Updated to make it possible to have several keys with the same kid (eu-digital-green-certificates#38)

* Updated to make it possible to have several keys with the same kid

* Updated verification logic

Author: oleksandrsarapulovgl

app/src/main/java/dgca/verifier/app/android/data/VerifierRepository.kt

@@ -28,5 +28,5 @@ interface VerifierRepository {
 
     suspend fun fetchCertificates(): Boolean?
 
-    suspend fun getCertificate(kid: String): Certificate?
+    suspend fun getCertificatesBy(kid: String): List<Certificate>
 }

app/src/main/java/dgca/verifier/app/android/data/VerifierRepositoryImpl.kt

@@ -36,10 +36,10 @@ import java.security.cert.Certificate
 import javax.inject.Inject
 
 class VerifierRepositoryImpl @Inject constructor(
-    private val apiService: ApiService,
-    private val preferences: Preferences,
-    private val db: AppDatabase,
-    private val keyStoreCryptor: KeyStoreCryptor
+        private val apiService: ApiService,
+        private val preferences: Preferences,
+        private val db: AppDatabase,
+        private val keyStoreCryptor: KeyStoreCryptor
 ) : BaseRepository(), VerifierRepository {
 
     private val validCertList = mutableListOf<String>()
@@ -58,9 +58,8 @@ class VerifierRepositoryImpl @Inject constructor(
         }
     }
 
-    override suspend fun getCertificate(kid: String): Certificate? {
-        val key = db.keyDao().getById(kid)
-        return if (key != null) keyStoreCryptor.decrypt(key.key)?.base64ToX509Certificate() else null
+    override suspend fun getCertificatesBy(kid: String): List<Certificate> {
+        return db.keyDao().getByKid(kid).map { keyStoreCryptor.decrypt(it.key)?.base64ToX509Certificate()!! }
     }
 
     private suspend fun fetchCertificate(resumeToken: Long) {
@@ -79,7 +78,7 @@ class VerifierRepositoryImpl @Inject constructor(
 
         if (validCertList.contains(responseKid) && isKidValid(responseKid, responseStr)) {
             Timber.d("Cert KID verified")
-            val key = Key(responseKid!!, keyStoreCryptor.encrypt(responseStr)!!)
+            val key = Key(kid = responseKid!!, key = keyStoreCryptor.encrypt(responseStr)!!)
             db.keyDao().insert(key)
         }
 
@@ -95,9 +94,9 @@ class VerifierRepositoryImpl @Inject constructor(
 
         val cert = responseStr.base64ToX509Certificate() ?: return false
         val certKid = MessageDigest.getInstance("SHA-256")
-            .digest(cert.encoded)
-            .copyOf(8)
-            .toBase64()
+                .digest(cert.encoded)
+                .copyOf(8)
+                .toBase64()
 
         return responseKid == certKid
     }

app/src/main/java/dgca/verifier/app/android/data/local/Key.kt

@@ -27,7 +27,8 @@ import androidx.room.PrimaryKey
 
 @Entity(tableName = "keys")
 data class Key(
-
-    @PrimaryKey val kid: String,
-    val key: String
+        @PrimaryKey(autoGenerate = true)
+        val id: Int = 0,
+        val kid: String,
+        val key: String
 )

app/src/main/java/dgca/verifier/app/android/data/local/KeyDao.kt

@@ -36,8 +36,8 @@ interface KeyDao {
     @Query("SELECT * FROM keys WHERE kid IN (:keyIds)")
     fun getAllByIds(keyIds: Array<String>): List<Key>
 
-    @Query("SELECT * FROM keys WHERE kid LIKE :kid LIMIT 1")
-    fun getById(kid: String): Key?
+    @Query("SELECT * FROM keys WHERE kid LIKE :kid")
+    fun getByKid(kid: String): List<Key>
 
     @Query("DELETE FROM keys WHERE kid = :kid")
     fun deleteById(kid: String)

app/src/main/java/dgca/verifier/app/android/verification/VerificationViewModel.kt

@@ -49,14 +49,14 @@ import javax.inject.Inject
 
 @HiltViewModel
 class VerificationViewModel @Inject constructor(
-    private val prefixValidationService: PrefixValidationService,
-    private val base45Service: Base45Service,
-    private val compressorService: CompressorService,
-    private val cryptoService: CryptoService,
-    private val coseService: CoseService,
-    private val schemaValidator: SchemaValidator,
-    private val cborService: CborService,
-    private val verifierRepository: VerifierRepository
+        private val prefixValidationService: PrefixValidationService,
+        private val base45Service: Base45Service,
+        private val compressorService: CompressorService,
+        private val cryptoService: CryptoService,
+        private val coseService: CoseService,
+        private val schemaValidator: SchemaValidator,
+        private val cborService: CborService,
+        private val verifierRepository: VerifierRepository
 ) : ViewModel() {
 
     private val _verificationResult = MutableLiveData<VerificationResult>()
@@ -99,12 +99,17 @@ class VerificationViewModel @Inject constructor(
                 greenCertificate = cborService.decode(coseData.cbor, verificationResult)
                 validateCertData(greenCertificate, verificationResult)
 
-                val certificate = verifierRepository.getCertificate(kid.toBase64())
-                if (certificate == null) {
+                val certificates = verifierRepository.getCertificatesBy(kid.toBase64())
+                if (certificates.isEmpty()) {
                     Timber.d("Verification failed: failed to load certificate")
                     return@withContext
                 }
-                cryptoService.validate(cose, certificate, verificationResult)
+                certificates.forEach { innerCertificate ->
+                    cryptoService.validate(cose, innerCertificate, verificationResult)
+                    if (verificationResult.coseVerified) {
+                        return@forEach
+                    }
+                }
             }
 
             _inProgress.value = false