From 787b0b448b107c8a008169b58a83f7436d7a305b Mon Sep 17 00:00:00 2001
From: Andreas Scheibal
Date: Sat, 12 Oct 2024 02:28:37 +0200
Subject: [PATCH 1/2] fix: KID encoding - removed erroneous double encoding of KID
---
 .../service/did/DidTrustListService.java | 69 +++++++++----------
 .../service/DidTrustListServiceTest.java | 8 +--
 2 files changed, 37 insertions(+), 40 deletions(-)
diff --git a/src/main/java/eu/europa/ec/dgc/gateway/service/did/DidTrustListService.java b/src/main/java/eu/europa/ec/dgc/gateway/service/did/DidTrustListService.java
index b62f113a..aa36014e 100644
--- a/src/main/java/eu/europa/ec/dgc/gateway/service/did/DidTrustListService.java
+++ b/src/main/java/eu/europa/ec/dgc/gateway/service/did/DidTrustListService.java
@@ -41,7 +41,6 @@
 import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
-import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.security.PublicKey;
 import java.security.cert.CertificateEncodingException;
@@ -64,7 +63,6 @@
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Service;
-
 @Slf4j
 @Service
 @RequiredArgsConstructor
@@ -76,8 +74,8 @@ public class DidTrustListService {
     private static final String SEPARATOR_FRAGMENT = "#";
     private static final List DID_CONTEXTS = List.of(
-            "https://www.w3.org/ns/did/v1",
-            "https://w3id.org/security/suites/jws-2020/v1");
+        "https://www.w3.org/ns/did/v1",
+        "https://w3id.org/security/suites/jws-2020/v1");
     private final TrustedIssuerService trustedIssuerService;
@@ -147,19 +145,19 @@ private String getCountryAsLowerCaseAlpha3(String country) {
         }
         return configProperties.getCountryCodeMap().getVirtualCountries()
-                .compute(country, (alpha2, alpha3) -> {
-                    if (alpha3 != null) {
-                        return alpha3.toLowerCase();
-                    }
-
-                    try {
-                        return new Locale("en", alpha2).getISO3Country().toLowerCase();
-                    } catch (MissingResourceException e) {
-                        log.error("Country Code to alpha 3 conversion issue for country {} : {}",
-                                country, e.getMessage());
-                        return null;
-                    }
-                });
+            .compute(country, (alpha2, alpha3) -> {
+                if (alpha3 != null) {
+                    return alpha3.toLowerCase();
+                }
+
+                try {
+                    return new Locale("en", alpha2).getISO3Country().toLowerCase();
+                } catch (MissingResourceException e) {
+                    log.error("Country Code to alpha 3 conversion issue for country {} : {}",
+                        country, e.getMessage());
+                    return null;
+                }
+            });
     }
     private String generateTrustList(List countries) throws Exception {
@@ -180,11 +178,10 @@ private String generateTrustList(List countries) throws Exception {
         // Add DSC
         List certs = trustListService.getTrustedCertificateTrustList(
-                SignerInformationEntity.CertificateType.stringValues(),
-                countries,
-                null,
-                configProperties.getDid().getIncludeFederated()
-        );
+            SignerInformationEntity.CertificateType.stringValues(),
+            countries,
+            null,
+            configProperties.getDid().getIncludeFederated());
         for (TrustedCertificateTrustList cert : certs) {
@@ -192,24 +189,24 @@ private String generateTrustList(List countries) throws Exception {
             if (publicKey instanceof RSAPublicKey rsaPublicKey) {
                 addTrustListEntry(trustList, cert,
-                        new DidTrustListEntryDto.RsaPublicKeyJwk(rsaPublicKey, List.of(cert.getCertificate())));
+                    new DidTrustListEntryDto.RsaPublicKeyJwk(rsaPublicKey, List.of(cert.getCertificate())));
             } else if (publicKey instanceof ECPublicKey ecPublicKey) {
                 addTrustListEntry(trustList, cert,
-                        new DidTrustListEntryDto.EcPublicKeyJwk(ecPublicKey, List.of(cert.getCertificate())));
+                    new DidTrustListEntryDto.EcPublicKeyJwk(ecPublicKey, List.of(cert.getCertificate())));
             } else {
                 log.error("Public Key is not RSA or EC Public Key for cert {} of country {}",
-                        cert.getThumbprint(),
-                        cert.getCountry());
+                    cert.getThumbprint(),
+                    cert.getCountry());
             }
         }
         // Add TrustedIssuer
         trustedIssuerService.search(
             null, countries, configProperties.getDid().getIncludeFederated()).stream()
-                .filter(trustedIssuer -> trustedIssuer.getUrlType() == TrustedIssuerEntity.UrlType.DID)
-                .forEach(trustedIssuer -> trustList.getVerificationMethod().add(trustedIssuer.getUrl()));
+            .filter(trustedIssuer -> trustedIssuer.getUrlType() == TrustedIssuerEntity.UrlType.DID)
+            .forEach(trustedIssuer -> trustList.getVerificationMethod().add(trustedIssuer.getUrl()));
         // Create LD-Proof Document
         JsonWebSignature2020LdSigner signer = new JsonWebSignature2020LdSigner(byteSigner);
@@ -229,7 +226,7 @@ private String generateTrustList(List countries) throws Exception {
             }
             try (InputStream inputStream = getClass().getClassLoader().getResourceAsStream(
-                    "did_contexts/" + didContextFile)) {
+                "did_contexts/" + didContextFile)) {
                 if (inputStream != null) {
                     contextMap.put(URI.create(didContext), JsonDocument.of(inputStream));
                 }
@@ -247,14 +244,14 @@ private String generateTrustList(List countries) throws Exception {
     }
     private void addTrustListEntry(DidTrustListDto trustList,
-                                   TrustedCertificateTrustList cert,
-                                   DidTrustListEntryDto.PublicKeyJwk publicKeyJwk)
+        TrustedCertificateTrustList cert,
+        DidTrustListEntryDto.PublicKeyJwk publicKeyJwk)
         throws CertificateEncodingException, UnsupportedEncodingException {
         Optional csca = searchForIssuer(cert);
         if (csca.isPresent()) {
             publicKeyJwk.getEncodedX509Certificates()
-                    .add(Base64.getEncoder().encodeToString(csca.get().getParsedCertificate().getEncoded()));
+                .add(Base64.getEncoder().encodeToString(csca.get().getParsedCertificate().getEncoded()));
         }
         DidTrustListEntryDto trustListEntry = new DidTrustListEntryDto();
@@ -263,7 +260,7 @@ private void addTrustListEntry(DidTrustListDto trustList,
             + SEPARATOR_COLON
             + getCountryAsLowerCaseAlpha3(cert.getCountry())
             + SEPARATOR_FRAGMENT
-            + getEncodedKid(cert.getKid()));;
+            + cert.getKid());
         trustListEntry.setController(configProperties.getDid().getTrustListControllerPrefix() + SEPARATOR_COLON + getCountryAsLowerCaseAlpha3(cert.getCountry()));
         trustListEntry.setPublicKeyJwk(publicKeyJwk);
@@ -279,9 +276,9 @@ private Optional searchForIssuer(TrustedCertificate
             List.of(cert.getCountry()),
             List.of(cert.getDomain()),
             configProperties.getDid().getIncludeFederated()).stream()
-                .filter(tp -> tp.getParsedCertificate().getSubjectX500Principal()
-                        .equals(cert.getParsedCertificate().getIssuerX500Principal()))
-                .findFirst();
+            .filter(tp -> tp.getParsedCertificate().getSubjectX500Principal()
+                .equals(cert.getParsedCertificate().getIssuerX500Principal()))
+            .findFirst();
     }
     private String getEncodedKid(String kid) {
diff --git a/src/test/java/eu/europa/ec/dgc/gateway/service/DidTrustListServiceTest.java b/src/test/java/eu/europa/ec/dgc/gateway/service/DidTrustListServiceTest.java
index 2685f4e2..655a46a8 100644
--- a/src/test/java/eu/europa/ec/dgc/gateway/service/DidTrustListServiceTest.java
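Review bot: The verification-method id assembled on the `+ cert.getKid()` line now carries the KID verbatim, so the id is a valid DID URL only as long as every KID stays within the RFC 3986 fragment alphabet; a standard-Base64 thumbprint (`+`, `/`, `=`), which is presumably what a KID is here, is fragment-safe, but nothing in this method enforces that and a KID containing `#` or whitespace would produce an ambiguous id. A one-line comment on the `setId` line would keep the next maintainer from reintroducing the encoding, e.g. `// KID is already an encoded thumbprint and fragment-safe (RFC 3986 pchar); do not re-encode it`. With `java.net.URLEncoder` gone from the imports (first hunk of this file) and the removed `getEncodedKid` delegating to `Base64URL`, the `throws CertificateEncodingException, UnsupportedEncodingException` clause on `addTrustListEntry` in the preceding hunk looks stale unless one of the lines outside the hunk still throws it; if so, drop `UnsupportedEncodingException` from the signature and its import. `addTrustListEntry` starts in the previous hunk and continues past this one.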
+++ b/src/test/java/eu/europa/ec/dgc/gateway/service/DidTrustListServiceTest.java
@@ -221,11 +221,11 @@ void testTrustList(boolean isEcAlgorithm) throws Exception {
         Assertions.assertEquals("b", parsed.getController());
         Assertions.assertEquals(6, parsed.getVerificationMethod().size());
-        assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(), "c" + ":deu" + "#" + getEncodedKid(certDscDeKid)),
+        assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(), "c" + ":deu" + "#" + certDscDeKid),
             certDscDeKid, certDscDe, certCscaDe, "deu");
-        assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(), "c" + ":xeu" + "#" + getEncodedKid("kid2")),
+        assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(), "c" + ":xeu" + "#" + "kid2"),
             "kid2", certDscEu, certCscaEu, "xeu");
-        assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(), "c" + ":xex" + "#" + getEncodedKid("kid3")),
+        assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(), "c" + ":xex" + "#" + "kid3"),
             "kid3", federatedCertDscEx, null, "xex");
         Assertions.assertTrue(parsed.getVerificationMethod().contains("did:trusted:DE:issuer"));
@@ -262,7 +262,7 @@ private void assertVerificationMethod(Object in, String kid, X509Certificate dsc
         LinkedHashMap jsonNode = (LinkedHashMap) in;
         Assertions.assertEquals("JsonWebKey2020", jsonNode.get("type"));
         Assertions.assertEquals("d" + ":" + country, jsonNode.get("controller"));
-        Assertions.assertEquals("c" + ":" + country + "#" + getEncodedKid(kid), jsonNode.get("id"));
+        Assertions.assertEquals("c" + ":" + country + "#" + kid, jsonNode.get("id"));
         LinkedHashMap publicKeyJwk = (LinkedHashMap) jsonNode.get("publicKeyJwk");
From e53dadccd654803bab9833088fbf974f7396d6c8 Mon Sep 17 00:00:00 2001
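Review bot: The literal KIDs `"kid2"` and `"kid3"` in the rewritten assertions are plain alphanumerics, so these checks cannot show whether a KID containing Base64 characters (`+`, `/`, `=`) survives unchanged in the `#` fragment and is still located by `getVerificationMethodByKid`, which is exactly the behaviour this fix changes. Unless `certDscDeKid` is already such a value when derived from the test certificate, one fixture with a KID like `"ab+cd/e="` (constructed example) would pin the raw-KID contract that removing `getEncodedKid` introduces. `testTrustList` begins and ends outside the hunk.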
From: Andreas Scheibal
Date: Sat, 12 Oct 2024 02:43:52 +0200
Subject: [PATCH 2/2] fix: KID encoding - removed erroneous double encoding of KID - removed unnecessary enconding method
---
 .../ec/dgc/gateway/service/did/DidTrustListService.java | 4 ----
 .../ec/dgc/gateway/service/DidTrustListServiceTest.java | 4 ----
 2 files changed, 8 deletions(-)
diff --git a/src/main/java/eu/europa/ec/dgc/gateway/service/did/DidTrustListService.java b/src/main/java/eu/europa/ec/dgc/gateway/service/did/DidTrustListService.java
index aa36014e..4ad565c6 100644
--- a/src/main/java/eu/europa/ec/dgc/gateway/service/did/DidTrustListService.java
+++ b/src/main/java/eu/europa/ec/dgc/gateway/service/did/DidTrustListService.java
@@ -280,8 +280,4 @@ private Optional searchForIssuer(TrustedCertificate
                 .equals(cert.getParsedCertificate().getIssuerX500Principal()))
             .findFirst();
     }
-
-    private String getEncodedKid(String kid) {
-        return Base64URL.encode(kid).toString();
-    }
 }
diff --git a/src/test/java/eu/europa/ec/dgc/gateway/service/DidTrustListServiceTest.java b/src/test/java/eu/europa/ec/dgc/gateway/service/DidTrustListServiceTest.java
index 655a46a8..afbe5b28 100644
--- a/src/test/java/eu/europa/ec/dgc/gateway/service/DidTrustListServiceTest.java
+++ b/src/test/java/eu/europa/ec/dgc/gateway/service/DidTrustListServiceTest.java
@@ -314,8 +314,4 @@ private static class LDProof {
         }
     }
-
-    private String getEncodedKid(String kid) {
-        return Base64URL.encode(kid).toString();
-    }
 }