From 3f80965236a3cc5bc2a7b97ebe780b8dbca3f60b Mon Sep 17 00:00:00 2001 From: nagendra0721 Date: Fri, 13 Dec 2024 22:35:28 +0530 Subject: [PATCH] MOSIP-36530: updated error msg and cert list (#332) -s Signed-off-by: nagendra0721 --- .../PartnerCertManagerErrorConstants.java | 6 +- .../PartnerCertManagerController.java | 4 +- .../dto/CaCertTypeListRequestDto.java | 8 +- .../dto/CaCertTypeListResponseDto.java | 6 ++ .../helper/CACertificateStoreSpec.java | 6 +- .../PartnerCertificateManagerServiceImpl.java | 78 +++++++++++++------ .../util/PartnerCertificateManagerUtil.java | 14 +++- 7 files changed, 87 insertions(+), 35 deletions(-) diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerErrorConstants.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerErrorConstants.java index 476d25b8..b6e3b1e7 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerErrorConstants.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerErrorConstants.java @@ -43,9 +43,11 @@ public enum PartnerCertManagerErrorConstants { CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED("KER-PCM-017","The CA Certificate validity is less than required minimum validity."), - INVALID_CA_CERTIFICATE_TYPE("KER-PCM-017", "Invalid Certificate Type"), + INVALID_CA_CERTIFICATE_TYPE("KER-PCM-018", "Invalid Certificate Type"), - CA_CERT_ID_NOT_FOUND("KER-PMS-017", "CA Certificate not found for the given ID."), + CA_CERT_ID_NOT_FOUND("KER-PMS-019", "CA Certificate not found for the given ID."), + + FUTURE_DATED_CERT_NOT_ALLOWED("KER-PMS-020", "Future Dated Certificate not allowed to upload."), ; /** 
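Review bot: The new FUTURE_DATED_CERT_NOT_ALLOWED constant uses the `KER-PMS-020` prefix while INVALID_CA_CERTIFICATE_TYPE directly above it is moved to `KER-PCM-018`, so the same enum now mixes the PCM and PMS namespaces (CA_CERT_ID_NOT_FOUND, `KER-PMS-019`, too). Since this change appears to exist to de-duplicate the two `017` codes, it is worth settling on one prefix before the new code ships, e.g. `FUTURE_DATED_CERT_NOT_ALLOWED("KER-PCM-020", "Future Dated Certificate not allowed to upload."),`. If the PMS prefix is deliberate for codes shared with another service, a one-line comment on the enum stating that would stop the next reviewer from "fixing" it.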
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/controller/PartnerCertManagerController.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/controller/PartnerCertManagerController.java index dd081e9b..0fd12c30 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/controller/PartnerCertManagerController.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/controller/PartnerCertManagerController.java @@ -175,7 +175,7 @@ public ResponseWrapper getPartnerSignedCer * @return {@link CaCertTypeListRequestDto} Cetificate List data */ @Operation(summary = "To Download CA Type Certificate List.", - description = "To Download CA Type Certificate List.", tags = { "cacertmanager" }) + description = "To Download CA Type Certificate List.", tags = { "partnercertmanager" }) @ApiResponses(value = { @ApiResponse(responseCode = "200", description = "Success or you may find errors in error array in response"), @ApiResponse(responseCode = "401", description = "Unauthorized", content = @Content(schema = @Schema(hidden = true))), @@ -200,7 +200,7 @@ public ResponseWrapper getCaCertificateList( * @return {@link CACertificateTrustPathResponseDto} p7b data */ @Operation(summary = "To Download p7b file for a CA / Intermediate CA certificate along with the trust chain.", - description = "To Download p7b file for a CA / Intermediate CA certificate along with the trust chain.", tags = { "cacertmanager" }) + description = "To Download p7b file for a CA / Intermediate CA certificate along with the trust chain.", tags = { "partnercertmanager" }) @ApiResponses(value = { @ApiResponse(responseCode = "200", description = "Success or you may find errors in error array in response"), @ApiResponse(responseCode = "401", description = "Unauthorized", content = @Content(schema = @Schema(hidden = true))), 
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListRequestDto.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListRequestDto.java index f738513e..09185d9f 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListRequestDto.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListRequestDto.java @@ -28,13 +28,13 @@ public class CaCertTypeListRequestDto { * Certificate Type */ @ApiModelProperty(notes = "Partner Certificate Type", required = false) - String caCertificateType; + private String caCertificateType; /** * Domain Name */ @ApiModelProperty(notes = "Domain Name", required = false) - String partnerDomain; + private String partnerDomain; @ApiModelProperty(notes = "Flag to force exclude the mosip CA Certificates", example = "false", required = false) private Boolean excludeMosipCA; @@ -49,14 +49,14 @@ public class CaCertTypeListRequestDto { */ @ApiModelProperty(notes = "Page Number", required = false) @NotNull(message = KeymanagerConstant.INVALID_REQUEST) - int pageNumber; + private int pageNumber; /** * Number of Certificate */ @ApiModelProperty(notes = "Number of Certificate", required = false) @NotNull(message = KeymanagerConstant.INVALID_REQUEST) - int pageSize; + private int pageSize; /** * CA Certificate Id diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListResponseDto.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListResponseDto.java index edb4b687..37f6506f 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListResponseDto.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CaCertTypeListResponseDto.java 
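Review bot: `@NotNull` on the primitive fields `private int pageNumber;` and `private int pageSize;` can never fire — a primitive is never null, so a request that omits them deserialises to 0 and passes validation, and the INVALID_REQUEST message on those lines is dead. Either declare them as `Integer` so the existing `@NotNull` becomes meaningful, or keep the primitives and add a range constraint such as `@Min(1)` from the validation package the file already imports so a zero page size cannot reach the repository query. What a zero pageSize does downstream is not visible in this hunk, so whether it currently errors or silently returns nothing is inferred. The class continues outside the hunk.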
@@ -49,6 +49,12 @@ public class CaCertTypeListResponseDto { @ApiModelProperty(notes = "Issued By", required = true) private String issuedBy; + /** + * Certificate Thumbprint + */ + @ApiModelProperty(notes = "Certificate Thumbprint", required = true) + private String certThumbprint; + /** * Ca Certificate Valid From */ diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/helper/CACertificateStoreSpec.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/helper/CACertificateStoreSpec.java index 4b03dd39..951e160a 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/helper/CACertificateStoreSpec.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/helper/CACertificateStoreSpec.java @@ -31,13 +31,13 @@ public static Specification filterCertificates( predicates.add(criteriaBuilder.equal(root.get("partnerDomain"), partnerDomain)); } if (certId != null) { - predicates.add(criteriaBuilder.equal(root.get("certId"), certId)); + predicates.add(criteriaBuilder.like(criteriaBuilder.lower(root.get("certId")), "%" + certId.toLowerCase() + "%")); } if (issuedTo != null) { - predicates.add(criteriaBuilder.like(root.get("certSubject"), "%" + issuedTo + "%")); + predicates.add(criteriaBuilder.like(criteriaBuilder.lower(root.get("certSubject")), "%" + issuedTo.toLowerCase() + "%")); } if (issuedBy != null) { - predicates.add(criteriaBuilder.like(root.get("certIssuer"), "%" + issuedBy + "%")); + predicates.add(criteriaBuilder.like(criteriaBuilder.lower(root.get("certIssuer")), "%" + issuedBy.toLowerCase() + "%")); } if (validFrom != null) { predicates.add(criteriaBuilder.equal(root.get("certNotBefore"), validFrom)); 
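Review bot: Changing the `certId` predicate from `equal` to a case-insensitive `like` built as `"%" + certId.toLowerCase() + "%"` turns an identifier lookup into a substring search, so a caller filtering on one certId can now receive every certificate whose id contains that fragment; the issuedTo/issuedBy lines were already substring matches but are now lower-cased as well. The value is bound as a criteria parameter, so this is not SQL injection, but `%` and `_` inside the user-supplied string are still interpreted as LIKE wildcards, which lets a request widen the filter in ways the API does not advertise. Consider keeping an exact match for the identifier, `predicates.add(criteriaBuilder.equal(criteriaBuilder.lower(root.get("certId")), certId.toLowerCase(Locale.ROOT)));`, and for the free-text fields escaping `%`/`_` before building the pattern via the `CriteriaBuilder.like(expr, pattern, escapeChar)` overload. `toLowerCase()` without a locale is also locale-sensitive; `Locale.ROOT` avoids that. filterCertificates starts outside the hunk.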
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java index f5adae49..42c25385 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java @@ -480,6 +480,16 @@ private void validateBasicPartnerCertParams(X509Certificate reqX509Cert, String PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorMessage()); */ } + boolean futureDated = PartnerCertificateManagerUtil.isFutureDatedCertificate(reqX509Cert); + if (!futureDated) { + LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, + PartnerCertManagerConstants.EMPTY, "Certificate is Future Dated."); + throw new PartnerCertManagerException( + PartnerCertManagerErrorConstants.FUTURE_DATED_CERT_NOT_ALLOWED.getErrorCode(), + PartnerCertManagerErrorConstants.FUTURE_DATED_CERT_NOT_ALLOWED.getErrorMessage() + ); + } + boolean validDates = PartnerCertificateManagerUtil.isCertificateDatesValid(reqX509Cert); if (!validDates) { LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, 
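Review bot: The new block in validateBasicPartnerCertParams logs with `PartnerCertManagerConstants.UPLOAD_CA_CERT`, while the existing check right below it (`if (!validDates)`) logs with `UPLOAD_PARTNER_CERT`; the min-validity block added in the next hunk (@@ -506) has the same label. Partner-certificate rejections tagged as CA uploads will mislead anyone correlating the logs, so both new calls should read `LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT,`. Separately, `isFutureDatedCertificate` returns false both when the certificate is future dated and when reading its notBefore throws, so `if (!futureDated)` reports a parse failure as "Certificate is Future Dated." (see the note on the util hunk). validateBasicPartnerCertParams starts and ends outside the hunk.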
@@ -506,6 +516,15 @@ private void validateBasicPartnerCertParams(X509Certificate reqX509Cert, String PartnerCertManagerErrorConstants.SELF_SIGNED_CERT_NOT_ALLOWED.getErrorCode(), PartnerCertManagerErrorConstants.SELF_SIGNED_CERT_NOT_ALLOWED.getErrorMessage()); } + + boolean minimumValidity = PartnerCertificateManagerUtil.isMinValidityCertificate(reqX509Cert, minValidity); + if (!minimumValidity) { + LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, + PartnerCertManagerConstants.EMPTY, "Certificate expire before the minimum validity."); + throw new PartnerCertManagerException( + PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorCode(), + PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorMessage()); + } } private boolean validateBasicCaCertificateParams(X509Certificate reqX509Cert, String certThumbprint, int certsCount, 
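Review bot: Applying `isMinValidityCertificate` inside validateBasicPartnerCertParams reuses CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED, whose message (first hunk of this patch) reads "The CA Certificate validity is less than required minimum validity.", so a rejected partner certificate is reported to the caller as a CA-certificate problem. Either add a partner-specific constant or make the shared message generic, e.g. `"The Certificate validity is less than the required minimum validity."`. This also newly applies the minimum-validity policy to partner uploads, which previously only had the date-validity check, so uploads that were accepted before may now be rejected and that deserves a line in the PR description. Where `minValidity` comes from in this method is not visible here (the signature is cut off), and the method starts outside the hunk.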
@@ -523,28 +542,39 @@ private boolean validateBasicCaCertificateParams(X509Certificate reqX509Cert, St foundError = true; } - boolean validDates = PartnerCertificateManagerUtil.isCertificateDatesValid(reqX509Cert); - if (!validDates) { - LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, - PartnerCertManagerConstants.EMPTY, "Certificate Dates are not valid."); - if(certsCount == 1) { - throw new PartnerCertManagerException( - PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorCode(), - PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorMessage()); - } - foundError = true; + boolean futureDated = PartnerCertificateManagerUtil.isFutureDatedCertificate(reqX509Cert); + if (!futureDated) { + LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, + PartnerCertManagerConstants.EMPTY, "Future Dated Certificate."); + if (certsCount == 1) { + throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.FUTURE_DATED_CERT_NOT_ALLOWED.getErrorCode(), + PartnerCertManagerErrorConstants.FUTURE_DATED_CERT_NOT_ALLOWED.getErrorMessage()); } + foundError = true; + } - boolean minimumValidity = PartnerCertificateManagerUtil.isMinValidityCertificate(reqX509Cert, minValidity); - if(!minimumValidity) { - LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, - PartnerCertManagerConstants.EMPTY, "Certificate expire before the minimum validity."); - if (certsCount == 1) { - throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorCode(), - PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorMessage()); - } - foundError = true; + boolean validDates = PartnerCertificateManagerUtil.isCertificateDatesValid(reqX509Cert); + if (!validDates) { + LOGGER.info(PartnerCertManagerConstants.SESSIONID, 
PartnerCertManagerConstants.UPLOAD_CA_CERT, + PartnerCertManagerConstants.EMPTY, "Certificate Dates are not valid."); + if(certsCount == 1) { + throw new PartnerCertManagerException( + PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorCode(), + PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorMessage()); + } + foundError = true; + } + + boolean minimumValidity = PartnerCertificateManagerUtil.isMinValidityCertificate(reqX509Cert, minValidity); + if(!minimumValidity) { + LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, + PartnerCertManagerConstants.EMPTY, "Certificate expire before the minimum validity."); + if (certsCount == 1) { + throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorCode(), + PartnerCertManagerErrorConstants.CERT_VALIDITY_LESS_THAN_MIN_VALIDITY_NOT_ALLOWED.getErrorMessage()); } + foundError = true; + } int certVersion = reqX509Cert.getVersion(); if (certVersion != 3) { @@ -727,13 +757,14 @@ public CACertificateTrustPathResponseDto getCACertificateTrustPath(CACertificate String partnerDomain = caCertificateStore.getPartnerDomain(); LocalDateTime timestamp = DateUtils.getUTCCurrentDateTime(); List certList = null; - if (!PartnerCertificateManagerUtil.isSelfSignedCertificate(caCertificate)){ + List chain = new ArrayList<>(); + + if (PartnerCertificateManagerUtil.isSelfSignedCertificate(caCertificate)){ + chain.add(caCertificate); + } else { certList = getCertificateTrustPath(caCertificate, partnerDomain); } - - List chain = new ArrayList<>(); - chain.add(caCertificate); if (certList != null) { chain.addAll(certList); } 
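Review bot: The re-added min-validity block uses `if(!minimumValidity) {` and `if(certsCount == 1) {` without the space after `if`, while the new future-dated block above it writes `if (certsCount == 1) {`; the whole hunk should use one form, `if (` matching the rest of the file. The validDates and minimumValidity blocks look unchanged apart from whitespace and placement, so if that is the case, inserting only the future-dated block above them would have kept this diff to the ten new lines and made the actual change reviewable. validateBasicCaCertificateParams starts and ends outside the hunk.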
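Review bot: After this change a non-self-signed certificate is no longer added to `chain` itself — only what getCertificateTrustPath returns is — whereas before the requested certificate was always the first element. If getCertificateTrustPath returns the path without the leaf (not visible here), the p7b now omits the very certificate the caller asked for; if it includes it, the old code emitted it twice and this is the fix, in which case the intent should be recorded, e.g. `// trust path already contains caCertificate; add it explicitly only for a self-signed root`. Also, if getCertificateTrustPath returns null for a non-self-signed certificate, `chain` stays empty and the method presumably goes on to build a bundle with no certificates; failing explicitly there would be safer than returning an empty p7b. getCACertificateTrustPath continues outside the hunk.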
@@ -827,6 +858,7 @@ public CaCertificateChainResponseDto getCaCertificateChain(CaCertTypeListRequest certResponseDto.setCertId(certificate.getCertId()); certResponseDto.setIssuedTo(certificate.getCertSubject()); certResponseDto.setIssuedBy(certificate.getCertIssuer()); + certResponseDto.setCertThumbprint(certificate.getCertThumbprint()); certResponseDto.setValidFromDate(certificate.getCertNotBefore()); certResponseDto.setValidTillDate(certificate.getCertNotAfter()); certResponseDto.setUploadTime(certificate.getCreatedtimes()); diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java index 1c21f3bd..f56952c2 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java @@ -81,7 +81,7 @@ public static boolean isMinValidityCertificate(X509Certificate x509Certificate, try { LocalDateTime timeStamp = DateUtils.getUTCCurrentDateTime().plusMonths(minimumValidity); LocalDateTime expiredate = x509Certificate.getNotAfter().toInstant().atZone(ZoneId.of("UTC")).toLocalDateTime(); - return !expiredate.isBefore(timeStamp); + return !expiredate.isBefore(timeStamp); } catch (Exception exp) { LOGGER.debug(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, PartnerCertManagerConstants.PCM_UTIL, "Error minimum Validity of Certificate: " + exp.getMessage()); 
@@ -89,6 +89,18 @@ public static boolean isMinValidityCertificate(X509Certificate x509Certificate, } } + public static boolean isFutureDatedCertificate(X509Certificate x509Certificate) { + try { + LocalDateTime timeStamp = DateUtils.getUTCCurrentDateTime(); + LocalDateTime createdDate = x509Certificate.getNotBefore().toInstant().atZone(ZoneId.of("UTC")).toLocalDateTime(); + return !createdDate.isAfter(timeStamp); + } catch (Exception exp) { + LOGGER.debug(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, + PartnerCertManagerConstants.PCM_UTIL, "Future Dated Certificated Not allowed to upload."); + } + return false; + } + /** * Function to format X500Principal of certificate. *
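Review bot: `isFutureDatedCertificate` returns true when the certificate is NOT future dated and false both when it is and when the notBefore handling throws, so callers must write `if (!futureDated) throw FUTURE_DATED…`, which reads backwards, and an exception becomes indistinguishable from a policy rejection. Rename the method to match its value, e.g. `public static boolean isNotBeforeDateValid(X509Certificate x509Certificate)` (adjusting the two call sites in the service), and log the failure the way the sibling isMinValidityCertificate does, `"Error checking certificate notBefore date: " + exp.getMessage()` — the current string also misspells "Certificated" and does not say that anything failed. The comparison itself can skip the zone round-trip with `return !x509Certificate.getNotBefore().toInstant().isAfter(Instant.now());`, assuming DateUtils.getUTCCurrentDateTime() is just the wall clock. A Javadoc summary matching the neighbouring methods is also missing.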