Merge pull request #39 from admin-ch/feature/renew

add verification endpoint for cert renewal

Author: ubhaller

ch-covidcertificate-backend-verification-check/ch-covidcertificate-backend-verification-check-ws/pom.xml

@@ -74,7 +74,7 @@
         <dependency>
             <groupId>ch.admin.bag.covidcertificate</groupId>
             <artifactId>sdk-core</artifactId>
-            <version>3.1.0</version>
+            <version>3.2.0</version>
         </dependency>
 
         <dependency>

ch-covidcertificate-backend-verification-check/ch-covidcertificate-backend-verification-check-ws/src/main/java/ch/admin/bag/covidcertificate/backend/verification/check/ws/controller/VerificationController.java

@@ -84,6 +84,31 @@ public VerificationController(VerificationService verificationService) {
         return verificationResponse;
     }
 
+    @Documentation(
+            description = "Verify whether a certificate is eligible for renewal"
+    )
+    @PostMapping(path = {"/verifyRenewal"})
+    public @ResponseBody VerificationResponse verifyRenewal(
+            @RequestBody HCertPayload hCertPayload){
+        // Decode hcert
+        final var certificateHolder = verificationService.decodeHCert(hCertPayload);
+
+        // Verify hcert
+        final var verificationState = verificationService.verifyDccForRenewal(certificateHolder);
+
+        // Build response
+        final var verificationResponse = new VerificationResponse();
+        verificationResponse.setHcertDecoded(certificateHolder);
+        if (verificationState instanceof VerificationState.SUCCESS) {
+            verificationResponse.setSuccessState((VerificationState.SUCCESS) verificationState);
+        } else if (verificationState instanceof ERROR) {
+            verificationResponse.setErrorState((ERROR) verificationState);
+        } else {
+            verificationResponse.setInvalidState((INVALID) verificationState);
+        }
+        return verificationResponse;
+    }
+
     @ExceptionHandler(DecodingException.class)
     @ResponseStatus(HttpStatus.BAD_REQUEST)
     public ResponseEntity<String> invalidHCert(DecodingException e) {

ch-covidcertificate-backend-verification-check/ch-covidcertificate-backend-verification-check-ws/src/main/java/ch/admin/bag/covidcertificate/backend/verification/check/ws/model/TrustListConfig.java

@@ -10,6 +10,8 @@ public class TrustListConfig {
 
     private RevokedCertificatesRepository revokedCertificatesRepository;
 
+    private TrustList renewalTrustList;
+
     public RevokedCertificatesRepository getRevokedCertificatesRepository() {
         return revokedCertificatesRepository;
     }
@@ -42,4 +44,13 @@ public boolean isOutdated() {
                 || this.lastSync.isBefore(
                         now.minusMillis(trustList.getRuleSet().getValidDuration()));
     }
+
+    public TrustList getRenewalTrustList() {
+        return renewalTrustList;
+    }
+
+    public void setRenewalTrustList(
+            TrustList renewalTrustList) {
+        this.renewalTrustList = renewalTrustList;
+    }
 }

ch-covidcertificate-backend-verification-check/ch-covidcertificate-backend-verification-check-ws/src/main/java/ch/admin/bag/covidcertificate/backend/verification/check/ws/verification/VerificationService.java

@@ -8,14 +8,18 @@
 import ch.admin.bag.covidcertificate.backend.verification.check.ws.model.RevokedCertificatesRepository;
 import ch.admin.bag.covidcertificate.backend.verification.check.ws.model.RevokedCertificatesRepository.RevokedCertificates;
 import ch.admin.bag.covidcertificate.backend.verification.check.ws.model.TrustListConfig;
+import ch.admin.bag.covidcertificate.sdk.core.data.ErrorCodes;
 import ch.admin.bag.covidcertificate.sdk.core.decoder.CertificateDecoder;
 import ch.admin.bag.covidcertificate.sdk.core.models.healthcert.CertificateHolder;
 import ch.admin.bag.covidcertificate.sdk.core.models.state.CheckNationalRulesState;
 import ch.admin.bag.covidcertificate.sdk.core.models.state.CheckRevocationState;
 import ch.admin.bag.covidcertificate.sdk.core.models.state.CheckSignatureState;
 import ch.admin.bag.covidcertificate.sdk.core.models.state.DecodeState;
+import ch.admin.bag.covidcertificate.sdk.core.models.state.SuccessState.WalletSuccessState;
 import ch.admin.bag.covidcertificate.sdk.core.models.state.VerificationState;
+import ch.admin.bag.covidcertificate.sdk.core.models.state.VerificationState.ERROR;
 import ch.admin.bag.covidcertificate.sdk.core.models.state.VerificationState.INVALID;
+import ch.admin.bag.covidcertificate.sdk.core.models.state.VerificationState.LOADING;
 import ch.admin.bag.covidcertificate.sdk.core.models.state.VerificationState.SUCCESS;
 import ch.admin.bag.covidcertificate.sdk.core.models.trustlist.ActiveModes;
 import ch.admin.bag.covidcertificate.sdk.core.models.trustlist.DisplayRule;
@@ -66,6 +70,10 @@ public class VerificationService {
 
     private final RestTemplate rt;
 
