Merge branch 'main' into dep/sb_309

.gitignore

@@ -43,4 +43,4 @@ build/
 !/tools/*.sh
 
 certs/*
-.DS_Store
+**/.DS_Store

CODEOWNERS

@@ -5,5 +5,4 @@
 # For more details, read the following article on GitHub: https://help.github.com/articles/about-codeowners/.
 
 # These are the default owners for the whole content of this repository. The default owners are automatically added as reviewers when you open a pull request, unless different owners are specified in the file.
-* @eu-digital-green-certificates/dgc-gateway-members
-* @ascheibal @f11h @litlfred
+* @ascheibal @f11h @litlfred @tence

docker-compose.yml

@@ -1,39 +1,42 @@
 version: '3'
 
 services:
-  mysql:
-    image: mysql/mysql-server:5.7
+  postgres:
+    image: postgres
     ports:
-      - 3306:3306
+      - 5432:5432
     environment:
-      - MYSQL_DATABASE=dgc
-      - MYSQL_ROOT_PASSWORD=admin # do not use this for production deployments
-      - MYSQL_USER=dgc_adm
-      - MYSQL_PASSWORD=admin # do not use this for production deployments
+      - POSTGRES_PASSWORD=admin  # do not use this for production deployments
+      - PGPASSWORD=admin  # do not use this for production deployments
+      - POSTGRES_USER=postgres
+      - POSTGRES_DB=postgres
     networks:
       persistence:
 
   ddcc-gateway:
     build: .
-    image: world-health-organization/ddcc-gateway
+    image: smarttrustnetworkgateway:latest
     volumes:
       - ./certs:/ec/prod/app/san/dgc
       - ./logs:/logs
     ports:
       - 8080:8080
     environment:
       - SERVER_PORT=8080
-      - SPRING_PROFILES_ACTIVE=mysql,docker
-      - SPRING_DATASOURCE_URL=jdbc:mysql://mysql:3306/dgc
-      - SPRING_DATASOURCE_USERNAME=dgc_adm
+      - SPRING_PROFILES_ACTIVE=log2console,local
+      - SPRING_DATASOURCE_URL=jdbc:postgresql://postgres:5432/postgres
+      - SPRING_DATASOURCE_DRIVERCLASSNAME=org.postgresql.Driver
+      - SPRING_DATASOURCE_JNDI_NAME=false
+      - SPRING_JPA_DATABASEPLATFORM=org.hibernate.dialect.PostgreSQLDialect
+      - SPRING_DATASOURCE_USERNAME=postgres
       - SPRING_DATASOURCE_PASSWORD=admin # do not use this for production deployments
       - DGC_TRUSTANCHOR_KEYSTOREPATH=/ec/prod/app/san/dgc/ta.jks
       - DGC_TRUSTANCHOR_KEYSTOREPASS=dgcg-p4ssw0rd # do not use this for production deployments
       - DGC_TRUSTANCHOR_CERTIFICATEALIAS=dgcg_trust_anchor
       - DGC_FEDERATION_KEYSTOREPATH=/ec/prod/app/san/dgc/ta.jks #TODO: change to federation.jks
       - DGC_FEDERATION_KEYSTOREPASSWORD=dgcg-p4ssw0rd # do not use this for production deployments
     depends_on:
-      - mysql
+      - postgres
     networks:
       backend:
       persistence:

owasp/suppressions.xml

@@ -44,4 +44,9 @@
         <cve>CVE-2023-1370</cve>
         <cve>CVE-2023-24998</cve>
     </suppress>
+    <suppress>
+        <notes>No Fix available</notes>
+        <cve>CVE-2023-36414</cve>
+        <cve>CVE-2023-36415</cve>
+    </suppress>
 </suppressions>

src/main/java/eu/europa/ec/dgc/gateway/config/DgcConfigProperties.java

@@ -52,6 +52,8 @@ public class DgcConfigProperties {
 
     private CloudmersiveConfig cloudmersive = new CloudmersiveConfig();
 
