server cert made as optional and also server cert can be passed as cert chain

Author: gaubansa

src/main/java/Api/BatchUploadwithMTLSApi.java

@@ -3,6 +3,7 @@
 import java.io.File;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
+import java.util.Collection;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -30,9 +31,9 @@ public class BatchUploadwithMTLSApi {
      * @param inputFile The file to be uploaded.
      * @param environmentHostname The environment hostname (e.g., secure-batch-test.cybersource.com).
      * @param pgpEncryptionCertPath Path to the PGP encryption certificate.
-     * @param keystorePath Path to the JKS keystore file.
+     * @param keystorePath Path to the JKS keystore file containing client certificates.
      * @param keystorePassword Password for the keystore.
-     * @param truststorePath Path to the truststore file.
+     * @param truststorePath Path to the JKS truststore file containing trusted server certificates. <b>Optional</b>: Can be <code>null</code> if not required.
      * @param truststorePassword Password for the truststore.
      * @return ApiResponse containing the server response as a String.
      * @throws ApiException If an API error occurs.
@@ -56,9 +57,9 @@ public ApiResponse<String> uploadBatchAPI(File inputFile, String environmentHost
      * @param inputFile The file to be uploaded.
      * @param environmentHostname The environment hostname (e.g., api.cybersource.com).
      * @param pgpEncryptionCertPath Path to the PGP encryption certificate.
-     * @param clientCertP12FilePath Path to the PKCS#12 client certificate file.
+     * @param clientCertP12FilePath Path to the PKCS#12 client certificate file (.p12 or .pfx).
      * @param clientCertP12Password Password for the PKCS#12 client certificate.
-     * @param serverTrustCertPath Path to the server trust certificate.
+     * @param serverTrustCertPath Path to the server trust certificate(s) in PEM format. <b>Optional</b>: Can be <code>null</code> if not required.
      * @return ApiResponse containing the server response as a String.
      * @throws ApiException If an API error occurs.
      * @throws Exception If a general error occurs.
@@ -83,20 +84,20 @@ public ApiResponse<String> uploadBatchAPI(File inputFile, String environmentHost
      * @param pgpPublicKey The PGP public key for encryption.
      * @param clientPrivateKey The client's private key.
      * @param clientCert The client's X509 certificate.
-     * @param serverTrustCert The server's trust X509 certificate.
+     * @param serverTrustCerts A collection of server's trusted X509 certificates (can be a certificate chain). <b>Optional</b>: Can be <code>null</code> or empty if not required.
      * @return ApiResponse containing the server response as a String.
      * @throws ApiException If an API error occurs.
      * @throws Exception If a general error occurs.
      */
-    public ApiResponse<String> uploadBatchAPI(File inputFile, String environmentHostname, PGPPublicKey pgpPublicKey, PrivateKey clientPrivateKey, X509Certificate clientCert , X509Certificate serverTrustCert) throws ApiException, Exception {
+    public ApiResponse<String> uploadBatchAPI(File inputFile, String environmentHostname, PGPPublicKey pgpPublicKey, PrivateKey clientPrivateKey, X509Certificate clientCert , Collection<X509Certificate> serverTrustCerts) throws ApiException, Exception {
         logger.info("Starting batch upload with client private key and certs for given file");
-        BatchUploadUtility.validateBatchApiKeysInputs(inputFile, environmentHostname, pgpPublicKey, clientPrivateKey, clientCert, serverTrustCert);
+        BatchUploadUtility.validateBatchApiKeysInputs(inputFile, environmentHostname, pgpPublicKey, clientPrivateKey, clientCert, serverTrustCerts);
         String endpoint = "/pts/v1/transaction-batch-upload";
         String endpointUrl = BatchUploadUtility.getEndpointUrl(environmentHostname, endpoint);
         byte[] encryptedPgpBytes = PgpEncryptionUtility.handlePGPEncrypt(inputFile, pgpPublicKey);
         return MutualAuthUploadUtility.handleUploadOperationUsingPrivateKeyAndCerts(
             encryptedPgpBytes, endpointUrl, inputFile.getName(),
-            clientPrivateKey, clientCert, serverTrustCert
+            clientPrivateKey, clientCert, serverTrustCerts
         );
     }
 

