Stop checking if every certificate in the local certificate chain is...

Stop checking if every certificate in the local certificate chain is self-signed. Only the first certificate from the chain is the local certificate. The rest of them are CA's (OF-405). git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@12235 b35dd754-fafc-0310-a699-88a17e54d16e

Stop checking if every certificate in the local certificate chain is...
Stop checking if every certificate in the local certificate chain is self-signed. Only the first certificate from the chain is the local certificate. The rest of them are CA's (OF-405). git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@12235 b35dd754-fafc-0310-a699-88a17e54d16e
c29a3358 · guus · ba8d7621 · c29a3358 · c29a3358 · c29a3358
Commit c29a3358 authored Apr 09, 2011 by guus
3 changed files
--- a/src/java/org/jivesoftware/openfire/Connection.java
+++ b/src/java/org/jivesoftware/openfire/Connection.java
@@ -98,16 +98,21 @@ public interface Connection {
    public String getHostName() throws UnknownHostException;

 	/**
-     * Returns the local underlying {@link javax.security.cert.X509Certificate} for the connection.
+	 * Returns the local underlying {@link javax.security.cert.X509Certificate}
+	 * chain for the connection.
 	 * 
-     * @return <tt>null</tt> if no {@link javax.security.cert.X509Certificate} is present for the connection.
+	 * @return an ordered array of certificates, with the local certificate
+	 *         first followed by any certificate authorities. If no certificates
+	 *         is present for the connection, then <tt>null</tt> is returned.
 	 */
    public Certificate[] getLocalCertificates();

 	/**
-     * Returns the underlying {@link javax.security.cert.X509Certificate} for the connection of the peer.
+	 * Returns the underlying {@link javax.security.cert.X509Certificate} for
+	 * the connection of the peer.
 	 * 
-     * @return <tt>null</tt> if no {@link javax.security.cert.X509Certificate} is present for the connection.
+	 * @return an ordered array of peer certificates, with the peer's own
+	 *         certificate first followed by any certificate authorities.
 	 */
    public Certificate[] getPeerCertificates();


--- a/src/java/org/jivesoftware/openfire/net/SASLAuthentication.java
+++ b/src/java/org/jivesoftware/openfire/net/SASLAuthentication.java
@@ -20,8 +20,10 @@

 package org.jivesoftware.openfire.net;

+import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.UnknownHostException;
+import java.security.KeyStoreException;
 import java.security.Security;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
@@ -119,7 +121,6 @@ public class SASLAuthentication {
        }
    }

-    @SuppressWarnings({"UnnecessarySemicolon"})  // Support for QDox Parser
    public enum Status {
        /**
         * Entity needs to respond last challenge. Session is still negotiating
@@ -153,20 +154,24 @@ public class SASLAuthentication {
        StringBuilder sb = new StringBuilder(195);
        sb.append("<mechanisms xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">");
        if (session instanceof IncomingServerSession) {
-            // Server connections dont follow the same rules as clients
+            // Server connections don't follow the same rules as clients
            if (session.isSecure()) {
-                boolean usingSelfSigned = false;
-                Certificate[] certificates = session.getConnection().getLocalCertificates();
-                for (Certificate certificate : certificates) {
+                boolean usingSelfSigned;
+                final Certificate[] chain = session.getConnection().getLocalCertificates();
+                if (chain == null || chain.length == 0) {
+                	usingSelfSigned = true;
+                } else {
                	try {
-                        if (CertificateManager
-                                .isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) certificate)) {
+						usingSelfSigned = CertificateManager.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) chain[0]);
+					} catch (KeyStoreException ex) {
+						Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
 						usingSelfSigned = true;
-                        }
-                    } catch (Exception e) {
+					} catch (IOException ex) {
+						Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
 						usingSelfSigned = true;
 					}
                }
+                
                if (!usingSelfSigned) {
                    // Offer SASL EXTERNAL only if TLS has already been negotiated and we are not
                    // using a self-signed certificate

--- a/src/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java
+++ b/src/java/org/jivesoftware/openfire/session/LocalIncomingServerSession.java
@@ -20,6 +20,7 @@
 package org.jivesoftware.openfire.session;

 import java.io.IOException;
+import java.security.KeyStoreException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
@@ -363,27 +364,34 @@ public class LocalIncomingServerSession extends LocalSession implements Incoming
    @Override
 	public String getAvailableStreamFeatures() {
        StringBuilder sb = new StringBuilder();
+        
        // Include Stream Compression Mechanism
        if (conn.getCompressionPolicy() != Connection.CompressionPolicy.disabled &&
                !conn.isCompressed()) {
            sb.append("<compression xmlns=\"http://jabber.org/features/compress\"><method>zlib</method></compression>");
        }
-        // Offer server dialback if using self-signed certificaftes and no authentication has been done yet
-        boolean usingSelfSigned = false;
-        Certificate[] certificates = conn.getLocalCertificates();
-        for (Certificate certificate : certificates) {
+        
+        // Offer server dialback if using self-signed certificates and no authentication has been done yet
+        boolean usingSelfSigned;
+        final Certificate[] chain = conn.getLocalCertificates();
+        if (chain == null || chain.length == 0) {
+        	usingSelfSigned = true;
+        } else {
        	try {
-                if (CertificateManager
-                        .isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) certificate)) {
+				usingSelfSigned = CertificateManager.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) chain[0]);
+			} catch (KeyStoreException ex) {
+				Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
+				usingSelfSigned = true;
+			} catch (IOException ex) {
+				Log.warn("Exception occurred while trying to determine whether local certificate is self-signed. Proceeding as if it is.", ex);
 				usingSelfSigned = true;
-                }
-            } catch (Exception e) {
-                // Ignore
 			}
        }
+        
        if (usingSelfSigned && ServerDialback.isEnabledForSelfSigned() && validatedDomains.isEmpty()) {
            sb.append("<dialback xmlns=\"urn:xmpp:features:dialback\"/>");
        }
+        
        return sb.toString();
    }
 }