Merge pull request wolfSSL#198 from cconlon/certPathBuilderDateFix

rlm2002 · web-flow · commit 55040a9136fe · 2026-02-11T10:23:37.000-07:00
Fix for CertPathBuilder `setDate()` custom date validation and add boundary tests
diff --git a/IDE/Android/app/src/main/cpp/CMakeLists.txt b/IDE/Android/app/src/main/cpp/CMakeLists.txt
@@ -255,8 +255,14 @@ aux_source_directory(${wolfssl_DIR}/src TLS_SOURCES)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/bio.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/conf.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk_ec.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/pk_rsa.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_bn.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_cert.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_crl_ocsp.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_api_pk.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_asn1.c)
+list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_ech.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_certman.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_crypto.c)
 list(REMOVE_ITEM TLS_SOURCES ${wolfssl_DIR}/src/ssl_load.c)
@@ -271,6 +277,7 @@ if ("${WOLFSSL_PKG_TYPE}" MATCHES "normal")
         # Add crypto sources to CRYPTO_SOURCES, remove files that are included inline by other files
         aux_source_directory(${wolfssl_DIR}/wolfcrypt/src CRYPTO_SOURCES)
         list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/evp.c)
+        list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/evp_pk.c)
         list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/misc.c)
 
 elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready")
diff --git a/jni/jni_wolfssl_x509_store_ctx.c b/jni/jni_wolfssl_x509_store_ctx.c
@@ -447,6 +447,16 @@ JNIEXPORT jobjectArray JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLX509StoreCtx_wo
         return NULL;
     }
 
+    /* When USE_CHECK_TIME is set (custom verification date), clear
+     * NO_CHECK_TIME from ctx->param so X509StoreVerifyCertDate()
+     * validates cert dates against check_time. NO_CHECK_TIME is still set on
+     * store->param so X509StoreAddCa() can still accept expired certs
+     * into the store. */
+    if (ctx->param != NULL &&
+        (ctx->param->flags & WOLFSSL_USE_CHECK_TIME) != 0) {
+        ctx->param->flags &= (unsigned long)(~WOLFSSL_NO_CHECK_TIME);
+    }
+
     /* Set max path length if specified.
      * Depth = max intermediates + 1 for root CA.
      * Check for overflow when adding 1 to maxPathLength. */
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathBuilder.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathBuilder.java
@@ -59,7 +59,6 @@
 
 import com.wolfssl.wolfcrypt.Fips;
 import com.wolfssl.wolfcrypt.WolfCrypt;
-import com.wolfssl.wolfcrypt.WolfSSLCertManager;
 import com.wolfssl.wolfcrypt.WolfSSLX509StoreCtx;
 import com.wolfssl.wolfcrypt.WolfCryptException;
 
@@ -524,77 +523,6 @@ private TrustAnchor findPathTrustAnchor(List<X509Certificate> path,
         return anchor;
     }
 
-    /**
-     * Validate the built certificate path.
-     *
-     * @param path the certificate path to validate
-     * @param params the PKIX builder parameters
-     * @param anchor the trust anchor
-     *
-     * @throws CertPathBuilderException if validation fails
-     */
-    private void validatePath(List<X509Certificate> path,
-        PKIXBuilderParameters params, TrustAnchor anchor)
-        throws CertPathBuilderException {
-
-        WolfSSLCertManager cm = null;
-
-        log("validating built path (" + path.size() + " certificates)");
-
-        if (path == null || anchor == null) {
-            throw new CertPathBuilderException(
-                "Path or TrustAnchor is null");
-        }
-
-        try {
-            cm = new WolfSSLCertManager();
-
-            /* Load trust anchor as CA */
-            X509Certificate anchorCert = anchor.getTrustedCert();
-            if (anchorCert != null) {
-                cm.CertManagerLoadCA(anchorCert);
-                log("loaded trust anchor: " +
-                    anchorCert.getSubjectX500Principal().getName());
-            }
-
-            /* Verify certificates from top (closest to anchor) to target */
-            for (int i = path.size() - 1; i >= 0; i--) {
-                X509Certificate cert = path.get(i);
-
-                try {
-                    cm.CertManagerVerify(cert);
-                    log("verified: " +
-                        cert.getSubjectX500Principal().getName());
-
-                } catch (WolfCryptException e) {
-                    throw new CertPathBuilderException(
-                        "Certificate verification failed: " +
-                        cert.getSubjectX500Principal().getName(), e);
-                }
-
-                /* Load verified cert as CA for next verification */
-                if (i > 0 && cert.getBasicConstraints() >= 0) {
-                    try {
-                        cm.CertManagerLoadCA(cert);
-
-                    } catch (WolfCryptException e) {
-                        /* continue */
-                        log("Warning: failed to load verified cert as CA");
-                    }
-                }
-            }
-
-        } catch (WolfCryptException e) {
-            throw new CertPathBuilderException(
-                "Failed to create or use WolfSSLCertManager", e);
-
-        } finally {
-            if (cm != null) {
-                cm.free();
-            }
-        }
-    }
-
     /**
      * Helper class to hold chain building result with trust anchor.
      */
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathBuilderTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathBuilderTest.java
@@ -3450,6 +3450,52 @@ private X509Certificate loadCertFromPEM(String pem)
         return (X509Certificate) cf.generateCertificate(bis);
     }
 
