Merge pull request #178 from cconlon/pkixImprovements

PKIX Improvements and WolfSSLKeyStore engineProbe()

Author: rlm2002

src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathValidator.java

@@ -733,28 +733,56 @@ public TrustAnchor findTrustAnchor(PKIXParameters params,
         return anchorFound;
     }
 
+    /**
+     * Throw CertPathValidatorException for undetermined revocation status.
+     *
+     * Used when revocation checking is enabled but no CRLs are available
+     * and no PKIXRevocationChecker is configured to handle OCSP.
+     *
+     * @param message error message describing the revocation failure
+     * @param certPath the CertPath being validated (for exception reporting)
+     * @param certs list of certificates from certPath
+     *
+     * @throws CertPathValidatorException always thrown with
+     *         UNDETERMINED_REVOCATION_STATUS reason
+     */
+    private void throwUndeterminedRevocationStatus(String message,
+        CertPath certPath, List<X509Certificate> certs)
+        throws CertPathValidatorException {
+
+        /* Report index of last cert in path (closest to trust anchor)
+         * to match SunJCE behavior. */
+        int failIndex = 0;
+        if (certs != null && certs.size() > 1) {
+            failIndex = certs.size() - 1;
+        }
+        throw new CertPathValidatorException(message, null, certPath,
+            failIndex, BasicReason.UNDETERMINED_REVOCATION_STATUS);
+    }
+
     /**
      * Check if revocation has been enabled in PKIXParameters, and if so
      * find and load any CRLs in params.getCertStores().
      *
      * When a PKIXRevocationChecker has been registered via
      * addCertPathChecker(), that checker handles revocation checking. CRL
      * checking in the native CertManager is only enabled if:
-     *   - No PKIXRevocationChecker is present (default CRL behavior), OR
+     *   - No PKIXRevocationChecker is present (default CRL behavior), or
      *   - PKIXRevocationChecker has PREFER_CRLS option set
      *
      * @param params parameters used to check if revocation is enabled
-     *        and if so load any CRLs available
+     *        and, if so load any CRLs available
      * @param cm WolfSSLCertManager to load CRLs into
-     * @param targetCert peer/leaf cert used to find matching CRL
+     * @param certPath the CertPath being validated (for exception reporting)
+     * @param certs list of certificates from certPath
      * @param pathCheckers list of registered CertPathCheckers
      *
      * @throws CertPathValidatorException if error is encountered during
      *        revocation checking or CRL loading
      */
     private void checkRevocationEnabledAndLoadCRLs(
         PKIXParameters params, WolfSSLCertManager cm,
-        X509Certificate targetCert,
+        CertPath certPath, List<X509Certificate> certs,
         List<PKIXCertPathChecker> pathCheckers)
         throws CertPathValidatorException {
 
@@ -810,12 +838,22 @@ private void checkRevocationEnabledAndLoadCRLs(
 
             /* Enable CRL in native WolfSSLCertManager */
             cm.CertManagerEnableCRL(WolfCrypt.WOLFSSL_CRL_CHECK);
-
             log("CRL support enabled in native WolfSSLCertManager");
 
             stores = params.getCertStores();
             if (stores == null || stores.isEmpty()) {
                 log("no CertStores in PKIXParameters to load CRLs");
+
+                /* If revocation is enabled but no CRLs and no
+                 * PKIXRevocationChecker to handle OCSP, we cannot determine
+                 * revocation status. Per RFC 5280, this should fail. */
+                if (!hasRevocationChecker) {
+                    throwUndeterminedRevocationStatus(
+                        "Revocation checking enabled but no CRLs available " +
+                        "and no PKIXRevocationChecker configured for OCSP",
+                        certPath, certs);
+                }
+
                 return;
             }
 
@@ -850,7 +888,7 @@ private void checkRevocationEnabledAndLoadCRLs(
 
             /* Create CRL selector to help match target X509Certificate */
             X509CRLSelector selector = new X509CRLSelector();
-            selector.setCertificateChecking(targetCert);
+            selector.setCertificateChecking(certs.get(0));
 
             try {
                 /* Find and load any matching CRLs */
@@ -868,6 +906,16 @@ private void checkRevocationEnabledAndLoadCRLs(
             }
 
             log("loaded " + loadedCount + " CRLs into WolfSSLCertManager");
+
+            /* If no CRLs were loaded and no PKIXRevocationChecker is handling
+             * OCSP, we cannot determine revocation status. */
+            if (loadedCount == 0 && !hasRevocationChecker) {
+                throwUndeterminedRevocationStatus(
+                    "Revocation checking enabled but no CRLs found in " +
+                    "CertStores and no PKIXRevocationChecker configured " +
+                    "for OCSP",
+                    certPath, certs);
+            }
         }
         else {
             log("revocation not enabled in PKIXParameters");
@@ -953,6 +1001,31 @@ public CertPathValidatorResult engineValidate(
             }
         }
 
