From 2bc7bdba8a18a871510a997dc46f9ecf9b190798 Mon Sep 17 00:00:00 2001
From: huanghongxun
Date: Mon, 16 Mar 2020 22:44:58 +0800
Subject: [PATCH] fix: lets encrypt, no longer require 8u101
---
 .../main/java/org/jackhuang/hmcl/Main.java | 44 ++++++++++++++++--
 HMCL/src/main/resources/assets/lekeystore.jks | Bin 0 -> 2347 bytes
 2 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100644 HMCL/src/main/resources/assets/lekeystore.jks
diff --git a/HMCL/src/main/java/org/jackhuang/hmcl/Main.java b/HMCL/src/main/java/org/jackhuang/hmcl/Main.java
index 9fc6ddfdb..8928cb620 100644
--- a/HMCL/src/main/java/org/jackhuang/hmcl/Main.java
+++ b/HMCL/src/main/java/org/jackhuang/hmcl/Main.java
@@ -20,15 +20,21 @@ package org.jackhuang.hmcl;
 import org.jackhuang.hmcl.upgrade.UpdateHandler;
 import org.jackhuang.hmcl.util.Logging;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
+import javax.net.ssl.*;
 import javax.swing.*;
 import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Collections;
 import java.util.logging.Level;
 import static org.jackhuang.hmcl.util.Lang.thread;
@@ -46,7 +52,10 @@ public final class Main {
 checkDirectoryPath();
 // This environment check will take ~300ms
- thread(Main::checkDSTRootCAX3, "CA Certificate Check", true);
+ thread(() -> {
+ fixLetsEncrypt();
+ checkDSTRootCAX3();
+ }, "CA Certificate Check", true);
 Logging.start(Metadata.HMCL_DIRECTORY.resolve("logs"));
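Review bot: Collapsing the three named `javax.net.ssl` imports into `import javax.net.ssl.*;` is a style point worth reverting, since every other import this same hunk adds (`java.io`, `java.nio.file`, `java.security`) is explicit. Keep the list explicit for the types the new code uses, `import javax.net.ssl.HttpsURLConnection;`, `import javax.net.ssl.SSLContext;`, `import javax.net.ssl.TrustManagerFactory;`, and retain `TrustManager`/`X509TrustManager` if the code outside this hunk (presumably `checkDSTRootCAX3`) still references them.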
@@ -115,4 +124,31 @@ public final class Main {
 JOptionPane.showMessageDialog(null, message, "Warning", JOptionPane.WARNING_MESSAGE);
 }
+ static void fixLetsEncrypt() {
+ try {
+ KeyStore defaultKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ Path ksPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
+ defaultKeyStore.load(Files.newInputStream(ksPath), "changeit".toCharArray());
+
+ KeyStore letsEncryptKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ InputStream letsEncryptFile = Main.class.getResourceAsStream("/assets/lekeystore.jks");
+ letsEncryptKeyStore.load(letsEncryptFile, "supersecretpassword".toCharArray());
+
+ KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
+ merged.load(null, new char[0]);
+ for (String alias : Collections.list(letsEncryptKeyStore.aliases()))
+ merged.setCertificateEntry(alias, letsEncryptKeyStore.getCertificate(alias));
+ for (String alias : Collections.list(defaultKeyStore.aliases()))
+ merged.setCertificateEntry(alias, defaultKeyStore.getCertificate(alias));
+
+ TrustManagerFactory instance = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ instance.init(merged);
+ SSLContext tls = SSLContext.getInstance("TLS");
+ tls.init(null, instance.getTrustManagers(), null);
+ HttpsURLConnection.setDefaultSSLSocketFactory(tls.getSocketFactory());
+ LOG.info("Added Lets Encrypt root certificates as additional trust");
+ } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | KeyManagementException e) {
+ LOG.log(Level.SEVERE, "Failed to load lets encrypt certificate. Expect problems", e);
+ }
+ }
 }
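Review bot: Neither the `Files.newInputStream(ksPath)` stream nor `letsEncryptFile` is ever closed in `fixLetsEncrypt`, and a null from `getResourceAsStream` (bundled keystore missing from the jar) is accepted by `KeyStore.load(null, …)` as "create an empty store", so the merged trust set would silently lack the bundled roots while the method still logs "Added Lets Encrypt root certificates". Wrapping both streams in try-with-resources and rejecting a null resource (the thrown `IOException` lands in the existing multi-catch) fixes both; only the changed lines are shown below, the merge and SSLContext setup are unchanged. Reading `java.home/lib/security/cacerts` with the hard-coded `"changeit"` deserves a comment: on a JRE whose cacerts password was changed the load throws, the catch logs SEVERE and no Let's Encrypt trust is added, and a trust store configured via `javax.net.ssl.trustStore` is not consulted at all. Because `setDefaultSSLSocketFactory` only affects connections created afterwards and this runs on the background thread started in the earlier hunk, HTTPS requests issued before it completes presumably still use the original trust store, which is worth stating in a comment at the call site. The bundled root certificates will eventually expire, so a comment naming which roots `lekeystore.jks` contains and when it must be refreshed would help maintainers.
```java
static void fixLetsEncrypt() {
    try {
        KeyStore defaultKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        Path ksPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        try (InputStream cacerts = Files.newInputStream(ksPath)) {
            defaultKeyStore.load(cacerts, "changeit".toCharArray());
        }

        KeyStore letsEncryptKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream letsEncryptFile = Main.class.getResourceAsStream("/assets/lekeystore.jks")) {
            if (letsEncryptFile == null) {
                throw new IOException("Bundled keystore /assets/lekeystore.jks is missing");
            }
            letsEncryptKeyStore.load(letsEncryptFile, "supersecretpassword".toCharArray());
        }
        // … unchanged: merge aliases into a fresh KeyStore, TrustManagerFactory/SSLContext setup, LOG.info …
        // … unchanged: catch (KeyStoreException | IOException | …) { LOG.log(Level.SEVERE, …, e); } …
```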
diff --git a/HMCL/src/main/resources/assets/lekeystore.jks b/HMCL/src/main/resources/assets/lekeystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..12749d786bed22441a0d81d2aca0e36ee95945fe GIT binary patch literal 2347 zcmb`Hc{J4f8^>oc#%>sUVMq*W`i>!Mmbe*4wowdP#3W0DSuEF*Moq@<7GWY$zx1<| zeJRA1B`)G}?Q3=_74D6==H7Ge?cDq4@At>&e9rqh&pFTMyg$$Dy}P!%1_FT~e;q*| zFEWKrWzguMI1mVYWu!k&9t3m2=m7d45Y!f6LahNNL@O5x0Ye}Ni>J?`2lLhH*nmC@ z^Q);JAk53J!NRk)gu!4K3JsAQBAcMQrr z0E3kVB)MHsq=*I43FR0NuwOPqx!?c=X<+~W^l^X|7ORETca;{_!g3{68^B_9T>tk0 zOtA8|j|Rg)P$pOu1Tet@5GEK5ntZx+*PbuNxuWY5c{7E%+SY%>4|wgiI{af~n`x7b zMEukuF4#(A){t8xX!2yWgJ(?pOsvN;!Q=X>qhD>_3_%WkAD^EiG{T=` zER9hZM@_o5YQz;{>H~{k3CbN#p;KRl`xa^s0_?rHE68vs!S=zDRo8nzD4g&rPiUQN z>@W*lm7)%)uIio9H}Bo~D&uates^Uci<2l{H*&bPb!f6l5@Jv|LRmM)Y`F8?Ga8KX zd5hr4YE-E^&(59T-2VVM2Z4e?;QW(-DImK4L-I&4c#j7LK=&^|gj*2h7I^lzfftbH zY7rhO9*LI6r4Pf81brEuCZsU-S|l&tWFx+Hd4DzbT?T{l<&JQqLGDi!-k~q+8Z^eV znGk;D&rL&}n;j-u^cf2q*T)fZ>5AP5<~_Qcd{l9c zlgmV170CJ*$WB~*AGJLrNvLiNUV6uQtAfl^_SYq zxc`#ex@R6s(JVVPyE32Y;(KP#5;l57g{WG$T0dAkCsMDPZ>Zw49KEYu3U|GOgF;7z z^Ug{j^;NJp^9mrYfaUbKJ^TfPKLxbn<#~}K^&+-Ie7-L-HU75~T8ZR}rHE4J;N@3U zX#GY>^1=4akaS;x#1O%uR6(93_^5i7z`Jawjt=4v>csrXbQ+oBNev66`_QP~q1ZpT z3#p0yi#u2Vz=Zkjvq$`sJ24Ow(etd&be3e{IrZF=84vo_UBP|u?686WKNl%pB;*Vc zs}87fg#Z#|MWK_a6fzw}BzrQbKJ+k@Bbi3_pn6_GSyBTSfmlfZ$!&!qg{+8Xq0D1jJz8SUD#|)2l{~_39;tLj#o#Fg^lCUy@74M?4Exr0klL#0XJ6f{S~VA(+o) z;nq_&;)jI-6QSz4(?pe3P1Y8ObjEEq_(TK3bxwjAn=Uj<9ulgGrH-*#~C@>BGgiO&I{;o zRiL9?YIaB!M{=+NXqy||*zF|@RQUq({_zgGywQn#+Vh;;r+_BHAt`xUR5 zx-rRkTy;aGL+r6@zKyBksRx;rj}06sEW?~g>SJ+OC~3{uAyiTjnw;2s3|3|wZheqI zgNg67E>GDbBg}8p%U{zMk`%#wy}-|ILB}iLbxi=^j<04KX8b4eVq9LnI;K8EK& zUJTUi!60n?Ky%fHf(Vx3sRF!4>{xJCaHFE{qZ6{pD|(;2CfYTH1<-q2qcf5xe^%~Q zJ2xG+E3*(7TWmW&9Blic~-R{3&9DF8pLde@ptkfy_#csWiE0e2I-dyt~Wtp<|k6 zUCnlJAC4F~Cx80tz=P7ZlL7OlYC7)u=xTW4LLx3@;n4kU`+H&jrv@q{%hM@Q9HDfB z8poq1gKpE?e9bp@RSNRiBSpT`G8&}?<{obSierX}!5@zT zdOh@}(`$;(#q0jU7{I;E6f4O#Yoao4G(gNwUhr1I-+9APYk-^7*4SOAJ4}CHy_S7w 
zreSIT&4V<;LUYEy_fKwx%d}pbuuL*R=kW0MJaW