+    /**
+     * Helper to create PKIXBuilderParameters for expired cert tests.
+     *
+     * Loads expired test certificates (valid May 2014 - April 2016)
+     * and sets up trust anchors, CertStore, and target selector.
+     *
+     * @param dateMillis custom validation date in epoch millis,
+     *                   or -1 to use current system time
+     *
+     * @return configured PKIXBuilderParameters
+     */
+    private PKIXBuilderParameters createExpiredCertParams(long dateMillis)
+        throws CertificateException, InvalidAlgorithmParameterException,
+               NoSuchAlgorithmException {
+
+        X509Certificate rootCert =
+            loadCertFromPEM(EXPIRED_ROOT_PEM);
+        X509Certificate intermediateCert =
+            loadCertFromPEM(EXPIRED_INTERMEDIATE_PEM);
+        X509Certificate userCert =
+            loadCertFromPEM(EXPIRED_USER_PEM);
+
+        Set<TrustAnchor> anchors = new HashSet<>();
+        anchors.add(new TrustAnchor(rootCert, null));
+
+        Collection<Certificate> certs = new ArrayList<>();
+        certs.add(userCert);
+        certs.add(intermediateCert);
+        CertStore certStore = CertStore.getInstance("Collection",
+            new CollectionCertStoreParameters(certs));
+
+        X509CertSelector selector = new X509CertSelector();
+        selector.setCertificate(userCert);
+
+        PKIXBuilderParameters params =
+            new PKIXBuilderParameters(anchors, selector);
+        params.setRevocationEnabled(false);
+        params.addCertStore(certStore);
+
+        if (dateMillis >= 0) {
+            params.setDate(new Date(dateMillis));
+        }
+
+        return params;
+    }
+
     /**
      * Test building a cert path with expired certificates using
      * a custom validation date set via PKIXBuilderParameters.setDate().
@@ -3473,47 +3519,34 @@ public void testExpiredCertsWithCustomValidationDate()
             "this wolfSSL version",
             WolfSSLX509StoreCtx.isStoreCheckTimeSupported());
 
-        /* Load expired test certificates */
-        X509Certificate rootCert = loadCertFromPEM(EXPIRED_ROOT_PEM);
+        /* Load certs separately for result assertions below */
+        X509Certificate rootCert =
+            loadCertFromPEM(EXPIRED_ROOT_PEM);
         X509Certificate intermediateCert =
             loadCertFromPEM(EXPIRED_INTERMEDIATE_PEM);
-        X509Certificate userCert = loadCertFromPEM(EXPIRED_USER_PEM);
-
-        /* Set up trust anchors with the expired root */
-        Set<TrustAnchor> anchors = new HashSet<>();
-        anchors.add(new TrustAnchor(rootCert, null));
-
-        /* Set up CertStore with intermediate and target certs */
-        Collection<Certificate> certs = new ArrayList<>();
-        certs.add(userCert);
-        certs.add(intermediateCert);
-        CertStore certStore = CertStore.getInstance("Collection",
-            new CollectionCertStoreParameters(certs));
+        X509Certificate userCert =
+            loadCertFromPEM(EXPIRED_USER_PEM);
 
