Ensure there is not several certificates with same subject in truststore

eclipse-californium · May 7, 2020 · 863438a · 863438a
1 parent 0061b11
commit 863438a
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/scandium-core/src/main/java/org/eclipse/californium/scandium/config/DtlsConnectorConfig.java b/scandium-core/src/main/java/org/eclipse/californium/scandium/config/DtlsConnectorConfig.java
@@ -42,7 +42,11 @@
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
+
+import javax.security.auth.x500.X500Principal;
 
 import org.eclipse.californium.elements.DtlsEndpointContext;
 import org.eclipse.californium.elements.util.CertPathUtil;
@@ -1692,6 +1696,10 @@ public Builder setIdentity(PrivateKey privateKey, Certificate[] certificateChain
 		 * intermediate CA certificates may fail, if the other peer send a
 		 * certificate chain, which doesn't end at one of the provided CAs.
 		 * 
+		 * {@code trustedCerts} MUST NOT contain several certificates with same
+		 * subject. If you need that you should consider to use
+		 * {@link #setCertificateVerifier(CertificateVerifier)} instead.
+		 * 
 		 * This method must not be called, if
 		 * {@link #setCertificateVerifier(CertificateVerifier)} is already set.
 		 * 
@@ -1701,7 +1709,7 @@ public Builder setIdentity(PrivateKey privateKey, Certificate[] certificateChain
 		 * @return this builder for command chaining
 		 * @throws NullPointerException if the given array is <code>null</code>
 		 * @throws IllegalArgumentException if the array contains a non-X.509
-		 *             certificate
+		 *             certificate or several certificates with same subjects
 		 * @throws IllegalStateException if
 		 *             {@link #setCertificateVerifier(CertificateVerifier)} is
 		 *             already set.
@@ -1715,7 +1723,9 @@ public Builder setTrustStore(Certificate[] trustedCerts) {
 			} else if (config.certificateVerifier != null) {
 				throw new IllegalStateException("Trust store must not be used after certificate verifier is set!");
 			} else {
-				config.trustStore = SslContextUtil.asX509Certificates(trustedCerts);
+				X509Certificate[] certificates = SslContextUtil.asX509Certificates(trustedCerts);
+				checkTrustStore(certificates);
+				config.trustStore = certificates;
 			}
 			return this;
 		}
@@ -2487,5 +2497,17 @@ private void determineCipherSuitesFromConfig() {
 
 			config.supportedCipherSuites = ciphers;
 		}
+
+		private void checkTrustStore(X509Certificate[] store) {
+			List<X500Principal> subjects = CertPathUtil.toSubjects(Arrays.asList(store));
+
+			// Search for duplicates
+			Set<X500Principal> set = new HashSet<>();
+			for (X500Principal subject : subjects) {
+				if (!set.add(subject)) {
+					throw new IllegalStateException("Truststore contains 2 certificates with same subject: " + subject);
+				}
+			}
+		}
 	}
 }
diff --git a/...m-core/src/test/java/org/eclipse/californium/scandium/config/DtlsConnectorConfigTest.java b/...m-core/src/test/java/org/eclipse/californium/scandium/config/DtlsConnectorConfigTest.java
@@ -339,4 +339,12 @@ public void testAntiReplayFilterDefaultWithWindowFilter() throws Exception {
 		assertThat(config.useAntiReplayFilter(), is(false));
 		assertThat(config.useWindowFilter(), is(true));
 	}
+
+	@Test(expected = IllegalStateException.class)
+	public void testTrustStoreDoNotContainDuplicateSubject() {
+		X509Certificate[] trustedCertificates = new X509Certificate[2];
+		trustedCertificates[0] = DtlsTestTools.getTrustedRootCA();
+		trustedCertificates[1] = DtlsTestTools.getTrustedRootCA();
+		builder.setTrustStore(trustedCertificates);
+	}
 }