Merge pull request #66 from cconlon/certPathValidatorFIPSFix

CertPathValidator: set PKIXParameters Signature provider if null with wolfCrypt FIPS
wolfSSL · Mar 11, 2024 · 0497ee7 · 0497ee7
2 parents 699b60d + 1140503
commit 0497ee7
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathValidator.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathValidator.java
@@ -653,9 +653,16 @@ public CertPathValidatorResult engineValidate(
         /* If we are in FIPS mode, verify wolfJCE is the Signature provider
          * to help maintain FIPS compliance */
         if (Fips.enabled && pkixParams.getSigProvider() != "wolfJCE") {
-            throw new CertPathValidatorException(
-                "CertPathParameters Signature Provider must be wolfJCE " +
-                "when using wolfCrypt FIPS");
+            if (pkixParams.getSigProvider() == null) {
+                /* Preferred Signature provider not set, set to wolfJCE */
+                pkixParams.setSigProvider("wolfJCE");
+            }
+            else {
+                throw new CertPathValidatorException(
+                    "CertPathParameters Signature Provider must be wolfJCE " +
+                    "when using wolfCrypt FIPS: " +
+                    pkixParams.getSigProvider());
+            }
         }
 
         /* Use wolfSSL CertManager to facilitate chain verification */