Commit fb17cf39 authored by Gaston Dombiak's avatar Gaston Dombiak Committed by gato

Fixed "null cert chain" error. JM-796

git-svn-id: http://svn.igniterealtime.org/svn/repos/wildfire/trunk@4817 b35dd754-fafc-0310-a699-88a17e54d16e
parent 6c504ac7
...@@ -12,6 +12,7 @@ ...@@ -12,6 +12,7 @@
package org.jivesoftware.wildfire.net; package org.jivesoftware.wildfire.net;
import org.bouncycastle.asn1.*; import org.bouncycastle.asn1.*;
import org.jivesoftware.util.JiveGlobals;
import org.jivesoftware.util.Log; import org.jivesoftware.util.Log;
import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngine;
...@@ -30,7 +31,10 @@ import java.nio.channels.SelectionKey; ...@@ -30,7 +31,10 @@ import java.nio.channels.SelectionKey;
import java.nio.channels.WritableByteChannel; import java.nio.channels.WritableByteChannel;
import java.security.cert.CertificateParsingException; import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.*; import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
...@@ -122,16 +126,15 @@ public class TLSStreamHandler { ...@@ -122,16 +126,15 @@ public class TLSStreamHandler {
private static List<String> getSubjectAlternativeNames(X509Certificate certificate) { private static List<String> getSubjectAlternativeNames(X509Certificate certificate) {
List<String> identities = new ArrayList<String>(); List<String> identities = new ArrayList<String>();
try { try {
Collection altNames = certificate.getSubjectAlternativeNames(); Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();
// Check that the certificate includes the SubjectAltName extension // Check that the certificate includes the SubjectAltName extension
if (altNames == null) { if (altNames == null) {
return Collections.emptyList(); return Collections.emptyList();
} }
// Use the type OtherName to search for the certified server name // Use the type OtherName to search for the certified server name
for (Iterator lists=altNames.iterator(); lists.hasNext();) { for (List item : altNames) {
List item = (List) lists.next();
Integer type = (Integer) item.get(0); Integer type = (Integer) item.get(0);
if (type.intValue() == 0) { if (type == 0) {
// Type OtherName found so return the associated value // Type OtherName found so return the associated value
try { try {
// Value is encoded using ASN.1 so decode it to get the server's identity // Value is encoded using ASN.1 so decode it to get the server's identity
...@@ -144,8 +147,12 @@ public class TLSStreamHandler { ...@@ -144,8 +147,12 @@ public class TLSStreamHandler {
// Add the decoded server name to the list of identities // Add the decoded server name to the list of identities
identities.add(identity); identities.add(identity);
} }
catch (UnsupportedEncodingException e) {} catch (UnsupportedEncodingException e) {
catch (IOException e) {} // Ignore
}
catch (IOException e) {
// Ignore
}
catch (Exception e) { catch (Exception e) {
Log.error("Error decoding subjectAltName", e); Log.error("Error decoding subjectAltName", e);
} }
...@@ -213,8 +220,21 @@ public class TLSStreamHandler { ...@@ -213,8 +220,21 @@ public class TLSStreamHandler {
tlsEngine.beginHandshake(); tlsEngine.beginHandshake();
} }
else if (needClientAuth) { else if (needClientAuth) {
// Only REQUIRE client authentication if we are fully verifying certificates
if (JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify", true) &&
JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify.chain", true) &&
!JiveGlobals
.getBooleanProperty("xmpp.server.certificate.accept-selfsigned", false))
{
tlsEngine.setNeedClientAuth(true); tlsEngine.setNeedClientAuth(true);
} }
else {
// Just indicate that we would like to authenticate the client but if client
// certificates are self-signed or have no certificate chain then we are still
// good
tlsEngine.setWantClientAuth(true);
}
}
} }
public InputStream getInputStream(){ public InputStream getInputStream(){
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment