Add XML Service metadata certificate key validation

changelog.txt

@@ -2,6 +2,7 @@ eDelivery SMP 5.0
 - added new properties:
     smp.truststore.type: Truststore type as JKS/PKCS12
     smp.keystore.type: Keystore type as JKS/PKCS12
+    document.restriction.allowed.certificate.types: allowed certificate JCE key algorithms to be used in service metadata as example RSA|EC|Ed25519|Ed448;
 
 
 eDelivery SMP 4.2

pom.xml

@@ -41,7 +41,7 @@
         <ant-commons-net.version>1.6.5</ant-commons-net.version>
         <aspectj.version>1.9.9.1</aspectj.version>
         <bdmsl.api.version>4.1.1</bdmsl.api.version>
-        <bouncycastle.version>1.70</bouncycastle.version>
+        <bouncycastle.version>1.72</bouncycastle.version>
         <build.helper.maven.version>1.9.1</build.helper.maven.version>
         <commons-beanutils.version>1.9.4</commons-beanutils.version>
         <commons-collections.version>3.2.2</commons-collections.version>

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/model/DBDomain.java

@@ -70,7 +70,7 @@ public class DBDomain extends BaseEntity {
     @ColumnDescription(comment = "SMP ID used for SML integration")
     String smlSmpId;
     @Column(name = "SML_PARTC_IDENT_REGEXP", length = CommonColumnsLengths.MAX_FREE_TEXT_LENGTH)
-    @ColumnDescription(comment = "Reqular expresion for participant ids")
+    @ColumnDescription(comment = "Regular expresion for participant ids")
     String smlParticipantIdentifierRegExp;
     @Column(name = "SML_CLIENT_CERT_HEADER", length = CommonColumnsLengths.MAX_FREE_TEXT_LENGTH)
     @ColumnDescription(comment = "Client-Cert header used behind RP - ClientCertHeader for SML integration")

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java

@@ -357,6 +357,8 @@ public enum SMPPropertyEnum {
 
     CLIENT_CERT_HEADER_ENABLED_DEPRECATED("authentication.blueCoat.enabled", "false", "Property was replaced by property: smp.automation.authentication.external.tls.clientCert.enabled",
             OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, BOOLEAN),
+    DOCUMENT_RESTRICTION_CERT_TYPES("document.restriction.allowed.certificate.types", "", "Allowed certificate types registered when composing service metadata. Empty value means no restrictions, for other values see the java KeyFactory Algorithms as examples: as example RSA|EC|Ed25519|Ed448",
+            OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, LIST_STRING),
     ;
 
     String property;

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java

@@ -148,6 +148,10 @@ public class ConfigurationService {
         return configurationDAO.getCachedPropertyValue(CS_PARTICIPANTS);
     }
 
+    public List<String> getAllowedDocumentCertificateTypes() {
+        return configurationDAO.getCachedPropertyValue(DOCUMENT_RESTRICTION_CERT_TYPES);
+    }
+
     public boolean getParticipantSchemeMandatory() {
         // not mandatory by default
         Boolean value = configurationDAO.getCachedPropertyValue(PARTC_SCH_MANDATORY);

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ServiceMetadataSigner.java

@@ -48,7 +48,7 @@ public final class ServiceMetadataSigner {
 
     private static final SMPLogger LOG = SMPLoggerFactory.getLogger(ServiceMetadataSigner.class);
 
-    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+    private static final String RSA_SHA256 = org.apache.xml.security.signature.XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA256;
 
 
     @Autowired
@@ -98,8 +98,6 @@ public final class ServiceMetadataSigner {
         }
     }
 
-
-
     private KeyInfo createKeyInfo(String alias) {
         KeyInfoFactory keyInfoFactory = getDomSigFactory().getKeyInfoFactory();
         List content = new ArrayList();

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIServiceMetadataService.java

 package eu.europa.ec.edelivery.smp.services.ui;
 
