Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 22270103F0 for ; Mon, 9 Sep 2013 16:10:56 +0000 (UTC) Received: (qmail 73841 invoked by uid 500); 9 Sep 2013 16:10:55 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 73697 invoked by uid 500); 9 Sep 2013 16:10:53 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 73643 invoked by uid 99); 9 Sep 2013 16:10:52 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 09 Sep 2013 16:10:52 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 09 Sep 2013 16:10:49 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 6DA2C2388A4A; Mon, 9 Sep 2013 16:10:28 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1521174 - in /cxf/trunk/services/xkms/xkms-x509-handlers/src: main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java Date: Mon, 09 Sep 2013 16:10:28 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20130909161028.6DA2C2388A4A@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: coheigea Date: Mon Sep 9 16:10:27 2013 New Revision: 1521174 URL: http://svn.apache.org/r1521174 Log: Fixing XKMS CRL checking in JDK 1.7 + re-enabling test Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java?rev=1521174&r1=1521173&r2=1521174&view=diff ============================================================================== --- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java (original) +++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java Mon Sep 9 16:10:27 2013 @@ -21,8 +21,11 @@ package org.apache.cxf.xkms.x509.validat import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; +import java.security.cert.CertPath; import java.security.cert.CertPathBuilder; import java.security.cert.CertPathBuilderException; +import java.security.cert.CertPathValidator; +import java.security.cert.CertPathValidatorException; import java.security.cert.CertStore; import java.security.cert.CertStoreParameters; import java.security.cert.CollectionCertStoreParameters; 
@@ -72,16 +75,22 @@ public class TrustedAuthorityValidator i
 Set trustAnchors = asTrustAnchors(trustedAuthorityCerts);
 CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
 CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
- CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
 PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
 pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
 pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
- pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
- if (crls.isEmpty()) {
- pkixParams.setRevocationEnabled(false);
- }
+ pkixParams.setRevocationEnabled(false);
+
 CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
- builder.build(pkixParams);
+ CertPath certPath = builder.build(pkixParams).getCertPath();
+
+ // Now validate the CertPath including CRL checking
+ if (!crls.isEmpty()) {
+ pkixParams.setRevocationEnabled(true);
+ CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
+ pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
+ CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+ validator.validate(certPath, pkixParams);
+ }
 } catch (InvalidAlgorithmParameterException e) {
 throw new RuntimeException(e);
 } catch (NoSuchAlgorithmException e) {
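Review bot: Revocation checking is skipped without any trace when `crls` is empty: the new `if (!crls.isEmpty())` block has no else branch, so a certificate is reported valid on path building alone and nothing in the log shows that its revocation status was never looked at. That fail-open case predates this commit, but it would be worth making it visible here, for example with `} else { LOG.log(Level.WARNING, "No CRLs available, revocation status not checked"); }`, or letting the caller decide whether an empty CRL set should reject. The single comment above the block could also say why the build step runs with revocation off and the validator then reuses the same `pkixParams`, e.g. `// Build the path without revocation, then validate that path against the CRLs`. The enclosing method starts above the hunk.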
@@ -89,6 +98,9 @@ public class TrustedAuthorityValidator i
 } catch (CertPathBuilderException e) {
 LOG.log(Level.INFO, e.getMessage(), e);
 return false;
+ } catch (CertPathValidatorException e) {
+ LOG.log(Level.INFO, e.getMessage(), e);
+ return false;
 }
 return true;
 }
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java?rev=1521174&r1=1521173&r2=1521174&view=diff ============================================================================== --- cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java (original) +++ cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java Mon Sep 9 16:10:27 2013 @@ -34,7 +34,6 @@ import org.apache.cxf.xkms.model.xkms.Us import org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo; import org.junit.Assert; import org.junit.Before; -import org.junit.Ignore; import org.junit.Test; public class TrustedAuthorityValidatorCRLTest extends BasicValidationTest { @@ -83,11 +82,7 @@ public class TrustedAuthorityValidatorCR certificateRepo.saveCRL(crl, crlKey); } - /** - * FIXME Fails on JDK 7 - */ @Test - @Ignore public void testIsCertChainValid() throws CertificateException { TrustedAuthorityValidator validator = new TrustedAuthorityValidator(certificateRepo); Assert.assertTrue("Root should be valid",
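Review bot: The new `catch (CertPathValidatorException e)` handler in the `-89,6 +98,9` hunk of TrustedAuthorityValidator.java logs a validation or revocation rejection with the same bare `e.getMessage()` at INFO as the path-building failure above it, so the two outcomes are hard to tell apart when reading the log. Naming the stage and the failing position would help, e.g. `LOG.log(Level.INFO, "Certificate path validation failed at index " + e.getIndex() + ": " + e.getMessage(), e);`. A one-line comment that both handlers deliberately map the exception to `false` instead of propagating it would document the contract for callers. The method body starts outside the hunk.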