

Moving away from self signed for production and also adding the cca c…
…ert to check against
CharanSahaj committed Jul 3, 2019
1 parent 6593e31 commit 84fdc18
Showing 7 changed files with 27 additions and 11 deletions.
Expand Up @@ -96,6 +96,12 @@ public class ApplicationConfiguration {
@Value("${MANUFACTURER_DIGITAL_CERT_VALIDATION_ENABLED:true}")
private boolean manufacturerDigitalCertValidationEnabled;

@Value("${self-signed-validity:false}")
private String selfSignedValidity;

@Value("${CCA_CERT_PATH:classpath:CCAcertificate.pem}")
private String ccaCertificatePath;

private List<FlightInformationRegion> firs = new ArrayList<>();

@Bean
Expand Down Expand Up @@ -257,7 +263,7 @@ DigitalSignatureVerifierService signatureVerifierService(ManufacturerService man

@Bean
DigitalCertificateValidatorService digitalCertificateValidatorService() {
return new DigitalCertificateValidatorServiceImpl();
return new DigitalCertificateValidatorServiceImpl(Boolean.valueOf(selfSignedValidity),ccaCertificatePath);
}

@Bean
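Review bot: `Boolean.valueOf(selfSignedValidity)` in the `digitalCertificateValidatorService()` bean is only needed because the property is bound to a `String`; Spring converts booleans itself, so bind it as `@Value("${self-signed-validity:false}") private boolean selfSignedValidity;` and pass the field directly. The two new defaults also do not line up with the rest of the commit: the code default is `false`, but `src/main/resources/application.yml` in this same commit sets `self-signed-validity: true`, so the shipped configuration still accepts self-signed certificates. `CCA_CERT_PATH` defaults to `classpath:CCAcertificate.pem`, a prefix only Spring's resource loader resolves, while the validator opens the value with `FileInputStream`; consider binding it as `@Value("${CCA_CERT_PATH:classpath:CCAcertificate.pem}") private Resource ccaCertificate;` and handing the validator an already-parsed `X509Certificate`, so a missing or malformed CCA certificate fails at startup rather than on the first validation. The new keys also mix naming styles (`CCA_CERT_PATH` vs `self-signed-validity`) next to the existing `MANUFACTURER_DIGITAL_CERT_VALIDATION_ENABLED`; `ApplicationConfiguration` continues outside both hunks.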
Expand Up @@ -6,7 +6,6 @@
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.X509TrustedCertificateBlock;

import java.io.*;
import java.security.*;
Expand All @@ -18,8 +17,12 @@

public class DigitalCertificateValidatorServiceImpl implements DigitalCertificateValidatorService {

public DigitalCertificateValidatorServiceImpl() {
private boolean selfSignedValidity;
private String ccaCertificatePath;

public DigitalCertificateValidatorServiceImpl(boolean selfSignedValidity, String ccaCertificatePath) {
this.selfSignedValidity=selfSignedValidity;
this.ccaCertificatePath = ccaCertificatePath;
}

@Override
Expand Down Expand Up @@ -49,6 +52,13 @@ public boolean isValidCertificate(X509Certificate clientCertificate, String manu
CertificateFactory cf = CertificateFactory.getInstance("X.509");
CertPathValidator validator = CertPathValidator.getInstance("PKIX", "BC");
Set<TrustAnchor> anchors = new HashSet<>();
if (!selfSignedValidity){
inputstream = new FileInputStream(ccaCertificatePath);
certificateChainString = IOUtils.toString(inputstream, "UTF-8");
PEMParser rootCaReader = new PEMParser(new StringReader(certificateChainString));
X509CertificateHolder rootCertHolder = (X509CertificateHolder) rootCaReader.readObject();
anchors.add(new TrustAnchor(new JcaX509CertificateConverter().setProvider( "BC" ).getCertificate( rootCertHolder ),null));
}
for (X509Certificate certif : certs) {
anchors.add(new TrustAnchor(certif, null));
}
Expand All @@ -62,10 +72,10 @@ public boolean isValidCertificate(X509Certificate clientCertificate, String manu
throw new InvalidDigitalCertificateException();
}
try {
if (isSelfSigned(trustedCertificate)) {
if (isSelfSigned(trustedCertificate) && selfSignedValidity) {
found = true;
} else if (!clientCertificate.equals(trustedCertificate)) {
clientCertificate = trustedCertificate;
clientCertificate = trustedCertificate; //todo: figure out why this line exists
}
} catch (NoSuchProviderException e) {
throw new InvalidDigitalCertificateException();
Expand Down Expand Up @@ -98,9 +108,7 @@ private boolean isDNMatching(String issuerDNName, String subjectDNName, String a
return match;
}

private boolean isSelfSigned(X509Certificate cert)
throws CertificateException, NoSuchAlgorithmException,
NoSuchProviderException {
private boolean isSelfSigned(X509Certificate cert) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
try {
PublicKey key = cert.getPublicKey();
cert.verify(key);
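Review bot: In the `anchors` hunk of `isValidCertificate`, `new FileInputStream(ccaCertificatePath)` cannot open the configured default `classpath:CCAcertificate.pem`, so with `self-signed-validity=false` and the default path every validation would fail with a `FileNotFoundException` unless the path is overridden to a plain file. The new CCA anchor is also undermined by the loop that follows it: every element of `certs` is still added as a `TrustAnchor`, and if `certs` is the chain supplied with the request (its origin is outside this hunk, please confirm) the PKIX path can terminate at a caller-provided root regardless of the CCA certificate; those certificates should be intermediates in the `CertPath`, not anchors. Minor points in the same lines: the PEM is re-read from disk on every call and the stream is not visibly closed here, and `readObject()` returning `null` or a non-certificate object surfaces as a `NullPointerException`/`ClassCastException` instead of `InvalidDigitalCertificateException`. Parsing the CCA certificate once in the constructor (failing fast at startup) is the cleaner fix; the sketch below keeps it in place but repairs the path handling and error mapping. `isValidCertificate` starts before and ends after this hunk.
```java
Set<TrustAnchor> anchors = new HashSet<>();
if (!selfSignedValidity) {
    // FileInputStream does not resolve the "classpath:" prefix used by the CCA_CERT_PATH default.
    // Preferably parse this once in the constructor so a bad CCA cert fails at startup, not per request.
    String classpathPrefix = "classpath:";
    try (InputStream ccaIn = ccaCertificatePath.startsWith(classpathPrefix)
                ? getClass().getClassLoader().getResourceAsStream(ccaCertificatePath.substring(classpathPrefix.length()))
                : new FileInputStream(ccaCertificatePath);
         PEMParser rootCaReader = new PEMParser(new InputStreamReader(ccaIn, "UTF-8"))) {
        Object pemObject = rootCaReader.readObject();
        if (!(pemObject instanceof X509CertificateHolder)) {
            throw new InvalidDigitalCertificateException(); // missing, empty or non-certificate PEM
        }
        X509Certificate ccaRoot = new JcaX509CertificateConverter().setProvider("BC")
                .getCertificate((X509CertificateHolder) pemObject);
        anchors.add(new TrustAnchor(ccaRoot, null));
    }
}
// … unchanged: loop adding each entry of certs as a TrustAnchor (see note: not anchors when the CCA root is in use) …
```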
Binary file added src/main/resources/CCAcertificate.pem
Binary file not shown.
2 changes: 2 additions & 0 deletions src/main/resources/application.yml
Expand Up @@ -40,3 +40,5 @@ flyway:

server:
port: 9000

self-signed-validity: true
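Review bot: `self-signed-validity: true` is being added to `src/main/resources/application.yml`, which is the configuration shipped with the application, so on this commit self-signed client certificates are still accepted unless a deployment overrides the key; that contradicts the commit title. Either drop the line (the `@Value` default in `ApplicationConfiguration` is already `false`) or set `self-signed-validity: false` here and keep `true` only in `src/test/resources/application.yml`. A short comment next to the key, such as `# accept self-signed client certs instead of validating against the CCA root; must be false in production`, would make the intent visible to whoever edits this file next.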
Expand Up @@ -10,8 +10,6 @@

import static junit.framework.TestCase.assertTrue;
import static junit.framework.TestCase.fail;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.mock;

public class DigitalCertificateValidatorServiceImplTest {

Expand All @@ -21,7 +19,7 @@ public class DigitalCertificateValidatorServiceImplTest {

@Before
public void setUp() {
digitalCertificateValidatorService = new DigitalCertificateValidatorServiceImpl();
digitalCertificateValidatorService = new DigitalCertificateValidatorServiceImpl(true,"/src/test/resources/CCAcertificate.pem");
}

@Test
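Review bot: The updated `setUp()` constructs the validator with `true`, which takes the self-signed branch and never touches the CCA certificate, so the new CCA code path in `DigitalCertificateValidatorServiceImpl` has no test exercising it; the path `"/src/test/resources/CCAcertificate.pem"` is also absolute from the filesystem root and will not exist on a typical checkout. Add a second fixture, `new DigitalCertificateValidatorServiceImpl(false, "src/test/resources/CCAcertificate.pem")` (relative to the module directory the build tool runs tests from, please confirm for this project), with tests asserting that a chain rooted at the CCA certificate is accepted and a chain rooted elsewhere, including a self-signed one, is rejected. Since the PEM is committed as a binary blob that reviewers cannot inspect here, a test that loads it and asserts the expected subject DN would also make the checked-in anchor verifiable. The test class continues outside this hunk.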
Binary file added src/test/resources/CCAcertificate.pem
Binary file not shown.
2 changes: 2 additions & 0 deletions src/test/resources/application.yml
Expand Up @@ -38,3 +38,5 @@ flyway:
user: digitalsky
password: digitalsky
locations: classpath:/db/migration

self-signed-validity: true
