Update JSSTrustManager to support trusted peers
JSSTrustManager has been updated to mimic NSS cert validation,
which supports trusted peers. checkCertChain() has been
modified to check whether the leaf cert of the chain carries the
P,, (trusted peer) trust flags; if so, the cert chain is considered
trusted and the cert issuer is no longer checked.
edewata committed Aug 7, 2024
1 parent 4b7c3b5 commit 2e9695e
Showing 1 changed file with 24 additions and 1 deletion.
Expand Up @@ -59,13 +59,36 @@ public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws
logger.debug("JSSTrustManager: - " + cert.getSubjectX500Principal());
}

checkIssuerTrusted(certChain);
if (!isTrustedPeer(certChain)) {
checkIssuerTrusted(certChain);
}

checkValidityDates(certChain);

checkKeyUsage(certChain, keyUsage);
}

public boolean isTrustedPeer(X509Certificate[] certChain) throws Exception {

// checking trust flags on leaf cert only
X509Certificate leafCert = certChain[certChain.length - 1];
logger.debug("JSSTrustManager: Checking trust flags of cert 0x" + leafCert.getSerialNumber().toString(16));

if (! (leafCert instanceof org.mozilla.jss.crypto.X509Certificate)) {
return false;
}

org.mozilla.jss.crypto.X509Certificate jssCert = (org.mozilla.jss.crypto.X509Certificate) leafCert;

String trustFlags = jssCert.getTrustFlags();
logger.debug("JSSTrustManager: - trust flags: " + trustFlags);

int sslTrust = jssCert.getSSLTrust();
return org.mozilla.jss.crypto.X509Certificate.isTrustFlagEnabled(
org.mozilla.jss.crypto.X509Certificate.TRUSTED_PEER,
sslTrust);
}

public void checkIssuerTrusted(X509Certificate[] certChain) throws Exception {

// get CA certs
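Review bot: isTrustedPeer() indexes `certChain[certChain.length - 1]` with no guard, so an empty chain now fails with ArrayIndexOutOfBoundsException before the issuer path is reached; add `if (certChain == null || certChain.length == 0) return false;` ahead of the leaf lookup so the existing checkIssuerTrusted() path reports the failure as before. The same line assumes the leaf is the last element, i.e. a root-first ordering that must be established before this hunk (the standard X509TrustManager contract delivers the peer certificate at index 0); if checkCertChain() sorts the chain earlier, state the precondition in the comment, e.g. `// chain is sorted root-first above, so the leaf is the last element`. Because the trust flags are read from the NSS database entry of a JSS-backed certificate, a plain java.security.cert.X509Certificate received from the peer silently returns false on the instanceof check; a debug line on that early return would make the fall-through to issuer checking visible in the log. checkCertChain() starts above the hunk and checkIssuerTrusted() continues below it.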
