Skip to content

Commit

Permalink
Add Connector for ValidationRules, ValueSets and CountryList
Browse files Browse the repository at this point in the history
  • Loading branch information
f11h authored Jun 23, 2021
2 parents 842924f + c1ef7ed commit cdd10ea
Show file tree
Hide file tree
Showing 16 changed files with 1,754 additions and 77 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -20,26 +20,73 @@

package eu.europa.ec.dgc.gateway.connector;

import eu.europa.ec.dgc.gateway.connector.client.DgcGatewayConnectorRestClient;
import eu.europa.ec.dgc.gateway.connector.config.DgcGatewayConnectorConfigProperties;
import eu.europa.ec.dgc.gateway.connector.dto.CertificateTypeDto;
import eu.europa.ec.dgc.gateway.connector.dto.TrustListItemDto;
import eu.europa.ec.dgc.signing.SignedCertificateMessageParser;
import eu.europa.ec.dgc.utils.CertificateUtils;
import feign.FeignException;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.annotation.PostConstruct;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.bouncycastle.cert.CertException;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.RuntimeOperatorException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Service;

@Service
@Slf4j
@ConditionalOnProperty("dgc.gateway.connector.enabled")
@RequiredArgsConstructor
class DgcGatewayConnectorUtils {

private final CertificateUtils certificateUtils;

private final DgcGatewayConnectorRestClient dgcGatewayConnectorRestClient;

private final DgcGatewayConnectorConfigProperties properties;

@Qualifier("trustAnchor")
private final KeyStore trustAnchorKeyStore;

private X509CertificateHolder trustAnchor;


@PostConstruct
void init() throws KeyStoreException, CertificateEncodingException, IOException {
Security.addProvider(new BouncyCastleProvider());

String trustAnchorAlias = properties.getTrustAnchor().getAlias();
X509Certificate trustAnchorCert = (X509Certificate) trustAnchorKeyStore.getCertificate(trustAnchorAlias);

if (trustAnchorCert == null) {
log.error("Could not find TrustAnchor Certificate in Keystore");
throw new KeyStoreException("Could not find TrustAnchor Certificate in Keystore");
}
trustAnchor = certificateUtils.convertCertificate(trustAnchorCert);
}

public boolean trustListItemSignedByCa(TrustListItemDto certificate, X509CertificateHolder ca) {
ContentVerifierProvider verifier;
try {
Expand Down Expand Up @@ -95,4 +142,39 @@ X509CertificateHolder getCertificateFromTrustListItem(TrustListItemDto trustList
return null;
}
}

public List<X509CertificateHolder> fetchCertificatesAndVerifyByTrustAnchor(CertificateTypeDto type) {
ResponseEntity<List<TrustListItemDto>> downloadedCertificates;
try {
downloadedCertificates = dgcGatewayConnectorRestClient.getTrustedCertificates(type);
} catch (FeignException e) {
log.error("Failed to Download certificates from DGC Gateway. Type: {}, status code: {}", type, e.status());
return Collections.emptyList();
}

if (downloadedCertificates.getStatusCode() != HttpStatus.OK || downloadedCertificates.getBody() == null) {
log.error("Failed to Download certificates from DGC Gateway, Type: {}, Status Code: {}",
type, downloadedCertificates.getStatusCodeValue());
return Collections.emptyList();
}

return downloadedCertificates.getBody().stream()
.filter(this::checkThumbprintIntegrity)
.filter(c -> this.checkTrustAnchorSignature(c, trustAnchor))
.map(this::getCertificateFromTrustListItem)
.filter(Objects::nonNull)
.collect(Collectors.toList());
}

private boolean checkThumbprintIntegrity(TrustListItemDto trustListItem) {
byte[] certificateRawData = Base64.getDecoder().decode(trustListItem.getRawData());
try {
return trustListItem.getThumbprint().equals(
certificateUtils.getCertThumbprint(new X509CertificateHolder(certificateRawData)));

} catch (IOException e) {
log.error("Could not parse certificate raw data");
return false;
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
/*-
* ---license-start
* EU Digital Green Certificate Gateway Service / dgc-lib
* ---
* Copyright (C) 2021 T-Systems International GmbH and all other contributors
* ---
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* ---license-end
*/

package eu.europa.ec.dgc.gateway.connector;

import eu.europa.ec.dgc.gateway.connector.client.DgcGatewayConnectorRestClient;
import eu.europa.ec.dgc.gateway.connector.config.DgcGatewayConnectorConfigProperties;
import feign.FeignException;
import java.security.Security;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.annotation.PostConstruct;
import lombok.Getter;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.springframework.beans.factory.config.ConfigurableBeanFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Lazy;
import org.springframework.context.annotation.Scope;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.stereotype.Service;

