Skip to content

Commit

Permalink
Remove unnecessary KeyUsage checks against issuer certificates (#1209)
Browse files Browse the repository at this point in the history
fixes #1206
  • Loading branch information
kevinherron authored Jan 22, 2024
1 parent 71940fe commit 25796f8
Show file tree
Hide file tree
Showing 3 changed files with 0 additions and 83 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -348,19 +348,6 @@ private static void checkAnchorValidity(
);
}
}
} else {
try {
checkIssuerKeyUsage(anchorCert);
} catch (UaException e) {
if (validationChecks.contains(ValidationCheck.KEY_USAGE_ISSUER)) {
throw e;
} else {
LOGGER.warn(
"check suppressed: certificate failed issuer KeyUsage check: {}",
anchorCert.getSubjectX500Principal().getName()
);
}
}
}
}

Expand Down Expand Up @@ -613,42 +600,6 @@ public static void checkEndEntityExtendedKeyUsage(
}
}

public static void checkIssuerKeyUsage(X509Certificate certificate) throws UaException {
boolean[] keyUsage = certificate.getKeyUsage();

if (keyUsage == null) {
throw new UaException(
StatusCodes.Bad_CertificateIssuerUseNotAllowed,
"KeyUsage extension not found"
);
}

boolean digitalSignature = keyUsage[0];
boolean keyCertSign = keyUsage[5];
boolean crlSign = keyUsage[6];

if (!digitalSignature) {
throw new UaException(
StatusCodes.Bad_CertificateIssuerUseNotAllowed,
"required KeyUsage 'digitalSignature' not found"
);
}

if (!keyCertSign) {
throw new UaException(
StatusCodes.Bad_CertificateIssuerUseNotAllowed,
"required KeyUsage 'keyCertSign' not found"
);
}

if (!crlSign) {
throw new UaException(
StatusCodes.Bad_CertificateIssuerUseNotAllowed,
"required KeyUsage 'cRLSign' not found"
);
}
}

/**
* Validate that the application URI matches the SubjectAltName URI in the given certificate.
*
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -125,33 +125,6 @@ public void check(Certificate cert, Collection<String> unresolvedCritExts) throw
);
}
}
} else {
try {
CertificateValidationUtil.checkIssuerKeyUsage((X509Certificate) cert);

LOGGER.debug(
"validated KeyUsage for issuer: {}",
((X509Certificate) cert).getSubjectX500Principal().getName()
);
} catch (UaException e) {
if (validationChecks.contains(ValidationCheck.KEY_USAGE_ISSUER) ||
criticalExtensions.contains(KEY_USAGE_OID)
) {

throw new CertPathValidatorException(
e.getMessage(),
e,
certPath,
certPath.getCertificates().indexOf(cert),
PKIXReason.INVALID_KEY_USAGE
);
} else {
LOGGER.warn(
"check suppressed: certificate failed issuer usage check: {}",
((X509Certificate) cert).getSubjectX500Principal().getName()
);
}
}
}

if (unresolvedCritExts != null && !unresolvedCritExts.isEmpty()) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,13 +43,6 @@ public enum ValidationCheck {
*/
EXTENDED_KEY_USAGE_END_ENTITY,

/**
* The KeyUsage extension must be present and checked for CA certificates.
* <p>
* This check does not apply to self-signed end-entity certificates.
*/
KEY_USAGE_ISSUER,

/**
* Revocation checking must happen.
*/
Expand Down

0 comments on commit 25796f8

Please sign in to comment.