MOSIP-36530: updated error msg and cert list (#332)

-s Signed-off-by: nagendra0721 <[email protected]>
mosip · Dec 13, 2024 · 3f80965 · 3f80965
1 parent 31b066a
commit 3f80965
Show file tree

Hide file tree

Showing 7 changed files with 87 additions and 35 deletions.
diff --git a/...in/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerErrorConstants.java b/...in/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerErrorConstants.java
@@ -43,9 +43,11 @@ public enum PartnerCertManagerErrorConstants {
 
 	CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED("KER-PCM-017","The CA Certificate validity is less than required minimum validity."),
 
-	INVALID_CA_CERTIFICATE_TYPE("KER-PCM-017", "Invalid Certificate Type"),
+	INVALID_CA_CERTIFICATE_TYPE("KER-PCM-018", "Invalid Certificate Type"),
 
-	CA_CERT_ID_NOT_FOUND("KER-PMS-017", "CA Certificate not found for the given ID."),
+	CA_CERT_ID_NOT_FOUND("KER-PMS-019", "CA Certificate not found for the given ID."),
+
+	FUTURE_DATED_CERT_NOT_ALLOWED("KER-PMS-020", "Future Dated Certificate not allowed to upload."),
     ;
 
 	/**

diff --git a/...main/java/io/mosip/kernel/partnercertservice/controller/PartnerCertManagerController.java b/...main/java/io/mosip/kernel/partnercertservice/controller/PartnerCertManagerController.java
@@ -175,7 +175,7 @@ public ResponseWrapper<PartnerSignedCertDownloadResponseDto> getPartnerSignedCer
 	 * @return {@link CaCertTypeListRequestDto} Cetificate List data
 	 */
 	@Operation(summary = "To Download CA Type Certificate List.",
-			description = "To Download CA Type Certificate List.", tags = { "cacertmanager" })
+			description = "To Download CA Type Certificate List.", tags = { "partnercertmanager" })
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "Success or you may find errors in error array in response"),
 			@ApiResponse(responseCode = "401", description = "Unauthorized", content = @Content(schema = @Schema(hidden = true))),
@@ -200,7 +200,7 @@ public ResponseWrapper<CaCertificateChainResponseDto> getCaCertificateList(
 	 * @return {@link CACertificateTrustPathResponseDto} p7b data
 	 */
 	@Operation(summary = "To Download p7b file for a CA / Intermediate CA certificate along with the trust chain.",
-			description = "To Download p7b file for a CA / Intermediate CA certificate along with the trust chain.", tags = { "cacertmanager" })
+			description = "To Download p7b file for a CA / Intermediate CA certificate along with the trust chain.", tags = { "partnercertmanager" })
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "Success or you may find errors in error array in response"),
 			@ApiResponse(responseCode = "401", description = "Unauthorized", content = @Content(schema = @Schema(hidden = true))),

diff --git a/...ervice/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListRequestDto.java b/...ervice/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListRequestDto.java
@@ -28,13 +28,13 @@ public class CaCertTypeListRequestDto {
      * Certificate Type
      */
     @ApiModelProperty(notes = "Partner Certificate Type", required = false)
-    String caCertificateType;
+    private String caCertificateType;
 
     /**
      * Domain Name
      */
     @ApiModelProperty(notes = "Domain Name", required = false)
-    String partnerDomain;
+    private String partnerDomain;
 
     @ApiModelProperty(notes = "Flag to force exclude the mosip CA Certificates", example = "false", required = false)
     private Boolean excludeMosipCA;
@@ -49,14 +49,14 @@ public class CaCertTypeListRequestDto {
      */
     @ApiModelProperty(notes = "Page Number", required = false)
     @NotNull(message = KeymanagerConstant.INVALID_REQUEST)
-    int pageNumber;
+    private int pageNumber;
 
     /**
      * Number of Certificate
      */
     @ApiModelProperty(notes = "Number of Certificate", required = false)
     @NotNull(message = KeymanagerConstant.INVALID_REQUEST)
-    int pageSize;
+    private int pageSize;
 
     /**
      * CA Certificate Id

diff --git a/...rvice/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListResponseDto.java b/...rvice/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListResponseDto.java
@@ -49,6 +49,12 @@ public class CaCertTypeListResponseDto {
     @ApiModelProperty(notes = "Issued By", required = true)
     private String issuedBy;
 
