default trusted CAs now stored as separate files

Default trusted CAs (root, issuing or chains - root and issuing) are now
stored as separate files in folders of the bpe, bpe_proxy, fhir and
fhir_proxy docker images.
The config parameters of the fhir and bpe servers can be configured with
a folder containing (*.pem, *.crt) files or a single file with multiple
pem encoded CAs. By default a folder is configured, allowing additions
or full override via docker bind mount, but a single custom file can
still be configured.
The fhir_proxy and bpe_proxy images have now default folders configured
via the SSL_CA_DN_REQUEST_PATH and SSL_CA_CERTIFICATE_PATH environment
variables. The matching ..._PATH variables are ignored if
SSL_CA_DN_REQUEST_FILE or SSL_CA_CERTIFICATE_FILE point to existing
files. This change also enablsd addition or replacement via docker bind
mount and configuration of single files via the ...FILE variables.
The symlinks with sha1 hashes of a canonicalized form of the subject DN
string needed for apache httpd are created during container startup.

Author: hhund

.gitignore

@@ -21,7 +21,8 @@ dsf-bpe/dsf-bpe-server-jetty/cert/*.key
 dsf-bpe/dsf-bpe-server-jetty/conf/config.properties
 dsf-bpe/dsf-bpe-server-jetty/docker/api/v1/*.jar
 dsf-bpe/dsf-bpe-server-jetty/docker/api/v2/*.jar
-dsf-bpe/dsf-bpe-server-jetty/docker/ca/*.pem
+dsf-bpe/dsf-bpe-server-jetty/docker/ca/client_ca_chains/*.crt
+dsf-bpe/dsf-bpe-server-jetty/docker/ca/server_root_cas/*.crt
 dsf-bpe/dsf-bpe-server-jetty/docker/dsf_bpe.jar
 dsf-bpe/dsf-bpe-server-jetty/docker/dsf_status_client.jar
 dsf-bpe/dsf-bpe-server-jetty/docker/lib/*.jar
@@ -32,8 +33,10 @@ dsf-bpe/dsf-bpe-server-jetty/ui
 ###
 # dsf-docker ignore
 ###
-dsf-docker/bpe_proxy/ca/*.pem
-dsf-docker/fhir_proxy/ca/*.pem
+dsf-docker/bpe_proxy/ca/client_ca_chains/*.crt
+dsf-docker/bpe_proxy/ca/client_issuing_cas/*.crt
+dsf-docker/fhir_proxy/ca/client_ca_chains/*.crt
+dsf-docker/fhir_proxy/ca/client_issuing_cas/*.crt
 
 ###
 # dsf-docker-test-setup ignores
@@ -98,25 +101,10 @@ dsf-fhir/dsf-fhir-server-jetty/cert/*.crt
 dsf-fhir/dsf-fhir-server-jetty/cert/*.key
 dsf-fhir/dsf-fhir-server-jetty/conf/bundle.xml
 dsf-fhir/dsf-fhir-server-jetty/conf/config.properties
-dsf-fhir/dsf-fhir-server-jetty/docker/ca/*.pem
+dsf-fhir/dsf-fhir-server-jetty/docker/ca/client_ca_chains/*.crt
+dsf-fhir/dsf-fhir-server-jetty/docker/ca/server_root_cas/*.crt
 dsf-fhir/dsf-fhir-server-jetty/docker/dsf_fhir.jar
 dsf-fhir/dsf-fhir-server-jetty/docker/dsf_status_client.jar
 dsf-fhir/dsf-fhir-server-jetty/docker/lib/*.jar
 dsf-fhir/dsf-fhir-server-jetty/ui
-dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/bundle.xml
-
-###
-# dsf-tools ignores
-###
-dsf-tools/dsf-tools-default-ca-files-generator/cert/*.pem
-
-dsf-tools/dsf-tools-test-data-generator/bundle/*.xml
-
-dsf-tools/dsf-tools-test-data-generator/cert/**/*.pem
-dsf-tools/dsf-tools-test-data-generator/cert/**/*.key
-dsf-tools/dsf-tools-test-data-generator/cert/**/*.crt
-dsf-tools/dsf-tools-test-data-generator/cert/**/*.csr
-dsf-tools/dsf-tools-test-data-generator/cert/**/*.p12
-dsf-tools/dsf-tools-test-data-generator/cert/thumbprints.txt
-
-dsf-tools/dsf-tools-test-data-generator/config/*.properties
+dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/bundle.xml

dsf-bpe/dsf-bpe-server-jetty/docker/.dockerignore

@@ -1,6 +1,7 @@
 api/v1/README.md
 api/v2/README.md
-ca/README.md
+ca/client_ca_chains/README.md
+ca/server_root_cas/README.md
 conf/README.md
 lib/README.md
 lib_external/README.md

