Posted to commits@cxf.apache.org by co...@apache.org on 2013/09/10 11:36:14 UTC
svn commit: r1521402 - in
/cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src:
main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java
Author: coheigea
Date: Tue Sep 10 09:36:14 2013
New Revision: 1521402
URL: http://svn.apache.org/r1521402
Log:
Fixing XKMS CRL checking
Modified:
cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java
Modified: cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java?rev=1521402&r1=1521401&r2=1521402&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java (original)
+++ cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java Tue Sep 10 09:36:14 2013
@@ -21,8 +21,11 @@ package org.apache.cxf.xkms.x509.validat
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreParameters;
import java.security.cert.CollectionCertStoreParameters;
@@ -72,16 +75,22 @@ public class TrustedAuthorityValidator i
Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
- CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
- pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
- if (crls.isEmpty()) {
- pkixParams.setRevocationEnabled(false);
- }
+ pkixParams.setRevocationEnabled(false);
+
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
- builder.build(pkixParams);
+ CertPath certPath = builder.build(pkixParams).getCertPath();
+
+ // Now validate the CertPath including CRL checking
+ if (!crls.isEmpty()) {
+ pkixParams.setRevocationEnabled(true);
+ CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
+ pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
+ CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+ validator.validate(certPath, pkixParams);
+ }
} catch (InvalidAlgorithmParameterException e) {
throw new RuntimeException(e);
} catch (NoSuchAlgorithmException e) {
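Review bot: When `crls` is empty the `if (!crls.isEmpty())` block is skipped, so the method accepts a path that was built with `setRevocationEnabled(false)` and never checked for revocation, and nothing in the log records that. This keeps the pre-commit behaviour, but if the repository ever returns no CRLs because of a load error, revoked certificates would be accepted silently; where `crls` is populated is outside this hunk, so that case should be confirmed. At minimum add an `else` branch that records the skipped check, e.g. `LOG.log(Level.WARNING, "No CRLs available, revocation status was not checked");`, and state the fail-open choice in a comment above the `if`. The enclosing method starts before and ends after this hunk.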
@@ -89,6 +98,9 @@ public class TrustedAuthorityValidator i
} catch (CertPathBuilderException e) {
LOG.log(Level.INFO, e.getMessage(), e);
return false;
+ } catch (CertPathValidatorException e) {
+ LOG.log(Level.INFO, e.getMessage(), e);
+ return false;
}
return true;
}
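Review bot: The new `CertPathValidatorException` handler logs at `Level.INFO` with only `e.getMessage()`, the same as a path-building failure, so a rejection caused by a revoked certificate is hard to pick out in monitoring. Consider logging it at `Level.WARNING` and including `e.getIndex()`, which identifies the certificate in the path that failed: `LOG.log(Level.WARNING, "Certificate path validation failed at index " + e.getIndex() + ": " + e.getMessage(), e);`. The try block this catch belongs to starts outside the hunk.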
Modified: cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java?rev=1521402&r1=1521401&r2=1521402&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java (original)
+++ cxf/branches/2.7.x-fixes/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java Tue Sep 10 09:36:14 2013
@@ -34,7 +34,6 @@ import org.apache.cxf.xkms.model.xkms.Us
import org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo;
import org.junit.Assert;
import org.junit.Before;
-import org.junit.Ignore;
import org.junit.Test;
public class TrustedAuthorityValidatorCRLTest extends BasicValidationTest {
@@ -83,11 +82,7 @@ public class TrustedAuthorityValidatorCR
certificateRepo.saveCRL(crl, crlKey);
}
- /**
- * FIXME Does not work on JDK 7
- */
@Test
- @Ignore
public void testIsCertChainValid() throws CertificateException {
TrustedAuthorityValidator validator = new TrustedAuthorityValidator(certificateRepo);
Assert.assertTrue("Root should be valid",