added/improved logging of trusted certificates

Author: hhund

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/spring/config/DsfClientConfig.java

@@ -2,6 +2,7 @@
 
 import java.security.KeyStore;
 import java.util.UUID;
+import java.util.stream.Collectors;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -10,6 +11,8 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
+import de.hsheilbronn.mi.utils.crypto.cert.CertificateFormatter.X500PrincipalFormat;
+import de.hsheilbronn.mi.utils.crypto.keystore.KeyStoreFormatter;
 import dev.dsf.bpe.client.dsf.ClientProvider;
 import dev.dsf.bpe.client.dsf.ClientProviderImpl;
 
@@ -31,7 +34,7 @@ public class DsfClientConfig implements InitializingBean
 	public void afterPropertiesSet() throws Exception
 	{
 		logger.info(
-				"Local webservice client config: {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {},"
+				"Local DSF webservice client config: {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {},"
 						+ " url: {}, proxy: {}}",
 				propertiesConfig.getDsfClientTrustedServerCasFileOrFolder(),
 				propertiesConfig.getDsfClientCertificateFile(),
@@ -41,7 +44,7 @@ public void afterPropertiesSet() throws Exception
 				propertiesConfig.proxyConfig().isEnabled(propertiesConfig.getDsfServerBaseUrl()) ? "enabled"
 						: "disabled");
 		logger.info(
-				"Local websocket client config: {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {},"
+				"Local DSF websocket client config: {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {},"
 						+ " url: {}, proxy: {}}",
 				propertiesConfig.getDsfClientTrustedServerCasFileOrFolder(),
 				propertiesConfig.getDsfClientCertificateFile(),
@@ -51,7 +54,7 @@ public void afterPropertiesSet() throws Exception
 				propertiesConfig.proxyConfig().isEnabled(getWebsocketUrl()) ? "enabled" : "disabled");
 
 		logger.info(
-				"Remote webservice client config: {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {},"
+				"Remote DSF webservice client config: {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {},"
 						+ " proxy: {}}",
 				propertiesConfig.getDsfClientTrustedServerCasFileOrFolder(),
 				propertiesConfig.getDsfClientCertificateFile(),
@@ -60,6 +63,12 @@ public void afterPropertiesSet() throws Exception
 				propertiesConfig.proxyConfig().isEnabled()
 						? "enabled if remote server not in " + propertiesConfig.proxyConfig().getNoProxyUrls()
 						: "disabled");
+
+		logger.info("Using trust-store with {} to validate local and remote DSF server certificates",
+				KeyStoreFormatter
+						.toSubjectsFromCertificates(propertiesConfig.getDsfClientTrustedServerCas(),
+								X500PrincipalFormat.RFC1779)
+						.values().stream().collect(Collectors.joining("; ", "[", "]")));
 	}
 
 	@Bean

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/spring/config/FhirClientConnectionsConfig.java

@@ -6,6 +6,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.time.Duration;
+import java.util.stream.Collectors;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -14,6 +15,8 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
+import de.hsheilbronn.mi.utils.crypto.cert.CertificateFormatter.X500PrincipalFormat;
+import de.hsheilbronn.mi.utils.crypto.keystore.KeyStoreFormatter;
 import dev.dsf.bpe.api.client.oidc.OidcClient;
 import dev.dsf.bpe.api.client.oidc.OidcClientException;
 import dev.dsf.bpe.api.config.FhirClientConfig;
@@ -58,6 +61,13 @@ public FhirClientConfigYamlReaderImpl fhirClientYamlConfigReader()
 		KeyStore defaultTrustStore = propertiesConfig.getFhirClientConnectionsConfigDefaultTrustStore();
 		String defaultOidcDiscoveryPath = propertiesConfig.getFhirClientConnectionsConfigDefaultOidcDiscoveryPath();
 
+		logger.info(
+				"Using trust-store with {} as default to validate server certificates for v2 process plugin client connections",
+				KeyStoreFormatter
+						.toSubjectsFromCertificates(propertiesConfig.getDsfClientTrustedServerCas(),
+								X500PrincipalFormat.RFC1779)
+						.values().stream().collect(Collectors.joining("; ", "[", "]")));
+
 		return new FhirClientConfigYamlReaderImpl(defaultTestConnectionOnStartup, defaultEnableDebugLogging,
 				defaultConnectTimeout, defaultReadTimeout, defaultTrustStore, defaultOidcDiscoveryPath);
 	}

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/spring/config/MailConfig.java

@@ -7,6 +7,7 @@
 import java.time.format.DateTimeFormatter;
 import java.util.List;
 import java.util.UUID;
+import java.util.stream.Collectors;
 
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.LogManager;
@@ -23,6 +24,8 @@
 import org.springframework.context.event.ContextRefreshedEvent;
 import org.springframework.context.event.EventListener;
 