+import eu.europa.ec.edelivery.security.utils.X509CertificateUtils;
 import eu.europa.ec.edelivery.smp.conversion.CaseSensitivityNormalizer;
 import eu.europa.ec.edelivery.smp.conversion.ServiceMetadataConverter;
 import eu.europa.ec.edelivery.smp.data.dao.BaseDao;
@@ -13,24 +14,30 @@ import eu.europa.ec.edelivery.smp.data.ui.enums.EntityROStatus;
 import eu.europa.ec.edelivery.smp.exceptions.SMPRuntimeException;
 import eu.europa.ec.edelivery.smp.logging.SMPLogger;
 import eu.europa.ec.edelivery.smp.logging.SMPLoggerFactory;
+import eu.europa.ec.edelivery.smp.services.ConfigurationService;
 import eu.europa.ec.smp.api.exceptions.XmlInvalidAgainstSchemaException;
 import eu.europa.ec.smp.api.validators.BdxSmpOasisValidator;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.exception.ExceptionUtils;
-import org.oasis_open.docs.bdxr.ns.smp._2016._05.DocumentIdentifier;
-import org.oasis_open.docs.bdxr.ns.smp._2016._05.ParticipantIdentifierType;
-import org.oasis_open.docs.bdxr.ns.smp._2016._05.ServiceMetadata;
+import org.oasis_open.docs.bdxr.ns.smp._2016._05.*;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
 import java.io.UnsupportedEncodingException;
 import java.nio.charset.IllegalCharsetNameException;
+import java.security.PublicKey;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
 import java.util.Optional;
 
+import static eu.europa.ec.edelivery.smp.data.ui.enums.SMPPropertyEnum.DOCUMENT_RESTRICTION_CERT_TYPES;
 import static eu.europa.ec.edelivery.smp.exceptions.ErrorCode.INVALID_REQUEST;
 
 /**
- * Serives for managing the Service metadata
+ * Services for managing the Service metadata
  */
 @Service
 public class UIServiceMetadataService extends UIServiceBase<DBServiceMetadata, ServiceMetadataRO> {
@@ -40,12 +47,20 @@ public class UIServiceMetadataService extends UIServiceBase<DBServiceMetadata, S
     protected final ServiceMetadataDao serviceMetadataDao;
     protected final UserDao userDao;
     protected final CaseSensitivityNormalizer caseSensitivityNormalizer;
+    protected final ConfigurationService configurationService;
 
-    public UIServiceMetadataService(DomainDao domainDao, ServiceMetadataDao serviceMetadataDao, UserDao userDao, CaseSensitivityNormalizer caseSensitivityNormalizer) {
+
+    public UIServiceMetadataService(DomainDao domainDao,
+                                    ServiceMetadataDao serviceMetadataDao,
+                                    UserDao userDao,
+                                    CaseSensitivityNormalizer caseSensitivityNormalizer,
+                                    ConfigurationService configurationService) {
         this.domainDao = domainDao;
         this.serviceMetadataDao = serviceMetadataDao;
         this.userDao = userDao;
         this.caseSensitivityNormalizer = caseSensitivityNormalizer;
+        this.configurationService = configurationService;
+
     }
 
     @Override
@@ -152,9 +167,72 @@ public class UIServiceMetadataService extends UIServiceBase<DBServiceMetadata, S
                     return serviceMetadataRO;
                 }
             }
+            try {
+                validateServiceMetadataCertificates(smd);
+            } catch (CertificateException e) {
+                serviceMetadataRO.setErrorMessage(ExceptionUtils.getRootCauseMessage(e));
+                return serviceMetadataRO;
+            }
 
