From e0f7b2c41f66038dc6438b3cc6da14a1422ccf43 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Wed, 12 Jul 2023 10:13:44 +0200
Subject: feat(hsm-facade): make trusted SSL-certificate optional for HSM-Facade initialization
---
 .../core/impl/credential/EaafKeyStoreFactory.java | 54 +++++++++++++++-------
 .../test/credentials/EaafKeyStoreFactoryTest.java | 37 +++++++--------
 2 files changed, 54 insertions(+), 37 deletions(-)
(limited to 'eaaf_core_utils')
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
index fec984c4..0ecdcc92 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
@@ -288,17 +288,29 @@ public class EaafKeyStoreFactory { final long grpcDeadline = getConfigurationParameterLong(CONFIG_PROP_HSM_FACADE_GRPC_DEADLINE, HSM_FACADE_DEFAULT_DEADLINE); + X509Certificate trustedSslCertificate = getHsmFacadeTrustSslCertificate(); //initialize HSM-Facade by using JAVA Reflection, because in that case HSM-Facade //has not be in ClassPath on every project final Method constructor = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, new Class[]{}); - final Method initMethod = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT, + final Method initMethodWithSslCert = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT, X509Certificate.class, String.class, String.class, String.class, int.class, long.class); - if (initMethod != null && constructor != null) { + final Method initMethod = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT, + String.class, String.class, String.class, int.class, long.class); + if (initMethodWithSslCert != null && initMethod != null && constructor != null) { final Object rawProvider = constructor.invoke(hsmProviderClazz); - initMethod.invoke( - rawProvider, getHsmFacadeTrustSslCertificate(), - clientUsername, clientPassword, hsmFacadeHost, port, grpcDeadline); + + if (trustedSslCertificate != null) { + log.trace("Invoking HSM-Facade constructor with SSL certificate ... "); + initMethodWithSslCert.invoke(rawProvider, trustedSslCertificate, clientUsername, clientPassword, + hsmFacadeHost, port, grpcDeadline); + + } else { + log.trace("Invoking HSM-Facade constructor without SSL certificate ... "); + initMethod.invoke(rawProvider, clientUsername, clientPassword, + hsmFacadeHost, port, grpcDeadline); + + } if (rawProvider instanceof Provider) { Security.addProvider((Provider) rawProvider); 
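Review bot: The new lookup of the five-argument `initMethod` is unconditional, so both init overloads must exist on the provider class even though only one of them is ever invoked; `Class.getMethod` throws `NoSuchMethodException` instead of returning null, so a HSM-Facade build that exposes only the certificate-taking overload now fails to initialize even when a certificate is configured (unless a catch outside this hunk treats that exception as non-fatal — the enclosing method starts and ends outside the hunk). Resolving only the overload that matches `trustedSslCertificate` avoids that and lets a single `initMethod` variable carry through to the error branch further down, which would then report `initMethod != null` again; the rewritten lines are below, keeping the existing null-check shape. Two smaller points: `trustedSslCertificate` should be `final` like every other local in this block, and both `log.trace` messages say "constructor" while the call they describe is the init method.
```java
// look up only the init overload that is actually invoked, so a provider build
// that lacks the other overload still initializes
final Method initMethod = trustedSslCertificate != null
    ? hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT,
        X509Certificate.class, String.class, String.class, String.class, int.class, long.class)
    : hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT,
        String.class, String.class, String.class, int.class, long.class);
if (initMethod != null && constructor != null) {
  final Object rawProvider = constructor.invoke(hsmProviderClazz);
  if (trustedSslCertificate != null) {
    log.trace("Invoking HSM-Facade init-method with trusted SSL certificate ... ");
    initMethod.invoke(rawProvider, trustedSslCertificate, clientUsername, clientPassword,
        hsmFacadeHost, port, grpcDeadline);
  } else {
    log.trace("Invoking HSM-Facade init-method without SSL certificate ... ");
    initMethod.invoke(rawProvider, clientUsername, clientPassword,
        hsmFacadeHost, port, grpcDeadline);
  }
  // … unchanged: Provider registration …
```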
@@ -318,7 +330,7 @@ public class EaafKeyStoreFactory { log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG, HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, constructor != null); log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG, - HSM_FACADE_PROVIDER_METHOD_INIT, initMethod != null); + HSM_FACADE_PROVIDER_METHOD_INIT, initMethodWithSslCert != null); throw new EaafException(ERRORCODE_10, new Object[] {HSM_FACADE_PROVIDER_CLASS}); } 
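Review bot: The warning on the changed line now reports only `initMethodWithSslCert != null`, but the condition that routes execution into this branch (in the previous hunk) also tests `initMethod`, so a failed lookup of the five-argument overload would be logged as if the init method had been found. Add a warning for the other overload as well, `log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG, HSM_FACADE_PROVIDER_METHOD_INIT, initMethod != null);`, and since both lookups share one method name, include the parameter list in the message so the two overloads can be told apart. Note that `Class.getMethod` throws `NoSuchMethodException` rather than returning null, so as written none of these `!= null` warnings can actually report a missing method; that is pre-existing, but it limits the diagnostic value of this branch. The enclosing method starts and ends outside the hunk.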
@@ -527,21 +539,29 @@ public class EaafKeyStoreFactory { private X509Certificate getHsmFacadeTrustSslCertificate() throws EaafConfigurationException { try { - final String certFilePath = getConfigurationParameter(CONFIG_PROP_HSM_FACADE_SSLTRUST); + final String certFilePath = basicConfig.getBasicConfiguration(CONFIG_PROP_HSM_FACADE_SSLTRUST); + if (StringUtils.isNotEmpty(certFilePath)) { + final String absolutCertFilePath = FileUtils.makeAbsoluteUrl( + certFilePath, basicConfig.getConfigurationRootDirectory()); - final String absolutCertFilePath = FileUtils.makeAbsoluteUrl( - certFilePath, basicConfig.getConfigurationRootDirectory()); - final Resource certFile = resourceLoader.getResource(absolutCertFilePath); + log.debug("Loading HSM-Facade trusted server-certificate from path : {}", absolutCertFilePath); + final Resource certFile = resourceLoader.getResource(absolutCertFilePath); - if (!certFile.exists()) { - throw new EaafConfigurationException(ERRORCODE_05, - new Object[] { CONFIG_PROP_HSM_FACADE_SSLTRUST, - "File not found at: " + absolutCertFilePath }); + if (!certFile.exists()) { + throw new EaafConfigurationException(ERRORCODE_05, + new Object[] { CONFIG_PROP_HSM_FACADE_SSLTRUST, + "File not found at: " + absolutCertFilePath }); - } + } + + return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate( + certFile.getInputStream()); - return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certFile - .getInputStream()); + } else { + log.info("HSM-Facade trusted server-certificate is not set. Using System-TrustStore ... "); + return null; + + } } catch (final EaafConfigurationException e) { throw e; diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java index 932beb31..0d3492a7 100644 
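Review bot: The stream returned by `certFile.getInputStream()` on the new `return` line is never closed, so for a file-backed resource the handle stays open until finalization; wrap it as `try (final InputStream in = certFile.getInputStream()) { return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in); }` (importing `java.io.InputStream` if the file does not already). Because the method can now return null, and a null result makes the HSM-Facade validate the server against the JVM default trust store (per the `log.info` on the else branch), that contract belongs in the method's Javadoc above the hunk, e.g. `@return the configured trust anchor for the HSM-Facade TLS endpoint, or {@code null} if CONFIG_PROP_HSM_FACADE_SSLTRUST is not set`. Consider logging that fallback at WARN rather than INFO: without a pinned certificate the endpoint that receives the HSM client credentials is authenticated only by the platform trust anchors, which operators should be able to spot in the startup log. The method continues past the hunk with its remaining catch clauses.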
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java +++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java @@ -608,27 +608,7 @@ public class EaafKeyStoreFactoryTest { } } - @Test - @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) - public void hsmFacadeMissingTrustedCertificate() { - mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, - RandomStringUtils.randomNumeric(10)); - mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, - RandomStringUtils.randomNumeric(4)); - mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, - RandomStringUtils.randomNumeric(10)); - mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, - RandomStringUtils.randomAlphanumeric(10)); - try { - context.getBean(EaafKeyStoreFactory.class); - Assert.fail("Missing HSM Facade not detected"); - - } catch (final BeansException e) { - checkMissingConfigException(e); - - } - } @Test @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) 
@@ -728,6 +708,23 @@ public class EaafKeyStoreFactoryTest { } + @Test + @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) + public void hsmFacadeWithOutTrustedCertificate() { + mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, + RandomStringUtils.randomNumeric(10)); + mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, + RandomStringUtils.randomNumeric(4)); + mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, + RandomStringUtils.randomNumeric(10)); + mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, + RandomStringUtils.randomAlphanumeric(10)); + + final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class); + Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized()); + + } + @Test @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) public void hsmFacadeHealthCheckNoProvider() { -- cgit v1.2.3
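Review bot: The new `hsmFacadeWithOutTrustedCertificate` test asserts only `isHsmFacadeInitialized()`, which does not distinguish the two init overloads, so it would still pass if the factory took the certificate-backed path; if the dummy provider used by this test class (not visible in the hunk) records its init arguments, assert that the certificate-less overload was the one called. With the old missing-certificate test removed in the previous hunk, the configured-but-unreadable case is no longer covered unless another test in the class does so: a companion test that sets `CONFIG_PROP_HSM_FACADE_SSLTRUST` to a non-existent path and expects the configuration error would keep the `File not found` branch exercised. Minor style point: `hsmFacadeWithOutTrustedCertificate` reads better as `hsmFacadeWithoutTrustedCertificate`.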