Add certificate revocation checking options to TLS configuration panel

13 years ago · aad6f7cb26
parent b5bbadd2bc
commit aad6f7cb26
4 changed files with 78 additions and 19 deletions
--- a/resources/languages/resources.properties
+++ b/resources/languages/resources.properties
@ -1639,6 +1639,9 @@ plugin.certconfig.FILE_TYPE_DESCRIPTION=Certificate stores (PKCS#11 Module, PKCS
 plugin.certconfig.ALIAS_LOAD_EXCEPTION=Unable to obtain aliases from keystore ({0}).
 plugin.certconfig.INVALID_KEYSTORE_TYPE=The selected Keystore type seems to be invalid ({0}).
 plugin.certconfig.BROWSE_KEYSTORE=Open KeyStore
+plugin.certconfig.REVOCATION_TITLE=Certificate revocation options
+plugin.certconfig.REVOCATION_CHECK_ENABLED=CRL (Certificate Revocation List) check enabled
+plugin.certconfig.REVOCATION_OCSP_ENABLED=OCSP (Online Certificate Status Protocol) check enabled

 #Phone number contact source plugin
 plugin.phonenumbercontactsource.DISPLAY_NAME=Phone numbers
--- a/src/net/java/sip/communicator/impl/certificate/CertificateServiceImpl.java
+++ b/src/net/java/sip/communicator/impl/certificate/CertificateServiceImpl.java
@ -154,6 +154,13 @@ public CertificateServiceImpl()
    {
        setTrustStore();
        config.addPropertyChangeListener(PNAME_TRUSTSTORE_TYPE, this);
+
+        System.setProperty("com.sun.security.enableCRLDP",
+            config.getString(PNAME_REVOCATION_CHECK_ENABLED, "false"));
+        System.setProperty("com.sun.net.ssl.checkRevocation",
+            config.getString(PNAME_REVOCATION_CHECK_ENABLED, "false"));
+        Security.setProperty("ocsp.enable",
+            config.getString(PNAME_OCSP_ENABLED, "false"));
    }

    public void propertyChange(PropertyChangeEvent evt)
@ -166,17 +173,7 @@ private void setTrustStore()
        String tsType = (String)config.getProperty(PNAME_TRUSTSTORE_TYPE);
        String tsFile = (String)config.getProperty(PNAME_TRUSTSTORE_FILE);
        String tsPassword = credService.loadPassword(PNAME_TRUSTSTORE_PASSWORD);
-
-        //TODO remove this as soon as we ship with JRE 1.7
-        //remove windows root from x64 on Java < 1.7
-        if (!(OSUtils.IS_WINDOWS32
-                || (OSUtils.IS_WINDOWS
-                    && System.getProperty("java.version").startsWith("1.7"))))
-        {
-            tsType = null;
-            config.removeProperty(CertificateService.PNAME_TRUSTSTORE_TYPE);
-        }
-
+
        if(tsType != null)
            System.setProperty("javax.net.ssl.trustStoreType", tsType);
        else
--- a/src/net/java/sip/communicator/plugin/certconfig/CertConfigPanel.java
+++ b/src/net/java/sip/communicator/plugin/certconfig/CertConfigPanel.java
@ -8,6 +8,7 @@

 import java.awt.*;
 import java.awt.event.*;
+import java.security.*;

 import javax.swing.*;
 import javax.swing.border.*;
@ -45,7 +46,8 @@ public class CertConfigPanel
    private JTable tblCertList;
    private JRadioButton rdoUseWindows;
    private JRadioButton rdoUseJava;
-
+    private SIPCommCheckBox chkEnableRevocationCheck;
+    private SIPCommCheckBox chkEnableOcsp;

    // ------------------------------------------------------------------------
    // initialization
@ -63,17 +65,15 @@ public CertConfigPanel()

    private void initComponents()
    {
-        this.setLayout(new BorderLayout());
+        this.setLayout(new BoxLayout(this, BoxLayout.Y_AXIS));

-        //TODO change to OSUtils.IS_WINDOWS as soon as we ship with JRE 1.7
-        if (OSUtils.IS_WINDOWS32
-            || (OSUtils.IS_WINDOWS
-                && System.getProperty("java.version").startsWith("1.7")))
+        // trusted root CA source selection
+        if (OSUtils.IS_WINDOWS)
        {
            JPanel pnlCertConfig = new TransparentPanel(new GridLayout(2, 1));
            pnlCertConfig.setBorder(BorderFactory.createTitledBorder(
                R.getI18NString("plugin.certconfig.TRUSTSTORE_CONFIG")));
-            add(pnlCertConfig, BorderLayout.NORTH);
+            add(pnlCertConfig);

            ButtonGroup grpTrustStore = new ButtonGroup();

@ -102,10 +102,33 @@ private void initComponents()
            }
        }

+        // revocation options
+        JPanel pnlRevocation = new TransparentPanel(new GridLayout(2, 1));
+        pnlRevocation.setBorder(BorderFactory.createTitledBorder(
+            R.getI18NString("plugin.certconfig.REVOCATION_TITLE")));
+        add(pnlRevocation);
+
+        chkEnableRevocationCheck = new SIPCommCheckBox(
+            R.getI18NString("plugin.certconfig.REVOCATION_CHECK_ENABLED"));
+        chkEnableRevocationCheck.addActionListener(this);
+        chkEnableRevocationCheck.setSelected(
+            "true".equals(
+                System.getProperty("com.sun.net.ssl.checkRevocation")));
+        pnlRevocation.add(chkEnableRevocationCheck);
+
+        chkEnableOcsp = new SIPCommCheckBox(
+            R.getI18NString("plugin.certconfig.REVOCATION_OCSP_ENABLED"));
+        chkEnableOcsp.addActionListener(this);
+        chkEnableOcsp.setSelected(
+            "true".equals(Security.getProperty("ocsp.enable")));
+        chkEnableOcsp.setEnabled(chkEnableRevocationCheck.isSelected());
+        pnlRevocation.add(chkEnableOcsp);
+
+        // Client certificate authentication list
        JPanel pnlCertList = new TransparentPanel(new BorderLayout());
        pnlCertList.setBorder(BorderFactory.createTitledBorder(
            R.getI18NString("plugin.certconfig.CERT_LIST_TITLE")));
-        add(pnlCertList, BorderLayout.CENTER);
+        add(pnlCertList);

        JLabel lblNote = new JLabel();
        lblNote.setText(
@ -192,6 +215,27 @@ public void actionPerformed(ActionEvent e)
            CertConfigActivator.getCredService().removePassword(
                CertificateService.PNAME_TRUSTSTORE_PASSWORD);
        }
+        if (e.getSource() == chkEnableRevocationCheck)
+        {
+            CertConfigActivator.getConfigService().setProperty(
+                CertificateService.PNAME_REVOCATION_CHECK_ENABLED,
+                chkEnableRevocationCheck.isSelected());
+
+            String enabled = new Boolean(
+                chkEnableRevocationCheck.isSelected()).toString();
+            System.setProperty("com.sun.security.enableCRLDP", enabled);
+            System.setProperty("com.sun.net.ssl.checkRevocation", enabled);
+            chkEnableOcsp.setEnabled(chkEnableRevocationCheck.isSelected());
+        }
+        if (e.getSource() == chkEnableOcsp)
+        {
+            CertConfigActivator.getConfigService().setProperty(
+                CertificateService.PNAME_OCSP_ENABLED,
+                chkEnableOcsp.isSelected());
+
+            Security.setProperty("ocsp.enable",
+                new Boolean(chkEnableOcsp.isSelected()).toString());
+        }
    }

    // ------------------------------------------------------------------------
--- a/src/net/java/sip/communicator/service/certificate/CertificateService.java
+++ b/src/net/java/sip/communicator/service/certificate/CertificateService.java
@ -67,6 +67,21 @@ public interface CertificateService
    public static final String PNAME_TRUSTSTORE_PASSWORD =
        "net.java.sip.communicator.service.cert.truststore.password";

+    /**
+     * Property that is being applied to the system properties
+     * <tt>com.sun.net.ssl.checkRevocation</tt> and
+     * <tt>com.sun.security.enableCRLDP</tt>
+     */
+    public static final String PNAME_REVOCATION_CHECK_ENABLED =
+        "net.java.sip.communicator.service.cert.revocation.enabled";
+
+    /**
+     * Property that is being applied to the Security property
+     * <tt>ocsp.enable</tt>
+     */
+    public static final String PNAME_OCSP_ENABLED =
+        "net.java.sip.communicator.service.cert.ocsp.enabled";
+
    // ------------------------------------------------------------------------
    // constants
    // ------------------------------------------------------------------------