MOSIP-40926: building chain for partner certificate for 1.1.5.5 branch (#367)

* MOSIP-40926: building chain for partner certificate for 1.1.5.5 branch

Signed-off-by: nagendra0721 <nagendra0718@gmail.com>

* MOSIP-40926: upload certificate bug fix in 1.1.5.5 branch

Signed-off-by: nagendra0721 <nagendra0718@gmail.com>

* MOSIP-40926: update the roles

Signed-off-by: nagendra0721 <nagendra0718@gmail.com>

---------

Signed-off-by: nagendra0721 <nagendra0718@gmail.com>

Author: nagendra0721

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/constant/PartnerCertManagerConstants.java

@@ -76,4 +76,9 @@ public interface PartnerCertManagerConstants {
 	String HASH_SHA2 = "SHA2";
 
 	int YEAR_DAYS = 365;
+
+	String FTM_PARTNER_DOMAIN = "FTM";
+
+	String ROOT_APP_ID = "ROOT";
+
 }

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/controller/PartnerCertManagerController.java

@@ -3,6 +3,7 @@
 import javax.validation.Valid;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -50,8 +51,7 @@ public class PartnerCertManagerController {
 	 * @param caCertRequestDto {@link CACertificateRequestDto} request
 	 * @return {@link CACertficateResponseDto} Upload Success
 	 */
-		// @PreAuthorize("hasAnyRole('ZONAL_ADMIN','GLOBAL_ADMIN','INDIVIDUAL',
-		// 'PMS_ADMIN')")
+	@PreAuthorize("hasAnyRole('ZONAL_ADMIN','GLOBAL_ADMIN','INDIVIDUAL','PMS_ADMIN','PARTNER_ADMIN','POLICYMANAGER')")
 	@ResponseFilter
 	@PostMapping(value = "/uploadCACertificate", produces = "application/json")
 	public ResponseWrapper<CACertificateResponseDto> uploadCACertificate(
@@ -68,8 +68,7 @@ public ResponseWrapper<CACertificateResponseDto> uploadCACertificate(
 	 * @param partnerCertRequestDto {@link PartnerCertificateRequestDto} request
 	 * @return {@link PartnerCertificateResponseDto} signed certificate response
 	 */
-	// @PreAuthorize("hasAnyRole('ZONAL_ADMIN','GLOBAL_ADMIN','INDIVIDUAL',
-	// 'ID_AUTHENTICATION', 'PMS_USER')")
+	@PreAuthorize("hasAnyRole('ZONAL_ADMIN','GLOBAL_ADMIN','INDIVIDUAL','ID_AUTHENTICATION','PMS_USER','PMS_ADMIN','PARTNER_ADMIN','POLICYMANAGER')")
 	@ResponseFilter
 	@PostMapping(value = "/uploadPartnerCertificate", produces = "application/json")
 	public ResponseWrapper<PartnerCertificateResponseDto> uploadPartnerCertificate(
@@ -80,14 +79,30 @@ public ResponseWrapper<PartnerCertificateResponseDto> uploadPartnerCertificate(
 		return response;
 	}
 
+	/**
+	 * To Upload Partner Certificate.
+	 * 
+	 * @param partnerCertRequestDto {@link PartnerCertificateRequestDto} request
+	 * @return {@link PartnerCertificateResponseDto} signed certificate response
+	 */
+	@PreAuthorize("hasAnyRole('ZONAL_ADMIN','GLOBAL_ADMIN','INDIVIDUAL','ID_AUTHENTICATION','PMS_USER','PMS_ADMIN','PARTNER_ADMIN','POLICYMANAGER')")
+	@ResponseFilter
+	@PostMapping(value = "/v2/uploadPartnerCertificate", produces = "application/json")
+	public ResponseWrapper<PartnerCertificateResponseDto> uploadPartnerCertificateV2(
+			@ApiParam("Upload Partner Certificates.") @RequestBody @Valid RequestWrapper<PartnerCertificateRequestDto> partnerCertRequestDto) {
+
+		ResponseWrapper<PartnerCertificateResponseDto> response = new ResponseWrapper<>();
+		response.setResponse(partnerCertManagerService.uploadPartnerCertificateV2(partnerCertRequestDto.getRequest()));
+		return response;
+	}
+
     /**
 	 * To Download Partner Certificate.
 	 * 
 	 * @param certDownloadRequestDto {@link PartnerCertDownloadRequestDto} request
 	 * @return {@link PartnerCertDownloadResponeDto} encrypted Data
 	 */
-	// @PreAuthorize("hasAnyRole('ZONAL_ADMIN','GLOBAL_ADMIN','INDIVIDUAL',
-	// 'ID_AUTHENTICATION', 'PMS_USER')")
+	@PreAuthorize("hasAnyRole('ZONAL_ADMIN','GLOBAL_ADMIN','INDIVIDUAL','ID_AUTHENTICATION','PMS_USER','PMS_ADMIN','PARTNER_ADMIN','POLICYMANAGER')")
 	@ResponseFilter
 	@GetMapping(value = "/getPartnerCertificate/{partnerCertId}")
 	public ResponseWrapper<PartnerCertDownloadResponeDto> getPartnerCertificate(
@@ -105,8 +120,7 @@ public ResponseWrapper<PartnerCertDownloadResponeDto> getPartnerCertificate(
 	 * @param certificateTrustRequestDto {@CertificateTrustRequestDto CertificateTrustDto} request
 	 * @return {@link CertificateTrustResponeDto} certificate verify response
 	 */
-	// @PreAuthorize("hasAnyRole('ZONAL_ADMIN','GLOBAL_ADMIN','INDIVIDUAL',
-	// 'ID_AUTHENTICATION', 'PMS_USER')")
+	@PreAuthorize("hasAnyRole('ZONAL_ADMIN','GLOBAL_ADMIN','INDIVIDUAL','ID_AUTHENTICATION','PMS_USER','PMS_ADMIN','PARTNER_ADMIN','POLICYMANAGER')")
 	@ResponseFilter
 	@PostMapping(value = "/verifyCertificateTrust", produces = "application/json")
 	public ResponseWrapper<CertificateTrustResponeDto> verifyCertificateTrust(