+    private CountryCodeMap countryCodeMap = new CountryCodeMap();
+
     @Getter
     @Setter
     public static class DidConfig {
@@ -170,4 +172,10 @@ public static class Federation {
     public static class SignerInformation {
         private int deleteThreshold = 14;
     }
+
+    @Getter
+    @Setter
+    public static class CountryCodeMap {
+        private Map<String, String> virtualCountries = new HashMap<>();
+    }
 }

src/main/java/eu/europa/ec/dgc/gateway/entity/FederatedEntity.java

@@ -41,7 +41,7 @@ public abstract class FederatedEntity {
     @JoinColumn(name = "source_gateway_id", referencedColumnName = "gateway_id")
     private FederationGatewayEntity sourceGateway;
 
-    @Column(name = "domain", columnDefinition = "varchar(10) DEFAULT 'DCC'")
+    @Column(name = "domain", columnDefinition = "varchar(32) DEFAULT 'DCC'")
     String domain = "DCC";
 
     @Column(name = "version", columnDefinition = "int default 1", nullable = false)

src/main/java/eu/europa/ec/dgc/gateway/entity/RevocationBatchEntity.java

@@ -28,13 +28,14 @@
 import jakarta.persistence.GenerationType;
 import jakarta.persistence.Id;
 import jakarta.persistence.Index;
-import jakarta.persistence.Lob;
 import jakarta.persistence.Table;
 import java.time.ZonedDateTime;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
+import org.hibernate.annotations.JdbcType;
+import org.hibernate.type.descriptor.jdbc.LongVarcharJdbcType;
 
 @Getter
 @Setter
@@ -97,7 +98,7 @@ public class RevocationBatchEntity {
      * The Signed CMS with the batch.
      */
     @Column(name = "signed_batch", length = 1_024_000)
-    @Lob
+    @JdbcType(LongVarcharJdbcType.class)
     private String signedBatch;
 
     /**

src/main/java/eu/europa/ec/dgc/gateway/entity/ValuesetEntity.java

@@ -23,12 +23,14 @@
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
 import jakarta.persistence.Id;
-import jakarta.persistence.Lob;
 import jakarta.persistence.Table;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
+import org.hibernate.annotations.JdbcType;
+import org.hibernate.type.descriptor.jdbc.LongVarcharJdbcType;
+
 
 @Getter
 @Setter
@@ -45,8 +47,8 @@ public class ValuesetEntity {
     /**
      * Signature of the TrustAnchor.
      */
-    @Column(name = "json", nullable = false, length = 1024000)
-    @Lob
+    @Column(name = "json", nullable = false, length = 1_024_000)
+    @JdbcType(LongVarcharJdbcType.class)
     String json;
 
 }

src/main/java/eu/europa/ec/dgc/gateway/model/TrustedCertificateTrustList.java

@@ -20,6 +20,7 @@
 
 package eu.europa.ec.dgc.gateway.model;
 
+import java.security.cert.X509Certificate;
 import java.time.ZonedDateTime;
 import lombok.AllArgsConstructor;
 import lombok.Data;
@@ -52,4 +53,6 @@ public class TrustedCertificateTrustList {
 
     private Integer version;
 
+    private X509Certificate parsedCertificate;
+
 }

src/main/java/eu/europa/ec/dgc/gateway/repository/SignerInformationRepository.java

@@ -30,8 +30,6 @@
 
 public interface SignerInformationRepository extends JpaRepository<SignerInformationEntity, Long> {
 
-    List<SignerInformationEntity> getAllBySourceGatewayIsNullAndDomainIs(String domain);
-
     @Query("SELECT s FROM SignerInformationEntity s WHERE "
         + "(:ignoreGroup = true OR s.certificateType IN (:group)) AND "
         + "(:ignoreCountry = true OR s.country IN (:country)) AND "

src/main/java/eu/europa/ec/dgc/gateway/repository/TrustedPartyRepository.java

@@ -30,7 +30,8 @@
 
 public interface TrustedPartyRepository extends JpaRepository<TrustedPartyEntity, Long> {
 
