Feature/808 validate root certificates

core/src/main/java/dev/fitko/fitconnect/core/validation/DefaultValidationService.java

@@ -23,16 +23,7 @@ import dev.fitko.fitconnect.api.domain.model.event.problems.data.DataHashMismatc
 import dev.fitko.fitconnect.api.domain.model.event.problems.data.DataJsonSyntaxViolation;
 import dev.fitko.fitconnect.api.domain.model.event.problems.data.DataXmlSyntaxViolation;
 import dev.fitko.fitconnect.api.domain.model.event.problems.data.IncorrectDataAuthenticationTag;
-import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.AttachmentsMismatch;
-import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.IncorrectMetadataAuthenticationTag;
-import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.MetadataJsonSyntaxViolation;
-import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.MetadataSchemaViolation;
-import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.MissingData;
-import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.ServiceMismatch;
-import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.UnsupportedDataSchema;
-import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.UnsupportedMetadataSchema;
-import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.UnsupportedReplyChannel;
-import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.UnsupportedService;
+import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.*;
 import dev.fitko.fitconnect.api.domain.model.metadata.Metadata;
 import dev.fitko.fitconnect.api.domain.model.metadata.attachment.ApiAttachment;
 import dev.fitko.fitconnect.api.domain.model.metadata.attachment.AttachmentForValidation;
@@ -43,11 +34,14 @@ import dev.fitko.fitconnect.api.domain.model.replychannel.ReplyChannel;
 import dev.fitko.fitconnect.api.domain.model.submission.Submission;
 import dev.fitko.fitconnect.api.domain.validation.ValidationResult;
 import dev.fitko.fitconnect.api.exceptions.DataIntegrityException;
+import dev.fitko.fitconnect.api.exceptions.RootCertificateException;
 import dev.fitko.fitconnect.api.exceptions.SchemaNotFoundException;
 import dev.fitko.fitconnect.api.exceptions.ValidationException;
 import dev.fitko.fitconnect.api.services.crypto.MessageDigestService;
 import dev.fitko.fitconnect.api.services.schema.SchemaProvider;
 import dev.fitko.fitconnect.api.services.validation.ValidationService;
+import dev.fitko.fitconnect.core.util.FileUtil;
+import dev.fitko.fitconnect.core.util.Strings;
 import dev.fitko.fitconnect.jwkvalidator.JWKValidator;
 import dev.fitko.fitconnect.jwkvalidator.JWKValidatorBuilder;
 import dev.fitko.fitconnect.jwkvalidator.exceptions.JWKValidationException;
@@ -60,7 +54,6 @@ import org.xml.sax.XMLReader;
 
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
-
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.net.InetSocketAddress;
@@ -73,13 +66,7 @@ import java.text.SimpleDateFormat;
 import java.time.Instant;
 import java.time.ZoneId;
 import java.time.ZonedDateTime;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Set;
-import java.util.UUID;
+import java.util.*;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -99,21 +86,23 @@ public class DefaultValidationService implements ValidationService {
     private final MessageDigestService messageDigestService;
     private final SchemaProvider schemaProvider;
     private final ApplicationConfig config;
+    private final List<String> rootCertificates;
 
-    public DefaultValidationService(final ApplicationConfig config, final MessageDigestService messageDigestService, final SchemaProvider schemaProvider) {
+    public DefaultValidationService(final ApplicationConfig config, final MessageDigestService messageDigestService,
+                                    final SchemaProvider schemaProvider, final List<String> rootCertificates) {
         this.config = config;
         this.messageDigestService = messageDigestService;
         this.schemaProvider = schemaProvider;
+        this.rootCertificates = rootCertificates;
     }
 
     @Override
     public ValidationResult validatePublicKey(final RSAKey publicKey, final KeyOperation keyOperation) {
         try {
-            validateKey(publicKey, keyOperation);
+            return validateKey(publicKey, keyOperation);
         } catch (final Exception e) {
             return ValidationResult.error(e);
         }
-        return ValidationResult.ok();
     }
 
     @Override
@@ -362,11 +351,11 @@ public class DefaultValidationService implements ValidationService {
         return returnValidationResult(SCHEMA_FACTORY_DRAFT_2020.getSchema(schema).validate(inputNode));
     }
 
-    private void validateKey(final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException, CertificateEncodingException {
+    private ValidationResult validateKey(final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException {
         if (config.getCurrentEnvironment().isAllowInsecurePublicKey()) {
-            validateWithoutCertChain(publicKey, purpose);
+            return validateWithoutCertChain(publicKey, purpose);
         } else {
-            validateCertChain(publicKey, purpose);
+            return validateCertChain(publicKey, purpose);
         }
     }
 
@@ -377,65 +366,69 @@ public class DefaultValidationService implements ValidationService {
         return ValidationResult.withErrorAndProblem(new ValidationException(errorsToSingleString(errors)), new MetadataSchemaViolation());
     }
 
