OF-1119: Do not depend on ordering of chains

When validating a certificate chain, the provided chain aught to be ordered. If our own ordering fails, we should use the first certifcate of the (unordered) chain, instead of failing completely.

OF-1119: Do not depend on ordering of chains
When validating a certificate chain, the provided chain aught to be ordered. If our own ordering fails, we should use the first certifcate of the (unordered) chain, instead of failing completely.
32f2861a · Guus der Kinderen · 5af02aba · 32f2861a
Commit 32f2861a authored Mar 25, 2016 by Guus der Kinderen
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 4 deletions

CertificateUtils.java .../org/jivesoftware/openfire/keystore/CertificateUtils.java +18 -4

No files found.
--- a/src/java/org/jivesoftware/openfire/keystore/CertificateUtils.java
+++ b/src/java/org/jivesoftware/openfire/keystore/CertificateUtils.java
 package org.jivesoftware.openfire.keystore;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import java.security.Principal;
 import java.security.cert.*;
 import java.util.*;
@@ -11,6 +14,8 @@ import java.util.*;
 */
 public class CertificateUtils
 {
+    private static final Logger Log = LoggerFactory.getLogger( CertificateUtils.class );
    /**
     * Returns all valid certificates from the provided input, where validity references the notBefore and notAfter
     * dates of each certificate.
@@ -223,7 +228,8 @@ public class CertificateUtils
     * part of the same chain (or chain segment). Each certificate in the chain is expected to have issued another
     * certificate from the chain, except for one. That one certificate is returned.
     *
-     * This method will throw an exception when no valid chain was provided.
+     * When ordering the chain fails (for example, when the collection of certificates do not belong to one linear list)
+     * the first certificate from the chain is returned.
     *
     * @param chain The chain (possibly incomplete or unordered, but not null, empty or malformed).
     * @return The end entity certificate (never null).
@@ -231,12 +237,20 @@ public class CertificateUtils
     */
    public static X509Certificate identifyEndEntityCertificate( Collection<X509Certificate> chain ) throws CertificateException
    {
-        final List<X509Certificate> ordered = order( chain );
+        if ( chain.isEmpty() )
-        if (ordered.isEmpty()) {
+        {
            throw new CertificateException();
        }
-        return ordered.get( 0 );
+        try
+        {
+            return order( chain ).get( 0 );
+        }
+        catch ( CertificateException ex )
+        {
+            Log.warn( "Unable to order the provided chain. As a fallback, the end entity certificate is assumed to be the first certificate of the input.", ex );
+            return chain.iterator().next();
+        }
    }
    /**