How to enable revocation checking in a Spring Boot application?


I am developing a Spring Boot application with AdoptOpenJDK 11. I want to understand how I can enable revocation checking. By default PKIXCertPathValidator is being used and revocation checking is disabled. I have already set -Dcom.sun.security.enableCRLDP=true -Dcom.sun.net.ssl.checkRevocation=true as VM arguments and Security.setProperty("ocsp.enable", "true"), but they don't seem to have any effect: revocation checking is still disabled.

Any quick help is appreciated.




I have found two ways:

One way -

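@Configuration public class ContainerCustomizer {

    // Spring property. It is parsed with Boolean.parseBoolean(), so only the literal
    // "true" (case-insensitive) turns the check on; a missing or misspelt value
    // silently leaves revocation checking off.
    @Value("${isRevocationCheckEnabled}")
    private String isRevocationCheckEnabled;

    // Other Spring properties here (keyStore, keyStorePassword, keyAlias, keyStoreType,
    // clientAuth, protocol, enabledProtocol, trustStoreType, trustStore,
    // trustStorePassword, ciphers, port) -- containerFactory() reads them as fields.

    /**
     * Registers an additional HTTPS connector on the embedded Tomcat. The connector
     * is configured from the injected properties and has certificate revocation
     * checking switched on when {@code isRevocationCheckEnabled} is "true".
     *
     * @return the Tomcat factory with the extra connector registered
     */
    @Bean
    @Autowired
    public TomcatServletWebServerFactory containerFactory() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        boolean revocationEnabled = Boolean.parseBoolean(isRevocationCheckEnabled);
        tomcat.addAdditionalTomcatConnectors(createSSLConnector(keyStore, keyStorePassword, keyAlias, keyStoreType,
                clientAuth, protocol, enabledProtocol, trustStoreType, trustStore, trustStorePassword, ciphers, port,
                revocationEnabled));
        return tomcat;
    }

    /**
     * Builds an NIO HTTPS connector whose TLS settings come entirely from the arguments.
     *
     * @param keyStore            path of the server keystore
     * @param keyStorePassword    password of the server keystore
     * @param keyAlias            alias of the server key inside the keystore
     * @param keyStoreType        keystore type (e.g. JKS or PKCS12)
     * @param clientAuth          Tomcat clientAuth setting, e.g. "true", "false" or "want";
     *                            previously ignored in favour of a hard-coded "true"
     * @param protocol            currently unused: the connector is always created with
     *                            Http11NioProtocol because the configuration below casts to it
     * @param enabledProtocol     TLS protocol versions to enable
     * @param trustStoreType      truststore type (e.g. JKS or PKCS12)
     * @param trustStore          path of the truststore holding the client-certificate CAs
     * @param trustStorePassword  password of the truststore
     * @param ciphers             cipher suites to enable
     * @param port                listening port
     * @param isRevocationCheckEnabled whether client certificates are checked for revocation
     * @return the configured, not yet started, connector
     */
    private Connector createSSLConnector(String keyStore, String keyStorePassword, String keyAlias, String keyStoreType,
            String clientAuth, String protocol, String enabledProtocol, String trustStoreType, String trustStore,
            String trustStorePassword, String ciphers, int port, boolean isRevocationCheckEnabled) {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        Http11NioProtocol http11NioProtocol = (Http11NioProtocol) connector.getProtocolHandler();

        // Revocation checking is a property of the SSLHostConfig, not of the protocol
        // handler. With it enabled, the client-certificate path validation consults
        // CRL/OCSP, so the JVM needs to be able to reach those endpoints; the JDK
        // system/security properties named in the question still govern how the
        // status is fetched -- NOTE(review): confirm the exact behaviour for your JDK.
        // The host config is registered before the keystore/truststore setters below
        // -- NOTE(review): the setters are assumed to apply to this same default host
        // config; confirm against the Tomcat version in use.
        SSLHostConfig sslHostConfig = new SSLHostConfig();
        sslHostConfig.setRevocationEnabled(isRevocationCheckEnabled);
        http11NioProtocol.addSslHostConfig(sslHostConfig);

        // Absolute paths so Tomcat does not resolve them relative to catalina.base.
        File keystore = new File(keyStore);
        File truststore = new File(trustStore);
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setPort(port);

        http11NioProtocol.setKeystoreType(keyStoreType);
        http11NioProtocol.setKeystoreFile(keystore.getAbsolutePath());
        http11NioProtocol.setKeystorePass(keyStorePassword);
        http11NioProtocol.setKeyAlias(keyAlias);
        http11NioProtocol.setSSLEnabled(true);

        http11NioProtocol.setTruststoreType(trustStoreType);
        http11NioProtocol.setTruststoreFile(truststore.getAbsolutePath());
        http11NioProtocol.setTruststorePass(trustStorePassword);
        // Use the configured value instead of a hard-coded "true": the parameter was
        // passed in but never read, so the property had no effect.
        http11NioProtocol.setClientAuth(clientAuth);

        http11NioProtocol.setCiphers(ciphers);
        http11NioProtocol.setSslEnabledProtocols(enabledProtocol);
        return connector;
    }
}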

Second way -

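@Controller public class ContainerCustomizer implements TomcatConnectorCustomizer {

    // Spring property. Boolean.parseBoolean() means only "true" (case-insensitive)
    // enables the check; anything else, including a missing value, disables it.
    // Fixed from the original: the annotation used braces instead of "(\"${...}\")"
    // and the field was declared under a different name than the one read below.
    // NOTE(review): @Component is the usual stereotype for a connector customizer;
    // @Controller is kept only because that is what the post uses.
    @Value("${isRevocationCheckEnabled}")
    private String isRevocationCheckEnabled;

    /**
     * Switches certificate revocation checking on or off for every SSL host
     * configuration already attached to the connector.
     * <p>
     * Only NIO connectors are handled; any other protocol handler is left untouched
     * rather than failing with a ClassCastException. A connector that has no SSL
     * host configuration yet (SSL not configured before this customizer runs) is
     * also left as it is -- NOTE(review): confirm that the SSL configuration is
     * applied before customizers in your Spring Boot version.
     *
     * @param connector the Tomcat connector being customised
     */
    @Override
    public void customize(Connector connector) {
        if (!(connector.getProtocolHandler() instanceof Http11NioProtocol)) {
            return;
        }
        Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
        boolean revocationEnabled = Boolean.parseBoolean(isRevocationCheckEnabled);
        for (SSLHostConfig sslHostConfig : protocol.findSslHostConfigs()) {
            sslHostConfig.setRevocationEnabled(revocationEnabled);
        }
    }
}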