
Update JSSTrustManager
The JSSTrustManager has been updated to generate UNKNOWN_ISSUER
instead of UNTRUSTED_ISSUER to match the latest NSS.
edewata committed Aug 21, 2024
1 parent 6ee1d08 commit a576bf1
Showing 3 changed files with 6 additions and 4 deletions.
Expand Up @@ -198,6 +198,8 @@ public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws
throw new CertificateExpiredException("Expired certificate: " + subject);
case ValidityStatus.INADEQUATE_KEY_USAGE:
throw new CertificateException("Inadequate key usage: " + subject);
case ValidityStatus.UNKNOWN_ISSUER:
throw new CertificateException("Unknown issuer: " + subject);
case ValidityStatus.UNTRUSTED_ISSUER:
throw new CertificateException("Untrusted issuer: " + subject);
case ValidityStatus.BAD_CERT_DOMAIN:
Expand Down Expand Up @@ -290,9 +292,9 @@ public void checkSignature(
}

if (issuer == null) {
logger.debug("JSSTrustManager: Untrusted issuer: " + cert.getIssuerX500Principal());
logger.debug("JSSTrustManager: Unknown issuer: " + cert.getIssuerX500Principal());

status.addReason(ValidityStatus.UNTRUSTED_ISSUER, cert, depth);
status.addReason(ValidityStatus.UNKNOWN_ISSUER, cert, depth);

return;
}
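Review bot: Switching the `issuer == null` branch of checkSignature from UNTRUSTED_ISSUER to UNKNOWN_ISSUER changes the reason code that every SSLCertificateApprovalCallback receives for a missing issuer, and the hunk carries no comment saying so. A callback outside this commit that still tests for UNTRUSTED_ISSUER will stop matching this case; whether that leaves it stricter or looser depends on what it does with the match, so the change should be stated where it is made. I would add above the addReason call `// NSS reports an issuer that cannot be found as UNKNOWN_ISSUER; callbacks that tested UNTRUSTED_ISSUER for this case must be updated`, and repeat it in the release notes. The UNTRUSTED_ISSUER case kept in checkCertChain's switch is presumably still meant to be reachable, but nothing visible here shows which path now adds it. Both method bodies start and end outside the hunks shown.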
Expand Up @@ -47,7 +47,7 @@ public boolean approve(
" reason=" + item.getReason() +
" depth=" + item.getDepth());
X509Certificate cert = item.getCert();
if (item.getReason() == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
if (item.getReason() == SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER) {
trust_the_server_cert = true;
}
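Review bot: The `approve` callback sets `trust_the_server_cert = true` whenever the reason is UNKNOWN_ISSUER, which, if that flag decides the return value as its name suggests, accepts a server certificate from any issuer the trust store does not know, self-signed ones included. The same branch appears in the third file's `approve`. If these are test or sample clients, say so at the branch, e.g. `// test only: accepts certificates from unknown issuers; do not copy into production callbacks`; otherwise the override should be limited to an expected certificate, for example by comparing `cert` against a pinned copy before setting the flag. The rest of `approve` is outside the hunk, so how the flag is used afterwards is not visible.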

Expand Up @@ -55,7 +55,7 @@ public boolean approve(

X509Certificate cert = item.getCert();
if (item.getReason() ==
SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER) {
trust_the_server_cert = true;
}
logger.debug(" cert details:");