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/helper/PartnerCertManagerDBHelper.java

@@ -3,6 +3,7 @@
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.time.LocalDateTime;
+import java.time.ZoneId;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -115,16 +116,24 @@ public Map<String, Set<?>> getTrustAnchors(String partnerDomain) {
         return hashMap;
     }
 
-
     public String getIssuerCertId(String certIssuerDn) {
         LocalDateTime currentDateTime = DateUtils.getUTCCurrentDateTime();
+
         List<CACertificateStore> certificates = caCertificateStoreRepository.findByCertSubject(certIssuerDn)
                         .stream().filter(cert -> PartnerCertificateManagerUtil.isValidTimestamp(currentDateTime, cert))
                         .collect(Collectors.toList());
 
+        if (certificates.size() == 0) {
+            LocalDateTime curDateTime = LocalDateTime.now(ZoneId.systemDefault());
+            certificates = caCertificateStoreRepository.findByCertSubject(certIssuerDn)
+                    .stream().filter(cert -> PartnerCertificateManagerUtil.isValidTimestamp(curDateTime, cert))
+                    .collect(Collectors.toList());
+        }
+
         if (certificates.size() == 1) {
             return certificates.get(0).getCertId();
         }
+
         List<CACertificateStore> sortedCerts = certificates.stream()
                                                .sorted((cert1, cert2) -> cert1.getCertNotBefore().compareTo(cert2.getCertNotBefore()))
                                                .collect(Collectors.toList());

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java

@@ -4,21 +4,10 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
-import java.security.cert.CertPathBuilder;
-import java.security.cert.CertPathBuilderException;
-import java.security.cert.CertStore;
-import java.security.cert.CollectionCertStoreParameters;
-import java.security.cert.PKIXBuilderParameters;
-import java.security.cert.TrustAnchor;
-import java.security.cert.X509CertSelector;
-import java.security.cert.X509Certificate;
+import java.security.cert.*;
 import java.time.LocalDateTime;
 import java.time.temporal.ChronoUnit;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Optional;
-import java.util.Set;
-import java.util.UUID;
+import java.util.*;
 import java.util.stream.Stream;
 import java.util.concurrent.TimeUnit;
 
@@ -90,6 +79,9 @@ public class PartnerCertificateManagerServiceImpl implements PartnerCertificateM
 
     @Value("${mosip.kernel.partner.issuer.certificate.allowed.grace.duration:30}")
     private int gracePeriod;
+
+    @Value("${mosip.kernel.partner.resign.ftm.domain.certs:false}")
+    private boolean resignFTMDomainCerts;
 
     /**
      * Utility to generate Metadata
@@ -254,6 +246,45 @@ private boolean validateCertificatePath(X509Certificate reqX509Cert, String part
         return false;
     }
 