-    List<TrustedPartyEntity> getBySourceGatewayIsNullAndDomainIs(String domain);
+    List<TrustedPartyEntity> getBySourceGatewayIsNullAndDomainIsAndCertificateTypeIsIn(
+        String domain, List<TrustedPartyEntity.CertificateType> types);
 
     List<TrustedPartyEntity> getByCountryAndCertificateType(String country, TrustedPartyEntity.CertificateType type);
 

src/main/java/eu/europa/ec/dgc/gateway/restapi/dto/did/DidTrustListDto.java

@@ -21,10 +21,12 @@
 package eu.europa.ec.dgc.gateway.restapi.dto.did;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
 import java.util.List;
 import lombok.Data;
 
 @Data
+@JsonPropertyOrder({"@context", "id", "controller", "verificationMethod"})
 public class DidTrustListDto {
 
     @JsonProperty("@context")

src/main/java/eu/europa/ec/dgc/gateway/restapi/dto/did/DidTrustListEntryDto.java

@@ -21,9 +21,16 @@
 package eu.europa.ec.dgc.gateway.restapi.dto.did;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
+import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
+import java.util.Base64;
 import java.util.List;
 import lombok.Data;
-import lombok.experimental.SuperBuilder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+import org.bouncycastle.jce.spec.ECNamedCurveSpec;
 
 @Data
 public class DidTrustListEntryDto {
@@ -36,18 +43,24 @@ public class DidTrustListEntryDto {
 
     private PublicKeyJwk publicKeyJwk;
 
-    @Data
-    @SuperBuilder
-    private abstract static class PublicKeyJwk {
+    @NoArgsConstructor
+    @Setter
+    @Getter
+    public abstract static class PublicKeyJwk {
         @JsonProperty("kty")
         private String keyType;
 
         @JsonProperty("x5c")
         private List<String> encodedX509Certificates;
+
+        private PublicKeyJwk(String keyType, List<String> encodedX509Certificates) {
+            this.keyType = keyType;
+            this.encodedX509Certificates = new ArrayList<>(encodedX509Certificates);
+        }
     }
 
-    @Data
-    @SuperBuilder
+    @Getter
+    @Setter
     public static class EcPublicKeyJwk extends PublicKeyJwk {
 
         @JsonProperty("crv")
@@ -58,6 +71,51 @@ public static class EcPublicKeyJwk extends PublicKeyJwk {
 
         @JsonProperty("y")
         private String valueY;
+
+        /**
+         * Instantiate EC PublicKey JWK Class.
+         *
+         * @param ecPublicKey EC Public Key that should be wrapped.
+         * @param base64EncodedCertificates List of Base64 encoded Certificates assigned to provided Public Key.
+         *                                   They will be added within x5c property of JWK.
+         */
+        public EcPublicKeyJwk(ECPublicKey ecPublicKey, List<String> base64EncodedCertificates) {
+            super("EC", base64EncodedCertificates);
+            valueX = Base64.getEncoder().encodeToString(ecPublicKey.getW().getAffineX().toByteArray());
+            valueY = Base64.getEncoder().encodeToString(ecPublicKey.getW().getAffineY().toByteArray());
+
+            ECNamedCurveSpec curveSpec = (ECNamedCurveSpec) ecPublicKey.getParams();
+            switch (curveSpec.getName()) {
+                case "prime256v1" -> curve = "P-256";
+                case "prime384v1" -> curve = "P-384";
+                case "prime521v1" -> curve = "P-521";
+                default -> curve = "UNKNOWN CURVE";
+            }
+        }
+    }
+
+    @Getter
+    @Setter
+    public static class RsaPublicKeyJwk extends PublicKeyJwk {
+
+        @JsonProperty("e")
+        private String valueE;
+
+        @JsonProperty("n")
+        private String valueN;
+
+        /**
+         * Instantiate RSA PublicKey JWK Class.
+         *
+         * @param rsaPublicKey RSA Public Key that should be wrapped.
+         * @param base64EncodedCertificates List of Base64 encoded Certificates assigned to provided Public Key.
+         *                                   They will be added within x5c property of JWK.
+         */
+        public RsaPublicKeyJwk(RSAPublicKey rsaPublicKey, List<String> base64EncodedCertificates) {
+            super("RSA", base64EncodedCertificates);
+            valueN = Base64.getEncoder().encodeToString(rsaPublicKey.getModulus().toByteArray());
+            valueE = Base64.getEncoder().encodeToString(rsaPublicKey.getPublicExponent().toByteArray());
+        }
     }
 
