fix(Certificate): Use DN of issuer's subject, not DN of issuer's issuer

relaycorp · Jul 23, 2020 · dba2673 · dba2673
1 parent caedc6c
commit dba2673
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 5 deletions.
diff --git a/src/main/kotlin/tech/relaycorp/relaynet/wrappers/x509/Certificate.kt b/src/main/kotlin/tech/relaycorp/relaynet/wrappers/x509/Certificate.kt
@@ -60,12 +60,9 @@ class Certificate constructor(val certificateHolder: X509CertificateHolder) {
             }
 
             val subjectDistinguishedName = buildDistinguishedName(subjectCommonName)
-            val issuerDistinguishedName = if (issuerCertificate != null)
-                issuerCertificate.certificateHolder.issuer
-            else
-                subjectDistinguishedName
+            val issuerDistinguishedName =
+                issuerCertificate?.certificateHolder?.subject ?: subjectDistinguishedName
             val subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.encoded)
-
             val builder = X509v3CertificateBuilder(
                 issuerDistinguishedName,
                 generateRandomBigInteger(),

diff --git a/src/test/kotlin/tech/relaycorp/relaynet/wrappers/x509/CertificateTest.kt b/src/test/kotlin/tech/relaycorp/relaynet/wrappers/x509/CertificateTest.kt
@@ -190,12 +190,25 @@ class CertificateTest {
 
             @Test
             fun `Issuer DN should be set to subject of issuer certificate`() {
+                // Use an intermediate CA as the issuer because its subject and issuer would be
+                // different. If we use a root/self-signed CA, its subject and issuer would be
+                // the same, which would make it hard to see why the test passed.
+                val rootCAKeyPair = generateRSAKeyPair()
+                val rootCACert = Certificate.issue(
+                    "root",
+                    rootCAKeyPair.public,
+                    rootCAKeyPair.private,
+                    stubValidityEndDate,
+                    isCA = true,
+                    pathLenConstraint = 1
+                )
                 val issuerCommonName = "The issuer"
                 val issuerCertificate = Certificate.issue(
                     issuerCommonName,
                     issuerKeyPair.public,
                     issuerKeyPair.private,
                     stubValidityEndDate,
+                    rootCACert,
                     isCA = true
                 )
                 val subjectCertificate = Certificate.issue(