OF-405 Addressing comments from Tom Evans

- Always check validity of EE Cert - Change variable name (and flip sense).

OF-405 Addressing comments from Tom Evans
- Always check validity of EE Cert - Change variable name (and flip sense).
b1c84166 · Dave Cridland · a17da995 · b1c84166 · b1c84166
Commit b1c84166 authored Jun 05, 2014 by Dave Cridland
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 4 deletions

SASLAuthentication.java ...ava/org/jivesoftware/openfire/net/SASLAuthentication.java +3 -4

CertificateManager.java src/java/org/jivesoftware/util/CertificateManager.java +7 -0

No files found.
--- a/src/java/org/jivesoftware/openfire/net/SASLAuthentication.java
+++ b/src/java/org/jivesoftware/openfire/net/SASLAuthentication.java
@@ -196,15 +196,14 @@ public class SASLAuthentication {
        if (session instanceof IncomingServerSession) {
            // Server connections don't follow the same rules as clients
            if (session.isSecure()) {
-                boolean usingSelfSigned = true;
+                boolean haveTrustedCertificate = false;
                try {
                    X509Certificate trusted = CertificateManager.getEndEntityCertificate(((LocalSession)session).getConnection().getPeerCertificates(), SSLConfig.getKeyStore(), SSLConfig.gets2sTrustStore());
-                    usingSelfSigned = trusted == null;
+                    haveTrustedCertificate = trusted != null;
                } catch (IOException ex) {
                    Log.warn("Exception occurred while trying to determine whether remote certificate is trusted. Treating as untrusted.", ex);
-                    usingSelfSigned = true;
                }
-                if (!usingSelfSigned) {
+                if (haveTrustedCertificate) {
                    // Offer SASL EXTERNAL only if TLS has already been negotiated and the peer has a trusted cert.
                    Element mechanism = mechs.addElement("mechanism");
                    mechanism.setText("EXTERNAL");

--- a/src/java/org/jivesoftware/util/CertificateManager.java
+++ b/src/java/org/jivesoftware/util/CertificateManager.java
@@ -44,6 +44,7 @@ import java.security.cert.CertPathValidator;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertStore;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.CollectionCertStoreParameters;
@@ -235,6 +236,12 @@ public class CertificateManager {
            return null;
        }
        X509Certificate first = (X509Certificate) chain[0];
+        try {
+            first.checkValidity();
+        } catch(CertificateException e) {
+            Log.warn("EE Certificate not valid: " + e.getMessage());
+            return null;
+        }
        if (chain.length == 1
                && first.getSubjectX500Principal().equals(first.getIssuerX500Principal())) {
            // Chain is single cert, and self-signed.