src/main/java/utilities/pgpBatchUpload/BatchUploadUtility.java

@@ -12,7 +12,10 @@
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Iterator;
+import java.util.List;
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
@@ -33,21 +36,27 @@ public class BatchUploadUtility {
 
 	private static final Logger logger = LogManager.getLogger(BatchUploadUtility.class);
 	private static final long MAX_FILE_SIZE_BYTES = 75 * 1024 * 1024;
-	
-	/**
-     * Loads an X509 certificate from a PEM file.
+    
+    /**
+     * Loads X509 certificates from a PEM file.
      *
      * @param certFilePath The file path to the PEM certificate file.
-     * @return The loaded X509Certificate object.
+     * @return The loaded X509Certificate(s) as a Collection.
      * @throws CertificateException If the certificate cannot be parsed or is invalid.
      * @throws IOException If the file cannot be read or does not exist.
      */
-    public static X509Certificate loadCertificateFromPemFile(String certFilePath) throws CertificateException, IOException {
-	    try (FileInputStream inStream = new FileInputStream(certFilePath)) {
-	        CertificateFactory cf = CertificateFactory.getInstance("X.509");
-	        return (X509Certificate) cf.generateCertificate(inStream);
-	    }
-	}
+    public static Collection<X509Certificate> loadCertificatesFromPemFile(String certFilePath) throws CertificateException, IOException {
+        try (FileInputStream inStream = new FileInputStream(certFilePath)) {
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            Collection<? extends java.security.cert.Certificate> certs = cf.generateCertificates(inStream);
+            // Cast to X509Certificate
+            List<X509Certificate> x509Certs = new ArrayList<>();
+            for (java.security.cert.Certificate cert : certs) {
+                x509Certs.add((X509Certificate) cert);
+            }
+            return x509Certs;
+        }
+    }
 
     /**
      * Reads a PGP public key from the specified file.
@@ -114,7 +123,8 @@ public static void validateBatchApiJKSInputs(File inputFile, String environmentH
     	}
     	validatePathAndFile(pgpEncryptionCertPath, "PGP Encryption Cert Path");
     	validatePathAndFile(keystorePath, "Keystore Path");
-    	validatePathAndFile(truststorePath, "Truststore Path");
+    	if (!StringUtils.isEmpty(truststorePath))
+    		validatePathAndFile(truststorePath, "Truststore Path");
     }
 
     /**
@@ -135,7 +145,8 @@ public static void validateBatchApiP12Inputs(File inputFile, String environmentH
     	}
     	validatePathAndFile(pgpEncryptionCertPath, "PGP Encryption Cert Path");
     	validatePathAndFile(clientCertP12FilePath, "Client Cert P12 File Path");
-    	validatePathAndFile(serverTrustCertPath, "Server Trust Cert Path");
+    	if (!StringUtils.isEmpty(serverTrustCertPath))
+    		validatePathAndFile(serverTrustCertPath, "Server Trust Cert Path");
     }
 
     /**
@@ -149,7 +160,7 @@ public static void validateBatchApiP12Inputs(File inputFile, String environmentH
      * @param serverTrustCert The server trust X509 certificate.
      * @throws Exception If any validation fails.
      */
-    public static void validateBatchApiKeysInputs(File inputFile, String environmentHostname, PGPPublicKey pgpPublicKey,  PrivateKey clientPrivateKey, X509Certificate clientCert , X509Certificate serverTrustCert) throws Exception{
+    public static void validateBatchApiKeysInputs(File inputFile, String environmentHostname, PGPPublicKey pgpPublicKey,  PrivateKey clientPrivateKey, X509Certificate clientCert , Collection<X509Certificate> serverTrustCert) throws Exception{
     	validateInputFile(inputFile);
     	if(StringUtils.isEmpty(environmentHostname)) {
     		logger.error("Environment Host Name for Batch Upload API cannot be null or empty.");
@@ -158,7 +169,7 @@ public static void validateBatchApiKeysInputs(File inputFile, String environment
     	if (pgpPublicKey == null) throw new IllegalArgumentException("PGP Public Key is null");
         if (clientPrivateKey == null) throw new IllegalArgumentException("Client Private Key is null");
         if (clientCert == null) throw new IllegalArgumentException("Client Certificate is null");
-        if (serverTrustCert == null) throw new IllegalArgumentException("Server Trust Certificate is null");
+        //if (serverTrustCert == null) throw new IllegalArgumentException("Server Trust Certificate is null"); serverTrustCert is optional so can be null
     }
 
