JCE: allow CertPathBuilder to work without CertStores provided

cconlon · cconlon · commit 3bfa591d9827 · 2026-02-16T17:25:08.000-07:00
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathBuilder.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathBuilder.java
@@ -284,8 +284,11 @@ private void checkSignerKeyConstraints(
     /**
      * Find the target certificate based on the X509CertSelector in params.
      *
-     * Searches through all CertStores for a certificate matching the
-     * target constraints.
+     * Searches for a certificate matching the target constraints in the
+     * following order:
+     *   1. Directly set in the selector via setCertificate()
+     *   2. In CertStores attached to the parameters
+     *   3. Among trust anchor certificates
      *
      * @param params PKIXBuilderParameters containing target selector
      *
@@ -302,8 +305,7 @@ private X509Certificate findTargetCertificate(PKIXBuilderParameters params)
         List<CertStore> certStores = null;
 
         if (params == null) {
-            throw new CertPathBuilderException(
-                "PKIXBuilderParameters is null");
+            throw new CertPathBuilderException("PKIXBuilderParameters is null");
         }
 
         selector = params.getTargetCertConstraints();
@@ -319,7 +321,8 @@ private X509Certificate findTargetCertificate(PKIXBuilderParameters params)
         }
 
         x509Selector = (X509CertSelector)selector;
-        log("searching for target certificate with selector: " + x509Selector);
+        log("searching for target certificate with selector: " +
+            x509Selector);
 
         /* Check if target cert is directly set in selector */
         targetCert = x509Selector.getCertificate();
@@ -330,32 +333,42 @@ private X509Certificate findTargetCertificate(PKIXBuilderParameters params)
 
         /* Search through CertStores for matching certificate */
         certStores = params.getCertStores();
-        if (certStores == null || certStores.isEmpty()) {
-            throw new CertPathBuilderException(
-                "No CertStores provided in PKIXBuilderParameters");
-        }
+        if (certStores != null) {
+            for (CertStore store : certStores) {
+                try {
+                    Collection<? extends Certificate> certs =
+                        store.getCertificates(x509Selector);
 
-        for (CertStore store : certStores) {
-            try {
-                Collection<? extends Certificate> certs =
-                    store.getCertificates(x509Selector);
-
-                if (certs != null && !certs.isEmpty()) {
-                    /* Return first matching certificate */
-                    targetCert = (X509Certificate) certs.iterator().next();
-                    log("found target certificate: " +
-                        targetCert.getSubjectX500Principal().getName());
-                    return targetCert;
+                    if (certs != null && !certs.isEmpty()) {
+                        targetCert = (X509Certificate)certs.iterator().next();
+                        log("found target certificate in CertStore: " +
+                            targetCert.getSubjectX500Principal().getName());
+                        return targetCert;
+                    }
+
+                } catch (CertStoreException e) {
+                    log("error searching CertStore: " + e.getMessage());
+                    /* Continue to next store */
                 }
+            }
+        }
 
-            } catch (CertStoreException e) {
-                log("error searching CertStore: " + e.getMessage());
-                /* Continue to next store */
+        /* Search trust anchor certificates as fallback */
+        Set<TrustAnchor> anchors = params.getTrustAnchors();
+        if (anchors != null) {
+            for (TrustAnchor anchor : anchors) {
+                X509Certificate anchorCert = anchor.getTrustedCert();
+                if ((anchorCert != null) && x509Selector.match(anchorCert)) {
+
+                    log("found target certificate in trust anchors: " +
+                        anchorCert.getSubjectX500Principal().getName());
+                    return anchorCert;
+                }
             }
         }
 
         throw new CertPathBuilderException(
-            "Target certificate not found in CertStores");
+            "Target certificate not found matching selector");
     }
 
     /**
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathBuilderTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathBuilderTest.java
@@ -66,6 +66,7 @@
 import java.security.cert.CollectionCertStoreParameters;
 import java.lang.IllegalArgumentException;
 import java.util.Calendar;
+import java.util.Collections;
 import java.util.Date;
 
 import com.wolfssl.wolfcrypt.WolfCrypt;
@@ -4407,5 +4408,75 @@ public void testAlgorithmConstraintsAllowValidChain()
             }
         }
     }
+
+    /**
+     * Test that building a cert path with no CertStores fails gracefully with
+     * CertPathBuilderException instead of throwing an early error about
+     * missing CertStores. Uses a non-matching subject selector so the target
+     * cert cannot be found.
+     */
+    @Test
+    public void testBuildWithNoCertStoresFailsGracefully()
+        throws Exception {
+
+        X509Certificate caCert = null;
+        TrustAnchor anchor = null;
+
+        caCert = loadCertFromFile(caCertDer);
+        anchor = new TrustAnchor(caCert, null);
+
+        /* Selector with non-matching subject, no CertStores */
+        X509CertSelector selector = new X509CertSelector();
+        selector.setSubject("CN=NonExistent, O=NoOrg, C=US");
+
+        PKIXBuilderParameters params =
+            new PKIXBuilderParameters(Collections.singleton(anchor), selector);
+        params.setRevocationEnabled(false);
+
+        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", provider);
+
+        try {
+            cpb.build(params);
+            fail("Expected CertPathBuilderException when target cert " +
+                "not found");
+        } catch (CertPathBuilderException e) {
+            /* Expected: should fail because target cert can't be found,
+             * not because of missing CertStores */
+            assertNotNull("Exception message should not be null",
+                e.getMessage());
+            assertTrue("Exception should mention target not found, got: " +
+                e.getMessage(), e.getMessage().contains("not found"));
+        }
+    }
+
+    /**
+     * Test that building a cert path with no CertStores succeeds when the
+     * target cert matches a trust anchor. The builder should find the target
+     * among trust anchors as a fallback.
+     */
+    @Test
+    public void testBuildWithNoCertStoresFindsAnchor()
+        throws Exception {
+
+        X509Certificate caCert = null;
+        TrustAnchor anchor = null;
+
+        caCert = loadCertFromFile(caCertDer);
+        anchor = new TrustAnchor(caCert, null);
+
+        /* Selector matching the trust anchor cert, no CertStores */
+        X509CertSelector selector = new X509CertSelector();
+        selector.setCertificate(caCert);
+
+        PKIXBuilderParameters params =
+            new PKIXBuilderParameters(Collections.singleton(anchor), selector);
+        params.setRevocationEnabled(false);
+
+        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", provider);
+        CertPathBuilderResult result = cpb.build(params);
+
+        assertNotNull("CertPathBuilderResult should not be null", result);
+        checkPKIXCertPathBuilderResult(result, caCert, caCert.getPublicKey());
+    }
 }
 
