|
@@ -76,12 +76,6 @@ public class CertificateManager implements X509TrustManager {
|
76
|
76
|
private final AggregateConfigProvider config;
|
77
|
77
|
/** The set of CAs from the global cacert file. */
|
78
|
78
|
private final Set<X509Certificate> globalTrustedCAs = new HashSet<>();
|
79
|
|
- /** Whether or not to the issue and expiry dates of the certificate. */
|
80
|
|
- private final boolean checkDate;
|
81
|
|
- /** Whether or not to the issuer of the certificate. */
|
82
|
|
- private final boolean checkIssuer;
|
83
|
|
- /** Whether or not to the hostname of the certificate. */
|
84
|
|
- private final boolean checkHost;
|
85
|
79
|
/** Used to synchronise the manager with the certificate dialog. */
|
86
|
80
|
private final Semaphore actionSem = new Semaphore(0);
|
87
|
81
|
/** The event bus to post errors to. */
|
|
@@ -114,9 +108,6 @@ public class CertificateManager implements X509TrustManager {
|
114
|
108
|
this.connection = connection;
|
115
|
109
|
this.serverName = serverName;
|
116
|
110
|
this.config = config;
|
117
|
|
- this.checkDate = config.getOptionBool("ssl", "checkdate");
|
118
|
|
- this.checkIssuer = config.getOptionBool("ssl", "checkissuer");
|
119
|
|
- this.checkHost = config.getOptionBool("ssl", "checkhost");
|
120
|
111
|
this.userSettings = userSettings;
|
121
|
112
|
this.eventBus = eventBus;
|
122
|
113
|
this.keyStoreLocator = new KeyStoreLocator();
|
|
@@ -331,26 +322,22 @@ public class CertificateManager implements X509TrustManager {
|
331
|
322
|
for (X509Certificate cert : chain) {
|
332
|
323
|
final TrustResult trustResult = isTrusted(cert);
|
333
|
324
|
|
334
|
|
- if (checkDate) {
|
335
|
|
- // Check that the certificate is in-date
|
336
|
|
- try {
|
337
|
|
- cert.checkValidity();
|
338
|
|
- } catch (CertificateException ex) {
|
339
|
|
- problems.add(ex);
|
340
|
|
- }
|
|
325
|
+ // Check that the certificate is in-date
|
|
326
|
+ try {
|
|
327
|
+ cert.checkValidity();
|
|
328
|
+ } catch (CertificateException ex) {
|
|
329
|
+ problems.add(ex);
|
341
|
330
|
}
|
342
|
331
|
|
343
|
|
- if (checkIssuer) {
|
344
|
|
- // Check that we trust an issuer
|
345
|
|
- verified |= trustResult.isTrusted();
|
346
|
|
- }
|
|
332
|
+ // Check that we trust an issuer
|
|
333
|
+ verified |= trustResult.isTrusted();
|
347
|
334
|
|
348
|
335
|
if (trustResult == TrustResult.TRUSTED_MANUALLY) {
|
349
|
336
|
manual = true;
|
350
|
337
|
}
|
351
|
338
|
}
|
352
|
339
|
|
353
|
|
- if (!verified && checkIssuer) {
|
|
340
|
+ if (!verified) {
|
354
|
341
|
problems.add(new CertificateNotTrustedException("Issuer is not trusted"));
|
355
|
342
|
}
|
356
|
343
|
return manual;
|
|
@@ -362,12 +349,10 @@ public class CertificateManager implements X509TrustManager {
|
362
|
349
|
* @param chain The chain of certificates to check.
|
363
|
350
|
*/
|
364
|
351
|
private void checkHost(final X509Certificate... chain) {
|
365
|
|
- if (checkHost) {
|
366
|
|
- // Check that the cert is issued to the correct host
|
367
|
|
- if (!isValidHost(chain[0])) {
|
368
|
|
- problems.add(new CertificateDoesntMatchHostException(
|
369
|
|
- "Certificate was not issued to " + serverName));
|
370
|
|
- }
|
|
352
|
+ // Check that the cert is issued to the correct host
|
|
353
|
+ if (!isValidHost(chain[0])) {
|
|
354
|
+ problems.add(new CertificateDoesntMatchHostException(
|
|
355
|
+ "Certificate was not issued to " + serverName));
|
371
|
356
|
}
|
372
|
357
|
}
|
373
|
358
|
|
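Review bot: In the trust loop, `verified |= trustResult.isTrusted()` still marks the whole chain verified as soon as any single element is trusted, and nothing in this hunk checks that each certificate is actually signed by the next one; now that the issuer check can no longer be switched off, that contract deserves to be explicit. If `isTrusted(cert)` does not perform path validation itself (its body is not visible here), a chain could be accepted merely by including a trusted CA certificate alongside an unrelated leaf. I would add above the `for` loop `// NOTE: the chain is accepted if ANY element is trusted; signature linkage between elements is not verified here — confirm isTrusted() covers it.` and, because the `ssl.checkdate`/`checkissuer`/`checkhost` keys are now read nowhere and silently ignored, a one-line javadoc note on the class stating that date, issuer and hostname checks are always performed. The enclosing method begins before this hunk.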