Fix/x5c Field corrected (#35)

* X5C Array inserted

* Certificate Chain from Keystore refactored.

Author: SchulzeStTSI

src/main/java/eu/europa/ec/dgc/validation/decorator/dto/IdentityResponse.java

@@ -53,7 +53,7 @@ public static final class VerificationIdentityResponse {
     @Data
     public static final class PublicKeyJwkIdentityResponse {
 
-        private String x5c;
+        private String[] x5c;
 
         private String kid;
 

src/main/java/eu/europa/ec/dgc/validation/decorator/entity/ValidationServiceIdentityResponse.java

@@ -48,7 +48,7 @@ public static final class VerificationMethod {
     @Data
     public static final class PublicKeyJwk {
 
-        private String x5c;
+        private String[] x5c;
 
         private String kid;
 

src/main/java/eu/europa/ec/dgc/validation/decorator/service/AccessTokenService.java

@@ -119,9 +119,8 @@ public String buildAccessToken(final AccessTokenPayload payload) {
      */
     public Map<String, Object> parseAccessToken(final String token) {
         final String activeSignKey = this.keyProvider.getActiveSignKey();
-        final PublicKey publicKey = this.keyProvider.receiveCertificate(activeSignKey).getPublicKey();
+        final PublicKey publicKey = this.keyProvider.receiveCertificate(activeSignKey)[0].getPublicKey();
         final String issuer = this.properties.getToken().getIssuer();
-
         final Map<String, Object> body = this.parseAccessToken(token, publicKey, issuer);
         if (!body.containsKey("sub")) {
             throw new DccException("Token invalid: subjet not found");

src/main/java/eu/europa/ec/dgc/validation/decorator/service/BackendService.java

@@ -111,7 +111,7 @@ private PublicKey getSignPublicKey(final ServiceProperties service, final String
     }
 
     private PublicKey toPublicKey(final PublicKeyJwk publicKeyJwk) {
-        final byte[] encoded = Base64.getDecoder().decode(publicKeyJwk.getX5c());
+        final byte[] encoded = Base64.getDecoder().decode(publicKeyJwk.getX5c()[0]);
         try (ByteArrayInputStream encStream = new ByteArrayInputStream(encoded)) {
             return CertificateFactory.getInstance("X.509").generateCertificate(encStream).getPublicKey();
         } catch (CertificateException e) {

src/main/java/eu/europa/ec/dgc/validation/decorator/service/IdentityService.java

@@ -32,6 +32,7 @@
 import io.vavr.collection.Stream;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
+import java.util.ArrayList;
 import java.util.Base64;
 import java.util.List;
 import java.util.stream.Collectors;
@@ -123,10 +124,18 @@ private List<ServiceIdentityResponse> getServices(final String element, final St
     }
 
     private PublicKeyJwkIdentityResponse buildPublicKey(String keyName) {
-        final Certificate certificate = keyProvider.receiveCertificate(keyName);
+        final Certificate[] certificate = keyProvider.receiveCertificate(keyName);
+        if (certificate == null) {
+            return null;
+        }
         try {
             final PublicKeyJwkIdentityResponse publicKeyJwk = new PublicKeyJwkIdentityResponse();
-            publicKeyJwk.setX5c(Base64.getEncoder().encodeToString(certificate.getEncoded()));
+            List<String> x5c = new ArrayList<String>();
+            for (Certificate cert : certificate) {
+                x5c.add(Base64.getEncoder().encodeToString(cert.getEncoded()));
+            }
+
+            publicKeyJwk.setX5c(x5c.toArray(new String[0]));                                       
             publicKeyJwk.setKid(keyProvider.getKid(keyName));
             publicKeyJwk.setAlg(keyProvider.getAlg(keyName));
             publicKeyJwk.setUse(keyProvider.getKeyUse(keyName).name().toLowerCase());

src/main/java/eu/europa/ec/dgc/validation/decorator/service/KeyProvider.java

@@ -28,7 +28,7 @@
 
 public interface KeyProvider {
 
-    Certificate receiveCertificate(String keyName);
+    Certificate[] receiveCertificate(String keyName);
 
     PrivateKey receivePrivateKey(String keyName);
 

src/main/java/eu/europa/ec/dgc/validation/decorator/service/KeyStoreKeyProvider.java

@@ -42,6 +42,8 @@
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -58,7 +60,7 @@ public class KeyStoreKeyProvider implements KeyProvider {
 
     private final DgcProperties dgcConfigProperties;
 
-    private final Map<String, Certificate> certificates = new HashMap<>();
+    private final Map<String, Certificate[]> certificates = new HashMap<>();
 
     private final Map<String, PrivateKey> privateKeys = new HashMap<>();
 
