diff --git a/client/src/main/java/dev/fitko/fitconnect/client/factory/ClientFactory.java b/client/src/main/java/dev/fitko/fitconnect/client/factory/ClientFactory.java
index 8877ce9bda3cc0e051e82f1432be5f8eafa7df36..844828a79813f4cd8da7e562f9ad7d3ce482ff71 100644
--- a/client/src/main/java/dev/fitko/fitconnect/client/factory/ClientFactory.java
+++ b/client/src/main/java/dev/fitko/fitconnect/client/factory/ClientFactory.java
@@ -13,10 +13,10 @@ import dev.fitko.fitconnect.api.services.Subscriber;
import dev.fitko.fitconnect.api.services.auth.OAuthService;
import dev.fitko.fitconnect.api.services.crypto.CryptoService;
import dev.fitko.fitconnect.api.services.crypto.MessageDigestService;
-import dev.fitko.fitconnect.api.services.keys.KeyService;
import dev.fitko.fitconnect.api.services.events.EventLogService;
import dev.fitko.fitconnect.api.services.events.EventLogVerificationService;
import dev.fitko.fitconnect.api.services.events.SecurityEventService;
+import dev.fitko.fitconnect.api.services.keys.KeyService;
import dev.fitko.fitconnect.api.services.schema.SchemaProvider;
import dev.fitko.fitconnect.api.services.submission.SubmissionService;
import dev.fitko.fitconnect.api.services.validation.ValidationService;
@@ -27,11 +27,11 @@ import dev.fitko.fitconnect.core.SubmissionSubscriber;
import dev.fitko.fitconnect.core.auth.DefaultOAuthService;
import dev.fitko.fitconnect.core.crypto.HashService;
import dev.fitko.fitconnect.core.crypto.JWECryptoService;
-import dev.fitko.fitconnect.core.keys.PublicKeyService;
import dev.fitko.fitconnect.core.events.EventLogApiService;
import dev.fitko.fitconnect.core.events.EventLogVerifier;
import dev.fitko.fitconnect.core.events.SecurityEventTokenService;
import dev.fitko.fitconnect.core.http.ProxyConfig;
+import dev.fitko.fitconnect.core.keys.PublicKeyService;
import dev.fitko.fitconnect.core.schema.SchemaResourceProvider;
import dev.fitko.fitconnect.core.submission.SubmissionApiService;
import dev.fitko.fitconnect.core.validation.DefaultValidationService;
@@ -55,6 +55,7 @@ public final class ClientFactory {
private static final String CONFIG_ENV_KEY_NAME = "FIT_CONNECT_CONFIG";
private static final String SET_SCHEMA_DIR = "/set-schema";
private static final String METADATA_SCHEMA_DIR = "/metadata-schema";
+ private static final String PATH_TO_TRUSTED_ROOT_CERTIFICATES = "trusted-test-root-certificates";
private ClientFactory() {
}
@@ -161,7 +162,7 @@ public final class ClientFactory {
}
private static ValidationService getValidationService(final ApplicationConfig config, final SchemaProvider schemaProvider, final MessageDigestService messageDigestService) {
- return new DefaultValidationService(config, messageDigestService, schemaProvider);
+ return new DefaultValidationService(config, messageDigestService, schemaProvider, PATH_TO_TRUSTED_ROOT_CERTIFICATES);
}
private static CryptoService getCryptoService(final MessageDigestService messageDigestService) {
diff --git a/core/src/main/java/dev/fitko/fitconnect/core/validation/DefaultValidationService.java b/core/src/main/java/dev/fitko/fitconnect/core/validation/DefaultValidationService.java
index 1f5e8171c977b6872ee8ab8839e0e54c9ff269f6..abda720f889c757d3f04f06ee70d0249aa15f780 100644
--- a/core/src/main/java/dev/fitko/fitconnect/core/validation/DefaultValidationService.java
+++ b/core/src/main/java/dev/fitko/fitconnect/core/validation/DefaultValidationService.java
@@ -59,16 +59,18 @@ public class DefaultValidationService implements ValidationService {
private static final ObjectMapper MAPPER = new ObjectMapper().setDateFormat(new SimpleDateFormat("yyyy-MM-dd"));
private static final JsonSchemaFactory SCHEMA_FACTORY = JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V202012);
private static final String VALID_SCHEMA_URL_EXPRESSION = "https://schema\\.fitko\\.de/fit-connect/metadata/1\\.\\d+\\.\\d+/metadata.schema.json";
- private static final String TRUSTED_ROOT_CERTIFICATE_FOLDER = "trusted-root-certificates";
private final MessageDigestService messageDigestService;
private final SchemaProvider schemaProvider;
private final ApplicationConfig config;
+ private final String pathToTrustedRootCertificates;
- public DefaultValidationService(final ApplicationConfig config, final MessageDigestService messageDigestService, final SchemaProvider schemaProvider) {
+ public DefaultValidationService(final ApplicationConfig config, final MessageDigestService messageDigestService,
+ final SchemaProvider schemaProvider, final String pathToTrustedRootCertificates) {
this.config = config;
this.messageDigestService = messageDigestService;
this.schemaProvider = schemaProvider;
+ this.pathToTrustedRootCertificates = pathToTrustedRootCertificates;
}
@Override
@@ -179,7 +181,7 @@ public class DefaultValidationService implements ValidationService {
return returnValidationResult(SCHEMA_FACTORY.getSchema(schema).validate(inputNode));
}
- private void validateKey(final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException, CertificateEncodingException {
+ private void validateKey(final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException {
if (config.getCurrentEnvironment().isAllowInsecurePublicKey()) {
validateWithoutCertChain(publicKey, purpose);
} else {
@@ -195,7 +197,7 @@ public class DefaultValidationService implements ValidationService {
}
private JWKValidator addLogLevel(final JWKValidatorBuilder.JWKValidatorX5CErrorHandling validator) {
- if (validateSilent()) {
+ if (config.getCurrentEnvironment().isAllowInsecurePublicKey()) {
return validator.withoutThrowingExceptions().withErrorLogLevel(LogLevel.WARN).build();
} else {
return validator.withThrowingExceptions().withErrorLogLevel(LogLevel.ERROR).build();
@@ -204,7 +206,8 @@ public class DefaultValidationService implements ValidationService {
private void validateWithoutCertChain(final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException {
LOGGER.info("Validating public key without XC5 certificate chain");
- withoutX5CValidation().withErrorLogLevel(validateSilent() ? LogLevel.WARN : LogLevel.ERROR).build().validate(publicKey, purpose);
+ withoutX5CValidation().withErrorLogLevel(config.getCurrentEnvironment().isAllowInsecurePublicKey() ?
