Merge pull request #192 from cconlon/pkixBuilderSetDate

Add PKIXBuilderParameters.setDate() support for CertPathBuilder

Author: rlm2002

README_JCE.md

@@ -624,10 +624,29 @@ TrustAnchor trustAnchor = result.getTrustAnchor();
 - Target certificate selection by certificate or subject name
 - Target certificate as trust anchor (returns empty path)
 
+#### Date Override with PKIXBuilderParameters.setDate()
+
+The `PKIXBuilderParameters.setDate()` method allows applications to validate
+certificate paths as if the current date were the specified date. This is
+useful for testing with expired certificates or validating certificates at a
+specific point in time.
+
+wolfJCE supports `PKIXBuilderParameters.setDate()` for certificate validity
+checking during chain verification. When a date override is set:
+
+1. Date validation is skipped when adding certificates to the internal store
+2. The custom date is used during chain verification via wolfSSL's
+   `wolfSSL_X509_verify_cert()` function
+
+This allows testing with expired certificates by specifying a date when the
+certificates were valid.
+
+**Note:** See "CertPathBuilder Certificate Date Validation Timing" in the
+"Behavior Discrepancies with SunJCE" section for details on how this differs
+from SunJCE behavior.
+
 #### Limitations
 
-- **Date Override**: `PKIXBuilderParameters.setDate()` is not passed to native
-  wolfSSL verification. Certificates are validated against current system time.
 - **TrustAnchor Name Constraints**: Name constraints on TrustAnchors are not
   supported. An `InvalidAlgorithmParameterException` is thrown if any
   TrustAnchor has name constraints set.
@@ -717,6 +736,38 @@ constraint violation will pass validation in wolfJCE.
 If this behavior is needed, please submit a feature request to
 support@wolfssl.com.
 
+#### CertPathBuilder Certificate Date Validation Timing
+
+When building certificate paths, SunJCE and wolfJCE differ in **when**
+certificate date validation occurs:
+
+**SunJCE behavior:**
+- Trust anchors are loaded without date validation
+- Date validation occurs only during path verification
+- The date from `PKIXBuilderParameters.getDate()` (or current time if not set)
+  is used for all date checks
+
+**wolfJCE behavior:**
+- Native wolfSSL validates certificate dates when certificates are added to
+  the internal `X509_STORE` via `wolfSSL_X509_STORE_add_cert()`
+- This validation uses the current system time, not a custom date
+- If no custom date is specified via `PKIXBuilderParameters.setDate()`,
+  certificates are validated against the current system time at both add time
+  and verification time
+- If a custom date is specified, wolfJCE skips date validation at add time
+  and performs date validation during chain verification using the custom date
+
+**Practical impact:**
+- Without a date override: Expired certificates will be rejected when added
+  to the store (stricter than SunJCE)
+- With a date override: Behavior matches SunJCE - expired certificates can be
+  added and will be validated against the custom date during verification
+
+This difference exists because wolfSSL's `wolfSSL_X509_STORE_add_cert()`
+function validates certificate dates at addition time and does not support
+passing a custom validation date. The wolfJCE implementation works around
+this by skipping add-time validation when a custom date is specified.
+
 ### Support
 ---------
 

jni/include/com_wolfssl_wolfcrypt_WolfSSLX509StoreCtx.h

@@ -67,6 +67,66 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLX509StoreCtx_isCertPath
     return 0;
 }
 
+/* Check if wolfSSL supports custom verification time (check_time)
+ * in WOLFSSL_X509_STORE. This was added in wolfSSL after 5.8.4 and is
+ * needed for PKIXBuilderParameters.setDate() support.
+ *
+ * To detect support, we set check_time on a WOLFSSL_X509_STORE, init a
+ * WOLFSSL_X509_STORE_CTX from it, and verify that check_time was propagated
+ * to the context. Older wolfSSL versions do not propagate. */
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLX509StoreCtx_isNativeStoreCheckTimeSupported
+  (JNIEnv* env, jclass jcl)
+{
+#ifdef OPENSSL_EXTRA
+    WOLFSSL_X509_STORE* store = NULL;
+    WOLFSSL_X509_STORE_CTX* ctx = NULL;
+    int supported = 0;
+
+    (void)env;
+    (void)jcl;
+
+    if (!isCertPathBuilderAvailable()) {
+        return 0;
+    }
+
+    store = wolfSSL_X509_STORE_new();
+    if (store == NULL) {
+        return 0;
+    }
+
+    ctx = wolfSSL_X509_STORE_CTX_new();
+    if (ctx == NULL) {
+        wolfSSL_X509_STORE_free(store);
+        return 0;
+    }
+
+    /* Set a test check_time on the store, using 1000000 just to test */
+    if (store->param != NULL) {
+        store->param->check_time = (time_t)1000000;
+        store->param->flags |= WOLFSSL_USE_CHECK_TIME;
+    }
+
+    /* Init ctx with the store and check if check_time
+     * was propagated from store->param to ctx->param */
+    if (wolfSSL_X509_STORE_CTX_init(ctx, store, NULL, NULL) ==
+        WOLFSSL_SUCCESS) {
+        if (ctx->param != NULL &&
+            ctx->param->check_time == (time_t)1000000) {
+            supported = 1;
+        }
+    }
+
+    wolfSSL_X509_STORE_CTX_free(ctx);
+    wolfSSL_X509_STORE_free(store);
+
+    return supported;
+#else
+    (void)env;
+    (void)jcl;
+    return 0;
+#endif
+}
+
 JNIEXPORT jlong JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLX509StoreCtx_wolfSSL_1X509_1STORE_1new
   (JNIEnv* env, jclass jcl)
 {
@@ -90,6 +150,71 @@ JNIEXPORT jlong JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLX509StoreCtx_wolfSSL_1
     return (jlong)(uintptr_t)store;
 }
 
