Merge pull request #6 from admin-ch/feature/VACCINECER-2278--extend-configuration-to-use-two-HSM-slots

Feature/vaccinecer 2278  extend configuration to use two hsm slots

Author: iris-hunkeler

pom.xml

@@ -10,7 +10,7 @@
     </parent>
     <groupId>ch.admin.bag.covidcertificate</groupId>
     <artifactId>cc-signing-service</artifactId>
-    <version>1.0.0-SNAPSHOT</version>
+    <version>4.4.3</version>
     <packaging>war</packaging>
     <name>cc-signing-service</name>
     <description>Service for signing Covid Certificates</description>

src/main/config/delivery/conf/cc-signing-service-external-config.properties

@@ -1,12 +1,28 @@
-# Crs keystore used for decryption
-crs.decryption.keyStoreSlotNumber=@crs.decryption.keyStoreSlotNumber@
-crs.decryption.keyStorePassword=@crs.decryption.keyStorePassword@
-crs.decryption.aliasSign=@crs.decryption.aliasSign@
-crs.decryption.aliasSignLight=@crs.decryption.aliasSignLight@
-crs.decryption.aliasVerify=@crs.decryption.aliasVerify@
-
 app.signing-service.monitor.prometheus.user=prometheus
 app.signing-service.monitor.prometheus.password=@monitor.prometheus.password@
 
+## HSM SLOT AND SIGNING KEY CONFIGURATION ##
+
+# passwords for both slots
+crs.decryption.keyStorePasswordSlot0=@crs.decryption.keyStorePasswordSlot0@
+crs.decryption.keyStorePasswordSlot1=@crs.decryption.keyStorePasswordSlot1@
+
+# default slot (only for backwards compatibility with management-service when switching)
+# TODO: can be removed after August 2022 if desired
+crs.decryption.defaultKeyStoreSlot=@crs.decryption.defaultKeyStoreSlot@
+
+
+# slot and name of certificate used for liveness check by loadbalancer
+crs.decryption.pingCertificateKeyStoreSlot=@crs.decryption.pingCertificateKeyStoreSlot@
+app.signing-service.keystore.monitoring.liveness-test-private-key=@app.signing-service.keystore.monitoring.liveness-test-private-key@
+
+# slot and name of certificate used for upload to EU gateway
+crs.decryption.euCertificateKeyStoreSlot=@crs.decryption.euCertificateKeyStoreSlot@
 app.signing-service.keystore.private-key-alias=@app.signing-service.keystore.private-key-alias@
 app.signing-service.keystore.signing-certificate-alias=@app.signing-service.keystore.signing-certificate-alias@
+
+# slot and name of certificate used to sign light certificates
+crs.decryption.lightKeyStoreSlot=@crs.decryption.lightKeyStoreSlot@
+crs.decryption.aliasSignLight=@crs.decryption.aliasSignLight@
+
+

src/main/java/ch/admin/bag/covidcertificate/signature/SigningApplication.java

@@ -1,16 +1,25 @@
 package ch.admin.bag.covidcertificate.signature;
 
 
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.core.env.Environment;
 
 
 @SpringBootApplication
+@Slf4j
 public class SigningApplication {
 
     public static void main(String[] args) {
-        SpringApplication.run(SigningApplication.class, args);
-    }
-
+        Environment env = SpringApplication.run(SigningApplication.class, args).getEnvironment();
 
+        log.info("\n----------------------------------------------------------\n\t" +
+                        "cc-signing-service is running! \n\t" +
+                        "\n\t" +
+                        "Profile(s): \t{}" +
+                        "\n----------------------------------------------------------",
+                (Object) env.getActiveProfiles()
+        );
+    }
 }

src/main/java/ch/admin/bag/covidcertificate/signature/api/SigningRequestDto.java

@@ -1,5 +1,6 @@
 package ch.admin.bag.covidcertificate.signature.api;
 
+import ch.admin.bag.covidcertificate.signature.service.KeyStoreSlot;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 
@@ -8,5 +9,5 @@
 public class SigningRequestDto {
     private final String dataToSign;
     private final String signingKeyAlias;
-    private final String certificateAlias;
+    private final KeyStoreSlot keyStoreSlot;
 }

src/main/java/ch/admin/bag/covidcertificate/signature/api/VerifyRequestDto.java

@@ -1,5 +1,6 @@
 package ch.admin.bag.covidcertificate.signature.api;
 