@@ -98,23 +100,31 @@ public void createKeys() throws NoSuchAlgorithmException, IOException, Certifica
             final char[] privateKeyPassword = this.dgcConfigProperties.getPrivateKeyPassword().toCharArray();
             keyStore.load(is, privateKeyPassword);
             final KeyStore.PasswordProtection keyPassword = new KeyStore.PasswordProtection(keyStorePassword);
-
-            for (final String alias : this.getKeyNames(KeyType.ALL)) {
+            String[] keyNames = this.getKeyNames(KeyType.ALL).toArray(new String[0]);
+            Arrays.sort(keyNames);
+            for (final String alias :keyNames) {
                 if (keyStore.isKeyEntry(alias)) {
                     final PrivateKeyEntry privateKeyEntry = (PrivateKeyEntry) keyStore.getEntry(alias, keyPassword);
                     if (privateKeyEntry != null) {
                         final PrivateKey privateKey = privateKeyEntry.getPrivateKey();
                         this.privateKeys.put(alias, privateKey);
                     }
                 }
-                final X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
-                this.handleCertificate(alias, cert);
+                final Certificate cert = keyStore.getCertificate(alias);
+                List<Certificate> certificates = new ArrayList<Certificate>();
+                if (keyStore.getCertificateChain(alias) != null) {
+                    certificates.addAll(Arrays.asList(keyStore.getCertificateChain(alias)));
+                } else {
+                    certificates.add(cert);
+                }  
+                this.handleCertificate(alias, certificates.toArray(new X509Certificate[0]));
             }
         }
     }
 
-    private void handleCertificate(final String alias, final X509Certificate cert) {
-        this.certificates.put(alias, cert);
+    private void handleCertificate(final String alias, final Certificate[] certs) {
+        X509Certificate cert = (X509Certificate)certs[0];
+        this.certificates.put(alias,certs);
 
         final String kid = new CertificateUtils().getCertKid((X509Certificate) cert);
         this.kids.put(alias, kid);
@@ -132,7 +142,7 @@ private void handleCertificate(final String alias, final X509Certificate cert) {
     }
 
     @Override
-    public Certificate receiveCertificate(final String keyName) {
+    public Certificate[] receiveCertificate(final String keyName) {
         return this.certificates.get(keyName);
     }
 

src/main/java/eu/europa/ec/dgc/validation/decorator/service/ValidationStatusService.java

@@ -187,7 +187,7 @@ private PublicKey getSignPublicKey(final ServiceProperties service, final String
     }
 
     private PublicKey toPublicKey(final PublicKeyJwk publicKeyJwk) {
-        final byte[] encoded = Base64.getDecoder().decode(publicKeyJwk.getX5c());
+        final byte[] encoded = Base64.getDecoder().decode(publicKeyJwk.getX5c()[0]);
         try (ByteArrayInputStream encStream = new ByteArrayInputStream(encoded)) {
             return CertificateFactory.getInstance("X.509").generateCertificate(encStream).getPublicKey();
         } catch (CertificateException e) {

src/test/java/eu/europa/ec/dgc/validation/decorator/util/TestHelper.java

@@ -89,7 +89,7 @@ public static ValidationServiceIdentityResponse buildValidationServiceIdentity()
         publicKeyJwk.setUse("sig");
         publicKeyJwk.setAlg("ES256");
         publicKeyJwk.setKid("MFkwEwYHKu+=");
-        publicKeyJwk.setX5c("MIIB4DCCAYegAwIBAgIUVuls/1X3r1LY9+KcbRnX1ixbl8YwCgYIKoZIzj0EAwIw"
+        publicKeyJwk.setX5c(new String[]{"MIIB4DCCAYegAwIBAgIUVuls/1X3r1LY9+KcbRnX1ixbl8YwCgYIKoZIzj0EAwIw"
                 + "RTELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu"
                 + "dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yMTA5MjMwODMxMDRaGA8yMTIwMDQx"
                 + "NzA4MzEwNFowRTELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf"
@@ -99,7 +99,7 @@ public static ValidationServiceIdentityResponse buildValidationServiceIdentity()
                 + "G+x2DPISjaXTWsTOdDAfBgNVHSMEGDAWgBSaqFjzps1qG+x2DPISjaXTWsTOdDAP"
                 + "BgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIC/VAxhYH0HGDgcHIJwJ"
                 + "QXgThit8ZVqAxwzcK2/CUZPRAiASv2PY68vYaHSUZSICg80zO3puKPfum9126fmU"
-                + "4LlytA==");
+                + "4LlytA=="});
 
         final VerificationMethod sig = new VerificationMethod();
         sig.setType("JsonWebKey2020");