Commit 81d23401 authored by Dele Olajide's avatar Dele Olajide

Upgrade bouncycstle from 1.50 to 1.51

parent b41dc3f6
...@@ -3,9 +3,9 @@ Name | Version ...@@ -3,9 +3,9 @@ Name | Version
ant.jar | Jetty 6.1.0 (1.6.5) | Apache 2.0 ant.jar | Jetty 6.1.0 (1.6.5) | Apache 2.0
ant-contrib.jar | 1.0b1 | Apache 2.0 ant-contrib.jar | 1.0b1 | Apache 2.0
ant-subdirtask.jar | Revision 1.4 (CVS) | ant-subdirtask.jar | Revision 1.4 (CVS) |
bcpg-jdk15on.jar | 1.50 | See http://www.bouncycastle.org/licence.html bcpg-jdk15on.jar | 1.51 | See http://www.bouncycastle.org/licence.html
bcpkix-jdk15on.jar | 1.50 | See http://www.bouncycastle.org/licence.html bcpkix-jdk15on.jar | 1.51 | See http://www.bouncycastle.org/licence.html
bcprov-jdk15on.jar | 1.50 | See http://www.bouncycastle.org/licence.html bcprov-jdk15on.jar | 1.51 | See http://www.bouncycastle.org/licence.html
cglib.jar | 2.1.3 (JMock 2.1.0) | cglib.jar | 2.1.3 (JMock 2.1.0) |
commons-lang.jar | 2.3 | Apache 2.0 commons-lang.jar | 2.3 | Apache 2.0
commons-logging.jar | Jetty 5.1.10 | Apache 2.0 commons-logging.jar | Jetty 5.1.10 | Apache 2.0
...@@ -32,6 +32,7 @@ import java.security.cert.PKIXParameters; ...@@ -32,6 +32,7 @@ import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor; import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector; import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.Iterator; import java.util.Iterator;
...@@ -40,21 +41,25 @@ import java.util.Set; ...@@ -40,21 +41,25 @@ import java.util.Set;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import org.bouncycastle.ocsp.BasicOCSPResp; import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.ocsp.CertificateID; import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.ocsp.CertificateStatus; import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.ocsp.OCSPReq; import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.ocsp.OCSPReqGenerator; import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.ocsp.OCSPResp; import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.ocsp.SingleResp; import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.jivesoftware.util.JiveGlobals; import org.jivesoftware.util.JiveGlobals;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
/** /**
* A <code>PKIXCertPathChecker</code> that uses * A <code>PKIXCertPathChecker</code> that uses
* Online Certificate Status Protocol (OCSP) * Online Certificate Status Protocol (OCSP)
* *
* See <a href="http://www.ietf.org/rfc/rfc2560.txt">RFC 2560</a>. * See <a href="http://www.ietf.org/rfc/rfc2560.txt">RFC 2560</a>.
* *
* @author Jay Kline * @author Jay Kline
...@@ -185,7 +190,7 @@ public class OCSPChecker extends PKIXCertPathChecker { ...@@ -185,7 +190,7 @@ public class OCSPChecker extends PKIXCertPathChecker {
} }
} }
} }
if (issuerCert == null) { if (issuerCert == null) {
//No trust anchor was found matching the issuer //No trust anchor was found matching the issuer
throw new CertPathValidatorException("No trusted certificate for " + currCert.getIssuerDN()); throw new CertPathValidatorException("No trusted certificate for " + currCert.getIssuerDN());
...@@ -194,11 +199,11 @@ public class OCSPChecker extends PKIXCertPathChecker { ...@@ -194,11 +199,11 @@ public class OCSPChecker extends PKIXCertPathChecker {
// Check cert stores if responder cert has not yet been found // Check cert stores if responder cert has not yet been found
if (!haveResponderCert) { if (!haveResponderCert) {
Log.debug("OCSPChecker: Searching cert stores for responder's certificate"); Log.debug("OCSPChecker: Searching cert stores for responder's certificate");
if (responderSubjectName != null) { if (responderSubjectName != null) {
X509CertSelector filter = new X509CertSelector(); X509CertSelector filter = new X509CertSelector();
filter.setSubject(responderSubjectName.getName()); filter.setSubject(responderSubjectName.getName());
List<CertStore> certStores = pkixParams.getCertStores(); List<CertStore> certStores = pkixParams.getCertStores();
for (CertStore certStore : certStores) { for (CertStore certStore : certStores) {
Iterator i = certStore.getCertificates(filter).iterator(); Iterator i = certStore.getCertificates(filter).iterator();
...@@ -218,11 +223,11 @@ public class OCSPChecker extends PKIXCertPathChecker { ...@@ -218,11 +223,11 @@ public class OCSPChecker extends PKIXCertPathChecker {
} }
// Construct an OCSP Request // Construct an OCSP Request
OCSPReqGenerator gen = new OCSPReqGenerator(); OCSPReqBuilder gen = new OCSPReqBuilder();
CertificateID certID = new CertificateID(CertificateID.HASH_SHA1, issuerCert, currCert.getSerialNumber()); CertificateID certID = new CertificateID(new JcaDigestCalculatorProviderBuilder().setProvider("BC").build().get(CertificateID.HASH_SHA1), new X509CertificateHolder(issuerCert.getEncoded()), currCert.getSerialNumber());
gen.addRequest(certID); gen.addRequest(certID);
OCSPReq ocspRequest = gen.generate(); OCSPReq ocspRequest = gen.build();
URL url; URL url;
...@@ -261,10 +266,10 @@ public class OCSPChecker extends PKIXCertPathChecker { ...@@ -261,10 +266,10 @@ public class OCSPChecker extends PKIXCertPathChecker {
BigInteger serialNumber = currCert.getSerialNumber(); BigInteger serialNumber = currCert.getSerialNumber();
BasicOCSPResp brep = (BasicOCSPResp) ocspResponse.getResponseObject(); BasicOCSPResp brep = (BasicOCSPResp) ocspResponse.getResponseObject();
try { try {
if( ! brep.verify(responderCert.getPublicKey(),"BC")) { if( ! brep.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(responderCert.getPublicKey()))) {
throw new CertPathValidatorException("OCSP response is not verified"); throw new CertPathValidatorException("OCSP response is not verified");
} }
} catch (NoSuchProviderException e) { } catch (Exception e) {
throw new CertPathValidatorException("OCSP response could not be verified ("+e.getMessage()+")" ,null, cp, certIndex); throw new CertPathValidatorException("OCSP response could not be verified ("+e.getMessage()+")" ,null, cp, certIndex);
} }
SingleResp[] singleResp = brep.getResponses(); SingleResp[] singleResp = brep.getResponses();
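Review bot: The widened `catch (Exception e)` in this hunk also catches the `CertPathValidatorException("OCSP response is not verified")` thrown two lines above it inside the same try block, and rethrows it under a different message with a `null` cause, so the failure reason the signature check produced is reduced to `e.getMessage()` and its stack is dropped. The checked exceptions the new calls declare are `OperatorCreationException` from `JcaContentVerifierProviderBuilder.build` and `OCSPException` from `isSignatureValid`, so the catch can be narrowed and the cause preserved: `} catch (OCSPException | OperatorCreationException e) {` followed by `throw new CertPathValidatorException("OCSP response could not be verified (" + e.getMessage() + ")", e, cp, certIndex);`. That needs `org.bouncycastle.cert.ocsp.OCSPException` and `org.bouncycastle.operator.OperatorCreationException` added to the imports; if the broad catch was chosen to cover some other failure, a comment naming it would help the next reader. The enclosing method starts and ends outside the hunk.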
...@@ -278,11 +283,11 @@ public class OCSPChecker extends PKIXCertPathChecker { ...@@ -278,11 +283,11 @@ public class OCSPChecker extends PKIXCertPathChecker {
serialNumber.toString() + ") is: good"); serialNumber.toString() + ") is: good");
foundResponse = true; foundResponse = true;
break; break;
} else if (status instanceof org.bouncycastle.ocsp.RevokedStatus) { } else if (status instanceof org.bouncycastle.cert.ocsp.RevokedStatus) {
Log.debug("OCSPChecker: Status of certificate (with serial number " + Log.debug("OCSPChecker: Status of certificate (with serial number " +
serialNumber.toString() + ") is: revoked"); serialNumber.toString() + ") is: revoked");
throw new CertPathValidatorException("Certificate has been revoked", null, cp, certIndex); throw new CertPathValidatorException("Certificate has been revoked", null, cp, certIndex);
} else if (status instanceof org.bouncycastle.ocsp.UnknownStatus) { } else if (status instanceof org.bouncycastle.cert.ocsp.UnknownStatus) {
Log.debug("OCSPChecker: Status of certificate (with serial number " + Log.debug("OCSPChecker: Status of certificate (with serial number " +
serialNumber.toString() + ") is: unknown"); serialNumber.toString() + ") is: unknown");
throw new CertPathValidatorException("Certificate's revocation status is unknown", null, cp, certIndex); throw new CertPathValidatorException("Certificate's revocation status is unknown", null, cp, certIndex);
...@@ -72,6 +72,7 @@ import org.bouncycastle.asn1.ASN1InputStream; ...@@ -72,6 +72,7 @@ import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1TaggedObject; import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.DERSequence; import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERObjectIdentifier; import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROutputStream; import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.ASN1Sequence; import org.bouncycastle.asn1.ASN1Sequence;
...@@ -386,7 +387,7 @@ public class CertificateManager { ...@@ -386,7 +387,7 @@ public class CertificateManager {
ASN1Sequence otherNameSeq = (ASN1Sequence) decoder.readObject(); ASN1Sequence otherNameSeq = (ASN1Sequence) decoder.readObject();
// Check the object identifier // Check the object identifier
DERObjectIdentifier objectId = (DERObjectIdentifier) otherNameSeq.getObjectAt(0); ASN1ObjectIdentifier objectId = (ASN1ObjectIdentifier) otherNameSeq.getObjectAt(0);
Log.debug("Parsing otherName for subject alternative names: " + objectId.toString() ); Log.debug("Parsing otherName for subject alternative names: " + objectId.toString() );
if ( !OTHERNAME_XMPP_OID.equals(objectId.getId())) { if ( !OTHERNAME_XMPP_OID.equals(objectId.getId())) {