         }
         return serviceMetadataRO;
     }
 
+    /**
+     * Method validates certificates in all endpoints.
+     *
+     * @param smd ServiceMetadata document
+     * @throws CertificateException exception if certificate is not valid or the allowed key type
+     */
+    public void validateServiceMetadataCertificates(ServiceMetadata smd) throws CertificateException {
+        List<EndpointType> endpointTypeList = searchAllEndpoints(smd);
+        for (EndpointType endpointType : endpointTypeList) {
+            validateCertificate(endpointType.getCertificate());
+        }
+    }
+
+    /**
+     * Method returns all EndpointTypes
+     *
+     * @param smd
+     * @return
+     */
+    public List<EndpointType> searchAllEndpoints(ServiceMetadata smd) {
+        List<ProcessType> processTypeList = smd.getServiceInformation() != null ?
+                smd.getServiceInformation().getProcessList().getProcesses() : Collections.emptyList();
+
+        List<EndpointType> endpointTypeList = new ArrayList<>();
+        processTypeList.stream().forEach(processType -> endpointTypeList.addAll(processType.getServiceEndpointList() != null ?
+                processType.getServiceEndpointList().getEndpoints() : Collections.emptyList()));
+
+        return endpointTypeList;
+    }
+
+    /**
+     * Validate the certificate
+     *
+     * @param crtData x509 encoded byte array
+     * @throws CertificateException
+     */
+    public void validateCertificate(byte[] crtData) throws CertificateException {
+        if (crtData == null || crtData.length == 0) {
+            LOG.debug("Skip certificate validation: Empty certificate.");
+            return;
+        }
+        X509Certificate cert = X509CertificateUtils.getX509Certificate(crtData);
+        // validate is certificate is valid
+        cert.checkValidity();
+        // validate if certificate has the right key algorithm
+        PublicKey key = cert.getPublicKey();
+        List<String> allowedKeyAlgs = configurationService.getAllowedDocumentCertificateTypes();
+        if (allowedKeyAlgs == null || allowedKeyAlgs.isEmpty()) {
+            LOG.debug("Ignore the service metadata certificate key type validation (Empty property: [{}]).", DOCUMENT_RESTRICTION_CERT_TYPES.getProperty());
+            return;
+        }
+
+        if (StringUtils.equalsAnyIgnoreCase(key.getAlgorithm(), allowedKeyAlgs.toArray(new String[]{}))) {
+            return;
+        }
+        throw new CertificateException("Certificate does not have allowed key type!");
+    }
 }

smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/services/ui/UIServiceGroupSearchServiceTest.java

@@ -7,9 +7,7 @@ import eu.europa.ec.edelivery.smp.data.ui.ServiceResult;
 import eu.europa.ec.edelivery.smp.services.AbstractServiceIntegrationTest;
 import eu.europa.ec.edelivery.smp.testutil.TestConstants;
 import eu.europa.ec.edelivery.smp.testutil.TestDBUtils;
-import org.junit.Rule;
 import org.junit.Test;
-import org.junit.rules.ExpectedException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.ContextConfiguration;
 
@@ -20,8 +18,6 @@ import static org.junit.Assert.assertNull;
 
 @ContextConfiguration(classes = {UIServiceGroupSearchService.class, UIServiceMetadataService.class})
 public class UIServiceGroupSearchServiceTest extends AbstractServiceIntegrationTest {
-    @Rule
-    public ExpectedException expectedExeption = ExpectedException.none();
 
     @Autowired
     protected UIServiceGroupSearchService testInstance;

smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/services/ui/UIServiceMetadataServiceTest.java

 package eu.europa.ec.edelivery.smp.services.ui;
 
+import eu.europa.ec.edelivery.smp.conversion.CaseSensitivityNormalizer;
+import eu.europa.ec.edelivery.smp.conversion.ServiceMetadataConverter;
+import eu.europa.ec.edelivery.smp.data.dao.DomainDao;
+import eu.europa.ec.edelivery.smp.data.dao.ServiceMetadataDao;
+import eu.europa.ec.edelivery.smp.data.dao.UserDao;
 import eu.europa.ec.edelivery.smp.data.model.DBServiceMetadata;
 import eu.europa.ec.edelivery.smp.data.ui.ServiceMetadataRO;
 import eu.europa.ec.edelivery.smp.data.ui.ServiceMetadataValidationRO;
 import eu.europa.ec.edelivery.smp.services.AbstractServiceIntegrationTest;
+import eu.europa.ec.edelivery.smp.services.ConfigurationService;
 import eu.europa.ec.edelivery.smp.testutil.TestDBUtils;
+import eu.europa.ec.edelivery.smp.testutil.XmlTestUtils;
 import org.junit.Before;
 import org.junit.Test;
+import org.mockito.Mockito;
+import org.oasis_open.docs.bdxr.ns.smp._2016._05.*;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.transaction.annotation.Transactional;
 
