Modify SupplyChainCredentialValidator.validateCertChain to thoroughly validate cert path.

2025-04-07 11:26:51 +00:00 · 2021-07-01 10:50:53 -04:00 · 2021-07-01 10:50:53 -04:00 · 3b621770d5
commit 3b621770d5
parent 0f8d41e78f
1 changed files with 25 additions and 27 deletions
--- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
@ -1399,38 +1399,36 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
            throw new SupplyChainValidatorException(
                    "Certificate or validation certificates are null");
        }
+        final String intCAError = "Intermediate signing cert found, check for CA cert";
        String foundRootOfCertChain = "";
-        Iterator<X509Certificate> certIterator = additionalCerts.iterator();
-        X509Certificate trustedCert;
-        boolean issuerMatchesSubject = false;
-        boolean signatureMatchesPublicKey = false;
+        X509Certificate startOfChain = cert;

-        while (foundRootOfCertChain.isEmpty() && certIterator.hasNext()) {
-            trustedCert = certIterator.next();
-            issuerMatchesSubject = issuerMatchesSubjectDN(cert, trustedCert);
-            signatureMatchesPublicKey = signatureMatchesPublicKey(cert, trustedCert);
-            if (issuerMatchesSubject && signatureMatchesPublicKey) {
-                if (isSelfSigned(trustedCert)) {
-                    foundRootOfCertChain = "";
-                    LOGGER.info("CA Root found.");
-                    break;
-                } else if (!cert.equals(trustedCert)) {
-                    foundRootOfCertChain = "Intermediate signing cert found, check for CA cert "
-                            + cert.getIssuerDN().getName();
-                }
-            } else {
-                if (!issuerMatchesSubject) {
-                    foundRootOfCertChain = "Issuer DN does not match Subject DN";
-                }
-                if (!signatureMatchesPublicKey) {
-                    foundRootOfCertChain = "Certificate signature failed to verify";
+        do {
+            for (X509Certificate trustedCert : additionalCerts) {
+                boolean issuerMatchesSubject = issuerMatchesSubjectDN(startOfChain, trustedCert);
+                boolean signatureMatchesPublicKey = signatureMatchesPublicKey(startOfChain,
+                                                                                trustedCert);
+                if (issuerMatchesSubject && signatureMatchesPublicKey) {
+                    if (isSelfSigned(trustedCert)) {
+                        LOGGER.info("CA Root found.");
+                        return "";
+                    } else {
+                        foundRootOfCertChain = intCAError;
+                        startOfChain = trustedCert;
+                        break;
+                    }
+                } else {
+                    if (!issuerMatchesSubject) {
+                        foundRootOfCertChain = "Issuer DN does not match Subject DN";
+                    }
+                    if (!signatureMatchesPublicKey) {
+                        foundRootOfCertChain = "Certificate signature failed to verify";
+                    }
                }
            }
-        }
+        } while (foundRootOfCertChain.equals(intCAError));

-        if (!foundRootOfCertChain.isEmpty()) {
-            LOGGER.error(foundRootOfCertChain);
-        }
+        LOGGER.error(foundRootOfCertChain);
        return foundRootOfCertChain;
    }