+import ch.admin.bag.covidcertificate.signature.service.KeyStoreSlot;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 
@@ -9,4 +10,5 @@ public class VerifyRequestDto {
     private String dataToSign;
     private String signature;
     private String certificateAlias;
+    private KeyStoreSlot keyStoreSlot;
 }

src/main/java/ch/admin/bag/covidcertificate/signature/config/HsmConfig.java

@@ -2,15 +2,21 @@
 
 import ch.admin.bag.covidcertificate.signature.config.error.SignatureCreationException;
 import ch.admin.bag.covidcertificate.signature.service.KeyStoreEntryReader;
-import ch.admin.bag.covidcertificate.signature.service.LunaSAKeyStoreProvider;
+import ch.admin.bag.covidcertificate.signature.service.KeyStoreSlot;
+import ch.admin.bag.covidcertificate.signature.service.LunaKeyStoreProvider;
 import com.safenetinc.luna.provider.LunaProvider;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 
-import java.security.*;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Security;
+import java.security.Signature;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.function.Supplier;
 
 @Configuration
@@ -21,38 +27,51 @@ public class HsmConfig {
 
     public static final String LUNA_PROVIDER;
 
-    @Value("${crs.decryption.keyStorePassword}")
-    private String keyStorePassword;
+    @Value("${crs.decryption.keyStorePasswordSlot0}")
+    private String keyStorePasswordSlot0;
 
-    @Value("${crs.decryption.aliasSign}")
-    private String aliasSign;
-
-    @Value("${crs.decryption.aliasSignLight}")
-    private String aliasSignLight;
+    @Value("${crs.decryption.keyStorePasswordSlot1}")
+    private String keyStorePasswordSlot1;
 
     static {
         try {
             var lunaProvider = new LunaProvider();
             Security.addProvider(lunaProvider);
             LUNA_PROVIDER = lunaProvider.getName();
-        }catch (Exception | ExceptionInInitializerError e){
+        } catch (Exception | ExceptionInInitializerError e) {
             throw new IllegalStateException("Failed to register the Luna Provider", e);
         }
     }
 
     @Bean
-    KeyStoreEntryReader keyStoreEntryReader(LunaSAKeyStoreProvider lunaSAKeyStoreProvider) {
-        var keyStore = lunaSAKeyStoreProvider.loadKeyStore();
-        return new KeyStoreEntryReader(lunaSAKeyStoreProvider, keyStore, keyStorePassword.toCharArray());
+    public Map<KeyStoreSlot, KeyStoreEntryReader> keyStoreEntryReaderMap() {
+        Map<KeyStoreSlot, KeyStoreEntryReader> map = new HashMap<>();
+        map.put(KeyStoreSlot.SLOT_NUMBER_0, keyStoreEntryReaderSlot0());
+        map.put(KeyStoreSlot.SLOT_NUMBER_1, keyStoreEntryReaderSlot1());
+        return map;
+    }
+
+    private KeyStoreEntryReader keyStoreEntryReaderSlot0() {
+        KeyStoreSlot slot = KeyStoreSlot.SLOT_NUMBER_0;
+        LunaKeyStoreProvider lunaKeyStoreProvider = new LunaKeyStoreProvider(slot, keyStorePasswordSlot0);
+        var keyStore = lunaKeyStoreProvider.loadKeyStore();
+        return new KeyStoreEntryReader(lunaKeyStoreProvider, keyStore, slot, keyStorePasswordSlot0.toCharArray());
+    }
+
+    private KeyStoreEntryReader keyStoreEntryReaderSlot1() {
+        KeyStoreSlot slot = KeyStoreSlot.SLOT_NUMBER_1;
+        LunaKeyStoreProvider lunaKeyStoreProvider = new LunaKeyStoreProvider(slot, keyStorePasswordSlot1);
+        var keyStore = lunaKeyStoreProvider.loadKeyStore();
+        return new KeyStoreEntryReader(lunaKeyStoreProvider, keyStore, slot, keyStorePasswordSlot1.toCharArray());
     }
 
     @Bean
     Supplier<Signature> signatureSupplier() {
         return this::getSignatureInstance;
     }
 
-    private Signature getSignatureInstance()  {
-        log.debug("signingSignature with {} and {}", SIGNING_ALGORITHM, LUNA_PROVIDER);
+    private Signature getSignatureInstance() {
+        log.debug("Get Signature Instance with {} and {}", SIGNING_ALGORITHM, LUNA_PROVIDER);
         Signature signature;
 
         try {

src/main/java/ch/admin/bag/covidcertificate/signature/config/HsmMockConfig.java

@@ -3,13 +3,16 @@
 import ch.admin.bag.covidcertificate.signature.config.error.SignatureCreationException;
 import ch.admin.bag.covidcertificate.signature.service.JksKeystoreProvider;
 import ch.admin.bag.covidcertificate.signature.service.KeyStoreEntryReader;
+import ch.admin.bag.covidcertificate.signature.service.KeyStoreSlot;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 
 import java.security.NoSuchAlgorithmException;
 import java.security.Signature;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.function.Supplier;
 