     /**

src/main/java/utilities/pgpBatchUpload/MutualAuthUploadUtility.java

@@ -12,6 +12,7 @@
 import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Collection;
 import java.util.UUID;
 
 import javax.net.ssl.KeyManagerFactory;
@@ -52,7 +53,7 @@ public class MutualAuthUploadUtility {
      * @param fileName The name of the file to be uploaded (will be suffixed with .pgp)
      * @param keystorePath The file path to the JKS keystore containing client certificates
      * @param keystorePassword The password for the JKS keystore
-     * @param truststorePath The file path to the JKS truststore containing trusted server certificates
+     * @param truststorePath (Optional) The file path to the JKS truststore containing trusted server certificates. Can be null if not required.
      * @param truststorePassword The password for the JKS truststore
      * @return ApiResponse containing the upload response details
      * @throws IOException If file operations or network communication fails
@@ -67,16 +68,19 @@ public static ApiResponse<String> handleUploadOperationWithJKS(byte[] encryptedP
             NoSuchAlgorithmException, CertificateException, KeyManagementException, UnrecoverableKeyException {
 
         KeyStore clientKeyStore = KeyStore.getInstance("JKS");
-        KeyStore serverTrustStore = KeyStore.getInstance("JKS");
+        KeyStore serverTrustStore = null;
 
         // Load the JKS keyStore using try-with-resources
         try (FileInputStream keyStoreFile = new FileInputStream(keystorePath)) {
             clientKeyStore.load(keyStoreFile, keystorePassword);
         }
 
         // Load the JKS trustStore using try-with-resources
-        try (FileInputStream trustStoreFile = new FileInputStream(truststorePath)) {
-            serverTrustStore.load(trustStoreFile, truststorePassword);
+        if(!StringUtils.isEmpty(truststorePath)) {
+        	serverTrustStore = KeyStore.getInstance("JKS");
+        	try (FileInputStream trustStoreFile = new FileInputStream(truststorePath)) {
+                serverTrustStore.load(trustStoreFile, truststorePassword);
+            }
         }
 
         try {
@@ -89,14 +93,14 @@ public static ApiResponse<String> handleUploadOperationWithJKS(byte[] encryptedP
     }
 
     /**
-     * Handles file upload operation using P12/PFX keystore and PEM server certificate for mutual authentication.
-     * 
-     * @param encryptedPgpBytes The encrypted PGP file content as byte array
+     * Handles file upload operation using P12/PFX keystore and PEM server certificate(s) for mutual authentication
+     *
+     * @param encryptedPgpBytes The encrypted PGP file content as a byte array
      * @param endpointUrl The target URL endpoint for file upload
      * @param fileName The name of the file to be uploaded (will be suffixed with .pgp)
      * @param p12FilePath The file path to the P12/PFX keystore containing client certificates
      * @param p12FilePassword The password for the P12/PFX keystore
-     * @param serverTrustCertPath The file path to the PEM file containing server trust certificate
+     * @param serverTrustCertPath (Optional) The file path to the PEM file containing one or more server trust certificates. Can be null if not required
      * @return ApiResponse containing the upload response details
      * @throws IOException If file operations or network communication fails
      * @throws KeyStoreException If keystore operations fail
@@ -108,14 +112,24 @@ public static ApiResponse<String> handleUploadOperationWithJKS(byte[] encryptedP
     public static ApiResponse<String> handleUploadOperationUsingP12orPfx(byte[] encryptedPgpBytes, String endpointUrl, String fileName, String p12FilePath, char[] p12FilePassword, String serverTrustCertPath) throws IOException, KeyStoreException, 
             NoSuchAlgorithmException, CertificateException, KeyManagementException, UnrecoverableKeyException {
 
-            X509Certificate serverTrustCert;
+            Collection<X509Certificate> serverTrustCert;
             KeyStore clientKeyStore;
+            KeyStore serverTrustStore =null;
 