+import de.hsheilbronn.mi.utils.crypto.cert.CertificateFormatter.X500PrincipalFormat;
+import de.hsheilbronn.mi.utils.crypto.keystore.KeyStoreFormatter;
 import dev.dsf.bpe.api.service.BpeMailService;
 import dev.dsf.bpe.mail.LoggingMailService;
 import dev.dsf.bpe.mail.SmtpMailService;
@@ -106,6 +109,15 @@ public void afterPropertiesSet() throws Exception
 					propertiesConfig.getSendTestMailOnStartup(), propertiesConfig.getSendMailOnErrorLogEvent(),
 					propertiesConfig.getMailOnErrorLogEventBufferSize(),
 					propertiesConfig.getMailOnErrorLogEventDebugLogLocation());
+
+			if (propertiesConfig.getMailUseSmtps())
+			{
+				logger.info("Using trust-store with {} to validate mail server certificate",
+						KeyStoreFormatter
+								.toSubjectsFromCertificates(propertiesConfig.getDsfClientTrustedServerCas(),
+										X500PrincipalFormat.RFC1779)
+								.values().stream().collect(Collectors.joining("; ", "[", "]")));
+			}
 		}
 		else
 		{

dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/auth/ClientCertificateAuthenticator.java

@@ -82,7 +82,7 @@ public AuthenticationState validateRequest(Request request, Response response, C
 
 	private X509TrustManager createX509TrustManager(KeyStore clientTrustStore)
 	{
-		logger.info("Using {} to validate client certificates",
+		logger.info("Using trust-store with {} to validate client certificates",
 				KeyStoreFormatter.toSubjectsFromCertificates(clientTrustStore, X500PrincipalFormat.RFC1779).values()
 						.stream().collect(Collectors.joining("; ", "[", "]")));
 

dsf-common/dsf-common-jetty/src/main/java/dev/dsf/common/config/AbstractJettyConfig.java

@@ -43,10 +43,12 @@
 import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
 import org.springframework.core.env.ConfigurableEnvironment;
 
+import de.hsheilbronn.mi.utils.crypto.cert.CertificateFormatter.X500PrincipalFormat;
 import de.hsheilbronn.mi.utils.crypto.cert.CertificateValidator;
 import de.hsheilbronn.mi.utils.crypto.io.PemReader;
 import de.hsheilbronn.mi.utils.crypto.keypair.KeyPairValidator;
 import de.hsheilbronn.mi.utils.crypto.keystore.KeyStoreCreator;
+import de.hsheilbronn.mi.utils.crypto.keystore.KeyStoreFormatter;
 import dev.dsf.common.auth.BackChannelLogoutAuthenticator;
 import dev.dsf.common.auth.BearerTokenAuthenticator;
 import dev.dsf.common.auth.ClientCertificateAuthenticator;
@@ -391,7 +393,13 @@ private HttpClient createOidcClient()
 
 		SslContextFactory.Client sslContextFactory = new SslContextFactory.Client(false);
 		if (oidcProviderClientTrustStore != null)
+		{
 			sslContextFactory.setTrustStore(oidcProviderClientTrustStore);
+			logger.info("Using trust-store with {} to validate OIDC provider server certificate",
+					KeyStoreFormatter
+							.toSubjectsFromCertificates(oidcProviderClientTrustStore, X500PrincipalFormat.RFC1779)
+							.values().stream().collect(Collectors.joining("; ", "[", "]")));
+		}
 		if (oidcProviderClientKeyStore != null)
 		{
 			sslContextFactory.setKeyStore(oidcProviderClientKeyStore);

dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/spring/config/ClientConfig.java

@@ -12,6 +12,7 @@
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.UUID;
+import java.util.stream.Collectors;
 
 import org.bouncycastle.pkcs.PKCSException;
 import org.slf4j.Logger;
@@ -21,10 +22,12 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
+import de.hsheilbronn.mi.utils.crypto.cert.CertificateFormatter.X500PrincipalFormat;
 import de.hsheilbronn.mi.utils.crypto.cert.CertificateValidator;
 import de.hsheilbronn.mi.utils.crypto.io.PemReader;
 import de.hsheilbronn.mi.utils.crypto.keypair.KeyPairValidator;
 import de.hsheilbronn.mi.utils.crypto.keystore.KeyStoreCreator;
+import de.hsheilbronn.mi.utils.crypto.keystore.KeyStoreFormatter;
 import dev.dsf.fhir.client.ClientProvider;
 import dev.dsf.fhir.client.ClientProviderImpl;
 
@@ -110,13 +113,18 @@ else if (!KeyPairValidator.matches(privateKey, certificates.get(0).getPublicKey(
 	public void afterPropertiesSet() throws Exception
 	{
 		logger.info(
-				"Remote webservice client config: {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {},"
+				"Remote DSF webservice client config: {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {},"
 						+ " proxy: {}, no_proxy: {}}",
 				propertiesConfig.getDsfClientTrustedServerCasFileOrFolder(),
 				propertiesConfig.getDsfClientCertificateFile(),
 				propertiesConfig.getDsfClientCertificatePrivateKeyFile(),
 				propertiesConfig.getDsfClientCertificatePrivateKeyFilePassword() != null ? "***" : "null",
 				propertiesConfig.proxyConfig().isEnabled() ? "enabled" : "disabled",
 				propertiesConfig.proxyConfig().getNoProxyUrls());
+		logger.info("Using trust-store with {} to validate remote DSF server certificates",
+				KeyStoreFormatter
+						.toSubjectsFromCertificates(propertiesConfig.getDsfClientTrustedServerCas(),
+								X500PrincipalFormat.RFC1779)
+						.values().stream().collect(Collectors.joining("; ", "[", "]")));
 	}
 }