From 77959428b7f4150569dda9fac35becf7e10b96c7 Mon Sep 17 00:00:00 2001 From: Gurmeen Bindra Date: Mon, 4 Aug 2014 14:00:00 +0100 Subject: Stroke to use default Trust Store provided by Java for Trust Anchors Until now, Stroke would not do trust anchor checking because there was no suitable way to getting to a default trust store. This patch makes stroke use JDK's default trust store for looking up trust anchors. If it can find the trust anchor in JDK's store, it proceeds to do validy check. If any check fails, an error is set and it is upto the client to decide if client is happy with certificate. Test-information: I tested with with an XMPP client MLC. I got prompted with cert for server whose CA was not in Java Trust Store. After adding the CA to JDK trust store, no prompt was seen I then renewed the certificte with validity = 2 minutes. On doing a connection, MLC prompted me because the certificate was expired even though the CA was in the trust store. Change-Id: Id3fc86d85641f07814ff8621b8bf038cde406063 Reviewer: Nick Hudson Reviewer: Kevin Smith diff --git a/src/com/isode/stroke/tls/CertificateVerificationError.java b/src/com/isode/stroke/tls/CertificateVerificationError.java index 0aca027..d76dc00 100644 --- a/src/com/isode/stroke/tls/CertificateVerificationError.java +++ b/src/com/isode/stroke/tls/CertificateVerificationError.java @@ -3,7 +3,7 @@ * All rights reserved. */ /* - * Copyright (c) 2011-2012, Isode Limited, London, England. + * Copyright (c) 2011-2014, Isode Limited, London, England. * All rights reserved. */ package com.isode.stroke.tls; @@ -25,6 +25,8 @@ public class CertificateVerificationError implements Error { InvalidSignature, InvalidCA, InvalidServerIdentity, + Revoked, + RevocationCheckFailed } public CertificateVerificationError(Type type) { diff --git a/src/com/isode/stroke/tls/java/JSSEContext.java b/src/com/isode/stroke/tls/java/JSSEContext.java index 13904e8..aeb9300 100644 --- a/src/com/isode/stroke/tls/java/JSSEContext.java 
+++ b/src/com/isode/stroke/tls/java/JSSEContext.java @@ -646,12 +646,12 @@ public class JSSEContext extends TLSContext { peerCertificateVerificationError = new CertificateVerificationError(Type.NotYetValid); return; - } - + } if (certificateException instanceof CertificateExpiredException) { peerCertificateVerificationError = new CertificateVerificationError(Type.Expired); return; } + peerCertificateVerificationError = new CertificateVerificationError(Type.UnknownError); } } diff --git a/src/com/isode/stroke/tls/java/JavaTrustManager.java b/src/com/isode/stroke/tls/java/JavaTrustManager.java index c3db11a..e011ce9 100644 --- a/src/com/isode/stroke/tls/java/JavaTrustManager.java +++ b/src/com/isode/stroke/tls/java/JavaTrustManager.java @@ -1,4 +1,4 @@ -/* Copyright (c) 2012, Isode Limited, London, England. +/* Copyright (c) 2012-2014, Isode Limited, London, England. * All rights reserved. * * Acquisition and use of this software and related materials for any @@ -42,18 +42,9 @@ public class JavaTrustManager implements X509TrustManager { this.jsseContext = jsseContext; try { - // create a "default" JSSE X509TrustManager. - - KeyStore ks = KeyStore.getInstance("PKCS12"); - /* - - // This is how you could load trust anchors - ks.load(new FileInputStream("trustedCerts"), - "passphrase".toCharArray()); - */ TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); - tmf.init(ks); + tmf.init((KeyStore) null); //Java's default keystore TrustManager tms [] = tmf.getTrustManagers(); 
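Review bot: The two `instanceof` tests in this error-mapping block look only at the top-level exception, so most failures reported by the default PKIX trust manager will fall through to the new `Type.UnknownError` line. JSSE normally wraps path-validation failures in a generic `CertificateException`, and the `CertificateExpiredException` or `CertificateNotYetValidException` typically sits further down the cause chain, so an expired or untrusted chain would reach the user as an unknown error. The `Revoked` and `RevocationCheckFailed` values added in CertificateVerificationError.java are not assigned anywhere in the visible hunks either. Walking `getCause()` before the fallback would let the client show the real reason. The enclosing method starts outside the hunk, so the sketch below uses only names visible in it.

```java
// … unchanged: direct NotYetValid / Expired instanceof checks …
// Look through the wrapper exceptions added by the PKIX validator.
for (Throwable cause = certificateException.getCause(); cause != null; cause = cause.getCause()) {
    if (cause instanceof CertificateNotYetValidException) {
        peerCertificateVerificationError = new CertificateVerificationError(Type.NotYetValid);
        return;
    }
    if (cause instanceof CertificateExpiredException) {
        peerCertificateVerificationError = new CertificateVerificationError(Type.Expired);
        return;
    }
}
peerCertificateVerificationError = new CertificateVerificationError(Type.UnknownError);
```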
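Review bot: The comment `//Java's default keystore` on the `tmf.init((KeyStore) null)` line understates what now decides which CAs this client trusts. With a null argument JSSE uses the store named by the `javax.net.ssl.trustStore` system property if it is set, otherwise `jssecacerts` or `cacerts` under the JRE's `lib/security`. Anyone who can set that property or edit those files therefore changes the trust anchors, and this hunk gives an application no way to supply or pin its own. I would spell that out, e.g. `// null => JSSE default trust store: javax.net.ssl.trustStore if set, else the JRE's jssecacerts/cacerts`. The constructor continues outside the hunk.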
@@ -89,46 +80,29 @@ public class JavaTrustManager implements X509TrustManager { // position of checking client certificates. Just delegate to // default trust manager pkixTrustManager.checkClientTrusted(chain, authType); - } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) - throws CertificateException { - CertificateException certificateException = null; - - - // TODO: - // Note that we don't call the superclass method here yet, because - // it will fail with like this until the TrustManagerFactory has - // been initialised with a suitable list of trust anchors - // java.lang.RuntimeException: Unexpected error: - // java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty - - /* - try { - pkixTrustManager.checkServerTrusted(chain, authType); - } catch (CertificateException e) { - certificateException = e; - } - catch (Exception e) { - emitError(e,"checkServerTrusted failed"); - } - */ - - // TODO: The only type of verification done is the certificate validity. - // Need to make "checkServerTrusted" do certificate verification properly - // and pass in an appropriate CertificateException - if (chain != null && chain.length > 0) { - try { - chain[0].checkValidity(); - } - catch (CertificateException e) { - certificateException = e; - } - } - - jsseContext.setPeerCertificateInfo(chain, certificateException); + throws CertificateException { + CertificateException certificateException = null; + + try { + pkixTrustManager.checkServerTrusted(chain, authType); + } catch (CertificateException e) { + certificateException = e; + } + + if (certificateException == null && chain != null && chain.length > 0) { + try { + chain[0].checkValidity(); + } + catch (CertificateException e) { + certificateException = e; + } + } + + jsseContext.setPeerCertificateInfo(chain, certificateException); } -- cgit v0.10.2-6-g49f6
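Review bot: `checkServerTrusted` still returns normally for every chain, because a `CertificateException` from `pkixTrustManager.checkServerTrusted` is only recorded through `jsseContext.setPeerCertificateInfo`. The handshake therefore completes with an untrusted peer, and the connection is only as safe as the caller's check of that recorded error before it sends credentials. That contract deserves a comment on the method, e.g. `// Never rejects here: failures are recorded for the application, which must check them before using the session`. Separately, the deleted TODO describes the delegate throwing a `RuntimeException` when the trust-anchor set is empty; the new code would let that escape without calling `setPeerCertificateInfo`, so consider adding `catch (RuntimeException e) { certificateException = new CertificateException(e); }`. The follow-up `chain[0].checkValidity()` looks redundant once PKIX validation has passed, and no host-name check is visible in this hunk.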