reject CAs from the truststore if their issuer is not already in it

nuts-foundation · Nov 4, 2024 · 166a04e · 166a04e
1 parent e19ac56
commit 166a04e
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 7 deletions.
diff --git a/pki/interface.go b/pki/interface.go
@@ -75,6 +75,7 @@ type Validator interface {
 
 	// AddTruststore adds all CAs to the truststore for validation of CRL signatures. It also adds all CRL Distribution Endpoints found in the chain.
 	// CRL Distribution Points encountered during operation, such as on end user certificates, are only added to the monitored CRLs if their issuer is in the truststore.
+	// This fails if any of the issuers mentioned in the chain is not also in the chain or already in the truststore
 	AddTruststore(chain []*x509.Certificate) error
 
 	// SubscribeDenied registers a callback that is triggered everytime the denylist is updated.

diff --git a/pki/validator.go b/pki/validator.go
@@ -249,13 +249,7 @@ func (v *validator) AddTruststore(chain []*x509.Certificate) error {
 	for _, certificate = range chain {
 		issuer, ok := v.getCert(certificate.Issuer.String())
 		if !ok {
-			err = fmt.Errorf("certificate's issuer is not in the trust store: subject=%s, issuer=%s", certificate.Subject.String(), certificate.Issuer.String())
-			if !v.softfail {
-				return fmt.Errorf("pki: %w", err)
-			}
-			// Can happen if the intermediate CA issuing end entity (EE) certificates is added, but not its issuer. EE wil be checked for revocation, CA revocation is not.
-			logger().WithError(err).Warn("Did not add CRL Distribution Points")
-			continue
+			return fmt.Errorf("pki: certificate's issuer is not in the trust store: subject=%s, issuer=%s", certificate.Subject.String(), certificate.Issuer.String())
 		}
 		err = v.addEndpoints(issuer, certificate.CRLDistributionPoints)
 		if err != nil {