diff --git a/src/main/java/com/ispirit/digitalsky/configuration/ApplicationConfiguration.java b/src/main/java/com/ispirit/digitalsky/configuration/ApplicationConfiguration.java
index f05d585..ebd6d16 100644
--- a/src/main/java/com/ispirit/digitalsky/configuration/ApplicationConfiguration.java
+++ b/src/main/java/com/ispirit/digitalsky/configuration/ApplicationConfiguration.java
@@ -96,6 +96,12 @@ public class ApplicationConfiguration {
 @Value("${MANUFACTURER_DIGITAL_CERT_VALIDATION_ENABLED:true}")
 private boolean manufacturerDigitalCertValidationEnabled;
+ @Value("${self-signed-validity:false}")
+ private String selfSignedValidity;
+
+ @Value("${CCA_CERT_PATH:classpath:CCAcertificate.pem}")
+ private String ccaCertificatePath;
+
 private List firs = new ArrayList<>();
 @Bean
@@ -257,7 +263,7 @@ DigitalSignatureVerifierService signatureVerifierService(ManufacturerService man
 @Bean
 DigitalCertificateValidatorService digitalCertificateValidatorService() {
- return new DigitalCertificateValidatorServiceImpl();
+ return new DigitalCertificateValidatorServiceImpl(Boolean.valueOf(selfSignedValidity),ccaCertificatePath);
 }
 @Bean
diff --git a/src/main/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImpl.java b/src/main/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImpl.java
index 050fb46..f85ee34 100644
--- a/src/main/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImpl.java
+++ b/src/main/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImpl.java
@@ -6,7 +6,6 @@ import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.X509TrustedCertificateBlock;
 import java.io.*;
 import java.security.*;
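Review bot: `selfSignedValidity` is bound as a `String` with default `false` and then converted with `Boolean.valueOf` in `digitalCertificateValidatorService()` (hunk @@ -257); binding it as `@Value("${self-signed-validity:false}") private boolean selfSignedValidity;` lets Spring perform the conversion and reject a non-boolean value at startup instead of silently mapping it to false. The default for `CCA_CERT_PATH` is `classpath:CCAcertificate.pem`, but the consumer in DigitalCertificateValidatorServiceImpl opens the value with `new FileInputStream(ccaCertificatePath)`, which does not understand the `classpath:` prefix, so the default only works once the property is overridden with a filesystem path; either document on the field that `CCA_CERT_PATH` must be a filesystem path or bind it as a Spring `Resource` and hand the service its stream. Note also that the bundled application.yml in this commit sets `self-signed-validity: true`, which disables the CCA anchor this property introduces.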
@@ -18,8 +17,12 @@ public class DigitalCertificateValidatorServiceImpl implements DigitalCertificateValidatorService {
- public DigitalCertificateValidatorServiceImpl() {
+ private boolean selfSignedValidity;
+ private String ccaCertificatePath;
+ public DigitalCertificateValidatorServiceImpl(boolean selfSignedValidity, String ccaCertificatePath) {
+ this.selfSignedValidity=selfSignedValidity;
+ this.ccaCertificatePath = ccaCertificatePath;
 }
 @Override
@@ -49,6 +52,13 @@ public boolean isValidCertificate(X509Certificate clientCertificate, String manu
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
 CertPathValidator validator = CertPathValidator.getInstance("PKIX", "BC");
 Set anchors = new HashSet<>();
+ if (!selfSignedValidity){
+ inputstream = new FileInputStream(ccaCertificatePath);
+ certificateChainString = IOUtils.toString(inputstream, "UTF-8");
+ PEMParser rootCaReader = new PEMParser(new StringReader(certificateChainString));
+ X509CertificateHolder rootCertHolder = (X509CertificateHolder) rootCaReader.readObject();
+ anchors.add(new TrustAnchor(new JcaX509CertificateConverter().setProvider( "BC" ).getCertificate( rootCertHolder ),null));
+ }
 for (X509Certificate certif : certs) {
 anchors.add(new TrustAnchor(certif, null));
 }
@@ -62,10 +72,10 @@ public boolean isValidCertificate(X509Certificate clientCertificate, String manu
 throw new InvalidDigitalCertificateException();
 }
 try {
- if (isSelfSigned(trustedCertificate)) {
+ if (isSelfSigned(trustedCertificate) && selfSignedValidity) {
 found = true;
 } else if (!clientCertificate.equals(trustedCertificate)) {
- clientCertificate = trustedCertificate;
+ clientCertificate = trustedCertificate; //todo: figure out why this line exists
 }
 } catch (NoSuchProviderException e) {
 throw new InvalidDigitalCertificateException();
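Review bot: The two fields introduced in the constructor hunk are mutable although they are only ever assigned in the constructor; `private final boolean selfSignedValidity;` and `private final String ccaCertificatePath;` record that intent, and `this.selfSignedValidity = selfSignedValidity;` should get the same spacing as the assignment below it. When `selfSignedValidity` is false the path is mandatory, so the constructor is the right place to reject a missing one with `Objects.requireNonNull(ccaCertificatePath, "ccaCertificatePath")` rather than discovering it on the first validation call. The class body continues outside the hunk.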
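Review bot: The new block in the @@ -49 hunk opens `new FileInputStream(ccaCertificatePath)` and a `PEMParser` and closes neither, and it casts `rootCaReader.readObject()` to `X509CertificateHolder` without checking for `null` (empty file) or a different PEM object type, so a misconfigured root file surfaces as a NullPointerException or ClassCastException rather than a validation failure. The stream should be opened with try-with-resources and the parsed object checked before conversion; because `ccaCertificatePath` is fixed at construction, loading the anchor once in the constructor would additionally fail fast on a bad path at startup instead of on every call, and `FileInputStream` will not resolve the `classpath:CCAcertificate.pem` default configured in ApplicationConfiguration. Separately, the unchanged loop right after the new block still adds every certificate in `certs` as a `TrustAnchor`; if `certs` is parsed from the caller-supplied chain (its origin is outside the hunk), those anchors let the chain validate against itself and the CCA anchor adds no assurance, so when `selfSignedValidity` is false the CCA root should be the only anchor. `isValidCertificate` starts and ends outside the hunk.
```java
Set anchors = new HashSet<>();
if (!selfSignedValidity) {
    try (InputStream rootIn = new FileInputStream(ccaCertificatePath);
         PEMParser rootCaReader = new PEMParser(new InputStreamReader(rootIn, "UTF-8"))) {
        Object pemObject = rootCaReader.readObject();
        // Reject an empty file or a non-certificate PEM block instead of letting the cast fail.
        if (!(pemObject instanceof X509CertificateHolder)) {
            throw new InvalidDigitalCertificateException();
        }
        X509Certificate rootCert = new JcaX509CertificateConverter()
                .setProvider("BC")
                .getCertificate((X509CertificateHolder) pemObject);
        anchors.add(new TrustAnchor(rootCert, null));
    }
}
// … unchanged: loop over certs, PKIX validation …
```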
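Review bot: The `//todo: figure out why this line exists` comment on the reassignment of `clientCertificate` in the @@ -62 hunk is committed without an answer, and the new flag changes what that branch does: with `selfSignedValidity` false, a self-signed entry in the chain no longer sets `found` and instead falls into the `else if`, which replaces `clientCertificate` with that certificate, so the certificate eventually validated may not be the one the caller presented (the rest of the loop is outside the hunk). Either resolve the todo or replace it with a comment stating the intended walk-up-the-chain semantics so the next reader does not have to guess. Testing the cheap flag first, `if (selfSignedValidity && isSelfSigned(trustedCertificate)) {`, also skips the signature verification entirely when self-signed acceptance is disabled.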
@@ -98,9 +108,7 @@ private boolean isDNMatching(String issuerDNName, String subjectDNName, String a
 return match;
 }
- private boolean isSelfSigned(X509Certificate cert)
- throws CertificateException, NoSuchAlgorithmException,
- NoSuchProviderException {
+ private boolean isSelfSigned(X509Certificate cert) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
 try {
 PublicKey key = cert.getPublicKey();
 cert.verify(key);
diff --git a/src/main/resources/CCAcertificate.pem b/src/main/resources/CCAcertificate.pem
new file mode 100644
index 0000000..2c89b7e
Binary files /dev/null and b/src/main/resources/CCAcertificate.pem differ
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 6574840..e309457 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -40,3 +40,5 @@ flyway:
 server:
 port: 9000
+
+self-signed-validity: true
diff --git a/src/test/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImplTest.java b/src/test/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImplTest.java
index f816ccb..d24107b 100644
--- a/src/test/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImplTest.java
+++ b/src/test/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImplTest.java
@@ -10,8 +10,6 @@ import static junit.framework.TestCase.assertTrue;
 import static junit.framework.TestCase.fail;
-import static org.hamcrest.Matchers.is;
-import static org.mockito.Mockito.mock;
 public class DigitalCertificateValidatorServiceImplTest {
@@ -21,7 +19,7 @@ public class DigitalCertificateValidatorServiceImplTest {
 @Before
 public void setUp() {
- digitalCertificateValidatorService = new DigitalCertificateValidatorServiceImpl();
+ digitalCertificateValidatorService = new DigitalCertificateValidatorServiceImpl(true,"/src/test/resources/CCAcertificate.pem");
 }
 @Test
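Review bot: `self-signed-validity: true` in the main application.yml turns on acceptance of self-signed certificates for the shipped configuration, which leaves the CCA trust anchor added in this commit inactive unless an operator overrides the property; the `@Value` default in ApplicationConfiguration is `false`, so the two defaults now disagree. Keep the production default at `false` and set `true` only in the test profile (src/test/resources/application.yml already does that in this commit), and add a comment next to the key, `# accept self-signed manufacturer certificates instead of validating against the CCA root`, so the effect of the flag is explicit to whoever edits the file.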
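Review bot: The test now constructs the service with `true` and the path `/src/test/resources/CCAcertificate.pem`, which is an absolute path from the filesystem root and will not exist on a developer machine or in CI; it only passes because `true` disables loading the file, so the new CCA-anchor branch is never exercised by the suite. Add a case that builds the service with `false` and a path that resolves at runtime, for example `new DigitalCertificateValidatorServiceImpl(false, "src/test/resources/CCAcertificate.pem")` relative to the working directory or a location obtained from the class loader, and assert that a chain not rooted at the CCA certificate is rejected. The test class continues outside the hunk.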
diff --git a/src/test/resources/CCAcertificate.pem b/src/test/resources/CCAcertificate.pem
new file mode 100644
index 0000000..2c89b7e
Binary files /dev/null and b/src/test/resources/CCAcertificate.pem differ
diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
index dcebac4..9c0f7d0 100644
--- a/src/test/resources/application.yml
+++ b/src/test/resources/application.yml
@@ -38,3 +38,5 @@ flyway:
 user: digitalsky
 password: digitalsky
 locations: classpath:/db/migration
+
+self-signed-validity: true