Posted to commits@cxf.apache.org by co...@apache.org on 2013/09/10 11:36:14 UTC

svn commit: r1521402 - in /cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src: main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java

Author: coheigea
Date: Tue Sep 10 09:36:14 2013
New Revision: 1521402

URL: http://svn.apache.org/r1521402
Log:
Fixing XKMS CRL checking

Modified:
    cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
    cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java

Modified: cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java?rev=1521402&r1=1521401&r2=1521402&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java (original)
+++ cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java Tue Sep 10 09:36:14 2013
@@ -21,8 +21,11 @@ package org.apache.cxf.xkms.x509.validat
 
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertPath;
 import java.security.cert.CertPathBuilder;
 import java.security.cert.CertPathBuilderException;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertStore;
 import java.security.cert.CertStoreParameters;
 import java.security.cert.CollectionCertStoreParameters;
@@ -72,16 +75,22 @@ public class TrustedAuthorityValidator i
             Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
             CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
             CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
-            CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
             PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
             pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
             pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
-            pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
-            if (crls.isEmpty()) {
-                pkixParams.setRevocationEnabled(false);
-            }
+            pkixParams.setRevocationEnabled(false);
+            
             CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
-            builder.build(pkixParams);
+            CertPath certPath = builder.build(pkixParams).getCertPath();
+            
+            // Now validate the CertPath including CRL checking
+            if (!crls.isEmpty()) {
+                pkixParams.setRevocationEnabled(true);
+                CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
+                pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
+                CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+                validator.validate(certPath, pkixParams);
+            }
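Review bot: When the repository holds no CRLs, the new `if (!crls.isEmpty())` guard means the chain is accepted with revocation checking disabled altogether, and nothing in the hunk records that; add a comment on the `pkixParams.setRevocationEnabled(false);` line before the builder such as `// Revocation is checked separately below, and only when the repository supplies CRLs; with no CRLs the path is accepted without any revocation check`. A second, inferred point: because the path is built with revocation off and only then validated, a repository that can offer more than one intermediate chain could have the builder pick a chain containing a revoked intermediate and fail validation even though a non-revoked alternative exists, so it may be worth a comment stating that a single chain per subject is assumed. The enclosing try block and method begin before this hunk.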
         } catch (InvalidAlgorithmParameterException e) {
             throw new RuntimeException(e);
         } catch (NoSuchAlgorithmException e) {
@@ -89,6 +98,9 @@ public class TrustedAuthorityValidator i
         } catch (CertPathBuilderException e) {
             LOG.log(Level.INFO, e.getMessage(), e);
             return false;
+        } catch (CertPathValidatorException e) {
+            LOG.log(Level.INFO, e.getMessage(), e);
+            return false;
         }
         return true;
     }
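Review bot: The new `CertPathValidatorException` catch logs a failed revocation check at the same level and with the same bare `e.getMessage()` as a merely unbuildable path, so a rejected-because-revoked certificate is indistinguishable in the logs from a missing issuer. If the branch's minimum JDK allows it, `CertPathValidatorException.getReason()` gives the distinguishing value (for example REVOKED versus UNDETERMINED_REVOCATION_STATUS); the log line could become `LOG.log(Level.INFO, "Certificate path validation failed (" + e.getReason() + "): " + e.getMessage(), e);`. Consider whether a revocation failure warrants WARNING rather than INFO, since it is the signal an operator would want to alert on. The method containing these catches starts before the hunk.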

Modified: cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java?rev=1521402&r1=1521401&r2=1521402&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java (original)
+++ cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java Tue Sep 10 09:36:14 2013
@@ -34,7 +34,6 @@ import org.apache.cxf.xkms.model.xkms.Us
 import org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo;
 import org.junit.Assert;
 import org.junit.Before;
-import org.junit.Ignore;
 import org.junit.Test;
 
 public class TrustedAuthorityValidatorCRLTest extends BasicValidationTest {
@@ -83,11 +82,7 @@ public class TrustedAuthorityValidatorCR
         certificateRepo.saveCRL(crl, crlKey);
     }
 
-    /**
-     * FIXME Does not work on JDK 7
-     */
     @Test
-    @Ignore
     public void testIsCertChainValid() throws CertificateException {
         TrustedAuthorityValidator validator = new TrustedAuthorityValidator(certificateRepo);
         Assert.assertTrue("Root should be valid",
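Review bot: Re-enabling `testIsCertChainValid` exercises only the positive path as far as this hunk shows, while the commit's purpose is CRL checking; if the remainder of the method or the class does not already assert that a certificate listed in the CRL saved by `certificateRepo.saveCRL(crl, crlKey)` is rejected, a negative assertion along the lines of `Assert.assertFalse("Revoked certificate should be rejected", validator.isCertChainValid(...))` is what proves the fix. The removed FIXME explained why the test was ignored; a one-line comment noting that the fix now validates the built path with CRLs would keep that context for the next reader. The method body continues past the end of the hunk.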