OF-1501: Prefer NewSunX509 KeyManager implementation.

a602718a · Guus der Kinderen · akrherz · 2c3920de · a602718a · a602718a
Commit a602718a authored Mar 05, 2018 by Guus der Kinderen Committed by akrherz Mar 08, 2018
Showing with 27 additions and 2 deletions

IdentityStore.java ...ava/org/jivesoftware/openfire/keystore/IdentityStore.java +14 -1

EncryptionArtifactFactory.java .../jivesoftware/openfire/spi/EncryptionArtifactFactory.java +13 -1

No files found.
--- a/src/java/org/jivesoftware/openfire/keystore/IdentityStore.java
+++ b/src/java/org/jivesoftware/openfire/keystore/IdentityStore.java
@@ -43,7 +43,20 @@ public class IdentityStore extends CertificateStore

        try
        {
-            final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm() );
+            KeyManagerFactory keyManagerFactory;
+            try
+            {
+                // OF-1501: If multiple certificates are available, the 'NewSunX509' implementation in the SunJSSE
+                // provider makes the effort to pick a certificate with the appropriate key usage and prefers valid
+                // to expired certificates.
+                keyManagerFactory = KeyManagerFactory.getInstance( "NewSunX509" );
+            }
+            catch ( NoSuchAlgorithmException e )
+            {
+                Log.info( "Unable to load the 'NewSunX509' KeyManager implementation. Will fall back to the default." );
+                keyManagerFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm() );
+            }
+
            keyManagerFactory.init( this.getStore(), configuration.getPassword() );
        }
        catch ( NoSuchAlgorithmException | UnrecoverableKeyException | KeyStoreException ex )

--- a/src/java/org/jivesoftware/openfire/spi/EncryptionArtifactFactory.java
+++ b/src/java/org/jivesoftware/openfire/spi/EncryptionArtifactFactory.java
@@ -53,7 +53,19 @@ public class EncryptionArtifactFactory
        {
            if ( keyManagerFactory == null )
            {
-                keyManagerFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm() );
+                try
+                {
+                    // OF-1501: If multiple certificates are available, the 'NewSunX509' implementation in the SunJSSE
+                    // provider makes the effort to pick a certificate with the appropriate key usage and prefers valid
+                    // to expired certificates.
+                    keyManagerFactory = KeyManagerFactory.getInstance( "NewSunX509" );
+                }
+                catch ( NoSuchAlgorithmException e )
+                {
+                    Log.info( "Unable to load the 'NewSunX509' KeyManager implementation. Will fall back to the default." );
+                    keyManagerFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm() );
+                }
+
                keyManagerFactory.init( configuration.getIdentityStore().getStore(), configuration.getIdentityStoreConfiguration().getPassword() );
            }