diff options
Diffstat (limited to 'src/com/isode')
-rw-r--r-- | src/com/isode/stroke/tls/CertificateVerificationError.java | 4 | ||||
-rw-r--r-- | src/com/isode/stroke/tls/java/JSSEContext.java | 4 | ||||
-rw-r--r-- | src/com/isode/stroke/tls/java/JavaTrustManager.java | 68 |
3 files changed, 26 insertions, 50 deletions
diff --git a/src/com/isode/stroke/tls/CertificateVerificationError.java b/src/com/isode/stroke/tls/CertificateVerificationError.java index 0aca027..d76dc00 100644 --- a/src/com/isode/stroke/tls/CertificateVerificationError.java +++ b/src/com/isode/stroke/tls/CertificateVerificationError.java @@ -3,7 +3,7 @@ * All rights reserved. */ /* - * Copyright (c) 2011-2012, Isode Limited, London, England. + * Copyright (c) 2011-2014, Isode Limited, London, England. * All rights reserved. */ package com.isode.stroke.tls; @@ -25,6 +25,8 @@ public class CertificateVerificationError implements Error { InvalidSignature, InvalidCA, InvalidServerIdentity, + Revoked, + RevocationCheckFailed } public CertificateVerificationError(Type type) { diff --git a/src/com/isode/stroke/tls/java/JSSEContext.java b/src/com/isode/stroke/tls/java/JSSEContext.java index 13904e8..aeb9300 100644 --- a/src/com/isode/stroke/tls/java/JSSEContext.java +++ b/src/com/isode/stroke/tls/java/JSSEContext.java @@ -646,12 +646,12 @@ public class JSSEContext extends TLSContext { peerCertificateVerificationError = new CertificateVerificationError(Type.NotYetValid); return; - } - + } if (certificateException instanceof CertificateExpiredException) { peerCertificateVerificationError = new CertificateVerificationError(Type.Expired); return; } + peerCertificateVerificationError = new CertificateVerificationError(Type.UnknownError); } } diff --git a/src/com/isode/stroke/tls/java/JavaTrustManager.java b/src/com/isode/stroke/tls/java/JavaTrustManager.java index c3db11a..e011ce9 100644 --- a/src/com/isode/stroke/tls/java/JavaTrustManager.java +++ b/src/com/isode/stroke/tls/java/JavaTrustManager.java @@ -1,4 +1,4 @@ -/* Copyright (c) 2012, Isode Limited, London, England. +/* Copyright (c) 2012-2014, Isode Limited, London, England. * All rights reserved. * * Acquisition and use of this software and related materials for any @@ -42,18 +42,9 @@ public class JavaTrustManager implements X509TrustManager { this.jsseContext = jsseContext; try { - // create a "default" JSSE X509TrustManager. - - KeyStore ks = KeyStore.getInstance("PKCS12"); - /* - - // This is how you could load trust anchors - ks.load(new FileInputStream("trustedCerts"), - "passphrase".toCharArray()); - */ TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - tmf.init(ks); + tmf.init((KeyStore) null); //Java's default keystore TrustManager tms [] = tmf.getTrustManagers(); @@ -89,46 +80,29 @@ public class JavaTrustManager implements X509TrustManager { // position of checking client certificates. Just delegate to // default trust manager pkixTrustManager.checkClientTrusted(chain, authType); - } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) - throws CertificateException { - CertificateException certificateException = null; - - - // TODO: - // Note that we don't call the superclass method here yet, because - // it will fail with like this until the TrustManagerFactory has - // been initialised with a suitable list of trust anchors - // java.lang.RuntimeException: Unexpected error: - // java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty - - /* - try { - pkixTrustManager.checkServerTrusted(chain, authType); - } catch (CertificateException e) { - certificateException = e; - } - catch (Exception e) { - emitError(e,"checkServerTrusted failed"); - } - */ - - // TODO: The only type of verification done is the certificate validity. - // Need to make "checkServerTrusted" do certificate verification properly - // and pass in an appropriate CertificateException - if (chain != null && chain.length > 0) { - try { - chain[0].checkValidity(); - } - catch (CertificateException e) { - certificateException = e; - } - } - - jsseContext.setPeerCertificateInfo(chain, certificateException); + throws CertificateException { + CertificateException certificateException = null; + + try { + pkixTrustManager.checkServerTrusted(chain, authType); + } catch (CertificateException e) { + certificateException = e; + } + + if (certificateException == null && chain != null && chain.length > 0) { + try { + chain[0].checkValidity(); + } + catch (CertificateException e) { + certificateException = e; + } + } + + jsseContext.setPeerCertificateInfo(chain, certificateException); } |