JCE: throw InvalidAlgorithmParameterException for non-X509CertSelector target

Author: cconlon

src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathBuilder.java

@@ -115,6 +115,14 @@ private void sanitizeCertPathParameters(CertPathParameters params)
             throw new InvalidAlgorithmParameterException(
                 "params not of type PKIXBuilderParameters");
         }
+
+        /* Target constraints must be X509CertSelector if set */
+        PKIXBuilderParameters pkixParams = (PKIXBuilderParameters)params;
+        CertSelector selector = pkixParams.getTargetCertConstraints();
+        if ((selector != null) && !(selector instanceof X509CertSelector)) {
+            throw new InvalidAlgorithmParameterException(
+                "Target certificate constraints must be X509CertSelector");
+        }
     }
 
     /**
@@ -317,7 +325,8 @@ private X509Certificate findTargetCertificate(PKIXBuilderParameters params)
 
         if (!(selector instanceof X509CertSelector)) {
             throw new CertPathBuilderException(
-                "Target certificate constraints must be X509CertSelector");
+                "Target certificate constraints must be " +
+                "X509CertSelector");
         }
 
         x509Selector = (X509CertSelector)selector;

src/test/java/com/wolfssl/provider/jce/test/WolfCryptPKIXCertPathBuilderTest.java

@@ -62,6 +62,7 @@
 import java.security.cert.CertificateException;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509CertSelector;
+import java.security.cert.CertSelector;
 import java.security.cert.CertStore;
 import java.security.cert.CollectionCertStoreParameters;
 import java.lang.IllegalArgumentException;
@@ -4478,5 +4479,47 @@ public void testBuildWithNoCertStoresFindsAnchor()
         assertNotNull("CertPathBuilderResult should not be null", result);
         checkPKIXCertPathBuilderResult(result, caCert, caCert.getPublicKey());
     }
+
+    /**
+     * Test that building with a non-X509CertSelector target constraint
+     * throws InvalidAlgorithmParameterException.
+     */
+    @Test
+    public void testNonX509CertSelectorThrowsInvalidAlgParam()
+        throws Exception {
+
+        X509Certificate caCert = loadCertFromFile(caCertDer);
+        TrustAnchor anchor = new TrustAnchor(caCert, null);
+
+        /* Custom CertSelector that is not X509CertSelector */
+        CertSelector oddSelector = new CertSelector() {
+            public boolean match(Certificate cert) {
+                return false;
+            }
+            public Object clone() {
+                try {
+                    return super.clone();
+                } catch (CloneNotSupportedException e) {
+                    throw new RuntimeException(e);
+                }
+            }
+        };
+
+        PKIXBuilderParameters params = new PKIXBuilderParameters(
+            Collections.singleton(anchor), oddSelector);
+        params.setRevocationEnabled(false);
+
+        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX", provider);
+
+        try {
+            cpb.build(params);
+            fail("Expected InvalidAlgorithmParameterException for " +
+                "non-X509CertSelector");
+        } catch (InvalidAlgorithmParameterException e) {
+            /* Expected */
+            assertNotNull("Exception message should not be null",
+                e.getMessage());
+        }
+    }
 }