Merge pull request #66 from cconlon/certPathValidatorFIPSFix

CertPathValidator: set PKIXParameters Signature provider if null with wolfCrypt FIPS
2024-03-11 16:29:57 -04:00 · 2024-03-11 16:29:57 -04:00 · 0497ee767c
parent 699b60d025 1140503101
commit 0497ee767c
1 changed files with 10 additions and 3 deletions
--- a/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathValidator.java
+++ b/src/main/java/com/wolfssl/provider/jce/WolfCryptPKIXCertPathValidator.java
@ -653,9 +653,16 @@ public class WolfCryptPKIXCertPathValidator extends CertPathValidatorSpi {
        /* If we are in FIPS mode, verify wolfJCE is the Signature provider
         * to help maintain FIPS compliance */
        if (Fips.enabled && pkixParams.getSigProvider() != "wolfJCE") {
-            throw new CertPathValidatorException(
-                "CertPathParameters Signature Provider must be wolfJCE " +
-                "when using wolfCrypt FIPS");
+            if (pkixParams.getSigProvider() == null) {
+                /* Preferred Signature provider not set, set to wolfJCE */
+                pkixParams.setSigProvider("wolfJCE");
+            }
+            else {
+                throw new CertPathValidatorException(
+                    "CertPathParameters Signature Provider must be wolfJCE " +
+                    "when using wolfCrypt FIPS: " +
+                    pkixParams.getSigProvider());
+            }
        }

        /* Use wolfSSL CertManager to facilitate chain verification */