+ LogLevel.WARN : LogLevel.ERROR).build().validate(publicKey, purpose);
}
void validateCertChain(final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException {
@@ -220,7 +223,7 @@ public class DefaultValidationService implements ValidationService {
private List<String> loadTrustedRootCertificates() {
- List<X509Certificate> trustedRootCertificates = FileUtil.loadContentOfFilesInDirectory(TRUSTED_ROOT_CERTIFICATE_FOLDER)
+ List<X509Certificate> trustedRootCertificates = FileUtil.loadContentOfFilesInDirectory(this.pathToTrustedRootCertificates)
.stream().map(FileUtil::convertToX509Certificate).collect(Collectors.toList());
List<String> encodedCertificates = trustedRootCertificates.stream().map(cert -> {
try {
@@ -254,10 +257,6 @@ public class DefaultValidationService implements ValidationService {
.validate(publicKey);
}
- private boolean validateSilent() {
- return config.getCurrentEnvironment().isAllowInsecurePublicKey();
- }
-
private String errorsToSingleString(final Set<ValidationMessage> errors) {
return errors.stream()
.map(ValidationMessage::getMessage)
diff --git a/core/src/test/java/dev/fitko/fitconnect/core/events/SecurityEventTokenServiceTest.java b/core/src/test/java/dev/fitko/fitconnect/core/events/SecurityEventTokenServiceTest.java
index 2500d1e32979e5bfd1c52bbad446e22ce29d3805..50c2f34263b1564fd094fdc2d94be75a9549ba67 100644
--- a/core/src/test/java/dev/fitko/fitconnect/core/events/SecurityEventTokenServiceTest.java
+++ b/core/src/test/java/dev/fitko/fitconnect/core/events/SecurityEventTokenServiceTest.java
@@ -11,8 +11,8 @@ import dev.fitko.fitconnect.api.config.ApplicationConfig;
import dev.fitko.fitconnect.api.config.Environment;
import dev.fitko.fitconnect.api.config.EnvironmentName;
import dev.fitko.fitconnect.api.config.SchemaConfig;
-import dev.fitko.fitconnect.api.domain.model.event.EventPayload;
import dev.fitko.fitconnect.api.domain.model.event.Event;
+import dev.fitko.fitconnect.api.domain.model.event.EventPayload;
import dev.fitko.fitconnect.api.domain.model.event.problems.submission.AttachmentsMismatch;
import dev.fitko.fitconnect.api.domain.model.submission.Submission;
import dev.fitko.fitconnect.api.exceptions.EventCreationException;
@@ -59,7 +59,7 @@ class SecurityEventTokenServiceTest {
final List<String> setSchemas = SchemaConfig.getSetSchemaFilePaths("/set-schema");
final List<String> metadataSchemas = SchemaConfig.getMetadataSchemaFileNames("/metadata-schema");
final SchemaProvider schemaProvider = new SchemaResourceProvider(setSchemas, metadataSchemas);
- this.validationService = new DefaultValidationService(config, new HashService(), schemaProvider);
+ this.validationService = new DefaultValidationService(config, new HashService(), schemaProvider, "trusted-test-root-certificates");
this.underTest = new SecurityEventTokenService(config, this.validationService, this.signingKey);
}
diff --git a/core/src/test/java/dev/fitko/fitconnect/core/validation/DefaultValidationServiceTest.java b/core/src/test/java/dev/fitko/fitconnect/core/validation/DefaultValidationServiceTest.java
index 0bbf98f418326eccdbeba3d5b644748e91faa050..066bcdf12d298d4fada5698ab8220aa3ba87a644 100644
--- a/core/src/test/java/dev/fitko/fitconnect/core/validation/DefaultValidationServiceTest.java
+++ b/core/src/test/java/dev/fitko/fitconnect/core/validation/DefaultValidationServiceTest.java
@@ -28,25 +28,20 @@ import dev.fitko.fitconnect.core.schema.SchemaResourceProvider;
import dev.fitko.fitconnect.core.testutil.LogCaptor;
import dev.fitko.fitconnect.core.util.FileUtil;
import dev.fitko.fitconnect.jwkvalidator.exceptions.JWKValidationException;
-import dev.fitko.fitconnect.jwkvalidator.exceptions.LogLevel;
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;
import java.io.IOException;
import java.net.URI;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.time.ZonedDateTime;
import java.util.*;
-import java.util.stream.Collectors;
-import static dev.fitko.fitconnect.jwkvalidator.JWKValidator.withX5CValidation;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.*;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.*;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.*;
@@ -64,7 +59,7 @@ class DefaultValidationServiceTest {
final List<String> setSchemas = SchemaConfig.getSetSchemaFilePaths("/set-schema");
final List<String> metadataSchemas = SchemaConfig.getMetadataSchemaFileNames("/metadata-schema");
