Merge pull request #326 from guusdk/OF-946

OF-946: Help Java to find the correct Security Provider

src/java/org/jivesoftware/openfire/keystore/IdentityStoreConfig.java

@@ -49,7 +49,7 @@ public class IdentityStoreConfig extends CertificateStoreConfig
 
         try
         {
-            keyFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm(), PROVIDER );
+            keyFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm() );
             keyFactory.init( store, password.toCharArray() );
         }
         catch ( UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException ex )

src/java/org/jivesoftware/openfire/keystore/TrustStoreConfig.java

@@ -11,6 +11,7 @@ import java.io.IOException;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
+import java.security.Security;
 import java.security.cert.*;
 import java.util.*;
 
@@ -38,8 +39,8 @@ public class TrustStoreConfig extends CertificateStoreConfig
 
         try
         {
-            certPathValidator = CertPathValidator.getInstance( "PKIX", PROVIDER );
-            certificateFactory = CertificateFactory.getInstance( "X.509", PROVIDER );
+            certPathValidator = CertPathValidator.getInstance( "PKIX" );
+            certificateFactory = CertificateFactory.getInstance( "X.509" );
             trustFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
             trustFactory.init( store );
         }
@@ -106,23 +107,33 @@ public class TrustStoreConfig extends CertificateStoreConfig
             return false;
         }
 
+        // For some reason, the default validation fails to iterate over all providers and will fail if the default
+        // provider does not support the algorithm of the chain. To work around this issue, this code iterates over
+        // each provider explicitly, returning success when at least one provider validates the chain successfully.
+        Log.debug( "Iterating over all available security providers in order to validate a certificate chain." );
+        for (Provider p : Security.getProviders())
+        {
             try
             {
                 final Set<TrustAnchor> trustAnchors = getAllValidTrustAnchors();
                 final CertPath certPath = getCertPath( chain );
 
-            final PKIXParameters pkixp = new PKIXParameters( trustAnchors );
-            pkixp.setRevocationEnabled( false ); // TODO: enable revocation list validation.
+                final PKIXParameters parameters = new PKIXParameters( trustAnchors );
+                parameters.setRevocationEnabled( false ); // TODO: enable revocation list validation.
+                parameters.setSigProvider( p.getName() ); // Explicitly iterate over each signature provider. See comment above.
+
+                certPathValidator.validate( certPath, parameters );
 
-            certPathValidator.validate( certPath, pkixp );
+                Log.debug( "Provider "+p.getName()+": Able to validate certificate chain." );
+                return true;
             }
             catch ( Exception ex )
             {
-            Log.info( "Unable to trust certificate chain.", ex );
-            return false;
+                Log.debug( "Provider "+p.getName()+": Unable to validate certificate chain.", ex );
+            }
         }
 
-        return true;
+        return false;
     }
 
     /**

src/web/user-roster-add.jsp

@@ -173,7 +173,7 @@
 		</tr>
 		<tr>
 			<td width="1%" nowrap>
-				<label for="nicknametf"><fmt:message key="user.roster.nickname" />:</label>
+				<label for="nicknametf"><fmt:message key="user.roster.nickname" />:</label></td>
 			<td width="99%">
 				<input type="text" name="nickname" size="30" maxlength="255" value="<%= ((nickname!=null) ? StringUtils.escapeForXML(nickname) : "") %>"
 				 id="nicknametf">