Posted to commits@juddi.apache.org by al...@apache.org on 2013/11/12 04:48:09 UTC
svn commit: r1540937 -
/juddi/trunk/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java
Author: alexoree
Date: Tue Nov 12 03:48:09 2013
New Revision: 1540937
URL: http://svn.apache.org/r1540937
Log:
JUDDI-579 revised the DigSigUtil to return all validation errors and not just the first one
Modified:
juddi/trunk/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java
Modified: juddi/trunk/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java
URL: http://svn.apache.org/viewvc/juddi/trunk/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java?rev=1540937&r1=1540936&r2=1540937&view=diff
==============================================================================
--- juddi/trunk/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java (original)
+++ juddi/trunk/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java Tue Nov 12 03:48:09 2013
@@ -494,14 +494,16 @@ public class DigSigUtil {
Security.setProperty("ocsp.enable", "false");
X509Certificate issuer = FindCertByDN(issuerX500Principal);
if (issuer == null) {
- throw new CertificateException("unable to locate the issuers certificate in the trust store");
- }
- RevocationStatus check = OCSP.check(signingcert, issuer);
- logger.info("certificate " + signingcert.getSubjectDN().toString() + " revocation status is " + check.getCertStatus().toString() + " reason " + check.getRevocationReason().toString());
- if (check.getCertStatus() != RevocationStatus.CertStatus.GOOD) {
- OutErrorMessage.set("Certificate status is " + check.getCertStatus().toString() + " reason " + check.getRevocationReason().toString() + "." + OutErrorMessage.get());
+ OutErrorMessage.set("Unable to verify certificate status from OCSP because the issuer of the certificate is not in the trust store. " + OutErrorMessage.get());
+ //throw new CertificateException("unable to locate the issuers certificate in the trust store");
+ } else {
+ RevocationStatus check = OCSP.check(signingcert, issuer);
+ logger.info("certificate " + signingcert.getSubjectDN().toString() + " revocation status is " + check.getCertStatus().toString() + " reason " + check.getRevocationReason().toString());
+ if (check.getCertStatus() != RevocationStatus.CertStatus.GOOD) {
+ OutErrorMessage.set("Certificate status is " + check.getCertStatus().toString() + " reason " + check.getRevocationReason().toString() + "." + OutErrorMessage.get());
- //throw new CertificateException("Certificate status is " + check.getCertStatus().toString() + " reason " + check.getRevocationReason().toString());
+ //throw new CertificateException("Certificate status is " + check.getCertStatus().toString() + " reason " + check.getRevocationReason().toString());
+ }
}
}
if (map.containsKey(CHECK_REVOCATION_STATUS_CRL) && Boolean.parseBoolean(map.getProperty(CHECK_REVOCATION_STATUS_CRL))) {
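Review bot: The added log line in the else branch (`logger.info("certificate " + ... + check.getRevocationReason().toString())`) dereferences the revocation reason unconditionally, but for a certificate whose status is GOOD the reason is presumably absent (null), so the OCSP path that the commit intended to make non-fatal can still fail with a NullPointerException before the status is even compared; the same pattern is repeated in the error message built on the following line. Using `String.valueOf(check.getRevocationReason())` in both places, or only appending the reason when the status is not GOOD, keeps the message and removes the trap. The surrounding context line `Security.setProperty("ocsp.enable", "false")` mutates a JVM-wide security property as a side effect of a per-call validation, which deserves a comment stating why it is required here and that it affects every other PKIX validation in the process. The enclosing method begins and ends outside this hunk.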
@@ -527,28 +529,26 @@ public class DigSigUtil {
}
if (map.containsKey(CHECK_TRUST_CHAIN) && Boolean.parseBoolean(map.getProperty(CHECK_TRUST_CHAIN))) {
logger.info("verifying trust chain X509 public key " + signingcert.getSubjectDN().toString());
- try{
- PKIXParameters params = new PKIXParameters(GetTrustStore());
- params.setRevocationEnabled(false);
- CertPath certPath = cf.generateCertPath(Arrays.asList(signingcert));
+ try {
+ PKIXParameters params = new PKIXParameters(GetTrustStore());
+ params.setRevocationEnabled(false);
+ CertPath certPath = cf.generateCertPath(Arrays.asList(signingcert));
- CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
- CertPathValidatorResult result = certPathValidator.validate(certPath, params);
+ CertPathValidator certPathValidator = CertPathValidator.getInstance(CertPathValidator.getDefaultType());
+ CertPathValidatorResult result = certPathValidator.validate(certPath, params);
- PKIXCertPathValidatorResult pkixResult = (PKIXCertPathValidatorResult) result;
+ PKIXCertPathValidatorResult pkixResult = (PKIXCertPathValidatorResult) result;
- TrustAnchor ta = pkixResult.getTrustAnchor();
- X509Certificate cert = ta.getTrustedCert();
+ TrustAnchor ta = pkixResult.getTrustAnchor();
+ X509Certificate cert = ta.getTrustedCert();
- logger.info("trust chain validated X509 public key " + signingcert.getSubjectDN().toString());
- }
- catch (Exception ex){
+ logger.info("trust chain validated X509 public key " + signingcert.getSubjectDN().toString());
+ } catch (Exception ex) {
OutErrorMessage.set("Certificate status Trust validation failed: " + ex.getMessage() + "." + OutErrorMessage.get());
}
}
- boolean b= verifySignature(docElement, signingcert.getPublicKey(), OutErrorMessage);
- if ((OutErrorMessage.get()== null || OutErrorMessage.get().length()==0) && b)
- {
+ boolean b = verifySignature(docElement, signingcert.getPublicKey(), OutErrorMessage);
+ if ((OutErrorMessage.get() == null || OutErrorMessage.get().length() == 0) && b) {
//no error message and its cryptographically valid
return true;
}
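Review bot: The rewritten `catch (Exception ex)` records only `ex.getMessage()`, which is null for a number of exception types and always drops the exception class and stack trace, so a failed `certPathValidator.validate` call will surface as "Trust validation failed: null" with nothing in the log to diagnose; `logger.warn("trust chain validation failed for " + signingcert.getSubjectDN(), ex);` before the `OutErrorMessage.set(...)` and `ex.toString()` in the message would preserve that information. The locals `pkixResult`, `ta` and `cert` are assigned but never read and can be dropped, since the validation outcome is carried entirely by whether `validate` throws. The cert path is built from `Arrays.asList(signingcert)` alone, so validation can presumably only succeed when the signer's issuer is itself a trust anchor; if intermediate CAs are expected, that limitation should be documented on the `CHECK_TRUST_CHAIN` branch. The enclosing method begins and ends outside this hunk.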