schemaProvider = new SchemaResourceProvider(setSchemas, metadataSchemas);
- underTest = new DefaultValidationService(config, hashService, schemaProvider);
+ underTest = new DefaultValidationService(config, hashService, schemaProvider, "trusted-test-root-certificates");
}
@Test
@@ -117,7 +112,7 @@ class DefaultValidationServiceTest {
config.setEnvironments(Map.of(envName, env));
config.setActiveEnvironment(envName);
- final DefaultValidationService underTest = new DefaultValidationService(config, hashService, schemaProvider);
+ final DefaultValidationService underTest = new DefaultValidationService(config, hashService, schemaProvider, "trusted-test-root-certificates");
final RSAKey rsaKey = getRsaKeyWithCertChain();
@@ -133,7 +128,7 @@ class DefaultValidationServiceTest {
// Given
final ApplicationConfig config = getApplicationConfig(true);
- final var underTest = new DefaultValidationService(config, hashService, schemaProvider);
+ final var underTest = new DefaultValidationService(config, hashService, schemaProvider, "trusted-test-root-certificates");
final RSAKey rsaKey = new RSAKeyGenerator(4096)
.keyOperations(Set.of(KeyOperation.WRAP_KEY))
@@ -153,7 +148,7 @@ class DefaultValidationServiceTest {
// Given
final ApplicationConfig config = getApplicationConfig(false);
- final var underTest = new DefaultValidationService(config, hashService, schemaProvider);
+ final var underTest = new DefaultValidationService(config, hashService, schemaProvider, "trusted-test-root-certificates");
final RSAKey rsaKey = new RSAKeyGenerator(4096)
.keyOperations(Set.of(KeyOperation.ENCRYPT))
@@ -405,7 +400,7 @@ class DefaultValidationServiceTest {
when(mockedMessageDigestService.calculateHMAC(anyString(), anyString())).thenReturn("valid");
DefaultValidationService defaultValidationService = new DefaultValidationService(
- new ApplicationConfig(), mockedMessageDigestService, mock(SchemaProvider.class));
+ new ApplicationConfig(), mockedMessageDigestService, mock(SchemaProvider.class), "trusted-test-root-certificates");
ValidationResult validationResult = defaultValidationService.validateCallback(
"valid", ZonedDateTime.now().toInstant().toEpochMilli(), "body", "secret");
@@ -437,34 +432,54 @@ class DefaultValidationServiceTest {
}
@Test
- public void isTransmissionServiceCertificateIsValidAccordingToRootVpki() throws JOSEException, JWKValidationException, CertificateEncodingException, ParseException {
+ @Disabled("will be enabled in scope of https://git.fitko.de/fit-connect/planning/-/issues/901")
+ public void productiveTransmissionServiceCertificateIsValidAccordingToRootCertificates() throws JWKValidationException, ParseException {
- RSAKey rsaKey = RSAKey.parse(FileUtil.loadContentOfFile("certificates/cert-grp-fit-connect-zustelldienst-produktivumgebung.json"));
+ DefaultValidationService defaultValidationService = new DefaultValidationService(
+ getApplicationConfig(false), hashService, schemaProvider, "trusted-root-certificates");
+
+ RSAKey rsaKey = RSAKey.parse(FileUtil.loadContentOfFile("certificates/grp-fit-connect-zustelldienst-produktivumgebung.json"));
- this.underTest.validateCertChain(rsaKey, KeyOperation.VERIFY);
+ defaultValidationService.validateCertChain(rsaKey, KeyOperation.VERIFY);
}
@Test
- public void validateWithLibrary() throws JOSEException, JWKValidationException, ParseException {
-
- /*X509Certificate x509CertificateToCheck = FileUtil.convertToX509Certificate(
- FileUtil.loadContentOfFile("certificates/cert-grp-fit-connect-zustelldienst-produktivumgebung.json"));*/
- RSAKey rsaKey = RSAKey.parse(FileUtil.loadContentOfFile("certificates/cert-grp-fit-connect-zustelldienst-produktivumgebung.json"));
-
- List<X509Certificate> trustedX509RootCertificates = FileUtil.loadContentOfFilesInDirectory("trusted-root-certificates")
- .stream().map(FileUtil::convertToX509Certificate).collect(Collectors.toList());
- List<String> base64EncodedCertificates = trustedX509RootCertificates.stream().map(cert -> {
- try {
- return Base64.encode(cert.getEncoded()).toString();
- } catch (CertificateEncodingException e) {
- throw new RuntimeException(e);
- }
- }).collect(Collectors.toList());
-
- withX5CValidation()
- .withoutProxy()
- .withRootCertificatesAsPEM(base64EncodedCertificates).withoutThrowingExceptions().withErrorLogLevel(LogLevel.ERROR).build()
- .validate(rsaKey);
+ @Disabled("will be enabled in scope of https://git.fitko.de/fit-connect/planning/-/issues/901")
