Dynamic loading truststore certificates

[TMain-Tomi]

Dear @phax ,

I used phase4-spring-boot-demo to release AS4 server now. And it runs successful.
But I meet a problem when I want to dynamic loading truststore certificates.
I config the truststore like this:

org.apache.wss4j.crypto.merlin.truststore.type=JKS
org.apache.wss4j.crypto.merlin.truststore.file=test.jks
org.apache.wss4j.crypto.merlin.truststore.password=test

when I add/delete a cert from test.jks, will run the following logic:

Path publicCertPath = new File("D:\phase4-as4\src\main\resources\test.jks").toPath()
String partnerPwd = 'test'
// Add all certificates to trust store
KeyStore trustKeyStore = AS4KeystoreUtils.load(publicCertPath, partnerPwd)
KeyStore keyStore = AS4CryptoFactoryProperties.getDefaultInstance ().getKeyStore ()
AS4XServletHandler handler = new AS4XServletHandler ();
AS4CryptoFactoryInMemoryKeyStore cf = new AS4CryptoFactoryInMemoryKeyStore(keyStore, 'test','test', trustKeyStore);
handler.setCryptoFactorySupplier(() -> cf);

But when I add a new cert into test.jks, the server doesn't identify it, need to re-run the server.
May you give me some advices? thanks.

Best Regards,
Tomi Lin

[phax]

[Based on #129]
Well, I think the easiest way to do this, is to move all the loading part into the CryptoFactpry supplier, like this:

AS4XServletHandler handler = new AS4XServletHandler ();
handler.setCryptoFactorySupplier(() ->{
        Path publicCertPath = new File("D:\phase4-as4\src\main\resources\test.jks").toPath()
        String partnerPwd = 'test'
        // Add all certificates to trust store
        KeyStore trustKeyStore = AS4KeystoreUtils.load(publicCertPath, partnerPwd)
        KeyStore keyStore = AS4CryptoFactoryProperties.getDefaultInstance ().getKeyStore ()

        AS4CryptoFactoryInMemoryKeyStore cf = new AS4CryptoFactoryInMemoryKeyStore(keyStore, 'test','test', trustKeyStore);
         return cf;
});

[TMain-Tomi]

Dear @phax ,

Thanks for your reply.
I want to make an API which can reload the trustcerts(test.jks) dynamically when I add/delete a cert from trustcert(test.jks).
From your advice, I make a method(reloadTrustCerts) to do it.

void reloadTrustCerts() {
AS4XServletHandler handler = new AS4XServletHandler()
handler.setCryptoFactorySupplier(()->{
Path publicCertPath = new File("D:\phase4-as4\src\main\resources\PARTNER.jks").toPath()
String partnerPwd = 'test'
KeyStore trustKeyStore = AS4KeystoreUtils.load(publicCertPath, partnerPwd)
KeyStore keyStore = AS4CryptoFactoryProperties.getDefaultInstance ().getKeyStore ()
AS4CryptoFactoryInMemoryKeyStore cf = new AS4CryptoFactoryInMemoryKeyStore(keyStore, 'test','test', trustKeyStore);
return cf;
})

After I add a new cert into test.jks, I call this api and send a message which take the signature with new cert.
And it is error:

org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:202) ~[wss4j-ws-security-dom-3.0.0.jar:3.0.0]
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340) ~[wss4j-ws-security-dom-3.0.0.jar:3.0.0]
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:251) ~[wss4j-ws-security-dom-3.0.0.jar:3.0.0]
at com.helger.phase4.servlet.soap.SOAPHeaderElementProcessorWSS4J._verifyAndDecrypt(SOAPHeaderElementProcessorWSS4J.java:134) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.servlet.soap.SOAPHeaderElementProcessorWSS4J.lambda$processHeaderElement$1(SOAPHeaderElementProcessorWSS4J.java:421) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.wss.WSSSynchronizer.call(WSSSynchronizer.java:79) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.servlet.soap.SOAPHeaderElementProcessorWSS4J.processHeaderElement(SOAPHeaderElementProcessorWSS4J.java:421) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.servlet.AS4IncomingHandler._processSoapHeaderElements(AS4IncomingHandler.java:414) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.servlet.AS4IncomingHandler.processEbmsMessage(AS4IncomingHandler.java:593) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.servlet.AS4RequestHandler._handleSoapMessage(AS4RequestHandler.java:1291) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.servlet.AS4RequestHandler.lambda$handleRequest$4(AS4RequestHandler.java:1714) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.servlet.AS4IncomingHandler.parseAS4Message(AS4IncomingHandler.java:335) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.servlet.AS4RequestHandler.handleRequest(AS4RequestHandler.java:1733) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.servlet.AS4RequestHandler.handleRequest(AS4RequestHandler.java:1772) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.servlet.AS4XServletHandler.handleRequest(AS4XServletHandler.java:310) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.phase4.servlet.AS4XServletHandler.handleRequest(AS4XServletHandler.java:344) ~[phase4-lib-2.1.0.jar:2.1.0]
at com.helger.xservlet.handler.simple.XServletHandlerToSimpleHandler.onRequest(XServletHandlerToSimpleHandler.java:238) ~[ph-xservlet-10.1.1.jar:10.1.1]
at com.helger.xservlet.AbstractXServlet._invokeHandler(AbstractXServlet.java:354) ~[ph-xservlet-10.1.1.jar:10.1.1]
at com.helger.xservlet.AbstractXServlet.service(AbstractXServlet.java:539) ~[ph-xservlet-10.1.1.jar:10.1.1]
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) ~[tomcat-embed-core-10.1.8.jar:6.0]
at com.helger.xservlet.AbstractXServlet.service(AbstractXServlet.java:595) ~[ph-xservlet-10.1.1.jar:10.1.1]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat-embed-websocket-10.1.8.jar:10.1.8]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.8.jar:6.0.8]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.0.8.jar:6.0.8]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.8.jar:6.0.8]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:166) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:894) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-10.1.8.jar:10.1.8]
at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]

