
From cohei...@apache.org
Subject svn commit: r1804971 - /webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
Date Mon, 14 Aug 2017 09:54:57 GMT
Author: coheigea
Date: Mon Aug 14 09:54:57 2017
New Revision: 1804971

URL: http://svn.apache.org/viewvc?rev=1804971&view=rev
Log:
WSS-612 Updates CertificateStore to handle certificate chains. This closes #7.

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>

Modified:
    webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java

Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java?rev=1804971&r1=1804970&r2=1804971&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
(original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
Mon Aug 14 09:54:57 2017
@@ -165,7 +165,7 @@ public class CertificateStore extends Cr
         //
         // FIRST step - Search the trusted certs for the transmitted certificate
         //
-        if (!enableRevocation) {
+        if (certs.length == 1 && !enableRevocation) {
             String issuerString = certs[0].getIssuerX500Principal().getName();
             BigInteger issuerSerial = certs[0].getSerialNumber();
 
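Review bot: The new `certs.length == 1` gate means a transmitted chain never takes the direct trusted-certs shortcut and is always pushed through PKIX validation, but nothing at the gate says so; the second hunk applies the same gate to the issuer lookup, so the same comment is needed there. Something like `// Only a single transmitted cert is looked up directly; a transmitted chain is always validated against the trust anchors via PKIX below` would make the split explicit. The enclosing method starts before this hunk, so whether `certs` is checked for null or empty earlier is not visible here; `certs[0]` on the following lines assumes it is.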
@@ -192,25 +192,25 @@ public class CertificateStore extends Cr
         // SECOND step - Search for the issuer cert (chain) of the transmitted certificate
in the
         // keystore or the truststore
         //
-        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
         String issuerString = certs[0].getIssuerX500Principal().getName();
-        cryptoType.setSubjectDN(issuerString);
-        X509Certificate[] foundCerts = getX509Certificates(cryptoType);
-
-        // If the certs have not been found, the issuer is not in the keystore/truststore
-        // As a direct result, do not trust the transmitted certificate
-        if (foundCerts == null || foundCerts.length < 1) {
-            String subjectString = certs[0].getSubjectX500Principal().getName();
-            if (LOG.isDebugEnabled()) {
+        X509Certificate[] foundCerts = new X509Certificate[0];
+        if (certs.length == 1) {
+            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
+            cryptoType.setSubjectDN(issuerString);
+            foundCerts = getX509Certificates(cryptoType);
+
+            // If the certs have not been found, the issuer is not in the keystore/truststore
+            // As a direct result, do not trust the transmitted certificate
+            if (foundCerts == null || foundCerts.length < 1) {
+                String subjectString = certs[0].getSubjectX500Principal().getName();
                 LOG.debug(
-                    "No certs found in keystore for issuer " + issuerString
-                    + " of certificate for " + subjectString
+                    "No certs found in keystore for issuer {} of certificate for {}", issuerString,
subjectString
+                );
+                throw new WSSecurityException(
+                    WSSecurityException.ErrorCode.FAILURE, "certpath",
+                    new Object[] {"No trusted certs found"}
                 );
             }
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.FAILURE, "certpath",
-                new Object[] {"No trusted certs found"}
-            );
         }
 
         //
@@ -223,31 +223,16 @@ public class CertificateStore extends Cr
             );
         }
 
-        //
-        // Form a certificate chain from the transmitted certificate
-        // and the certificate(s) of the issuer from the keystore/truststore
-        //
-        X509Certificate[] x509certs = new X509Certificate[foundCerts.length + 1];
-        x509certs[0] = certs[0];
-        System.arraycopy(foundCerts, 0, x509certs, 1, foundCerts.length);
-
         try {
-            // Generate cert path
-            List<X509Certificate> certList = Arrays.asList(x509certs);
-            CertPath path = getCertificateFactory().generateCertPath(certList);
-
             Set<TrustAnchor> set = new HashSet<>();
             if (trustedCerts != null) {
                 for (X509Certificate cert : trustedCerts) {
                     TrustAnchor anchor =
-                        new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
+                        new TrustAnchor(cert, null);
                     set.add(anchor);
                 }
             }
 
-            PKIXParameters param = new PKIXParameters(set);
-            param.setRevocationEnabled(enableRevocation);
-
             // Verify the trust path using the above settings
             String provider = getCryptoProvider();
             CertPathValidator validator = null;
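Review bot: Passing `null` as the second TrustAnchor argument drops name-constraint enforcement for constrained trust anchors, and the commit log (chain handling) does not mention this change. If the previous form failed because `getExtensionValue` returns the OCTET STRING wrapper rather than the bare DER NameConstraints value the constructor expects, that deserves a comment, e.g. `// nameConstraints deliberately null: getExtensionValue() returns the OCTET STRING wrapper, which TrustAnchor does not accept`; if that is not the reason, unwrapping the extension value and passing it would keep the enforcement. The PKIXParameters lines removed here reappear in the next hunk, so that part is a pure move.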
@@ -256,7 +241,30 @@ public class CertificateStore extends Cr
             } else {
                 validator = CertPathValidator.getInstance("PKIX", provider);
             }
-            validator.validate(path, param);
+
+            PKIXParameters param = new PKIXParameters(set);
+            param.setRevocationEnabled(enableRevocation);
+
+            if (foundCerts.length > 0) {
+                //
+                // Form a certificate chain from the transmitted certificate
+                // and the certificate(s) of the issuer from the keystore/truststore
+                //
+                X509Certificate[] x509certs = new X509Certificate[foundCerts.length + 1];
+                x509certs[0] = certs[0];
+                System.arraycopy(foundCerts, 0, x509certs, 1, foundCerts.length);
+
+                // Generate cert path
+                List<X509Certificate> certList = Arrays.asList(x509certs);
+                CertPath path = getCertificateFactory().generateCertPath(certList);
+
+                validator.validate(path, param);
+            } else {
+                List<X509Certificate> certList = Arrays.asList(certs);
+                CertPath path = getCertificateFactory().generateCertPath(certList);
+
+                validator.validate(path, param);
+            }
         } catch (java.security.NoSuchProviderException | NoSuchAlgorithmException
             | java.security.cert.CertificateException
             | java.security.InvalidAlgorithmParameterException
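Review bot: The two branches after `param.setRevocationEnabled` duplicate the generateCertPath/validate calls and differ only in which array is validated; choosing the array first and validating once removes the duplication and gives a single place to document what the path is. In the `else` branch the transmitted chain `certs` is validated exactly as received, so, as far as this hunk shows, its ordering and its trust come entirely from the caller and from `trustedCerts`; the comment in the rewrite below states that. The enclosing try block begins in the previous hunk and the catch clause continues past this one.
```java
            PKIXParameters param = new PKIXParameters(set);
            param.setRevocationEnabled(enableRevocation);

            // Path to validate: the transmitted certificate followed by the issuer
            // cert(s) found in the keystore/truststore, or the transmitted chain as
            // received when no issuer lookup was made (foundCerts is empty).
            X509Certificate[] x509certs = certs;
            if (foundCerts.length > 0) {
                x509certs = new X509Certificate[foundCerts.length + 1];
                x509certs[0] = certs[0];
                System.arraycopy(foundCerts, 0, x509certs, 1, foundCerts.length);
            }
            List<X509Certificate> certList = Arrays.asList(x509certs);
            CertPath path = getCertificateFactory().generateCertPath(certList);
            validator.validate(path, param);
```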