+    private List<? extends Certificate> getCertificateTrustPath(X509Certificate reqX509Cert, String partnerDomain) {
+
+        try {
+            Map<String, Set<?>> trustStoreMap = (Map<String, Set<?>>) caCertTrustStore.get(partnerDomain); //certDBHelper.getTrustAnchors(partnerDomain);
+            Set<TrustAnchor> rootTrustAnchors = (Set<TrustAnchor>) trustStoreMap
+                    .get(PartnerCertManagerConstants.TRUST_ROOT);
+            Set<X509Certificate> interCerts = (Set<X509Certificate>) trustStoreMap
+                    .get(PartnerCertManagerConstants.TRUST_INTER);
+
+            X509CertSelector certToVerify = new X509CertSelector();
+            certToVerify.setCertificate(reqX509Cert);
+
+            PKIXBuilderParameters pkixBuilderParams = new PKIXBuilderParameters(rootTrustAnchors, certToVerify);
+            pkixBuilderParams.setRevocationEnabled(false);
+
+            CertStore interCertStore = CertStore.getInstance("Collection",
+                    new CollectionCertStoreParameters(interCerts));
+            pkixBuilderParams.addCertStore(interCertStore);
+
+            // Building the cert path and verifying the certification chain
+            CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
+            //certPathBuilder.build(pkixBuilderParams);
+            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) certPathBuilder.build(pkixBuilderParams);
+            X509Certificate rootCert = result.getTrustAnchor().getTrustedCert();
+            List<? extends Certificate> certList = result.getCertPath().getCertificates();
+            List<Certificate> trustCertList = new ArrayList<>();
+            certList.stream().forEach(cert -> {
+                trustCertList.add(cert);
+            });
+            trustCertList.add(rootCert);
+            return trustCertList;
+        } catch (CertPathBuilderException | InvalidAlgorithmParameterException | NoSuchAlgorithmException exp) {
+            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT,
+                    PartnerCertManagerConstants.EMPTY,
+                    "Ignore this exception, the exception thrown when trust validation failed.");
+        }
+        return null;
+    }
+
     @Override
     public PartnerCertificateResponseDto uploadPartnerCertificate(PartnerCertificateRequestDto partnerCertRequesteDto) {
 
@@ -290,6 +321,63 @@ public PartnerCertificateResponseDto uploadPartnerCertificate(PartnerCertificate
         return responseDto;
     }
 
+    @Override
+    public PartnerCertificateResponseDto uploadPartnerCertificateV2(PartnerCertificateRequestDto partnerCertRequesteDto) {
+
+        String certificateData = partnerCertRequesteDto.getCertificateData();
+        if (!keymanagerUtil.isValidCertificateData(certificateData)) {
+            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT,
+                    PartnerCertManagerConstants.EMPTY,
+                    "Invalid Certificate Data provided to upload the partner certificate.");
+            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorCode(),
+                    PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorMessage());
+        }
+        X509Certificate reqX509Cert = (X509Certificate) keymanagerUtil.convertToCertificate(certificateData);
+        String certThumbprint = PartnerCertificateManagerUtil.getCertificateThumbprint(reqX509Cert);
+        String reqOrgName = partnerCertRequesteDto.getOrganizationName();
+        String partnerDomain = validateAllowedDomains(partnerCertRequesteDto.getPartnerDomain());
+
+        validateBasicPartnerCertParams(reqX509Cert, certThumbprint, reqOrgName, partnerDomain);
+
+        List<? extends Certificate>certList = getCertificateTrustPath(reqX509Cert, partnerDomain);
+        if (Objects.isNull(certList)) {
+            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT,
+                    PartnerCertManagerConstants.EMPTY,
+                    "Partner Certificate not allowed to upload as root CA/Intermediate CAs are not found in trust cert path.");
+            throw new PartnerCertManagerException(
+                    PartnerCertManagerErrorConstants.ROOT_INTER_CA_NOT_FOUND.getErrorCode(),
+                    PartnerCertManagerErrorConstants.ROOT_INTER_CA_NOT_FOUND.getErrorMessage());
+        }
+
+        String certSubject = PartnerCertificateManagerUtil
+                .formatCertificateDN(reqX509Cert.getSubjectX500Principal().getName());
+        String certIssuer = PartnerCertificateManagerUtil
+                .formatCertificateDN(reqX509Cert.getIssuerX500Principal().getName());
+        String issuerId = certDBHelper.getIssuerCertId(certIssuer);
+        String certId = UUID.randomUUID().toString();
+
+        X509Certificate rootCert = (X509Certificate) keymanagerUtil.convertToCertificate(
+                                    keymanagerService.getCertificate(PartnerCertManagerConstants.ROOT_APP_ID,
+                                            Optional.of(PartnerCertManagerConstants.EMPTY)).getCertificate());
+        String timestamp = DateUtils.getUTCCurrentDateTimeString();
+        SignatureCertificate certificateResponse = keymanagerService.getSignatureCertificate(masterSignKeyAppId,
+                                                Optional.of(PartnerCertManagerConstants.EMPTY), timestamp);
+        X509Certificate pmsCert = certificateResponse.getCertificateEntry().getChain()[0];
+
+        X509Certificate resignedCert = reSignPartnerKey(reqX509Cert);
+        String signedCertData = keymanagerUtil.getPEMFormatedData(resignedCert);
+        certDBHelper.storePartnerCertificate(certId, certSubject, certIssuer, issuerId, reqX509Cert, certThumbprint,
+                reqOrgName, partnerDomain, signedCertData);
+
+        String p7bCertChain = PartnerCertificateManagerUtil.buildP7BCertificateChain(certList, resignedCert,
+                partnerDomain, resignFTMDomainCerts, rootCert, pmsCert);
+        PartnerCertificateResponseDto responseDto = new PartnerCertificateResponseDto();
+        responseDto.setCertificateId(certId);
+        responseDto.setSignedCertificateData(p7bCertChain);
+        responseDto.setTimestamp(DateUtils.getUTCCurrentDateTime());
+        return responseDto;
+    }
+
     private void validateBasicPartnerCertParams(X509Certificate reqX509Cert, String certThumbprint, String reqOrgName,
             String partnerDomain) {
         boolean certExist = certDBHelper.isPartnerCertificateExist(certThumbprint, partnerDomain);

