Implement configuration option to automatically trust certificate when user changes it.

c746fe9c · Joze RIHTARSIC · c46cee52 · c746fe9c · c746fe9c · c746fe9c
Commit c746fe9c authored 2 years ago by Joze RIHTARSIC
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java
@@ -48,6 +48,8 @@ public enum SMPPropertyEnum {
    KEYSTORE_FILENAME("smp.keystore.filename", "smp-keystore.jks", "Keystore filename ", true, false, false, FILENAME),
    TRUSTSTORE_PASSWORD("smp.truststore.password", "", "Encrypted truststore password ", false, true, false, STRING),
    TRUSTSTORE_FILENAME("smp.truststore.filename", "", "Truststore filename ", false, false, false, FILENAME),
+    TRUSTSTORE_ADD_CERT_ON_USER_UPDATE("smp.truststore.add.cert.onUserRegistration",
+            "false", "Automatically add certificate to truststore when assigned to user.", false, false, false, BOOLEAN),
    CERTIFICATE_CRL_FORCE("smp.certificate.crl.force", "false", "If false then if CRL is not reachable ignore CRL validation", false, false, false, BOOLEAN),
    CONFIGURATION_DIR("configuration.dir", "smp", "Path to the folder containing all the configuration files (keystore and encryption key)", true, false, true, PATH),
    ENCRYPTION_FILENAME("encryption.key.filename", "encryptionPrivateKey.private", "Key filename to encrypt passwords", false, false, true, FILENAME),

--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java
@@ -239,13 +239,18 @@ public class ConfigurationService {
        return value != null && value;
    }
    public boolean smlDisableCNCheck() {
        Boolean value = (Boolean) configurationDAO.getCachedPropertyValue(SML_TLS_DISABLE_CN_CHECK);
        // by default is not forced
        return value != null && value;
    }
+    public boolean trustCertificateOnUserRegistration() {
+        Boolean value = (Boolean) configurationDAO.getCachedPropertyValue(TRUSTSTORE_ADD_CERT_ON_USER_UPDATE);
+        // by default is not forced
+        return value != null && value;
+    }
    public File getConfigurationFolder() {
        return (File) configurationDAO.getCachedPropertyValue(CONFIGURATION_DIR);
    }

--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIUserService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIUserService.java
@@ -127,7 +127,7 @@ public class UIUserService extends UIServiceBase<DBUser, UserRO> {
        Boolean testMode = configurationService.isSMPStartupInDevMode();
        AccessTokenRO token = SecurityUtils.generateAccessToken(testMode);
        OffsetDateTime generatedTime = token.getGeneratedOn();
-        token.setExpireOn(adminUpdate ? null :generatedTime.plusDays(configurationService.getAccessTokenPolicyValidDays()));
+        token.setExpireOn(adminUpdate ? null : generatedTime.plusDays(configurationService.getAccessTokenPolicyValidDays()));
        dbUserToUpdate.setAccessTokenIdentifier(token.getIdentifier());
        dbUserToUpdate.setAccessToken(BCryptPasswordHash.hashPassword(token.getValue()));
        dbUserToUpdate.setAccessTokenGeneratedOn(generatedTime);
@@ -195,22 +195,29 @@ public class UIUserService extends UIServiceBase<DBUser, UserRO> {
        if (user.getCertificate() != null && (dbUser.getCertificate() == null
                || !StringUtils.equals(dbUser.getCertificate().getCertificateId(), user.getCertificate().getCertificateId()))) {
            CertificateRO certRo = user.getCertificate();
-            LOG.info(certRo.getEncodedValue());
-            if (user.getCertificate().getEncodedValue() != null) {
-                String certificateAlias;
-                try {
-                    X509Certificate x509Certificate = X509CertificateUtils.getX509Certificate(Base64.getMimeDecoder().decode(certRo.getEncodedValue()));
-                    certificateAlias = truststoreService.addCertificate(certRo.getAlias(), x509Certificate);
-                } catch (NoSuchAlgorithmException | KeyStoreException | IOException | CertificateException e) {
-                    LOG.error("Error occurred while adding certificate to truststore.", e);
-                    throw new SMPRuntimeException(ErrorCode.INTERNAL_ERROR, "AddUserCertificate", ExceptionUtils.getRootCauseMessage(e));
-                }
-                certRo.setAlias(certificateAlias);
-            }
-            // first
            DBCertificate certificate = conversionService.convert(user.getCertificate(), DBCertificate.class);
            dbUser.setCertificate(certificate);
+            if (user.getCertificate().getEncodedValue() == null) {
+                LOG.debug("User has certificate data without certificate bytearray. ");
+                return;
+            }
+            if (!configurationService.trustCertificateOnUserRegistration()) {
+                LOG.debug("User certificate is not automatically trusted! Certificate is not added to truststore!");
+                return;
+            }
+            String certificateAlias;
+            try {
+                X509Certificate x509Certificate = X509CertificateUtils.getX509Certificate(Base64.getMimeDecoder().decode(certRo.getEncodedValue()));
+                certificateAlias = truststoreService.addCertificate(certRo.getAlias(), x509Certificate);
+                LOG.debug("User certificate is added to truststore!");
+            } catch (NoSuchAlgorithmException | KeyStoreException | IOException | CertificateException e) {
+                LOG.error("Error occurred while adding certificate to truststore.", e);
+                throw new SMPRuntimeException(ErrorCode.INTERNAL_ERROR, "AddUserCertificate", ExceptionUtils.getRootCauseMessage(e));
+            }
+            certRo.setAlias(certificateAlias);
        }
    }