CertPathBuilder fixes for disabledAlgorithms, date handling, and edge cases #200

Merged: rlm2002 merged 7 commits into wolfSSL:master from cconlon:certPathBuilderFixes on Feb 20, 2026
@cconlon commented Feb 16, 2026

This PR includes fixes and improvements to CertPathBuilder including:

  • Enforcing jdk.certpath.disabledAlgorithms in CertPathBuilder (signature algo, public key algo/size) and fixes trust anchor key constraint checking in CertPathValidator
  • Removes Java-level date verification from CertPathBuilder; on wolfSSL versions without native check_time support, fall back to Java based chain building and defer date validation to CertPathValidator
  • Allow CertPathBuilder to work when no CertStores are provided (target found among trust anchors)
  • Throw InvalidAlgorithmParameterException for non X509CertSelector targets

And some adjustments to CertPathValidator:

  • Adds CertManagerLoadCABufferEx() JNI wrapper for wolfSSL_CertManagerLoadCABuffer_ex(), exposing the flags parameter
  • CertPathValidator now passes WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY when loading trust anchors (per RFC 5280, trust anchors should not be date-validated) and verified intermediate CAs. Log and continue on load errors that may be caused by trusted peer cert loading on older wolfSSL builds.
  • The native verify callback now passes DER-encoded certificate bytes from the WOLFSSL_X509_STORE_CTX to Java via a new default 4-arg verify() method on WolfSSLCertManagerVerifyCallback.
  • Adds OcspResponseStatus JNI wrapper for parsing OCSP response status from raw DER bytes.

This fixes the following SunJCE tests:

security/Provider/certpath/DisabledAlgorithms/CPBuilder.java
security/cert/CertPathBuilder/targetConstraints/BuildOddSel.java
security/cert/CertPathBuilder/zeroLengthPath/ZeroLengthPath.java
security/validator/ConstructorTest.java
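
To illustrate the kind of check that enforcing jdk.certpath.disabledAlgorithms implies (signature algorithm, public key algorithm, key size), here is an added example that is not code from this PR or from the wolfSSL project. It is a simplified matcher: the class name, method names and property value are constructed for illustration, and only bare algorithm names and `keySize` constraints are handled.

```java
import java.util.*;

/* Added example (hypothetical names): simplified matcher for entries of
 * jdk.certpath.disabledAlgorithms. Entries carrying other constraints
 * (jdkCA, denyAfter, usage, '&' combinations) are ignored here; a real
 * checker has to honour them as well. */
public class DisabledAlgCheck {
    /* Split "SHA1withRSA" into {"SHA1","RSA"}; "SHA-1" is normalized to "SHA1". */
    static Set<String> decompose(String alg) {
        Set<String> parts = new HashSet<>();
        for (String p : alg.toUpperCase(Locale.ROOT).split("WITH|AND|/")) {
            if (!p.isEmpty()) parts.add(p.replace("SHA-", "SHA"));
        }
        return parts;
    }
    /* "RSA keySize < 1024" disables RSA keys whose size satisfies "< 1024". */
    static boolean violates(long v, String op, long n) {
        switch (op) {
            case "<":  return v < n;
            case "<=": return v <= n;
            case ">":  return v > n;
            case ">=": return v >= n;
            case "==": return v == n;
            case "!=": return v != n;
            default:   throw new IllegalArgumentException("bad operator " + op);
        }
    }
    /* True if sigAlg, or keyAlg at keyBits, is disabled by the property value. */
    static boolean isDisabled(String prop, String sigAlg, String keyAlg, int keyBits) {
        Set<String> sigParts = decompose(sigAlg);
        for (String entry : prop.split(",")) {
            String[] tok = entry.trim().split("\\s+");
            if (tok[0].isEmpty()) continue;
            String name = tok[0].toUpperCase(Locale.ROOT).replace("SHA-", "SHA");
            if (tok.length == 1) {          // bare name: match sig parts or key alg
                if (sigParts.contains(name) || name.equalsIgnoreCase(keyAlg)) return true;
            } else if (tok.length == 4 && tok[1].equalsIgnoreCase("keySize")) {
                if (name.equalsIgnoreCase(keyAlg)
                        && violates(keyBits, tok[2], Long.parseLong(tok[3]))) return true;
            }
        }
        return false;
    }
    public static void main(String[] args) {
        String prop = "MD2, MD5, RSA keySize < 1024, EC keySize < 224"; // constructed value
        System.out.println(isDisabled(prop, "SHA256withRSA", "RSA", 2048));
        System.out.println(isDisabled(prop, "MD5withRSA", "RSA", 2048));
        System.out.println(isDisabled(prop, "SHA256withRSA", "RSA", 512));
    }
}
```

A path builder would apply such a check to the target certificate, each candidate intermediate and the trust anchor's public key, rejecting the candidate when it returns true.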

Copilot AI left a comment

Pull request overview

This PR enhances the WolfCrypt JCE provider's certificate path building and validation to properly enforce Java security constraints and improve edge case handling. The changes ensure compliance with jdk.certpath.disabledAlgorithms security property, fix date handling for different wolfSSL versions, and improve robustness when CertStores are absent.

Changes:

  • Added enforcement of jdk.certpath.disabledAlgorithms in both CertPathBuilder and CertPathValidator for signature algorithms, public key algorithms, and key sizes
  • Modified date handling in CertPathBuilder to use native wolfSSL date checking when available, falling back to Java-based chain building with deferred date validation otherwise
  • Enhanced CertPathBuilder to find target certificates among trust anchors when no CertStores are provided
  • Added validation to reject non-X509CertSelector target constraints with InvalidAlgorithmParameterException
  • Fixed trust anchor public key constraint checking in CertPathValidator

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathBuilder.java | Implements algorithm constraint checking for certificates, trust anchors, and signer keys; adds fallback path for wolfSSL versions without native date checking; enhances target certificate finding to search trust anchors; filters intermediates based on disabled algorithms |
| src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathValidator.java | Adds trust anchor public key constraint checking for both normal and zero-length cert paths |
| src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathBuilderTest.java | Adds comprehensive test coverage for algorithm constraints (signature algorithms, key algorithms, key sizes, algorithm variants), trust anchor constraints, date handling with custom dates, intermediate filtering, zero-length paths, and non-X509CertSelector rejection |
| src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathValidatorTest.java | Adds tests for trust anchor public key constraints on both normal and zero-length cert paths |

@cconlon force-pushed the certPathBuilderFixes branch 2 times, most recently from 8f1586e to d1f5fe2, on February 19, 2026 19:31
@cconlon requested a review from Copilot on February 19, 2026 19:31
Copilot AI left a comment

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 9 comments.

@cconlon force-pushed the certPathBuilderFixes branch from d1f5fe2 to 790f6ac on February 19, 2026 21:32
@cconlon assigned rlm2002 and unassigned cconlon on Feb 19, 2026
@rlm2002 merged commit ae366dd into wolfSSL:master on Feb 20, 2026
78 checks passed