eclipse-tractusx · SebastianBezold · May 12, 2023 · May 12, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Changed 
 - make DapsManager methods synchronized
 - check if a client was registered before creating new registration
+- check if SKI was spoofed before creating a new registration
 
 ### Added
 - add attributes validation

diff --git a/src/main/java/org/eclipse/tractusx/dapsreg/service/DapsManager.java b/src/main/java/org/eclipse/tractusx/dapsreg/service/DapsManager.java
@@ -68,6 +68,9 @@ public synchronized ResponseEntity<Map<String, Object>> createClientPost(String
                                                  String securityProfile) {
         var cert = Certutil.loadCertificate(new String(file.getBytes()));
         var clientId = Certutil.getClientId(cert);
+        if (!Certutil.createSki(cert).equals(Certutil.getSki(cert))) {
+            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Certificate problem");
+        }
         if (dapsClient.getClient(clientId).isPresent()) {
             throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Client exists");
         }

diff --git a/src/main/java/org/eclipse/tractusx/dapsreg/util/Certutil.java b/src/main/java/org/eclipse/tractusx/dapsreg/util/Certutil.java
@@ -25,11 +25,13 @@
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
 import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
 import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.StringWriter;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
@@ -56,6 +58,12 @@ public static String getSki(X509Certificate cert) {
         return BaseEncoding.base16().upperCase().withSeparator(":", 2).encode(keyIdentifier);
     }
 
+    public static String createSki(X509Certificate cert) throws NoSuchAlgorithmException {
+        var publicKey = cert.getPublicKey();
+        var r = new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKey).getKeyIdentifier();
+        return BaseEncoding.base16().upperCase().withSeparator(":", 2).encode(r);
+    }
+
     public static X509Certificate loadCertificate(String pem) throws IOException, CertificateException {
         try(var ts = new ByteArrayInputStream(pem.getBytes(Charsets.UTF_8))) {
             CertificateFactory fac  = CertificateFactory.getInstance("X509");

diff --git a/src/test/java/org/eclipse/tractusx/dapsreg/DapsUtilTests.java b/src/test/java/org/eclipse/tractusx/dapsreg/DapsUtilTests.java
@@ -33,6 +33,7 @@
 
 import jakarta.annotation.PostConstruct;
 import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -53,12 +54,14 @@ public void init() {
 	}
 
 	@Test
-	void utilTest() throws IOException, CertificateException {
+	void utilTest() throws IOException, CertificateException, NoSuchAlgorithmException {
 		try (var pemStream = Resources.getResource("test.crt").openStream()) {
 			var pem = new String(pemStream.readAllBytes());
 			var cert = Certutil.loadCertificate(pem);
 			var clientId = Certutil.getClientId(cert);
+			var ski = Certutil.createSki(cert);
 			assertThat(clientId).isEqualTo("65:FA:DE:C2:6A:58:98:D8:EA:FC:70:27:76:A0:75:D5:A1:C4:89:F9:keyid:65:FA:DE:C2:6A:58:98:D8:EA:FC:70:27:76:A0:75:D5:A1:C4:89:F9");
+			assertThat(ski).isEqualTo(Certutil.getSki(cert));
 			var certPem = Certutil.getCertificate(cert);
 			System.out.println(certPem);
 			var certJson = jsonUtil.getCertificateJson(cert);