Update Certificate#verify to allow nullable params

cashapp · Aug 24, 2023 · 96cd4ed · 96cd4ed
1 parent ecb65ee
commit 96cd4ed
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 13 deletions.
diff --git a/jvm/src/main/kotlin/app/cash/trifle/Certificate.kt b/jvm/src/main/kotlin/app/cash/trifle/Certificate.kt
@@ -47,25 +47,30 @@ data class Certificate internal constructor(
    * - failure value is expressed as a [TrifleErrors]
    */
   fun verify(
-    certificateRequest: CertificateRequest,
+    certificateRequest: CertificateRequest? = null,
     ancestorCertificateChain: List<Certificate>,
-    anchorCertificate: Certificate,
+    anchorCertificate: Certificate? = null,
     date: Date? = null
   ): Result<Unit> {
+    val rootCertificate = anchorCertificate ?: ancestorCertificateChain.last()
     // First check to see if the certificate chain validates
-    val certChainResult = CertChainValidatorFactory.get(anchorCertificate, date)
+    val certChainResult = CertChainValidatorFactory.get(rootCertificate, date)
       .validate(listOf(this) + ancestorCertificateChain)
 
-    return certChainResult.mapCatching {
-      val x509Certificate = X509CertificateHolder(certificate)
-      when (certificateRequest) {
-        is PKCS10Request -> {
-          // Certificate chain matches, check with certificate request.
-          // TODO(dcashman): Check other attributes as well.
-          if (certificateRequest.pkcs10Req.subject != x509Certificate.subject ||
-            certificateRequest.pkcs10Req.subjectPublicKeyInfo != x509Certificate.subjectPublicKeyInfo
-          ) {
-            throw CSRMismatch
+    return if (certificateRequest == null) {
+      certChainResult
+    } else {
+      certChainResult.mapCatching {
+        val x509Certificate = X509CertificateHolder(certificate)
+        when (certificateRequest) {
+          is PKCS10Request -> {
+            // Certificate chain matches, check with certificate request.
+            // TODO(dcashman): Check other attributes as well.
+            if (certificateRequest.pkcs10Req.subject != x509Certificate.subject ||
+              certificateRequest.pkcs10Req.subjectPublicKeyInfo != x509Certificate.subjectPublicKeyInfo
+            ) {
+              throw CSRMismatch
+            }
           }
         }
       }

diff --git a/jvm/src/test/kotlin/app/cash/trifle/CertificateTests.kt b/jvm/src/test/kotlin/app/cash/trifle/CertificateTests.kt
@@ -23,6 +23,14 @@ internal class CertificateTests {
       assertTrue(result.isSuccess)
     }
 
+    @Test
+    fun `test verify() succeeds for a stored issued certificate`() {
+      val result = endEntity.certificate.verify(
+        ancestorCertificateChain = endEntity.certChain.drop(1)
+      )
+      assertTrue(result.isSuccess)
+    }
+
     @Test
     fun `test verify() fails with CSRMismatch for a legitimate certificate from the same CA, but wrong entity`() {
       val result = endEntity.certificate.verify(