From a576bf16eb9d89149789d0a74b849cf7b6ec1008 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Wed, 21 Aug 2024 14:09:01 -0500
Subject: [PATCH] Update JSSTrustManager

The JSSTrustManager has been updated to generate UNKNOWN_ISSUER instead of UNTRUSTED_ISSUER to match the latest NSS.
---
 .../mozilla/jss/provider/javax/crypto/JSSTrustManager.java | 6 ++++--
 .../java/org/mozilla/jss/ssl/TestCertApprovalCallback.java | 2 +-
 .../mozilla/jss/tests/TestCertificateApprovalCallback.java | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java b/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java
index 8f7f2a202..5600863ca 100644
--- a/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java
+++ b/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java
@@ -198,6 +198,8 @@ public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws
 throw new CertificateExpiredException("Expired certificate: " + subject);
 case ValidityStatus.INADEQUATE_KEY_USAGE:
 throw new CertificateException("Inadequate key usage: " + subject);
+case ValidityStatus.UNKNOWN_ISSUER:
+throw new CertificateException("Unknown issuer: " + subject);
 case ValidityStatus.UNTRUSTED_ISSUER:
 throw new CertificateException("Untrusted issuer: " + subject);
 case ValidityStatus.BAD_CERT_DOMAIN:
@@ -290,9 +292,9 @@ public void checkSignature(
 }
 if (issuer == null) {
-logger.debug("JSSTrustManager: Untrusted issuer: " + cert.getIssuerX500Principal());
+logger.debug("JSSTrustManager: Unknown issuer: " + cert.getIssuerX500Principal());
-status.addReason(ValidityStatus.UNTRUSTED_ISSUER, cert, depth);
+status.addReason(ValidityStatus.UNKNOWN_ISSUER, cert, depth);
 return;
 }
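Review bot: The new `case ValidityStatus.UNKNOWN_ISSUER` sits directly above the retained `UNTRUSTED_ISSUER` case with no comment saying how the two differ, and the commit message suggests the former replaces the latter, so a reader cannot tell whether the old case is now dead or still reachable from another producer. Both still fail closed with a CertificateException, which is the right outcome, but the distinction should be documented on the switch, e.g. `// UNKNOWN_ISSUER: no issuer certificate could be located; UNTRUSTED_ISSUER: kept for callers that may still report an issuer found but not trusted`, hedged as appropriate if UNTRUSTED_ISSUER turns out to have no remaining producer. checkCertChain starts and ends outside this hunk, so I cannot see whether a default branch catches reasons not listed here.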
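Review bot: The reason emitted for a missing issuer changes from UNTRUSTED_ISSUER to UNKNOWN_ISSUER at the `status.addReason(ValidityStatus.UNKNOWN_ISSUER, cert, depth)` line, which is a silent contract change for any out-of-tree SSLCertificateApprovalCallback that keys on the old value: such a callback will no longer match and, depending on how it is written, may now reject or accept connections it previously handled the other way. The in-tree callbacks are updated in this same commit, but nothing in the hunk or the method's documentation records the new meaning, so I would add to checkSignature's Javadoc a sentence along the lines of `Reports {@code ValidityStatus.UNKNOWN_ISSUER} when no issuer certificate can be found for {@code cert}; callers that previously matched {@code UNTRUSTED_ISSUER} for this condition must be updated.` and mention it in the release notes. The early `return` after adding the reason is unchanged, so signature verification is still skipped for that certificate; that is fine as long as the reason is consumed, which the surrounding code outside the hunk presumably guarantees. checkSignature starts and ends outside this hunk.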
diff --git a/base/src/main/java/org/mozilla/jss/ssl/TestCertApprovalCallback.java b/base/src/main/java/org/mozilla/jss/ssl/TestCertApprovalCallback.java
index eba18d3e8..bf948828d 100644
--- a/base/src/main/java/org/mozilla/jss/ssl/TestCertApprovalCallback.java
+++ b/base/src/main/java/org/mozilla/jss/ssl/TestCertApprovalCallback.java
@@ -47,7 +47,7 @@ public boolean approve(
 " reason=" + item.getReason() + " depth=" + item.getDepth());
 X509Certificate cert = item.getCert();
-if (item.getReason() == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
+if (item.getReason() == SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER) {
 trust_the_server_cert = true;
 }
diff --git a/base/src/test/java/org/mozilla/jss/tests/TestCertificateApprovalCallback.java b/base/src/test/java/org/mozilla/jss/tests/TestCertificateApprovalCallback.java
index 784dd9c1b..86b59fe5e 100644
--- a/base/src/test/java/org/mozilla/jss/tests/TestCertificateApprovalCallback.java
+++ b/base/src/test/java/org/mozilla/jss/tests/TestCertificateApprovalCallback.java
@@ -55,7 +55,7 @@ public boolean approve(
 X509Certificate cert = item.getCert();
 if (item.getReason() ==
-SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
+SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER) {
 trust_the_server_cert = true;
 }
 logger.debug(" cert details:");
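Review bot: The updated condition `if (item.getReason() == SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER) { trust_the_server_cert = true; }` makes this callback accept any server certificate whose issuer cannot be found, and unlike the sibling under src/test this file lives in base/src/main, so it ships in the library jar where an application could wire it into a real socket. The name suggests it is a test fixture, but nothing in the hunk says so; I would add a class-level Javadoc line such as `Test-only approval callback: accepts certificates from unknown issuers and must not be installed outside test code.`, or consider moving the class under src/test if nothing in main depends on it. approve starts and ends outside this hunk, so I cannot confirm whether other reasons are also auto-trusted.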