authorGurmeen Bindra <gurmeen.bindra@isode.com>2014-08-04 13:00:00 (GMT)
committerGurmeen Bindra <gurmeen.bindra@isode.com>2014-08-04 15:26:08 (GMT)
commit77959428b7f4150569dda9fac35becf7e10b96c7 (patch)
treea4dec421da2ef0537239b0bc679568e4d43db576
parente21b855abf977fd0acdf6173db82f805e512f347 (diff)
downloadstroke-77959428b7f4150569dda9fac35becf7e10b96c7.zip
stroke-77959428b7f4150569dda9fac35becf7e10b96c7.tar.bz2
Stroke to use default Trust Store provided by Java for Trust Anchors
Until now, Stroke would not do trust anchor checking because there was no suitable way of getting to a default trust store. This patch makes Stroke use the JDK's default trust store for looking up trust anchors. If it can find the trust anchor in the JDK's store, it proceeds to do a validity check. If any check fails, an error is set and it is up to the client to decide whether it is happy with the certificate. Test-information: I tested with an XMPP client, MLC. I got prompted with the cert for a server whose CA was not in the Java trust store. After adding the CA to the JDK trust store, no prompt was seen. I then renewed the certificate with validity = 2 minutes. On doing a connection, MLC prompted me because the certificate was expired even though the CA was in the trust store. Change-Id: Id3fc86d85641f07814ff8621b8bf038cde406063 Reviewer: Nick Hudson <nick.hudson@isode.com> Reviewer: Kevin Smith <kevin.smith@isode.com>
-rw-r--r--src/com/isode/stroke/tls/CertificateVerificationError.java4
-rw-r--r--src/com/isode/stroke/tls/java/JSSEContext.java4
-rw-r--r--src/com/isode/stroke/tls/java/JavaTrustManager.java68
3 files changed, 26 insertions, 50 deletions
diff --git a/src/com/isode/stroke/tls/CertificateVerificationError.java b/src/com/isode/stroke/tls/CertificateVerificationError.java
index 0aca027..d76dc00 100644
--- a/src/com/isode/stroke/tls/CertificateVerificationError.java
+++ b/src/com/isode/stroke/tls/CertificateVerificationError.java
@@ -3,7 +3,7 @@
* All rights reserved.
*/
/*
- * Copyright (c) 2011-2012, Isode Limited, London, England.
+ * Copyright (c) 2011-2014, Isode Limited, London, England.
* All rights reserved.
*/
package com.isode.stroke.tls;
@@ -25,6 +25,8 @@ public class CertificateVerificationError implements Error {
InvalidSignature,
InvalidCA,
InvalidServerIdentity,
+ Revoked,
+ RevocationCheckFailed
}
public CertificateVerificationError(Type type) {
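Review bot: The two new constants `Revoked` and `RevocationCheckFailed` are added without any comment, and none of the hunks in this commit ever assigns them, so a reader cannot tell when a client should expect to see them. As far as I know the default PKIX trust manager does not perform revocation checking unless it is explicitly enabled, so these values are probably unreachable for now. I would add a short comment on each, for example `// certificate was revoked by its issuer (only reported when revocation checking is enabled)` and `// revocation status could not be determined`. The enum declaration starts above this hunk.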
diff --git a/src/com/isode/stroke/tls/java/JSSEContext.java b/src/com/isode/stroke/tls/java/JSSEContext.java
index 13904e8..aeb9300 100644
--- a/src/com/isode/stroke/tls/java/JSSEContext.java
+++ b/src/com/isode/stroke/tls/java/JSSEContext.java
@@ -646,12 +646,12 @@ public class JSSEContext extends TLSContext {
peerCertificateVerificationError = new CertificateVerificationError(Type.NotYetValid);
return;
- }
-
+ }
if (certificateException instanceof CertificateExpiredException) {
peerCertificateVerificationError = new CertificateVerificationError(Type.Expired);
return;
}
+ peerCertificateVerificationError = new CertificateVerificationError(Type.UnknownError);
}
}
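Review bot: The new fallback assigns `Type.UnknownError` to every exception that is not itself a `CertificateNotYetValidException` or `CertificateExpiredException`. Now that the trust manager delegates to the PKIX check, that is likely to be most failures. A missing trust anchor, a bad signature or an expiry found during path validation normally arrives as a generic `CertificateException` with the specific reason further down its cause chain. The client prompt then cannot tell "unknown CA" from "expired", and `InvalidCA`, `InvalidSignature` and `Revoked` stay unused. Consider walking `getCause()` before falling back, as sketched below; `getReason()` needs Java 7 or later, and the enclosing method starts outside this hunk.

```java
// … unchanged: direct instanceof checks for NotYetValid / Expired …
for (Throwable t = certificateException.getCause(); t != null; t = t.getCause()) {
    if (t instanceof CertificateExpiredException) {
        peerCertificateVerificationError = new CertificateVerificationError(Type.Expired);
        return;
    }
    if (t instanceof CertificateNotYetValidException) {
        peerCertificateVerificationError = new CertificateVerificationError(Type.NotYetValid);
        return;
    }
    if (t instanceof java.security.cert.CertPathValidatorException) {
        Object reason = ((java.security.cert.CertPathValidatorException) t).getReason();
        if (reason == java.security.cert.CertPathValidatorException.BasicReason.REVOKED) {
            peerCertificateVerificationError = new CertificateVerificationError(Type.Revoked);
            return;
        }
        if (reason == java.security.cert.CertPathValidatorException.BasicReason.INVALID_SIGNATURE) {
            peerCertificateVerificationError = new CertificateVerificationError(Type.InvalidSignature);
            return;
        }
    }
}
peerCertificateVerificationError = new CertificateVerificationError(Type.UnknownError);
```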
diff --git a/src/com/isode/stroke/tls/java/JavaTrustManager.java b/src/com/isode/stroke/tls/java/JavaTrustManager.java
index c3db11a..e011ce9 100644
--- a/src/com/isode/stroke/tls/java/JavaTrustManager.java
+++ b/src/com/isode/stroke/tls/java/JavaTrustManager.java
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012, Isode Limited, London, England.
+/* Copyright (c) 2012-2014, Isode Limited, London, England.
* All rights reserved.
*
* Acquisition and use of this software and related materials for any
@@ -42,18 +42,9 @@ public class JavaTrustManager implements X509TrustManager {
this.jsseContext = jsseContext;
try {
- // create a "default" JSSE X509TrustManager.
-
- KeyStore ks = KeyStore.getInstance("PKCS12");
- /*
-
- // This is how you could load trust anchors
- ks.load(new FileInputStream("trustedCerts"),
- "passphrase".toCharArray());
- */
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- tmf.init(ks);
+ tmf.init((KeyStore) null); //Java's default keystore
TrustManager tms [] = tmf.getTrustManagers();
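Review bot: The comment on `tmf.init((KeyStore) null)` says "default keystore", but what `null` selects is the JRE's default trust store, which is a different thing from a key store holding the application's own credentials. The comment should also record the consequence that every CA in that store becomes a trust anchor for XMPP server certificates. Suggested wording: `// null = JRE default trust store (javax.net.ssl.trustStore if set, otherwise the bundled cacerts); all CAs in it are trusted`. The constructor continues past the end of this hunk, so I cannot see how a failure of `init` is handled.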
@@ -89,46 +80,29 @@ public class JavaTrustManager implements X509TrustManager {
// position of checking client certificates. Just delegate to
// default trust manager
pkixTrustManager.checkClientTrusted(chain, authType);
-
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
- throws CertificateException {
- CertificateException certificateException = null;
-
-
- // TODO:
- // Note that we don't call the superclass method here yet, because
- // it will fail with like this until the TrustManagerFactory has
- // been initialised with a suitable list of trust anchors
- // java.lang.RuntimeException: Unexpected error:
- // java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
-
- /*
- try {
- pkixTrustManager.checkServerTrusted(chain, authType);
- } catch (CertificateException e) {
- certificateException = e;
- }
- catch (Exception e) {
- emitError(e,"checkServerTrusted failed");
- }
- */
-
- // TODO: The only type of verification done is the certificate validity.
- // Need to make "checkServerTrusted" do certificate verification properly
- // and pass in an appropriate CertificateException
- if (chain != null && chain.length > 0) {
- try {
- chain[0].checkValidity();
- }
- catch (CertificateException e) {
- certificateException = e;
- }
- }
-
- jsseContext.setPeerCertificateInfo(chain, certificateException);
+ throws CertificateException {
+ CertificateException certificateException = null;
+
+ try {
+ pkixTrustManager.checkServerTrusted(chain, authType);
+ } catch (CertificateException e) {
+ certificateException = e;
+ }
+
+ if (certificateException == null && chain != null && chain.length > 0) {
+ try {
+ chain[0].checkValidity();
+ }
+ catch (CertificateException e) {
+ certificateException = e;
+ }
+ }
+
+ jsseContext.setPeerCertificateInfo(chain, certificateException);
}
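Review bot: `checkServerTrusted` stores a failed PKIX check in `certificateException` and then returns normally, so JSSE will complete the handshake with a server that has no trusted path. Nothing in this hunk prevents data from being sent before the client has inspected the error. The commit message says this is intended, so the method needs a Javadoc saying so: it never throws on a validation failure, and callers must check the error recorded through `jsseContext.setPeerCertificateInfo` before sending credentials or other data. Separately, only `CertificateException` is caught. If the `RuntimeException` described in the removed TODO can still occur (for example with an empty default trust store), it will propagate and `setPeerCertificateInfo` is never called. The removed block had a `catch (Exception e)` for that case, which the new code drops.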