eu-federation-gateway-service / efgs-federation-gateway

The goal of this project is to develop the official European solution for the interoperability between national backend servers of decentralised contact tracing applications to combat COVID-19.
Apache License 2.0

Allow hash calculation for full-certificate #274

Closed ubamrein closed 2 years ago

ubamrein commented 3 years ago

Introduction

There are various implementations of proxies/load balancers, and there is no agreed standard for how to inform services behind the proxy which certificate was used for mutual TLS. There are certain quasi-standard headers, which have been established as a convention, to provide meta information about the certificate. Sadly, there is no common ground on how to pass a representation of the certificate to said services. Whereas the original EFGS implementation uses the SHA-256 hash of the DER representation of the certificate (aka fingerprint/thumbprint), the load balancer used for the Swiss implementation does not provide such functionality. The Swiss load balancer only allows passing the full certificate on to the service.

Solution

In this PR we added new properties to control the header used for the certificate, and a flag indicating whether the certificate fingerprint should be calculated from the full certificate. Furthermore, CertificateUtils has been extended to provide a function parsing a certificate in the DER encoding, either within a container (aka PEM) or by itself. It tries to normalize the given certificate with regard to newline encodings, and parses the DER bytes, creating a Java representation of an X509 certificate, which then uses the methods in place to calculate the hash (aka fingerprint/thumbprint). Further, a copy of the original test class was modified to not send a fingerprint but rather provide the full certificate.
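
The following is an added illustration, not part of the pull request and not the project's `CertificateUtils` code (which is Java): a Python sketch showing that the SHA-256 thumbprint depends only on the DER bytes, so a full certificate forwarded as PEM or bare base64 DER, with any newline encoding, yields the same value. All names are hypothetical, the sample is a constructed DER blob rather than a real certificate, the URL-escaped form is an assumed proxy behaviour, and the structural check stands in for the full X.509 parsing the PR performs.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import unquote

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a 260-byte DER SEQUENCE standing in for a certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def check_single_der_sequence(der: bytes) -> None:
    """Require one definite-length DER SEQUENCE spanning the whole input."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: length in one byte
        header, length = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated or trailing data")


def der_from_header(value: str) -> bytes:
    """Recover DER bytes from a forwarded certificate header value."""
    if "%" in value:                       # URL-escaped PEM (assumed proxy behaviour)
        value = unquote(value)
    blocks = PEM_RE.findall(value)
    if len(blocks) > 1:
        raise ValueError("expected exactly one certificate")
    body = blocks[0] if blocks else value  # no armour: treat as bare base64 DER
    b64 = re.sub(r"\s+", "", body)         # drops \r\n, \n, spaces and tabs
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid base64") from exc
    check_single_der_sequence(der)
    return der


def thumbprint(value: str) -> str:
    """SHA-256 over the DER bytes, hex encoded."""
    return hashlib.sha256(der_from_header(value)).hexdigest()
```

Rejecting trailing bytes and multiple PEM blocks matters here because the thumbprint is used as an identity: the hash must cover exactly one certificate and nothing else in the header value.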