Builds Spark (minus the Install4j distributables) after every change to the code.

Build: #260 was successful. Changes by wroot <wrooot@users.noreply.github.com> and Guus der Kinderen

Code commits

Spark (master)

  • wroot <wrooot@users.noreply.github.com>

    wroot <wrooot@users.noreply.github.com> 8fcf060f0000985f32014e318322f1c30d3ba0a1

    Merge pull request #550 from guusdk/fix-certchain-validation
    Fix certchain validation

  • Guus der Kinderen

    Guus der Kinderen ade68fa13ce36785d6356c3512ffc7fb89d1215b

    SPARK-2187: Do not offer to add a cert to truststore on unrelated error
    The go-to response for Spark is to add a certificate that failed validation to the truststore. That's fine for certs that it does not recognize, but if validation failed because of another reason, Spark should not (re)add the certificate. Instead, an error should be shown that explains what the issue is.

    • core/src/main/java/org/jivesoftware/LoginDialog.java (version ade68fa13ce36785d6356c3512ffc7fb89d1215b)
    • core/src/main/java/org/jivesoftware/sparkimpl/certificates/GeneralTrustManager.java (version ade68fa13ce36785d6356c3512ffc7fb89d1215b)
    • core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version ade68fa13ce36785d6356c3512ffc7fb89d1215b)
  • Guus der Kinderen

    Guus der Kinderen 81bb9b12dfd63cdad067e2700b9d1cc1350610e5

    SPARK-2188: Exclude TrustAnchor from Certification Path to not confuse validation
    As documented in its javadoc, the CertPath instance should not include the root CA certificate. If it does, validation errors can occur.

    • core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version 81bb9b12dfd63cdad067e2700b9d1cc1350610e5)
  • Guus der Kinderen

    Guus der Kinderen 163bd6de37860bb1bd313643fae949215e770889

    SPARK-2185: Add safeguard against validating an empty chain
    This exposes an issue with the existing code (which unintentionally validates an empty object, instead of a properly populated CertPath object).

    • core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version 163bd6de37860bb1bd313643fae949215e770889)
  • Guus der Kinderen

    Guus der Kinderen 2d66d651e49a5d2dd13366b76153d8a6e596a234

    Refactoring, should not functionally change anything.

    • core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version 2d66d651e49a5d2dd13366b76153d8a6e596a234)
  • Guus der Kinderen

    Guus der Kinderen 407deb01f80aefd9a0d35e358d8e95cac3577141

    SPARK-2184: Fix the validation of Basic Constraints in the cert chain
    The old code seems to have this backwards. All certificates in the chain, except for the leaf (end-entity), should have Basic Constraints.

    When validating a certificate chain, Spark should make sure that the pathLen attribute of the Basic Constraint extension is valid and the cA field is set to TRUE for each non-leaf certificate.

    • core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version 407deb01f80aefd9a0d35e358d8e95cac3577141)
  • Guus der Kinderen

    Guus der Kinderen 78de7ddca29468c4d2dd7344333051d8299b8521

    SPARK-2185: Construct a CertPath object representing the chain to be validated

    • core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version 78de7ddca29468c4d2dd7344333051d8299b8521)
  • Guus der Kinderen

    Guus der Kinderen cf4185ca98a3146363b72227e028e05961b34402

    SPARK-2186: Target the end-entity cert for validation

    • core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version cf4185ca98a3146363b72227e028e05961b34402)