Merge branch 'RM-3762' into 'master'

RM-3762: fix reading of PKCS11 properties when sent via CLI

See merge request cdoc2/cdoc2-java-ref-impl!50

Author: OlesjaAarma

cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/commands/CDocCreateCmd.java

@@ -123,8 +123,8 @@ public Void call() throws Exception {
         LabeledPassword labeledPassword = null;
         if (this.recipient.labeledPasswordParam != null) {
             labeledPassword = (this.recipient.labeledPasswordParam.isEmpty())
-                    ? InteractiveCommunicationUtil.readPasswordAndLabelInteractively(true)
-                    : this.recipient.labeledPasswordParam.labeledPassword();
+                ? InteractiveCommunicationUtil.readPasswordAndLabelInteractively(true)
+                : this.recipient.labeledPasswordParam.labeledPassword();
         }
 
         List<EncryptionKeyMaterial> recipients = EncryptionKeyMaterial.collectionBuilder()

cdoc2-lib/src/test/java/ee/cyber/cdoc2/crypto/Pkcs11DeviceConfiguration.java

@@ -14,32 +14,52 @@
 /**
  * Test configuration for running PKCS11 tests using a hardware device.
  */
-public record Pkcs11DeviceConfiguration(
-        // full path to the PKCS11 provider library
-        String pkcs11Library,
+public class Pkcs11DeviceConfiguration {
 
-        // the PKCS11 device slot
-        int slot,
+    private static final Logger log = LoggerFactory.getLogger(Pkcs11DeviceConfiguration.class);
 
-        // alias of the key in the keystore to use (if multiple keys in the keystore)
-        @Nullable String keyAlias,
+    public Pkcs11DeviceConfiguration() {
+        load();
+    }
 
-        // the keystore pin
-        char[] pin,
+    private String pkcs11Library;
+    // the PKCS11 device slot
+    private int slot;
+    // alias of the key in the keystore to use (if multiple keys in the keystore)
+    private @Nullable String keyAlias;
+    // the keystore pin
+    private char[] pin;
+    // part of the CN field in the certificate
+    private String certCn;
 
-        // part of the CN field in the certificate
-        String certCn) {
+    public String getPkcs11Library() {
+        return pkcs11Library;
+    }
 
-    private static final Logger log = LoggerFactory.getLogger(Pkcs11DeviceConfiguration.class);
+    public int getSlot() {
+        return slot;
+    }
+
+    public char[] getPin() {
+        return pin;
+    }
+
+    @Nullable
+    public String getKeyAlias() {
+        return keyAlias;
+    }
+
+    public String getCertCn() {
+        return certCn;
+    }
 
     /**
      * Loads the PKCS11 device configuration from a file on the classpath.
      * <p>
      * The properties file can be specified with the system property cdoc2.pkcs11.test-configuration
      * e.g -D cdoc2.pkcs11.test-configuration=pkcs11-test-idcard.properties
-     *
      */
-    public static Pkcs11DeviceConfiguration load() {
+    private void load() {
         final String classpath = "classpath:";
         String filename = System.getProperty(
             "cdoc2.pkcs11.conf-file",
@@ -51,18 +71,18 @@ public static Pkcs11DeviceConfiguration load() {
         } else {
             propertyFileName = new File(filename).getAbsolutePath();
         }
-        return loadFromPropertiesFile(propertyFileName);
+        loadFromPropertiesFile(propertyFileName);
     }
 
-    private static Pkcs11DeviceConfiguration loadFromPropertiesFile(String filename) {
+    private void loadFromPropertiesFile(String filename) {
         log.info("Loading PKCS11 device configuration from {}", filename);
 
         try (InputStream is
                  = Resources.getResourceAsStream(filename, Pkcs11Test.class.getClassLoader())) {
             var properties = new Properties();
             properties.load(is);
 
-            return new Pkcs11DeviceConfiguration(
+            init(
                 getRequiredProperty(properties, "pkcs11.library"),
                 Integer.parseInt(getRequiredProperty(properties, "pkcs11.slot")),
                 properties.getProperty("pkcs11.key-alias"),
@@ -75,7 +95,21 @@ private static Pkcs11DeviceConfiguration loadFromPropertiesFile(String filename)
         }
     }
 
