Commit 6587a3c8 authored by Guus der Kinderen's avatar Guus der Kinderen

Chain ordering should not fail on self-signed CA root certificate.

parent 9978b4b0
...@@ -154,9 +154,26 @@ public class CertificateUtils ...@@ -154,9 +154,26 @@ public class CertificateUtils
final Principal issuer = certificate.getIssuerDN(); final Principal issuer = certificate.getIssuerDN();
final Principal subject = certificate.getSubjectDN(); final Principal subject = certificate.getSubjectDN();
if ( byIssuer.put( issuer, certificate ) != null ) { // By issuer
if ( issuer.equals( subject ))
{
// self-signed: use null key.
final X509Certificate sameIssuer = byIssuer.put( null, certificate );
if ( sameIssuer != null )
{
throw new CertificateException( "The provided input should not contain multiple root CA certificates. Issuer of first detected Root CA certificate: " + issuer + " Issuer of second detected Root CA certificate: : " + sameIssuer );
}
}
else
{
// regular issuer
if ( byIssuer.put( issuer, certificate ) != null )
{
throw new CertificateException( "The provided input should not contain multiple certificates with identical issuerDN values. Offending value: " + issuer ); throw new CertificateException( "The provided input should not contain multiple certificates with identical issuerDN values. Offending value: " + issuer );
} }
}
// By subject
if ( bySubject.put( subject, certificate ) != null ) { if ( bySubject.put( subject, certificate ) != null ) {
throw new CertificateException( "The provided input should not contain multiple certificates with identical subjectDN values. Offending value: " + subject ); throw new CertificateException( "The provided input should not contain multiple certificates with identical subjectDN values. Offending value: " + subject );
} }
...@@ -178,16 +195,16 @@ public class CertificateUtils ...@@ -178,16 +195,16 @@ public class CertificateUtils
} }
if (first == null) { if (first == null) {
throw new CertificateException( "The provided input should contain a certificates that has a subjectDN value that's not equal to the issuerDN value of any other certificate." ); throw new CertificateException( "The provided input should contain a certificate that has a subjectDN value that's not equal to the issuerDN value of any other certificate." );
} }
orderedResult.add( first ); orderedResult.add( first );
// With the first certificate in hand, every following certificate should have a subject that's equal to the previous issuer value. // With the first certificate in hand, every following certificate should have a subject that's equal to the previous issuer value.
X509Certificate next = bySubject.get( first.getIssuerDN() ); X509Certificate next = bySubject.remove( first.getIssuerDN() );
while (next != null) { while (next != null) {
orderedResult.add( next ); orderedResult.add( next );
next = bySubject.get( next.getIssuerDN() ); next = bySubject.remove( next.getIssuerDN() );
} }
// final check // final check
......
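Review bot: The new "multiple root CA certificates" exception message labels its two values the wrong way round and prints a whole certificate where it promises an issuer. `issuer` belongs to the certificate currently being processed (the second one seen), while `sameIssuer` is the previously stored `X509Certificate`, so its full `toString()` lands in the message. Something like `"... Issuer of first detected Root CA certificate: " + sameIssuer.getIssuerDN() + " Issuer of second detected Root CA certificate: " + issuer` would match the wording and drop the doubled `: :`. Separately, the `issuer.equals( subject )` branch recognises a root by DN equality only, with no signature check, so the comment would be more accurate as `// self-issued (issuerDN equals subjectDN; signature not verified here): use null key.` and the ordered result should still go through certificate path validation before it is trusted. The enclosing method starts and ends outside the visible hunks.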