SD-1822: Use certificates rather than public keys

[nt-gt]

User description

As a side-effect of this, we can now support EC keys instead of only RSA keys (without having to manually parse and understand the DER/ASN.1 format).

---

PR Type

enhancement

---

Description

• Enhanced the PayloadSignerFactory to support EC keys in addition to RSA keys, allowing for more flexible cryptographic operations.
• Implemented functionality to generate self-signed certificates, replacing the previous reliance on public keys.
• Updated the RSAPayloadSigner to handle X509 certificates.
• Added methods for parsing EC private keys and encoding certificates in PEM format.

---

Changes walkthrough 📝

Relevant files

Enhancement

PayloadSignerFactory.java Add support for EC keys and certificate handling                  ebl/src/main/java/org/dcsa/conformance/standards/ebl/crypto/PayloadSignerFactory.java Added support for EC keys alongside RSA keys. Introduced methods to parse and handle EC private keys. Implemented self-signed certificate generation. Replaced public key handling with certificate handling. +110/-65 RSAPayloadSigner.java Use X509 certificates instead of RSA public keys                  ebl/src/main/java/org/dcsa/conformance/standards/ebl/crypto/impl/RSAPayloadSigner.java Replaced RSA public key with X509 certificate handling. Updated method to return certificate in PEM format. +6/-6

---

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

[qodo-merge-pro]

PR-Agent was enabled for this repository. To continue using it, please link your git user with your CodiumAI identity here.

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪

🧪 No relevant tests

🔒 Security concerns Certificate validation: The code does not appear to implement certificate chain validation or revocation checking when verifying signatures. This could potentially allow the use of compromised or revoked certificates. Consider adding proper certificate validation mechanisms.

⚡ Recommended focus areas for review Security Configuration The self-signed certificate generation uses hardcoded validity period of 2500 days which may be too long for security best practices. Consider making this configurable or using a shorter period. Error Handling Generic exception handling in verifierFromPemEncodedPublicKey() may mask specific errors. Consider handling different types of exceptions separately. Code Design The RSAPayloadSigner class name is now misleading since it handles both RSA and EC keys. Consider renaming to reflect its more general purpose.

[jkosternl]

Thanks for your improvements NT! While looking at the code, it is hard to judge if it actually works. I guess you've verified this yourself. Would/can you consider adding some unit tests, to verify this keeps working in the future as well? Also when somebody else needs to change something.

[jkosternl]

Can you add a comment behind it, of what you're actually suppressing? I can guess, but I'd rather read it.

[nt-gt]

Thanks for your improvements NT! While looking at the code, it is hard to judge if it actually works. I guess you've verified this yourself. Would/can you consider adding some unit tests, to verify this keeps working in the future as well? Also when somebody else needs to change something.

You cannot start any of the PINT scenarios without this code working, so there are already integration tests for this.