Commit 61423720 authored by Dave Cridland's avatar Dave Cridland

Merge pull request #568 from guusdk/OF-1119

OF-1119: Do not depend on ordering of chains
parents bff8396b cbcbaa72
package org.jivesoftware.openfire.keystore; package org.jivesoftware.openfire.keystore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.security.Principal; import java.security.Principal;
import java.security.cert.*; import java.security.cert.*;
import java.util.*; import java.util.*;
...@@ -11,6 +14,8 @@ import java.util.*; ...@@ -11,6 +14,8 @@ import java.util.*;
*/ */
public class CertificateUtils public class CertificateUtils
{ {
private static final Logger Log = LoggerFactory.getLogger( CertificateUtils.class );
/** /**
* Returns all valid certificates from the provided input, where validity references the notBefore and notAfter * Returns all valid certificates from the provided input, where validity references the notBefore and notAfter
* dates of each certificate. * dates of each certificate.
...@@ -223,7 +228,8 @@ public class CertificateUtils ...@@ -223,7 +228,8 @@ public class CertificateUtils
* part of the same chain (or chain segment). Each certificate in the chain is expected to have issued another * part of the same chain (or chain segment). Each certificate in the chain is expected to have issued another
* certificate from the chain, except for one. That one certificate is returned. * certificate from the chain, except for one. That one certificate is returned.
* *
* This method will throw an exception when no valid chain was provided. * When ordering the chain fails (for example, when the collection of certificates do not belong to one linear list)
* the first certificate from the chain is returned.
* *
* @param chain The chain (possibly incomplete or unordered, but not null, empty or malformed). * @param chain The chain (possibly incomplete or unordered, but not null, empty or malformed).
* @return The end entity certificate (never null). * @return The end entity certificate (never null).
...@@ -231,12 +237,20 @@ public class CertificateUtils ...@@ -231,12 +237,20 @@ public class CertificateUtils
*/ */
public static X509Certificate identifyEndEntityCertificate( Collection<X509Certificate> chain ) throws CertificateException public static X509Certificate identifyEndEntityCertificate( Collection<X509Certificate> chain ) throws CertificateException
{ {
final List<X509Certificate> ordered = order( chain ); if ( chain.isEmpty() )
if (ordered.isEmpty()) { {
throw new CertificateException(); throw new CertificateException();
} }
return ordered.get( 0 ); try
{
return order( chain ).get( 0 );
}
catch ( CertificateException ex )
{
Log.warn( "Unable to order the provided chain. As a fallback, the end entity certificate is assumed to be the first certificate of the input.", ex );
return chain.iterator().next();
}
} }
/** /**
......
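Review bot: The empty-result guard was dropped along with the old `ordered.isEmpty()` check: the new code tests only `chain.isEmpty()` and then calls `order( chain ).get( 0 )`, so if `order()` can return an empty list for a non-empty input without throwing (the old guard suggests it can; `order()` is outside this hunk, so this is inferred), the result is an `IndexOutOfBoundsException` that the `catch ( CertificateException ex )` fallback does not cover. Keeping the result check inside the try, `final List<X509Certificate> ordered = order( chain ); if ( !ordered.isEmpty() ) { return ordered.get( 0 ); }` with the fallback after it, would preserve the original behaviour. Separately, the fallback returns `chain.iterator().next()`, which for an unordered or malformed input may be a CA certificate rather than the end entity, while the Javadoc `@param` still lists "malformed" as out of scope; the `@return` should make the best-effort nature explicit, e.g. `@return The end entity certificate, or the first certificate of the input when the chain cannot be ordered (never null).`, so that callers basing identity decisions on the result know the fallback value is a guess rather than a verified chain position.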