JCE: use DATE_ERR_OKAY flag when loading expired trust anchors with custom validation date

Author: cconlon

jni/include/com_wolfssl_wolfcrypt_WolfSSLCertManager.h

@@ -281,6 +281,16 @@ static int nativeVerifyCallback(int preverify, WOLFSSL_X509_STORE_CTX* store)
     return (int)result;
 }
 
+JNIEXPORT jint JNICALL
+Java_com_wolfssl_wolfcrypt_WolfSSLCertManager_getWOLFSSL_1LOAD_1FLAG_1DATE_1ERR_1OKAY
+  (JNIEnv* env, jclass jcl)
+{
+    (void)env;
+    (void)jcl;
+
+    return WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY;
+}
+
 JNIEXPORT jlong JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLCertManager_CertManagerNew
   (JNIEnv* env, jclass jcl)
 {
@@ -363,6 +373,31 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLCertManager_CertManager
     return (jint)ret;
 }
 
+JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLCertManager_CertManagerLoadCABufferEx
+  (JNIEnv* env, jclass jcl, jlong cmPtr, jbyteArray in, jlong sz, jint format, jint flags)
+{
+    int ret = 0;
+    word32 buffSz = 0;
+    byte* buff = NULL;
+    WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)(uintptr_t)cmPtr;
+    (void)jcl;
+    (void)sz;
+
+    if (env == NULL || in == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    buff = (byte*)(*env)->GetByteArrayElements(env, in, NULL);
+    buffSz = (*env)->GetArrayLength(env, in);
+
+    ret = wolfSSL_CertManagerLoadCABuffer_ex(cm, buff, buffSz, format, 0,
+        (word32)flags);
+
+    (*env)->ReleaseByteArrayElements(env, in, (jbyte*)buff, JNI_ABORT);
+
+    return (jint)ret;
+}
+
 JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_WolfSSLCertManager_CertManagerUnloadCAs
   (JNIEnv* env, jclass jcl, jlong cmPtr)
 {

jni/jni_wolfssl_cert_manager.c

@@ -569,11 +569,15 @@ private void callCertPathCheckers(X509Certificate cert,
      *
      * @param params PKIXParameters from which to get TrustAnchor Set
      * @param cm WolfSSLCertManager to load TrustAnchors into as trusted roots
+     * @param validationDate custom validation date, or null to use current
+     *                       time. When non-null,
+     *                       WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY is used to allow
+     *                       loading expired/not-yet-valid CAs
      *
      * @throws CertPathValidatorException on failure to load trust anchors
      */
-    private void loadTrustAnchorsIntoCertManager(
-        PKIXParameters params, WolfSSLCertManager cm)
+    private void loadTrustAnchorsIntoCertManager(PKIXParameters params,
+        WolfSSLCertManager cm, Date validationDate)
         throws CertPathValidatorException {
 
         Set<TrustAnchor> trustAnchors = null;
@@ -601,7 +605,12 @@ private void loadTrustAnchorsIntoCertManager(
             X509Certificate anchorCert = anchor.getTrustedCert();
             if (anchorCert != null) {
                 try {
-                    cm.CertManagerLoadCA(anchorCert);
+                    if (validationDate != null) {
+                        cm.CertManagerLoadCA(anchorCert,
+                            WolfSSLCertManager.WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY);
+                    } else {
+                        cm.CertManagerLoadCA(anchorCert);
+                    }
 
                     log("loaded TrustAnchor: " +
                         anchorCert.getSubjectX500Principal().getName());
@@ -1118,7 +1127,8 @@ public CertPathValidatorResult engineValidate(
             /* Load trust anchors into CertManager from PKIXParameters.
              * This must happen before initializing cert path checkers since
              * OCSP validation requires trust anchors to verify responses. */
-            loadTrustAnchorsIntoCertManager(pkixParams, cm);
+            loadTrustAnchorsIntoCertManager(pkixParams, cm,
+                pkixParams.getDate());
 
