Add Validation of TrustAnchor OR Upload and CSCA Certificate

WorldHealthOrganization · Mar 8, 2022 · 1a38da3 · 1a38da3
1 parent 2e33053
commit 1a38da3
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayConnectorUtils.java b/src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayConnectorUtils.java
@@ -199,6 +199,10 @@ boolean checkTrustAnchorSignature(TrustedIssuerDto trustedIssuer, List<X509Certi
         return trustAnchors.stream().anyMatch(trustAnchor -> parser.getSigningCertificate().equals(trustAnchor));
     }
 
+    boolean checkTrustAnchorSignature(TrustedCertificateTrustListDto trustedCertificate) {
+        return checkTrustAnchorSignature(trustedCertificateMapper.mapToTrustList(trustedCertificate), trustAnchors);
+    }
+
     X509CertificateHolder getCertificateFromTrustListItem(TrustListItem trustListItem) {
         byte[] decodedBytes = Base64.getDecoder().decode(trustListItem.getRawData());
 

diff --git a/src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayDownloadConnector.java b/src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayDownloadConnector.java
@@ -257,7 +257,7 @@ private synchronized void updateIfRequired() {
 
                 if (properties.isEnableDdccSupport()) {
                     // Fetching TrustedCertificates
-                    fetchTrustedCertificatesAndVerifyByCscaAndUpload();
+                    fetchTrustedCertificatesAndVerifyByTrustAnchorOrCscaAndUpload();
 
                     // Fetching TrustedIssuers
                     trustedIssuers = connectorUtils.fetchTrustedIssuersAndVerifyByTrustAnchor(queryParameterMap);
@@ -325,7 +325,7 @@ private void fetchTrustListAndVerifyByCscaAndUpload() throws DgcGatewayConnector
         log.info("Put {} trusted certificates into TrustList", trustedCertificates.size());
     }
 
-    private void fetchTrustedCertificatesAndVerifyByCscaAndUpload() throws
+    private void fetchTrustedCertificatesAndVerifyByTrustAnchorOrCscaAndUpload() throws
         DgcGatewayConnectorUtils.DgcGatewayConnectorException {
         if (!properties.isEnableDdccSupport()) {
             log.info("DDCC Support is disabled, Skipping TrustedCertificate Download.");
@@ -351,8 +351,8 @@ private void fetchTrustedCertificatesAndVerifyByCscaAndUpload() throws
         }
 
         ddccTrustedCertificates = responseEntity.getBody().stream()
-            .filter(this::checkCscaCertificate)
-            .filter(this::checkUploadCertificate)
+            .filter(cert -> (connectorUtils.checkTrustAnchorSignature(cert)
+                || (checkCscaCertificate(cert) && checkUploadCertificate(cert))))
             .map(trustedCertificateMapper::map)
             .collect(Collectors.toList());