+ public void fitConnectTestCertificateIsValidAccordingToTestRootCertificates() throws JWKValidationException, ParseException {
+
+ DefaultValidationService defaultValidationService = new DefaultValidationService(
+ getApplicationConfig(false), hashService, schemaProvider, "trusted-test-root-certificates");
+
+ RSAKey rsaKey = RSAKey.parse(FileUtil.loadContentOfFile("certificates/grp-fitko-testzertifikat-fit-connect-1.json"));
+
+ defaultValidationService.validateCertChain(rsaKey, KeyOperation.VERIFY);
+ }
+
+ @Test
+ @Disabled("will be enabled in scope of https://git.fitko.de/fit-connect/planning/-/issues/901")
+ public void revokedFitConnectTestCertificateIsInvalidAccordingToTestRootCertificates() throws JWKValidationException, ParseException {
+
+ DefaultValidationService defaultValidationService = new DefaultValidationService(
+ getApplicationConfig(false), hashService, schemaProvider, "trusted-test-root-certificates");
+
+ RSAKey rsaKey = RSAKey.parse(FileUtil.loadContentOfFile("certificates/grp-fitko-testzertifikat-fit-connect-2.json"));
+
+ defaultValidationService.validateCertChain(rsaKey, KeyOperation.VERIFY);
+ }
+
+ @Test
+ public void fitConnectTestCertificateIsInvalidAccordingToRootCertificates() throws ParseException {
+
+ DefaultValidationService defaultValidationService = new DefaultValidationService(
+ getApplicationConfig(false), hashService, schemaProvider, "trusted-root-certificates");
+
+ RSAKey rsaKey = RSAKey.parse(FileUtil.loadContentOfFile("certificates/grp-fitko-testzertifikat-fit-connect-1.json"));
+
+ Exception exception = assertThrows(JWKValidationException.class, () -> {
+ defaultValidationService.validateCertChain(rsaKey, KeyOperation.VERIFY);
+ });
+
+ assertThat(exception.getMessage(), is("JWK with id LM0FPR9i-Yg1Cks-f_HG4dHocwLc2MU3rigME-Uc1Lc-wrapKey has invalid certificate chain"));
}
private String getResource(final String filename) throws IOException {
diff --git a/core/src/main/resources/certificates/cert-grp-fit-connect-zustelldienst-produktivumgebung.json b/core/src/test/resources/certificates/grp-fit-connect-zustelldienst-produktivumgebung.json
similarity index 100%
rename from core/src/main/resources/certificates/cert-grp-fit-connect-zustelldienst-produktivumgebung.json
rename to core/src/test/resources/certificates/grp-fit-connect-zustelldienst-produktivumgebung.json
diff --git a/core/src/test/resources/certificates/grp-fitko-testzertifikat-fit-connect-1.json b/core/src/test/resources/certificates/grp-fitko-testzertifikat-fit-connect-1.json
new file mode 100644
index 0000000000000000000000000000000000000000..c26e9bddf01acd396b7f971c76a90b403ca2a714
--- /dev/null
+++ b/core/src/test/resources/certificates/grp-fitko-testzertifikat-fit-connect-1.json
@@ -0,0 +1,15 @@
+{
+ "alg": "RSA-OAEP-256",
+ "e": "AQAB",
+ "key_ops": [
+ "wrapKey"
+ ],
+ "kid": "LM0FPR9i-Yg1Cks-f_HG4dHocwLc2MU3rigME-Uc1Lc-wrapKey",
+ "kty": "RSA",
+ "n": "oSi83-NRxxJ2LG7cWt623K8d1TTc32b2zMOEeBYTvYY9fbPOo-qUpM00e_Q23GajPWkQkZSHllvFXz0E4e9LWc2LVkewDqQc3Usy34NjLLQ6zBr6TZoBwZQv2X65ll8e7nSL9JZyfX_Gde37_wtK5waO483Pwk7cg_zA4XwuxpdKaexErRay7Kd7W3v9Gn61BplFV3zaQ3FIWHMLyj8GyH33UVYnCw7iIUuvGrQG2vEac3Ivx7ObdQ-gRS75n6G3AEouerayFdNkXW12Hz2MDR9QvlA7ZZtQ0_Dq8YgHYqh6A-hXgcXtqrW87l-bph18Zi5RtIPv39VgKgELYm9nnZbVavnfhIt2mJRFjfYnW1GD1E8rkC58-CV4lgzZ5ntQahGOhpsCAckJGlEviefe2HpQ0JEb-pfp-LTe1bycRmkcqaBhfl0Acoayfu48wsZgL9EAUG-1RzFK07EgyMFkpppYpa62Np47gbPJI5vlLY6zRcVGR6y6V2b67X_F-tCLte4XaCHbD0EH59t7ITp44q5qdSP6fMcsG3pSGTU5VoTkpc8BJ43dvufhVJaBL73U32VMBzOTVg6w0nSAuXx8FL4v6lSLfPCDqSEzQl0QKIgF9F2g8sVzhaRKPapRXEcAI9Y2_6WPjVCe7QBcWmI6jGhLQGYy42n1fgI7NyNHkF8",
+ "x5c": [
+ "MIIHqzCCBZOgAwIBAgIBTzANBgkqhkiG9w0BAQ0FADBMMQswCQYDVQQGEwJERTERMA8GA1UEChMIVEVTVC1QS0kxETAPBgNVBAsTCFRFU1QtUEtJMRcwFQYDVQQDEw5ET0kgVGVzdC1DQSAxMDAeFw0yMTA2MDIxMjQ4MDdaFw0yNDA2MDIyMzU5NTlaMIHMMQswCQYDVQQGEwJERTEgMB4GA1UEChMXT2VmZmVudGxpY2hlIFZlcndhbHR1bmcxETAPBgNVBAsTCERPSS1PU0NJMS4wLAYDVQQLDCVGSVRLTyBBw7ZSIChGw7ZkZXJhbGUgSVQtS29vcGVyYXRpb24pMRowGAYDVQQHExFGcmFua2Z1cnQgYW0gTWFpbjEwMC4GA1UEAxMnR1JQOiBGSVRLTyBUZXN0emVydGlmaWthdCBGSVQtQ29ubmVjdCAxMQowCAYDVQQFEwExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoSi83+NRxxJ2LG7cWt623K8d1TTc32b2zMOEeBYTvYY9fbPOo+qUpM00e/Q23GajPWkQkZSHllvFXz0E4e9LWc2LVkewDqQc3Usy34NjLLQ6zBr6TZoBwZQv2X65ll8e7nSL9JZyfX/Gde37/wtK5waO483Pwk7cg/zA4XwuxpdKaexErRay7Kd7W3v9Gn61BplFV3zaQ3FIWHMLyj8GyH33UVYnCw7iIUuvGrQG2vEac3Ivx7ObdQ+gRS75n6G3AEouerayFdNkXW12Hz2MDR9QvlA7ZZtQ0/Dq8YgHYqh6A+hXgcXtqrW87l+bph18Zi5RtIPv39VgKgELYm9nnZbVavnfhIt2mJRFjfYnW1GD1E8rkC58+CV4lgzZ5ntQahGOhpsCAckJGlEviefe2HpQ0JEb+pfp+LTe1bycRmkcqaBhfl0Acoayfu48wsZgL9EAUG+1RzFK07EgyMFkpppYpa62Np47gbPJI5vlLY6zRcVGR6y6V2b67X/F+tCLte4XaCHbD0EH59t7ITp44q5qdSP6fMcsG3pSGTU5VoTkpc8BJ43dvufhVJaBL73U32VMBzOTVg6w0nSAuXx8FL4v6lSLfPCDqSEzQl0QKIgF9F2g8sVzhaRKPapRXEcAI9Y2/6WPjVCe7QBcWmI6jGhLQGYy42n1fgI7NyNHkF8CAwEAAaOCAhUwggIRMGEGA1UdIwRaMFiAFOo1H0iCdCR6kxJc5bttXQ/DnxohoTmkNzA1MQswCQYDVQQGEwJERTERMA8GA1UEChMIVEVTVC1QS0kxEzARBgNVBAMTClRFU1QtUENBMjCCBQDr3GGZMB8GA1UdEQQYMBaBFGZpdC1jb25uZWN0QGZpdGtvLmRlMIIBHgYDVR0fBIIBFTCCAREwggENoIIBCaCCAQWGa2xkYXA6Ly9sZGFwLmRvaS50ZXN0LnRlbGVzZWMuZGUvQ049RE9JJTIwVGVzdC1DQSUyMDEwLE9VPVRFU1QtUEtJLE89VEVTVC1QS0ksQz1ERT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0hoGVaHR0cDovL2RvaS50ZXN0LnRlbGVzZWMuZGUvZG9pL2Rvd25sb2FkL2Rvd25sb2FkLmNybD9wYXRoPUNOJTNERE9JJTIwVGVzdC1DQSUyMDEwJTJDT1UlM0RURVNULVBLSSUyQ08lM0RURVNULVBLSSUyQ0MlM0RERSUzRmNlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3QwFgYDVR0gBA8wDTALBgkrBgEEAb10AQEwDgYDVR0PAQH/BAQDAgXgMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL29jc3AuZG9pLnRlc3QudGVsZXNlYy5kZS9vY3NwcjANBgkqhkiG9w0BAQ0FAAOCAgEAlMsjiIqQ1/P/eWq6n+hREwWUsnQf/pMp5PL1JahgdN2te1HS3h4GF2Fg2TImucMhTPEx1BAmDppb21LtoefWBcS9+p+aV3sWxIpmdjx8RTXiCaq58h+b8XWhf5LJqfzCK9eyTso9fZ4+qqjt1vo5WeYxulwVAPmkjgglVSuuLZlB8/hKbu2aaKIq4eEQgxn2m5GzfywXKMHr5Q7p2VcGxrap03dJiN5+eaYcQ1ugYSuN/GJwIQgvHK2N8lXhHbmSc5KatxzCTwiEzghsxzcxx8BxIwL0djhFp7o4g4VCIDmEbRGoq9RuPrGtSmznRNIYVk2607UUm99Je89zsORP1ANG+TjzeH1vtByWva+Q+uJ3ca0ItrmyYEhCiysfgg9RSvwDx10kW0vTQI9gRfatSRqRGFKE2QOc2MwS3lVsTbjbr/VWvJI5OO9UWUcO5LDcr6dXEhvAOy4gGD7BPMd5nY35lKtCDdfR6/Cn+0lW5M7mXlxsz8CfsK/QslVcv8PNH6agwrL0tOUgUp2fW1QKQMZ5mmkUllxxJjfKSLL8E14AsEeZm9doTdzp17Vq4JOVM3bFe8tmike2F4HlHEDh/kzAicg0f4oSckNj/enF+slPPCvwXcuSx6NP2I0HxYBlnQeiR2VHiRsEJeC7n1s8peOrNWn8uylntn36Tj1COvU=",
+ "MIIGnDCCBISgAwIBAgIFAOvcYZkwDQYJKoZIhvcNAQELBQAwNTELMAkGA1UEBhMCREUxETAPBgNVBAoTCFRFU1QtUEtJMRMwEQYDVQQDEwpURVNULVBDQTIwMB4XDTIwMTAwMTAwMDAwMFoXDTI2MTAwMTIzNTk1OVowTDELMAkGA1UEBhMCREUxETAPBgNVBAoTCFRFU1QtUEtJMREwDwYDVQQLEwhURVNULVBLSTEXMBUGA1UEAxMORE9JIFRlc3QtQ0EgMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDd05QR+vF4k6uujeL95TGxEej8bdh4eDS5TnaXq6JvP5rDhP/ropCr5Tzb/R6HNINin8rH6BScTA5Jqy4UnLs5oRX+Ofa0aN5HlFyo1Hcu5snbT1klVVq+/GYsSaL0V6C2n0wFNapdogi4Wt+tyCRKsEQINKR7zb1zIuxj2yPc4tUsXA2EwOlSMHAdtfzZL3ohTHAWkkY12wKGzpQwMDdUK6WKcf3vzLMk4rkYbd8bOBH1E7u4SX1IXTE8XJu4AJtsUkTZywZE54excobKPdWK0gwhXdBdPfWMJ6I55U2cxsOH2mMhifKS32vQnfSqA48pL72JswsXa/owBN4BhmqjBAfb5rJAYkNFUvDx1kJr9Uj9V3fN0PdNDc2V0SMHusUNsiUgePe+Sknh/KKZhqEXOqbIk0AEeLi0pdVAv5mm2aKCHI8G3jWY/5c/9/aiNwITO4Zg80fyWlIenxOX+OelRsDV64txY9rRC7VclL9mAC1eBEnRz3gQSAuZ434CDJ+xnYQA4AQ2jJXTd3a/7Sey/zb7HPve4ONkeQZoL9JVfhF6nvpG5E7VRQB1rDRF6iX411CA3/1Sa0zVWO/r2qbg7w45QBmj2rikNb1oY2ewrVm8pYQKxAyUHmKhD0r5c4tihA4MzDdhhHRMjT3HFmZrUxeO4SzcXQu3/iXpi5Ob2QIDAQABo4IBmjCCAZYwEgYDVR0TAQH/BAgwBgEB/wIBAzA/BgNVHSAEODA2MDQGCysGAQQBswEBAgUDMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vd3d3LmJzaS5idW5kLmRlMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU6jUfSIJ0JHqTElzlu21dD8OfGiEwYQYDVR0jBFowWIAU2Erw8gRwgq+js4JuK5TuLHKjLMGhOaQ3MDUxCzAJBgNVBAYTAkRFMREwDwYDVQQKEwhURVNULVBLSTETMBEGA1UEAxMKVEVTVC1QQ0EyMIIFAJhujJQwgawGA1UdHwSBpDCBoTBWoFSgUoZQbGRhcDovL3Rlc3QteDUwMC5idW5kLmRlL0NOPVRFU1QtUENBMjAsTz1URVNULVBLSSxDPURFP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3QwR6BFoEOGQWh0dHA6Ly90ZXN0LXg1MDAuYnVuZC5kZS9jZ2ktYmluL3Nob3dfYXR0cj9jbj1URVNULVBDQTIwJmF0dHI9Y3JsMA0GCSqGSIb3DQEBCwUAA4ICAQCLxvm6QwYZT5vLYNs7hPiq/DbWZb4yzVHKkxh+GpwzujHDBATK15Xz6zAVlbvkwF2tdxUk0pugIY26XoIRDMBsedX/lQTug1THx7jNGTgMXmVUuKCpx9Dl4HfQyvQlOxvwPTt92VEOhhuRAulB7KsP2K3TZsLY6JPAyI3ULl59S++VuTxvhkA40jU53n1R3rSaC/MKiWgDa9pWvSsxo3PZcFK31mw8kY5DriXgjl05DyQ2h85PVxis/Y1WgLirkKBmuyU2+nZPy+KIsWldE2ISb+NkxxJ22/aKYDjo5d9H/60ivYYNMzXlIsRN1nz/iqGqy4LJoSUN+sIM5Eh7Xgq7N7O0Zh6NErFxy/XI7gIOUygR2fFWoMromwA+DXAOIBMB7pVuGQXmyL7URFFslP82xNOHkbz/rQD42wtA5POPPa2XpRCZPTTp1DN/NksNG7YDyMtypjO+CAk+z52hvWQ2cSXdS/Z4TYeZx9gKUPd0VB2HMQkjzBR4BL9jR4RHOJxmNKVD9+beB9Itso6nW76FskS6BPLwVPCU1R9FK9hRUWs8Lf1/4k4E/rrkbktY79rpWSiSljaD+kBpo9yd8tiqOW/Zy9tfWiups+3DF3Crykv9jBd/OyCmd5u3n+WUYWEmYgsM8yOunfy3mRlJXgdJ0jTJW5M1RJwh8F+a3t149Q==",