-        /* Create target selector for user cert */
-        X509CertSelector selector = new X509CertSelector();
-        selector.setCertificate(userCert);
-
-        /* Create PKIXBuilderParameters with custom validation date.
-         * Date is March 15, 2015 (within cert validity period 2014-2016).
-         * Epoch time 1426399200000L = Sun Mar 15 2015 06:00:00 GMT */
+        /* Date is March 15, 2015 (within cert validity 2014-2016).
+         * Epoch time 1426399200000L = Sun Mar 15 2015 06:00:00 */
         PKIXBuilderParameters params =
-            new PKIXBuilderParameters(anchors, selector);
-        params.setRevocationEnabled(false);
-        params.addCertStore(certStore);
-        params.setDate(new Date(1426399200000L));
+            createExpiredCertParams(1426399200000L);
 
         /* Build cert path - should succeed with custom date */
-        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", provider);
+        CertPathBuilder cpb =
+            CertPathBuilder.getInstance("PKIX", provider);
         CertPathBuilderResult result = cpb.build(params);
 
         /* Verify result */
-        assertNotNull("CertPathBuilderResult should not be null", result);
-        PKIXCertPathBuilderResult pResult = (PKIXCertPathBuilderResult) result;
+        assertNotNull(
+            "CertPathBuilderResult should not be null", result);
+        PKIXCertPathBuilderResult pResult =
+            (PKIXCertPathBuilderResult) result;
 
         /* Verify trust anchor is the root cert */
         assertEquals("Trust anchor should be the root cert",
-            rootCert, pResult.getTrustAnchor().getTrustedCert());
+            rootCert,
+            pResult.getTrustAnchor().getTrustedCert());
 
         /* Verify path contains user and intermediate certs
          * (root/trust anchor is not included in the path) */
@@ -3525,60 +3558,118 @@ public void testExpiredCertsWithCustomValidationDate()
         /* Verify path order: user -> intermediate */
         assertEquals("First cert in path should be user cert",
             userCert, path.getCertificates().get(0));
-        assertEquals("Second cert in path should be intermediate cert",
+        assertEquals(
+            "Second cert in path should be intermediate cert",
             intermediateCert, path.getCertificates().get(1));
     }
 
     /**
-     * Test that expired certs fail validation when no custom date
-     * is set (using current system time).
+     * Test that setDate() with a date after cert expiry still fails.
      *
-     * This test verifies that wolfJCE properly rejects expired certificates
-     * when validating against the current system time.
+     * Uses expired certificates (valid 2014-2016) and sets a validation
+     * date of March 15, 2017 (after the certificates expired). This
+     * verifies that setDate() properly validates against the custom date.
      */
     @Test
-    public void testExpiredCertsFailWithoutCustomDate()
+    public void testExpiredCertsFailWithDateAfterExpiry()
         throws CertificateException, InvalidAlgorithmParameterException,
                NoSuchAlgorithmException, NoSuchProviderException {
 
-        /* Load expired test certificates */
-        X509Certificate rootCert = loadCertFromPEM(EXPIRED_ROOT_PEM);
-        X509Certificate intermediateCert =
-            loadCertFromPEM(EXPIRED_INTERMEDIATE_PEM);
-        X509Certificate userCert = loadCertFromPEM(EXPIRED_USER_PEM);
+        Assume.assumeTrue("X509_STORE check_time support not available in " +
+            "this wolfSSL version",
+            WolfSSLX509StoreCtx.isStoreCheckTimeSupported());
 
-        /* Set up trust anchors with the expired root */
-        Set<TrustAnchor> anchors = new HashSet<>();
-        anchors.add(new TrustAnchor(rootCert, null));
+        /* Date is March 15, 2017 (certs expired April 30, 2016).
+         * Epoch time 1489561200000L = Wed Mar 15 2017 06:00:00 */
+        PKIXBuilderParameters params = createExpiredCertParams(1489561200000L);
 
