Commit e62e7bd6 authored by Jay Kline's avatar Jay Kline Committed by jay

* Implemented OCSP support

* Use of CRLs is optional
* Improved PKIX certificate path checking logic
* Fixed IndexOutOfBoundsException in SASLAuthentication when no principals are found in a certificate



git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@10467 b35dd754-fafc-0310-a699-88a17e54d16e
parent 77633afa
...@@ -58,6 +58,11 @@ public class ClientTrustManager implements X509TrustManager { ...@@ -58,6 +58,11 @@ public class ClientTrustManager implements X509TrustManager {
*/ */
private long crlLastUpdated = 0; private long crlLastUpdated = 0;
/**
* Should CRL checking be done
*/
private boolean useCRLs = false;
public ClientTrustManager(KeyStore trustTrust) { public ClientTrustManager(KeyStore trustTrust) {
super(); super();
...@@ -85,15 +90,19 @@ public class ClientTrustManager implements X509TrustManager { ...@@ -85,15 +90,19 @@ public class ClientTrustManager implements X509TrustManager {
File crlFile = new File(JiveGlobals.getProperty("xmpp.client.certificate.crl", File crlFile = new File(JiveGlobals.getProperty("xmpp.client.certificate.crl",
"resources" + File.separator + "security" + File.separator + "crl.pem")); "resources" + File.separator + "security" + File.separator + "crl.pem"));
if (!crlFile.isFile()) { if (!crlFile.isFile()) {
//dosnt exist or is something weird, skip it Log.debug("ClientTrustmanager: crl file not found "+crlFile.toString());
useCRLs = false;
return; return;
} }
long modified = crlFile.lastModified(); long modified = crlFile.lastModified();
if (modified > crlLastUpdated) { if (modified > crlLastUpdated) {
crlLastUpdated = modified; crlLastUpdated = modified;
Log.debug("ClientTrustManager: Updating CRLs"); Log.debug("ClientTrustManager: Updating CRLs");
useCRLs = false;
try { try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");; CertificateFactory cf = CertificateFactory.getInstance("X.509");;
...@@ -108,6 +117,7 @@ public class ClientTrustManager implements X509TrustManager { ...@@ -108,6 +117,7 @@ public class ClientTrustManager implements X509TrustManager {
Log.debug("ClientTrustManager: adding CRL for "+crl.getIssuerDN()); Log.debug("ClientTrustManager: adding CRL for "+crl.getIssuerDN());
crls.add(crl); crls.add(crl);
} }
useCRLs = true;
} }
catch(FileNotFoundException e) { catch(FileNotFoundException e) {
// Its ok if the file wasnt found- maybe we dont have any CRL's // Its ok if the file wasnt found- maybe we dont have any CRL's
...@@ -239,13 +249,22 @@ public class ClientTrustManager implements X509TrustManager { ...@@ -239,13 +249,22 @@ public class ClientTrustManager implements X509TrustManager {
CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
X509CertSelector certSelector = new X509CertSelector(); X509CertSelector certSelector = new X509CertSelector();
certSelector.setSubject(x509Certificates[0].getIssuerX500Principal()); certSelector.setCertificate(x509Certificates[0]);
PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore,new X509CertSelector()); PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore,certSelector);
if(crlStore != null) if(useCRLs) {
params.addCertStore(crlStore); params.addCertStore(crlStore);
} else {
Log.debug("ClientTrustManager: no CRL's found, so setRevocationEnabled(false)");
params.setRevocationEnabled(false);
}
CertPathBuilderResult cpbr = cpb.build(params); CertPathBuilderResult cpbr = cpb.build(params);
CertPath cp = cpbr.getCertPath(); CertPath cp = cpbr.getCertPath();
if(JiveGlobals.getBooleanProperty("ocsp.enable",false)) {
Log.debug("ClientTrustManager: OCSP requested");
OCSPChecker ocspChecker = new OCSPChecker(cp,params);
params.addCertPathChecker(ocspChecker);
}
PKIXCertPathValidatorResult cpvResult = (PKIXCertPathValidatorResult) cpv.validate(cp, params); PKIXCertPathValidatorResult cpvResult = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
X509Certificate trustedCert = (X509Certificate) cpvResult.getTrustAnchor().getTrustedCert(); X509Certificate trustedCert = (X509Certificate) cpvResult.getTrustAnchor().getTrustedCert();
if(trustedCert == null) { if(trustedCert == null) {
...@@ -255,42 +274,18 @@ public class ClientTrustManager implements X509TrustManager { ...@@ -255,42 +274,18 @@ public class ClientTrustManager implements X509TrustManager {
} }
} }
catch(CertPathBuilderException e) { catch(CertPathBuilderException e) {
Log.debug("ClientTrustManager:",e);
throw new CertificateException("certificate path failed: "+e.getMessage()); throw new CertificateException("certificate path failed: "+e.getMessage());
} }
catch(CertPathValidatorException e) { catch(CertPathValidatorException e) {
Log.debug("ClientTrustManager:",e);
throw new CertificateException("certificate path failed: "+e.getMessage()); throw new CertificateException("certificate path failed: "+e.getMessage());
} }
catch(KeyStoreException e) { catch(Exception e) {
Log.debug("ClientTrustManager: ",e); Log.debug("ClientTrustManager:",e);
} throw new CertificateException("unexpected error: "+e.getMessage());
catch(InvalidAlgorithmParameterException e) {
Log.debug("ClientTrustManager: ",e);
}
catch(NoSuchAlgorithmException e) {
Log.debug("ClientTrustManager: ",e);
} }
//If we did not get any CRL's, we have nothing more to do.
if(crlStore == null)
return;
try {
X509CRLSelector crlSelector = new X509CRLSelector();
crlSelector.addIssuerName(x509Certificates[0].getIssuerDN().getName());
crlSelector.setDateAndTime(new Date()); //right now
Collection<X509CRL> selectedCrls = (Collection<X509CRL>) crlStore.getCRLs(crlSelector);
for(X509CRL crl : selectedCrls) {
if(crl.isRevoked(x509Certificates[0])) {
throw new CertificateException("certificate is revoked: "+peerIdentities);
}
}
}
catch(CertStoreException e) {
Log.error("ClientTrustManager: ",e);
}
catch(IOException e) {
Log.error("ClientTrustManager: ",e);
}
} }
} }
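Review bot: The else branch added in the PKIX hunk (`params.setRevocationEnabled(false)`) turns every CRL problem into a silent fail-open: useCRLs is reset to false before the CRL file is parsed and only set back to true after the CRLs are added, so a missing, unreadable or malformed CRL file means the client certificate is accepted with no revocation check at all, announced only at debug level. At minimum that should be visible to an operator, e.g. `Log.warn("ClientTrustManager: no usable CRL store; revocation checking disabled for this client certificate");`, and running without revocation data should be an explicit deployment decision rather than the default consequence of a parse error. When `ocsp.enable` is set the OCSPChecker is added after the flag has been cleared; whether that checker still runs with revocation disabled depends on the OCSPChecker implementation, which is in the collapsed file and not visible here. In the last hunk the new `catch(Exception e)` now fails closed, which is right, but it drops the cause — `throw new CertificateException("unexpected error: "+e.getMessage(), e);` keeps the stack trace for the caller. The enclosing method starts outside these hunks.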
...@@ -469,8 +469,14 @@ public class SASLAuthentication { ...@@ -469,8 +469,14 @@ public class SASLAuthentication {
Log.warn("Error retrieving client certificates of: " + session, e); Log.warn("Error retrieving client certificates of: " + session, e);
} }
if(principals.size() == 1) {
principal = principals.get(0); principal = principals.get(0);
} else if(principals.size() > 1) {
Log.debug("SASLAuthentication: EXTERNAL authentication: more than one principal found, using first.");
principal = principals.get(0);
} else {
Log.debug("SASLAuthentication: EXTERNAL authentication: No principals found.");
}
if (username == null || username.length() == 0) { if (username == null || username.length() == 0) {
// No username was provided, according to XEP-0178 we need to: // No username was provided, according to XEP-0178 we need to:
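Review bot: The first two branches of the new if/else-if do the same thing (`principal = principals.get(0);`) and differ only in the debug message, so the duplication can be folded into `if (!principals.isEmpty()) { if (principals.size() > 1) { Log.debug("SASLAuthentication: EXTERNAL authentication: more than one principal found, using first."); } principal = principals.get(0); }`. Quietly taking the first of several certificate identities is a policy choice that presumably interacts with the `username == null` check that follows; a one-line comment saying why the first identity wins, or pointing at where ambiguous cases are rejected, would make that intent reviewable. When no principals are found, principal keeps whatever value it had before the hunk, which is not visible here; the enclosing method starts and ends outside the hunk.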