From 2e9695e83b916b70287f27f98b4f5f30e6092dd0 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 2 Aug 2024 16:36:49 -0500 Subject: [PATCH] Update JSSTrustManager to support trusted peers JSSTrustManager has been updated to mimic NSS cert validation which supports trusted peers. The checkCertChain() has been modified to check whether the cert chain has P,, trust flags, and if that's the case the cert chain is considered trusted so it's not necessary to check the cert issuer anymore. --- .../javax/crypto/JSSTrustManager.java | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java b/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java
index de188614a..dd4626284 100644
--- a/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java
+++ b/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java
@@ -59,13 +59,36 @@ public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws
 logger.debug("JSSTrustManager: - " + cert.getSubjectX500Principal());
 }
- checkIssuerTrusted(certChain);
+ if (!isTrustedPeer(certChain)) {
+ checkIssuerTrusted(certChain);
+ }
 checkValidityDates(certChain);
 checkKeyUsage(certChain, keyUsage);
 }
+ public boolean isTrustedPeer(X509Certificate[] certChain) throws Exception {
+
+ // checking trust flags on leaf cert only
+ X509Certificate leafCert = certChain[certChain.length - 1];
+ logger.debug("JSSTrustManager: Checking trust flags of cert 0x" + leafCert.getSerialNumber().toString(16));
+
+ if (! (leafCert instanceof org.mozilla.jss.crypto.X509Certificate)) {
+ return false;
+ }
+
+ org.mozilla.jss.crypto.X509Certificate jssCert = (org.mozilla.jss.crypto.X509Certificate) leafCert;
+
+ String trustFlags = jssCert.getTrustFlags();
+ logger.debug("JSSTrustManager: - trust flags: " + trustFlags);
+
+ int sslTrust = jssCert.getSSLTrust();
+ return org.mozilla.jss.crypto.X509Certificate.isTrustFlagEnabled(
+ org.mozilla.jss.crypto.X509Certificate.TRUSTED_PEER,
+ sslTrust);
+ }
+
 public void checkIssuerTrusted(X509Certificate[] certChain) throws Exception {
 // get CA certs
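Review bot: `isTrustedPeer` reads `certChain[certChain.length - 1]` with no length check, so an empty chain now fails inside checkCertChain with an ArrayIndexOutOfBoundsException before `checkIssuerTrusted` can reject it; a guard at the top of the method, `if (certChain == null || certChain.length == 0) { return false; }`, keeps the old rejection path. The comment says "leaf cert only", but which end of the array is the leaf depends on how checkCertChain orders the chain (its start lies outside this hunk): under the JSSE X509TrustManager convention index 0 is the peer certificate and the last element is the root, in which case the P flag is read off the wrong certificate — confirm against the caller before relying on it. Because a match skips issuer validation entirely, the comment should also say where the trust comes from, e.g. `// NSS trusted-peer semantics: a P,, SSL trust flag on the presented cert itself makes it trusted without any issuer/chain check; presumably the flags come from the NSS DB entry behind this JSS cert object — confirm`.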