+import java.io.IOException;
+import java.security.cert.CertificateException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 import java.util.Optional;
 
 import static eu.europa.ec.edelivery.smp.testutil.TestConstants.*;
@@ -20,9 +34,13 @@ import static org.junit.Assert.*;
 @ContextConfiguration(classes = {UIServiceGroupSearchService.class, UIServiceMetadataService.class})
 public class UIServiceMetadataServiceTest extends AbstractServiceIntegrationTest {
 
+    private static final String RES_PATH = "/examples/services/";
+    private static final String RES_PATH_CONV = "/examples/conversion/";
+
     @Autowired
     protected UIServiceMetadataService testInstance;
 
+
     @Before
     @Transactional
     public void prepareDatabase() {
@@ -132,4 +150,70 @@ public class UIServiceMetadataServiceTest extends AbstractServiceIntegrationTest
         smv = testInstance.validateServiceMetadata(smv);
         assertEquals("SAXParseException: Content is not allowed in trailing section.",smv.getErrorMessage());
     }
+
+    @Test
+    public void testSearchAllEndpoints() throws IOException {
+        //given
+        byte[] inputDoc = XmlTestUtils.loadDocumentAsByteArray(RES_PATH + "ServiceMetadataDifferentCertificatesTypes.xml");
+        ServiceMetadata serviceMetadata = ServiceMetadataConverter.unmarshal(inputDoc);
+
+        List<EndpointType> endpointTypeList =  testInstance.searchAllEndpoints(serviceMetadata);
+        assertEquals(3, endpointTypeList.size());
+    }
+
+    @Test
+    public void testSearchAllEndpointsEmptyList() throws IOException {
+        //given
+        byte[] inputDoc = XmlTestUtils.loadDocumentAsByteArray(RES_PATH_CONV + "ServiceMetadataWithRedirect.xml");
+        ServiceMetadata serviceMetadata = ServiceMetadataConverter.unmarshal(inputDoc);
+
+        List<EndpointType> endpointTypeList =  testInstance.searchAllEndpoints(serviceMetadata);
+        assertEquals(0, endpointTypeList.size());
+    }
+
+    @Test
+    public void testValidateServiceMetadataCertificatesEmptyOK() throws IOException, CertificateException {
+        //given
+        byte[] inputDoc = XmlTestUtils.loadDocumentAsByteArray(RES_PATH + "ServiceMetadataDifferentCertificatesTypes.xml");
+        ServiceMetadata serviceMetadata = ServiceMetadataConverter.unmarshal(inputDoc);
+        // then
+        testInstance.validateServiceMetadataCertificates(serviceMetadata);
+        // no error is expected
+    }
+
+    @Test
+    public void testValidateServiceMetadataCertificatesRSAOK() throws IOException, CertificateException {
+        ConfigurationService configurationService = Mockito.mock(ConfigurationService.class);
+        UIServiceMetadataService testInstance = new UIServiceMetadataService(null, null,
+                null, null,
+                configurationService);
+
+        Mockito.doReturn(Arrays.asList("RSA","ED25519","ED448")).when(configurationService).getAllowedDocumentCertificateTypes();
+
+        //given
+        byte[] inputDoc = XmlTestUtils.loadDocumentAsByteArray(RES_PATH + "ServiceMetadataDifferentCertificatesTypes.xml");
+        ServiceMetadata serviceMetadata = ServiceMetadataConverter.unmarshal(inputDoc);
+        // then
+        testInstance.validateServiceMetadataCertificates(serviceMetadata);
+
+    }
+
+    @Test
+    public void testValidateServiceMetadataCertificatesNotAllowed() throws IOException, CertificateException {
+        ConfigurationService configurationService = Mockito.mock(ConfigurationService.class);
+        UIServiceMetadataService testInstance = new UIServiceMetadataService(null, null,
+                null, null,
+                configurationService);
+
+        Mockito.doReturn(Collections.singletonList("testKeyAlg")).when(configurationService).getAllowedDocumentCertificateTypes();
+
+        //given
+        byte[] inputDoc = XmlTestUtils.loadDocumentAsByteArray(RES_PATH + "ServiceMetadataDifferentCertificatesTypes.xml");
+        ServiceMetadata serviceMetadata = ServiceMetadataConverter.unmarshal(inputDoc);
+        // then
+        CertificateException result  = assertThrows(CertificateException.class, () -> testInstance.validateServiceMetadataCertificates(serviceMetadata));
+        // no error is expected
+        assertEquals("Certificate does not have allowed key type!", result.getMessage());
+
+    }
 }
\ No newline at end of file

smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/testutil/TestConstants.java

@@ -62,7 +62,7 @@ public class TestConstants {
     public static final String SIMPLE_EXTENSION_XML ="<Extension xmlns=\"http://docs.oasis-open.org/bdxr/ns/SMP/2016/05\"><ex:dummynode xmlns:ex=\"http://test.eu\">Sample not mandatory extension: %s</ex:dummynode></Extension>";
     //5 parameters: ParticipantScheme, ParticipantIdentifier, DocumentScheme, DocumentIdentifier, custom value
     public static final String SIMPLE_DOCUMENT_XML = "<ServiceMetadata xmlns=\"http://docs.oasis-open.org/bdxr/ns/SMP/2016/05\"><ServiceInformation><ParticipantIdentifier scheme=\"%s\">%s</ParticipantIdentifier><DocumentIdentifier scheme=\"%s\">%s</DocumentIdentifier><ProcessList><Process><ProcessIdentifier scheme=\"cenbii-procid-ubl\">urn:www.cenbii.eu:profile:bii04:ver1.0</ProcessIdentifier><ServiceEndpointList><Endpoint transportProfile=\"bdxr-transport-ebms3-as4-v1p0\"><EndpointURI>http://localhost:8080/domibus-weblogic/services/msh</EndpointURI><RequireBusinessLevelSignature>true</RequireBusinessLevelSignature><ServiceActivationDate>2003-01-01T00:00:00</ServiceActivationDate><ServiceExpirationDate>2099-05-01T00:00:00</ServiceExpirationDate>" +
-            "<Certificate>VGhpcyBpcyB0ZXN0IGNlcnRpZmljYXRlIGlzIHlvdSBiZWxpZXZlIG9yIG5vdC4=</Certificate><ServiceDescription>Sample description of %s</ServiceDescription><TechnicalContactUrl>https://example.com</TechnicalContactUrl></Endpoint></ServiceEndpointList></Process></ProcessList></ServiceInformation></ServiceMetadata>";
+            "<Certificate>MIID7jCCA1egAwIBAgICA+YwDQYJKoZIhvcNAQENBQAwOjELMAkGA1UEBhMCRlIxEzARBgNVBAoMCklIRSBFdXJvcGUxFjAUBgNVBAMMDUlIRSBFdXJvcGUgQ0EwHhcNMTYwNjAxMTQzNTUzWhcNMjYwNjAxMTQzNTUzWjCBgzELMAkGA1UEBhMCUFQxDDAKBgNVBAoMA01vSDENMAsGA1UECwwEU1BNUzENMAsGA1UEKgwESm9hbzEOMAwGA1UEBRMFQ3VuaGExHTAbBgNVBAMMFHFhZXBzb3MubWluLXNhdWRlLnB0MRkwFwYDVQQMDBBTZXJ2aWNlIFByb3ZpZGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1eN4qPSSRZqjVFG9TlcPlxf2WiSimQK9L1nf9Z/s0ezeGQjCukDeDq/Wzqd9fpHhaMMq+XSSOtyEtIr5K/As4kFrViONUUkG12J6UllSWogp0NYFwA4wIqKSFiTnQS5/nRTs05oONCCGILCyJNNeO53JzPlaq3/QbPLssuSAr6XucPE8wBBGM8b/TsB2G/zjG8yuSTgGbhaZekq/Vnf9ftj1fr/vJDDAQgH6Yvzd88Z0DACJPHfW1p4F/OWLI386Bq7g/bo1DUPAyEwlf+CkLgJWRKki3yJlOCIZ9enMA5O7rfeG3rXdgYGmWS7tNEgKXxgC+heiYvi7ZWd7M+/SUwIDAQABo4IBMzCCAS8wPgYDVR0fBDcwNTAzoDGgL4YtaHR0cHM6Ly9nYXplbGxlLmloZS5uZXQvcGtpL2NybC82NDMvY2FjcmwuY3JsMDwGCWCGSAGG+EIBBAQvFi1odHRwczovL2dhemVsbGUuaWhlLm5ldC9wa2kvY3JsLzY0My9jYWNybC5jcmwwPAYJYIZIAYb4QgEDBC8WLWh0dHBzOi8vZ2F6ZWxsZS5paGUubmV0L3BraS9jcmwvNjQzL2NhY3JsLmNybDAfBgNVHSMEGDAWgBTsMw4TyCJeouFrr0N7el3Sd3MdfjAdBgNVHQ4EFgQU1GQ/K1ykIwWFgiONzWJLQzufF/8wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBSAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQENBQADgYEAZ7t1Qkr9wz3q6+WcF6p/YX7Jr0CzVe7w58FvJFk2AsHeYkSlOyO5hxNpQbs1L1v6JrcqziNFrh2QKGT2v6iPdWtdCT8HBLjmuvVWxxnfzYjdQ0J+kdKMAEV6EtWU78OqL60CCtUZKXE/NKJUq7TTUCFP2fwiARy/t1dTD2NZo8c=</Certificate><ServiceDescription>Sample description of %s</ServiceDescription><TechnicalContactUrl>https://example.com</TechnicalContactUrl></Endpoint></ServiceEndpointList></Process></ProcessList></ServiceInformation></ServiceMetadata>";
 
