Merge pull request #190 from cconlon/certPathBuilder

Add JCE PKIX CertPathBuilder implementation

Author: rlm2002

IDE/Android/app/src/main/cpp/CMakeLists.txt

@@ -373,6 +373,7 @@ add_library(wolfcryptjni SHARED
         ${wolfcryptjni_DIR}/jni/jni_wolfcrypt.c
         ${wolfcryptjni_DIR}/jni/jni_wolfobject.c
         ${wolfcryptjni_DIR}/jni/jni_wolfssl_cert_manager.c
+        ${wolfcryptjni_DIR}/jni/jni_wolfssl_x509_store_ctx.c
 )
 
 # set_target_properties(wolfcryptjni PROPERTIES LIBRARY_OUTPUT_DIRECTORY

IDE/WIN/wolfcryptjni.vcxproj

@@ -104,6 +104,7 @@
     <ClCompile Include="..\..\jni\jni_wolfcrypt.c" />
     <ClCompile Include="..\..\jni\jni_wolfobject.c" />
     <ClCompile Include="..\..\jni\jni_wolfssl_cert_manager.c" />
+    <ClCompile Include="..\..\jni\jni_wolfssl_x509_store_ctx.c" />
   </ItemGroup>
   <PropertyGroup Label="Globals">
     <VCProjectVersion>16.0</VCProjectVersion>

IDE/WIN/wolfcryptjni.vcxproj.filters

@@ -215,6 +215,9 @@
     <ClCompile Include="..\..\jni\jni_wolfssl_cert_manager.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\jni\jni_wolfssl_x509_store_ctx.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
     <ClCompile Include="..\..\jni\jni_jce_wolfsslkeystore.c">
       <Filter>Source Files</Filter>
     </ClCompile>

README_JCE.md

@@ -239,6 +239,9 @@ The JCE provider currently supports the following algorithms:
     CertPathValidator Class
         PKIX (with PKIXRevocationChecker via getRevocationChecker())
 
+    CertPathBuilder Class
+        PKIX
+
     SecretKeyFactory
         PBKDF2WithHmacSHA1
         PBKDF2WithHmacSHA224
@@ -563,6 +566,77 @@ Applications should use TrustAnchors without explicit name constraints; if
 name constraint enforcement is needed, the constraints should be embedded in
 the trust anchor certificate itself.
 
+### CertPathBuilder (PKIX) Implementation Notes
+---------
+
+wolfJCE provides a PKIX CertPathBuilder implementation that builds and
+validates certificate chains using native wolfSSL's
+`wolfSSL_X509_verify_cert()` function.
+
+#### Native Chain Building with Backtracking
+
+The CertPathBuilder uses native wolfSSL `X509_STORE` APIs for certificate chain
+building. This provides automatic backtracking when a candidate issuer fails
+verification. wolfSSL will try alternative issuers until a valid path is found
+or all possibilities are exhausted.
+
+#### Usage Example
+
+```java
+/* Load certificates */
+X509Certificate targetCert = ...;
+X509Certificate intermediateCert = ...;
+X509Certificate rootCACert = ...;
+
+/* Set up trust anchors */
+Set<TrustAnchor> anchors = new HashSet<>();
+anchors.add(new TrustAnchor(rootCACert, null));
+
+/* Set up CertStore with available certificates */
+Collection<Certificate> certs = new ArrayList<>();
+certs.add(targetCert);
+certs.add(intermediateCert);
+CertStore certStore = CertStore.getInstance("Collection",
+    new CollectionCertStoreParameters(certs));
+
+/* Configure parameters */
+X509CertSelector selector = new X509CertSelector();
+selector.setCertificate(targetCert);
+PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
+params.setRevocationEnabled(false);
+params.addCertStore(certStore);
+
+/* Build certificate path */
+CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", "wolfJCE");
+PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) cpb.build(params);
+
+CertPath certPath = result.getCertPath();
+TrustAnchor trustAnchor = result.getTrustAnchor();
+```
+
+#### Supported Features
+
+- RSA and ECC certificate chains
+- Multiple intermediate certificates
+- Multiple trust anchors (correct one selected automatically)
+- Multiple CertStores
+- `maxPathLength` constraint enforcement
+- Target certificate selection by certificate or subject name
+- Target certificate as trust anchor (returns empty path)
+
+#### Limitations
+
+- **Date Override**: `PKIXBuilderParameters.setDate()` is not passed to native
+  wolfSSL verification. Certificates are validated against current system time.
+- **TrustAnchor Name Constraints**: Name constraints on TrustAnchors are not
+  supported. An `InvalidAlgorithmParameterException` is thrown if any
+  TrustAnchor has name constraints set.
+- **Policy Processing**: Certificate policy processing is not supported.
+  `PKIXCertPathBuilderResult.getPolicyTree()` returns null.
+- **Revocation Checking**: Revocation checking during path building is not
+  currently integrated. Use `CertPathValidator` with `PKIXRevocationChecker`
+  for revocation checking after path building.
+
 ### Behavior Discrepancies with SunJCE
 ---------