 @Configuration
@@ -18,25 +21,43 @@
 public class HsmMockConfig {
     private static final String SIGNING_ALGORITHM = "SHA512withRSA";
 
-    private static final String KEYSTORE_RESOURCE = "keystore.jks";
+    private static final String KEYSTORE_RESOURCE_SLOT_0 = "keystore_slot_0.jks";
+    private static final String KEYSTORE_RESOURCE_SLOT_1 = "keystore_slot_1.jks";
 
-    private static final String KEY_STORE_PASSWORD = "secret";
+    private static final String KEY_STORE_PASSWORD_SLOT_0 = "secret";
+    private static final String KEY_STORE_PASSWORD_SLOT_1 = "secret";
 
     @Bean
-    public KeyStoreEntryReader keyStoreEntryReader() {
-        log.info("--------------> Login MOCK HSM");
-        var keystoreProvider = new JksKeystoreProvider(KEYSTORE_RESOURCE, KEY_STORE_PASSWORD);
+    public Map<KeyStoreSlot, KeyStoreEntryReader> keyStoreEntryReaderMap() {
+        Map<KeyStoreSlot, KeyStoreEntryReader> map = new HashMap<>();
+        map.put(KeyStoreSlot.SLOT_NUMBER_0, keyStoreEntryReaderSlot0());
+        map.put(KeyStoreSlot.SLOT_NUMBER_1, keyStoreEntryReaderSlot1());
+        return map;
+    }
+
+    private KeyStoreEntryReader keyStoreEntryReaderSlot0() {
+        KeyStoreSlot slot = KeyStoreSlot.SLOT_NUMBER_0;
+        log.info("--------------> Login MOCK HSM slot {}", slot);
+        var keystoreProvider = new JksKeystoreProvider(KEYSTORE_RESOURCE_SLOT_0, KEY_STORE_PASSWORD_SLOT_0);
+        var keyStore = keystoreProvider.loadKeyStore();
+        return new KeyStoreEntryReader(keystoreProvider, keyStore, slot, KEY_STORE_PASSWORD_SLOT_0.toCharArray());
+    }
+
+    private KeyStoreEntryReader keyStoreEntryReaderSlot1() {
+        KeyStoreSlot slot = KeyStoreSlot.SLOT_NUMBER_1;
+        log.info("--------------> Login MOCK HSM slot {}", slot);
+        var keystoreProvider = new JksKeystoreProvider(KEYSTORE_RESOURCE_SLOT_1, KEY_STORE_PASSWORD_SLOT_1);
         var keyStore = keystoreProvider.loadKeyStore();
-        return new KeyStoreEntryReader(keystoreProvider, keyStore, KEY_STORE_PASSWORD.toCharArray());
+        return new KeyStoreEntryReader(keystoreProvider, keyStore, slot, KEY_STORE_PASSWORD_SLOT_1.toCharArray());
     }
 
     @Bean
     Supplier<Signature> signatureSupplier() {
         return this::getSignatureInstance;
     }
 
-    private Signature getSignatureInstance()  {
-        log.debug("signingSignature with {}", SIGNING_ALGORITHM);
+    private Signature getSignatureInstance() {
+        log.debug("Get Signature Instance with {}", SIGNING_ALGORITHM);
         Signature signature;
 
         try {

src/main/java/ch/admin/bag/covidcertificate/signature/service/JksKeystoreProvider.java

@@ -29,7 +29,7 @@ public KeyStore loadKeyStore() {
 
             return keyStore;
         } catch (IOException | CertificateException | NoSuchAlgorithmException | KeyStoreException e) {
-            throw new IllegalStateException("Could not open the " + keystoreResource + " keystore: " + e.getMessage(), e);
+            throw new IllegalStateException(String.format("Could not open the keystore for resource %s: %s", keystoreResource, e.getMessage()), e);
         }
     }
 

src/main/java/ch/admin/bag/covidcertificate/signature/service/KeyStoreEntryReader.java

@@ -10,27 +10,24 @@
 
 @Slf4j
 public class KeyStoreEntryReader {
-    private static final String MOCK_AND_TEST_PASS = "secret";
+
+    /** An email alert is triggered when this message appears in the logs. */
+    private static final String WARNING_KEYSTORE_LOST_WITH_MONITORING = "Connection to Keystore was lost. Reloading keystore.";
 
     private final KeyStoreProvider keyStoreProvider;
     private KeyStore keyStore;
+    private final KeyStoreSlot slot;
     private final char[] keyPassword;
 
-    public KeyStoreEntryReader(KeyStoreProvider keyStoreProvider, KeyStore keyStore, char[] keyPassword) {
+    public KeyStoreEntryReader(KeyStoreProvider keyStoreProvider, KeyStore keyStore, KeyStoreSlot slot, char[] keyPassword) {
         this.keyStoreProvider = keyStoreProvider;
         this.keyStore = keyStore;
+        this.slot = slot;
         this.keyPassword = keyPassword;
     }
 
