address PR comments

maxlambrecht · maxlambrecht · commit c2bd5588f932 · 2026-03-25T14:32:47.000-05:00
Signed-off-by: Max Lambrecht &lt;maxlambrecht@gmail.com&gt;
diff --git a/java-spiffe-core/src/main/java/io/spiffe/internal/CertificateUtils.java b/java-spiffe-core/src/main/java/io/spiffe/internal/CertificateUtils.java
@@ -106,22 +106,16 @@ public static void validate(final List<X509Certificate> chain, final Collection<
     /**
      * Extracts the SPIFFE ID from an X.509 certificate.
      * <p>
-     * It iterates over the list of SubjectAlternativesNames, read each entry, takes the value from the index
-     * defined in SAN_VALUE_INDEX and filters the entries that starts with the SPIFFE_PREFIX and returns the first.
+     * It inspects the URI Subject Alternative Name entries and parses the single SPIFFE ID value when present.
      *
      * @param certificate a {@link X509Certificate}
      * @return an instance of a {@link SpiffeId}
-     * @throws CertificateException if the certificate contains multiple SPIFFE IDs, or does not contain any, or
-     *                              the SAN extension cannot be decoded
+     * @throws CertificateException if the certificate contains multiple URI SANs, does not contain a SPIFFE ID
+     *                              in the URI SAN, or the SAN extension cannot be decoded
      */
     public static SpiffeId getSpiffeId(final X509Certificate certificate) throws CertificateException {
         List<String> spiffeIds = getSpiffeIds(certificate);
-
-        if (spiffeIds.size() > 1) {
-            throw new CertificateException("Certificate contains multiple SPIFFE IDs");
-        }
-
-        if (spiffeIds.size() < 1) {
+        if (spiffeIds.isEmpty()) {
             throw new CertificateException("Certificate does not contain SPIFFE ID in the URI SAN");
         }
 
diff --git a/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509Svid.java b/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509Svid.java
@@ -218,7 +218,7 @@ private static X509Svid createX509Svid(final byte[] certsBytes,
         final SpiffeId spiffeId = getSpiffeId(x509Certificates);
 
         try {
-            X509SvidChecks.validateLeafForParsing(x509Certificates.get(0), spiffeId);
+            X509SvidChecks.validateLeafConstraints(x509Certificates.get(0), spiffeId);
 
             // there are intermediate CA certificates
             if (x509Certificates.size() > 1) {
diff --git a/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidChecks.java b/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidChecks.java
@@ -28,12 +28,10 @@ private X509SvidChecks() {
      * Contract:
      * <ul>
      *     <li>The certificate is treated as a leaf and MUST NOT be a CA certificate.</li>
+     *     <li>The certificate MUST set {@code digitalSignature} key usage.</li>
      *     <li>The certificate MUST NOT set {@code keyCertSign} or {@code cRLSign} key usages.</li>
      *     <li>The SPIFFE ID MUST have a non-root path component.</li>
      * </ul>
-     * This method intentionally excludes parse-only requirements (for example, requiring
-     * {@code digitalSignature}, which is defined in section 4.3) so callers can reuse this
-     * baseline policy in multiple contexts.
      *
      * @param leaf     leaf certificate to validate
      * @param spiffeId parsed SPIFFE ID from the leaf certificate
@@ -47,6 +45,9 @@ static void validateLeafConstraints(final X509Certificate leaf, final SpiffeId s
         if (CertificateUtils.isCA(leaf)) {
             throw new CertificateException("Leaf certificate must not have CA flag set to true");
         }
+        if (!CertificateUtils.hasKeyUsageDigitalSignature(leaf)) {
+            throw new CertificateException("Leaf certificate must have 'digitalSignature' as key usage");
+        }
         if (CertificateUtils.hasKeyUsageCertSign(leaf)) {
             throw new CertificateException("Leaf certificate must not have 'keyCertSign' as key usage");
         }
@@ -60,28 +61,6 @@ static void validateLeafConstraints(final X509Certificate leaf, final SpiffeId s
         }
     }
 