 }

src/main/java/eu/europa/ec/dgc/gateway/service/SignerInformationService.java

@@ -70,24 +70,15 @@ public class SignerInformationService {
     private static final String MDC_PROP_UPLOAD_CERT_THUMBPRINT = "uploadCertThumbprint";
     private static final String MDC_PROP_CSCA_CERT_THUMBPRINT = "cscaCertThumbprint";
 
-    /**
-     * Method to query persistence layer for all stored non federated SignerInformation.
-     *
-     * @return List of SignerInformation
-     */
-    public List<SignerInformationEntity> getNonFederatedSignerInformation() {
-        return signerInformationRepository.getAllBySourceGatewayIsNullAndDomainIs("DCC");
-    }
 
     /**
-     * Method to query persistence layer for SignerInformation filtered by Type.
+     * Method to query persistence layer for SignerInformation filtered by Type = DSC.
      *
-     * @param type type to filter for
      * @return List of SignerInformation
      */
-    public List<SignerInformationEntity> getNonFederatedSignerInformation(
-        SignerInformationEntity.CertificateType type) {
-        return signerInformationRepository.getByCertificateTypeAndSourceGatewayIsNullAndDomainIs(type, "DCC");
+    public List<SignerInformationEntity> getNonFederatedEuDscSignerInformation() {
+        return signerInformationRepository.getByCertificateTypeAndSourceGatewayIsNullAndDomainIs(
+            SignerInformationEntity.CertificateType.DSC, "DCC");
     }
 
     /**

src/main/java/eu/europa/ec/dgc/gateway/service/TrustListService.java

@@ -53,8 +53,8 @@ public class TrustListService {
      */
     public List<TrustList> getTrustList() {
         return mergeAndConvert(
-            trustedPartyService.getNonFederatedTrustedParties(),
-            signerInformationService.getNonFederatedSignerInformation()
+            trustedPartyService.getNonFederatedEuDscTrustedParties(),
+            signerInformationService.getNonFederatedEuDscSignerInformation()
         );
     }
 
@@ -68,11 +68,11 @@ public List<TrustList> getTrustList(TrustListType type) {
         if (type == TrustListType.DSC) {
             return mergeAndConvert(
                 Collections.emptyList(),
-                signerInformationService.getNonFederatedSignerInformation(SignerInformationEntity.CertificateType.DSC)
+                signerInformationService.getNonFederatedEuDscSignerInformation()
             );
         } else {
             return mergeAndConvert(
-                trustedPartyService.getNonFederatedTrustedParties(map(type)),
+                trustedPartyService.getNonFederatedEuDscTrustedParties(map(type)),
                 Collections.emptyList()
             );
         }
@@ -156,7 +156,8 @@ private TrustedCertificateTrustList convertTrustedCertificate(TrustedPartyEntity
                 ? trustedPartyEntity.getSourceGateway().getGatewayId() : null,
             trustedPartyEntity.getUuid(),
             trustedPartyEntity.getDomain(),
-            trustedPartyEntity.getVersion()
+            trustedPartyEntity.getVersion(),
+            trustedPartyService.getX509CertificateFromEntity(trustedPartyEntity)
         );
     }
 
@@ -174,7 +175,8 @@ private TrustedCertificateTrustList convertTrustedCertificate(SignerInformationE
                 ? signerInformationEntity.getSourceGateway().getGatewayId() : null,
             signerInformationEntity.getUuid(),
             signerInformationEntity.getDomain(),
-            signerInformationEntity.getVersion()
+            signerInformationEntity.getVersion(),
+            signerInformationService.getX509CertificateFromEntity(signerInformationEntity)
         );
     }