Commit 8c9a189c authored by guus's avatar guus

OF-517: Don't be verbose about unknown certificate sections.

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@12970 b35dd754-fafc-0310-a699-88a17e54d16e
parent 73a1c427
...@@ -260,12 +260,17 @@ public class CertificateManager { ...@@ -260,12 +260,17 @@ public class CertificateManager {
} }
// Get identity string // Get identity string
try {
DERUTF8String derStr = DERUTF8String.getInstance(otherNameSeq.getObjectAt(1)); DERUTF8String derStr = DERUTF8String.getInstance(otherNameSeq.getObjectAt(1));
String identity = derStr.getString(); String identity = derStr.getString();
if (identity != null && identity.length() > 0) { if (identity != null && identity.length() > 0) {
// Add the decoded server name to the list of identities // Add the decoded server name to the list of identities
identities.add(identity); identities.add(identity);
} }
} catch (IllegalArgumentException ex) {
// OF-517: othername formats are extensible. If we don't recognize the format, skip it.
Log.debug("Cannot parse altName, likely because of unknown record format.", ex);
}
} }
catch (UnsupportedEncodingException e) { catch (UnsupportedEncodingException e) {
// Ignore // Ignore
...@@ -324,7 +329,7 @@ public class CertificateManager { ...@@ -324,7 +329,7 @@ public class CertificateManager {
} }
/** /**
* Returns true if a certificate with the specifed configuration was found in the key store. * Returns true if a certificate with the specified configuration was found in the key store.
* *
* @param ksKeys the keystore to use for searching the certificate. * @param ksKeys the keystore to use for searching the certificate.
* @param domain the domain present in the subjectAltName or "*" if anything is accepted. * @param domain the domain present in the subjectAltName or "*" if anything is accepted.
...@@ -333,24 +338,27 @@ public class CertificateManager { ...@@ -333,24 +338,27 @@ public class CertificateManager {
* @throws KeyStoreException * @throws KeyStoreException
*/ */
private static boolean isCertificate(KeyStore ksKeys, String domain, String algorithm) throws KeyStoreException { private static boolean isCertificate(KeyStore ksKeys, String domain, String algorithm) throws KeyStoreException {
boolean result = false;
for (Enumeration<String> aliases = ksKeys.aliases(); aliases.hasMoreElements();) { for (Enumeration<String> aliases = ksKeys.aliases(); aliases.hasMoreElements();) {
X509Certificate certificate = (X509Certificate) ksKeys.getCertificate(aliases.nextElement()); X509Certificate certificate = (X509Certificate) ksKeys.getCertificate(aliases.nextElement());
if ("*".equals(domain)) { if ("*".equals(domain)) {
// Any domain certified by the certificate is accepted // Any domain certified by the certificate is accepted
if (certificate.getPublicKey().getAlgorithm().equals(algorithm)) { if (certificate.getPublicKey().getAlgorithm().equals(algorithm)) {
return true; result = true;
} }
} }
else { else {
// Only accept certified domains that match the specified domain // Only accept certified domains that match the specified domain
for (String identity : getPeerIdentities(certificate)) { for (String identity : getPeerIdentities(certificate)) {
if (identity.endsWith(domain) && certificate.getPublicKey().getAlgorithm().equals(algorithm)) { if (identity.endsWith(domain) && certificate.getPublicKey().getAlgorithm().equals(algorithm)) {
return true; result = true;
} }
} }
} }
} }
return false;
Log.info("Check for certificate for '{}' using algorithm {} returned: ", new Object[] { domain, algorithm, result} );
return result;
} }
/** /**
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment