ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2025-01-29 15:44:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update overloaded validateCertChain to check cert chain consistently

Browse Source
This commit is contained in:
chubtub 2021-08-17 14:41:00 -04:00
parent ef23c68133
commit dc7301e8a6
1 changed files with 34 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
View File

@ -40,6 +40,7 @@ import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
@ -1338,43 +1339,49 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
* @throws SupplyChainValidatorException tried to validate using null certificates
*/
public static String validateCertChain(final X509AttributeCertificateHolder cert,
final Set<X509Certificate> additionalCerts) throws SupplyChainValidatorException {
final Set<X509Certificate> additionalCerts)
throws SupplyChainValidatorException {
if (cert == null || additionalCerts == null) {
throw new SupplyChainValidatorException(
"Certificate or validation certificates are null");
}
final String intCAError = "Intermediate signing cert found, check for CA cert";
String foundRootOfCertChain = "";
Iterator<X509Certificate> certIterator = additionalCerts.iterator();
X509Certificate trustedCert;
boolean issuerMatchesSubject = false;
boolean signatureMatchesPublicKey = false;
X509AttributeCertificateHolder startOfChain = cert;
while (foundRootOfCertChain.isEmpty() && certIterator.hasNext()) {
trustedCert = certIterator.next();
issuerMatchesSubject = issuerMatchesSubjectDN(cert, trustedCert);
signatureMatchesPublicKey = signatureMatchesPublicKey(cert, trustedCert);
if (issuerMatchesSubject && signatureMatchesPublicKey) {
if (isSelfSigned(trustedCert)) {
foundRootOfCertChain = "";
LOGGER.info("CA Root found.");
break;
do {
for (X509Certificate trustedCert : additionalCerts) {
boolean issuerMatchesSubject = issuerMatchesSubjectDN(startOfChain, trustedCert);
boolean signatureMatchesPublicKey = signatureMatchesPublicKey(startOfChain,
trustedCert);
if (issuerMatchesSubject && signatureMatchesPublicKey) {
if (isSelfSigned(trustedCert)) {
LOGGER.info("CA Root found.");
return "";
} else {
foundRootOfCertChain = intCAError;
try {
startOfChain = new X509AttributeCertificateHolder(
trustedCert.getEncoded());
} catch (IOException | CertificateEncodingException e) {
LOGGER.error("Error checking cert chain: " + e.getMessage());
throw new SupplyChainValidatorException("Error checking cert chain: "
+ e.getMessage());
}
break;
}
} else {
foundRootOfCertChain = "Intermediate signing cert found. Check for CA Cert: "
+ cert.getIssuer().getNames()[0];
}
} else {
if (!issuerMatchesSubject) {
foundRootOfCertChain = "Issuer DN does not match Subject DN";
}
if (!signatureMatchesPublicKey) {
foundRootOfCertChain = "Certificate signature failed to verify";
if (!issuerMatchesSubject) {
foundRootOfCertChain = "Issuer DN does not match Subject DN";
}
if (!signatureMatchesPublicKey) {
foundRootOfCertChain = "Certificate signature failed to verify";
}
}
}
}
} while (foundRootOfCertChain.equals(intCAError));
if (!foundRootOfCertChain.isEmpty()) {
LOGGER.error(foundRootOfCertChain);
}
LOGGER.error(foundRootOfCertChain);
return foundRootOfCertChain;
}