-        /* Set up CertStore with intermediate and target certs */
-        Collection<Certificate> certs = new ArrayList<>();
-        certs.add(userCert);
-        certs.add(intermediateCert);
-        CertStore certStore = CertStore.getInstance("Collection",
-            new CollectionCertStoreParameters(certs));
+        /* Build cert path, should fail because custom date after cert expiry */
+        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", provider);
+        try {
+            cpb.build(params);
+            fail("Expected CertPathBuilderException when custom " +
+                 "date is after cert expiry");
+        } catch (CertPathBuilderException e) {
+            /* Expected, date is after cert validity */
+            assertNotNull("Exception message should not be null",
+                e.getMessage());
+            assertTrue("Exception should indicate cert expired, got: " +
+                e.getMessage(), e.getMessage().contains("expired"));
+        }
+    }
 
-        /* Create target selector for user cert */
-        X509CertSelector selector = new X509CertSelector();
-        selector.setCertificate(userCert);
+    /**
+     * Test that setDate() with a date before cert validity still fails.
+     *
+     * Uses expired certificates (valid May 1, 2014 - April 30, 2016)
+     * and sets a validation date of January 1, 2014 (before notBefore).
+     * This verifies that setDate() also checks the notBefore boundary.
+     */
+    @Test
+    public void testExpiredCertsFailWithDateBeforeValidity()
+        throws CertificateException, InvalidAlgorithmParameterException,
+               NoSuchAlgorithmException, NoSuchProviderException {
 
-        /* Create PKIXBuilderParameters WITHOUT custom date.
-         * This will use current system time for validation. */
+        Assume.assumeTrue(
+            "X509_STORE check_time support not available in " +
+            "this wolfSSL version",
+            WolfSSLX509StoreCtx.isStoreCheckTimeSupported());
+
+        /* Date is January 1, 2014 (certs valid from May 1, 2014).
+         * Epoch time 1388534400000L = Wed Jan 01 2014 00:00:00 */
         PKIXBuilderParameters params =
-            new PKIXBuilderParameters(anchors, selector);
-        params.setRevocationEnabled(false);
-        params.addCertStore(certStore);
-        /* Note: NOT calling params.setDate() - uses current time */
+            createExpiredCertParams(1388534400000L);
+
+        /* Build cert path - should FAIL because custom date is
+         * before cert notBefore */
+        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", provider);
+        try {
+            cpb.build(params);
+            fail("Expected CertPathBuilderException when custom " +
+                 "date is before cert notBefore");
+        } catch (CertPathBuilderException e) {
+            /* Expected, date is before cert validity */
+            assertNotNull("Exception message should not be null",
+                e.getMessage());
+            assertTrue("Exception should indicate cert not yet valid" +
+                ", got: " + e.getMessage(),
+                e.getMessage().contains("not yet valid"));
+        }
+    }
+
+    /**
+     * Test that expired certs fail validation when no custom date
+     * is set (using current system time).
+     *
+     * This test verifies that wolfJCE properly rejects expired certificates
+     * when validating against the current system time.
+     */
+    @Test
+    public void testExpiredCertsFailWithoutCustomDate()
+        throws CertificateException, InvalidAlgorithmParameterException,
+               NoSuchAlgorithmException, NoSuchProviderException {
+
+        /* No custom date (-1), uses current system time */
+        PKIXBuilderParameters params = createExpiredCertParams(-1);
 
         /* Build cert path - should FAIL because certs are expired */
         CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", provider);
         try {
             cpb.build(params);
-            fail("Expected CertPathBuilderException for expired certificates");
+            fail("Expected CertPathBuilderException for " +
+                 "expired certificates");
         } catch (CertPathBuilderException e) {
-            /* Expected - certificates are expired */
-            assertTrue("Exception message should indicate certificate issue",
-                e.getMessage() != null);
+            /* Expected, certificates are expired. May fail
+             * during store addition ("Failed to add certificate")
+             * or during verification ("expired"), depending on
+             * wolfSSL version and configuration. */
+            assertNotNull("Exception message should not be null",
+                e.getMessage());
+            assertTrue("Exception should indicate cert date issue" +
+                ", got: " + e.getMessage(),
+                e.getMessage().contains("expired") ||
+                e.getMessage().contains(
+                    "Failed to add certificate"));
         }
     }
 }
