Dynamically modify truststore at runtime

[MakakWasTaken]

I was wondering whether or not it is possible to modify the trusted certificates at runtime.

I have tried modifying the file that the truststore uses by doing the following:

File file = new File("src/main/resources/truststore.jks");
KeyStore keystore = KeyStore.getInstance("JKS");
if (!file.exists()) {
  keystore.load(null, password);
} else {
  FileInputStream in = new FileInputStream(file);
  keystore.load(in, password);
  in.close();
}


// If the certificate does not already exist.
if (!keystore.containsAlias(alias)) {
  FileOutputStream out = new FileOutputStream(file);
  keystore.setCertificateEntry(alias, certificate);

  LOGGER.info("Adding file to truststore");
  keystore.store(out, password);
  out.close();
}

This results in keystore.store giving me a NullPointerException.

I also thought that this might not update the file used by phase4 before the program is restarted. Is it possible to dynamically add a new X509Certificate to the truststore at runtime?

Would this approach then include defining the cryptoFactory method on the sender builder every time or is there a more straightforward way to approach this?

OBS.
If I of course use an empty truststore, I will end up with an TRANSPORT_ERROR, because I don't have any trusted certificates. But I only know what certificates to trust at runtime.

[phax]

Hi, try this for line 4 above (no password needed):

keystore.load(null, null);

Setting the truststore dynamically is possible in phase4, it just matters if you need it for sending and receiving, and if receiving is affected, how you enable the dynamic truststore.

For sending (assuming you use the builder), you need to set a different cryptoFactory using an instance of AS4CryptoFactoryInMemoryKeyStore where you pass in keystore and truststore dyanmically. The same can be done for receiving as well, just that the point for interception is a bit tricky ;-)

[phax]

If you can give me a rough estimation, what kind of parameter you are using to make the differentiation, it will help.
Does this only affect the TrustStore or also the KeyStore?

The start point is class AS4Servlet. You need to define your own Servlet based class and using the constructor params or manipulating the parameters of the AS4XServletHandler instance:

 {
    // Multipart is handled specifically inside
    settings ().setMultipartEnabled (false);
    // HTTP POST only
    AS4XServletHandler hdl = new AS4XServletHandler (/* use */);
    /* hdl. ... */
    handlerRegistry ().registerHandler (EHttpMethod.POST, hdl);
  }

The first ctor parameter is a Supplier <? extends IAS4CryptoFactory> aCryptoFactorySupplier that you can use to make the decision.

Alternatively (or additionally), overwrite AS4XServletHandler.handleRequest(IRequestWebScopeWithoutResponse,UnifiedResponse) and use specific parameters to make the choice.

hth

[MakakWasTaken]

Ahh, I see. I was using the handler.setCryptoFactorySupplier(), but I was creating the factory at the servlet initialisation. Instead of doing that I went ahead and made the following modifications.
Before:

KeyStore truststore = KeyStore.getInstance("JKS");
// A trust store only contains public information, so no password
truststore.load(null,null);
IAS4CryptoFactory cryptoFactory = new AS4CryptoFactoryInMemoryKeyStore(keyStore, System.getenv("ORG_APACHE_WSS4J_CRYPTO_MERLIN_KEYSTORE_ALIAS"),
          System.getenv("ORG_APACHE_WSS4J_CRYPTO_MERLIN_KEYSTORE_PASSWORD"), truststore)
handler.setCryptoFactorySupplier(() -> cryptoFactory);

After:

KeyStore truststore = KeyStore.getInstance("JKS");
// A trust store only contains public information, so no password
truststore.load(null,null);
handler.setCryptoFactorySupplier(() -> {
  // Add all certificates to trust store using truststore.setCertificateEntry()
  // ...
  return new AS4CryptoFactoryInMemoryKeyStore(keyStore, System.getenv("ORG_APACHE_WSS4J_CRYPTO_MERLIN_KEYSTORE_ALIAS"),
          System.getenv("ORG_APACHE_WSS4J_CRYPTO_MERLIN_KEYSTORE_PASSWORD"), truststore);
});

[phax]

Well, that means you want a constant, but empty truststore? So you want to rely on the CA certs only?
Are the ENV vars changing?
Otherwise I would suggest you create the Crypto factory once like this:

KeyStore truststore = KeyStore.getInstance("JKS");
// A trust store only contains public information, so no password
truststore.load(null,null);
  // Add all certificates to trust store using truststore.setCertificateEntry()
  // ...
AS4CryptoFactoryInMemoryKeyStore cf = new AS4CryptoFactoryInMemoryKeyStore(keyStore, System.getenv("ORG_APACHE_WSS4J_CRYPTO_MERLIN_KEYSTORE_ALIAS"),
          System.getenv("ORG_APACHE_WSS4J_CRYPTO_MERLIN_KEYSTORE_PASSWORD"), truststore);
handler.setCryptoFactorySupplier(() -> cf);

[MakakWasTaken]

// Add all certificates to trust store using truststore.setCertificateEntry()
// ...

This part includes an SQL fetch from a server, so it will try to fetch all the certificates from the server for every request.

[phax]

Okay, well that doesn't sound too efficient, but I leave it up to you. Then you need to do it inside the Supplier as you suggested

[TMain-Tomi]

Dear @MakakWasTaken,

Do you solve tthis question? May you share the solution with me？
I call this method after I add/delete a cert from test.jks, but it seems useless. The AS4XServletHandler is not global.

void reloadTrustCerts() {
AS4XServletHandler handler = new AS4XServletHandler()
handler.setCryptoFactorySupplier(() -> {
Path publicCertPath = new File("D:\phase4-as4\src\main\resources\test.jks").toPath()
String partnerPwd = 'test'
KeyStore trustKeyStore = AS4KeystoreUtils.load(publicCertPath, partnerPwd)
KeyStore keyStore = AS4CryptoFactoryProperties.getDefaultInstance().getKeyStore()
AS4CryptoFactoryInMemoryKeyStore cf = new AS4CryptoFactoryInMemoryKeyStore(keyStore, 'test', 'test', trustKeyStore);
return cf;
})
}

Thanks.

Best Regards,
Tomi Lin

[phax]

This was answered in #130