-    public KeyStoreEntryReader(KeyStoreProvider keyStoreProvider, KeyStore keyStore) {
-        this.keyStoreProvider = keyStoreProvider;
-        this.keyStore = keyStore;
-        this.keyPassword = MOCK_AND_TEST_PASS.toCharArray();
-    }
-
-    public PrivateKey getPrivateKey(String alias)  {
-
-        log.debug("GET PRIVATE KEY {}", alias);
+    public PrivateKey getPrivateKey(String alias) {
+        log.debug("GET PRIVATE KEY {} from slot {}", alias, slot.getSlotNumber());
         rebuildKeystoreIfNeeded(alias);
 
         try {
@@ -39,40 +36,37 @@ public PrivateKey getPrivateKey(String alias)  {
                 return privateKey;
             }
         } catch (Exception e) {
-            throw new SecurityException("Failed to retrieve the key for alias " + alias + " from the keystore: ", e);
-        }
-        throw new SecurityException("The KeyStore has no privateKey for alias: " + alias);
-    }
-
-    private void rebuildKeystoreIfNeeded(String alias){
-        var warning = "Connection to Keystore was lost. Reloading keystore.";
-        try {
-            if(!keyStore.containsAlias(alias)) {
-                log.warn(warning);
-                keyStore = keyStoreProvider.loadKeyStore();
-            }
-        }catch (KeyStoreException| RuntimeException e){
-            log.warn(warning);
-            if(log.isDebugEnabled()) {
-                log.debug(warning, e);
-            }
-            keyStore = keyStoreProvider.loadKeyStore();
+            throw new SecurityException(String.format("KeyStore slot %s: Failed to retrieve the privateKey for alias %s", slot.getSlotNumber(), alias), e);
         }
+        throw new SecurityException(String.format("KeyStore slot %s: Has no privateKey for alias %s", slot.getSlotNumber(), alias));
     }
 
     public X509Certificate getCertificate(String alias) {
-        log.debug("GET Certificate {}", alias);
+        log.debug("GET Certificate {} from slot {}", alias, slot.getSlotNumber());
         rebuildKeystoreIfNeeded(alias);
 
         try {
+
             var certificate = keyStore.getCertificate(alias);
             if (certificate != null) {
                 return (X509Certificate) certificate;
             }
         } catch (Exception e) {
-            throw new CertificateNotFoundException("Failed to retrieve the certificate from the keyStore for alias: " + alias, e);
+            throw new CertificateNotFoundException(String.format("KeyStore slot %s: Failed to retrieve the certificate for alias %s", slot.getSlotNumber(), alias), e);
         }
-        throw new CertificateNotFoundException("The KeyStore has no certificate for alias: " + alias);
+        throw new CertificateNotFoundException(String.format("KeyStore slot %s: Has no certificate for alias %s", slot.getSlotNumber(), alias));
     }
 
+    private void rebuildKeystoreIfNeeded(String alias) {
+        try {
+            if (!keyStore.containsAlias(alias)) {
+                log.info("Alias {} not found. Reloading keystore for slot {}.", alias, slot);
+                keyStore = keyStoreProvider.loadKeyStore();
+            }
+        } catch (KeyStoreException | RuntimeException e) {
+            log.warn("Could not reload keystore for slot {}, trying again", slot, e);
+            log.warn(WARNING_KEYSTORE_LOST_WITH_MONITORING);
+            keyStore = keyStoreProvider.loadKeyStore();
+        }
+    }
 }

src/main/java/ch/admin/bag/covidcertificate/signature/service/KeyStoreSlot.java

@@ -0,0 +1,31 @@
+package ch.admin.bag.covidcertificate.signature.service;
+
+import java.util.Objects;
+
+/**
+ * The HSM can be configured to use multiple slots.
+ * Each slot can be viewed like a separate HSM and has to be accessed separately.
+ */
+public enum KeyStoreSlot {
+    SLOT_NUMBER_0(0),
+    SLOT_NUMBER_1(1);
+
+    private final Integer slotNumber;
+
+    KeyStoreSlot(Integer slotNumber) {
+        this.slotNumber = slotNumber;
+    }
+
+    public Integer getSlotNumber() {
+        return this.slotNumber;
+    }
+
+    public static KeyStoreSlot fromSlotNumber(Integer slotNumber) {
+        for (KeyStoreSlot slot : KeyStoreSlot.values()) {
+            if (Objects.equals(slot.getSlotNumber(), slotNumber)) {
+                return slot;
+            }
+        }
+        throw new IllegalArgumentException(String.format("SlotNumber %s is not a valid value.", slotNumber));
+    }
+}