             /* Initialize all PKIXCertPathCheckers before calling check().
              * Store the returned list so we use the same checker instances

src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathValidator.java

@@ -55,14 +55,22 @@ public class WolfSSLCertManager {
     /* lock around native WOLFSSL_CERT_MANAGER pointer use */
     private final Object cmLock = new Object();
 
+    /** Flag to allow loading certs with date errors */
+    public static final int WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY =
+        getWOLFSSL_LOAD_FLAG_DATE_ERR_OKAY();
+
     /* Verification callback, null if not set */
     private WolfSSLCertManagerVerifyCallback verifyCallback = null;
 
+    private static native int getWOLFSSL_LOAD_FLAG_DATE_ERR_OKAY();
+
     static native long CertManagerNew();
     static native void CertManagerFree(long cm);
     static native int CertManagerLoadCA(long cm, String f, String d);
     static native int CertManagerLoadCABuffer(
         long cm, byte[] in, long sz, int format);
+    static native int CertManagerLoadCABufferEx(
+        long cm, byte[] in, long sz, int format, int flags);
     static native int CertManagerUnloadCAs(long cm);
     static native int CertManagerVerifyBuffer(
         long cm, byte[] in, long sz, int format);
@@ -188,6 +196,66 @@ public synchronized void CertManagerLoadCA(X509Certificate cert)
         }
     }
 
+    /**
+     * Load CA into CertManager from byte array with extended flags.
+     *
+     * @param in byte array holding X.509 certificate to load
+     * @param sz size of input byte array, bytes
+     * @param format format of input certificate, either
+     *               WolfCrypt.SSL_FILETYPE_PEM (PEM formatted) or
+     *               WolfCrypt.SSL_FILETYPE_ASN1 (ASN.1/DER).
+     * @param flags load flags, e.g.
+     *              WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY
+     *
+     * @throws IllegalStateException WolfSSLCertManager has been freed
+     * @throws WolfCryptException on native wolfSSL error
+     */
+    public synchronized void CertManagerLoadCABufferEx(byte[] in, long sz,
+        int format, int flags)
+        throws IllegalStateException, WolfCryptException {
+
+        int ret = 0;
+
+        confirmObjectIsActive();
+
+        synchronized (cmLock) {
+            ret = CertManagerLoadCABufferEx(this.cmPtr, in, sz, format, flags);
+            if (ret != WolfCrypt.WOLFSSL_SUCCESS) {
+                throw new WolfCryptException(ret);
+            }
+        }
+    }
+
+    /**
+     * Load CA into CertManager from X509Certificate object with extended flags.
+     *
+     * @param cert X509Certificate containing CA cert
+     * @param flags load flags, e.g.
+     *              WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY
+     *
+     * @throws IllegalStateException WolfSSLCertManager has been freed
+     * @throws WolfCryptException on native wolfSSL error
+     */
+    public synchronized void CertManagerLoadCA(X509Certificate cert, int flags)
+        throws IllegalStateException, WolfCryptException {
+
+        confirmObjectIsActive();
+
+        if (cert == null) {
+            throw new WolfCryptException("Input X509Certificate is null");
+        }
+
+        synchronized (cmLock) {
+            try {
+                CertManagerLoadCABufferEx(cert.getEncoded(),
+                    cert.getEncoded().length, WolfCrypt.SSL_FILETYPE_ASN1,
+                    flags);
+            } catch (CertificateEncodingException e) {
+                throw new WolfCryptException(e);
+            }
+        }
+    }
+
     /**
      * Loads KeyStore certificates into WolfSSLCertManager object.
      *

src/main/java/com/wolfssl/wolfcrypt/WolfSSLCertManager.java

@@ -4596,8 +4596,7 @@ public void testFallbackBuilderDefersNotBeforeCheckToValidator()
     /**
      * Test end-to-end builder + validator with a valid custom date. Builds a
      * path with expired certs using a date within their validity, then
-     * validates the result. Should succeed on all wolfSSL versions (native or
-     * Java fallback).
+     * validates the result.
      */
     @Test
     public void testBuildThenValidateWithValidCustomDate()