+ "MIIGVjCCBD6gAwIBAgIFAJhujJQwDQYJKoZIhvcNAQELBQAwNTELMAkGA1UEBhMCREUxETAPBgNVBAoTCFRFU1QtUEtJMRMwEQYDVQQDEwpURVNULVBDQTIwMB4XDTE5MTIwMTAwMDAwMFoXDTI5MTIzMTIzNTk1OVowNTELMAkGA1UEBhMCREUxETAPBgNVBAoTCFRFU1QtUEtJMRMwEQYDVQQDEwpURVNULVBDQTIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoAo7xDpvHSqSOJGW1rtalhZayl0IZGAtmF1f7Ssvlq9DsJxEu6lRhTwGHPzPEXZ4EMdHwHGnw3Zv4XL4Uc/FcsBOzVKFb6D2WLWXoJ/9D6rHpG+iC9148JcYTPLIrBIfPKpLdC2vKqVubqSUvLZl8fjmME1elAuqwu6qDmelbTa5iO+fV0awZkx0KrlCA88a6amldCqFfeert/XKqsrk74ihVzaUiTCW9aKNBxucQbKHhU1W8jgzpQi3x758dRtoDqChbPFkTLNoQhLP8pPa3MynbXUC0XfF7h63zQNpNBvqnUjBl5oTbimoUFLdh8Wo0Bs0ifzu6WC0fEkI7ZQVOBjHEvMvN+rqAecsG/BvCDVLVK27T+HC3zAZcusKa6/X73Sa3uO1EySOG6jwSmjTctCTx4qDjJrZZqZEZgSmzQqWTyWyo5LCIx3cPce+kafAJqufasT/WZS5vQ/65fUt/tEzZUFG34Pl6sFhtfe+91adDlOYioLnPC8EcWcSDP4DRh8CbEEqu/oLEj/UhAmcJGWutHtNKmr59j/SO06LbZpSGgy4OU+aCiWn3N8S1wwBYpWqn0S1r876OQIofKdHshWPhg8/KXh/yjgx6a5/HMuKPQVH1FmFeWlnsbkpdMNPSDHM5LjjIwEm6dy2TwP35jSoYw/leIB4izaz6pEOMKUCAwEAAaOCAWswggFnMA8GA1UdEwEB/wQFMAMBAf8wPwYDVR0gBDgwNjA0BgsrBgEEAbMBAQIBAzAlMCMGCCsGAQUFBwIBFhdodHRwczovL3d3dy5ic2kuYnVuZC5kZTCBrAYDVR0fBIGkMIGhMFagVKBShlBsZGFwOi8vdGVzdC14NTAwLmJ1bmQuZGUvQ049VEVTVC1QQ0EyMCxPPVRFU1QtUEtJLEM9REU/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDBHoEWgQ4ZBaHR0cDovL3Rlc3QteDUwMC5idW5kLmRlL2NnaS1iaW4vc2hvd19hdHRyP2NuPVRFU1QtUENBMjAmYXR0cj1jcmwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTYSvDyBHCCr6Ozgm4rlO4scqMswTA1BgNVHREELjAsgRFWLVBLSUBic2kuYnVuZC5kZYYXaHR0cHM6Ly93d3cuYnNpLmJ1bmQuZGUwDQYJKoZIhvcNAQELBQADggIBADK29j9Tkm6SjI0PNmYFbOl/8FsjVsN4pZ0g67z4Ro1egbldCbV9pst7PB9TSjaKUBClS9fJUU5izOpxj4LxSehpJeJZNs47sXuMkePPCQdKv7WmwvWLYY2wiMJ7qF4PyvtIqX6Wyy8y0nhuAb0KpO4jBG0kbuuxvt5oe6PAVLfvXiVJSIjlOmjxNV50ryVWb0/nEISvrOdAno9vY5jIAfBQQauCAy4XgMR/6uyEaB/aGcb5Qbc8HlDS8tqRGQklRJ4XX6mDU2w8tU2szHQoSJt41p6UyQt0BN0bLKtVmZr8RlsZERUk4m8x37VmoltNxgkUV6SARORNmqKPrvSgu/FgbKayJ/+8h0qEKhvhCQmbqsjlDxvAcv7jPelmEmNwKEdvToxpMzPpQKCvXelgxANDHPdVqnQpBeqb53VFr5oKCIfYK4KaTPIzntmaLnS8JbM3Bb36tyCvh+HX5IcWCskRAmh10k5FmB4xBcz394gjJDYrOEqVeuNduSFVLwxZq8K/0MC6gacrxytnfnChjBdd+7gE8TDbHjA2xd8mbHDC5c1VrrHxs9coPr+nSZP2dltg/OMCPRBuOXL/vwjfh7Wc6Rl4LBn+H1Ql/J52s3b1aukMiL3pSJOElvThgBKsPlf6ftwIANzr/v6m3iOt0ifNLVMsPpYM2c9nj8QcvFcu"
+ ]
+}
\ No newline at end of file
diff --git a/core/src/test/resources/certificates/grp-fitko-testzertifikat-fit-connect-2.json b/core/src/test/resources/certificates/grp-fitko-testzertifikat-fit-connect-2.json
new file mode 100644
index 0000000000000000000000000000000000000000..b4f001045a83fcddae2cc0d4f2b796354dbf33ce
--- /dev/null
+++ b/core/src/test/resources/certificates/grp-fitko-testzertifikat-fit-connect-2.json
@@ -0,0 +1,15 @@
+{
+ "alg": "RSA-OAEP-256",
+ "e": "AQAB",
+ "key_ops": [
+ "wrapKey"
+ ],
+ "kid": "rRaGt35McGycD4MeRyHZSLFo7dda2PEJscBuPT1KJdE-wrapKey",
+ "kty": "RSA",
+ "n": "q3HY4MdeI9x1_R3nxqqtwFvkp5P3aWWEIIPet1OWsJNBNtbG-Z0LhM3RX0oJne93m2bMFqwvo5akdJmpeLg-Sl0WBUZt_0UMI55I7S0qWVYOnqQncVJcHIp8FU0SuHNuSDWTPXIxrLuJFm8TkYfpWOvwo1wXZcqCI2vMKLTB5L8D_3z8CqZgSeB_7tXM3QESIt7vRoSCn66Ws5NpvAwJiBCvHJAMJ7D2y2lAFPCweB3c1v6RaR8pX8xFLSxRbKlUEo9sW0HFoMfA8Vq15wgWdVGugopxKe3ySXErCYo1rP4qtS9n8jlyxUHD307KUcKoLBM-qxaIL4xZEFBb2fQ7NF5H1BeyrYQbZp0l5whobo_XuSaW8HwnlHqVna4pLS4o2QSp--5g-IVeO0heEjcQPvWvKy38hYu5AKv1HLhK-SHw0XplrIRYzXc31j5PlE0rBAWhQlVUZr-MtjY19-Oaxlo0D56_Xzrct3PUp8f9pOh1OwzeitO0n4m3bVGcQKa8J6ulB24HndzQBiCB9hxofvvdYNJZB6YKlQzogYKevTVSN24p4Y-CD4AVmDnmDiLe6eFReGRNgXQ5taCmRgQ7Jx1duA18jHQoi9dSlB6JBScuOemwFOYxvUFI-ISBhHv7NQttfCZzb3LL9bsn7ze6Kn2wFuZvsHGT5eZBMDTt-2c",
+ "x5c": [
+ "MIIHqzCCBZOgAwIBAgIBUDANBgkqhkiG9w0BAQ0FADBMMQswCQYDVQQGEwJERTERMA8GA1UEChMIVEVTVC1QS0kxETAPBgNVBAsTCFRFU1QtUEtJMRcwFQYDVQQDEw5ET0kgVGVzdC1DQSAxMDAeFw0yMTA2MDIxMjQ4MzdaFw0yNDA2MDIyMzU5NTlaMIHMMQswCQYDVQQGEwJERTEgMB4GA1UEChMXT2VmZmVudGxpY2hlIFZlcndhbHR1bmcxETAPBgNVBAsTCERPSS1PU0NJMS4wLAYDVQQLDCVGSVRLTyBBw7ZSIChGw7ZkZXJhbGUgSVQtS29vcGVyYXRpb24pMRowGAYDVQQHExFGcmFua2Z1cnQgYW0gTWFpbjEwMC4GA1UEAxMnR1JQOiBGSVRLTyBUZXN0emVydGlmaWthdCBGSVQtQ29ubmVjdCAyMQowCAYDVQQFEwExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3HY4MdeI9x1/R3nxqqtwFvkp5P3aWWEIIPet1OWsJNBNtbG+Z0LhM3RX0oJne93m2bMFqwvo5akdJmpeLg+Sl0WBUZt/0UMI55I7S0qWVYOnqQncVJcHIp8FU0SuHNuSDWTPXIxrLuJFm8TkYfpWOvwo1wXZcqCI2vMKLTB5L8D/3z8CqZgSeB/7tXM3QESIt7vRoSCn66Ws5NpvAwJiBCvHJAMJ7D2y2lAFPCweB3c1v6RaR8pX8xFLSxRbKlUEo9sW0HFoMfA8Vq15wgWdVGugopxKe3ySXErCYo1rP4qtS9n8jlyxUHD307KUcKoLBM+qxaIL4xZEFBb2fQ7NF5H1BeyrYQbZp0l5whobo/XuSaW8HwnlHqVna4pLS4o2QSp++5g+IVeO0heEjcQPvWvKy38hYu5AKv1HLhK+SHw0XplrIRYzXc31j5PlE0rBAWhQlVUZr+MtjY19+Oaxlo0D56/Xzrct3PUp8f9pOh1OwzeitO0n4m3bVGcQKa8J6ulB24HndzQBiCB9hxofvvdYNJZB6YKlQzogYKevTVSN24p4Y+CD4AVmDnmDiLe6eFReGRNgXQ5taCmRgQ7Jx1duA18jHQoi9dSlB6JBScuOemwFOYxvUFI+ISBhHv7NQttfCZzb3LL9bsn7ze6Kn2wFuZvsHGT5eZBMDTt+2cCAwEAAaOCAhUwggIRMGEGA1UdIwRaMFiAFOo1H0iCdCR6kxJc5bttXQ/DnxohoTmkNzA1MQswCQYDVQQGEwJERTERMA8GA1UEChMIVEVTVC1QS0kxEzARBgNVBAMTClRFU1QtUENBMjCCBQDr3GGZMB8GA1UdEQQYMBaBFGZpdC1jb25uZWN0QGZpdGtvLmRlMIIBHgYDVR0fBIIBFTCCAREwggENoIIBCaCCAQWGa2xkYXA6Ly9sZGFwLmRvaS50ZXN0LnRlbGVzZWMuZGUvQ049RE9JJTIwVGVzdC1DQSUyMDEwLE9VPVRFU1QtUEtJLE89VEVTVC1QS0ksQz1ERT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0hoGVaHR0cDovL2RvaS50ZXN0LnRlbGVzZWMuZGUvZG9pL2Rvd25sb2FkL2Rvd25sb2FkLmNybD9wYXRoPUNOJTNERE9JJTIwVGVzdC1DQSUyMDEwJTJDT1UlM0RURVNULVBLSSUyQ08lM0RURVNULVBLSSUyQ0MlM0RERSUzRmNlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3QwFgYDVR0gBA8wDTALBgkrBgEEAb10AQEwDgYDVR0PAQH/BAQDAgXgMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL29jc3AuZG9pLnRlc3QudGVsZXNlYy5kZS9vY3NwcjANBgkqhkiG9w0BAQ0FAAOCAgEAtqVwGbsvXQI4/yctLKAW2AFf8vXkB2UrWsnEasYGjWzrDIDuI5+9mP/idR2W0+Vi0E8xzyWtosYZwK+gWYSrtoKlMuNLBzHPy/kdlZFHgTyvPcfwNF6c67//tb++5g2EYd1ZsMfdBMA/O4zATOyROtsyqt8GjuoYcKr9/aNHiRhvdVf1BaPCfxd1O+asvajzGeLqiGCGQUuiQnYtotfbnvLWaebPprt/TNkX7JWWD9GkkR20/fZt8EgoGRtbEL/Y8tOTsbZ0RSjSETanFHtNMMo8IxmIj0p2y5dHlVPUyHHWLipr8HZhX6fMfYFk+EOBvgSAYX18VXAfBqmRQuunuC+WNzyJL42aUAjX/VYWvpMjoshR2V+TdY5wcr5soMoXWFhpGKnOpOZHEQ+Tst7H369OV7e1eZWyiQbMCA+LK73SlZnzizQ8tftVRDxaPWSuayHwa8nbrDxXbClNiNDYYT6i5LqTYVJOvd4V3iTkTOESpRFoq7zwOjrv7ny38qV8BeKrNP7P4FOtvzi0qT1FwdzSpq5yHTAETai27uaJ9rGyPCQzZmMnn7A4PsIKr/MrEh8ywlXSdWHaKLoPfLnOT6cuqy5OdYakHOcCKwEvmvy9tstHHu2vf1gKm41E/q3W03kmGTwbVzxMe2qQdYbsPTez9qImnwUyfp7P5uoRaPI=",
+ "MIIGnDCCBISgAwIBAgIFAOvcYZkwDQYJKoZIhvcNAQELBQAwNTELMAkGA1UEBhMCREUxETAPBgNVBAoTCFRFU1QtUEtJMRMwEQYDVQQDEwpURVNULVBDQTIwMB4XDTIwMTAwMTAwMDAwMFoXDTI2MTAwMTIzNTk1OVowTDELMAkGA1UEBhMCREUxETAPBgNVBAoTCFRFU1QtUEtJMREwDwYDVQQLEwhURVNULVBLSTEXMBUGA1UEAxMORE9JIFRlc3QtQ0EgMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDd05QR+vF4k6uujeL95TGxEej8bdh4eDS5TnaXq6JvP5rDhP/ropCr5Tzb/R6HNINin8rH6BScTA5Jqy4UnLs5oRX+Ofa0aN5HlFyo1Hcu5snbT1klVVq+/GYsSaL0V6C2n0wFNapdogi4Wt+tyCRKsEQINKR7zb1zIuxj2yPc4tUsXA2EwOlSMHAdtfzZL3ohTHAWkkY12wKGzpQwMDdUK6WKcf3vzLMk4rkYbd8bOBH1E7u4SX1IXTE8XJu4AJtsUkTZywZE54excobKPdWK0gwhXdBdPfWMJ6I55U2cxsOH2mMhifKS32vQnfSqA48pL72JswsXa/owBN4BhmqjBAfb5rJAYkNFUvDx1kJr9Uj9V3fN0PdNDc2V0SMHusUNsiUgePe+Sknh/KKZhqEXOqbIk0AEeLi0pdVAv5mm2aKCHI8G3jWY/5c/9/aiNwITO4Zg80fyWlIenxOX+OelRsDV64txY9rRC7VclL9mAC1eBEnRz3gQSAuZ434CDJ+xnYQA4AQ2jJXTd3a/7Sey/zb7HPve4ONkeQZoL9JVfhF6nvpG5E7VRQB1rDRF6iX411CA3/1Sa0zVWO/r2qbg7w45QBmj2rikNb1oY2ewrVm8pYQKxAyUHmKhD0r5c4tihA4MzDdhhHRMjT3HFmZrUxeO4SzcXQu3/iXpi5Ob2QIDAQABo4IBmjCCAZYwEgYDVR0TAQH/BAgwBgEB/wIBAzA/BgNVHSAEODA2MDQGCysGAQQBswEBAgUDMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vd3d3LmJzaS5idW5kLmRlMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU6jUfSIJ0JHqTElzlu21dD8OfGiEwYQYDVR0jBFowWIAU2Erw8gRwgq+js4JuK5TuLHKjLMGhOaQ3MDUxCzAJBgNVBAYTAkRFMREwDwYDVQQKEwhURVNULVBLSTETMBEGA1UEAxMKVEVTVC1QQ0EyMIIFAJhujJQwgawGA1UdHwSBpDCBoTBWoFSgUoZQbGRhcDovL3Rlc3QteDUwMC5idW5kLmRlL0NOPVRFU1QtUENBMjAsTz1URVNULVBLSSxDPURFP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3QwR6BFoEOGQWh0dHA6Ly90ZXN0LXg1MDAuYnVuZC5kZS9jZ2ktYmluL3Nob3dfYXR0cj9jbj1URVNULVBDQTIwJmF0dHI9Y3JsMA0GCSqGSIb3DQEBCwUAA4ICAQCLxvm6QwYZT5vLYNs7hPiq/DbWZb4yzVHKkxh+GpwzujHDBATK15Xz6zAVlbvkwF2tdxUk0pugIY26XoIRDMBsedX/lQTug1THx7jNGTgMXmVUuKCpx9Dl4HfQyvQlOxvwPTt92VEOhhuRAulB7KsP2K3TZsLY6JPAyI3ULl59S++VuTxvhkA40jU53n1R3rSaC/MKiWgDa9pWvSsxo3PZcFK31mw8kY5DriXgjl05DyQ2h85PVxis/Y1WgLirkKBmuyU2+nZPy+KIsWldE2ISb+NkxxJ22/aKYDjo5d9H/60ivYYNMzXlIsRN1nz/iqGqy4LJoSUN+sIM5Eh7Xgq7N7O0Zh6NErFxy/XI7gIOUygR2fFWoMromwA+DXAOIBMB7pVuGQXmyL7URFFslP82xNOHkbz/rQD42wtA5POPPa2XpRCZPTTp1DN/NksNG7YDyMtypjO+CAk+z52hvWQ2cSXdS/Z4TYeZx9gKUPd0VB2HMQkjzBR4BL9jR4RHOJxmNKVD9+beB9Itso6nW76FskS6BPLwVPCU1R9FK9hRUWs8Lf1/4k4E/rrkbktY79rpWSiSljaD+kBpo9yd8tiqOW/Zy9tfWiups+3DF3Crykv9jBd/OyCmd5u3n+WUYWEmYgsM8yOunfy3mRlJXgdJ0jTJW5M1RJwh8F+a3t149Q==",
