From dcf0dfc0bc35896fe670d7a94685d227f45618d2 Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Sat, 07 Jul 2007 21:50:13 +0000
Subject: [PATCH] Update the file-based trust manager provider so that it will reject client certificates that are expired or not yet valid.  Also update the SSL connection factory used by the client tools so that if an explicit trust store is provided, the validity of the server certificate will also be checked.

---
 opends/src/server/org/opends/server/tools/SSLConnectionFactory.java |   14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/opends/src/server/org/opends/server/tools/SSLConnectionFactory.java b/opends/src/server/org/opends/server/tools/SSLConnectionFactory.java
index 146c6be..57f0dbc 100644
--- a/opends/src/server/org/opends/server/tools/SSLConnectionFactory.java
+++ b/opends/src/server/org/opends/server/tools/SSLConnectionFactory.java
@@ -39,8 +39,10 @@
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 
 import org.opends.server.extensions.BlindTrustManagerProvider;
+import org.opends.server.util.ExpirationCheckTrustManager;
 import org.opends.server.util.SelectableCertificateKeyManager;
 
 import static org.opends.server.messages.ToolMessages.*;
@@ -107,8 +109,16 @@
         trustManagers = PromptTrustManager.getTrustManagers();
       } else
       {
-        trustManagers = getTrustManagers(KeyStore.getDefaultType(),
-                            null, trustStorePath, trustStorePassword);
+        TrustManager[] tmpTrustManagers =
+             getTrustManagers(KeyStore.getDefaultType(), null, trustStorePath,
+                              trustStorePassword);
+        trustManagers = new TrustManager[tmpTrustManagers.length];
+        for (int i=0; i < trustManagers.length; i++)
+        {
+          trustManagers[i] =
+               new ExpirationCheckTrustManager((X509TrustManager)
+                                               tmpTrustManagers[i]);
+        }
       }
       if(keyStorePath != null)
       {
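Review bot: The cast `(X509TrustManager) tmpTrustManagers[i]` on the new side is unchecked, so a TrustManagerFactory that returns a trust manager of another type would fail with a bare ClassCastException inside the loop instead of a clear configuration error. Guard it with `if (!(tmpTrustManagers[i] instanceof X509TrustManager))` and fail on the same error path the method already uses for trust-store problems, rather than passing the element through unwrapped, since an unwrapped element would silently skip the validity check this commit adds. A short comment above the loop, e.g. `// Wrap each trust manager so expired or not-yet-valid server certificates are rejected; the PromptTrustManager branch above is intentionally left unwrapped.`, would make the intent and the asymmetry explicit. The enclosing method begins and ends outside this hunk.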