-    /**
-     * Validates leaf-certificate requirements for {@link X509Svid} parsing.
-     * <p>
-     * Contract:
-     * <ul>
-     *     <li>Applies all checks from {@link #validateLeafConstraints(X509Certificate, SpiffeId)}.</li>
-     *     <li>Additionally requires {@code digitalSignature} key usage to be set (section 4.3).</li>
-     * </ul>
-     * This parse-time contract is intentionally stricter than authentication-time baseline checks.
-     *
-     * @param leaf     leaf certificate to validate
-     * @param spiffeId parsed SPIFFE ID from the leaf certificate
-     * @throws CertificateException if any parse-time leaf requirement is violated
-     */
-    static void validateLeafForParsing(final X509Certificate leaf, final SpiffeId spiffeId)
-            throws CertificateException {
-        if (!CertificateUtils.hasKeyUsageDigitalSignature(leaf)) {
-            throw new CertificateException("Leaf certificate must have 'digitalSignature' as key usage");
-        }
-        validateLeafConstraints(leaf, spiffeId);
-    }
-
     static void validateSigningCertificate(final X509Certificate cert) throws CertificateException {
         Objects.requireNonNull(cert, "cert must not be null");
 
diff --git a/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidValidatorTest.java b/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidValidatorTest.java
@@ -117,7 +117,7 @@ void verifySpiffeId_givenAnEmptySupplier_throwsCertificateException() {
 
     @Test
     void verifySpiffeId_leafWithCaFlagSetToTrue_throwsCertificateException() throws Exception {
-        X509Certificate certificate = mockLeafCertificate("spiffe://example.org/test", false, false, true);
+        X509Certificate certificate = mockLeafCertificate("spiffe://example.org/test", true, false, false, true);
         try {
             X509SvidValidator.verifySpiffeId(certificate, () -> Sets.newHashSet(SpiffeId.parse("spiffe://example.org/test")));
             fail("Should have thrown CertificateException");
@@ -126,9 +126,20 @@ void verifySpiffeId_leafWithCaFlagSetToTrue_throwsCertificateException() throws
         }
     }
 
+    @Test
+    void verifySpiffeId_leafWithoutDigitalSignature_throwsCertificateException() throws Exception {
+        X509Certificate certificate = mockLeafCertificate("spiffe://example.org/test", false, false, false, false);
+        try {
+            X509SvidValidator.verifySpiffeId(certificate, () -> Sets.newHashSet(SpiffeId.parse("spiffe://example.org/test")));
+            fail("Should have thrown CertificateException");
+        } catch (CertificateException e) {
+            assertEquals("Leaf certificate must have 'digitalSignature' as key usage", e.getMessage());
+        }
+    }
+
     @Test
     void verifySpiffeId_leafWithKeyCertSign_throwsCertificateException() throws Exception {
-        X509Certificate certificate = mockLeafCertificate("spiffe://example.org/test", true, false, false);
+        X509Certificate certificate = mockLeafCertificate("spiffe://example.org/test", true, true, false, false);
         try {
             X509SvidValidator.verifySpiffeId(certificate, () -> Sets.newHashSet(SpiffeId.parse("spiffe://example.org/test")));
             fail("Should have thrown CertificateException");
@@ -139,7 +150,7 @@ void verifySpiffeId_leafWithKeyCertSign_throwsCertificateException() throws Exce
 
     @Test
     void verifySpiffeId_leafWithCRLSign_throwsCertificateException() throws Exception {
-        X509Certificate certificate = mockLeafCertificate("spiffe://example.org/test", false, true, false);
+        X509Certificate certificate = mockLeafCertificate("spiffe://example.org/test", true, false, true, false);
         try {
             X509SvidValidator.verifySpiffeId(certificate, () -> Sets.newHashSet(SpiffeId.parse("spiffe://example.org/test")));
             fail("Should have thrown CertificateException");
@@ -150,7 +161,7 @@ void verifySpiffeId_leafWithCRLSign_throwsCertificateException() throws Exceptio
 
     @Test
     void verifySpiffeId_leafSpiffeIdWithoutPath_throwsCertificateException() throws Exception {
-        X509Certificate certificate = mockLeafCertificate("spiffe://example.org", false, false, false);
+        X509Certificate certificate = mockLeafCertificate("spiffe://example.org", true, false, false, false);
         try {
             X509SvidValidator.verifySpiffeId(certificate, () -> Sets.newHashSet(SpiffeId.parse("spiffe://example.org")));
             fail("Should have thrown CertificateException");
@@ -219,11 +230,15 @@ void verifyChain_nullBundleSource_throwsNullPointerException() throws Certificat
         }
     }
 
-    private X509Certificate mockLeafCertificate(String uriSan, boolean keyCertSign, boolean crlSign, boolean isCa)
+    private X509Certificate mockLeafCertificate(String uriSan,
+                                                boolean digitalSignature,
+                                                boolean keyCertSign,
+                                                boolean crlSign,
+                                                boolean isCa)
             throws Exception {
         X509Certificate certificate = Mockito.mock(X509Certificate.class);
         boolean[] keyUsage = new boolean[9];
-        keyUsage[0] = true;
+        keyUsage[0] = digitalSignature;
         keyUsage[5] = keyCertSign;
         keyUsage[6] = crlSign;
 
