Build: #260 was successful Changes by wroot <wrooot@users.noreply.github.com> and Guus der Kinderen
Code commits
Spark (master)
-
wroot <wrooot@users.noreply.github.com> 8fcf060f0000985f32014e318322f1c30d3ba0a1
Merge pull request #550 from guusdk/fix-certchain-validation
Fix certchain validation -
Guus der Kinderen ade68fa13ce36785d6356c3512ffc7fb89d1215b
SPARK-2187: Do not offer to add a cert to truststore on unrelated error
The go-to response for Spark is to add a certificate that failed validation to the truststore. That's fine for certs that it does not recognize, but if validation failed because of another reason, Spark should not (re)add the certificate. Instead, an error should be shown that explains what the issue is.- core/src/main/java/org/jivesoftware/LoginDialog.java (version ade68fa13ce36785d6356c3512ffc7fb89d1215b)
- core/src/main/java/org/jivesoftware/sparkimpl/certificates/GeneralTrustManager.java (version ade68fa13ce36785d6356c3512ffc7fb89d1215b)
- core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version ade68fa13ce36785d6356c3512ffc7fb89d1215b)
-
Guus der Kinderen 81bb9b12dfd63cdad067e2700b9d1cc1350610e5
SPARK-2188: Exclude TrustAnchor from Certification Path to not confuse validation
As documented in its javadoc, the CertPath instance should not include the root CA certificate. If it does, validation errors can occur.- core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version 81bb9b12dfd63cdad067e2700b9d1cc1350610e5)
-
Guus der Kinderen 163bd6de37860bb1bd313643fae949215e770889
SPARK-2185: Add safeguard against validating an empty chain
This exposes an issue with the existing code (which unintentionally validates an empty object, instead of a properly populated CarthPath object).- core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version 163bd6de37860bb1bd313643fae949215e770889)
-
Guus der Kinderen 2d66d651e49a5d2dd13366b76153d8a6e596a234
Refactoring, should not functionally change anything.
- core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version 2d66d651e49a5d2dd13366b76153d8a6e596a234)
-
Guus der Kinderen 407deb01f80aefd9a0d35e358d8e95cac3577141
SPARK-2184: Fix the validation of Basic Constraints in the cert chain
The old code seems to have this backwards. All certificates in the chain, except for the leaf (end-entity) should have Basic Constraints.
When validating a certificate chain, Spark should make sure that the pathLen attribute of the Basic Constraint extension is valid and the cA field is set to TRUE for each non-leaf certificate.- core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version 407deb01f80aefd9a0d35e358d8e95cac3577141)
-
Guus der Kinderen 78de7ddca29468c4d2dd7344333051d8299b8521
SPARK-2185: Construct a CertPath object representing the chain to be validated
- core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version 78de7ddca29468c4d2dd7344333051d8299b8521)
-
Guus der Kinderen cf4185ca98a3146363b72227e028e05961b34402
SPARK-2186: Target the end-entity cert for validation
- core/src/main/java/org/jivesoftware/sparkimpl/certificates/SparkTrustManager.java (version cf4185ca98a3146363b72227e028e05961b34402)