From ad204989c376320105d81f8162acff5c288171a9 Mon Sep 17 00:00:00 2001 From: dvasunin Date: Fri, 12 May 2023 12:12:59 +0300 Subject: [PATCH] fix #33 Recalculate SKI to check if the extension contains correct value before creating new registration --- CHANGELOG.md | 1 + .../org/eclipse/tractusx/dapsreg/service/DapsManager.java | 3 +++ .../java/org/eclipse/tractusx/dapsreg/util/Certutil.java | 8 ++++++++ .../java/org/eclipse/tractusx/dapsreg/DapsUtilTests.java | 5 ++++- 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3cdcbb0..f563016 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ### Changed - make DapsManager methods synchronized - check if a client was registered before creating new registration +- check if SKI was spoofed before creating a new registration ### Added - add attributes validation diff --git a/src/main/java/org/eclipse/tractusx/dapsreg/service/DapsManager.java b/src/main/java/org/eclipse/tractusx/dapsreg/service/DapsManager.java index 8e62159..f1f4941 100644 --- a/src/main/java/org/eclipse/tractusx/dapsreg/service/DapsManager.java +++ b/src/main/java/org/eclipse/tractusx/dapsreg/service/DapsManager.java @@ -68,6 +68,9 @@ public synchronized ResponseEntity> createClientPost(String String securityProfile) { var cert = Certutil.loadCertificate(new String(file.getBytes())); var clientId = Certutil.getClientId(cert); + if (!Certutil.createSki(cert).equals(Certutil.getSki(cert))) { + throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Certificate problem"); + } if (dapsClient.getClient(clientId).isPresent()) { throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Client exists"); } diff --git a/src/main/java/org/eclipse/tractusx/dapsreg/util/Certutil.java b/src/main/java/org/eclipse/tractusx/dapsreg/util/Certutil.java index 2cf2648..6ee6ec5 100644 
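Review bot: The new guard in createClientPost rejects a mismatched Subject Key Identifier with the bare message "Certificate problem", which gives the caller no way to tell it apart from the other BAD_REQUEST paths of this method, and nothing in the code says why the check is there. The clientId appears to be derived from the certificate's SKI extension (the expected clientId in DapsUtilTests starts with the same key id), and that extension is filled in by whoever produced the certificate, so recomputing it from the public key is what binds the id to the key; I would put that above the `if`, e.g. `// the clientId is derived from the SKI extension, which the requester controls; recompute it from the public key so the id is bound to the key`, and make the message specific: `throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Subject Key Identifier does not match the certificate public key");`. `Certutil.createSki` declares the checked `NoSuchAlgorithmException`, and this hunk shows no change to the method signature, so it presumably relies on a throws clause already present on the first signature line, which sits in the hunk header outside the hunk. createClientPost starts before this hunk and continues after it.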
--- a/src/main/java/org/eclipse/tractusx/dapsreg/util/Certutil.java +++ b/src/main/java/org/eclipse/tractusx/dapsreg/util/Certutil.java @@ -25,11 +25,13 @@ import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier; import org.bouncycastle.asn1.x509.SubjectKeyIdentifier; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; import org.bouncycastle.openssl.jcajce.JcaPEMWriter; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.StringWriter; +import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; @@ -56,6 +58,12 @@ public static String getSki(X509Certificate cert) { return BaseEncoding.base16().upperCase().withSeparator(":", 2).encode(keyIdentifier); } + public static String createSki(X509Certificate cert) throws NoSuchAlgorithmException { + var publicKey = cert.getPublicKey(); + var r = new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKey).getKeyIdentifier(); + return BaseEncoding.base16().upperCase().withSeparator(":", 2).encode(r); + } + public static X509Certificate loadCertificate(String pem) throws IOException, CertificateException { try(var ts = new ByteArrayInputStream(pem.getBytes(Charsets.UTF_8))) { CertificateFactory fac = CertificateFactory.getInstance("X509"); diff --git a/src/test/java/org/eclipse/tractusx/dapsreg/DapsUtilTests.java b/src/test/java/org/eclipse/tractusx/dapsreg/DapsUtilTests.java index 628a847..75850df 100644 --- a/src/test/java/org/eclipse/tractusx/dapsreg/DapsUtilTests.java +++ b/src/test/java/org/eclipse/tractusx/dapsreg/DapsUtilTests.java @@ -33,6 +33,7 @@ import jakarta.annotation.PostConstruct; import java.io.IOException; +import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; import static org.assertj.core.api.Assertions.assertThat; 
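Review bot: `createSki` derives the key identifier with `new JcaX509ExtensionUtils()`, whose no-argument constructor uses a SHA-1 digest over the subject public key (RFC 5280 section 4.2.1.2, method 1); RFC 5280 does not require that derivation, so a genuine certificate whose issuer used another method (the truncated variant, or the SHA-256 based methods of RFC 7093) will fail the equality check that DapsManager builds on this method. That limitation, the return format and the checked exception belong in a Javadoc, e.g. `/** Recomputes the Subject Key Identifier from the certificate's public key with the SHA-1 method of RFC 5280 (4.2.1.2, method 1), formatted like {@link #getSki}; certificates whose SKI was derived by another method will not compare equal. */`. The encoding line is a copy of the one at the end of `getSki` and the local `r` says nothing; I would move the encoding into a private `hexKeyId(byte[] keyIdentifier)` helper used by both methods and name the local `keyIdentifier` to match `getSki`. `getSki` begins before this hunk; only its return line is visible.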
@@ -53,12 +54,14 @@ public void init() { } @Test - void utilTest() throws IOException, CertificateException { + void utilTest() throws IOException, CertificateException, NoSuchAlgorithmException { try (var pemStream = Resources.getResource("test.crt").openStream()) { var pem = new String(pemStream.readAllBytes()); var cert = Certutil.loadCertificate(pem); var clientId = Certutil.getClientId(cert); + var ski = Certutil.createSki(cert); assertThat(clientId).isEqualTo("65:FA:DE:C2:6A:58:98:D8:EA:FC:70:27:76:A0:75:D5:A1:C4:89:F9:keyid:65:FA:DE:C2:6A:58:98:D8:EA:FC:70:27:76:A0:75:D5:A1:C4:89:F9"); + assertThat(ski).isEqualTo(Certutil.getSki(cert)); var certPem = Certutil.getCertificate(cert); System.out.println(certPem); var certJson = jsonUtil.getCertificateJson(cert);
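Review bot: The added assertion covers only the positive case, `createSki(cert)` equal to `getSki(cert)` for the bundled test.crt, so a regression that made both helpers return the same wrong value, or one that broke the rejection path in DapsManager, would still pass. A second fixture under the test resources whose SKI extension does not match its public key, with an assertion that the two values differ, would pin the behaviour this commit is about. Comparing two computed values also hides drift; pinning `ski` to a literal (the first key id in the expected clientId on the line above, if that part is indeed the SKI) would catch both helpers changing together, e.g. `assertThat(ski).isEqualTo("65:FA:DE:C2:6A:58:98:D8:EA:FC:70:27:76:A0:75:D5:A1:C4:89:F9");`. utilTest continues past the end of the hunk.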