+        /* Zero-length cert paths are valid per RFC 5280. This occurs when
+         * CertPathBuilder determines the trust anchor itself is the target
+         * (no intermediate certificates needed). Return success with the
+         * trust anchor's public key. No need to create CertManager. */
+        if (certPath.getCertificates().isEmpty()) {
+            Set<TrustAnchor> anchors = pkixParams.getTrustAnchors();
+            if (anchors == null || anchors.isEmpty()) {
+                throw new CertPathValidatorException(
+                    "No TrustAnchors in PKIXParameters");
+            }
+
+            /* Return first trust anchor for zero-length path */
+            TrustAnchor anchor = anchors.iterator().next();
+            X509Certificate anchorCert = anchor.getTrustedCert();
+            if (anchorCert == null) {
+                throw new CertPathValidatorException(
+                    "TrustAnchor has no certificate for zero-length path");
+            }
+            log("Zero-length cert path, returning trust anchor: " +
+                anchorCert.getSubjectX500Principal().getName());
+
+            return new PKIXCertPathValidatorResult(anchor, null,
+                anchorCert.getPublicKey());
+        }
+
         /* Use wolfSSL CertManager to do chain verification */
         try {
             cm = new WolfSSLCertManager();
@@ -972,10 +1045,6 @@ public CertPathValidatorResult engineValidate(
                     certs.add((X509Certificate) cert);
                 }
             }
-            if (certs.size() == 0) {
-                throw new CertPathValidatorException(
-                    "No Certificate objects in CertPath");
-            }
 
             /* Register verify callback to override date validation if
              * PKIXParameters specifies an override date */
@@ -1019,7 +1088,7 @@ public CertPathValidatorResult engineValidate(
              * will try to find/verify CRL against trusted roots on load.
              * Pass pathCheckers so we can skip CRL setup when a
              * PKIXRevocationChecker is handling revocation via OCSP. */
-            checkRevocationEnabledAndLoadCRLs(pkixParams, cm, certs.get(0),
+            checkRevocationEnabledAndLoadCRLs(pkixParams, cm, certPath, certs,
                 pathCheckers);
 
             /* Verify cert chain */

src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXRevocationChecker.java

@@ -545,11 +545,16 @@ public void setOcspResponses(Map<X509Certificate, byte[]> responses) {
     /**
      * Get pre-loaded OCSP responses.
      *
+     * Returns the internal mutable map, not an unmodifiable copy.
+     * JDK sun.security.validator.PKIXValidator.addResponses() expects
+     * to be able to add OCSP responses to this map when using the internal
+     * Validator API.
+     *
      * @return Map of certificates to OCSP response bytes
      */
     @Override
     public Map<X509Certificate, byte[]> getOcspResponses() {
-        return Collections.unmodifiableMap(this.ocspResponses);
+        return this.ocspResponses;
     }
 
     /**

src/main/java/com/wolfssl/provider/jce/WolfSSLKeyStore.java

@@ -1808,6 +1808,62 @@ public synchronized void engineLoad(InputStream stream, char[] password)
         return;
     }
 
+    /**
+     * Probes the specified input stream to determine if it contains a
+     * keystore that is supported by this implementation.
+     *
+     * This method is used by KeyStore.getInstance(File, char[]) and similar
+     * methods to auto-detect the keystore type without requiring explicit
+     * type specification.
+     *
+     * Note: engineProbe() was added in JDK 9. No @Override annotation to
+     * maintain Java 8 compatibility. On JDK 9+ this method is called by
+     * KeyStore for auto-detection; on Java 8 it is simply unused.
+     *
+     * @param stream the keystore data to be probed. The stream must support
+     *        mark/reset so the caller can rewind after probing.
+     *
+     * @return true if the keystore data is supported (has WKS magic number),
+     *         otherwise false
+     *
+     * @throws IOException if there is an I/O problem with the keystore data
+     * @throws NullPointerException if the stream is null
+     */
+    public boolean engineProbe(InputStream stream) throws IOException {
+
+        int magic = 0;
+        DataInputStream dis = null;
+
+        if (stream == null) {
+            throw new NullPointerException("InputStream cannot be null");
+        }
+
+        /* Read first 4 bytes to check magic number */
+        stream.mark(4);
+        dis = new DataInputStream(stream);
+
+        try {
+            magic = dis.readInt();
+            if (magic == WKS_MAGIC_NUMBER) {
+                return true;
+            }
+        }
+        catch (IOException e) {
+            /* Could not read 4 bytes, not a valid WKS file, swallow
+             * exception and return false below. */
+        }
+        finally {
+            try {
+                stream.reset();
+            }
+            catch (IOException e) {
+                /* Reset failed, stream may not support mark/reset */
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Internal method for logging output.
      *