added constraint check on "only*Certs" fields plus test for same. Relates to github #2051.

dghgit · dghgit · commit 7ec58ff6ee4a · 2025-04-11T23:29:24.000+10:00
diff --git a/core/src/main/java/org/bouncycastle/asn1/x509/IssuingDistributionPoint.java b/core/src/main/java/org/bouncycastle/asn1/x509/IssuingDistributionPoint.java
@@ -84,6 +84,12 @@ public IssuingDistributionPoint(
         boolean indirectCRL,
         boolean onlyContainsAttributeCerts)
     {
+        if ((onlyContainsCACerts && (onlyContainsUserCerts || onlyContainsAttributeCerts))
+            || (onlyContainsUserCerts && onlyContainsAttributeCerts))
+        {
+            throw new IllegalArgumentException("only one of onlyContainsCACerts, onlyContainsUserCerts, or onlyContainsAttributeCerts can be true");
+        }
+
         this.distributionPoint = distributionPoint;
         this.indirectCRL = indirectCRL;
         this.onlyContainsAttributeCerts = onlyContainsAttributeCerts;
diff --git a/core/src/test/java/org/bouncycastle/asn1/test/IssuingDistributionPointUnitTest.java b/core/src/test/java/org/bouncycastle/asn1/test/IssuingDistributionPointUnitTest.java
@@ -27,7 +27,9 @@ public void performTest()
                                               new GeneralNames(new GeneralName(new X500Name("cn=test"))));
         ReasonFlags reasonFlags = new ReasonFlags(ReasonFlags.cACompromise);
 
-        checkPoint(6, name, true, true, reasonFlags, true, true);
+        checkOnlyException(name, true, true, reasonFlags, true, true);
+        checkOnlyException(name, true, true, reasonFlags, true, false);
+        checkOnlyException(name, true, false, reasonFlags, true, true);
 
         checkPoint(2, name, false, false, reasonFlags, false, false);
 
@@ -45,6 +47,26 @@ public void performTest()
         }
     }
 
+    private void checkOnlyException(
+        DistributionPointName distributionPoint,
+        boolean onlyContainsUserCerts,
+        boolean onlyContainsCACerts,
+        ReasonFlags onlySomeReasons,
+        boolean indirectCRL,
+        boolean onlyContainsAttributeCerts)
+        throws IOException
+    {
+        try
+        {
+            new IssuingDistributionPoint(distributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL, onlyContainsAttributeCerts);
+            fail("no exception");
+        }
+        catch (IllegalArgumentException e)
+        {
+            isEquals("only one of onlyContainsCACerts, onlyContainsUserCerts, or onlyContainsAttributeCerts can be true", e.getMessage());
+        }
+    }
+
     private void checkPoint(
         int size,
         DistributionPointName distributionPoint,
