Update JSSTrustManager

The JSSTrustManager has been updated to generate UNKNOWN_ISSUER instead of UNTRUSTED_ISSUER to match the latest NSS.
dogtagpki · Aug 21, 2024 · a576bf1 · a576bf1
1 parent 6ee1d08
commit a576bf1
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 4 deletions.
diff --git a/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java b/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java
@@ -198,6 +198,8 @@ public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws
  throw new CertificateExpiredException("Expired certificate: " + subject);
  case ValidityStatus.INADEQUATE_KEY_USAGE:
  throw new CertificateException("Inadequate key usage: " + subject);
+ case ValidityStatus.UNKNOWN_ISSUER:
+ throw new CertificateException("Unknown issuer: " + subject);
  case ValidityStatus.UNTRUSTED_ISSUER:
  throw new CertificateException("Untrusted issuer: " + subject);
  case ValidityStatus.BAD_CERT_DOMAIN:
@@ -290,9 +292,9 @@ public void checkSignature(
  }
 
  if (issuer == null) {
- logger.debug("JSSTrustManager: Untrusted issuer: " + cert.getIssuerX500Principal());
+ logger.debug("JSSTrustManager: Unknown issuer: " + cert.getIssuerX500Principal());
 
- status.addReason(ValidityStatus.UNTRUSTED_ISSUER, cert, depth);
+ status.addReason(ValidityStatus.UNKNOWN_ISSUER, cert, depth);
 
  return;
  }

diff --git a/base/src/main/java/org/mozilla/jss/ssl/TestCertApprovalCallback.java b/base/src/main/java/org/mozilla/jss/ssl/TestCertApprovalCallback.java
@@ -47,7 +47,7 @@ public boolean approve(
  " reason=" + item.getReason() +
  " depth=" + item.getDepth());
  X509Certificate cert = item.getCert();
- if (item.getReason() == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
+ if (item.getReason() == SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER) {
  trust_the_server_cert = true;
  }
 

diff --git a/base/src/test/java/org/mozilla/jss/tests/TestCertificateApprovalCallback.java b/base/src/test/java/org/mozilla/jss/tests/TestCertificateApprovalCallback.java
@@ -55,7 +55,7 @@ public boolean approve(
 
  X509Certificate cert = item.getCert();
  if (item.getReason() ==
- SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
+ SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER) {
  trust_the_server_cert = true;
  }
  logger.debug(" cert details:");