From 3b621770d522d0a638ff833b120c4f84d16a120e Mon Sep 17 00:00:00 2001
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Thu, 1 Jul 2021 10:50:53 -0400
Subject: [PATCH] Modify SupplyChainCredentialValidator.validateCertChain to
 thoroughly validate cert path.

---
 .../SupplyChainCredentialValidator.java       | 52 +++++++++----------
 1 file changed, 25 insertions(+), 27 deletions(-)

diff --git a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
index 3bf33049..db85f6af 100644
--- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
@@ -1399,38 +1399,36 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
             throw new SupplyChainValidatorException(
                     "Certificate or validation certificates are null");
         }
+        final String intCAError = "Intermediate signing cert found, check for CA cert";
         String foundRootOfCertChain = "";
-        Iterator<X509Certificate> certIterator = additionalCerts.iterator();
-        X509Certificate trustedCert;
-        boolean issuerMatchesSubject = false;
-        boolean signatureMatchesPublicKey = false;
+        X509Certificate startOfChain = cert;
 
-        while (foundRootOfCertChain.isEmpty() && certIterator.hasNext()) {
-            trustedCert = certIterator.next();
-            issuerMatchesSubject = issuerMatchesSubjectDN(cert, trustedCert);
-            signatureMatchesPublicKey = signatureMatchesPublicKey(cert, trustedCert);
-            if (issuerMatchesSubject && signatureMatchesPublicKey) {
-                if (isSelfSigned(trustedCert)) {
-                    foundRootOfCertChain = "";
-                    LOGGER.info("CA Root found.");
-                    break;
-                } else if (!cert.equals(trustedCert)) {
-                    foundRootOfCertChain = "Intermediate signing cert found, check for CA cert "
-                            + cert.getIssuerDN().getName();
-                }
-            } else {
-                if (!issuerMatchesSubject) {
-                    foundRootOfCertChain = "Issuer DN does not match Subject DN";
-                }
-                if (!signatureMatchesPublicKey) {
-                    foundRootOfCertChain = "Certificate signature failed to verify";
+        do {
+            for (X509Certificate trustedCert : additionalCerts) {
+                boolean issuerMatchesSubject = issuerMatchesSubjectDN(startOfChain, trustedCert);
+                boolean signatureMatchesPublicKey = signatureMatchesPublicKey(startOfChain,
+                                                                                trustedCert);
+                if (issuerMatchesSubject && signatureMatchesPublicKey) {
+                    if (isSelfSigned(trustedCert)) {
+                        LOGGER.info("CA Root found.");
+                        return "";
+                    } else {
+                        foundRootOfCertChain = intCAError;
+                        startOfChain = trustedCert;
+                        break;
+                    }
+                } else {
+                    if (!issuerMatchesSubject) {
+                        foundRootOfCertChain = "Issuer DN does not match Subject DN";
+                    }
+                    if (!signatureMatchesPublicKey) {
+                        foundRootOfCertChain = "Certificate signature failed to verify";
+                    }
                 }
             }
-        }
+        } while (foundRootOfCertChain.equals(intCAError));
 
-        if (!foundRootOfCertChain.isEmpty()) {
-            LOGGER.error(foundRootOfCertChain);
-        }
+        LOGGER.error(foundRootOfCertChain);
         return foundRootOfCertChain;
     }