+ "MIIGVjCCBD6gAwIBAgIFAJhujJQwDQYJKoZIhvcNAQELBQAwNTELMAkGA1UEBhMCREUxETAPBgNVBAoTCFRFU1QtUEtJMRMwEQYDVQQDEwpURVNULVBDQTIwMB4XDTE5MTIwMTAwMDAwMFoXDTI5MTIzMTIzNTk1OVowNTELMAkGA1UEBhMCREUxETAPBgNVBAoTCFRFU1QtUEtJMRMwEQYDVQQDEwpURVNULVBDQTIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoAo7xDpvHSqSOJGW1rtalhZayl0IZGAtmF1f7Ssvlq9DsJxEu6lRhTwGHPzPEXZ4EMdHwHGnw3Zv4XL4Uc/FcsBOzVKFb6D2WLWXoJ/9D6rHpG+iC9148JcYTPLIrBIfPKpLdC2vKqVubqSUvLZl8fjmME1elAuqwu6qDmelbTa5iO+fV0awZkx0KrlCA88a6amldCqFfeert/XKqsrk74ihVzaUiTCW9aKNBxucQbKHhU1W8jgzpQi3x758dRtoDqChbPFkTLNoQhLP8pPa3MynbXUC0XfF7h63zQNpNBvqnUjBl5oTbimoUFLdh8Wo0Bs0ifzu6WC0fEkI7ZQVOBjHEvMvN+rqAecsG/BvCDVLVK27T+HC3zAZcusKa6/X73Sa3uO1EySOG6jwSmjTctCTx4qDjJrZZqZEZgSmzQqWTyWyo5LCIx3cPce+kafAJqufasT/WZS5vQ/65fUt/tEzZUFG34Pl6sFhtfe+91adDlOYioLnPC8EcWcSDP4DRh8CbEEqu/oLEj/UhAmcJGWutHtNKmr59j/SO06LbZpSGgy4OU+aCiWn3N8S1wwBYpWqn0S1r876OQIofKdHshWPhg8/KXh/yjgx6a5/HMuKPQVH1FmFeWlnsbkpdMNPSDHM5LjjIwEm6dy2TwP35jSoYw/leIB4izaz6pEOMKUCAwEAAaOCAWswggFnMA8GA1UdEwEB/wQFMAMBAf8wPwYDVR0gBDgwNjA0BgsrBgEEAbMBAQIBAzAlMCMGCCsGAQUFBwIBFhdodHRwczovL3d3dy5ic2kuYnVuZC5kZTCBrAYDVR0fBIGkMIGhMFagVKBShlBsZGFwOi8vdGVzdC14NTAwLmJ1bmQuZGUvQ049VEVTVC1QQ0EyMCxPPVRFU1QtUEtJLEM9REU/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDBHoEWgQ4ZBaHR0cDovL3Rlc3QteDUwMC5idW5kLmRlL2NnaS1iaW4vc2hvd19hdHRyP2NuPVRFU1QtUENBMjAmYXR0cj1jcmwwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTYSvDyBHCCr6Ozgm4rlO4scqMswTA1BgNVHREELjAsgRFWLVBLSUBic2kuYnVuZC5kZYYXaHR0cHM6Ly93d3cuYnNpLmJ1bmQuZGUwDQYJKoZIhvcNAQELBQADggIBADK29j9Tkm6SjI0PNmYFbOl/8FsjVsN4pZ0g67z4Ro1egbldCbV9pst7PB9TSjaKUBClS9fJUU5izOpxj4LxSehpJeJZNs47sXuMkePPCQdKv7WmwvWLYY2wiMJ7qF4PyvtIqX6Wyy8y0nhuAb0KpO4jBG0kbuuxvt5oe6PAVLfvXiVJSIjlOmjxNV50ryVWb0/nEISvrOdAno9vY5jIAfBQQauCAy4XgMR/6uyEaB/aGcb5Qbc8HlDS8tqRGQklRJ4XX6mDU2w8tU2szHQoSJt41p6UyQt0BN0bLKtVmZr8RlsZERUk4m8x37VmoltNxgkUV6SARORNmqKPrvSgu/FgbKayJ/+8h0qEKhvhCQmbqsjlDxvAcv7jPelmEmNwKEdvToxpMzPpQKCvXelgxANDHPdVqnQpBeqb53VFr5oKCIfYK4KaTPIzntmaLnS8JbM3Bb36tyCvh+HX5IcWCskRAmh10k5FmB4xBcz394gjJDYrOEqVeuNduSFVLwxZq8K/0MC6gacrxytnfnChjBdd+7gE8TDbHjA2xd8mbHDC5c1VrrHxs9coPr+nSZP2dltg/OMCPRBuOXL/vwjfh7Wc6Rl4LBn+H1Ql/J52s3b1aukMiL3pSJOElvThgBKsPlf6ftwIANzr/v6m3iOt0ifNLVMsPpYM2c9nj8QcvFcu"
+ ]
+}
\ No newline at end of file
diff --git a/core/src/test/resources/trusted-test-root-certificates/TEST-PCA20.pem b/core/src/test/resources/trusted-test-root-certificates/TEST-PCA20.pem
new file mode 100644
index 0000000000000000000000000000000000000000..0c5c8b31bfcf8050ba3737dde617dc642f53a13c
--- /dev/null
+++ b/core/src/test/resources/trusted-test-root-certificates/TEST-PCA20.pem
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGVjCCBD6gAwIBAgIFAJhujJQwDQYJKoZIhvcNAQELBQAwNTELMAkGA1UEBhMC
+REUxETAPBgNVBAoTCFRFU1QtUEtJMRMwEQYDVQQDEwpURVNULVBDQTIwMB4XDTE5
+MTIwMTAwMDAwMFoXDTI5MTIzMTIzNTk1OVowNTELMAkGA1UEBhMCREUxETAPBgNV
+BAoTCFRFU1QtUEtJMRMwEQYDVQQDEwpURVNULVBDQTIwMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAoAo7xDpvHSqSOJGW1rtalhZayl0IZGAtmF1f7Ssv
+lq9DsJxEu6lRhTwGHPzPEXZ4EMdHwHGnw3Zv4XL4Uc/FcsBOzVKFb6D2WLWXoJ/9
+D6rHpG+iC9148JcYTPLIrBIfPKpLdC2vKqVubqSUvLZl8fjmME1elAuqwu6qDmel
+bTa5iO+fV0awZkx0KrlCA88a6amldCqFfeert/XKqsrk74ihVzaUiTCW9aKNBxuc
+QbKHhU1W8jgzpQi3x758dRtoDqChbPFkTLNoQhLP8pPa3MynbXUC0XfF7h63zQNp
+NBvqnUjBl5oTbimoUFLdh8Wo0Bs0ifzu6WC0fEkI7ZQVOBjHEvMvN+rqAecsG/Bv
+CDVLVK27T+HC3zAZcusKa6/X73Sa3uO1EySOG6jwSmjTctCTx4qDjJrZZqZEZgSm
+zQqWTyWyo5LCIx3cPce+kafAJqufasT/WZS5vQ/65fUt/tEzZUFG34Pl6sFhtfe+
+91adDlOYioLnPC8EcWcSDP4DRh8CbEEqu/oLEj/UhAmcJGWutHtNKmr59j/SO06L
+bZpSGgy4OU+aCiWn3N8S1wwBYpWqn0S1r876OQIofKdHshWPhg8/KXh/yjgx6a5/
+HMuKPQVH1FmFeWlnsbkpdMNPSDHM5LjjIwEm6dy2TwP35jSoYw/leIB4izaz6pEO
+MKUCAwEAAaOCAWswggFnMA8GA1UdEwEB/wQFMAMBAf8wPwYDVR0gBDgwNjA0Bgsr
+BgEEAbMBAQIBAzAlMCMGCCsGAQUFBwIBFhdodHRwczovL3d3dy5ic2kuYnVuZC5k
+ZTCBrAYDVR0fBIGkMIGhMFagVKBShlBsZGFwOi8vdGVzdC14NTAwLmJ1bmQuZGUv
+Q049VEVTVC1QQ0EyMCxPPVRFU1QtUEtJLEM9REU/Y2VydGlmaWNhdGVSZXZvY2F0
+aW9uTGlzdDBHoEWgQ4ZBaHR0cDovL3Rlc3QteDUwMC5idW5kLmRlL2NnaS1iaW4v
+c2hvd19hdHRyP2NuPVRFU1QtUENBMjAmYXR0cj1jcmwwDgYDVR0PAQH/BAQDAgEG
+MB0GA1UdDgQWBBTYSvDyBHCCr6Ozgm4rlO4scqMswTA1BgNVHREELjAsgRFWLVBL
+SUBic2kuYnVuZC5kZYYXaHR0cHM6Ly93d3cuYnNpLmJ1bmQuZGUwDQYJKoZIhvcN
+AQELBQADggIBADK29j9Tkm6SjI0PNmYFbOl/8FsjVsN4pZ0g67z4Ro1egbldCbV9
+pst7PB9TSjaKUBClS9fJUU5izOpxj4LxSehpJeJZNs47sXuMkePPCQdKv7WmwvWL
+YY2wiMJ7qF4PyvtIqX6Wyy8y0nhuAb0KpO4jBG0kbuuxvt5oe6PAVLfvXiVJSIjl
+OmjxNV50ryVWb0/nEISvrOdAno9vY5jIAfBQQauCAy4XgMR/6uyEaB/aGcb5Qbc8
+HlDS8tqRGQklRJ4XX6mDU2w8tU2szHQoSJt41p6UyQt0BN0bLKtVmZr8RlsZERUk
+4m8x37VmoltNxgkUV6SARORNmqKPrvSgu/FgbKayJ/+8h0qEKhvhCQmbqsjlDxvA
+cv7jPelmEmNwKEdvToxpMzPpQKCvXelgxANDHPdVqnQpBeqb53VFr5oKCIfYK4Ka
+TPIzntmaLnS8JbM3Bb36tyCvh+HX5IcWCskRAmh10k5FmB4xBcz394gjJDYrOEqV
+euNduSFVLwxZq8K/0MC6gacrxytnfnChjBdd+7gE8TDbHjA2xd8mbHDC5c1VrrHx
+s9coPr+nSZP2dltg/OMCPRBuOXL/vwjfh7Wc6Rl4LBn+H1Ql/J52s3b1aukMiL3p
+SJOElvThgBKsPlf6ftwIANzr/v6m3iOt0ifNLVMsPpYM2c9nj8QcvFcu
+-----END CERTIFICATE-----