From dcf0dfc0bc35896fe670d7a94685d227f45618d2 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Sat, 07 Jul 2007 21:50:13 +0000
Subject: [PATCH] Update the file-based trust manager provider so that it will reject client certificates that are expired or not yet valid. Also update the SSL connection factory used by the client tools so that if an explicit trust store is provided, the validity of the server certificate will also be checked.
---
opends/src/server/org/opends/server/messages/UtilityMessages.java | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 58 insertions(+), 0 deletions(-)
diff --git a/opends/src/server/org/opends/server/messages/UtilityMessages.java b/opends/src/server/org/opends/server/messages/UtilityMessages.java
index da43bc9..c5554c6 100644
--- a/opends/src/server/org/opends/server/messages/UtilityMessages.java
+++ b/opends/src/server/org/opends/server/messages/UtilityMessages.java
@@ -1668,6 +1668,51 @@
CATEGORY_MASK_UTIL | SEVERITY_MASK_SEVERE_ERROR | 158;
+
+ /**
+ * The message ID for the message that will be used if a client certificate is
+ * rejected because it is expired. This takes two arguments, which are the
+ * subject DN of the certificate and a string representation of the notAfter
+ * date.
+ */
+ public static final int MSGID_EXPCHECK_TRUSTMGR_CLIENT_CERT_EXPIRED =
+ CATEGORY_MASK_UTIL | SEVERITY_MASK_SEVERE_ERROR | 159;
+
+
+
+ /**
+ * The message ID for the message that will be used if a client certificate is
+ * rejected because it is not yet valid. This takes two arguments, which are
+ * the subject DN of the certificate and a string representation of the
+ * notBefore date.
+ */
+ public static final int MSGID_EXPCHECK_TRUSTMGR_CLIENT_CERT_NOT_YET_VALID =
+ CATEGORY_MASK_UTIL | SEVERITY_MASK_SEVERE_ERROR | 160;
+
+
+
+ /**
+ * The message ID for the message that will be used if a server certificate is
+ * rejected because it is expired. This takes two arguments, which are the
+ * subject DN of the certificate and a string representation of the notAfter
+ * date.
+ */
+ public static final int MSGID_EXPCHECK_TRUSTMGR_SERVER_CERT_EXPIRED =
+ CATEGORY_MASK_UTIL | SEVERITY_MASK_SEVERE_ERROR | 161;
+
+
+
+ /**
+ * The message ID for the message that will be used if a server certificate is
+ * rejected because it is not yet valid. This takes two arguments, which are
+ * the subject DN of the certificate and a string representation of the
+ * notBefore date.
+ */
+ public static final int MSGID_EXPCHECK_TRUSTMGR_SERVER_CERT_NOT_YET_VALID =
+ CATEGORY_MASK_UTIL | SEVERITY_MASK_SEVERE_ERROR | 162;
+
+
+
/**
* Associates a set of generic messages with the message IDs defined in this
* class.
@@ -2222,6 +2267,19 @@
registerMessage(MSGID_RENAMEFILE_CANNOT_RENAME,
"Failed to rename file %s to %s");
+
+ registerMessage(MSGID_EXPCHECK_TRUSTMGR_CLIENT_CERT_EXPIRED,
+ "Refusing to trust client or issuer certificate '%s' " +
+ "because it expired on %s");
+ registerMessage(MSGID_EXPCHECK_TRUSTMGR_CLIENT_CERT_NOT_YET_VALID,
+ "Refusing to trust client or issuer certificate '%s' " +
+ "because it is not valid until %s");
+ registerMessage(MSGID_EXPCHECK_TRUSTMGR_SERVER_CERT_EXPIRED,
+ "Refusing to trust server or issuer certificate '%s' " +
+ "because it expired on %s");
+ registerMessage(MSGID_EXPCHECK_TRUSTMGR_SERVER_CERT_NOT_YET_VALID,
+ "Refusing to trust server or issuer certificate '%s' " +
+ "because it is not valid until %s");
}
}
--
Gitblit v1.10.0