diff --git a/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java b/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
index 0e6412c5..749c0ab8 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
@@ -241,6 +241,7 @@ public class ReferenceManifestValidator {
             if (embeddedCert != null) {
                 if (isCertChainValid(embeddedCert)) {
                     context = new DOMValidateContext(new X509KeySelector(), nodes.item(0));
+                    subjectKeyIdentifier = getCertificateSubjectKeyIdentifier(embeddedCert);
                 }
             }
         } else {
@@ -465,6 +466,10 @@ public class ReferenceManifestValidator {
         for (X509Certificate trustedCert : trustStore) {
             boolean isIssuer = areYouMyIssuer(chainCert, trustedCert);
             boolean isSigner = areYouMySigner(chainCert, trustedCert);
+            boolean itIsMe = areYouMe(chainCert, trustedCert);
+            if (itIsMe) {
+                continue;
+            }
             if (isIssuer && isSigner) {
                 if (isSelfSigned(trustedCert)) {
                     log.info("Root CA found.");
@@ -490,6 +495,21 @@ public class ReferenceManifestValidator {
         return false;
     }
 
+    /**
+     * This method checks if cert's issuerDN matches issuer's subjectDN.
+     * @param cert the signed certificate
+     * @param issuer the signing certificate
+     * @return true if they match, false if not
+     * @throws Exception if either argument is null
+     */
+    private boolean areYouMe(final X509Certificate cert, final X509Certificate issuer)
+            throws Exception {
+        if (cert == null || issuer == null) {
+            throw new Exception("Cannot verify issuer, null certificate received");
+        }
+        return Arrays.equals(cert.getEncoded(), issuer.getEncoded());
+    }
+
     /**
      * This method checks if cert's issuerDN matches issuer's subjectDN.
      * @param cert the signed certificate
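Review bot: `subjectKeyIdentifier` is assigned only on the chain-valid branch, so when `isCertChainValid(embeddedCert)` is false (or `embeddedCert` is null) the field keeps whatever value an earlier validation on the same instance left behind, which a later consumer could mistake for the identifier of the current manifest's signer. If this validator object is reused across manifests (I cannot tell from the hunk), clear it on the way in, e.g. `subjectKeyIdentifier = null;` before the `if (embeddedCert != null)` check, so the field only ever reflects a certificate whose chain was actually validated. The enclosing method starts and ends outside this hunk.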
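Review bot: The new `areYouMe` check runs after `areYouMyIssuer` and `areYouMySigner` have already been evaluated, so the signature verification in `areYouMySigner` is still paid for the very certificate the loop is about to skip; move the skip to the top of the loop body, `if (areYouMe(chainCert, trustedCert)) { continue; }`, before the two booleans are computed. That also removes the single-use `itIsMe` local, matching how the branch is read. Note that a chain certificate that is byte-identical to a trust-store entry is now never examined as a candidate root in this loop; if the intent is to skip only the self-comparison of a self-signed chain certificate, the rest of the method (outside this hunk) should be checked to confirm such a certificate is still recognised as trusted.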
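Review bot: The Javadoc on `areYouMe` is copied from `areYouMyIssuer` and does not describe the method: the body compares the two certificates' DER encodings with `Arrays.equals`, not an issuerDN against a subjectDN, and the parameters are peers rather than a signed/signing pair. Replace the summary with `Checks whether the two certificates are the same certificate by comparing their DER encodings.`, describe both parameters as `a certificate to compare`, and state `@return true if the encoded forms are identical, false otherwise`. The `@throws` line should also mention that `getEncoded()` can fail, e.g. `@throws Exception if either argument is null or a certificate cannot be encoded`, and the exception message `Cannot verify issuer, null certificate received` is likewise copied and would be clearer as `Cannot compare certificates, null certificate received`. Narrowing the declared exception to `CertificateEncodingException` would be preferable, but the siblings on this page declare `throws Exception`, so keeping the signature consistent is a reasonable choice.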