RM-4957: unencode serial_number field in keylabel

Olesja Aarma · Olesja Aarma · commit 61c4cb476df4 · 2025-02-18T16:43:05.000+02:00
diff --git a/cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/KeyLabelTools.java b/cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/KeyLabelTools.java
@@ -3,7 +3,6 @@
 import jakarta.annotation.Nullable;
 
 import java.io.File;
-import java.math.BigInteger;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
@@ -167,12 +166,12 @@ public static KeyLabelParams createCertKeyLabelParams(
     /**
      * Create eID key label parameters for data section of formatted key label.
      * @param keyLabel key label as common name from certificate
-     * @param serialNumber serial number from certificate
+     * @param serialNumber serial number, parsed from certificate field 'subjectDn'
      * @param keyLabelType key label type from certificate
      * @return KeyLabelParams key label parameters required for data section
      */
     public static KeyLabelParams createEIdKeyLabelParams(
-        String keyLabel, BigInteger serialNumber, String keyLabelType
+        String keyLabel, String serialNumber, String keyLabelType
     ) {
         Map<String, String> keyLabelParamsMap = createKeyLabelParamsMap();
         keyLabelParamsMap.put(
@@ -190,7 +189,7 @@ public static KeyLabelParams createEIdKeyLabelParams(
             = new KeyLabelParams(EncryptionKeyOrigin.ID_CARD, keyLabelParamsMap);
 
         keyLabelParams.addParam(KeyLabelDataFields.CN.name(), keyLabel);
-        keyLabelParams.addParam(KeyLabelDataFields.SERIAL_NUMBER.name(), String.valueOf(serialNumber));
+        keyLabelParams.addParam(KeyLabelDataFields.SERIAL_NUMBER.name(), serialNumber);
 
         int endAfterLastName = keyLabel.indexOf(",");
         int endAfterFirstName = keyLabel.indexOf(",", endAfterLastName + 1);
diff --git a/cdoc2-lib/src/main/java/ee/cyber/cdoc2/util/SkLdapUtil.java b/cdoc2-lib/src/main/java/ee/cyber/cdoc2/util/SkLdapUtil.java
@@ -2,7 +2,6 @@
 
 import java.io.ByteArrayInputStream;
 import java.io.File;
-import java.math.BigInteger;
 import java.security.PublicKey;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
@@ -24,6 +23,8 @@
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import javax.security.auth.x500.X500Principal;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -36,8 +37,8 @@
  * @see <a href=https://www.skidsolutions.eu/repositoorium/ldap/esteid-ldap-kataloogi-kasutamine/>SK LDAP</a>
  */
 public final class SkLdapUtil {
-    private SkLdapUtil() {
 
+    private SkLdapUtil() {
     }
 
     private static final Logger log = LoggerFactory.getLogger(SkLdapUtil.class);
@@ -155,15 +156,15 @@ public static List<SkLdapUtil.CertificateData> getPublicKeysWithLabels(String[]
             for (String id: ids) {
                 Map<X509Certificate, String> certs = findAuthenticationEstEidCertificates(ctx, id);
                 if (certs.isEmpty()) {
-                    throw new CertificateException("Identity code " + id + "is  not found at server");
+                    throw new CertificateException("Identity code " + id + " is not found at server");
                 }
 
                 for (var certNameEntry: certs.entrySet()) {
                     X509Certificate cert = certNameEntry.getKey();
                     String distinguishedName = certNameEntry.getValue();
                     CertificateData certificateData = getKeyLabel(cert, distinguishedName);
                     certificateData.setPublicKey(cert.getPublicKey());
-                    certificateData.setSerialNumber(cert.getSerialNumber());
+                    certificateData.setSerialNumber(getSemanticsIdentifier(cert));
 
                     log.debug("Adding certificate data {}", certificateData);
                     certDatas.add(certificateData);
@@ -253,6 +254,39 @@ private static CertificateData getKeyLabel(X509Certificate cert, @Nullable Strin
         }
     }
 
