From 1fbd9b54fc238a50f910f53d237784c25dc1cbdc Mon Sep 17 00:00:00 2001
From: Simon Laurenz
Date: Mon, 31 Jan 2022 16:11:34 +0100
Subject: [PATCH] Added Tls keysores loading from b64 env variable
---
 .../DgcGatewayConnectorRestClientConfig.java | 19 +++----
 .../config/DgcGatewayConnectorKeystore.java | 50 ++++++++++++++++++-
 2 files changed, 59 insertions(+), 10 deletions(-)
diff --git a/src/main/java/eu/europa/ec/dgc/gateway/connector/client/DgcGatewayConnectorRestClientConfig.java b/src/main/java/eu/europa/ec/dgc/gateway/connector/client/DgcGatewayConnectorRestClientConfig.java
index 5761e01..809425e 100644
--- a/src/main/java/eu/europa/ec/dgc/gateway/connector/client/DgcGatewayConnectorRestClientConfig.java
+++ b/src/main/java/eu/europa/ec/dgc/gateway/connector/client/DgcGatewayConnectorRestClientConfig.java
@@ -25,6 +25,7 @@
 import feign.httpclient.ApacheHttpClient;
 import java.io.IOException;
 import java.security.KeyManagementException;
+import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
@@ -37,11 +38,11 @@
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.message.BasicHeader;
 import org.apache.http.ssl.SSLContextBuilder;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.cloud.openfeign.EnableFeignClients;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.util.ResourceUtils;
 @ConditionalOnProperty("dgc.gateway.connector.tls-key-store.path")
 @Configuration
@@ -51,6 +52,12 @@ public class DgcGatewayConnectorRestClientConfig {
 private final DgcGatewayConnectorConfigProperties properties;
+ @Qualifier("tlsKeyStore")
+ private final KeyStore tlsKeyStore;
+
+ @Qualifier("tlsTrustStore")
+ private final KeyStore tlsTrustStore;
+
 /**
 * Feign Client for connection to DGC Gateway.
 *
@@ -77,16 +84,10 @@ private SSLContext getSslContext() throws IOException, UnrecoverableKeyException, CertificateException,
 NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
- return SSLContextBuilder.create()
- .loadTrustMaterial(
- ResourceUtils.getFile(properties.getTlsTrustStore().getPath()),
- properties.getTlsTrustStore().getPassword())
+ .loadTrustMaterial(tlsTrustStore, null)
 .loadKeyMaterial(
- ResourceUtils.getFile(properties.getTlsKeyStore().getPath()),
- properties.getTlsKeyStore().getPassword(),
- properties.getTlsKeyStore().getPassword(),
- (map, socket) -> properties.getTlsKeyStore().getAlias())
+ tlsKeyStore, properties.getTlsKeyStore().getPassword())
 .build();
 }
diff --git a/src/main/java/eu/europa/ec/dgc/gateway/connector/config/DgcGatewayConnectorKeystore.java b/src/main/java/eu/europa/ec/dgc/gateway/connector/config/DgcGatewayConnectorKeystore.java
index da1e563..d8b6a61 100644
--- a/src/main/java/eu/europa/ec/dgc/gateway/connector/config/DgcGatewayConnectorKeystore.java
+++ b/src/main/java/eu/europa/ec/dgc/gateway/connector/config/DgcGatewayConnectorKeystore.java
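Review bot: `@Qualifier` on the two new `private final` fields is only honoured if the class has an explicit constructor carrying the same qualifiers or Lombok is told to copy the annotation onto the generated constructor parameters (`lombok.copyableAnnotations += org.springframework.beans.factory.annotation.Qualifier`); with a plain generated constructor Spring sees only the parameter type `KeyStore`, of which the context now appears to hold three beans (`trustAnchorKeyStore`, `tlsTrustStore`, `tlsKeyStore`), and falls back to matching the parameter name against the bean name. The constructor is not in this hunk, so which case applies cannot be confirmed from here. Either add the lombok.config entry or write the constructor by hand with the qualifiers, and record why: `// qualified by name: DgcGatewayConnectorKeystore exposes several KeyStore beans`.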
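Review bot: The hunk removes `return SSLContextBuilder.create()` and adds nothing in its place, so the method body now begins with `.loadTrustMaterial(tlsTrustStore, null)` and cannot compile unless a `+` line was lost in rendering; the `return SSLContextBuilder.create()` line must stay. Separately, the new `loadKeyMaterial(tlsKeyStore, password)` drops the alias selector `(map, socket) -> properties.getTlsKeyStore().getAlias()`, so if the key store holds more than one private-key entry the client certificate presented to the gateway is now chosen by the default key manager rather than by the configured `alias` property, which becomes dead configuration. Keep the selector: `.loadKeyMaterial(tlsKeyStore, properties.getTlsKeyStore().getPassword(), (map, socket) -> properties.getTlsKeyStore().getAlias())`.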
@@ -91,6 +91,54 @@ public KeyStore trustAnchorKeyStore() throws KeyStoreException,
 return keyStore;
 }
+ /**
+ * Creates a KeyStore instance with keys for TLS trust Store.
+ *
+ * @return KeyStore Instance
+ * @throws KeyStoreException if no implementation for the specified type found
+ * @throws CertificateException if any of the certificates in the keystore could not be loaded
+ * @throws NoSuchAlgorithmException if the algorithm used to check the integrity of the keystore cannot be found
+ */
+ @Bean
+ @Qualifier("tlsTrustStore")
+ @ConditionalOnProperty("dgc.gateway.connector.tls-trust-store.path")
+ public KeyStore tlsTrustStore() throws KeyStoreException,
+ CertificateException, NoSuchAlgorithmException {
+ KeyStore keyStore = KeyStore.getInstance("JKS");
+
+ loadKeyStore(
+ keyStore,
+ dgcConfigProperties.getTlsTrustStore().getPath(),
+ dgcConfigProperties.getTlsTrustStore().getPassword());
+
+ return keyStore;
+ }
+
+
+ /**
+ * Creates a KeyStore instance with keys for TLS key Store.
+ *
+ * @return KeyStore Instance
+ * @throws KeyStoreException if no implementation for the specified type found
+ * @throws CertificateException if any of the certificates in the keystore could not be loaded
+ * @throws NoSuchAlgorithmException if the algorithm used to check the integrity of the keystore cannot be found
+ */
+ @Bean
+ @Qualifier("tlsKeyStore")
+ @ConditionalOnProperty("dgc.gateway.connector.tls-key-store.path")
+ public KeyStore tlsKeyStore() throws KeyStoreException,
+ CertificateException, NoSuchAlgorithmException {
+ KeyStore keyStore = KeyStore.getInstance("JKS");
+
+ loadKeyStore(
+ keyStore,
+ dgcConfigProperties.getTlsKeyStore().getPath(),
+ dgcConfigProperties.getTlsKeyStore().getPassword());
+
+ return keyStore;
+ }
+
+
 private void loadKeyStore(KeyStore keyStore, String path, char[] password)
 throws CertificateException, NoSuchAlgorithmException {
 try {
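Review bot: Both new beans hard-code `KeyStore.getInstance("JKS")`, and with the `$ENV:` path form there is no file name to hint at the format, so a PKCS12 store supplied as base64 loads only as far as the JDK's JKS/PKCS12 compatibility mode allows and otherwise fails inside `loadKeyStore`; consider taking the store type from configuration or, at minimum, documenting the constraint at each `getInstance` call: `// store type is fixed to JKS; other formats depend on the JDK's keystore compat mode`. The Javadoc for `tlsTrustStore()` says "keys for TLS trust Store", but a trust store carries certificates, not keys — `Creates the KeyStore holding the certificates trusted for the TLS connection to the gateway.` is more accurate. The two methods differ only in the property group they read, so a private helper taking path and password would remove the duplication. `loadKeyStore` begins at the end of this hunk and continues outside it.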
@@ -98,7 +146,7 @@ private void loadKeyStore(KeyStore keyStore, String path, char[] password)
 InputStream stream;
 if (path.startsWith("$ENV:")) {
- String env = path.substring(6);
+ String env = path.substring(5);
 String b64 = System.getenv(env);
 stream = new ByteArrayInputStream(Base64.getDecoder().decode(b64));
 } else {
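Review bot: The `$ENV:` branch never checks that the variable is set: `System.getenv(env)` returns null in that case and `Base64.getDecoder().decode((String) null)` throws a NullPointerException (a malformed value throws IllegalArgumentException); neither is an IOException, so if the surrounding `try`, which lies outside this hunk, only catches IOException the startup failure surfaces as a bare NPE with no hint which variable was missing. Add after the getenv line: `if (b64 == null || b64.isEmpty()) { throw new IllegalStateException("Environment variable " + env + " for keystore " + path + " is not set"); }` — the variable name is safe to report, the decoded material is not. The substring fix itself is correct, since `"$ENV:"` is five characters. As a deployment caveat, keystore material in the environment is readable by anything that can read the process environment (`/proc/<pid>/environ`, child processes, diagnostics dumps), which the file form protected by permissions does not expose; a comment at the branch such as `// key material arrives via environment: keep it out of child processes and diagnostics` would make that explicit. `loadKeyStore` starts before this hunk and continues past it.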