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/spi/PartnerCertificateManagerService.java

@@ -35,6 +35,14 @@ public interface PartnerCertificateManagerService {
     */
     public PartnerCertificateResponseDto uploadPartnerCertificate(PartnerCertificateRequestDto partnerCertResponseDto);
 
+    /**
+     * Function to Upload Partner certificates
+     * 
+     * @param PartnerCertificateRequestDto partnerCertResponseDto
+     * @return {@link PartnerCertificateResponseDto} instance
+    */
+    public PartnerCertificateResponseDto uploadPartnerCertificateV2(PartnerCertificateRequestDto partnerCertResponseDto);
+
     /**
      * Function to Download Partner certificates
      * 

kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java

@@ -1,21 +1,22 @@
 package io.mosip.kernel.partnercertservice.util;
 
+import java.io.IOException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.SignatureException;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
-import java.security.cert.X509Certificate;
+import java.security.cert.*;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
 import java.time.temporal.ChronoUnit;
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Date;
+import java.util.List;
 
 import javax.security.auth.x500.X500Principal;
 
+import io.mosip.kernel.core.util.CryptoUtil;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.x500.RDN;
@@ -31,6 +32,8 @@
 import io.mosip.kernel.partnercertservice.constant.PartnerCertManagerConstants;
 import io.mosip.kernel.partnercertservice.constant.PartnerCertManagerErrorConstants;
 import io.mosip.kernel.partnercertservice.exception.PartnerCertManagerException;
+import org.bouncycastle.cert.jcajce.JcaCertStore;
+import org.bouncycastle.cms.*;
 
 /**
  * Utility class for Partner Certificate Management
@@ -195,4 +198,36 @@ private static String getAttributeValueIfExist(X500Name x500Name, ASN1ObjectIden
         }
         return IETFUtils.valueToString((rdns[0]).getFirst().getValue());
     }
+
+    public static String buildP7BCertificateChain(List<? extends Certificate> certList, X509Certificate resignedCert,
+                                                  String partnerDomain, boolean resignFTMDomainCerts, X509Certificate rootCert, X509Certificate pmsCert) {
+
+        if (partnerDomain.toUpperCase().equals(PartnerCertManagerConstants.FTM_PARTNER_DOMAIN) && !resignFTMDomainCerts) {
+            return buildCertChain(certList.toArray(new Certificate[0]));
+        }
+
+        List<Certificate> chain = new ArrayList<>();
+        chain.add(resignedCert);
+        chain.add(pmsCert);
+        chain.add(rootCert);
+        return buildCertChain(chain.toArray(new Certificate[0]));
+    }
+
+    private static String buildCertChain(Certificate[] chain) {
+        try {
+            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
+            JcaCertStore jcaStore = new JcaCertStore(Arrays.asList(chain));
+            generator.addCertificates(jcaStore);
+
+            CMSTypedData cmsTypedData = new CMSAbsentContent();
+            CMSSignedData cmsSignedData = generator.generate(cmsTypedData);
+            return CryptoUtil.encodeBase64(cmsSignedData.getEncoded());
+        } catch (CertificateEncodingException | CMSException | IOException e) {
+            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT,
+                    PartnerCertManagerConstants.PCM_UTIL, "Error generating p7b certificates chain.");
+            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERTIFICATE_THUMBPRINT_ERROR.getErrorCode(),
+                    PartnerCertManagerErrorConstants.CERTIFICATE_THUMBPRINT_ERROR.getErrorMessage(), e);
+        }
+    }
+
 }