-    private static String getRequiredProperty(Properties properties, String property) {
+    private void init(
+        String xPkcs11Library,
+        int xSlot,
+        String xKeyAlias,
+        char[] xPin,
+        String xCertCn
+    ) {
+        this.pkcs11Library = xPkcs11Library;
+        this.slot = xSlot;
+        this.keyAlias = xKeyAlias;
+        this.pin = xPin;
+        this.certCn = xCertCn;
+    }
+
+    private String getRequiredProperty(Properties properties, String property) {
         return Optional.ofNullable(properties.getProperty(property))
             .orElseThrow(() -> new IllegalArgumentException("Required property '" + property + "' not found"));
     }

cdoc2-lib/src/test/java/ee/cyber/cdoc2/crypto/Pkcs11Test.java

@@ -21,6 +21,7 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+
 /**
  * These tests will fail without a PKCS11 device (smart card, usb token).
  * The device and its details can be configured using a properties file under src/test/resources/
@@ -31,15 +32,15 @@ class Pkcs11Test {
     private static final Logger log = LoggerFactory.getLogger(Pkcs11Test.class);
 
     // load pkcs11 device properties
-    private static final Pkcs11DeviceConfiguration CONF = Pkcs11DeviceConfiguration.load();
+    private Pkcs11DeviceConfiguration conf = new Pkcs11DeviceConfiguration();
 
     @Test
     @Tag("pkcs11")
     void testLoadKeyInteractively() throws Exception {
         // seems that when pin has already been provided to SunPKCS11, then pin is not asked again
         // so running this test with other tests doesn't make much sense
         KeyPair keyPair = Pkcs11Tools.loadFromPKCS11Interactively(
-            CONF.pkcs11Library(), CONF.slot(), CONF.keyAlias()
+            conf.getPkcs11Library(), conf.getSlot(), conf.getKeyAlias()
         );
 
         if (Crypto.isECPKCS11Key(keyPair.getPrivate())) {
@@ -51,9 +52,9 @@ void testLoadKeyInteractively() throws Exception {
     @Tag("pkcs11")
     void testLoadCert() throws Exception {
         var pair = Pkcs11Tools.loadFromPKCS11(
-            Pkcs11Tools.createSunPkcsConfigurationFile(null, CONF.pkcs11Library(), CONF.slot()),
-            new KeyStore.PasswordProtection(CONF.pin()),
-            CONF.keyAlias()
+            Pkcs11Tools.createSunPkcsConfigurationFile(null, conf.getPkcs11Library(), conf.getSlot()),
+            new KeyStore.PasswordProtection(conf.getPin()),
+            conf.getKeyAlias()
         );
 
         X509Certificate cert = pair.getValue();
@@ -73,7 +74,7 @@ void testLoadCert() throws Exception {
         log.debug("CN {}", cn);
 
         assertEquals(1, cn.size());
-        assertTrue(cn.get(0).contains(CONF.certCn()));
+        assertTrue(cn.get(0).contains(conf.getCertCn()));
     }
 
     @Test
@@ -89,11 +90,13 @@ void testContainerUsingPKCS11Key(@TempDir Path tempDir) throws Exception {
                 "testContainerUsingPKCS11Key", null);
     }
 
-    private static KeyPair loadFromPKCS11() throws Exception {
-        Path confPath = Pkcs11Tools.createSunPkcsConfigurationFile("OpenSC", CONF.pkcs11Library(), CONF.slot());
+    private KeyPair loadFromPKCS11() throws Exception {
+        Path confPath = Pkcs11Tools.createSunPkcsConfigurationFile(
+            "OpenSC", conf.getPkcs11Library(), conf.getSlot());
         var entry = Pkcs11Tools.loadFromPKCS11(
-            confPath, new KeyStore.PasswordProtection(CONF.pin()), CONF.keyAlias()
+            confPath, new KeyStore.PasswordProtection(conf.getPin()), conf.getKeyAlias()
         );
         return new KeyPair(entry.getValue().getPublicKey(), entry.getKey());
     }
+
 }