Getting remote TLS certs for incoming responses

[koes-soptim]

Good morning,

we asked ourselves if it is possible to access the remote TLS certificates when receiving a signal message.

Aeons ago, I added m_aRemoteTlsCerts to AS4IncomingMessageMetadata - but for outward connections, the peer certificates aren't yet populated.

I think we could gather the certificates in AbstractAS4Client#sendMessageWithRetries - but I assume the prerequisite are changes to ph-httpclient (some kind of interceptor or related measure). Then, we could call AS4IncomingMessageMetadata#setRemoteTlsCerts in AS4BidirectionalClientHelper.

Our main aim is a validation like #182 on the peer certificates.

Would that be possible?

[phax]

When I understand you correctly, you want to limit the allowed TLS server certificate CAs, right?
The usual way to do this is to provide a truststore with the allowed CAs and not intercept them manually. Is that something that could work for you as well?

[koes-soptim]

Not quite.
We wanted to validate if the remote TLS and signature certificates match the responder party ID - just like in BDEWCompatibilityValidator#validateInitiatorIdentity but for the responder.

(the OU part of the subject DN contains the market participant ID in BDEW contexts)

[phax]

And you want to verify that ahead of sending I assume, correct.
So we have 2 general approaches:

• During regular AS4 transmission add some "interrupt" possibility to check between the handshake and the data transmission or
• Perform an initial connection request prior to sending to only get the certificate data, perform the checks and then do the regular atomic sending

I would prefer the second approach, as it keeps the atomicity of HTTP transport

[koes-soptim]

As discussed via Slack: We would like to validate the AS4 NRR signature against the TLS remote server cert. 🙂 The solution for this should be much less complex.