SV.CERT.INVALID

A certificate must be validated by constructing a certification path.

Klocwork reports an SV.CERT.INVALID defect when an X.509 certificate is generated without first being validated against a certification path that ends at a trust anchor.

Vulnerability and risk

Informed trust decisions require path validation. Without path validation, the relying party cannot trust a certificate when it is presented.

A trust anchor is an authoritative entity represented via a public key and its associated data. A trust anchor is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, generally the top entity to be trusted becomes the trust anchor.

A Certification Authority (CA), for example, can be a trust anchor. A certification path begins with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.

Mitigation and prevention

The requirement that certificates must be validated by constructing a certification path ensures that a certification path to an accepted trust anchor is used for certificate validation and that the certification path includes status information. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses.

Vulnerable code example

import java.security.cert.*;
import java.io.*;
public class Test {
  public static void generateClientCertificate(final byte[] certEncoded) throws CertificateException {
    CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
    X509Certificate x509Cert = (X509Certificate) certFactory.generateCertificate(new ByteArrayInputStream(certEncoded)); // decoded from untrusted bytes, never validated against a trust anchor
  }
}

Klocwork reports an SV.CERT.INVALID defect on line 6 (the generateCertificate call), indicating, "When utilizing PKI-based authentication, application must validate certificates by constructing a certification path."

Fixed code example 1

import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.List;
import java.util.Set;
public class Test {
  public static void validatePath(List<X509Certificate> certs, Set<TrustAnchor> trustAnchors) throws GeneralSecurityException {
    CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
    PKIXParameters params = new PKIXParameters(trustAnchors);
    // Revocation checking is switched off here; the mitigation text above calls for CRL or OCSP
    // status information, so leave it enabled (or add a PKIXRevocationChecker) in production code.
    params.setRevocationEnabled(false);

    // Build the certification path from the supplied chain (end-entity certificate first).
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    CertPath path = cf.generateCertPath(certs);
    // validate() throws CertPathValidatorException if no path to one of the trust anchors exists.
    PKIXCertPathValidatorResult pkixResult = (PKIXCertPathValidatorResult) cpv.validate(path, params);
    TrustAnchor ta = pkixResult.getTrustAnchor();
    X509Certificate cert = ta.getTrustedCert();
  }
}

Klocwork no longer reports a defect because the certificate is only used after the certification path has been validated against the supplied trust anchors.
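The mitigation section and the fixed Java example both rest on the same check: a certificate is trusted only if a path from it, through any intermediates, ends at an accepted trust anchor. The following added example (not Klocwork's code) performs that check with Go's standard crypto/x509 package, which is the counterpart of the Java CertPathValidator/PKIXParameters call. It constructs its own throw-away hierarchy (a root that serves as the trust anchor, an intermediate CA and a client certificate; all keys and names are made up for the example) so that it runs offline, then validates the leaf once against the correct anchor and once against an unrelated root that carries the same subject name but a different key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed hierarchy: root (the trust anchor) -> intermediate -> leaf.
type TestPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's private key and parses the DER back into a certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestPKI generates fresh keys and certificates (constructed sample data, not real CAs).
func BuildTestPKI() (*TestPKI, error) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := ca(1, "Example Root CA")
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	inter, err := issue(ca(2, "Example Intermediate CA"), root, &intKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "client.example.test"},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, inter, &leafKey.PublicKey, intKey)
	if err != nil {
		return nil, err
	}
	return &TestPKI{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// ValidatePath is the counterpart of the Java CertPathValidator/PKIXParameters call: the leaf
// is accepted only if a certification path from it, through the supplied intermediates, ends
// at one of the given trust anchors. It returns the subject names of the first valid chain,
// leaf first, or the verification error.
func ValidatePath(leaf *x509.Certificate, intermediates, anchors []*x509.Certificate) ([]string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return nil, err // x509.UnknownAuthorityError when no path to an anchor exists
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	pki, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	// Parsing (x509.ParseCertificate, like generateCertificate in the Java example) only decodes
	// bytes; trust is established by the path check that follows.
	mid, anchor := []*x509.Certificate{pki.Intermediate}, []*x509.Certificate{pki.Root}
	fmt.Println(ValidatePath(pki.Leaf, mid, anchor))
	other, _ := BuildTestPKI() // unrelated hierarchy: same root name, different key, must be rejected
	fmt.Println(ValidatePath(pki.Leaf, mid, []*x509.Certificate{other.Root}))
}
```

Run it with `go run main.go`: the first call returns the three-element chain ending at "Example Root CA"; the second fails with an unknown-authority error because the lookalike root cannot verify the intermediate's signature. Omitting the intermediate fails the same way, since the path cannot be constructed. Note that, unlike the Java PKIX validator with revocation enabled, Go's Verify does not consult CRLs or OCSP; the status checks the mitigation text calls for have to be layered on separately.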