diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java
index f9df10dafe9ce74c11e173f28f1ff1af371efd1b..909cb67bc4af7fa74114d179aa891c05eac2627b 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java
@@ -48,6 +48,8 @@ public enum SMPPropertyEnum {
KEYSTORE_FILENAME("smp.keystore.filename", "smp-keystore.jks", "Keystore filename ", true, false, false, FILENAME),
TRUSTSTORE_PASSWORD("smp.truststore.password", "", "Encrypted truststore password ", false, true, false, STRING),
TRUSTSTORE_FILENAME("smp.truststore.filename", "", "Truststore filename ", false, false, false, FILENAME),
+ TRUSTSTORE_ADD_CERT_ON_USER_UPDATE("smp.truststore.add.cert.onUserRegistration",
+ "false", "Automatically add certificate to truststore when assigned to user.", false, false, false, BOOLEAN),
CERTIFICATE_CRL_FORCE("smp.certificate.crl.force", "false", "If false then if CRL is not reachable ignore CRL validation", false, false, false, BOOLEAN),
CONFIGURATION_DIR("configuration.dir", "smp", "Path to the folder containing all the configuration files (keystore and encryption key)", true, false, true, PATH),
ENCRYPTION_FILENAME("encryption.key.filename", "encryptionPrivateKey.private", "Key filename to encrypt passwords", false, false, true, FILENAME),
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java
index 88e24641d7a75165e9d5db0643e9667450eeaf27..834d0f61982cd4875275669c36eb915327925156 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java
@@ -239,13 +239,18 @@ public class ConfigurationService {
return value != null && value;
}
-
public boolean smlDisableCNCheck() {
Boolean value = (Boolean) configurationDAO.getCachedPropertyValue(SML_TLS_DISABLE_CN_CHECK);
// by default is not forced
return value != null && value;
}
+ public boolean trustCertificateOnUserRegistration() {
+ Boolean value = (Boolean) configurationDAO.getCachedPropertyValue(TRUSTSTORE_ADD_CERT_ON_USER_UPDATE);
+ // by default is not forced
+ return value != null && value;
+ }
+
public File getConfigurationFolder() {
return (File) configurationDAO.getCachedPropertyValue(CONFIGURATION_DIR);
}
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIUserService.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIUserService.java
index 49a48b1c2cb1fa6b7012ceda9b973c8156b4e9bd..07fe28485237288e51af9efa66b36f6a68af34b7 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIUserService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIUserService.java
@@ -127,7 +127,7 @@ public class UIUserService extends UIServiceBase<DBUser, UserRO> {
Boolean testMode = configurationService.isSMPStartupInDevMode();
AccessTokenRO token = SecurityUtils.generateAccessToken(testMode);
OffsetDateTime generatedTime = token.getGeneratedOn();
- token.setExpireOn(adminUpdate ? null :generatedTime.plusDays(configurationService.getAccessTokenPolicyValidDays()));
+ token.setExpireOn(adminUpdate ? null : generatedTime.plusDays(configurationService.getAccessTokenPolicyValidDays()));
dbUserToUpdate.setAccessTokenIdentifier(token.getIdentifier());
dbUserToUpdate.setAccessToken(BCryptPasswordHash.hashPassword(token.getValue()));
dbUserToUpdate.setAccessTokenGeneratedOn(generatedTime);
@@ -195,22 +195,29 @@ public class UIUserService extends UIServiceBase<DBUser, UserRO> {
if (user.getCertificate() != null && (dbUser.getCertificate() == null
|| !StringUtils.equals(dbUser.getCertificate().getCertificateId(), user.getCertificate().getCertificateId()))) {
CertificateRO certRo = user.getCertificate();
- LOG.info(certRo.getEncodedValue());
- if (user.getCertificate().getEncodedValue() != null) {
-
- String certificateAlias;
- try {
- X509Certificate x509Certificate = X509CertificateUtils.getX509Certificate(Base64.getMimeDecoder().decode(certRo.getEncodedValue()));
- certificateAlias = truststoreService.addCertificate(certRo.getAlias(), x509Certificate);
- } catch (NoSuchAlgorithmException | KeyStoreException | IOException | CertificateException e) {
- LOG.error("Error occurred while adding certificate to truststore.", e);
- throw new SMPRuntimeException(ErrorCode.INTERNAL_ERROR, "AddUserCertificate", ExceptionUtils.getRootCauseMessage(e));
- }
- certRo.setAlias(certificateAlias);
- }
- // first
DBCertificate certificate = conversionService.convert(user.getCertificate(), DBCertificate.class);
dbUser.setCertificate(certificate);
+
+ if (user.getCertificate().getEncodedValue() == null) {
+ LOG.debug("User has certificate data without certificate bytearray. ");
+ return;
+ }
+
+ if (!configurationService.trustCertificateOnUserRegistration()) {
+ LOG.debug("User certificate is not automatically trusted! Certificate is not added to truststore!");
+ return;
+ }
+
+ String certificateAlias;
+ try {
+ X509Certificate x509Certificate = X509CertificateUtils.getX509Certificate(Base64.getMimeDecoder().decode(certRo.getEncodedValue()));
+ certificateAlias = truststoreService.addCertificate(certRo.getAlias(), x509Certificate);
+ LOG.debug("User certificate is added to truststore!");
+ } catch (NoSuchAlgorithmException | KeyStoreException | IOException | CertificateException e) {
+ LOG.error("Error occurred while adding certificate to truststore.", e);
+ throw new SMPRuntimeException(ErrorCode.INTERNAL_ERROR, "AddUserCertificate", ExceptionUtils.getRootCauseMessage(e));
+ }
+ certRo.setAlias(certificateAlias);
}
}