Issue #1468 Configure PKIX Revocation Checker for SslContextFactory

2017-06-01 13:57:20 +02:00 · 2017-06-01 13:57:20 +02:00 · 80e964ef35
parent 9e44508cda
commit 80e964ef35
3 changed files with 83 additions and 30 deletions
--- a/jetty-server/src/main/config/etc/jetty-ssl-context.xml
+++ b/jetty-server/src/main/config/etc/jetty-ssl-context.xml
@ -28,4 +28,26 @@
  <Set name="sslSessionTimeout"><Property name="jetty.sslContext.sslSessionTimeout" default="-1"/></Set>
  <Set name="RenegotiationAllowed"><Property name="jetty.sslContext.renegotiationAllowed" default="true"/></Set>
  <Set name="RenegotiationLimit"><Property name="jetty.sslContext.renegotiationLimit" default="5"/></Set>
+ 
+  <!-- Example of how to configure a PKIX Certificate Path revocation Checker
+  <Call id="pkixPreferCrls" class="java.security.cert.PKIXRevocationChecker$Option" name="valueOf"><Arg>PREFER_CRLS</Arg></Call>
+  <Call id="pkixSoftFail" class="java.security.cert.PKIXRevocationChecker$Option" name="valueOf"><Arg>SOFT_FAIL</Arg></Call>
+  <Call id="pkixNoFallback" class="java.security.cert.PKIXRevocationChecker$Option" name="valueOf"><Arg>NO_FALLBACK</Arg></Call>
+  <Call class="java.security.cert.CertPathBuilder" name="getInstance">
+    <Arg>PKIX</Arg>
+    <Call id="pkixRevocationChecker" name="getRevocationChecker">
+      <Call name="setOptions">
+        <Arg>
+          <Call class="java.util.EnumSet" name="of">
+            <Arg><Ref refid="pkixPreferCrls"/></Arg>
+            <Arg><Ref refid="pkixSoftFail"/></Arg>
+            <Arg><Ref refid="pkixNoFallback"/></Arg>
+          </Call>
+        </Arg>
+      </Call>
+    </Call>
+  </Call>
+  <Set name="PkixCertPathChecker"><Ref refid="pkixRevocationChecker"/></Set>
+  -->
+  
 </Configure>
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@ -31,6 +31,7 @@ import java.security.cert.CertStore;
 import java.security.cert.Certificate;
 import java.security.cert.CollectionCertStoreParameters;
 import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@ -167,6 +168,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
    private boolean _renegotiationAllowed = true;
    private int _renegotiationLimit = 5;
    private Factory _factory;
+    private PKIXCertPathChecker _pkixCertPathChecker;

    /**
     * Construct an instance of SslContextFactory
@ -1005,6 +1007,16 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
        _endpointIdentificationAlgorithm = endpointIdentificationAlgorithm;
    }

+    public PKIXCertPathChecker getPkixCertPathChecker()
+    {
+        return _pkixCertPathChecker;
+    }
+
+    public void setPkixCertPathChecker(PKIXCertPathChecker pkixCertPatchChecker)
+    {
+        _pkixCertPathChecker = pkixCertPatchChecker;
+    }
+
    /**
     * Override this method to provide alternate way to load a keystore.
     *
@ -1105,36 +1117,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
            // Revocation checking is only supported for PKIX algorithm
            if (isValidatePeerCerts() && "PKIX".equalsIgnoreCase(getTrustManagerFactoryAlgorithm()))
            {
-                PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
-
-                // Set maximum certification path length
-                pbParams.setMaxPathLength(_maxCertPathLength);
-
-                // Make sure revocation checking is enabled
-                pbParams.setRevocationEnabled(true);
-
-                if (crls != null && !crls.isEmpty())
-                {
-                    pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
-                }
-
-                if (_enableCRLDP)
-                {
-                    // Enable Certificate Revocation List Distribution Points (CRLDP) support
-                    System.setProperty("com.sun.security.enableCRLDP", "true");
-                }
-
-                if (_enableOCSP)
-                {
-                    // Enable On-Line Certificate Status Protocol (OCSP) support
-                    Security.setProperty("ocsp.enable", "true");
-
-                    if (_ocspResponderURL != null)
-                    {
-                        // Override location of OCSP Responder
-                        Security.setProperty("ocsp.responderURL", _ocspResponderURL);
-                    }
-                }
+                PKIXBuilderParameters pbParams = newPKIXBuilderParameters(trustStore, crls);

                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
                trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
@ -1153,6 +1136,45 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
        return managers;
    }

+    protected PKIXBuilderParameters newPKIXBuilderParameters(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
+    {
+        PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
+
+        // Set maximum certification path length
+        pbParams.setMaxPathLength(_maxCertPathLength);
+
+        // Make sure revocation checking is enabled
+        pbParams.setRevocationEnabled(true);
+        
+        if (_pkixCertPathChecker!=null)
+        pbParams.addCertPathChecker(_pkixCertPathChecker);
+
+        if (crls != null && !crls.isEmpty())
+        {
+            pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
+        }
+
+        if (_enableCRLDP)
+        {
+            // Enable Certificate Revocation List Distribution Points (CRLDP) support
+            System.setProperty("com.sun.security.enableCRLDP", "true");
+        }
+
+        if (_enableOCSP)
+        {
+            // Enable On-Line Certificate Status Protocol (OCSP) support
+            Security.setProperty("ocsp.enable", "true");
+
+            if (_ocspResponderURL != null)
+            {
+                // Override location of OCSP Responder
+                Security.setProperty("ocsp.responderURL", _ocspResponderURL);
+            }
+        }
+        
+        return pbParams;
+    }
+    
    /**
     * Select protocols to be used by the connector
     * based on configured inclusion and exclusion lists
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
@ -52,6 +52,15 @@ public class SslContextFactoryTest
    public void setUp() throws Exception
    {
        cf = new SslContextFactory();
+        
+        java.security.cert.CertPathBuilder certPathBuilder = java.security.cert.CertPathBuilder.getInstance("PKIX");
+        java.security.cert.PKIXRevocationChecker revocationChecker = (java.security.cert.PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
+        revocationChecker.setOptions(java.util.EnumSet.of(
+            java.security.cert.PKIXRevocationChecker.Option.valueOf("PREFER_CRLS"),
+            java.security.cert.PKIXRevocationChecker.Option.valueOf("SOFT_FAIL"),
+            java.security.cert.PKIXRevocationChecker.Option.valueOf("NO_FALLBACK")));
+        cf.setPkixCertPathChecker(revocationChecker);
+        
    }

    @Test