-    private void validateWithX509AndProxy(final List<String> pemCerts, final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException {
-        final var proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(config.getHttpProxyHost(), config.getHttpProxyPort()));
-        LOGGER.info("Using proxy {} for key validation", proxy);
-        addLogLevel(withX5CValidation()
-                .withProxy(proxy)
-                .withRootCertificatesAsPEM(pemCerts))
-                .validate(publicKey, purpose);
-    }
-
-
-    private void validateWithX509AndWithoutProxy(final List<String> pemCerts, final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException {
-        LOGGER.info("No proxy set for validation");
-        addLogLevel(withX5CValidation()
-                .withoutProxy()
-                .withRootCertificatesAsPEM(pemCerts))
-                .validate(publicKey, purpose);
-    }
-
     private JWKValidator addLogLevel(final JWKValidatorBuilder.JWKValidatorX5CErrorHandling validator) {
-        if (validateSilent()) {
-            return validator.withoutThrowingExceptions().withErrorLogLevel(LogLevel.WARN).build();
-        } else {
-            return validator.withThrowingExceptions().withErrorLogLevel(LogLevel.ERROR).build();
-        }
+        return validator.withThrowingExceptions().withErrorLogLevel(LogLevel.ERROR).build();
     }
 
-    private void validateWithoutCertChain(final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException {
+    private ValidationResult validateWithoutCertChain(final RSAKey publicKey, final KeyOperation purpose) {
         LOGGER.info("Validating public key without XC5 certificate chain");
-        withoutX5CValidation().withErrorLogLevel(validateSilent() ? LogLevel.WARN : LogLevel.ERROR).build().validate(publicKey, purpose);
+        try {
+            withoutX5CValidation().withErrorLogLevel(config.getCurrentEnvironment().isAllowInsecurePublicKey() ?
+                    LogLevel.WARN : LogLevel.ERROR).build().validate(publicKey, purpose);
+        } catch (JWKValidationException exception) {
+            return ValidationResult.error(exception);
+        }
+        return ValidationResult.ok();
     }
 
-    private void validateCertChain(final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException, CertificateEncodingException {
+    ValidationResult validateCertChain(final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException {
         final List<X509Certificate> x509CertChain = publicKey.getParsedX509CertChain();
         if (x509CertChain == null) {
             throw new IllegalStateException("public key with id '" + publicKey.getKeyID() + "' does not contain a certificate chain");
         }
-        final List<String> pemCerts = getPemCerts(x509CertChain);
+        final List<String> trustedRootCertificates = this.loadTrustedRootCertificates();
         LOGGER.info("Validation public key with XC5 certificate chain checks");
-        if (config.isProxySet()) {
-            validateWithX509AndProxy(pemCerts, publicKey, purpose);
+        if (isProxySet()) {
+            return validateWithX509AndProxy(trustedRootCertificates, publicKey, purpose);
         } else {
-            validateWithX509AndWithoutProxy(pemCerts, publicKey, purpose);
+            return validateWithX509AndWithoutProxy(trustedRootCertificates, publicKey, purpose);
         }
     }
 
-    private List<String> getPemCerts(final List<X509Certificate> certChain) throws CertificateEncodingException {
-        final List<String> pemCerts = new ArrayList<>();
-        for (final X509Certificate cert : certChain) {
-            pemCerts.add(getEncodedString(cert));
-        }
-        return pemCerts;
+    private List<String> loadTrustedRootCertificates() {
+
+        return rootCertificates.stream()
+                .map(FileUtil::convertToX509Certificate)
+                .map(cert -> {
+                    try {
+                        return Base64.encode(cert.getEncoded()).toString();
+                    } catch (CertificateEncodingException e) {
+                        throw new RootCertificateException(e);
+                    }
+                }).collect(Collectors.toList());
     }
 
-    private String getEncodedString(final X509Certificate x509Certificate) throws CertificateEncodingException {
-        return Base64.encode(x509Certificate.getEncoded()).toString();
+    private boolean isProxySet() {
+        return config.getHttpProxyPort() != null && Strings.isNotNullOrEmpty(config.getHttpProxyHost());
     }
 
-    private boolean validateSilent() {
-        return config.getCurrentEnvironment().isAllowInsecurePublicKey();
+    private ValidationResult validateWithX509AndProxy(final List<String> trustedRootCertificates, final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException {
+        final var proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(config.getHttpProxyHost(), config.getHttpProxyPort()));
+        LOGGER.info("Using proxy {} for key validation", proxy);
+        addLogLevel(withX5CValidation()
+                .withProxy(proxy)
+                .withRootCertificatesAsPEM(trustedRootCertificates))
+                .validate(publicKey);
+        return ValidationResult.ok();
+    }
+
+    private ValidationResult validateWithX509AndWithoutProxy(final List<String> trustedRootCertificates, final RSAKey publicKey, final KeyOperation purpose) throws JWKValidationException {
+        LOGGER.info("No proxy set for validation");
+        addLogLevel(withX5CValidation()
+                .withoutProxy()
+                .withRootCertificatesAsPEM(trustedRootCertificates))
+                .validate(publicKey);
+        return ValidationResult.ok();
     }
 
     private String errorsToSingleString(final Set<ValidationMessage> errors) {