fix(x509): enforce leaf SVID validation and reject multiple URI SANs

maxlambrecht · maxlambrecht · commit ad79293e2297 · 2026-03-25T14:16:32.000-05:00
Signed-off-by: Max Lambrecht &lt;maxlambrecht@gmail.com&gt;
diff --git a/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidChecks.java b/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidChecks.java
@@ -0,0 +1,95 @@
+package io.spiffe.svid.x509svid;
+
+import io.spiffe.internal.CertificateUtils;
+import io.spiffe.spiffeid.SpiffeId;
+
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Objects;
+
+/**
+ * Shared validation checks for X.509-SVID certificates.
+ * <p>
+ * References:
+ * <ul>
+ *     <li>SPIFFE X.509-SVID specification, section 5.2 (Leaf Validation)</li>
+ *     <li>SPIFFE X.509-SVID specification, section 4.3 (Key Usage)</li>
+ * </ul>
+ */
+final class X509SvidChecks {
+
+    private X509SvidChecks() {
+    }
+
+    /**
+     * Validates the leaf-certificate constraints that are shared across parse-time and authentication-time
+     * validation paths.
+     * <p>
+     * Contract:
+     * <ul>
+     *     <li>The certificate is treated as a leaf and MUST NOT be a CA certificate.</li>
+     *     <li>The certificate MUST NOT set {@code keyCertSign} or {@code cRLSign} key usages.</li>
+     *     <li>The SPIFFE ID MUST have a non-root path component.</li>
+     * </ul>
+     * This method intentionally excludes parse-only requirements (for example, requiring
+     * {@code digitalSignature}, which is defined in section 4.3) so callers can reuse this
+     * baseline policy in multiple contexts.
+     *
+     * @param leaf     leaf certificate to validate
+     * @param spiffeId parsed SPIFFE ID from the leaf certificate
+     * @throws CertificateException if any shared leaf constraint is violated
+     */
+    static void validateLeafConstraints(final X509Certificate leaf, final SpiffeId spiffeId)
+            throws CertificateException {
+        Objects.requireNonNull(leaf, "leaf must not be null");
+        Objects.requireNonNull(spiffeId, "spiffeId must not be null");
+
+        if (CertificateUtils.isCA(leaf)) {
+            throw new CertificateException("Leaf certificate must not have CA flag set to true");
+        }
+        if (CertificateUtils.hasKeyUsageCertSign(leaf)) {
+            throw new CertificateException("Leaf certificate must not have 'keyCertSign' as key usage");
+        }
+        if (CertificateUtils.hasKeyUsageCRLSign(leaf)) {
+            throw new CertificateException("Leaf certificate must not have 'cRLSign' as key usage");
+        }
+
+        final String path = spiffeId.getPath();
+        if (path == null || path.isEmpty()) {
+            throw new CertificateException("Leaf certificate SPIFFE ID must have a non-root path");
+        }
+    }
+
+    /**
+     * Validates leaf-certificate requirements for {@link X509Svid} parsing.
+     * <p>
+     * Contract:
+     * <ul>
+     *     <li>Applies all checks from {@link #validateLeafConstraints(X509Certificate, SpiffeId)}.</li>
+     *     <li>Additionally requires {@code digitalSignature} key usage to be set (section 4.3).</li>
+     * </ul>
+     * This parse-time contract is intentionally stricter than authentication-time baseline checks.
+     *
+     * @param leaf     leaf certificate to validate
+     * @param spiffeId parsed SPIFFE ID from the leaf certificate
+     * @throws CertificateException if any parse-time leaf requirement is violated
+     */
+    static void validateLeafForParsing(final X509Certificate leaf, final SpiffeId spiffeId)
+            throws CertificateException {
+        if (!CertificateUtils.hasKeyUsageDigitalSignature(leaf)) {
+            throw new CertificateException("Leaf certificate must have 'digitalSignature' as key usage");
+        }
+        validateLeafConstraints(leaf, spiffeId);
+    }
+
+    static void validateSigningCertificate(final X509Certificate cert) throws CertificateException {
+        Objects.requireNonNull(cert, "cert must not be null");
+
+        if (!CertificateUtils.isCA(cert)) {
+            throw new CertificateException("Signing certificate must have CA flag set to true");
+        }
+        if (!CertificateUtils.hasKeyUsageCertSign(cert)) {
+            throw new CertificateException("Signing certificate must have 'keyCertSign' as key usage");
+        }
+    }
+}