dsf-bpe/dsf-bpe-server-jetty/docker/Dockerfile

@@ -3,8 +3,8 @@ RUN adduser --system --no-create-home --group --uid 2202 java
 WORKDIR /opt/bpe
 COPY --chown=root:java ./ ./
 RUN chown root:java ./ && \
-    chmod 750 ./ ./api ./api/v1 ./api/v2 ./ca ./conf ./lib ./lib_external ./process ./ui ./dsf_bpe_start.sh ./healthcheck.sh && \
-	chmod 440 ./ca/client_cert_ca_chains.pem ./ca/server_cert_root_cas.pem ./dsf_bpe.jar ./lib/*.jar && \
+    chmod 750 ./ ./api ./api/v1 ./api/v2 ./ca ./ca/client_ca_chains ./ca/server_root_cas ./conf ./lib ./lib_external ./process ./ui ./dsf_bpe_start.sh ./healthcheck.sh && \
+	chmod 440 ./ca/client_ca_chains/*.crt ./ca/server_root_cas/*.crt ./dsf_bpe.jar ./lib/*.jar && \
 	chmod 1775 ./log
 
 

dsf-bpe/dsf-bpe-server-jetty/docker/ca/README.md

@@ -0,0 +1 @@
+Empty `client_ca_chains` directory for maven/docker build, will contain default certificate authority pem files after maven build

dsf-bpe/dsf-bpe-server-jetty/docker/ca/client_ca_chains/README.md

@@ -0,0 +1 @@
+Empty `server_root_cas` directory for maven/docker build, will contain default certificate authority pem files after maven build

dsf-bpe/dsf-bpe-server-jetty/docker/ca/server_root_cas/README.md

@@ -125,16 +125,30 @@
 							<followSymlinks>false</followSymlinks>
 						</fileset>
 						<fileset>
-							<directory>docker/ca</directory>
+							<directory>docker/ca/client_ca_chains</directory>
 							<includes>
-								<include>*.pem</include>
+								<include>*.crt</include>
 							</includes>
 							<followSymlinks>false</followSymlinks>
 						</fileset>
 						<fileset>
-							<directory>../../dsf-docker/bpe_proxy/ca</directory>
+							<directory>docker/ca/server_root_cas</directory>
 							<includes>
-								<include>*.pem</include>
+								<include>*.crt</include>
+							</includes>
+							<followSymlinks>false</followSymlinks>
+						</fileset>
+						<fileset>
+							<directory>../../dsf-docker/bpe_proxy/ca/client_ca_chains</directory>
+							<includes>
+								<include>*.crt</include>
+							</includes>
+							<followSymlinks>false</followSymlinks>
+						</fileset>
+						<fileset>
+							<directory>../../dsf-docker/bpe_proxy/ca/client_issuing_cas</directory>
+							<includes>
+								<include>*.crt</include>
 							</includes>
 							<followSymlinks>false</followSymlinks>
 						</fileset>
@@ -160,15 +174,15 @@
 				</executions>
 				<configuration>
 					<configDocPackages>dev.dsf.common,dev.dsf.bpe</configDocPackages>
-					<clientCertIssuingCaFiles>
-						../../dsf-docker/bpe_proxy/ca/client_cert_issuing_cas.pem
-					</clientCertIssuingCaFiles>
-					<clientCertCaChainFiles>
-						../../dsf-docker/bpe_proxy/ca/client_cert_ca_chains.pem,docker/ca/client_cert_ca_chains.pem
-					</clientCertCaChainFiles>
-					<serverCertRootCaFiles>
-						docker/ca/server_cert_root_cas.pem
-					</serverCertRootCaFiles>
+					<clientIssuingCas>
+						../../dsf-docker/bpe_proxy/ca/client_issuing_cas
+					</clientIssuingCas>
+					<clientCaChains>
+						../../dsf-docker/bpe_proxy/ca/client_ca_chains,docker/ca/client_ca_chains
+					</clientCaChains>
+					<serverRootCas>
+						docker/ca/server_root_cas
+					</serverRootCas>
 				</configuration>
 			</plugin>
 		</plugins>

