Commit 1e55e0dc authored by Guus der Kinderen's avatar Guus der Kinderen

Merge pull request #326 from guusdk/OF-946

OF-946: Help Java to find the correct Security Provider
parents fc648e2b e3908d79
......@@ -49,7 +49,7 @@ public class IdentityStoreConfig extends CertificateStoreConfig
try
{
keyFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm(), PROVIDER );
keyFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm() );
keyFactory.init( store, password.toCharArray() );
}
catch ( UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException ex )
......
......@@ -11,6 +11,7 @@ import java.io.IOException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
......@@ -38,8 +39,8 @@ public class TrustStoreConfig extends CertificateStoreConfig
try
{
certPathValidator = CertPathValidator.getInstance( "PKIX", PROVIDER );
certificateFactory = CertificateFactory.getInstance( "X.509", PROVIDER );
certPathValidator = CertPathValidator.getInstance( "PKIX" );
certificateFactory = CertificateFactory.getInstance( "X.509" );
trustFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
trustFactory.init( store );
}
......@@ -106,23 +107,33 @@ public class TrustStoreConfig extends CertificateStoreConfig
return false;
}
try
// For some reason, the default validation fails to iterate over all providers and will fail if the default
// provider does not support the algorithm of the chain. To work around this issue, this code iterates over
// each provider explicitly, returning success when at least one provider validates the chain successfully.
Log.debug( "Iterating over all available security providers in order to validate a certificate chain." );
for (Provider p : Security.getProviders())
{
final Set<TrustAnchor> trustAnchors = getAllValidTrustAnchors();
final CertPath certPath = getCertPath( chain );
try
{
final Set<TrustAnchor> trustAnchors = getAllValidTrustAnchors();
final CertPath certPath = getCertPath( chain );
final PKIXParameters pkixp = new PKIXParameters( trustAnchors );
pkixp.setRevocationEnabled( false ); // TODO: enable revocation list validation.
final PKIXParameters parameters = new PKIXParameters( trustAnchors );
parameters.setRevocationEnabled( false ); // TODO: enable revocation list validation.
parameters.setSigProvider( p.getName() ); // Explicitly iterate over each signature provider. See comment above.
certPathValidator.validate( certPath, pkixp );
}
catch ( Exception ex )
{
Log.info( "Unable to trust certificate chain.", ex );
return false;
certPathValidator.validate( certPath, parameters );
Log.debug( "Provider "+p.getName()+": Able to validate certificate chain." );
return true;
}
catch ( Exception ex )
{
Log.debug( "Provider "+p.getName()+": Unable to validate certificate chain.", ex );
}
}
return true;
return false;
}
/**
......
......@@ -173,7 +173,7 @@
</tr>
<tr>
<td width="1%" nowrap>
<label for="nicknametf"><fmt:message key="user.roster.nickname" />:</label>
<label for="nicknametf"><fmt:message key="user.roster.nickname" />:</label></td>
<td width="99%">
<input type="text" name="nickname" size="30" maxlength="255" value="<%= ((nickname!=null) ? StringUtils.escapeForXML(nickname) : "") %>"
id="nicknametf">
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment