manage-certificates check usability improvement

Updated the manage-certificates check-certificate-usability command to add an additional check to see whether the certificate at the root of the chain is found in the JVM's set of trusted issuer certificates. If the CA certificate is not found in the JVM's default trust store, a notice will be displayed, but the tool will still complete with a success result.
pingidentity · Nov 13, 2019 · f2bf477 · f2bf477
1 parent 5e7e907
commit f2bf477
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 0 deletions.
diff --git a/docs/release-notes.html b/docs/release-notes.html
@@ -56,6 +56,15 @@ <h3>Version 4.0.13</h3>
                   <br><br>
                 </li>
 
+                <li>
+                  Updated the manage-certificates check-certificate-usability command to add an
+                  additional check to see whether the certificate at the root of the chain is
+                  found in the JVM's set of trusted issuer certificates.  If the CA certificate
+                  is not found in the JVM's default trust store, a notice will be displayed, but
+                  the tool will still complete with a success result.
+                  <br><br>
+                </li>
+
                 <li>
                   Made the <tt>ManageCertificates.readCertificatesFromFile</tt> method public so
                   that it can be used outside of the LDAP SDK.  This method can be used to read a

diff --git a/messages/unboundid-ldapsdk-cert.properties b/messages/unboundid-ldapsdk-cert.properties
@@ -2086,6 +2086,16 @@ ERR_MANAGE_CERTS_CHECK_USABILITY_CHAIN_ISSUER_MISMATCH=ERROR:  The \
 INFO_MANAGE_CERTS_CHECK_USABILITY_CHAIN_COMPLETE=OK:  The certificate chain \
   is complete.  Each subsequent certificate is the issuer for the previous \
   certificate in the chain, and the chain ends with a self-signed certificate.
+INFO_MANAGE_CERTS_CHECK_USABILITY_CA_TRUSTED_OK=OK:  CA certificate ''{0}'' \
+  was found in the JVM's default set of trusted certificates.  Most clients \
+  will likely trust this issuer.
+NOTE_MANAGE_CERTS_CHECK_USABILITY_CA_NOT_IN_JVM_DEFAULT_TS=NOTICE:  CA \
+  certificate ''{0}'' was not found in the JVM's default set of trusted \
+  certificates.  Clients will likely need special configuration to trust this \
+  certificate chain. 
+WARN_MANAGE_CERTS_CHECK_USABILITY_CHECK_CA_IN_TS_ERROR=WARNING:  An error \
+  occurred while attempting to determine whether CA certificate ''{0}'' is \
+  contained in the JVM-default trust store:  {1}
 INFO_MANAGE_CERTS_CHECK_USABILITY_CERT_SIGNATURE_VALID=OK:  Certificate \
   ''{0}'' has a valid signature.
 ERR_MANAGE_CERTS_CHECK_USABILITY_END_CERT_NOT_YET_VALID=ERROR:  Certificate \

diff --git a/src/com/unboundid/util/ssl/cert/ManageCertificates.java b/src/com/unboundid/util/ssl/cert/ManageCertificates.java
@@ -8294,6 +8294,73 @@ else if ((chain.length == 1) || (! chain[chain.length - 1].isSelfSigned()))
     }
 
 
+    // If there are multiple certificates in the chain, and if the last
+    // certificate in the chain is self-signed, then check to see if it is
+    // contained in the JVM-default trust manager.  If it isn't, then we'll
+    // display a notice, but we won't consider it a warning in and of itself.
+    if ((chain.length > 1) && chain[chain.length-1].isSelfSigned())
+    {
+      final X509Certificate caCert = chain[chain.length-1];
+
+      try
+      {
+        final String jvmDefaultTrustStoreType =
+             inferKeystoreType(JVM_DEFAULT_CACERTS_FILE);
+        final KeyStore jvmDefaultTrustStore =
+             KeyStore.getInstance(jvmDefaultTrustStoreType);
+        try (FileInputStream inputStream =
+                  new FileInputStream(JVM_DEFAULT_CACERTS_FILE))
+        {
+          jvmDefaultTrustStore.load(inputStream, null);
+        }
+
+        boolean found = false;
+        final Enumeration<String> aliases = jvmDefaultTrustStore.aliases();
+        while (aliases.hasMoreElements())
+        {
+          final String jvmDefaultCertAlias = aliases.nextElement();
+          if (jvmDefaultTrustStore.isCertificateEntry(jvmDefaultCertAlias))
+          {
+            final Certificate c =
+                 jvmDefaultTrustStore.getCertificate(jvmDefaultCertAlias);
+            final X509Certificate xc = new X509Certificate(c.getEncoded());
+            if ((caCert.getSubjectDN().equals(xc.getSubjectDN())) &&
+                 Arrays.equals(caCert.getSignatureValue().getBits(),
+                      xc.getSignatureValue().getBits()))
+            {
+              found = true;
+              break;
+            }
+          }
+        }
+
+        if (found)
+        {
+          out();
+          wrapOut(0, WRAP_COLUMN,
+               INFO_MANAGE_CERTS_CHECK_USABILITY_CA_TRUSTED_OK.get(
+                    caCert.getSubjectDN()));
+        }
+        else
+        {
+          out();
+          wrapOut(0, WRAP_COLUMN,
+               NOTE_MANAGE_CERTS_CHECK_USABILITY_CA_NOT_IN_JVM_DEFAULT_TS.get(
+                    caCert.getSubjectDN()));
+        }
+      }
+      catch (final Exception e)
+      {
+        Debug.debugException(e);
+        err();
+        wrapErr(0, WRAP_COLUMN,
+             WARN_MANAGE_CERTS_CHECK_USABILITY_CHECK_CA_IN_TS_ERROR.get(
+                  caCert.getSubjectDN(), StaticUtils.getExceptionMessage(e)));
+        numWarnings++;
+      }
+    }
+
+
     // Make sure that the signature is valid for each certificate in the
     // chain.  If any certificate has an invalid signature, then that's an
     // error.