     public static final String SIMPLE_REDIRECT_DOCUMENT_XML ="<ServiceMetadata xmlns=\"http://docs.oasis-open.org/bdxr/ns/SMP/2016/05\">" +
             "   <Redirect href=\"%s\">" +

smp-server-library/src/test/resources/examples/services/ServiceMetadataDifferentCertificatesTypes.xml

+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<ServiceMetadata xmlns="http://docs.oasis-open.org/bdxr/ns/SMP/2016/05">
+    <ServiceInformation>
+        <ParticipantIdentifier scheme="eHealth-participantId-qns">urn:Poland:ncpb</ParticipantIdentifier>
+        <DocumentIdentifier scheme="eHealth-resId-qns">DocId.007</DocumentIdentifier>
+        <ProcessList>
+            <Process>
+                <ProcessIdentifier scheme="ehealth-procid-qns">urn:epsosPatientService::List</ProcessIdentifier>
+                <ServiceEndpointList>
+                    <Endpoint transportProfile="urn:rsa">
+                        <EndpointURI>http://poland.pl/ncp/patient/list</EndpointURI>
+                        <RequireBusinessLevelSignature>false</RequireBusinessLevelSignature>
+                        <MinimumAuthenticationLevel>urn:epSOS:loa:1</MinimumAuthenticationLevel>
+                        <ServiceActivationDate>2016-06-06T11:06:02.000+02:00</ServiceActivationDate>
+                        <ServiceExpirationDate>2126-06-06T11:06:02+02:00</ServiceExpirationDate>
+                        <Certificate>MIIFMTCCAxmgAwIBAgICEBAwDQYJKoZIhvcNAQELBQAwgbwxCzAJBgNVBAYTAkJFMRAwDgYDVQQIDAdCZWxnaXVtMRowGAYDVQQKDBFDb25uZWN0aXZpdHkgVGVzdDEjMCEGA1UECwwaQ29ubmVjdGluZyBFdXJvcGUgRmFjaWxpdHkxJzAlBgNVBAMMHkNvbm5lY3Rpdml0eSBUZXN0IENvbXBvbmVudCBDQTExMC8GCSqGSIb3DQEJARYiQ0VGLUVERUxJVkVSWS1TVVBQT1JUQGVjLmV1cm9wYS5ldTAeFw0xNzEwMTIxMjU3NDJaFw0yODAxMTgxMjU3NDJaMIG1MQswCQYDVQQGEwJQTDEsMCoGA1UECgwjREXhup7Dn8OEw6RQTMW8w7PFgsSHTk/DhsOmw5jDuMOFw6UxeDB2BgNVBAMMb3NsYXNoL2JhY2tzbGFzaFxxdW90ZSJjb2xvbjpfcmZjMjI1M3NwZWNpYWxfYW1wZXJzYW5kJmNvbW1hLGVxdWFscz1wbHVzK2xlc3N0aGFuPGdyZWF0ZXJ0aGFuPmhhc2gjc2VtaWNvbG9uO2VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAudajaE8sHeL7qWied2Nf0dEreOLu+cDIluWBczKF7hxmRJ4VJ3y/TN/SilBN1gqBCJtsiGhsf66w5dIPJFNHj68YL5Evi5lkfLqMNRbKN08oLN6T2aIEcg+/T4OLyonNLrUMtOkpAi3swKTanOLwOqp/cu53Vgi94FfvCzCtkgkCAwEAAaOBxTCBwjAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQWBBR3wx7TpvKZzhO3cWBTSkXrcJVPfjAfBgNVHSMEGDAWgBS96Nd21/ujY1YLoaLGA7dspLBPLTAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4ICAQAoVlGu/1u1HSmPDnn1dJalBG2yfBpcmiu163FSCiF4o5PDZfSEMbIMVkw1HsA3b78uhfduP/yaGICzqqCEKBA4dYeFiFCkkuJZD/c3MeFp8h646BzwFrAOWXOEhtg+Afl5fRAJQ64zJ8igGybP4GsrHt1282waKkfE+DRWTvU81tyA98GpG/gRJY8VvCyu3Is9za2xr9RtGjXWI1cdwIkTXk6GoLjUaH6QIb9ewuYGEVNPZmV6qFqqfCU54z7lPw5G7wvE86ggIszixbpUK2IGKLNonpyKe0UFUB9uhRbcynCYbJWpVykZLQ1noRna4XMkfEvmknzA7bJd6WBX82yDXYE6omFqJ5JB6iNt/yswF7cZ2sRKwbsl6P1Z3Lhj2qYYdEt73TQwztY9ZBwpriG5E4RaZzolpTzZ3GkzLPv1kww+MFCW4H7M6M1sMpOYDq+hCw8EGzTn2QTuqtzPJr9n3tlTkKif78h1mooxHlyDjuky4Fhh3tzjblLf+e9lZh8H8XTBCHvG7nilKwhY93RipP2av6hw1l+l1vqj/1KM9DFWuWZhp3koyBw4RuyH5OPgHBBczft/XmLeuFjw+bv7Qle5ObxcLbaJzusgKgl5D1982YejA8Tnw4bbMXk0WmFiaEA39keusEjKG4JGAy1RZdJuDISR6pANGDENYsFSPw==</Certificate>
+                        <ServiceDescription>Standard RSA Certificate</ServiceDescription>
+                        <TechnicalContactUrl>http://poland.pl/contact</TechnicalContactUrl>
+                        <TechnicalInformationUrl>http://poland.pl/contact</TechnicalInformationUrl>
+                    </Endpoint>
+                </ServiceEndpointList>
+            </Process>
+            <Process>
+                <ProcessIdentifier scheme="ehealth-procid-qns">urn:epsosPatientService::with new EC cryptography</ProcessIdentifier>
+                <ServiceEndpointList>
+                    <Endpoint transportProfile="urn:Ed25519">
+                        <EndpointURI>http://poland.pl/ncp/patient/list</EndpointURI>
+                        <RequireBusinessLevelSignature>false</RequireBusinessLevelSignature>
+                        <MinimumAuthenticationLevel>urn:epSOS:loa:1</MinimumAuthenticationLevel>
+                        <ServiceActivationDate>2016-06-06T11:06:02.000+02:00</ServiceActivationDate>
+                        <ServiceExpirationDate>2126-06-06T11:06:02+02:00</ServiceExpirationDate>