dsf-bpe/dsf-bpe-server-jetty/pom.xml

@@ -33,7 +33,8 @@ public void afterPropertiesSet() throws Exception
 		logger.info(
 				"Local webservice client config: {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {},"
 						+ " url: {}, proxy: {}}",
-				propertiesConfig.getDsfClientTrustedServerCasFile(), propertiesConfig.getDsfClientCertificateFile(),
+				propertiesConfig.getDsfClientTrustedServerCasFileOrFolder(),
+				propertiesConfig.getDsfClientCertificateFile(),
 				propertiesConfig.getDsfClientCertificatePrivateKeyFile(),
 				propertiesConfig.getDsfClientCertificatePrivateKeyFilePassword() != null ? "***" : "null",
 				propertiesConfig.getDsfServerBaseUrl(),
@@ -42,7 +43,8 @@ public void afterPropertiesSet() throws Exception
 		logger.info(
 				"Local websocket client config: {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {},"
 						+ " url: {}, proxy: {}}",
-				propertiesConfig.getDsfClientTrustedServerCasFile(), propertiesConfig.getDsfClientCertificateFile(),
+				propertiesConfig.getDsfClientTrustedServerCasFileOrFolder(),
+				propertiesConfig.getDsfClientCertificateFile(),
 				propertiesConfig.getDsfClientCertificatePrivateKeyFile(),
 				propertiesConfig.getDsfClientCertificatePrivateKeyFilePassword() != null ? "***" : "null",
 				getWebsocketUrl(),
@@ -51,7 +53,8 @@ public void afterPropertiesSet() throws Exception
 		logger.info(
 				"Remote webservice client config: {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {},"
 						+ " proxy: {}}",
-				propertiesConfig.getDsfClientTrustedServerCasFile(), propertiesConfig.getDsfClientCertificateFile(),
+				propertiesConfig.getDsfClientTrustedServerCasFileOrFolder(),
+				propertiesConfig.getDsfClientCertificateFile(),
 				propertiesConfig.getDsfClientCertificatePrivateKeyFile(),
 				propertiesConfig.getDsfClientCertificatePrivateKeyFilePassword() != null ? "***" : "null",
 				propertiesConfig.proxyConfig().isEnabled()
@@ -63,7 +66,7 @@ public void afterPropertiesSet() throws Exception
 	public ClientProvider clientProvider()
 	{
 		char[] keyStorePassword = UUID.randomUUID().toString().toCharArray();
-		KeyStore keyStore = propertiesConfig.getDsfClientCertificate(keyStorePassword);
+		KeyStore keyStore = propertiesConfig.getDsfClientKeyStore(keyStorePassword);
 		KeyStore trustStore = propertiesConfig.getDsfClientTrustedServerCas();
 
 		return new ClientProviderImpl(fhirConfig.fhirContext(), propertiesConfig.getDsfServerBaseUrl(),

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/spring/config/DsfClientConfig.java

@@ -70,8 +70,8 @@ private BpeMailService newSmptMailService()
 
 		KeyStore trustStore = propertiesConfig.getMailServerTrustStore();
 		char[] keyStorePassword = UUID.randomUUID().toString().toCharArray();
-		KeyStore keyStore = propertiesConfig.getMailServerKeyStore(keyStorePassword).orElse(null);
-		KeyStore signStore = propertiesConfig.getMailSmimeSigingKeyStore().orElse(null);
+		KeyStore keyStore = propertiesConfig.getMailClientKeyStore(keyStorePassword);
+		KeyStore signStore = propertiesConfig.getMailSmimeSigingKeyStore();
 
 		return new SmtpMailService(fromAddress, toAddresses, toAddressesCc, replyToAddresses, useSmtps,
 				mailServerHostname, mailServerPort, mailServerUsername, mailServerPassword, trustStore, keyStore,
@@ -97,10 +97,10 @@ public void afterPropertiesSet() throws Exception
 					propertiesConfig.getMailUseSmtps(), propertiesConfig.getMailServerHostname(),
 					propertiesConfig.getMailServerPort(), propertiesConfig.getMailServerUsername(),
 					propertiesConfig.getMailServerPassword() != null ? "***" : "null",
-					propertiesConfig.getMailServerTrustStoreFile(),
-					propertiesConfig.getMailServerClientCertificateFile(),
-					propertiesConfig.getMailServerClientCertificatePrivateKeyFile(),
-					propertiesConfig.getMailServerClientCertificatePrivateKeyFilePassword() != null ? "***" : "null",
+					propertiesConfig.getMailServerTrustStoreFileOrFolder(),
+					propertiesConfig.getMailClientCertificateFile(),
+					propertiesConfig.getMailClientCertificatePrivateKeyFile(),
+					propertiesConfig.getMailClientCertificatePrivateKeyFilePassword() != null ? "***" : "null",
 					propertiesConfig.getMailSmimeSigingKeyStoreFile(),
 					propertiesConfig.getMailSmimeSigingKeyStorePassword() != null ? "***" : "null",
 					propertiesConfig.getSendTestMailOnStartup(), propertiesConfig.getSendMailOnErrorLogEvent(),

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/spring/config/MailConfig.java

@@ -118,7 +118,7 @@ public KeyStore getTrustStore()
 			@Override
 			public KeyStore getKeyStore()
 			{
-				return propertiesConfig.getDsfClientCertificate(keyStorePassword);
+				return propertiesConfig.getDsfClientKeyStore(keyStorePassword);
 			}
 
 			@Override