+    /**
+     * Certificate Thumbprint
+     */
+    @ApiModelProperty(notes = "Certificate Thumbprint", required = true)
+    private String certThumbprint;
+
     /**
      * Ca Certificate Valid From
      */

diff --git a/...rvice/src/main/java/io/mosip/kernel/partnercertservice/helper/CACertificateStoreSpec.java b/...rvice/src/main/java/io/mosip/kernel/partnercertservice/helper/CACertificateStoreSpec.java
@@ -31,13 +31,13 @@ public static Specification<CACertificateStore> filterCertificates(
                 predicates.add(criteriaBuilder.equal(root.get("partnerDomain"), partnerDomain));
             }
             if (certId != null) {
-                predicates.add(criteriaBuilder.equal(root.get("certId"), certId));
+                predicates.add(criteriaBuilder.like(criteriaBuilder.lower(root.get("certId")), "%" + certId.toLowerCase() + "%"));
             }
             if (issuedTo != null) {
-                predicates.add(criteriaBuilder.like(root.get("certSubject"), "%" + issuedTo + "%"));
+                predicates.add(criteriaBuilder.like(criteriaBuilder.lower(root.get("certSubject")), "%" + issuedTo.toLowerCase() + "%"));
             }
             if (issuedBy != null) {
-                predicates.add(criteriaBuilder.like(root.get("certIssuer"), "%" + issuedBy + "%"));
+                predicates.add(criteriaBuilder.like(criteriaBuilder.lower(root.get("certIssuer")), "%" + issuedBy.toLowerCase() + "%"));
             }
             if (validFrom != null) {
                 predicates.add(criteriaBuilder.equal(root.get("certNotBefore"), validFrom));

diff --git a/...io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java b/...io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java
@@ -480,6 +480,16 @@ private void validateBasicPartnerCertParams(X509Certificate reqX509Cert, String
                     PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorMessage()); */
         }
 
+        boolean futureDated = PartnerCertificateManagerUtil.isFutureDatedCertificate(reqX509Cert);
+        if (!futureDated) {
+            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
+                    PartnerCertManagerConstants.EMPTY, "Certificate is Future Dated.");
+            throw new PartnerCertManagerException(
+                    PartnerCertManagerErrorConstants.FUTURE_DATED_CERT_NOT_ALLOWED.getErrorCode(),
+                    PartnerCertManagerErrorConstants.FUTURE_DATED_CERT_NOT_ALLOWED.getErrorMessage()
+            );
+        }
+
         boolean validDates = PartnerCertificateManagerUtil.isCertificateDatesValid(reqX509Cert);
         if (!validDates) {
             LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT,
@@ -506,6 +516,15 @@ private void validateBasicPartnerCertParams(X509Certificate reqX509Cert, String
                         PartnerCertManagerErrorConstants.SELF_SIGNED_CERT_NOT_ALLOWED.getErrorCode(),
                         PartnerCertManagerErrorConstants.SELF_SIGNED_CERT_NOT_ALLOWED.getErrorMessage());
         }
+
+        boolean minimumValidity = PartnerCertificateManagerUtil.isMinValidityCertificate(reqX509Cert, minValidity);
+        if (!minimumValidity) {
+            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
+                    PartnerCertManagerConstants.EMPTY, "Certificate expire before the minimum validity.");
+            throw new PartnerCertManagerException(
+                    PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorCode(),
+                    PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorMessage());
+        }
     }
 
     private boolean validateBasicCaCertificateParams(X509Certificate reqX509Cert, String certThumbprint, int certsCount,
@@ -523,28 +542,39 @@ private boolean validateBasicCaCertificateParams(X509Certificate reqX509Cert, St
                 foundError = true;
             }
 
-            boolean validDates = PartnerCertificateManagerUtil.isCertificateDatesValid(reqX509Cert);
-            if (!validDates) {
-                LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
-                        PartnerCertManagerConstants.EMPTY, "Certificate Dates are not valid.");
-                if(certsCount == 1) {
-                    throw new PartnerCertManagerException(
-                            PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorCode(),
-                            PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorMessage());
-                }
-                foundError = true;
+        boolean futureDated = PartnerCertificateManagerUtil.isFutureDatedCertificate(reqX509Cert);
+        if (!futureDated) {
+            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
+                    PartnerCertManagerConstants.EMPTY, "Future Dated Certificate.");
+            if (certsCount == 1) {
+                throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.FUTURE_DATED_CERT_NOT_ALLOWED.getErrorCode(),
+                        PartnerCertManagerErrorConstants.FUTURE_DATED_CERT_NOT_ALLOWED.getErrorMessage());
             }
+            foundError = true;
+        }
 
