SPARK-1966, SPARK-1952, SPARK-1969, SPARK-1970, SPARK-1971 and partially SPARK-1968 #356
Conversation
|
@Alameyo It would be good for your commit message to actually have the SPARK-???? nomenclature for each issue so that the Jira auto-linking works / this commit gets associated with the proper Jira issue. |
Alameyo
changed the title
|
@akrherz Ok, title was generated from commit comment and I forgot to add SPARK |
Alameyo
changed the title
Alameyo
force-pushed
the
SSLContext
branch
7 times, most recently
from
81e4228 to
81ba4c9
Compare
Alameyo
changed the title
|
Now also SPARK-1975 as Self Signed certificates can be accepted. |
|
That last commit did not have SPARK-1975 in it either. :) You can (and should!) rewrite those commit messages. There are a couple of options, see: https://help.github.com/articles/changing-a-commit-message/ |
|
|
||
| // check if certificate isn't self signed, self signed certificate still have to be in TrustStore to be | ||
| // accepted | ||
| if (chain.length > 1) { |
There was a problem hiding this comment.
Chain length is not a safe way to determine if the certificate in the chain is self-signed. The chain could be incomplete (it might depend on certificates that are in the truststore, without including those certificates), and chains might contain certificates that are not part of the chain at all (and are unused). You should find a better way to identify "self-signed"
|
Added support for SPARK-1977 OCSP. |
| * Return true if the certificate chain contain only one Self Signed certificate | ||
| */ | ||
| private boolean isSelfSigned(X509Certificate[] chain) { | ||
| if(chain[0].getIssuerX500Principal().getName().equals(chain[0].getSubjectX500Principal().getName())){ |
There was a problem hiding this comment.
Perhaps replace by: return chain[0].getIssuerX500Principal().getName().equals(chain[0].getSubjectX500Principal().getName()) (there's no need for the if/else)?
| @@ -187,6 +188,17 @@ public void checkServerTrusted(X509Certificate[] chain, String authType) throws | |||
| } | |||
|
|
|||
| /** | |||
| * Return true if the certificate chain contain only one Self Signed certificate | |||
| */ | |||
| private boolean isSelfSigned(X509Certificate[] chain) { | |||
There was a problem hiding this comment.
This code assumes that the first certificate is the self-signed one, which could lead to several problems. For example, a certificate chain should, but is not always ordered (and if it is, I think it's typically the last certificate that's self-signed).
Perhaps you should consider changing the argument to this method: instead of passing a chain, you might want to pass a single certificate. That way, this method's responsibility is very well defined. If needed, you could add additional methods that check if the entire chain represents a self-signed certificate (by checking if the chain size is equal to 1, and by passing that certificate to this method).
There was a problem hiding this comment.
I added check if chain length equals 1. If it is true together as well as same subject issuer requirement then certificate is self signed. This way in case when chain would be reversed there will be no problems about that.
One note: I don't worry here about standard root CA at the end of certificate path but about situation when server send only one self signed certificate for it's identification. If chain is longer than 1 then it is standard path building.
| PKIXRevocationChecker checker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker(); | ||
| // soft fail option mean that OCSP or CRL must pass validation, in case when OCSP cannot be | ||
| // validated it will validate CRL and then if both cannot be checked it will fail | ||
| checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL)); |
There was a problem hiding this comment.
Should this be configurable? Perhaps the end-user should control if SOFT_FAIL should apply.
… subject name and issuer name (have to be equal).
…PKIX validator to use default one.
…and some other minor changes.
|
|
||
|
|
||
| if (securityMode != ConnectionConfiguration.SecurityMode.disabled && !useOldSSL) { | ||
| builder.setPort(5222); |
There was a problem hiding this comment.
Does this take into account that the user can also set another port than 5222? If that's done, we should not hard-code to 5222.
There was a problem hiding this comment.
Changed. I digged into that a bit more and while 5222 is recommended because other ports might be blocked by firewalls, there is no general prohibition against using other ports. Though so far I cannot connect without using "automatically discover host and port".
| @@ -277,6 +284,22 @@ protected XMPPTCPConnectionConfiguration retrieveConnectionConfiguration() { | |||
| builder.setProxyInfo( proxyInfo ); | |||
| } | |||
|
|
|||
| if (securityMode != ConnectionConfiguration.SecurityMode.disabled && !useOldSSL) { | |||
There was a problem hiding this comment.
(same as before - can you get rid of this code duplication?) Does this take into account that the user can also set another port than 5222? If that's done, we should not hard-code to 5222.
There was a problem hiding this comment.
Indeed this two classes share a bunch of the similar code, tomorrow I will try to reduce some of its redundancy.
| ResourceUtils.resButton(acceptSelfSigned, Res.getString("checkbox.accept.self.signed")); | ||
| ResourceUtils.resButton(checkCRL, Res.getString("checkbox.check.crl")); | ||
| ResourceUtils.resButton(checkOCSP, Res.getString("checkbox.check.ocsp")); | ||
| ResourceUtils.resButton(showCert, Res.getString("button.show.certificate")); | ||
| ResourceUtils.resButton(fileButton, Res.getString("label.choose.file")); | ||
|
|
||
|
|
There was a problem hiding this comment.
Small bug: when I open the "certificates" tab and the "accept all" option is already checked, then the others are not disabled. It works when I unselect and reselect again.
Alameyo
force-pushed
the
SSLContext
branch
2 times, most recently
from
c6edac8 to
034cb63
Compare
Added setUp method to SPARKSSLContext, removed acceptAll from Security tab as there is already Accept All checkbox in certificates tab.
Generally trust managers, checking CRL and some minor things. Still TO-DO: accepting self signed certificates, make use of blacklist keystore and do OCSP.