The system CryptoFactory seems not reload.
So how can I replace the old handler with new ones？Thanks.

Best Regards,
Tomi Lin

[phax]

HI @TMain-Tomi , sorry for the delayed response - I am currently on vacation.

I created some stub code for you in https://github.com/phax/phase4/blob/master/phase4-spring-boot-demo/src/main/java/com/helger/phase4/springboot/servlet/ServletConfig.java#L67-L92 where you can see how that might work. You create your own Servlet class (MyAS4Servlet) and customize the handler there.

Inside the static method of the outer class, you can add you code as above:

Path publicCertPath = new File("D:\phase4-as4\src\main\resources\test.jks").toPath()
        String partnerPwd = 'test'
        // Add all certificates to trust store
        KeyStore trustKeyStore = AS4KeystoreUtils.load(publicCertPath, partnerPwd)
        KeyStore keyStore = AS4CryptoFactoryProperties.getDefaultInstance ().getKeyStore ()
        return new AS4CryptoFactoryInMemoryKeyStore(keyStore, 'test','test', trustKeyStore);

That means that each time a message is received, a new AS4CryptoFactoryInMemoryKeyStore is instantiated. With some static variables, the code could also be tweaked, that there is always just one static AS4CryptoFactoryInMemoryKeyStore that you modify with your "update truststore".

I hope that makes sense to you.

[TMain-Tomi]

Dear @phax,

Thanks for you reply.
I will try the above solution.
Have a pleasant holiday.

Best Regards,
Tomi Lin

[TMain-Tomi]

Dear @phax,

I add getCryptoFactoryToUse() and MyAS4Servlet in ServletConfig and it works normal now.
Thanks for your guidance.

Best Regards,
Tomi Lin

[TMain-Tomi]

Hi @phax,

I successfully used AS4ClientPullRequestMessage to pull AS4 message from other AS4(Base on Holodeck-B2B) server when this message without signture and ecryption. My code is following:

AS4ResourceHelper as4ResourceHelper= new AS4ResourceHelper ()
AS4ClientPullRequestMessage aClient = new AS4ClientPullRequestMessage (as4ResourceHelper)
aClient.setSoapVersion (ESoapVersion.AS4_DEFAULT)
aClient.setMPC('http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/defaultMPC')
aClient = BaseDataPhase4.setKeyStore(aClient)
IAS4OutgoingDumper dumper = AS4DumpManager.getOutgoingDumper()
HttpClientResponseHandler responseHandlerByteArray = new ResponseHandlerByteArray()
final AS4ClientSentMessage<byte[]> aResponseEntity = aClient.sendMessageWithRetries("http://127.0.0.1:9090/holodeckb2b/as4",
responseHandlerByteArray,
null,
dumper,
null)
log.info("response: {}", new String(aResponseEntity.getResponse()))

But when I add ecryption in other AS4 Server's pull message:

    <PartyId>test</PartyId>
    <Role>Receiver</Role>
    **<SecurityConfiguration>
        <Encryption>
            <KeystoreAlias>test</KeystoreAlias>
            <Algorithm>http://www.w3.org/2009/xmlenc11#aes128-gcm</Algorithm>
        </Encryption>
    </SecurityConfiguration>**
</Initiator>
<Responder>
    <PartyId>user2</PartyId>
    <Role>Sender</Role>
</Responder>

I don't know how to add the decryption in AS4ClientPullRequestMessage. I tried to add this, but it failed.

aClient.cryptParams ().setAlgorithmCrypt (ECryptoAlgorithmCrypt.AES_128_GCM);

And if customer AS4 Server need a response, how I can do after I get optimistic response?

Another problem is how to set up a pull server. If I need to save a message into MPC and wait partner to pull it, how to achieve it?

May you give me some advices? Thanks.

Best Regards,
Tomi Lin