Posted to commits@cxf.apache.org by co...@apache.org on 2020/05/01 10:20:46 UTC
[cxf] 02/02: CXF-8275 - Support CRL/OCSP cert extensions in the
XKMS TrustedAuthorityValidator
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit e4b7097b19388124883191bc32300ee6562849b4
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri May 1 11:17:16 2020 +0100
CXF-8275 - Support CRL/OCSP cert extensions in the XKMS TrustedAuthorityValidator
---
.../xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml | 2 +-
.../org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java | 4 ++--
.../cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java | 1 +
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml b/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
index 7dd6461..d75c706 100644
--- a/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
+++ b/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
@@ -16,7 +16,7 @@
<cm:property name="xkms.logExceptions" value="false"/>
<cm:property name="xkms.certificate.repo" value="file"/>
<cm:property name="xkms.file.storageDir" value="data/xkms/certificates"/>
- <cm:property name="xkms.enableRevocation" value="true"/>
+ <cm:property name="xkms.enableRevocation" value="false"/>
</cm:default-properties>
</cm:property-placeholder>
<service interface="org.apache.cxf.xkms.x509.repo.CertificateRepo" activation="eager">
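Review bot: The default for `xkms.enableRevocation` flips from true to false on the changed property line with nothing in the file recording that revocation checking is now opt-in, so a deployment that ships this blueprint unchanged will quietly stop consulting CRLs. An XML comment above the property would make the new posture visible to whoever edits it next: `<!-- CRL/OCSP revocation checking is off by default; set to true to enable it in TrustedAuthorityValidator -->`. Whether the flip is deliberate or a side effect of the code change is not stated in the commit message, so I am inferring it from the matching field change in the Java hunk.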
diff --git a/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java b/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
index 9b31102..f13e9f9 100644
--- a/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
+++ b/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
@@ -53,7 +53,7 @@ public class TrustedAuthorityValidator implements Validator {
private static final Logger LOG = LogUtils.getL7dLogger(TrustedAuthorityValidator.class);
final CertificateRepo certRepo;
- boolean enableRevocation = true;
+ boolean enableRevocation;
public TrustedAuthorityValidator(CertificateRepo certRepo) {
this.certRepo = certRepo;
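Review bot: Dropping the `= true` initializer on the `enableRevocation` field silently changes the validator's default to no revocation checking, and nothing in the hunk documents that; any caller that relied on the old default will keep accepting chains without ever consulting a CRL. A field comment would pin the contract, e.g. `/** CRL/OCSP revocation checking is disabled unless enabled explicitly via setEnableRevocation(true). */`. The setter is not visible in this diff but is called from the test hunk below, so I assume it exists on this class. The constructor that starts here continues outside the hunk.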
@@ -84,10 +84,10 @@ public class TrustedAuthorityValidator implements Validator {
CertPath certPath = builder.build(pkixParams).getCertPath();
// Now validate the CertPath (including CRL checking)
+ pkixParams.setRevocationEnabled(enableRevocation);
if (enableRevocation) {
List<X509CRL> crls = certRepo.getCRLs();
if (!crls.isEmpty()) {
- pkixParams.setRevocationEnabled(true);
CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
}
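Review bot: With `enableRevocation` true and `certRepo.getCRLs()` empty, the moved `pkixParams.setRevocationEnabled(enableRevocation)` now turns PKIX revocation checking on without attaching any CertStore, so the outcome hinges on the JDK fetching CRL distribution points or OCSP responders named in the certificates (`com.sun.security.enableCRLDP`, `ocsp.enable`), and it fails closed otherwise. That looks like the intent of CXF-8275, but the comment `// Now validate the CertPath (including CRL checking)` now understates it; I would change it to `// Validate the CertPath; with revocation on and no repo CRLs, the JDK's CRLDP/OCSP checks decide the result`. Note also that `builder.build(pkixParams)` on the first context line runs before the flag is set, so the path-building step uses whatever revocation setting pkixParams carried up to that point, which this hunk does not show. The enclosing method starts and ends outside the hunk.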
diff --git a/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java b/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java
index a34b5a6..e759f77 100644
--- a/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java
+++ b/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java
@@ -86,6 +86,7 @@ public class TrustedAuthorityValidatorCRLTest extends BasicValidationTest {
@Test
public void testIsCertChainValid() throws CertificateException {
TrustedAuthorityValidator validator = new TrustedAuthorityValidator(certificateRepo);
+ validator.setEnableRevocation(true);
Assert.assertTrue("Root should be valid",
validator.isCertificateChainValid(Arrays.asList(certificateRoot)));
Assert.assertTrue("wss40rev should not be valid",