From 83a7566eacebec5199f2c3efa77b1e76d1b49c55 Mon Sep 17 00:00:00 2001
From: akila94
Date: Thu, 29 Feb 2024 14:25:36 +0530
Subject: [PATCH] Fix issue with issuer cert selection

---
 .../CertificateVerificationManager.java | 36 +++++++++++--------
 1 file changed, 22 insertions(+), 14 deletions(-)

diff --git a/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/certificatevalidation/CertificateVerificationManager.java b/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/certificatevalidation/CertificateVerificationManager.java
index b55834cbdb..1a5f4226f2 100644
--- a/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/certificatevalidation/CertificateVerificationManager.java
+++ b/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/certificatevalidation/CertificateVerificationManager.java
@@ -126,6 +126,7 @@ public void verifyCertificateValidity(javax.security.cert.X509Certificate[] peer
 CRLCache crlCache = CRLCache.getCache(cacheSize, cacheDelayMins);
 RevocationVerifier[] verifiers = {new OCSPVerifier(ocspCache), new CRLVerifier(crlCache)};
+ RevocationStatus revocationStatus = null;
 for (RevocationVerifier verifier : verifiers) {
 try {
@@ -142,8 +143,8 @@ public void verifyCertificateValidity(javax.security.cert.X509Certificate[] peer
 CertificatePathValidator pathValidator = new CertificatePathValidator(convertedCertificates, verifier);
 pathValidator.validatePath();
+ return;
 } else {
-
 if (isCertExpiryValidationEnabled) {
 log.debug("Validating the client certificate for expiry");
 if (isExpired(convertedCertificates)) {
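Review bot: The hoisted `RevocationStatus revocationStatus = null;` in the first hunk is only ever assigned in the non-full-chain branch, so it is still null whenever the full-chain branch exits through the new `return;` after `pathValidator.validatePath()` in the second hunk, or when every verifier throws into the surrounding catch. Whatever reads it after the loop is outside these hunks; that code needs a null-safe form such as `RevocationStatus.GOOD.equals(revocationStatus)` rather than calling a method on the variable. A short comment on the declaration, `// null until a verifier returns a status; the full-chain branch never sets it`, would make that contract visible at the point of declaration. verifyCertificateValidity starts and ends outside these hunks.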
@@ -153,9 +154,11 @@ public void verifyCertificateValidity(javax.security.cert.X509Certificate[] peer
 log.debug("Validating client certificate with the issuer certificate retrieved from" + "the trust store");
- verifier.checkRevocationStatus(peerCert, issuerCert);
+ revocationStatus = verifier.checkRevocationStatus(peerCert, issuerCert);
+ if (!RevocationStatus.GOOD.toString().equals(revocationStatus.toString())) {
+ return;
+ }
 }
- return;
 } catch (Exception e) {
 log.debug("Certificate verification with " + verifier.getClass().getSimpleName() + " failed. ", e);
 }
@@ -237,6 +240,7 @@ public X509Certificate getVerifiedIssuerCertOfPeerCert(X509Certificate peerCert,
 return cachedIssuerCert;
 }
 } else {
+ boolean isIssuerCertVerified = false;
 KeyStore trustStore = TrustStoreHolder.getInstance().getClientTrustStore();
 Enumeration aliases;
 X509Certificate issuerCert = null;
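Review bot: The new status check returns from verifyCertificateValidity as soon as a verifier reports anything other than GOOD, which is the same normal exit the full-chain branch takes after a successful `validatePath()`, so a REVOKED or UNKNOWN answer from OCSP or CRL looks like it is accepted while a GOOD answer merely moves on to the next verifier; the post-loop code that decides the final outcome is outside the hunk, so confirm this is not inverted. If a normal return means the peer certificate is accepted, the branch should read `if (RevocationStatus.GOOD.equals(revocationStatus)) { return; }` and a non-GOOD status should fall through to the failure path, with a definite REVOKED ideally not being masked by a later verifier. Comparing through `toString()` also dereferences revocationStatus, so a null from a verifier becomes a NullPointerException that the `catch (Exception e)` below logs only at debug level; `RevocationStatus.GOOD.equals(revocationStatus)` (or `==` if RevocationStatus is an enum) is null-safe and clearer. verifyCertificateValidity starts and ends outside the hunk.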
@@ -263,23 +267,27 @@ public X509Certificate getVerifiedIssuerCertOfPeerCert(X509Certificate peerCert,
 try {
 peerCert.verify(issuerCert.getPublicKey());
-
- log.debug("Valid issuer certificate found in the client truststore. Caching..");
-
- // Store the valid issuer cert in cache for future use
- certCache.setCacheValue(peerCert.getSerialNumber().toString(), issuerCert);
- if (log.isDebugEnabled()) {
- log.debug("Issuer certificate with serial number: " + issuerCert.getSerialNumber() .toString() + " has been cached against the serial number: " + peerCert .getSerialNumber().toString() + " of the peer certificate.");
- }
+ isIssuerCertVerified = true;
 break;
 } catch (SignatureException | CertificateException | NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException e) {
 // Unable to verify the signature. Check with the next certificate in the next loop traversal.
 }
 }
- return issuerCert;
+
+ if (isIssuerCertVerified) {
+ log.debug("Valid issuer certificate found in the client truststore. Caching..");
+ // Store the valid issuer cert in cache for future use
+ certCache.setCacheValue(peerCert.getSerialNumber().toString(), issuerCert);
+ if (log.isDebugEnabled()) {
+ log.debug("Issuer certificate with serial number: " + issuerCert.getSerialNumber() .toString() + " has been cached against the serial number: " + peerCert .getSerialNumber().toString() + " of the peer certificate.");
+ }
+ return issuerCert;
+ } else {
+ throw new CertificateVerificationException("Certificate verification failed.");
+ }
 }
 }
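Review bot: The new failure branch throws `CertificateVerificationException("Certificate verification failed.")`, a message that does not say the problem is that no truststore entry verified the peer certificate's signature, which is the one thing an operator needs to know to fix it; since the peer serial is already in hand for the cache key, prefer `throw new CertificateVerificationException("No certificate in the client truststore verifies the signature of the peer certificate with serial number " + peerCert.getSerialNumber() + ".");`. The candidate loop, whose header is above the hunk, calls `peerCert.verify(issuerCert.getPublicKey())` against every entry and swallows the failures; a `peerCert.getIssuerX500Principal().equals(issuerCert.getSubjectX500Principal())` pre-check before the signature verification would skip unrelated entries cheaply. The cache key `peerCert.getSerialNumber().toString()` is only unique per issuer, so if the lookup at the top of the method uses the same key, two peer certificates from different CAs that share a serial would share a slot; that is pre-existing, but the moved caching code is the natural place to key by issuer and serial. getVerifiedIssuerCertOfPeerCert starts outside the hunk.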