@ConditionalOnProperty("dgc.gateway.connector.enabled")
@Lazy
@Service
@Scope(ConfigurableBeanFactory.SCOPE_SINGLETON)
@RequiredArgsConstructor
@EnableScheduling
@Slf4j
public class DgcGatewayCountryListDownloadConnector {

private final DgcGatewayConnectorRestClient dgcGatewayConnectorRestClient;

private final DgcGatewayConnectorConfigProperties properties;

@Getter
private LocalDateTime lastUpdated = null;

private List<String> countryList = new ArrayList<>();

@PostConstruct
void init() {
Security.addProvider(new BouncyCastleProvider());
}

/**
* Gets the list of downloaded Country Codes.
* This call will return a cached list if caching is enabled.
* If cache is outdated a refreshed list will be returned.
*
* @return List of {@link String}
*/
public List<String> getCountryList() {
updateIfRequired();
return Collections.unmodifiableList(countryList);
}

private synchronized void updateIfRequired() {
if (lastUpdated == null
|| ChronoUnit.SECONDS.between(lastUpdated, LocalDateTime.now()) >= properties.getMaxCacheAge()) {
log.info("Maximum age of cache reached. Fetching new CountryList from DGCG.");

countryList = new ArrayList<>();
fetchCountryList();
log.info("CountryList contains {} country codes.", countryList.size());
} else {
log.debug("Cache needs no refresh.");
}
}

private void fetchCountryList() {
log.info("Fetching CountryList from DGCG");

ResponseEntity<List<String>> responseEntity;
try {
responseEntity = dgcGatewayConnectorRestClient.downloadCountryList();
} catch (FeignException e) {
log.error("Download of CountryList failed. DGCG responded with status code: {}",
e.status());
return;
}

List<String> downloadedCountries = responseEntity.getBody();

if (responseEntity.getStatusCode() != HttpStatus.OK || downloadedCountries == null) {
log.error("Download of CountryList failed. DGCG responded with status code: {}",
responseEntity.getStatusCode());
return;
} else {
log.info("Got Response from DGCG, Downloaded Countries: {}", downloadedCountries.size());
}

countryList = downloadedCountries;

lastUpdated = LocalDateTime.now();
log.info("Put {} country codes CountryList", countryList.size());
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -27,29 +27,20 @@
import eu.europa.ec.dgc.gateway.connector.mapper.TrustListMapper;
import eu.europa.ec.dgc.gateway.connector.model.TrustListItem;
import eu.europa.ec.dgc.signing.SignedCertificateMessageParser;
import eu.europa.ec.dgc.utils.CertificateUtils;
import feign.FeignException;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.annotation.PostConstruct;
import lombok.Getter;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.config.ConfigurableBeanFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Lazy;
Expand All @@ -70,19 +61,12 @@ public class DgcGatewayDownloadConnector {

private final DgcGatewayConnectorUtils connectorUtils;

private final CertificateUtils certificateUtils;

private final DgcGatewayConnectorRestClient dgcGatewayConnectorRestClient;

private final DgcGatewayConnectorConfigProperties properties;

private final TrustListMapper trustListMapper;

@Qualifier("trustAnchor")
private final KeyStore trustAnchorKeyStore;

private X509CertificateHolder trustAnchor;

@Getter
private LocalDateTime lastUpdated = null;

Expand All @@ -92,17 +76,8 @@ public class DgcGatewayDownloadConnector {
private List<X509CertificateHolder> trustedUploadCertificates = new ArrayList<>();

@PostConstruct
void init() throws KeyStoreException, CertificateEncodingException, IOException {
void init() {
Security.addProvider(new BouncyCastleProvider());

String trustAnchorAlias = properties.getTrustAnchor().getAlias();
X509Certificate trustAnchorCert = (X509Certificate) trustAnchorKeyStore.getCertificate(trustAnchorAlias);

if (trustAnchorCert == null) {
log.error("Could not find TrustAnchor Certificate in Keystore");
throw new KeyStoreException("Could not find TrustAnchor Certificate in Keystore");
}
trustAnchor = certificateUtils.convertCertificate(trustAnchorCert);
}