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLX509StoreCtx_wolfSSL_1X509_1STORE_1set_1flags
+  (JNIEnv* env, jclass jcl, jlong storePtr, jlong flags)
+{
+    int ret = 0;
+#ifdef OPENSSL_EXTRA
+    WOLFSSL_X509_STORE* store = (WOLFSSL_X509_STORE*)(uintptr_t)storePtr;
+
+    (void)env;
+    (void)jcl;
+
+    if (store == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (store->param == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* Set flags directly on store->param->flags for NO_CHECK_TIME */
+    store->param->flags |= (unsigned long)flags;
+
+#else
+    (void)env;
+    (void)jcl;
+    (void)storePtr;
+    (void)flags;
+    ret = NOT_COMPILED_IN;
+#endif
+
+    return ret;
+}
+
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLX509StoreCtx_wolfSSL_1X509_1STORE_1set_1time
+  (JNIEnv* env, jclass jcl, jlong storePtr, jlong epochSeconds)
+{
+    int ret = 0;
+#ifdef OPENSSL_EXTRA
+    WOLFSSL_X509_STORE* store = (WOLFSSL_X509_STORE*)(uintptr_t)storePtr;
+
+    (void)env;
+    (void)jcl;
+
+    if (store == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    if (store->param == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    /* Set custom check time and enable the flag */
+    store->param->check_time = (time_t)epochSeconds;
+    store->param->flags |= WOLFSSL_USE_CHECK_TIME;
+
+#else
+    (void)env;
+    (void)jcl;
+    (void)storePtr;
+    (void)epochSeconds;
+    ret = NOT_COMPILED_IN;
+#endif
+
+    return ret;
+}
+
 JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLX509StoreCtx_wolfSSL_1X509_1STORE_1free
   (JNIEnv* env, jclass jcl, jlong storePtr)
 {

jni/jni_wolfssl_x509_store_ctx.c

@@ -689,9 +689,10 @@ private NativeChainResult buildAndVerifyPathNative(
         Set<TrustAnchor> anchors = null;
         List<CertStore> certStores = null;
         int maxPathLength = 0;
+        Date validationDate = null;
+        WolfSSLX509StoreCtx storeCtx = null;
 
-        log("building and verifying path using native wolfSSL X509_STORE");
-
+        log("building and verifying path using native WOLFSSL_X509_STORE");
 
         if (targetCert == null || params == null) {
             throw new CertPathBuilderException(
@@ -701,11 +702,36 @@ private NativeChainResult buildAndVerifyPathNative(
         anchors = params.getTrustAnchors();
         certStores = params.getCertStores();
         maxPathLength = params.getMaxPathLength();
+        validationDate = params.getDate();
 
-        WolfSSLX509StoreCtx storeCtx = null;
         try {
             storeCtx = new WolfSSLX509StoreCtx();
 
+            /* If a custom validation date is specified, we skip date
+             * validation when adding certificates, then set the custom
+             * verification time for chain verification.
+             *
+             * This allows for testing/use of expired certs if desired,
+             * or validating against a specific date.
+             *
+             * SunJCE only validates expiration dates on chain verification,
+             * not cert loading, so our default behavior already does some
+             * extra validation here in the case when a custom date is not
+             * set. */
+            if (validationDate != null) {
+                if (!WolfSSLX509StoreCtx.isStoreCheckTimeSupported()) {
+                    throw new CertPathBuilderException(
+                        "PKIXBuilderParameters.setDate() requires " +
+                        "a wolfSSL version that supports X509_STORE " +
+                        "check_time propagation (> 5.8.4)");
+                }
+                log("using custom validation date: " + validationDate);
+                storeCtx.setFlags(
+                    WolfSSLX509StoreCtx.WOLFSSL_NO_CHECK_TIME);
+                storeCtx.setVerificationTime(
+                    validationDate.getTime() / 1000);
+            }
+
             /* Add trust anchors to the store */
             for (TrustAnchor anchor : anchors) {