Commit 4d04c5b3 authored by Jay Kline's avatar Jay Kline Committed by jay

Better CRL handling - will now notice updates to the CRL file


git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10450 b35dd754-fafc-0310-a699-88a17e54d16e
parent 06a489e6
...@@ -14,6 +14,7 @@ import org.jivesoftware.util.Log; ...@@ -14,6 +14,7 @@ import org.jivesoftware.util.Log;
import javax.net.ssl.X509TrustManager; import javax.net.ssl.X509TrustManager;
import java.io.BufferedInputStream; import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.FileNotFoundException; import java.io.FileNotFoundException;
import java.io.IOException; import java.io.IOException;
...@@ -47,24 +48,61 @@ public class ClientTrustManager implements X509TrustManager { ...@@ -47,24 +48,61 @@ public class ClientTrustManager implements X509TrustManager {
*/ */
private CertStore crlStore = null; private CertStore crlStore = null;
/**
* Holds the actual CRL's
*/
private Collection<X509CRL> crls = null;
/**
* Last time the CRL file was updated
*/
private long crlLastUpdated = 0;
public ClientTrustManager(KeyStore trustTrust) { public ClientTrustManager(KeyStore trustTrust) {
super(); super();
this.trustStore = trustTrust; this.trustStore = trustTrust;
//Note: A reference of the Collection is used in the CertStore, so we can add CRL's //Note: A reference of the Collection is used in the CertStore, so we can add CRL's
// after creating the CertStore. // after creating the CertStore.
Collection<X509CRL> crls = new ArrayList<X509CRL>(); crls = new ArrayList<X509CRL>();
CollectionCertStoreParameters params = new CollectionCertStoreParameters(crls); CollectionCertStoreParameters params = new CollectionCertStoreParameters(crls);
X509CRL crl;
CertificateFactory cf;
try { try {
crlStore = CertStore.getInstance("Collection",params); crlStore = CertStore.getInstance("Collection", params);
}
catch (InvalidAlgorithmParameterException ex) {
Log.warn("ClientTrustManager: ",ex);
} catch (NoSuchAlgorithmException ex) {
Log.warn("ClientTrustManager: ",ex);
}
loadCRL();
FileInputStream crlFile = new FileInputStream(JiveGlobals.getProperty("xmpp.client.certificate.crl","/tmp/crl.pem")); }
BufferedInputStream crlBuffer = new BufferedInputStream(crlFile);
cf = CertificateFactory.getInstance("X.509"); private void loadCRL() {
File crlFile = new File(JiveGlobals.getProperty("xmpp.client.certificate.crl",
"resources" + File.separator + "security" + File.separator + "crl.pem"));
if (!crlFile.isFile()) {
//dosnt exist or is something weird, skip it
return;
}
long modified = crlFile.lastModified();
if (modified > crlLastUpdated) {
crlLastUpdated = modified;
Log.debug("ClientTrustManager: Updating CRLs");
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");;
X509CRL crl;
FileInputStream crlStream = new FileInputStream(crlFile);
BufferedInputStream crlBuffer = new BufferedInputStream(crlStream);
crls.clear(); //remove existing CRLs
while (crlBuffer.available() > 0) { while (crlBuffer.available() > 0) {
crl = (X509CRL)cf.generateCRL(crlBuffer); crl = (X509CRL)cf.generateCRL(crlBuffer);
Log.debug("ClientTrustManager: adding CRL for "+crl.getIssuerDN()); Log.debug("ClientTrustManager: adding CRL for "+crl.getIssuerDN());
...@@ -73,7 +111,7 @@ public class ClientTrustManager implements X509TrustManager { ...@@ -73,7 +111,7 @@ public class ClientTrustManager implements X509TrustManager {
} }
catch(FileNotFoundException e) { catch(FileNotFoundException e) {
// Its ok if the file wasnt found- maybe we dont have any CRL's // Its ok if the file wasnt found- maybe we dont have any CRL's
Log.debug("ClientTrustManager: CRL file not found: "+JiveGlobals.getProperty("xmpp.client.certificate.crl","/tmp/crl.pem")); Log.debug("ClientTrustManager: CRL file not found: "+crlFile.toString());
} }
catch(IOException e) { catch(IOException e) {
//Thrown bot the input streams //Thrown bot the input streams
...@@ -86,21 +124,14 @@ public class ClientTrustManager implements X509TrustManager { ...@@ -86,21 +124,14 @@ public class ClientTrustManager implements X509TrustManager {
catch(CRLException e) { catch(CRLException e) {
Log.error("ClientTrustManager: CRLException while parsing CRLs", e); Log.error("ClientTrustManager: CRLException while parsing CRLs", e);
} }
catch(InvalidAlgorithmParameterException e) {
Log.error("ClientTrustManager: ",e);
}
catch(NoSuchAlgorithmException e) {
Log.error("ClientTrustManager: ",e);
} }
} }
public void checkClientTrusted(X509Certificate[] x509Certificates, String string) public void checkClientTrusted(X509Certificate[] x509Certificates, String string)
throws CertificateException { throws CertificateException {
Log.debug("ClientTrustManager: checkClientTrusted(x509Certificates,"+string+") called"); Log.debug("ClientTrustManager: checkClientTrusted(x509Certificates,"+string+") called");
loadCRL();
ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>(); ArrayList<X509Certificate> certs = new ArrayList<X509Certificate>();
for(int i = 0; i < x509Certificates.length ; i++) { for(int i = 0; i < x509Certificates.length ; i++) {
certs.add(x509Certificates[i]); certs.add(x509Certificates[i]);
......
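Review bot: `crls.clear()` on the new side of the second hunk empties the very list the `Collection` CertStore was built over, and `loadCRL()` is now invoked from `checkClientTrusted` on every handshake with no synchronization, so a handshake validated while another thread is reloading — or after a reload that dies with `CRLException` part-way through the file — runs its revocation check against an empty or partial CRL set, which fails open; `crlLastUpdated` is also advanced before parsing, so a corrupt file is not retried until its mtime changes again. Parse into a fresh collection first and publish it only on success, for example by building a new `CertStore` and swapping the `crlStore` reference (declared `volatile`) from a `synchronized` `loadCRL`, leaving the previous store untouched on any failure; the readers of `crlStore` are outside these hunks, so I have assumed they fetch the field per call rather than caching it. No `close()` of `crlStream` appears in the visible hunks, so a `finally` is worth adding while the method is being reshaped. `File.lastModified()` returns 0 on error and has coarse granularity, so a rewrite within the same timestamp is also missed; if that is acceptable it deserves a one-line comment such as `// mtime-based; a rewrite within the same timestamp is not detected`.
```java
    private synchronized void loadCRL() {
        // … unchanged: resolve crlFile from xmpp.client.certificate.crl, return if not a regular file …
        long modified = crlFile.lastModified();
        if (modified <= crlLastUpdated) {
            return;
        }
        Log.debug("ClientTrustManager: Updating CRLs");
        Collection<X509CRL> loaded = new ArrayList<X509CRL>();
        BufferedInputStream crlBuffer = null;
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            crlBuffer = new BufferedInputStream(new FileInputStream(crlFile));
            while (crlBuffer.available() > 0) {
                X509CRL crl = (X509CRL) cf.generateCRL(crlBuffer);
                Log.debug("ClientTrustManager: adding CRL for " + crl.getIssuerDN());
                loaded.add(crl);
            }
            // Publish only after the whole file parsed: a failed or partial reload
            // must never leave revocation checking with an empty CRL set.
            crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(loaded));
            crls = loaded;
            crlLastUpdated = modified;
        }
        // … unchanged: existing catch blocks, plus InvalidAlgorithmParameterException /
        //     NoSuchAlgorithmException for the CertStore rebuild; none advance crlLastUpdated …
        finally {
            if (crlBuffer != null) {
                try { crlBuffer.close(); } catch (IOException ignored) { /* best effort */ }
            }
        }
    }
```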