Stop checking if every certificate in the local certificate chain is...

Stop checking if every certificate in the local certificate chain is self-signed. Only the first certificate from the chain is the local certificate. The rest of them are CA's (OF-405). git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@12235 b35dd754-fafc-0310-a699-88a17e54d16e

Stop checking if every certificate in the local certificate chain is...
Stop checking if every certificate in the local certificate chain is self-signed. Only the first certificate from the chain is the local certificate. The rest of them are CA's (OF-405). git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@12235 b35dd754-fafc-0310-a699-88a17e54d16e
c29a3358 · guus · ba8d7621 · c29a3358 · c29a3358 · c29a3358
Commit c29a3358 authored Apr 09, 2011 by guus
3 changed files
--- a/src/java/org/jivesoftware/openfire/Connection.java
+++ b/src/java/org/jivesoftware/openfire/Connection.java
@@ -97,18 +97,23 @@ public interface Connection {
     */
    public String getHostName() throws UnknownHostException;
-    /**
+	/**
-     * Returns the local underlying {@link javax.security.cert.X509Certificate} for the connection.
+	 * Returns the local underlying {@link javax.security.cert.X509Certificate}
-     *
+	 * chain for the connection.
-     * @return <tt>null</tt> if no {@link javax.security.cert.X509Certificate} is present for the connection.
+	 * 
-     */
+	 * @return an ordered array of certificates, with the local certificate
+	 *         first followed by any certificate authorities. If no certificates
+	 *         is present for the connection, then <tt>null</tt> is returned.
+	 */
    public Certificate[] getLocalCertificates();
-    /**
+	/**
-     * Returns the underlying {@link javax.security.cert.X509Certificate} for the connection of the peer.
+	 * Returns the underlying {@link javax.security.cert.X509Certificate} for
-     *
+	 * the connection of the peer.
-     * @return <tt>null</tt> if no {@link javax.security.cert.X509Certificate} is present for the connection.
+	 * 
-     */
+	 * @return an ordered array of peer certificates, with the peer's own
+	 *         certificate first followed by any certificate authorities.
+	 */
    public Certificate[] getPeerCertificates();
    /**

--- a/src/java/org/jivesoftware/openfire/net/SASLAuthentication.java
+++ b/src/java/org/jivesoftware/openfire/net/SASLAuthentication.java
@@ -20,8 +20,10 @@
 package org.jivesoftware.openfire.net;
+import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.UnknownHostException;
+import java.security.KeyStoreException;
 import java.security.Security;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
@@ -119,7 +121,6 @@ public class SASLAuthentication {
        }
    }
-    @SuppressWarnings({"UnnecessarySemicolon"})  // Support for QDox Parser
    public enum Status {
        /**
         * Entity needs to respond last challenge. Session is still negotiating
@@ -153,20 +154,24 @@ public class SASLAuthentication {
        StringBuilder sb = new StringBuilder(195);
        sb.append("<mechanisms xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">");
        if (session instanceof IncomingServerSession) {
-            // Server connections dont follow the same rules as clients
+            // Server connections don't follow the same rules as clients
            if (session.isSecure()) {
-                boolean usingSelfSigned = false;
+                boolean usingSelfSigned;
-                Certificate[] certificates = session.getConnection().getLocalCertificates();
+                final Certificate[] chain = session.getConnection().getLocalCertificates();
-                for (Certificate certificate : certificates) {
+                if (chain == null || chain.length == 0) {
-                    try {
+                	usingSelfSigned = true;
-                        if (CertificateManager
+                } else {
-                                .isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) certificate)) {
+                	try {
-                            usingSelfSigned = true;
+						usingSelfSigned = CertificateManager.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) chain[0]);
-                        }
+					} catch (KeyStoreException ex) {
-                    } catch (Exception e) {
+						Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
-                        usingSelfSigned = true;
+						usingSelfSigned = true;
-                    }
+					} catch (IOException ex) {
+						Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
+						usingSelfSigned = true;
+					}
                }
                if (!usingSelfSigned) {
                    // Offer SASL EXTERNAL only if TLS has already been negotiated and we are not
                    // using a self-signed certificate

--- a/src/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java
+++ b/src/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java
@@ -20,6 +20,7 @@
 package org.jivesoftware.openfire.session;
 import java.io.IOException;
+import java.security.KeyStoreException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
@@ -363,27 +364,34 @@ public class LocalIncomingServerSession extends LocalSession implements Incoming
    @Override
 	public String getAvailableStreamFeatures() {
        StringBuilder sb = new StringBuilder();
        // Include Stream Compression Mechanism
        if (conn.getCompressionPolicy() != Connection.CompressionPolicy.disabled &&
                !conn.isCompressed()) {
            sb.append("<compression xmlns=\"http://jabber.org/features/compress\"><method>zlib</method></compression>");
        }
-        // Offer server dialback if using self-signed certificaftes and no authentication has been done yet
-        boolean usingSelfSigned = false;
+        // Offer server dialback if using self-signed certificates and no authentication has been done yet
-        Certificate[] certificates = conn.getLocalCertificates();
+        boolean usingSelfSigned;
-        for (Certificate certificate : certificates) {
+        final Certificate[] chain = conn.getLocalCertificates();
-            try {
+        if (chain == null || chain.length == 0) {
-                if (CertificateManager
+        	usingSelfSigned = true;
-                        .isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) certificate)) {
+        } else {
-                    usingSelfSigned = true;
+        	try {
-                }
+				usingSelfSigned = CertificateManager.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) chain[0]);
-            } catch (Exception e) {
+			} catch (KeyStoreException ex) {
-                // Ignore
+				Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
-            }
+				usingSelfSigned = true;
+			} catch (IOException ex) {
+				Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
+				usingSelfSigned = true;
+			}
        }
        if (usingSelfSigned && ServerDialback.isEnabledForSelfSigned() && validatedDomains.isEmpty()) {
            sb.append("<dialback xmlns=\"urn:xmpp:features:dialback\"/>");
        }
        return sb.toString();
    }
 }