Fix issue with issuer cert selection

wso2 · Feb 29, 2024 · 83a7566 · 83a7566
1 parent fef11b1
commit 83a7566
Showing 1 changed file with 22 additions and 14 deletions.
diff --git a/...va/org/apache/synapse/transport/certificatevalidation/CertificateVerificationManager.java b/...va/org/apache/synapse/transport/certificatevalidation/CertificateVerificationManager.java
@@ -126,6 +126,7 @@ public void verifyCertificateValidity(javax.security.cert.X509Certificate[] peer
         CRLCache crlCache = CRLCache.getCache(cacheSize, cacheDelayMins);
 
         RevocationVerifier[] verifiers = {new OCSPVerifier(ocspCache), new CRLVerifier(crlCache)};
+        RevocationStatus revocationStatus = null;
 
         for (RevocationVerifier verifier : verifiers) {
             try {
@@ -142,8 +143,8 @@ public void verifyCertificateValidity(javax.security.cert.X509Certificate[] peer
                     CertificatePathValidator pathValidator = new CertificatePathValidator(convertedCertificates,
                             verifier);
                     pathValidator.validatePath();
+                    return;
                 } else {
-
                     if (isCertExpiryValidationEnabled) {
                         log.debug("Validating the client certificate for expiry");
                         if (isExpired(convertedCertificates)) {
@@ -153,9 +154,11 @@ public void verifyCertificateValidity(javax.security.cert.X509Certificate[] peer
 
                     log.debug("Validating client certificate with the issuer certificate retrieved from" +
                             "the trust store");
-                    verifier.checkRevocationStatus(peerCert, issuerCert);
+                    revocationStatus = verifier.checkRevocationStatus(peerCert, issuerCert);
+                    if (!RevocationStatus.GOOD.toString().equals(revocationStatus.toString())) {
+                        return;
+                    }
                 }
-                return;
             } catch (Exception e) {
                 log.debug("Certificate verification with " + verifier.getClass().getSimpleName() + " failed. ", e);
             }
@@ -237,6 +240,7 @@ public X509Certificate getVerifiedIssuerCertOfPeerCert(X509Certificate peerCert,
                 return cachedIssuerCert;
             }
         } else {
+            boolean isIssuerCertVerified = false;
             KeyStore trustStore = TrustStoreHolder.getInstance().getClientTrustStore();
             Enumeration<String> aliases;
             X509Certificate issuerCert = null;
@@ -263,23 +267,27 @@ public X509Certificate getVerifiedIssuerCertOfPeerCert(X509Certificate peerCert,
 
                 try {
                     peerCert.verify(issuerCert.getPublicKey());
-
-                    log.debug("Valid issuer certificate found in the client truststore. Caching..");
-
-                    // Store the valid issuer cert in cache for future use
-                    certCache.setCacheValue(peerCert.getSerialNumber().toString(), issuerCert);
-                    if (log.isDebugEnabled()) {
-                        log.debug("Issuer certificate with serial number: " + issuerCert.getSerialNumber()
-                                .toString() + " has been cached against the serial number:  " + peerCert
-                                .getSerialNumber().toString() + " of the peer certificate.");
-                    }
+                    isIssuerCertVerified = true;
                     break;
                 } catch (SignatureException | CertificateException | NoSuchAlgorithmException |
                          InvalidKeyException | NoSuchProviderException e) {
                     // Unable to verify the signature. Check with the next certificate in the next loop traversal.
                 }
             }
-            return issuerCert;
+
+            if (isIssuerCertVerified) {
+                log.debug("Valid issuer certificate found in the client truststore. Caching..");
+                // Store the valid issuer cert in cache for future use
+                certCache.setCacheValue(peerCert.getSerialNumber().toString(), issuerCert);
+                if (log.isDebugEnabled()) {
+                    log.debug("Issuer certificate with serial number: " + issuerCert.getSerialNumber()
+                            .toString() + " has been cached against the serial number:  " + peerCert
+                            .getSerialNumber().toString() + " of the peer certificate.");
+                }
+                return issuerCert;
+            } else {
+               throw new CertificateVerificationException("Certificate verification failed.");
+            }
         }
     }