From 84fdc1802aeac0c2adad1ca0574edac74766b381 Mon Sep 17 00:00:00 2001
From: CharanSahaj
Date: Wed, 3 Jul 2019 14:38:02 +0530
Subject: [PATCH] Moving away from self signed for production and also adding the cca cert to check against
---
 .../ApplicationConfiguration.java | 8 ++++++-
 ...igitalCertificateValidatorServiceImpl.java | 22 ++++++++++++------
 src/main/resources/CCAcertificate.pem | Bin 0 -> 815 bytes
 src/main/resources/application.yml | 2 ++
 ...alCertificateValidatorServiceImplTest.java | 4 +---
 src/test/resources/CCAcertificate.pem | Bin 0 -> 815 bytes
 src/test/resources/application.yml | 2 ++
 7 files changed, 27 insertions(+), 11 deletions(-)
 create mode 100644 src/main/resources/CCAcertificate.pem
 create mode 100644 src/test/resources/CCAcertificate.pem
diff --git a/src/main/java/com/ispirit/digitalsky/configuration/ApplicationConfiguration.java b/src/main/java/com/ispirit/digitalsky/configuration/ApplicationConfiguration.java
index f05d585..ebd6d16 100644
--- a/src/main/java/com/ispirit/digitalsky/configuration/ApplicationConfiguration.java
+++ b/src/main/java/com/ispirit/digitalsky/configuration/ApplicationConfiguration.java
@@ -96,6 +96,12 @@ public class ApplicationConfiguration {
 @Value("${MANUFACTURER_DIGITAL_CERT_VALIDATION_ENABLED:true}")
 private boolean manufacturerDigitalCertValidationEnabled;
+ @Value("${self-signed-validity:false}")
+ private String selfSignedValidity;
+
+ @Value("${CCA_CERT_PATH:classpath:CCAcertificate.pem}")
+ private String ccaCertificatePath;
+
 private List firs = new ArrayList<>();
 @Bean
@@ -257,7 +263,7 @@ DigitalSignatureVerifierService signatureVerifierService(ManufacturerService man
 @Bean
 DigitalCertificateValidatorService digitalCertificateValidatorService() {
- return new DigitalCertificateValidatorServiceImpl();
+ return new DigitalCertificateValidatorServiceImpl(Boolean.valueOf(selfSignedValidity),ccaCertificatePath);
 }
 @Bean
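Review bot: `selfSignedValidity` is bound as a `String` and converted with `Boolean.valueOf` inside the `digitalCertificateValidatorService()` bean, so any value other than the exact text `true` (a typo such as `yes`) silently becomes `false`; binding it as `private boolean selfSignedValidity;` lets Spring reject an unparseable value at startup and drops the conversion: `return new DigitalCertificateValidatorServiceImpl(selfSignedValidity, ccaCertificatePath);`. The default `classpath:CCAcertificate.pem` for `CCA_CERT_PATH` is only meaningful to a Spring resource loader, while the hunk in DigitalCertificateValidatorServiceImpl opens the value with `FileInputStream`, which will fail on the prefix unless it is stripped somewhere outside this diff; either resolve the resource here and hand the service a path that exists on disk, or change the default to a filesystem path. The new property names also mix styles (`self-signed-validity` next to `CCA_CERT_PATH` and `MANUFACTURER_DIGITAL_CERT_VALIDATION_ENABLED`), which makes the environment override harder to guess.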
diff --git a/src/main/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImpl.java b/src/main/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImpl.java
index 050fb46..f85ee34 100644
--- a/src/main/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImpl.java
+++ b/src/main/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImpl.java
@@ -6,7 +6,6 @@ import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.X509TrustedCertificateBlock;
 import java.io.*;
 import java.security.*;
@@ -18,8 +17,12 @@ public class DigitalCertificateValidatorServiceImpl implements DigitalCertificateValidatorService {
- public DigitalCertificateValidatorServiceImpl() {
+ private boolean selfSignedValidity;
+ private String ccaCertificatePath;
+ public DigitalCertificateValidatorServiceImpl(boolean selfSignedValidity, String ccaCertificatePath) {
+ this.selfSignedValidity=selfSignedValidity;
+ this.ccaCertificatePath = ccaCertificatePath;
 }
 @Override
@@ -49,6 +52,13 @@ public boolean isValidCertificate(X509Certificate clientCertificate, String manu
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
 CertPathValidator validator = CertPathValidator.getInstance("PKIX", "BC");
 Set anchors = new HashSet<>();
+ if (!selfSignedValidity){
+ inputstream = new FileInputStream(ccaCertificatePath);
+ certificateChainString = IOUtils.toString(inputstream, "UTF-8");
+ PEMParser rootCaReader = new PEMParser(new StringReader(certificateChainString));
+ X509CertificateHolder rootCertHolder = (X509CertificateHolder) rootCaReader.readObject();
+ anchors.add(new TrustAnchor(new JcaX509CertificateConverter().setProvider( "BC" ).getCertificate( rootCertHolder ),null));
+ }
 for (X509Certificate certif : certs) {
 anchors.add(new TrustAnchor(certif, null));
 }
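Review bot: The two fields introduced in the constructor hunk are assigned only in the constructor, so they should be declared `private final boolean selfSignedValidity;` and `private final String ccaCertificatePath;` to make the trust configuration immutable for the lifetime of the service. The constructor could also reject a missing `ccaCertificatePath` when `selfSignedValidity` is false, so that a misconfigured deployment fails at startup rather than on the first certificate check inside `isValidCertificate`. The class body continues outside this hunk.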
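Review bot: The CCA certificate loading added after `Set anchors = new HashSet<>();` opens a `FileInputStream` and a `PEMParser` on every validation and closes neither, and `(X509CertificateHolder) rootCaReader.readObject()` surfaces a file that is not a single PEM certificate as a `ClassCastException` or `NullPointerException` rather than a clear configuration error. It also reassigns `inputstream` and `certificateChainString`, which are declared outside the hunk, so whatever stream was open before that point may be left unclosed. More importantly for the trust model, the loop that follows still adds every element of `certs` as a `TrustAnchor`; if `certs` is built from the chain submitted with the request (its origin is outside the hunk), those anchors make the CCA root irrelevant to `CertPathValidator`, so when `selfSignedValidity` is false the anchors set should contain only the CCA certificate. Loading the anchor once in the constructor would additionally make a bad path fail at startup instead of on the first request. The rewrite below keeps the in-method placement but scopes the resources and checks the parsed type; `isValidCertificate` begins and ends outside this hunk.
```java
Set anchors = new HashSet<>();
if (!selfSignedValidity) {
    try (InputStream rootCaStream = new FileInputStream(ccaCertificatePath);
         PEMParser rootCaReader = new PEMParser(new StringReader(IOUtils.toString(rootCaStream, "UTF-8")))) {
        Object pemObject = rootCaReader.readObject();
        if (!(pemObject instanceof X509CertificateHolder)) {
            throw new IllegalStateException("CCA trust anchor is not an X.509 certificate: " + ccaCertificatePath);
        }
        X509Certificate rootCert = new JcaX509CertificateConverter().setProvider("BC")
                .getCertificate((X509CertificateHolder) pemObject);
        anchors.add(new TrustAnchor(rootCert, null));
    }
}
// … unchanged: per-certificate TrustAnchor loop over certs …
```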
@@ -62,10 +72,10 @@ public boolean isValidCertificate(X509Certificate clientCertificate, String manu
 throw new InvalidDigitalCertificateException();
 }
 try {
- if (isSelfSigned(trustedCertificate)) {
+ if (isSelfSigned(trustedCertificate) && selfSignedValidity) {
 found = true;
 } else if (!clientCertificate.equals(trustedCertificate)) {
- clientCertificate = trustedCertificate;
+ clientCertificate = trustedCertificate; //todo: figure out why this line exists
 }
 } catch (NoSuchProviderException e) {
 throw new InvalidDigitalCertificateException();
@@ -98,9 +108,7 @@ private boolean isDNMatching(String issuerDNName, String subjectDNName, String a
 return match;
 }
- private boolean isSelfSigned(X509Certificate cert)
- throws CertificateException, NoSuchAlgorithmException,
- NoSuchProviderException {
+ private boolean isSelfSigned(X509Certificate cert) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
 try {
 PublicKey key = cert.getPublicKey();
 cert.verify(key);
diff --git a/src/main/resources/CCAcertificate.pem b/src/main/resources/CCAcertificate.pem
new file mode 100644
index 0000000000000000000000000000000000000000..2c89b7e2b0667d28252f33b0f9ac3caf1b0bfed9
GIT binary patch
literal 815
zcmXqLV%9cjViI1!%*4pV#H7B}fR~L^tIebBJ1-+6H!FjIogudYCmVAp3!5;Lr=Ova zfdGiZCCurWmy(&N5a8`;C~Y7K5@Qw?a&~r9fQTCz7@8^s2lyDsiSrto8W#eX z3cs(`vpTvmal)pG_>cgb%~7Gr+fEBC&i~E(W!w8_9QPIp>@S;M|LW$ni&qX8GZk)G zxna#3d2xlM?rzsym@H=QJ1tW2?^*nj`n&lrSGkK!5WFGVa6t4*&w`ncCHc7c&q#61 zxf0CI@Ic;ke^Zms`Pnz}E?*I35X#}NO-T3Z3Ap`9|H016_U6Mehb)3kB6NoGsW9J(*{G=s6xZ}ZG6 z?xI3-%U&*ACM>(*f9>w@$L}L&pRf+dJeF*=X2HRy6JDff#&|epny<0mefM$bvFnp~ zr#5fU2tTxV<+SCe?)k{g`fs;XPd)B-TDp4c`_)}B#Wfvg-P1nIZ9db||48$Tykq|M zuZp~1r-TJQ{_|frV*7mNcbfArF>XkjH)XG6Ta@#!tj@*_uVN(HPc=;a{g!dRpw#`T zBJ1=Xtv@?)!miEghw}w)+~nJ`v?Ql-d%WbCf9iglU1vl{%n3g-sYvMj@+Qlx4+W-k PwHdg!Ca=i$o%II*P%SZ< literal 0 HcmV?d00001
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 6574840..e309457 100644
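Review bot: The `&& selfSignedValidity` guard leaves the only visible assignment of `found = true` unreachable when self-signed acceptance is off, so unless another branch outside this hunk sets `found` once the chain reaches the CCA anchor, turning the flag off would reject every certificate rather than switch to anchored validation; a test that constructs the service with `false` would settle this. Committing `//todo: figure out why this line exists` on the `clientCertificate = trustedCertificate;` reassignment is not an adequate comment for a trust decision — either state the intent (it appears to step one certificate up the chain for the next iteration) or remove the line if the walk is no longer needed. The body of `isValidCertificate` starts and ends outside this hunk.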
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -40,3 +40,5 @@ flyway:
 server:
 port: 9000
+
+self-signed-validity: true
diff --git a/src/test/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImplTest.java b/src/test/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImplTest.java
index f816ccb..d24107b 100644
--- a/src/test/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImplTest.java
+++ b/src/test/java/com/ispirit/digitalsky/service/DigitalCertificateValidatorServiceImplTest.java
@@ -10,8 +10,6 @@ import static junit.framework.TestCase.assertTrue;
 import static junit.framework.TestCase.fail;
-import static org.hamcrest.Matchers.is;
-import static org.mockito.Mockito.mock;
 public class DigitalCertificateValidatorServiceImplTest {
@@ -21,7 +19,7 @@ public class DigitalCertificateValidatorServiceImplTest {
 @Before
 public void setUp() {
- digitalCertificateValidatorService = new DigitalCertificateValidatorServiceImpl();
+ digitalCertificateValidatorService = new DigitalCertificateValidatorServiceImpl(true,"/src/test/resources/CCAcertificate.pem");
 }
 @Test
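Review bot: `self-signed-validity: true` in `src/main/resources/application.yml` turns self-signed acceptance back on for the packaged deployment, overriding the `false` default that the configuration class establishes and contradicting the commit's stated move away from self-signed certificates for production. A safer layout is to leave the production configuration at `false` (or omit the key so the default applies) and set `true` only in a development profile or the test resources. If this is meant as a temporary transition, a comment beside the key saying so, and when it is to be removed, would keep it from surviving by accident.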
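Review bot: `setUp` constructs the service with `true`, so the new trust-anchor branch guarded by `!selfSignedValidity` has no coverage, and the path `"/src/test/resources/CCAcertificate.pem"` is absolute (it resolves against the filesystem root, not the project), which a test running with `false` would expose immediately. Add a second fixture built with `false` and a path that resolves during the test run — for example `"src/test/resources/CCAcertificate.pem"` relative to the working directory, or the file located through the class loader — and assert that a chain ending at the CCA root validates while an unrelated self-signed certificate is rejected. The test class continues outside this hunk.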
diff --git a/src/test/resources/CCAcertificate.pem b/src/test/resources/CCAcertificate.pem
new file mode 100644
index 0000000000000000000000000000000000000000..2c89b7e2b0667d28252f33b0f9ac3caf1b0bfed9
GIT binary patch
literal 815
zcmXqLV%9cjViI1!%*4pV#H7B}fR~L^tIebBJ1-+6H!FjIogudYCmVAp3!5;Lr=Ova zfdGiZCCurWmy(&N5a8`;C~Y7K5@Qw?a&~r9fQTCz7@8^s2lyDsiSrto8W#eX z3cs(`vpTvmal)pG_>cgb%~7Gr+fEBC&i~E(W!w8_9QPIp>@S;M|LW$ni&qX8GZk)G zxna#3d2xlM?rzsym@H=QJ1tW2?^*nj`n&lrSGkK!5WFGVa6t4*&w`ncCHc7c&q#61 zxf0CI@Ic;ke^Zms`Pnz}E?*I35X#}NO-T3Z3Ap`9|H016_U6Mehb)3kB6NoGsW9J(*{G=s6xZ}ZG6 z?xI3-%U&*ACM>(*f9>w@$L}L&pRf+dJeF*=X2HRy6JDff#&|epny<0mefM$bvFnp~ zr#5fU2tTxV<+SCe?)k{g`fs;XPd)B-TDp4c`_)}B#Wfvg-P1nIZ9db||48$Tykq|M zuZp~1r-TJQ{_|frV*7mNcbfArF>XkjH)XG6Ta@#!tj@*_uVN(HPc=;a{g!dRpw#`T zBJ1=Xtv@?)!miEghw}w)+~nJ`v?Ql-d%WbCf9iglU1vl{%n3g-sYvMj@+Qlx4+W-k PwHdg!Ca=i$o%II*P%SZ< literal 0 HcmV?d00001
diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
index dcebac4..9c0f7d0 100644
--- a/src/test/resources/application.yml
+++ b/src/test/resources/application.yml
@@ -38,3 +38,5 @@ flyway:
 user: digitalsky
 password: digitalsky
 locations: classpath:/db/migration
+
+self-signed-validity: true