author | Gurmeen Bindra <gurmeen.bindra@isode.com> | 2014-08-04 13:00:00 (GMT) |
---|---|---|
committer | Gurmeen Bindra <gurmeen.bindra@isode.com> | 2014-08-04 15:26:08 (GMT) |
commit | 77959428b7f4150569dda9fac35becf7e10b96c7 (patch) | |
tree | a4dec421da2ef0537239b0bc679568e4d43db576 /src/com/isode | |
parent | e21b855abf977fd0acdf6173db82f805e512f347 (diff) | |
Stroke to use default Trust Store provided by Java for Trust Anchors
Until now, Stroke would not do trust anchor checking because there was
no suitable way of getting to a default trust store.
This patch makes Stroke use the JDK's default trust store for looking up
trust anchors. If it can find the trust anchor in the JDK's store, it
proceeds to do the validity check. If any check fails, an error is set
and it is up to the client to decide whether it is happy with the certificate.
Test-information:
I tested with an XMPP client, MLC.
I got prompted with the cert for a server whose CA was not in the Java trust store.
After adding the CA to the JDK trust store, no prompt was seen.
I then renewed the certificate with validity = 2 minutes.
On doing a connection, MLC prompted me because the certificate was expired
even though the CA was in the trust store.
Change-Id: Id3fc86d85641f07814ff8621b8bf038cde406063
Reviewer: Nick Hudson <nick.hudson@isode.com>
Reviewer: Kevin Smith <kevin.smith@isode.com>
Diffstat (limited to 'src/com/isode')
-rw-r--r-- | src/com/isode/stroke/tls/CertificateVerificationError.java | 4 | ||||
-rw-r--r-- | src/com/isode/stroke/tls/java/JSSEContext.java | 4 | ||||
-rw-r--r-- | src/com/isode/stroke/tls/java/JavaTrustManager.java | 68 |
3 files changed, 26 insertions, 50 deletions
diff --git a/src/com/isode/stroke/tls/CertificateVerificationError.java b/src/com/isode/stroke/tls/CertificateVerificationError.java index 0aca027..d76dc00 100644 --- a/src/com/isode/stroke/tls/CertificateVerificationError.java +++ b/src/com/isode/stroke/tls/CertificateVerificationError.java @@ -3,7 +3,7 @@ * All rights reserved. */ /* - * Copyright (c) 2011-2012, Isode Limited, London, England. + * Copyright (c) 2011-2014, Isode Limited, London, England. * All rights reserved. */ package com.isode.stroke.tls; @@ -25,6 +25,8 @@ public class CertificateVerificationError implements Error { InvalidSignature, InvalidCA, InvalidServerIdentity, + Revoked, + RevocationCheckFailed } public CertificateVerificationError(Type type) { diff --git a/src/com/isode/stroke/tls/java/JSSEContext.java b/src/com/isode/stroke/tls/java/JSSEContext.java index 13904e8..aeb9300 100644 --- a/src/com/isode/stroke/tls/java/JSSEContext.java +++ b/src/com/isode/stroke/tls/java/JSSEContext.java @@ -646,12 +646,12 @@ public class JSSEContext extends TLSContext { peerCertificateVerificationError = new CertificateVerificationError(Type.NotYetValid); return; - } - + } if (certificateException instanceof CertificateExpiredException) { peerCertificateVerificationError = new CertificateVerificationError(Type.Expired); return; } + peerCertificateVerificationError = new CertificateVerificationError(Type.UnknownError); } } diff --git a/src/com/isode/stroke/tls/java/JavaTrustManager.java b/src/com/isode/stroke/tls/java/JavaTrustManager.java index c3db11a..e011ce9 100644 --- a/src/com/isode/stroke/tls/java/JavaTrustManager.java +++ b/src/com/isode/stroke/tls/java/JavaTrustManager.java @@ -1,4 +1,4 @@ -/* Copyright (c) 2012, Isode Limited, London, England. +/* Copyright (c) 2012-2014, Isode Limited, London, England. * All rights reserved. * * Acquisition and use of this software and related materials for any 
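Review bot: Nothing visible in this commit ever produces `Revoked` or `RevocationCheckFailed`: the JSSEContext hunk maps failures only to `NotYetValid`, `Expired` or `UnknownError`. A trust manager built with `tmf.init((KeyStore) null)` also does not, as far as I know, check revocation by default, so a revoked server certificate would still validate cleanly. Until revocation checking is wired in, a comment on the two constants would stop callers relying on them, e.g. `// Reserved: not reported until revocation checking is enabled in JavaTrustManager`. The enum body starts outside the hunk.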
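Review bot: The `instanceof` checks above the new `UnknownError` fallback in JSSEContext look only at the top-level exception, so an expiry found by the PKIX trust manager is likely to be reported as `UnknownError` rather than `Expired`. The JDK's default trust manager usually wraps path-validation failures in its own `CertificateException` subclass and leaves the `CertificateExpiredException` further down the cause chain (inferred, and provider dependent). After this commit JavaTrustManager skips its own `checkValidity()` call whenever the PKIX check has already failed, so the wrapped form is the one that reaches this code. Walking `getCause()` before falling back keeps the specific error types reachable; an untrusted-issuer failure also lands in `UnknownError`, where `InvalidCA` would give the client a more accurate prompt. The enclosing method starts outside the hunk.

```java
// … unchanged: direct instanceof checks for NotYetValid / Expired …
// The PKIX trust manager may wrap the real reason, so inspect the causes as well.
for (Throwable cause = certificateException.getCause(); cause != null; cause = cause.getCause()) {
    if (cause instanceof CertificateNotYetValidException) {
        peerCertificateVerificationError = new CertificateVerificationError(Type.NotYetValid);
        return;
    }
    if (cause instanceof CertificateExpiredException) {
        peerCertificateVerificationError = new CertificateVerificationError(Type.Expired);
        return;
    }
}
peerCertificateVerificationError = new CertificateVerificationError(Type.UnknownError);
```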
@@ -42,18 +42,9 @@ public class JavaTrustManager implements X509TrustManager { this.jsseContext = jsseContext; try { - // create a "default" JSSE X509TrustManager. - - KeyStore ks = KeyStore.getInstance("PKCS12"); - /* - - // This is how you could load trust anchors - ks.load(new FileInputStream("trustedCerts"), - "passphrase".toCharArray()); - */ TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - tmf.init(ks); + tmf.init((KeyStore) null); //Java's default keystore TrustManager tms [] = tmf.getTrustManagers(); 
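Review bot: The trailing comment on `tmf.init((KeyStore) null)` says "keystore", but the null argument selects the JVM's default trust store, and which file that is depends on process configuration. JSSE takes it from the `javax.net.ssl.trustStore` system property when set and otherwise from the JRE's `jssecacerts`/`cacerts`, so whoever can change that property or file decides which CAs this client trusts. I would spell that out in place of the current comment: `// null selects the JVM default trust store (javax.net.ssl.trustStore, else the JRE's cacerts)`. The constructor's try block continues outside the hunk.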
@@ -89,46 +80,29 @@ public class JavaTrustManager implements X509TrustManager { // position of checking client certificates. Just delegate to // default trust manager pkixTrustManager.checkClientTrusted(chain, authType); - } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) - throws CertificateException { - CertificateException certificateException = null; - - - // TODO: - // Note that we don't call the superclass method here yet, because - // it will fail with like this until the TrustManagerFactory has - // been initialised with a suitable list of trust anchors - // java.lang.RuntimeException: Unexpected error: - // java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty - - /* - try { - pkixTrustManager.checkServerTrusted(chain, authType); - } catch (CertificateException e) { - certificateException = e; - } - catch (Exception e) { - emitError(e,"checkServerTrusted failed"); - } - */ - - // TODO: The only type of verification done is the certificate validity. - // Need to make "checkServerTrusted" do certificate verification properly - // and pass in an appropriate CertificateException - if (chain != null && chain.length > 0) { - try { - chain[0].checkValidity(); - } - catch (CertificateException e) { - certificateException = e; - } - } - - jsseContext.setPeerCertificateInfo(chain, certificateException); + throws CertificateException { + CertificateException certificateException = null; + + try { + pkixTrustManager.checkServerTrusted(chain, authType); + } catch (CertificateException e) { + certificateException = e; + } + + if (certificateException == null && chain != null && chain.length > 0) { + try { + chain[0].checkValidity(); + } + catch (CertificateException e) { + certificateException = e; + } + } + + jsseContext.setPeerCertificateInfo(chain, certificateException); } |
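Review bot: `pkixTrustManager.checkServerTrusted(chain, authType)` validates the chain against the trust anchors but is given no host name, so nothing in this method ties the certificate to the server being connected to. Now that the anchors are the JDK's public CA set, a certificate that any of those CAs issued for a different name passes here without error. That makes the separate identity check (the one that reports `InvalidServerIdentity`, presumably elsewhere) the deciding control. A comment above the call would make the dependency explicit: `// Chain-to-anchor validation only; server identity is NOT checked here and must be verified by the caller`. The follow-up `chain[0].checkValidity()` block also looks redundant once path validation has succeeded, since that normally covers validity periods already.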