From 3f932f86528cff1c001c92f21f7057eff7cb38a7 Mon Sep 17 00:00:00 2001
From: RIHTARSIC Joze <joze.rihtarsic@ext.ec.europa.eu>
Date: Thu, 1 Jun 2023 20:04:21 +0200
Subject: [PATCH] Fix TLS authetication validation when truststore is empty

---
 .../ec/edelivery/smp/services/CredentialService.java   |  2 +-
 .../edelivery/smp/services/ui/UITruststoreService.java | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/CredentialService.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/CredentialService.java
index 9edf83db6..b17526a1c 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/CredentialService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/CredentialService.java
@@ -216,7 +216,7 @@ public class CredentialService {
             try {
                 truststoreService.validateCertificateWithTruststore(x509Certificate);
             } catch (CertificateException e) {
-                String message = "Certificate is not trusted!";
+                String message = "Certificate is not trusted! Error: " + ExceptionUtils.getRootCauseMessage(e);
                 LOG.securityWarn(SMPMessageCode.SEC_USER_CERT_INVALID, certificateIdentifier, message
                         + " The cert chain is not in truststore or either subject regexp or allowed cert policies does not match");
                 throw new BadCredentialsException(message);
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java
index 9c64132b3..3e9b33144 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java
@@ -208,6 +208,7 @@ public class UITruststoreService extends BasicKeystoreService {
     public void validateCertificate(X509Certificate cert, CertificateRO cro) {
         validateCertificate(cert, cro, true);
     }
+
     public void validateCertificate(X509Certificate cert, CertificateRO cro, boolean validateDuplicate) {
         // first expect the worst
         cro.setInvalid(true);
@@ -253,6 +254,15 @@ public class UITruststoreService extends BasicKeystoreService {
             return;
         }
 
+        try {
+            if (truststore.size() == 0) {
+                LOG.warn("Truststore is empty! Skip trust validation against the truststore!");
+                return;
+            }
+        } catch (KeyStoreException e) {
+            throw new CertificateException("Error occurred when reading the truststore!", e);
+        }
+
         Pattern subjectRegExp = configurationService.getCertificateSubjectRegularExpression();
         List<String> allowedCertificatePolicies = configurationService.getAllowedCertificatePolicies();
         CertificateValidator certificateValidator = new CertificateValidator(
-- 
GitLab