+    private static final VerificationState DUMMY_SUCCESS_STATE =
+            new VerificationState.SUCCESS(
+                    new WalletSuccessState(false, null, new ArrayList<>(), null, null), false);
+
     @Value("${verifier.baseurl}")
     private String verifierBaseUrl;
 
@@ -81,6 +89,8 @@ public class VerificationService {
     @Value("${verifier.api-key:}")
     private String apiKey;
 
+    private static final String SHOW_RENEW_BANNER = "showRenewBanner";
+
     public VerificationService(RestTemplate rt) {
         this.rt = rt;
     }
@@ -93,12 +103,15 @@ public void init() {
     public void updateTrustListConfig() {
         try {
             logger.info("updating trust list config");
-            Jwks jwks = getDSCs();
+            Jwks jwks = getDSCs(null);
+            Jwks jwksCh = getDSCs("CH");
             RevokedCertificatesRepository revokedCerts = getRevokedCerts();
             RuleSet nationalRules = getNationalRules();
             this.trustListConfig.setTrustList(new TrustList(jwks, revokedCerts, nationalRules));
             this.trustListConfig.setRevokedCertificatesRepository(revokedCerts);
             this.trustListConfig.setLastSync(Instant.now());
+            this.trustListConfig.setRenewalTrustList(
+                    new TrustList(jwksCh, revokedCerts, nationalRules));
             logger.info("done updating trust list config");
         } catch (Exception e) {
             logger.error("failed to update trust list config", e);
@@ -111,17 +124,24 @@ public void updateTrustListConfig() {
      *
      * @return a JWKs object as required by the SDK-core mapped from a list of ClientCerts
      */
-    private Jwks getDSCs() throws URISyntaxException {
-        logger.info("Updating list of DSCs");
+    private Jwks getDSCs(String country) throws URISyntaxException {
+        if (country == null) {
+            logger.info("Updating list of DSCs for all countries");
+        } else {
+            logger.info("Updating list of DSCs for {}", country);
+        }
         Map<String, String> params = getKeyUpdatesParams();
+        if (country != null) {
+            params.put("country", country);
+        }
         List<Jwk> jwkList = new ArrayList<>();
         boolean done = false;
         int it = 0;
         do {
             final ResponseEntity<Jwks> response =
                     rt.exchange(getRequestEntity(dscEndpoint, params), Jwks.class);
             var body = response.getBody();
-            if(body != null){
+            if (body != null) {
                 jwkList.addAll(body.getCerts());
             }
 
@@ -172,7 +192,7 @@ private RevokedCertificatesRepository getRevokedCerts() throws URISyntaxExceptio
                 rt.exchange(
                         getRequestEntity(revocationEndpoint, params), RevokedCertificates.class);
         RevokedCertificates revokedCerts = response.getBody();
-        if(revokedCerts == null){
+        if (revokedCerts == null) {
             logger.error("Failed to get revoked certificates");
             throw new NullPointerException("Failed to get revoked certificates");
         }
@@ -188,11 +208,11 @@ private RevokedCertificatesRepository getRevokedCerts() throws URISyntaxExceptio
                         rt.exchange(
                                 getRequestEntity(revocationEndpoint, params),
                                 RevokedCertificates.class);
-                if(response.getBody() != null) {
+                if (response.getBody() != null) {
                     var body = response.getBody();
-                    if(body != null){
+                    if (body != null) {
                         repo.addCertificates(body.getRevokedCerts());
-                    }else{
+                    } else {
                         logger.error("Failed to fetch some of the revoked certificates");
                     }
                 }
@@ -203,7 +223,7 @@ private RevokedCertificatesRepository getRevokedCerts() throws URISyntaxExceptio
 
             it++;
         }
-            logger.info("downloaded {} revoked certificates", revokedCerts.getRevokedCerts().size());
+        logger.info("downloaded {} revoked certificates", revokedCerts.getRevokedCerts().size());
 
