JCE: support zero-length cert paths in PKIXCertPathValidator

cconlon · cconlon · commit 99415db2e8e3 · 2025-12-08T11:47:59.000-07:00
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathValidator.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathValidator.java
@@ -953,6 +953,31 @@ public CertPathValidatorResult engineValidate(
             }
         }
 
+        /* Zero-length cert paths are valid per RFC 5280. This occurs when
+         * CertPathBuilder determines the trust anchor itself is the target
+         * (no intermediate certificates needed). Return success with the
+         * trust anchor's public key. No need to create CertManager. */
+        if (certPath.getCertificates().isEmpty()) {
+            Set<TrustAnchor> anchors = pkixParams.getTrustAnchors();
+            if (anchors == null || anchors.isEmpty()) {
+                throw new CertPathValidatorException(
+                    "No TrustAnchors in PKIXParameters");
+            }
+
+            /* Return first trust anchor for zero-length path */
+            TrustAnchor anchor = anchors.iterator().next();
+            X509Certificate anchorCert = anchor.getTrustedCert();
+            if (anchorCert == null) {
+                throw new CertPathValidatorException(
+                    "TrustAnchor has no certificate for zero-length path");
+            }
+            log("Zero-length cert path, returning trust anchor: " +
+                anchorCert.getSubjectX500Principal().getName());
+
+            return new PKIXCertPathValidatorResult(anchor, null,
+                anchorCert.getPublicKey());
+        }
+
         /* Use wolfSSL CertManager to do chain verification */
         try {
             cm = new WolfSSLCertManager();
@@ -972,10 +997,6 @@ public CertPathValidatorResult engineValidate(
                     certs.add((X509Certificate) cert);
                 }
             }
-            if (certs.size() == 0) {
-                throw new CertPathValidatorException(
-                    "No Certificate objects in CertPath");
-            }
 
             /* Register verify callback to override date validation if
              * PKIXParameters specifies an override date */
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathValidatorTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathValidatorTest.java
@@ -1674,5 +1674,108 @@ public void testAlgorithmConstraintsWithSHAVariant() throws Exception {
             }
         }
     }
+
+    /**
+     * Test that zero-length cert paths are valid per RFC 5280. This occurs
+     * when CertPathBuilder determines the trust anchor itself is the target.
+     */
+    @Test
+    public void testZeroLengthCertPath()
+        throws CertificateException, NoSuchAlgorithmException,
+               InvalidAlgorithmParameterException, CertPathValidatorException,
+               NoSuchProviderException {
+
+        FileInputStream fis = null;
+        X509Certificate caCert = null;
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        /* Use CA cert from examples as trust anchor */
+        try {
+            fis = new FileInputStream(caCertDer);
+            caCert = (X509Certificate)cf.generateCertificate(fis);
+            fis.close();
+        } catch (Exception e) {
+            fail("Failed to load CA cert: " + e.getMessage());
+        }
+
+        /* Create trust anchor from CA cert */
+        TrustAnchor anchor = new TrustAnchor(caCert, null);
+        Set<TrustAnchor> anchors = new HashSet<>();
+        anchors.add(anchor);
+
+        /* Create empty cert path (zero-length) */
+        List<Certificate> emptyCertList = new ArrayList<>();
+        CertPath emptyPath = cf.generateCertPath(emptyCertList);
+        assertEquals(0, emptyPath.getCertificates().size());
+
+        /* Create PKIXParameters with the trust anchor */
+        PKIXParameters params = new PKIXParameters(anchors);
+        params.setRevocationEnabled(false);
+
+        /* Validate zero-length path - should succeed */
+        CertPathValidator cpv =
+            CertPathValidator.getInstance("PKIX", provider);
+        PKIXCertPathValidatorResult result =
+            (PKIXCertPathValidatorResult)cpv.validate(emptyPath, params);
+
+        /* Verify result contains trust anchor and its public key */
+        assertNotNull(result);
+        assertNotNull(result.getTrustAnchor());
+        assertEquals(anchor.getTrustedCert(),
+            result.getTrustAnchor().getTrustedCert());
+        assertNotNull(result.getPublicKey());
+        assertEquals(caCert.getPublicKey(), result.getPublicKey());
+    }
+
+    /**
+     * Test that zero-length cert path with TrustAnchor that has no
+     * certificate throws CertPathValidatorException.
+     */
+    @Test
+    public void testZeroLengthCertPathAnchorNoCertificate()
+        throws CertificateException, NoSuchAlgorithmException,
+               InvalidAlgorithmParameterException, NoSuchProviderException {
+
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        /* Create empty cert path (zero-length) */
+        List<Certificate> emptyCertList = new ArrayList<>();
+        CertPath emptyPath = cf.generateCertPath(emptyCertList);
+
+        /* Load CA cert to get its name and public key */
+        FileInputStream fis = null;
+        X509Certificate caCert = null;
+        try {
+            fis = new FileInputStream(caCertDer);
+            caCert = (X509Certificate)cf.generateCertificate(fis);
+            fis.close();
+        } catch (Exception e) {
+            fail("Failed to load CA cert: " + e.getMessage());
+        }
+
+        /* Create TrustAnchor without certificate (using CA name and key).
+         * This is valid for normal cert paths but not for zero-length
+         * paths where we need to return the anchor's certificate. */
+        TrustAnchor anchorWithoutCert = new TrustAnchor(
+            caCert.getSubjectX500Principal(), caCert.getPublicKey(), null);
+        Set<TrustAnchor> anchors = new HashSet<>();
+        anchors.add(anchorWithoutCert);
+
+        PKIXParameters params = new PKIXParameters(anchors);
+        params.setRevocationEnabled(false);
+
+        /* Validate zero-length path with anchor that has no cert */
+        CertPathValidator cpv =
+            CertPathValidator.getInstance("PKIX", provider);
+
+        try {
+            cpv.validate(emptyPath, params);
+            fail("Expected CertPathValidatorException for zero-length " +
+                 "path with TrustAnchor that has no certificate");
+        } catch (CertPathValidatorException e) {
+            assertTrue("Exception message should mention no certificate",
+                e.getMessage().contains("no certificate"));
+        }
+    }
 }
 
