-rw-r--r--src/com/isode/stroke/tls/CertificateVerificationError.java4
-rw-r--r--src/com/isode/stroke/tls/java/JSSEContext.java4
-rw-r--r--src/com/isode/stroke/tls/java/JavaTrustManager.java68
3 files changed, 26 insertions, 50 deletions
diff --git a/src/com/isode/stroke/tls/CertificateVerificationError.java b/src/com/isode/stroke/tls/CertificateVerificationError.java
index 0aca027..d76dc00 100644
--- a/src/com/isode/stroke/tls/CertificateVerificationError.java
+++ b/src/com/isode/stroke/tls/CertificateVerificationError.java
@@ -3,7 +3,7 @@
* All rights reserved.
*/
/*
- * Copyright (c) 2011-2012, Isode Limited, London, England.
+ * Copyright (c) 2011-2014, Isode Limited, London, England.
* All rights reserved.
*/
package com.isode.stroke.tls;
@@ -25,6 +25,8 @@ public class CertificateVerificationError implements Error {
InvalidSignature,
InvalidCA,
InvalidServerIdentity,
+ Revoked,
+ RevocationCheckFailed
}
public CertificateVerificationError(Type type) {
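Review bot: The two new constants carry no Javadoc, and the distinction between them is exactly what a caller needs when deciding whether to fail the connection: `Revoked` presumably is a definitive negative answer, while `RevocationCheckFailed` means the status could not be determined at all. I'd add `/** The peer certificate, or an issuer in its chain, is revoked. */` above `Revoked` and `/** Revocation status could not be established (e.g. no CRL/OCSP response obtainable). */` above `RevocationCheckFailed`. Nothing in the visible hunks of this commit produces either value yet; the JSSEContext hunk maps every unrecognised failure to `UnknownError`. The enclosing class continues outside this hunk.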
diff --git a/src/com/isode/stroke/tls/java/JSSEContext.java b/src/com/isode/stroke/tls/java/JSSEContext.java
index 13904e8..aeb9300 100644
--- a/src/com/isode/stroke/tls/java/JSSEContext.java
+++ b/src/com/isode/stroke/tls/java/JSSEContext.java
@@ -646,12 +646,12 @@ public class JSSEContext extends TLSContext {
peerCertificateVerificationError = new CertificateVerificationError(Type.NotYetValid);
return;
- }
-
+ }
if (certificateException instanceof CertificateExpiredException) {
peerCertificateVerificationError = new CertificateVerificationError(Type.Expired);
return;
}
+ peerCertificateVerificationError = new CertificateVerificationError(Type.UnknownError);
}
}
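Review bot: The `UnknownError` fallback added at the end of this method will now absorb almost every real verification failure, because the exceptions raised by `pkixTrustManager.checkServerTrusted` (which the JavaTrustManager hunk of this commit now delegates to first) are typically a `CertificateException` subclass wrapping a `CertPathValidatorException`, not a `CertificateExpiredException`/`CertificateNotYetValidException`, so the specific branches above are only reachable from the explicit `chain[0].checkValidity()` call, and that call now runs only after PKIX validation has already passed. Inspecting the cause's `getReason()` keeps the Expired/NotYetValid mapping intact and is also the only place the `Revoked`/`RevocationCheckFailed` constants added in this commit can actually be produced; the sketch below needs an import of `java.security.cert.CertPathValidatorException` and assumes `certificateException` is non-null here, which the code above the hunk presumably guarantees. Note also that JavaTrustManager.checkServerTrusted catches the PKIX failure and passes it to `setPeerCertificateInfo` instead of rethrowing, so whether the handshake is actually aborted depends entirely on how `peerCertificateVerificationError` is consumed elsewhere in this class. The enclosing method starts before this hunk.
```java
// … unchanged: NotYetValid / Expired instanceof branches …
Throwable cause = certificateException.getCause();
if (cause instanceof CertPathValidatorException) {
    CertPathValidatorException.Reason reason = ((CertPathValidatorException) cause).getReason();
    if (reason == CertPathValidatorException.BasicReason.EXPIRED) {
        peerCertificateVerificationError = new CertificateVerificationError(Type.Expired);
        return;
    }
    if (reason == CertPathValidatorException.BasicReason.NOT_YET_VALID) {
        peerCertificateVerificationError = new CertificateVerificationError(Type.NotYetValid);
        return;
    }
    if (reason == CertPathValidatorException.BasicReason.REVOKED) {
        peerCertificateVerificationError = new CertificateVerificationError(Type.Revoked);
        return;
    }
    if (reason == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
        peerCertificateVerificationError = new CertificateVerificationError(Type.RevocationCheckFailed);
        return;
    }
}
peerCertificateVerificationError = new CertificateVerificationError(Type.UnknownError);
```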
diff --git a/src/com/isode/stroke/tls/java/JavaTrustManager.java b/src/com/isode/stroke/tls/java/JavaTrustManager.java
index c3db11a..e011ce9 100644
--- a/src/com/isode/stroke/tls/java/JavaTrustManager.java
+++ b/src/com/isode/stroke/tls/java/JavaTrustManager.java
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012, Isode Limited, London, England.
+/* Copyright (c) 2012-2014, Isode Limited, London, England.
* All rights reserved.
*
* Acquisition and use of this software and related materials for any
@@ -42,18 +42,9 @@ public class JavaTrustManager implements X509TrustManager {
this.jsseContext = jsseContext;
try {
- // create a "default" JSSE X509TrustManager.
-
- KeyStore ks = KeyStore.getInstance("PKCS12");
- /*
-
- // This is how you could load trust anchors
- ks.load(new FileInputStream("trustedCerts"),
- "passphrase".toCharArray());
- */
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init(ks);
+ tmf.init((KeyStore) null); //Java's default keystore
TrustManager tms [] = tmf.getTrustManagers();
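Review bot: The comment on `tmf.init((KeyStore) null)` understates what the call decides: a null KeyStore makes the factory load the JDK's default trust store (`javax.net.ssl.trustStore` if set, otherwise the runtime's `cacerts`), and because only the default PKIX parameters are used, revocation checking stays disabled unless it is switched on through the JDK's `com.sun.net.ssl.checkRevocation` property or by initialising the factory with `CertPathTrustManagerParameters` wrapping a `PKIXBuilderParameters` on which `setRevocationEnabled(true)` was called. As written, the `Revoked`/`RevocationCheckFailed` constants added in this commit cannot be produced by this trust manager. I'd replace the comment with `// null KeyStore: trust the JDK default store (javax.net.ssl.trustStore or cacerts); revocation checking is NOT enabled by this call`. The enclosing constructor and its catch blocks continue outside the hunk.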
@@ -89,46 +80,29 @@ public class JavaTrustManager implements X509TrustManager {
// position of checking client certificates. Just delegate to
// default trust manager
pkixTrustManager.checkClientTrusted(chain, authType);
-
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- CertificateException certificateException = null;
-
-
- // TODO:
- // Note that we don't call the superclass method here yet, because
- // it will fail with like this until the TrustManagerFactory has
- // been initialised with a suitable list of trust anchors
- // java.lang.RuntimeException: Unexpected error:
- // java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
-
- /*
- try {
- pkixTrustManager.checkServerTrusted(chain, authType);
- } catch (CertificateException e) {
- certificateException = e;
- }
- catch (Exception e) {
- emitError(e,"checkServerTrusted failed");
- }
- */
-
- // TODO: The only type of verification done is the certificate validity.
- // Need to make "checkServerTrusted" do certificate verification properly
- // and pass in an appropriate CertificateException
- if (chain != null && chain.length > 0) {
- try {
- chain[0].checkValidity();
- }
- catch (CertificateException e) {
- certificateException = e;
- }
- }
-
- jsseContext.setPeerCertificateInfo(chain, certificateException);
+ throws CertificateException {
+ CertificateException certificateException = null;
+
+ try {
+ pkixTrustManager.checkServerTrusted(chain, authType);
+ } catch (CertificateException e) {
+ certificateException = e;
+ }
+
+ if (certificateException == null && chain != null && chain.length > 0) {
+ try {
+ chain[0].checkValidity();
+ }
+ catch (CertificateException e) {
+ certificateException = e;
+ }
+ }
+
+ jsseContext.setPeerCertificateInfo(chain, certificateException);
}