+                        <Certificate>MIIBDzCBwqADAgECAgInEDAFBgMrZXAwMTESMBAGA1UEAwwJRWQyNTUxOU9VMQ4wDAYDVQQKDAVESUdJVDELMAkGA1UEBhMCRVUwHhcNMjIxMTEwMDY0MDU2WhcNMzIxMTA4MDY0MDU2WjAxMRIwEAYDVQQDDAlFZDI1NTE5T1UxDjAMBgNVBAoMBURJR0lUMQswCQYDVQQGEwJFVTAqMAUGAytlcAMhACV5KjHOUQNfSDrRH2jYaWLDRenGEwPw3LfuNTeX9MeKMAUGAytlcANBAIey/CoiU7vLRy//4n8yyQK5nNKQjZIvMrMlP+m1gjEaPat0JK7REji2+dx9IKpfPQbGNsfERQGe6rKO09mbwgQ=</Certificate>
+                        <ServiceDescription>Ed25519 Certificate</ServiceDescription>
+                        <TechnicalContactUrl>http://poland.pl/contact</TechnicalContactUrl>
+                        <TechnicalInformationUrl>http://poland.pl/contact</TechnicalInformationUrl>
+                    </Endpoint>
+                    <Endpoint transportProfile="urn:Ed448">
+                        <EndpointURI>http://poland.pl/ncp/patient/list</EndpointURI>
+                        <RequireBusinessLevelSignature>false</RequireBusinessLevelSignature>
+                        <MinimumAuthenticationLevel>urn:epSOS:loa:1</MinimumAuthenticationLevel>
+                        <ServiceActivationDate>2016-06-06T11:06:02.000+02:00</ServiceActivationDate>
+                        <ServiceExpirationDate>2126-06-06T11:06:02+02:00</ServiceExpirationDate>
+                        <Certificate>MIIBVjCB16ADAgECAgInEDAFBgMrZXEwLzEQMA4GA1UEAwwHRWQ0NDhPVTEOMAwGA1UECgwFRElHSVQxCzAJBgNVBAYTAkVVMB4XDTIyMTExMDA2NDA1NVoXDTMyMTEwODA2NDA1NVowLzEQMA4GA1UEAwwHRWQ0NDhPVTEOMAwGA1UECgwFRElHSVQxCzAJBgNVBAYTAkVVMEMwBQYDK2VxAzoAwI2wUoTacfINA2X1SFc0tGGaWuXKOAHmAqkChKvvP4uoSKUh+gr/FThAFCWwh06IozLIr7MI924AMAUGAytlcQNzAJqlqdSgE/6w4YxKFnJsbYdTkTTTVZ+uudr976NsInRNJdOo8KdUBq0JSQ5OFMYqWB0gDn2ha55kgE+531iLljpGBUezKTpW6x7S/Crx3fTtX3T0v2+785Zc0ShsuIYR0atOFldA9VJbh3osnRlAJ/E5AA==</Certificate>
+                        <ServiceDescription>Ed25519 Certificate</ServiceDescription>
+                        <TechnicalContactUrl>http://poland.pl/contact</TechnicalContactUrl>
+                        <TechnicalInformationUrl>http://poland.pl/contact</TechnicalInformationUrl>
+                    </Endpoint>
+                </ServiceEndpointList>
+            </Process>
+        </ProcessList>
+    </ServiceInformation>
+</ServiceMetadata>
\ No newline at end of file