fix: Parse full certificate chain for client certificates

[JCapucho]

Previously the code for parsing the certificate chain for use in connection's client certificate based authentication only parsed the very first certificate of what the user submitted (the client certificate itself), and disregarded all other certificates.

This works when the validation path doesn't include any intermediate certificates. However, as soon as an intermediate certificate is introduced everything stops working, because when the server requests a certificate for it's configured client certificate authority, no path can be made and client certificate authentication fails.

This PR fixes this issue by properly parsing the full certificate chain.

[thjaeckle]

Started a systemTests run at: https://github.com/eclipse-ditto/ditto/actions/runs/17616067613

[JCapucho]

Sorry just noticed that there was a problem with the code where it will accept empty certificates chains, should be fixed now.

[thjaeckle]

One relevant System-Test failed: org.eclipse.ditto.testing.system.connectivity.amqp10.Amqp10SaslIT

We must look into this before being able to accept the PR.
Test code is located here: https://github.com/eclipse-ditto/ditto-testing/blob/main/system/src/test/java/org/eclipse/ditto/testing/system/connectivity/amqp10/Amqp10SaslIT.java

[JCapucho]

One relevant System-Test failed: org.eclipse.ditto.testing.system.connectivity.amqp10.Amqp10SaslIT

We must look into this before being able to accept the PR. Test code is located here: https://github.com/eclipse-ditto/ditto-testing/blob/main/system/src/test/java/org/eclipse/ditto/testing/system/connectivity/amqp10/Amqp10SaslIT.java

I've had a quick look and this test seems to be using hmac credentials and there doesn't seem to be anything involving client certificates (or even amqps) and the timeout error seems a bit suspicious.

I'll try to look deeper as soon as I can find the time.

[JCapucho]

@thjaeckle I've just checked locally and the test passes, seeing as these changes shouldn't affect the test and the error seems to be a timeout I think it's fair to assume it's flakiness on the part of the tests.

[thjaeckle]

Ran another test-run: https://github.com/eclipse-ditto/ditto/actions/runs/17738343683

The test failure/error is still there - and it is not on a run against the "master" branch .. I'll look into it once I find some time.

[JCapucho]

@thjaeckle I didn't notice at first but the tests include logs

15:49:13.697 [ERROR] [Time-limited test] o.e.d.t.s.c.a.Amqp10TestServer - Could not listen on AMQP 1.0 server port 5887, remaining attempts: 1.
java.net.BindException: Address already in use
	at java.base/sun.nio.ch.Net.bind0(Native Method)
	at java.base/sun.nio.ch.Net.bind(Net.java:565)
	at java.base/sun.nio.ch.ServerSocketChannelImpl.netBind(ServerSocketChannelImpl.java:344)
	at java.base/sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:301)
	at io.netty.channel.socket.nio.NioServerSocketChannel.doBind(NioServerSocketChannel.java:141)
	at io.netty.channel.AbstractChannel$AbstractUnsafe.bind(AbstractChannel.java:561)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.bind(DefaultChannelPipeline.java:1281)
	at io.netty.channel.AbstractChannelHandlerContext.invokeBind(AbstractChannelHandlerContext.java:600)
	at io.netty.channel.AbstractChannelHandlerContext.bind(AbstractChannelHandlerContext.java:579)
	at io.netty.channel.DefaultChannelPipeline.bind(DefaultChannelPipeline.java:922)
	at io.netty.channel.AbstractChannel.bind(AbstractChannel.java:259)
	at io.netty.bootstrap.AbstractBootstrap$2.run(AbstractBootstrap.java:380)
	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)
15:50:10.580 [INFO ] [Time-limited test] o.e.d.t.c.IntegrationTest - Removing all dynamic connections for solution username <user-e8df3fdb-c228-4a18-b182-8ad88ddaef73>

This is the relevant logs for the test. Seems like the test can't start the test amqp server because the port is already taken.

[thjaeckle]

@JCapucho thanks, good catch 👍
I saw that 2 system-tests (which could run in parallel) used the same port for the Amqp10Server (used for tests).
I adjusted the one the Amqp10SaslIT.java uses .. and will re-run the tests now .. fingers crossed :)

Run: https://github.com/eclipse-ditto/ditto/actions/runs/17769628910

[thjaeckle]

Ok, the last test run was a success .. so good for me to be merged.

Thanks a lot @JCapucho for the contribution 🥳