/**
Expand All @@ -122,10 +97,11 @@ private synchronized void updateIfRequired() {
|| ChronoUnit.SECONDS.between(lastUpdated, LocalDateTime.now()) >= properties.getMaxCacheAge()) {
log.info("Maximum age of cache reached. Fetching new TrustList from DGCG.");

trustedCscaCertificates = fetchCertificatesAndVerifyByTrustAnchor(CertificateTypeDto.CSCA);
trustedCscaCertificates = connectorUtils.fetchCertificatesAndVerifyByTrustAnchor(CertificateTypeDto.CSCA);
log.info("CSCA TrustStore contains {} trusted certificates.", trustedCscaCertificates.size());

trustedUploadCertificates = fetchCertificatesAndVerifyByTrustAnchor(CertificateTypeDto.UPLOAD);
trustedUploadCertificates =
connectorUtils.fetchCertificatesAndVerifyByTrustAnchor(CertificateTypeDto.UPLOAD);
log.info("Upload TrustStore contains {} trusted certificates.", trustedUploadCertificates.size());

fetchTrustListAndVerifyByCscaAndUpload();
Expand All @@ -135,29 +111,6 @@ private synchronized void updateIfRequired() {
}
}

private List<X509CertificateHolder> fetchCertificatesAndVerifyByTrustAnchor(CertificateTypeDto type) {
ResponseEntity<List<TrustListItemDto>> downloadedCertificates;
try {
downloadedCertificates = dgcGatewayConnectorRestClient.getTrustedCertificates(type);
} catch (FeignException e) {
log.error("Failed to Download certificates from DGC Gateway. Type: {}, status code: {}", type, e.status());
return Collections.emptyList();
}

if (downloadedCertificates.getStatusCode() != HttpStatus.OK || downloadedCertificates.getBody() == null) {
log.error("Failed to Download certificates from DGC Gateway, Type: {}, Status Code: {}",
type, downloadedCertificates.getStatusCodeValue());
return Collections.emptyList();
}

return downloadedCertificates.getBody().stream()
.filter(this::checkThumbprintIntegrity)
.filter(c -> connectorUtils.checkTrustAnchorSignature(c, trustAnchor))
.map(connectorUtils::getCertificateFromTrustListItem)
.filter(Objects::nonNull)
.collect(Collectors.toList());
}

private void fetchTrustListAndVerifyByCscaAndUpload() {
log.info("Fetching TrustList from DGCG");

Expand Down Expand Up @@ -190,18 +143,6 @@ private void fetchTrustListAndVerifyByCscaAndUpload() {
log.info("Put {} trusted certificates into TrustList", trustedCertificates.size());
}

private boolean checkThumbprintIntegrity(TrustListItemDto trustListItem) {
byte[] certificateRawData = Base64.getDecoder().decode(trustListItem.getRawData());
try {
return trustListItem.getThumbprint().equals(
certificateUtils.getCertThumbprint(new X509CertificateHolder(certificateRawData)));

} catch (IOException e) {
log.error("Could not parse certificate raw data");
return false;
}
}

private boolean checkCscaCertificate(TrustListItemDto trustListItem) {
boolean result = trustedCscaCertificates
.stream()
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ public void uploadTrustedCertificate(X509Certificate certificate) throws DgcCert
public void uploadTrustedCertificate(X509CertificateHolder certificate) throws DgcCertificateUploadException {

String payload = new SignedCertificateMessageBuilder()
.withPayloadCertificate(certificate)
.withPayload(certificate)
.withSigningCertificate(uploadCertificateHolder, uploadCertificatePrivateKey)
.buildAsString();

Expand Down Expand Up @@ -169,7 +169,7 @@ public void deleteTrustedCertificate(X509Certificate certificate) throws DgcCert
public void deleteTrustedCertificate(X509CertificateHolder certificate) throws DgcCertificateUploadException {

String payload = new SignedCertificateMessageBuilder()
.withPayloadCertificate(certificate)
.withPayload(certificate)
.withSigningCertificate(uploadCertificateHolder, uploadCertificatePrivateKey)
.buildAsString();

Expand Down
Loading

0 comments on commit cdd10ea

Please sign in to comment.