Commit 93a49fe9 authored by Guus der Kinderen's avatar Guus der Kinderen

Merge pull request #526 from guusdk/aberenguel-certificate-issues

Aberenguel certificate issues
parents 8c7a56f4 436da497
package org.jivesoftware.openfire.keystore; package org.jivesoftware.openfire.keystore;
import org.bouncycastle.operator.OperatorCreationException;
import org.jivesoftware.openfire.XMPPServer; import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.net.DNSUtil; import org.jivesoftware.openfire.net.DNSUtil;
import org.jivesoftware.util.CertificateManager; import org.jivesoftware.util.CertificateManager;
...@@ -99,7 +100,7 @@ public class IdentityStore extends CertificateStore ...@@ -99,7 +100,7 @@ public class IdentityStore extends CertificateStore
return pemCSR; return pemCSR;
} }
catch ( IOException | NoSuchProviderException | SignatureException | InvalidKeyException | KeyStoreException | UnrecoverableKeyException | NoSuchAlgorithmException e ) catch ( IOException | KeyStoreException | UnrecoverableKeyException | NoSuchAlgorithmException | OperatorCreationException e )
{ {
throw new CertificateStoreConfigException( "Cannot generate CSR for alias '"+ alias +"'", e ); throw new CertificateStoreConfigException( "Cannot generate CSR for alias '"+ alias +"'", e );
} }
...@@ -194,7 +195,7 @@ public class IdentityStore extends CertificateStore ...@@ -194,7 +195,7 @@ public class IdentityStore extends CertificateStore
final X509Certificate x509Certificate = (X509Certificate) certificate; final X509Certificate x509Certificate = (X509Certificate) certificate;
// First certificate in the chain should correspond with the certificate in the store // First certificate in the chain should correspond with the certificate in the store
if ( !x509Certificate.getSerialNumber().equals( certificates.get( 0 ).getSerialNumber() ) ) if ( !x509Certificate.getPublicKey().equals(certificates.get(0).getPublicKey()) )
{ {
return false; return false;
} }
...@@ -402,8 +403,7 @@ public class IdentityStore extends CertificateStore ...@@ -402,8 +403,7 @@ public class IdentityStore extends CertificateStore
final String name = JiveGlobals.getProperty( "xmpp.domain" ).toLowerCase(); final String name = JiveGlobals.getProperty( "xmpp.domain" ).toLowerCase();
final String alias = name + "_" + algorithm.toLowerCase(); final String alias = name + "_" + algorithm.toLowerCase();
final String distinctName = "cn=" + name; final int validityInDays = 5*365;
final int validityInDays = 60;
Log.info( "Generating a new private key and corresponding self-signed certificate for domain name '{}', using the {} algorithm (sign-algorithm: {} with a key size of {} bits). Certificate will be valid for {} days.", name, algorithm, signAlgorithm, keySize, validityInDays ); Log.info( "Generating a new private key and corresponding self-signed certificate for domain name '{}', using the {} algorithm (sign-algorithm: {} with a key size of {} bits). Certificate will be valid for {} days.", name, algorithm, signAlgorithm, keySize, validityInDays );
// Generate public and private keys // Generate public and private keys
...@@ -412,7 +412,7 @@ public class IdentityStore extends CertificateStore ...@@ -412,7 +412,7 @@ public class IdentityStore extends CertificateStore
final KeyPair keyPair = generateKeyPair( algorithm.toUpperCase(), keySize ); final KeyPair keyPair = generateKeyPair( algorithm.toUpperCase(), keySize );
// Create X509 certificate with keys and specified domain // Create X509 certificate with keys and specified domain
final X509Certificate cert = CertificateManager.createX509V3Certificate( keyPair, validityInDays, distinctName, distinctName, name, signAlgorithm ); final X509Certificate cert = CertificateManager.createX509V3Certificate( keyPair, validityInDays, name, name, name, signAlgorithm );
// Store new certificate and private key in the key store // Store new certificate and private key in the key store
store.setKeyEntry( alias, keyPair.getPrivate(), configuration.getPassword(), new X509Certificate[]{cert} ); store.setKeyEntry( alias, keyPair.getPrivate(), configuration.getPassword(), new X509Certificate[]{cert} );
......
...@@ -20,7 +20,6 @@ ...@@ -20,7 +20,6 @@
package org.jivesoftware.openfire.session; package org.jivesoftware.openfire.session;
import java.io.IOException; import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException; import java.security.KeyStoreException;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
...@@ -36,7 +35,6 @@ import org.jivesoftware.openfire.SessionManager; ...@@ -36,7 +35,6 @@ import org.jivesoftware.openfire.SessionManager;
import org.jivesoftware.openfire.StreamID; import org.jivesoftware.openfire.StreamID;
import org.jivesoftware.openfire.XMPPServer; import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.auth.UnauthorizedException; import org.jivesoftware.openfire.auth.UnauthorizedException;
import org.jivesoftware.openfire.keystore.CertificateStoreManager;
import org.jivesoftware.openfire.net.SASLAuthentication; import org.jivesoftware.openfire.net.SASLAuthentication;
import org.jivesoftware.openfire.net.SocketConnection; import org.jivesoftware.openfire.net.SocketConnection;
import org.jivesoftware.openfire.server.ServerDialback; import org.jivesoftware.openfire.server.ServerDialback;
...@@ -371,8 +369,7 @@ public class LocalIncomingServerSession extends LocalServerSession implements In ...@@ -371,8 +369,7 @@ public class LocalIncomingServerSession extends LocalServerSession implements In
usingSelfSigned = true; usingSelfSigned = true;
} else { } else {
try { try {
final KeyStore keyStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore( ConnectionType.SOCKET_S2S ).getStore(); usingSelfSigned = CertificateManager.isSelfSignedCertificate((X509Certificate) chain[0]);
usingSelfSigned = CertificateManager.isSelfSignedCertificate(keyStore, (X509Certificate) chain[0]);
} catch (KeyStoreException ex) { } catch (KeyStoreException ex) {
Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex); Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
usingSelfSigned = true; usingSelfSigned = true;
......
This diff is collapsed.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment