Merge pull request #379 from nsacyber/issue-345

[#345] Refactor recursion in SupplyChainCredentialValidator.validateCertChain
2025-02-22 02:16:39 +00:00 · 2021-07-07 07:03:42 -04:00 · 2021-07-07 07:03:42 -04:00 · 495b2c2aa3
commit 495b2c2aa3
parent e7cdba07c4 6e849d601c
1 changed files with 25 additions and 27 deletions
--- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
@ -1399,38 +1399,36 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
            throw new SupplyChainValidatorException(
                    "Certificate or validation certificates are null");
        }
        final String intCAError = "Intermediate signing cert found, check for CA cert";
        String foundRootOfCertChain = "";
-        Iterator<X509Certificate> certIterator = additionalCerts.iterator();
+        X509Certificate startOfChain = cert;
        X509Certificate trustedCert;
        boolean issuerMatchesSubject = false;
        boolean signatureMatchesPublicKey = false;
-        while (certIterator.hasNext()) {
+        do {
-            trustedCert = certIterator.next();
+            for (X509Certificate trustedCert : additionalCerts) {
-            issuerMatchesSubject = issuerMatchesSubjectDN(cert, trustedCert);
+                boolean issuerMatchesSubject = issuerMatchesSubjectDN(startOfChain, trustedCert);
-            signatureMatchesPublicKey = signatureMatchesPublicKey(cert, trustedCert);
+                boolean signatureMatchesPublicKey = signatureMatchesPublicKey(startOfChain,
-            if (issuerMatchesSubject && signatureMatchesPublicKey) {
+                                                                                trustedCert);
-                if (isSelfSigned(trustedCert)) {
+                if (issuerMatchesSubject && signatureMatchesPublicKey) {
-                    foundRootOfCertChain = "";
+                    if (isSelfSigned(trustedCert)) {
-                    LOGGER.info("CA Root found.");
+                        LOGGER.info("CA Root found.");
-                    break;
+                        return "";
-                } else if (!cert.equals(trustedCert)) {
+                    } else {
-                    foundRootOfCertChain = "Intermediate signing cert found, check for CA cert "
+                        foundRootOfCertChain = intCAError;
-                            + cert.getIssuerDN().getName();
+                        startOfChain = trustedCert;
-                }
+                        break;
-            } else {
+                    }
-                if (!issuerMatchesSubject) {
+                } else {
-                    foundRootOfCertChain = "Issuer DN does not match Subject DN";
+                    if (!issuerMatchesSubject) {
-                }
+                        foundRootOfCertChain = "Issuer DN does not match Subject DN";
-                if (!signatureMatchesPublicKey) {
+                    }
-                    foundRootOfCertChain = "Certificate signature failed to verify";
+                    if (!signatureMatchesPublicKey) {
                        foundRootOfCertChain = "Certificate signature failed to verify";
                    }
                }
            }
-        }
+        } while (foundRootOfCertChain.equals(intCAError));
-        if (!foundRootOfCertChain.isEmpty()) {
+        LOGGER.error(foundRootOfCertChain);
            LOGGER.error(foundRootOfCertChain);
        }
        return foundRootOfCertChain;
    }