Refactor certificate validation to support test and self-signed CAs

Introduce `allowUziTestCa` and `allowSelfSignedCa` flags to UraValidatorImpl for more flexible certificate chain validation. Refactor the validation logic to handle these new flags appropriately, ensuring better support for various CA configurations.
nuts-foundation · Oct 14, 2024 · 2eaf1d2 · 2eaf1d2
1 parent 7e88b99
commit 2eaf1d2
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 34 deletions.
diff --git a/uzi_vc_issuer/ura_issuer.go b/uzi_vc_issuer/ura_issuer.go
@@ -33,24 +33,19 @@ import (
 var RegexOtherNameValue = regexp.MustCompile(`\d+-\d+-S-(\d+)-00\.000-\d+`)
 
 // Issue generates a URA Verifiable Credential using provided certificate, signing key, subject DID, and subject name.
-func Issue(certificateFile string, signingKeyFile string, subjectDID string, test bool) (string, error) {
+func Issue(certificateFile string, signingKeyFile string, subjectDID string, allowTestUraCa bool) (string, error) {
 	pemBlocks, err := pem2.ParseFileOrPath(certificateFile, "CERTIFICATE")
 	if err != nil {
 		return "", err
 	}
-
+	allowSelfSignedCa := len(pemBlocks) > 1
 	if len(pemBlocks) == 1 {
-		if !test {
-			err = fmt.Errorf("did not find exactly one certificate in file %s", certificateFile)
+		certificate := pemBlocks[0]
+		pemBlocks, err = ca_certs.GetDERs(allowTestUraCa)
+		if err != nil {
 			return "", err
-		} else {
-			certificate := pemBlocks[0]
-			pemBlocks, err = ca_certs.GetDERs(test)
-			if err != nil {
-				return "", err
-			}
-			pemBlocks = append(pemBlocks, certificate)
 		}
+		pemBlocks = append(pemBlocks, certificate)
 	}
 
 	signingKeys, err := pem2.ParseFileOrPath(signingKeyFile, "PRIVATE KEY")
@@ -86,7 +81,7 @@ func Issue(certificateFile string, signingKeyFile string, subjectDID string, tes
 	if err != nil {
 		return "", err
 	}
-	validator := uzi_vc_validator.NewUraValidator(test)
+	validator := uzi_vc_validator.NewUraValidator(allowTestUraCa, allowSelfSignedCa)
 	jwtString := string(credentialJSON)
 	jwtString = jwtString[1:]                // Chop start
 	jwtString = jwtString[:len(jwtString)-1] // Chop end

diff --git a/uzi_vc_validator/ura_validator.go b/uzi_vc_validator/ura_validator.go
@@ -22,7 +22,12 @@ type UraValidator interface {
 }
 
 type UraValidatorImpl struct {
-	test bool
+	allowUziTestCa    bool
+	allowSelfSignedCa bool
+}
+
+func NewUraValidator(allowUziTestCa bool, allowSelfSignedCa bool) *UraValidatorImpl {
+	return &UraValidatorImpl{allowUziTestCa, allowSelfSignedCa}
 }
 
 type JwtHeaderValues struct {
@@ -58,7 +63,7 @@ func (u UraValidatorImpl) Validate(jwtString string) error {
 	// 	return err
 	// }
 
-	err = validateChain(chainCertificates, u.test)
+	err = validateChain(signingCert, chainCertificates, u.allowUziTestCa, u.allowSelfSignedCa)
 	if err != nil {
 		return err
 	}
@@ -87,37 +92,26 @@ func (u UraValidatorImpl) Validate(jwtString string) error {
 }
 
 // func validateChain(signingCert *x509.Certificate, certificates []*x509.Certificate, includeTest bool) error {
-func validateChain(chain []*x509.Certificate, testChain bool) error {
+func validateChain(signingCert *x509.Certificate, chain []*x509.Certificate, allowUziTestCa bool, allowSelfSignedCa bool) error {
 
 	roots := x509.NewCertPool()
 	intermediates := x509.NewCertPool()
 	var err error
 
-	if testChain {
+	if allowSelfSignedCa {
 		roots.AddCert(chain[len(chain)-1])
 		for i := 1; i < len(chain)-1; i++ {
 			intermediates.AddCert(chain[i])
 		}
 	} else {
-		roots, intermediates, err = ca_certs.GetCertPools(testChain)
+		roots, intermediates, err = ca_certs.GetCertPools(allowUziTestCa)
 		if err != nil {
 			return err
 		}
 	}
-
-	// // First validate against the own provided pool
-	// err = validate(signingCert, roots, intermediates)
-	// if err != nil {
-	// 	err = fmt.Errorf("could not validate against own provided pool: %s", err.Error())
-	// 	return err
-	// }
-	// root, intermediates, err := ca_certs.GetCertPools(includeTest)
-	// if err != nil {
-	// 	return err
-	// }
-	err = validate(chain[0], roots, intermediates)
+	err = validate(signingCert, roots, intermediates)
 	if err != nil {
-		err = fmt.Errorf("could not validate against the CA pool from zorgcsp (includeTest=%v): %s", testChain, err.Error())
+		err = fmt.Errorf("could not validate against the CA pool. %s", err.Error())
 		return err
 	}
 	return nil
@@ -181,7 +175,3 @@ func parseJwtHeaderValues(jwtString string) (*JwtHeaderValues, error) {
 	}
 	return metadata, nil
 }
-
-func NewUraValidator(test bool) *UraValidatorImpl {
-	return &UraValidatorImpl{test}
-}