Commit 1134e0be authored by Gaston Dombiak's avatar Gaston Dombiak Committed by gato

Improved logic to detect self-signed certificates and certificates ready to generate a CSR. JM-1204

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@9653 b35dd754-fafc-0310-a699-88a17e54d16e
parent 2a2337ee
...@@ -44,6 +44,7 @@ import java.util.regex.Pattern; ...@@ -44,6 +44,7 @@ import java.util.regex.Pattern;
public class CertificateManager { public class CertificateManager {
private static Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)"); private static Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)");
private static Pattern valuesPattern = Pattern.compile("(?i)(=)([^,]*)");
private static Provider provider = new BouncyCastleProvider(); private static Provider provider = new BouncyCastleProvider();
...@@ -305,6 +306,42 @@ public class CertificateManager { ...@@ -305,6 +306,42 @@ public class CertificateManager {
return false; return false;
} }
/**
* Returns true if the specified certificate is a self-signed certificate.
*
* @param keyStore key store that holds the certificate to verify.
* @param alias alias of the certificate in the key store.
* @return true if the specified certificate is a self-signed certificate.
* @throws KeyStoreException if an error happens while usign the keystore
*/
public static boolean isSelfSignedCertificate(KeyStore keyStore, String alias) throws KeyStoreException {
// Get certificate chain
java.security.cert.Certificate[] certificateChain = keyStore.getCertificateChain(alias);
// Verify that the chain is empty or was signed by himself
return certificateChain == null || certificateChain.length == 1;
}
/**
* Returns true if the specified certificate is ready to be signed by a Certificate Authority. Self-signed
* certificates need to get their issuer information entered to be able to generate a Certificate
* Signing Request (CSR).
*
* @param keyStore key store that holds the certificate to verify.
* @param alias alias of the certificate in the key store.
* @return true if the specified certificate is ready to be signed by a Certificate Authority.
* @throws KeyStoreException if an error happens while usign the keystore
*/
public static boolean isSigningRequestPending(KeyStore keyStore, String alias) throws KeyStoreException {
// Verify that this is a self-signed certificate
if (!isSelfSignedCertificate(keyStore, alias)) {
return false;
}
// Verify that the issuer information has been entered
X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);
Matcher matcher = valuesPattern.matcher(certificate.getIssuerDN().toString());
return matcher.find() && matcher.find();
}
/** /**
* Creates and returns the content of a new singing request for the specified certificate. Signing * Creates and returns the content of a new singing request for the specified certificate. Signing
* requests are required by Certificate Authorities as part of their signing process. The signing request * requests are required by Certificate Authorities as part of their signing process. The signing request
......
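Review bot: isSelfSignedCertificate in the second hunk decides on chain length alone and never checks that the certificate is signed with its own key, so a CA-issued certificate imported without its intermediates (chain of length 1) and every alias for which getCertificateChain returns null (a trusted-certificate entry with no private key, or an alias that does not exist) are reported as self-signed — and the two JSP callers in this commit then label them and, on the update page, regenerate them. Comparing issuer and subject DN is not a substitute either, because a CSR-pending certificate has had its issuer information entered and so no longer has issuer == subject; verifying the signature with the certificate's own public key covers both the plain self-signed and the CSR-pending case, and treating a null chain as "not ours to manage" seems right since only key entries carry a chain (if some Openfire-generated entry legitimately has no chain, keep that branch). isSigningRequestPending dereferences keyStore.getCertificate(alias) without a null check and parses the deprecated getIssuerDN().toString() with a regex that splits on unescaped commas and depends on the provider's string format; `certificate.getIssuerX500Principal().getName()` fed to `new javax.naming.ldap.LdapName(...).size() > 1` counts RDNs without either dependency. Both Javadoc blocks spell `usign` for `using`. The rewrite below needs java.security.GeneralSecurityException in scope.
```java
public static boolean isSelfSignedCertificate(KeyStore keyStore, String alias) throws KeyStoreException {
    java.security.cert.Certificate[] certificateChain = keyStore.getCertificateChain(alias);
    // Only key entries have a chain; a chain longer than one means a CA signed it
    if (certificateChain == null || certificateChain.length != 1) {
        return false;
    }
    // Self-signed = the signature verifies with the certificate's own public key. The issuer DN may
    // legitimately differ from the subject DN (issuer information entered for a CSR), so DN equality
    // is deliberately not the test here.
    try {
        certificateChain[0].verify(certificateChain[0].getPublicKey());
        return true;
    } catch (GeneralSecurityException e) {
        return false;
    }
}
```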
...@@ -285,10 +285,9 @@ ...@@ -285,10 +285,9 @@
identities.setLength(identities.length() - 2); identities.setLength(identities.length() - 2);
} }
// Self-signed certs are certs generated by Openfire whose IssueDN equals SubjectDN // Self-signed certs are certs generated by Openfire whose IssueDN equals SubjectDN
boolean isSelfSigned = c.getSubjectDN().equals(c.getIssuerDN()); boolean isSelfSigned = CertificateManager.isSelfSignedCertificate(keyStore, a);
// Signing Request pending = not self signed certs whose chain has only 1 cert (the same cert) // Signing Request pending = not self signed certs whose chain has only 1 cert (the same cert)
java.security.cert.Certificate[] certificateChain = keyStore.getCertificateChain(a); boolean isSigningPending = CertificateManager.isSigningRequestPending(keyStore, a);
boolean isSigningPending = !isSelfSigned && (certificateChain == null || certificateChain.length == 1);
offerUpdateIssuer = offerUpdateIssuer || isSelfSigned || isSigningPending; offerUpdateIssuer = offerUpdateIssuer || isSelfSigned || isSigningPending;
if (isSigningPending) { if (isSigningPending) {
...@@ -312,7 +311,7 @@ ...@@ -312,7 +311,7 @@
</font> </font>
<% } %> <% } %>
</td> </td>
<% if (isSelfSigned) { %> <% if (isSelfSigned && !isSigningPending) { %>
<td width="1%"><img src="images/certificate_warning-16x16.png" width="16" height="16" border="0" title="<fmt:message key="ssl.certificates.self-signed.info" />"></td> <td width="1%"><img src="images/certificate_warning-16x16.png" width="16" height="16" border="0" title="<fmt:message key="ssl.certificates.self-signed.info" />"></td>
<td width="1%" nowrap> <td width="1%" nowrap>
<fmt:message key="ssl.certificates.self-signed" /> <fmt:message key="ssl.certificates.self-signed" />
......
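Review bot: The two comments kept above the new calls in the first hunk now describe the old heuristics rather than the new code: "IssueDN equals SubjectDN" is no longer what isSelfSignedCertificate tests, and "not self signed certs whose chain has only 1 cert" is the opposite of isSigningRequestPending, which requires the certificate to be self-signed. I would rewrite them to `// Self-signed certs are certs generated by Openfire and signed with their own key` and `// Signing Request pending = self-signed certs whose issuer information has already been entered`, so the scriptlet matches CertificateManager's Javadoc. Both new helpers throw the checked KeyStoreException; the enclosing scriptlet starts and ends outside the hunk, so whether it is caught or surfaces as a page error is not visible here. The per-alias KeyStore lookups that the helpers repeat are presumably also done by the loop that defines `c`, which is harmless but worth knowing if the keystore grows.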
...@@ -73,12 +73,8 @@ ...@@ -73,12 +73,8 @@
for (Enumeration<String> certAliases = keyStore.aliases(); certAliases.hasMoreElements();) { for (Enumeration<String> certAliases = keyStore.aliases(); certAliases.hasMoreElements();) {
String alias = certAliases.nextElement(); String alias = certAliases.nextElement();
X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias); X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);
// Self-signed certs are certs generated by Openfire whose IssueDN equals SubjectDN // Update only Self-signed certs
boolean isSelfSigned = certificate.getSubjectDN().equals(certificate.getIssuerDN()); if (CertificateManager.isSelfSignedCertificate(keyStore, alias)) {
// Signing Request pending = not self signed certs whose chain has only 1 cert (the same cert)
java.security.cert.Certificate[] certificateChain = keyStore.getCertificateChain(alias);
boolean isSigningPending = !isSelfSigned && (certificateChain == null || certificateChain.length == 1);
if (isSelfSigned || isSigningPending) {
if (CertificateManager.isDSACertificate(certificate)) { if (CertificateManager.isDSACertificate(certificate)) {
CertificateManager.createDSACert(keyStore, SSLConfig.getKeyPassword(), alias, CertificateManager.createDSACert(keyStore, SSLConfig.getKeyPassword(), alias,
issuerDN.toString(), subjectDN.toString(), "*." + domain); issuerDN.toString(), subjectDN.toString(), "*." + domain);
......