-            try {
-                serverTrustCert = BatchUploadUtility.loadCertificateFromPemFile(serverTrustCertPath);
-            } catch (CertificateException e) {
-                logger.error("Error loading certificate from PEM file", e);
-                throw new CertificateException("Failed to load certificate from PEM file: " + serverTrustCertPath, e);
+            if(!StringUtils.isEmpty(serverTrustCertPath)) {
+                try {
+                    serverTrustCert = BatchUploadUtility.loadCertificatesFromPemFile(serverTrustCertPath);
+                } catch (CertificateException e) {
+                    logger.error("Error loading certificate from PEM file", e);
+                    throw new CertificateException("Failed to load certificate from PEM file: " + serverTrustCertPath, e);
+                }
+                serverTrustStore = KeyStore.getInstance("JKS");
+                serverTrustStore.load(null, null);
+                int i = 0;
+                for (X509Certificate cert : serverTrustCert) {
+                    serverTrustStore.setCertificateEntry("server-" + i, cert);
+                    i++;
+                }
             }
 
             clientKeyStore = KeyStore.getInstance("PKCS12", new BouncyCastleProvider());
@@ -124,11 +138,7 @@ public static ApiResponse<String> handleUploadOperationUsingP12orPfx(byte[] encr
             try (FileInputStream file = new FileInputStream(new File(p12FilePath))) {
                 clientKeyStore.load(file, p12FilePassword);
             }
-            
-            KeyStore serverTrustStore = KeyStore.getInstance("JKS");
-            serverTrustStore.load(null, null);
-            serverTrustStore.setCertificateEntry("server", serverTrustCert);
-            
+
             try {
                 OkHttpClient client = getOkHttpClientForMutualAuth(clientKeyStore, serverTrustStore, p12FilePassword);
                 return uploadFile(encryptedPgpBytes, fileName, endpointUrl, client);
@@ -146,7 +156,7 @@ public static ApiResponse<String> handleUploadOperationUsingP12orPfx(byte[] encr
      * @param fileName The name of the file to be uploaded (will be suffixed with .pgp)
      * @param clientPrivateKey The client's private key for authentication
      * @param clientCert The client's X509 certificate
-     * @param serverTrustCert The server's trusted X509 certificate
+     * @param serverTrustCerts (Optional) A collection of server's trusted X509 certificates (can be a certificate chain). Can be null or empty if not required.
      * @return ApiResponse containing the upload response details
      * @throws KeyStoreException If keystore operations fail
      * @throws NoSuchAlgorithmException If required cryptographic algorithms are not available
@@ -155,7 +165,7 @@ public static ApiResponse<String> handleUploadOperationUsingP12orPfx(byte[] encr
      * @throws UnrecoverableKeyException If private key cannot be recovered
      * @throws KeyManagementException If SSL key management fails
      */
-    public static ApiResponse<String> handleUploadOperationUsingPrivateKeyAndCerts(byte[] encryptedPgpBytes, String endpointUrl, String fileName, PrivateKey clientPrivateKey,X509Certificate clientCert,X509Certificate serverTrustCert) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException, KeyManagementException 
+    public static ApiResponse<String> handleUploadOperationUsingPrivateKeyAndCerts(byte[] encryptedPgpBytes, String endpointUrl, String fileName, PrivateKey clientPrivateKey, X509Certificate clientCert, Collection<X509Certificate> serverTrustCerts) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException, KeyManagementException 
 	{
 		// Create a KeyStore containing the client private key and certificate
         KeyStore clientKeyStore = KeyStore.getInstance("PKCS12");
@@ -164,9 +174,16 @@ public static ApiResponse<String> handleUploadOperationUsingPrivateKeyAndCerts(b
         clientKeyStore.setKeyEntry("client", clientPrivateKey, new char[] {}, new java.security.cert.Certificate[]{clientCert});
 
         // Create a KeyStore containing the server's trusted certificate
-        KeyStore serverTrustStore = KeyStore.getInstance("JKS");
-        serverTrustStore.load(null, null);
-        serverTrustStore.setCertificateEntry("server", serverTrustCert);
+        KeyStore serverTrustStore =null;
+        if(serverTrustCerts!=null && !serverTrustCerts.isEmpty()) {
+            serverTrustStore = KeyStore.getInstance("JKS");
+            serverTrustStore.load(null, null);
+            int i = 0;
+            for (X509Certificate cert : serverTrustCerts) {
+                serverTrustStore.setCertificateEntry("server-" + i, cert);
+                i++;
+            }
+        }
 
         try {
 			OkHttpClient client = getOkHttpClientForMutualAuth(clientKeyStore, serverTrustStore, new char[] {});