Commit e22dbfce authored by guus

Adding more debug logging.

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@13340 b35dd754-fafc-0310-a699-88a17e54d16e
parent c19c3bcb
...@@ -103,10 +103,18 @@ public class ServerTrustManager implements X509TrustManager { ...@@ -103,10 +103,18 @@ public class ServerTrustManager implements X509TrustManager {
boolean verify = JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify", true); boolean verify = JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify", true);
if (verify) { if (verify) {
int nSize = x509Certificates.length; int nSize = x509Certificates.length;
if (Log.isDebugEnabled()) {
Log.debug("Certificate chain:");
for (int i=1; i<= nSize; i++) {
Log.debug("Certificate " + i + ": " + x509Certificates[i-1].toString());
}
}
List<String> peerIdentities = CertificateManager.getPeerIdentities(x509Certificates[0]); List<String> peerIdentities = CertificateManager.getPeerIdentities(x509Certificates[0]);
if (JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify.chain", true)) { if (JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify.chain", true)) {
Log.debug("Verifying certificate chain...");
// Working down the chain, for every certificate in the chain, // Working down the chain, for every certificate in the chain,
// verify that the subject of the certificate is the issuer of the // verify that the subject of the certificate is the issuer of the
// next certificate in the chain. // next certificate in the chain.
...@@ -115,6 +123,7 @@ public class ServerTrustManager implements X509TrustManager { ...@@ -115,6 +123,7 @@ public class ServerTrustManager implements X509TrustManager {
X509Certificate x509certificate = x509Certificates[i]; X509Certificate x509certificate = x509Certificates[i];
Principal principalIssuer = x509certificate.getIssuerDN(); Principal principalIssuer = x509certificate.getIssuerDN();
Principal principalSubject = x509certificate.getSubjectDN(); Principal principalSubject = x509certificate.getSubjectDN();
Log.debug("Certificate " + (i+1) + " issuer: '" + principalIssuer + "' subject: '" + principalSubject + "'");
if (principalLast != null) { if (principalLast != null) {
if (principalIssuer.equals(principalLast)) { if (principalIssuer.equals(principalLast)) {
try { try {
...@@ -124,12 +133,14 @@ public class ServerTrustManager implements X509TrustManager { ...@@ -124,12 +133,14 @@ public class ServerTrustManager implements X509TrustManager {
} }
catch (GeneralSecurityException generalsecurityexception) { catch (GeneralSecurityException generalsecurityexception) {
throw new CertificateException( throw new CertificateException(
"signature verification failed of " + peerIdentities); "signature verification failed of " + peerIdentities, generalsecurityexception);
} }
} }
else { else {
throw new CertificateException( throw new CertificateException(
"subject/issuer verification failed of " + peerIdentities); "subject/issuer verification failed of " + peerIdentities + ". In certificate "
+ (i+1) + " of the chain, I expected the issuer to be '" + principalLast
+"' but was '"+principalIssuer+"'.");
} }
} }
principalLast = principalSubject; principalLast = principalSubject;
...@@ -137,6 +148,7 @@ public class ServerTrustManager implements X509TrustManager { ...@@ -137,6 +148,7 @@ public class ServerTrustManager implements X509TrustManager {
} }
if (JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify.root", true)) { if (JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify.root", true)) {
Log.debug("Verifying certificate chain root certificate...");
// Verify that the the last certificate in the chain was issued // Verify that the the last certificate in the chain was issued
// by a third-party that the client trusts. // by a third-party that the client trusts.
boolean trusted = false; boolean trusted = false;
...@@ -179,16 +191,17 @@ public class ServerTrustManager implements X509TrustManager { ...@@ -179,16 +191,17 @@ public class ServerTrustManager implements X509TrustManager {
if (!found) { if (!found) {
throw new CertificateException("target verification failed of " + peerIdentities); throw new CertificateException("target verification failed of " + peerIdentities);
} }
if (JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify.validity", true)) { if (JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify.validity", true)) {
Log.debug("Verifying certificate chain validity (by date)...");
// For every certificate in the chain, verify that the certificate // For every certificate in the chain, verify that the certificate
// is valid at the current time. // is valid at the current time.
Date date = new Date(); Date date = new Date();
for (int i = 0; i < nSize; i++) { for (X509Certificate x509Certificate : x509Certificates) {
try { try {
x509Certificates[i].checkValidity(date); x509Certificate.checkValidity(date);
} } catch (GeneralSecurityException generalsecurityexception) {
catch (GeneralSecurityException generalsecurityexception) {
throw new CertificateException("invalid date of " + peerIdentities); throw new CertificateException("invalid date of " + peerIdentities);
} }
} }
......
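Review bot: In the rewritten validity loop of the last hunk, `catch (GeneralSecurityException generalsecurityexception)` still rethrows `new CertificateException("invalid date of " + peerIdentities)` without the cause, although this same commit adds the cause to the signature-verification rethrow in the `@@ -124,12 +133,14 @@` hunk; `checkValidity` signals expired versus not-yet-valid through distinct exception types, and both that distinction and the offending certificate are lost here. Suggest `throw new CertificateException("invalid date of " + peerIdentities + " in certificate '" + x509Certificate.getSubjectDN() + "'", generalsecurityexception);`, which also matches the more descriptive message style introduced for the subject/issuer failure. Separately, the new `Log.debug("Certificate " + (i+1) + " issuer: '" + principalIssuer + ...)` line in the second hunk concatenates principals on every iteration without the `Log.isDebugEnabled()` guard the first hunk uses for the chain dump; guarding it the same way keeps the two consistent. The enclosing method begins before the first hunk, and the last hunk appears to continue past the lines shown.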