+    /**
+     * Parse serialNumber from certificate subjectDN serialNumber
+     * (example subjectDN='SERIALNUMBER=PNOEE-30303039914, GIVENNAME=OK, SURNAME=TESTNUMBER, CN="TESTNUMBER,OK", C=EE')
+     * @param cert certificate
+     * @return semanticsIdentifier as String (for example PNOEE-30303039914)
+     */
+    @Nullable
+    private static String getSemanticsIdentifier(X509Certificate cert) {
+        X500Principal subjectX500Principal = cert.getSubjectX500Principal();
+        var knownOids = Map.of(
+            "2.5.4.5", "serialNumber",
+            "2.5.4.42", "givenName",
+            "2.5.4.4", "surname");
+
+        // X500Principal in Java 17 doesn't know about knowOids, although deprecated getSubjectDN is able to parse those
+        // subjectDN='SERIALNUMBER=PNOEE-30303039914, GIVENNAME=OK, SURNAME=TESTNUMBER, CN="TESTNUMBER,OK", C=EE'
+        String subjectDN = subjectX500Principal.getName(X500Principal.RFC2253, knownOids);
+
+        try {
+            LdapName ln = new LdapName(subjectDN);
+
+            for (Rdn rdn : ln.getRdns()) {
+                if (rdn.getType().equalsIgnoreCase("serialNumber")) {
+                    return rdn.getValue().toString();
+                }
+            }
+            log.info("serialNumber not found from subjectDN {}", subjectDN);
+        } catch (InvalidNameException ine) {
+            log.info("Failed to get serialNumber from invalid certificate subjectDN field");
+        }
+        return null;
+    }
+
     public static class CertificateData {
         private PublicKey publicKey;
         private String keyLabel;
@@ -261,7 +295,7 @@ public static class CertificateData {
         @Nullable
         private String fingerprint;
         @Nullable
-        private BigInteger serialNumber;
+        private String serialNumber;
         private String keyLabelType;
 
         public CertificateData() {
@@ -276,15 +310,18 @@ public String getKeyLabel() {
             return this.keyLabel;
         }
 
+        @Nullable
         public File getFile() {
             return this.file;
         }
 
+        @Nullable
         public String getFingerprint() {
             return this.fingerprint;
         }
 
-        public BigInteger getSerialNumber() {
+        @Nullable
+        public String getSerialNumber() {
             return this.serialNumber;
         }
 
@@ -300,15 +337,15 @@ public void setKeyLabel(String keyLabel) {
             this.keyLabel = keyLabel;
         }
 
-        public void setFile(File file) {
+        public void setFile(@Nullable File file) {
             this.file = file;
         }
 
-        public void setFingerprint(String fingerprint) {
+        public void setFingerprint(@Nullable String fingerprint) {
             this.fingerprint = fingerprint;
         }
 
-        public void setSerialNumber(BigInteger serialNumber) {
+        public void setSerialNumber(@Nullable String serialNumber) {
             this.serialNumber = serialNumber;
         }
 
diff --git a/cdoc2-lib/src/test/java/ee/cyber/cdoc2/KeyLabelToolsTest.java b/cdoc2-lib/src/test/java/ee/cyber/cdoc2/KeyLabelToolsTest.java
@@ -11,7 +11,6 @@
 import org.junit.jupiter.api.Test;
 
 import java.io.File;
-import java.math.BigInteger;
 import java.nio.charset.StandardCharsets;
 import java.util.Map;
 import java.util.TreeMap;
@@ -238,7 +237,7 @@ null, null, new File("file_name")
     void testEIdLabelParamsCreation() {
         KeyLabelParams keyLabelParams = createEIdKeyLabelParams(
             "Common,Name,IdentityCode",
-            BigInteger.valueOf(123456),
+            "PNOEE-30303039914",
             KeyLabelTools.KeyLabelType.CERT.getName()
         );
 
@@ -250,7 +249,7 @@ void testEIdLabelParamsCreation() {
             )
         );
         assertEquals(
-            "123456",
+            "PNOEE-30303039914",
             getDecodedKeyLabelParamValue(
                 keyLabelParams.keyLabelParams(),
                 KeyLabelTools.KeyLabelDataFields.SERIAL_NUMBER
