Commit fea65b9b authored by Guus der Kinderen's avatar Guus der Kinderen

Adding debug logging to trust manager.

parent bdd91418
...@@ -168,6 +168,8 @@ public class OpenfireX509TrustManager implements X509TrustManager ...@@ -168,6 +168,8 @@ public class OpenfireX509TrustManager implements X509TrustManager
throw new IllegalArgumentException( "Argument 'chain' cannot be null or an empty array."); throw new IllegalArgumentException( "Argument 'chain' cannot be null or an empty array.");
} }
Log.debug( "Attempting to verify a chain of {} certificates.", chain.length );
// The set of trusted issuers (for this invocation), based on the issuers from the truststore. // The set of trusted issuers (for this invocation), based on the issuers from the truststore.
final Set<X509Certificate> trustedIssuers = new HashSet<>(); final Set<X509Certificate> trustedIssuers = new HashSet<>();
trustedIssuers.addAll( this.trustedIssuers ); trustedIssuers.addAll( this.trustedIssuers );
...@@ -177,11 +179,18 @@ public class OpenfireX509TrustManager implements X509TrustManager ...@@ -177,11 +179,18 @@ public class OpenfireX509TrustManager implements X509TrustManager
// as expiration checking. // as expiration checking.
if ( acceptSelfSigned && chain.length == 1 ) if ( acceptSelfSigned && chain.length == 1 )
{ {
Log.debug( "Attempting to accept the self-signed certificate of this chain of length one, as instructed by configuration." );
final X509Certificate cert = chain[0]; final X509Certificate cert = chain[0];
if ( cert.getSubjectDN().equals( cert.getIssuerDN() ) ) if ( cert.getSubjectDN().equals( cert.getIssuerDN() ) )
{ {
Log.debug( "Chain of one appears to be self-signed. Adding it to the set of trusted issuers." );
trustedIssuers.add( cert ); trustedIssuers.add( cert );
} }
else
{
Log.debug( "Chain of one is not self-signed. Not adding it to the set of trusted issuers." );
}
} }
// Turn trusted into accepted issuers. // Turn trusted into accepted issuers.
...@@ -208,6 +217,8 @@ public class OpenfireX509TrustManager implements X509TrustManager ...@@ -208,6 +217,8 @@ public class OpenfireX509TrustManager implements X509TrustManager
// Validity checks are enabled by default in the CertPathBuilder implementation. // Validity checks are enabled by default in the CertPathBuilder implementation.
if ( !checkValidity ) if ( !checkValidity )
{ {
Log.debug( "Attempting to ignore any validity (expiry) issues, as instructed by configuration." );
// There is no way to configure the pathBuilder to ignore date validity. When validity checks are to be // There is no way to configure the pathBuilder to ignore date validity. When validity checks are to be
// ignored, try to find a point in time where all certificates in the chain are valid. // ignored, try to find a point in time where all certificates in the chain are valid.
final Date validPointInTime = CertificateUtils.findValidPointInTime( chain ); final Date validPointInTime = CertificateUtils.findValidPointInTime( chain );
...@@ -233,7 +244,6 @@ public class OpenfireX509TrustManager implements X509TrustManager ...@@ -233,7 +244,6 @@ public class OpenfireX509TrustManager implements X509TrustManager
Log.debug( "Validating chain with {} certificates, using {} trust anchors.", chain.length, trustAnchors.size() ); Log.debug( "Validating chain with {} certificates, using {} trust anchors.", chain.length, trustAnchors.size() );
// Try to use BouncyCastle - if that doesn't work, pick one. // Try to use BouncyCastle - if that doesn't work, pick one.
CertPathBuilder pathBuilder; CertPathBuilder pathBuilder;
try try
......