From 22ab085c2af1266939a3ab4b932abc3c2d1792ca Mon Sep 17 00:00:00 2001
From: Raven Szewczyk
Date: Sun, 19 Nov 2023 15:53:41 +0000
Subject: [PATCH] Switch to ISRG roots
---
 .gitattributes | 1 +
 .../dreammaster/coremod/LetsEncryptAdder.java | 20 +++++++++---------
 .../assets/letsencryptroot/isrg-root-x1.der | Bin 0 -> 1390 bytes
 .../assets/letsencryptroot/isrg-root-x2.der | Bin 0 -> 543 bytes
 .../lets-encrypt-x3-cross-signed.der | Bin 1174 -> 0 bytes
 5 files changed, 11 insertions(+), 10 deletions(-)
 create mode 100644 src/main/resources/assets/letsencryptroot/isrg-root-x1.der
 create mode 100644 src/main/resources/assets/letsencryptroot/isrg-root-x2.der
 delete mode 100644 src/main/resources/assets/letsencryptroot/lets-encrypt-x3-cross-signed.der
diff --git a/.gitattributes b/.gitattributes
index fd2792b6c..067247605 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -42,3 +42,4 @@
 *.[pP][sS]1 text eol=crlf
 *[aA][uU][tT][oO][gG][eE][nN][eE][rR][aA][tT][eE][dD]* binary
+*.der binary
diff --git a/src/main/java/com/dreammaster/coremod/LetsEncryptAdder.java b/src/main/java/com/dreammaster/coremod/LetsEncryptAdder.java
index d1a9f36fe..8c4fcbff6 100644
--- a/src/main/java/com/dreammaster/coremod/LetsEncryptAdder.java
+++ b/src/main/java/com/dreammaster/coremod/LetsEncryptAdder.java
@@ -8,7 +8,6 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.KeyStore;
-import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.util.Objects;
 import java.util.regex.Matcher;
@@ -58,10 +57,13 @@ public class LetsEncryptAdder {
 private static boolean alreadyAdded = false;
 private static final Logger LOGGER = LogManager.getLogger(LetsEncryptAdder.class);
- private static void trustLetsEncryptX3() throws Exception {
- InputStream cert = Objects.requireNonNull(
- LetsEncryptAdder.class.getResourceAsStream("/assets/letsencryptroot/lets-encrypt-x3-cross-signed.der"),
- "Embedded let's encrypt certificate not found");
+ private static void trustLetsEncryptRoots() throws Exception {
+ final InputStream cert1 = Objects.requireNonNull(
+ LetsEncryptAdder.class.getResourceAsStream("/assets/letsencryptroot/isrg-root-x1.der"),
+ "Embedded let's encrypt certificate X1 not found");
+ final InputStream cert2 = Objects.requireNonNull(
+ LetsEncryptAdder.class.getResourceAsStream("/assets/letsencryptroot/isrg-root-x2.der"),
+ "Embedded let's encrypt certificate X2 not found");
 KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
 Path ksPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
@@ -69,10 +71,8 @@ private static void trustLetsEncryptX3() throws Exception {
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
- InputStream caInput = new BufferedInputStream(cert);
- Certificate crt = cf.generateCertificate(caInput);
-
- keyStore.setCertificateEntry("lets-encrypt-x3-cross-signed", crt);
+ keyStore.setCertificateEntry("isrg-root-x1", cf.generateCertificate(new BufferedInputStream(cert1)));
+ keyStore.setCertificateEntry("isrg-root-x2", cf.generateCertificate(new BufferedInputStream(cert2)));
 TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 tmf.init(keyStore);
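Review bot: The two DER resources loaded at the top of `trustLetsEncryptRoots()` become trust anchors, yet nothing in the new code lets a reader confirm they are the genuine ISRG Root X1 and X2, because the patch carries them as opaque binary blobs. I would add a comment above each `getResourceAsStream` call recording the expected fingerprint, for example `// ISRG Root X1, SHA-256 fingerprint <FINGERPRINT-PLACEHOLDER>, as published at letsencrypt.org/certificates`, so the files can be checked against the CA's published values in review and on later updates. A stricter variant compares a SHA-256 digest of the parsed certificate's `getEncoded()` with that constant and skips the entry on mismatch. That mainly guards against an accidental or shadowed resource, since the constant ships in the same jar. The method body continues outside this hunk.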
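Review bot: `cert1` and `cert2` are wrapped in `BufferedInputStream` inline in the two `setCertificateEntry` calls and are never closed in the visible lines. In addition, if the X2 resource is missing, the second `requireNonNull` in the previous hunk throws while `cert1` is already open. Scoping each stream with try-with-resources keeps its lifetime local, e.g. `try (InputStream in = new BufferedInputStream(cert1)) { keyStore.setCertificateEntry("isrg-root-x1", cf.generateCertificate(in)); }`, and the same for X2. The rest of the method, including where the resulting trust managers are installed, is outside this hunk.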
@@ -120,7 +120,7 @@ public static void addLetsEncryptCertificates() { String body = ""; try { LOGGER.info("Adding Let's Encrypt certificate..."); - LetsEncryptAdder.trustLetsEncryptX3(); + LetsEncryptAdder.trustLetsEncryptRoots(); LOGGER.info("Done, attempting to connect to https://helloworld.letsencrypt.org..."); URL url = new URL("https://helloworld.letsencrypt.org"); URLConnection conn = url.openConnection(); diff --git a/src/main/resources/assets/letsencryptroot/isrg-root-x1.der b/src/main/resources/assets/letsencryptroot/isrg-root-x1.der new file mode 100644 index 0000000000000000000000000000000000000000..7ee4e98b57db7a4a73e2bde172328be0652fb1e0 GIT binary patch literal 1390 zcmXqLV$C*aVh&!w%*4pVB*@StaDKxjhsTjF$q#lXH+3@@@Un4gwRyCC=VfH%W@Rw& zH{>?pWMd9xVH0Kw4K~y?PzQ0igcUsVN>YpRQcDzqQMi96N{2F6x@sQ zOA8D|4TM2TnT2^ggM-`^g7WiA6e0`_)UeSUJ_S;M+V-u>HW)=goaf7yL{%}fvF;1?F_{JHX*^)7mb z_cWAjyQP1@qPLp4KvBB%lYz~z{&jb6C9i%h=6|S9(7WzD_ly5q%k{o&s`h%|Bc#ex z(95j3;9;=J8{wPpB=-w!_Uf_kT$~tqZ%sS8l;RAn=gy-c5l%vESRjulRoaDHHpQelw1#&mWmj<25Ut_nWV1qwMTG%s)L@ zZ#3Rz-J*5P@#PxEvZ-ABH|}5EDDklY(M=kbokat@+bL(=ez`Qo=d9_8$g;*;h-`WLMh;lRc_g>Iv-DFqo zCF5PpD)i^rs|NwXHO`YuHlHea-Y3t;=GdnK4#`;nE(6$dNYTB&bR(NQ2+$oz?wqHJLsjX!HYm3h*_fBYYY5f0w z`;n;A6{QR6u@5W%Njxv;SnK!fX1CR`yXt{?|M#SPHFoxAVrFDuTTOS-Fcvp(bexci`1W#k9&#cB z<{V%mV`K=Gk65{9(~5u#JR5IFWh$s^a;!-#jp@q!(eyM^|LV6e@0~k}1tKpiPOp3J zQ}}z+rG&MXE4W{YD~7dx4B(4=eeOZz%Uvf$-?z=}Z)y1U;Bf(&HAOp^7{YH`d1URl{Sj=^?&LziH^AOhw)^{&K+uJ zx;l(IeRNxFn(n`w7S6g$XZQCb+mHKMH|;Y#p;TNv>EfY=C6<-~#>!1THuKvyh0c)O zr`gt{G<)8oZ0m5VrUKtPoX0y)bFus8yol{P`TpGM;xXmo zZ1sKY_B(g@H> g?|sub`=z+^{pj2A|N7*@7oByOTbHDC>z;%<06(i(qW}N^ literal 0 HcmV?d00001 
diff --git a/src/main/resources/assets/letsencryptroot/isrg-root-x2.der b/src/main/resources/assets/letsencryptroot/isrg-root-x2.der new file mode 100644 index 0000000000000000000000000000000000000000..0f5f95fee95053be45dfff48e6913b0f896b211e GIT binary patch literal 543 zcmXqLVv;s!VqCa@nTe5!Nx<>a+>1r8-Ysu9sFU+jzdgu+i;Y98&EuRc3p2BUzah5) zCmVAp3!5-gXt1HCfjWr8C9L3?SCU$kms+9_oSIx(lvz@#5R_V+npl*aq2OMWUs_-& zY9I_!$}G&|864!U5R{)^q7Y$ZAScdiWME)vU}69UQR2KnmZhP&p&5uDMSTm)30&A6SaOKU4F2Dcb zm*X4DJEf;G*m>k%Ep{?+FyI4*fGj^F<9`+wU|6#m@PqimAU>-BGmtWn1qtx6h_Q&& zI89r3&)dWL*Q6iwdd}x|uPid3iX0Qn84L!gOa|4Jer^FRhg{m-q+JXCN6ftUORkyhaa6s;oISRp<>3NAIrA4Uh&j1wXVrpV! zWSDcA=R?#}J@@TJvF6R2Gm;HnT{l&eRDHO2pXtYfN&4G&cssJLUOCT{BjU|Qts@!j z+>0NVK6&l0_q|9qh$z3@aP-_(ic|2>=eGQq~-^kmKfP`JhC5R4vw5eA)gIAakh*Cmi&<$y_8PCx(i1!@^cPL@*HTc` zWI0xH;DX`VenX3?V!Kut?{NOOQU0(&{h~@kVOw3ZACLchGS1p*X?S$~kzQWe6fxsf zzgjf6UEw}(qxSG*CT2zk#>GvHwZIUmG!Oy?sH`v}<9`+o12!PV#K>U42NL54iLn6F zN1H)C8;3R2P#h-gA@BM&1Jqk%meH_+KEj7|4} z{$n&SFwld!fr(K}3F?Mqpc6oL=~fu(<)oGrr$UmNUVc%!fepx1c@|RxV*|ql`U`a1 zv|*Zxa?sojOz%Pd{vpne5ys9zK6=STIR>&I-Fz%!EFvqsvXWV9@9uhb(Q^AT*VOl) zSG-w>oJ4_H446b28SWZi7yO(YVR2VN^fzbdzOt~L1s+Q?-PNlPsc=mC7$xr|q-m~F z5-5|DvE%I2g7l}~m+bM=2s}Ic#k%&nuWsy$TF5x-&WF2MvROCm!j@;Oxdt4HR-{@kf)2a)+!u%`E2){6W_KTHd;L6O!Z+>x=&G>hD&N+uyM)Tw+#W)@;$%&5TiZ?#vJAaME2mNZDq`5a2Ps~@9)}OFZ z(#`f;o%FJ*_MMBXawUGLE}hse`rwn8e#8bgeVq)oW8O2)-kQ(zvwp%`XD=Zazx?7V bjaN%nhllF4Ox`})Hs(OaAVarCE7