         return repo;
     }
@@ -220,7 +240,7 @@ private RuleSet getNationalRules() throws URISyntaxException {
                                 getRequestEntity(rulesEndpoint, new HashMap<>()),
                                 IntermediateRuleSet.class)
                         .getBody();
-        if(intermediateRuleSet == null){
+        if (intermediateRuleSet == null) {
             logger.error("Failed to fetch national rules");
             throw new NullPointerException("intermediateRuleSet is null");
         }
@@ -248,7 +268,12 @@ private RuleSet getNationalRules() throws URISyntaxException {
                         .map(rule -> new DisplayRule(rule.getId(), rule.getLogic()))
                         .collect(Collectors.toList());
         ModeRules intermediateModeRules = intermediateRuleSet.getModeRules();
-        ch.admin.bag.covidcertificate.sdk.core.models.trustlist.ModeRules sdkModeRules = new ch.admin.bag.covidcertificate.sdk.core.models.trustlist.ModeRules(intermediateModeRules.getActiveModes(), intermediateModeRules.getWalletActiveModes(), intermediateModeRules.getVerifierActiveModes(), intermediateModeRules.getLogic());
+        ch.admin.bag.covidcertificate.sdk.core.models.trustlist.ModeRules sdkModeRules =
+                new ch.admin.bag.covidcertificate.sdk.core.models.trustlist.ModeRules(
+                        intermediateModeRules.getActiveModes(),
+                        intermediateModeRules.getWalletActiveModes(),
+                        intermediateModeRules.getVerifierActiveModes(),
+                        intermediateModeRules.getLogic());
         logger.info("downloaded {} rules", rules.size());
 
         return new RuleSet(
@@ -303,10 +328,53 @@ public VerificationState verifyDccAllModes(CertificateHolder certificateHolder)
                 : getOutdatedTrustListState(state);
     }
 
-    public VerificationState verifyDccSingleMode(CertificateHolder certificateHolder, String mode){
+    public VerificationState verifyDccSingleMode(CertificateHolder certificateHolder, String mode) {
         TrustList trustList = trustListConfig.getTrustList();
         VerificationState state =
-                VerifyWrapper.verifyVerifier(certificateVerifier, certificateHolder, trustList, mode);
+                VerifyWrapper.verifyVerifier(
+                        certificateVerifier, certificateHolder, trustList, mode);
+        return !trustListConfig.isOutdated() || state instanceof VerificationState.ERROR
+                ? state
+                : getOutdatedTrustListState(state);
+    }
+
+    public VerificationState verifyDccForRenewal(CertificateHolder certificateHolder) {
+        TrustList trustList = trustListConfig.getRenewalTrustList();
+        VerificationState state =
+                VerifyWrapper.verifyWallet(certificateVerifier, certificateHolder, trustList);
+        String renewBanner = null;
+        if (state instanceof ERROR || state instanceof LOADING) {
+            return state;
+        } else if (state instanceof SUCCESS) {
+            renewBanner =
+                    ((WalletSuccessState) ((SUCCESS) state).getSuccessState()).getShowRenewBanner();
+        } else if (state instanceof INVALID) {
+            renewBanner = ((INVALID) state).getShowRenewBanner();
+        }
+        if (!SHOW_RENEW_BANNER.equals(renewBanner)) {
+            return new INVALID(null, null, null, null, null);
+        }
+        // Certain verification failures are accepted in the renewal case as long as it's not
+        // revoked
+        if (state instanceof INVALID
+                && (((INVALID) state).getRevocationState()
+                        instanceof CheckRevocationState.SUCCESS)) {
+            var signatureState = ((INVALID) state).getSignatureState();
+
+            // As long as the signature is ok, we can ignore rule failures
+            if (signatureState instanceof CheckSignatureState.SUCCESS) {
+                state = DUMMY_SUCCESS_STATE;
+                // If the signature has expired but is otherwise ok, the cert is also approved for
+                // renewal
+            } else if (signatureState instanceof CheckSignatureState.INVALID) {
+                var invalidState = (CheckSignatureState.INVALID) signatureState;
+                if (invalidState
+                        .getSignatureErrorCode()
+                        .equals(ErrorCodes.SIGNATURE_TIMESTAMP_EXPIRED)) {
+                    state = DUMMY_SUCCESS_STATE;
+                }
+            }
+        }
         return !trustListConfig.isOutdated() || state instanceof VerificationState.ERROR
                 ? state
                 : getOutdatedTrustListState(state);
@@ -343,16 +411,16 @@ private VerificationState getOutdatedTrustListState(VerificationState originalSt
                 signatureState,
                 new CheckRevocationState.INVALID(TRUST_LIST_OUTDATED),
                 new CheckNationalRulesState.INVALID(
-                        NationalRulesError.UNKNOWN_RULE_FAILED, false, TRUST_LIST_OUTDATED),
-                null);
+                        NationalRulesError.UNKNOWN_RULE_FAILED, false, TRUST_LIST_OUTDATED, ""),
+                null,
+                "");
     }
 
-    public List<ActiveModes> getWalletVerificationModes(){
+    public List<ActiveModes> getWalletVerificationModes() {
         return trustListConfig.getTrustList().getRuleSet().getModeRules().getActiveModes();
     }
 
-    public List<ActiveModes> getVerifierVerificationModes(){
+    public List<ActiveModes> getVerifierVerificationModes() {
         return trustListConfig.getTrustList().getRuleSet().getModeRules().getVerifierActiveModes();
     }
-
 }