Commit 918b21b5 authored by Guus der Kinderen's avatar Guus der Kinderen

OF-946: Help Java to find the correct Security Provider

For some reason, the default validation fails to iterate over all providers and will fail if the default
provider does not support the algorithm of the chain. To work around this issue, the code now iterates over
each provider explicitly, returning success when at least one provider validates the chain successfully.
This replaces an earlier attempt to fix this issue by explicitly naming one (and just one) provider.
parent 25c09adb
...@@ -49,7 +49,7 @@ public class IdentityStoreConfig extends CertificateStoreConfig ...@@ -49,7 +49,7 @@ public class IdentityStoreConfig extends CertificateStoreConfig
try try
{ {
keyFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm(), PROVIDER ); keyFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm() );
keyFactory.init( store, password.toCharArray() ); keyFactory.init( store, password.toCharArray() );
} }
catch ( UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException ex ) catch ( UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException ex )
...@@ -11,6 +11,7 @@ import java.io.IOException; ...@@ -11,6 +11,7 @@ import java.io.IOException;
import java.security.KeyStoreException; import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.Provider; import java.security.Provider;
import java.security.Security;
import java.security.cert.*; import java.security.cert.*;
import java.util.*; import java.util.*;
...@@ -38,8 +39,8 @@ public class TrustStoreConfig extends CertificateStoreConfig ...@@ -38,8 +39,8 @@ public class TrustStoreConfig extends CertificateStoreConfig
try try
{ {
certPathValidator = CertPathValidator.getInstance( "PKIX", PROVIDER ); certPathValidator = CertPathValidator.getInstance( "PKIX" );
certificateFactory = CertificateFactory.getInstance( "X.509", PROVIDER ); certificateFactory = CertificateFactory.getInstance( "X.509" );
trustFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() ); trustFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
trustFactory.init( store ); trustFactory.init( store );
} }
...@@ -106,23 +107,33 @@ public class TrustStoreConfig extends CertificateStoreConfig ...@@ -106,23 +107,33 @@ public class TrustStoreConfig extends CertificateStoreConfig
return false; return false;
} }
// For some reason, the default validation fails to iterate over all providers and will fail if the default
// provider does not support the algorithm of the chain. To work around this issue, this code iterates over
// each provider explicitly, returning success when at least one provider validates the chain successfully.
Log.debug( "Iterating over all available security providers in order to validate a certificate chain." );
for (Provider p : Security.getProviders())
{
try try
{ {
final Set<TrustAnchor> trustAnchors = getAllValidTrustAnchors(); final Set<TrustAnchor> trustAnchors = getAllValidTrustAnchors();
final CertPath certPath = getCertPath( chain ); final CertPath certPath = getCertPath( chain );
final PKIXParameters pkixp = new PKIXParameters( trustAnchors ); final PKIXParameters parameters = new PKIXParameters( trustAnchors );
pkixp.setRevocationEnabled( false ); // TODO: enable revocation list validation. parameters.setRevocationEnabled( false ); // TODO: enable revocation list validation.
parameters.setSigProvider( p.getName() ); // Explicitly iterate over each signature provider. See comment above.
certPathValidator.validate( certPath, parameters );
certPathValidator.validate( certPath, pkixp ); Log.debug( "Provider "+p.getName()+": Able to validate certificate chain." );
return true;
} }
catch ( Exception ex ) catch ( Exception ex )
{ {
Log.info( "Unable to trust certificate chain.", ex ); Log.debug( "Provider "+p.getName()+": Unable to validate certificate chain.", ex );
return false; }
} }
return true; return false;
} }
/** /**
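Review bot: When every provider has rejected the chain, the final `return false` at the end of the loop is reached with nothing logged above debug level, so the info-level `"Unable to trust certificate chain."` message with its exception that the old code emitted is lost from production logs; keep the per-provider debug lines but log once after the loop, e.g. `Log.info( "Unable to trust certificate chain with any of the available security providers." );`. The loop also recomputes `getAllValidTrustAnchors()` and `getCertPath( chain )` for every provider although neither depends on `p`, so a malformed chain throws and is retried once per registered provider; hoisting both calls above the `for` avoids that and makes a chain-parsing failure distinguishable from a signature-verification failure. Note that the new code trusts the chain as soon as any provider returned by `Security.getProviders()` accepts it, so the least strict registered provider decides trust on its own — whether that is acceptable depends on which providers can be installed in this deployment and is worth stating in the comment above the loop. The enclosing method starts before the hunk.
```java
final Set<TrustAnchor> trustAnchors;
final CertPath certPath;
try
{
    trustAnchors = getAllValidTrustAnchors();
    certPath = getCertPath( chain );
}
catch ( Exception ex )
{
    Log.info( "Unable to trust certificate chain.", ex );
    return false;
}
// … unchanged: per-provider loop, minus the two calls hoisted above …
Log.info( "Unable to trust certificate chain with any of the available security providers." );
return false;
```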