diff --git a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java index e157a774..90d4327b 100644 --- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java +++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java @@ -40,6 +40,7 @@ import java.security.NoSuchProviderException; import java.security.PublicKey; import java.security.Security; import java.security.SignatureException; +import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.CertificateExpiredException; import java.security.cert.CertificateNotYetValidException; @@ -1338,43 +1339,49 @@ public final class SupplyChainCredentialValidator implements CredentialValidator * @throws SupplyChainValidatorException tried to validate using null certificates */ public static String validateCertChain(final X509AttributeCertificateHolder cert, - final Set additionalCerts) throws SupplyChainValidatorException { + final Set additionalCerts) + throws SupplyChainValidatorException { if (cert == null || additionalCerts == null) { throw new SupplyChainValidatorException( "Certificate or validation certificates are null"); } + final String intCAError = "Intermediate signing cert found, check for CA cert"; String foundRootOfCertChain = ""; - Iterator certIterator = additionalCerts.iterator(); - X509Certificate trustedCert; - boolean issuerMatchesSubject = false; - boolean signatureMatchesPublicKey = false; + X509AttributeCertificateHolder startOfChain = cert; - while (foundRootOfCertChain.isEmpty() && certIterator.hasNext()) { - trustedCert = certIterator.next(); - issuerMatchesSubject = issuerMatchesSubjectDN(cert, trustedCert); - signatureMatchesPublicKey = signatureMatchesPublicKey(cert, trustedCert); - if (issuerMatchesSubject && signatureMatchesPublicKey) { - if (isSelfSigned(trustedCert)) { - foundRootOfCertChain = ""; - LOGGER.info("CA Root found."); - break; + do { + for (X509Certificate trustedCert : additionalCerts) { + boolean issuerMatchesSubject = issuerMatchesSubjectDN(startOfChain, trustedCert); + boolean signatureMatchesPublicKey = signatureMatchesPublicKey(startOfChain, + trustedCert); + if (issuerMatchesSubject && signatureMatchesPublicKey) { + if (isSelfSigned(trustedCert)) { + LOGGER.info("CA Root found."); + return ""; + } else { + foundRootOfCertChain = intCAError; + try { + startOfChain = new X509AttributeCertificateHolder( + trustedCert.getEncoded()); + } catch (IOException | CertificateEncodingException e) { + LOGGER.error("Error checking cert chain: " + e.getMessage()); + throw new SupplyChainValidatorException("Error checking cert chain: " + + e.getMessage()); + } + break; + } } else { - foundRootOfCertChain = "Intermediate signing cert found. Check for CA Cert: " - + cert.getIssuer().getNames()[0]; - } - } else { - if (!issuerMatchesSubject) { - foundRootOfCertChain = "Issuer DN does not match Subject DN"; - } - if (!signatureMatchesPublicKey) { - foundRootOfCertChain = "Certificate signature failed to verify"; + if (!issuerMatchesSubject) { + foundRootOfCertChain = "Issuer DN does not match Subject DN"; + } + if (!signatureMatchesPublicKey) { + foundRootOfCertChain = "Certificate signature failed to verify"; + } } } - } + } while (foundRootOfCertChain.equals(intCAError)); - if (!foundRootOfCertChain.isEmpty()) { - LOGGER.error(foundRootOfCertChain); - } + LOGGER.error(foundRootOfCertChain); return foundRootOfCertChain; }