-            boolean minimumValidity = PartnerCertificateManagerUtil.isMinValidityCertificate(reqX509Cert, minValidity);
-            if(!minimumValidity) {
-                LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
-                        PartnerCertManagerConstants.EMPTY, "Certificate expire before the minimum validity.");
-                if (certsCount == 1) {
-                    throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorCode(),
-                            PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorMessage());
-                }
-                foundError = true;
+        boolean validDates = PartnerCertificateManagerUtil.isCertificateDatesValid(reqX509Cert);
+        if (!validDates) {
+            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
+                    PartnerCertManagerConstants.EMPTY, "Certificate Dates are not valid.");
+            if(certsCount == 1) {
+                throw new PartnerCertManagerException(
+                        PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorCode(),
+                        PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorMessage());
+            }
+            foundError = true;
+        }
+
+        boolean minimumValidity = PartnerCertificateManagerUtil.isMinValidityCertificate(reqX509Cert, minValidity);
+        if(!minimumValidity) {
+            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
+                    PartnerCertManagerConstants.EMPTY, "Certificate expire before the minimum validity.");
+            if (certsCount == 1) {
+                throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorCode(),
+                        PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorMessage());
             }
+            foundError = true;
+        }
 
         int certVersion = reqX509Cert.getVersion();
         if (certVersion != 3) {
@@ -727,13 +757,14 @@ public CACertificateTrustPathResponseDto getCACertificateTrustPath(CACertificate
         String partnerDomain = caCertificateStore.getPartnerDomain();
         LocalDateTime timestamp = DateUtils.getUTCCurrentDateTime();
         List<? extends Certificate> certList = null;
-        if (!PartnerCertificateManagerUtil.isSelfSignedCertificate(caCertificate)){
+        List<Certificate> chain = new ArrayList<>();
+
+        if (PartnerCertificateManagerUtil.isSelfSignedCertificate(caCertificate)){
+            chain.add(caCertificate);
+        } else {
             certList = getCertificateTrustPath(caCertificate, partnerDomain);
         }
 
-
-        List<Certificate> chain = new ArrayList<>();
-        chain.add(caCertificate);
         if (certList != null) {
             chain.addAll(certList);
         }
@@ -827,6 +858,7 @@ public CaCertificateChainResponseDto getCaCertificateChain(CaCertTypeListRequest
                     certResponseDto.setCertId(certificate.getCertId());
                     certResponseDto.setIssuedTo(certificate.getCertSubject());
                     certResponseDto.setIssuedBy(certificate.getCertIssuer());
+                    certResponseDto.setCertThumbprint(certificate.getCertThumbprint());
                     certResponseDto.setValidFromDate(certificate.getCertNotBefore());
                     certResponseDto.setValidTillDate(certificate.getCertNotAfter());
                     certResponseDto.setUploadTime(certificate.getCreatedtimes());

diff --git a/.../src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java b/.../src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java
@@ -81,14 +81,26 @@ public static boolean isMinValidityCertificate(X509Certificate x509Certificate,
         try {
             LocalDateTime timeStamp = DateUtils.getUTCCurrentDateTime().plusMonths(minimumValidity);
             LocalDateTime expiredate = x509Certificate.getNotAfter().toInstant().atZone(ZoneId.of("UTC")).toLocalDateTime();
-            return  !expiredate.isBefore(timeStamp);
+            return !expiredate.isBefore(timeStamp);
         } catch (Exception exp) {
             LOGGER.debug(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
                     PartnerCertManagerConstants.PCM_UTIL, "Error minimum Validity of Certificate: " + exp.getMessage());
             return false;
         }
     }
 
+    public static boolean isFutureDatedCertificate(X509Certificate x509Certificate) {
+        try {
+            LocalDateTime timeStamp = DateUtils.getUTCCurrentDateTime();
+            LocalDateTime createdDate = x509Certificate.getNotBefore().toInstant().atZone(ZoneId.of("UTC")).toLocalDateTime();
+            return !createdDate.isAfter(timeStamp);
+        } catch (Exception exp) {
+            LOGGER.debug(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
+                    PartnerCertManagerConstants.PCM_UTIL, "Future Dated Certificated Not allowed to upload.");
+        }
+        return false;
+    }
+
     /**
      * Function to format X500Principal of certificate.
      *