sun.javafx.application=ALL-UNNAMED --add-exports=jdk.deploy/com.sun.deploy.config=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/jdk.internal.loader=ALL-UNNAMED --add-opens=java.base/jdk.internal.ref=ALL-UNNAMED --add-opens=java.desktop/javax.imageio.spi=ALL-UNNAMED --add-opens=java.desktop/javax.swing.text.html=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED"/>
+ <jar href="josm-tested.jar"/>
+ <property name="java.util.Arrays.useLegacyMergeSort" value="true"/>
+ </resources>
=====================================
debian/patches/series
=====================================
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@
07-use_system_fonts.patch
08-use_noto_font.patch
09-no-java-8.patch
+remove_https_remote_control2.patch
=====================================
debian/rules
=====================================
--- a/debian/rules
+++ b/debian/rules
@@ -31,7 +31,7 @@ override_dh_auto_build:
# Move translation causing build failure out of the way
mv i18n/po/ca at valencia.po .
- dh_auto_build -- -Ddebian.version=${DEB_VERSION} -DnoJavaFX=true dist
+ dh_auto_build -- -v -d -Ddebian.version=${DEB_VERSION} -DnoJavaFX=true dist
mv ca at valencia.po i18n/po/
View it on GitLab: https://salsa.debian.org/debian-gis-team/josm/compare/745221afbdc04b0a7952d75bd1931bf4734386b5...1f5d297dce3b09bf5deead98c7222075bbac7911
--
View it on GitLab: https://salsa.debian.org/debian-gis-team/josm/compare/745221afbdc04b0a7952d75bd1931bf4734386b5...1f5d297dce3b09bf5deead98c7222075bbac7911
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-grass-devel/attachments/20180703/a7762c6f/attachment-0001.html>
More information about the Pkg-grass-devel
mailing list