Add ria-test client configuration

Author: jann0k

cdoc2-cli/config/ria-dev/ria-dev_pkcs12_rsa.properties

@@ -1,4 +1,4 @@
-# server.id is written to cdoc header. Must have configuration on recipient side
+# This configuration is untested, after 03.07.24 certificate change and load balancer activation
 cdoc2.client.server.id=ria-dev
 cdoc2.client.server.base-url.post=https://cdoc2-keyserver-01.dev.riaint.ee:8443
 cdoc2.client.server.base-url.get=https://cdoc2-keyserver-01.dev.riaint.ee:8444

cdoc2-cli/config/ria-test/README.md

@@ -0,0 +1,36 @@
+
+This directory contains cdoc2-cli config for RIA-dev servers
+
+TLS (POST)
+https://cdoc2-keyserver.test.riaint.ee:8443
+
+mTLS (GET)
+https://cdoc2-keyserver.test.riaint.ee:8444
+
+## Id-card
+Run from cdoc2-cli directory
+
+### Encrypt for id-card
+```
+java -jar target/cdoc2-cli-*.jar create --server=config/ria-test/ria-test.properties -f /tmp/ria.cdoc -r 37903130370 README.md
+```
+
+### Decrypting with id-card
+```
+java -jar target/cdoc2-cli-*.jar decrypt --server=config/ria-test/ria-test.properties -f /tmp/ria.cdoc
+```
+
+## General EC secp384 key pair
+
+Client certificate must be trusted by server
+
+### Encrypt
+```
+java -jar target/cdoc2-cli-*.jar create --server=config/ria-test/ria-test_p12.properties -f /tmp/ria_p12.cdoc -p keys/cdoc2client_pub.pem README.md
+```
+
+### Decrypt
+
+```
+java -jar target/cdoc2-cli-*.jar decrypt --server=config/ria-test/ria-test_p12.properties -p12 keys/cdoc2client.p12:passwd -f /tmp/ria_p12.cdoc -o /tmp
+```

cdoc2-cli/config/ria-test/clienttruststore_ria-test.jks

@@ -0,0 +1 @@
+keytool -import -trustcacerts -file tls-issuer.crt.pem -alias klass3-ria_2018_ecc_g3 -storepass passwd -keystore clienttruststore_ria-dev.jks

cdoc2-cli/config/ria-test/clienttruststore_ria-test.jks.README

@@ -0,0 +1,20 @@
+# ria-dev, mutual TLS establishment with private key from id-cards (for reading key-capsule from the server)
+cdoc2.client.server.id=ria-test
+cdoc2.client.server.base-url.post=https://cdoc2-keyserver.test.riaint.ee:8443
+cdoc2.client.server.base-url.get=https://cdoc2-keyserver.test.riaint.ee:8444
+
+# trusted certificates by client
+cdoc2.client.ssl.trust-store.type=JKS
+# path (full or relative)
+cdoc2.client.ssl.trust-store=config/ria-test/clienttruststore_ria-dev.jks
+cdoc2.client.ssl.trust-store-password=passwd
+
+# mutual TLS with cert from smart-card (EST-ID certificates are trusted by the server)
+cdoc2.client.ssl.client-store.type=PKCS11
+# if ssl.client-store-password.prompt is set, then ask user interactively
+cdoc2.client.ssl.client-store-password.prompt=PIN1
+# otherwise use password value
+#cdoc2.client.ssl.client-store-password=3471
+
+# PKCS11 library location, if not found in default location
+#pkcs11-library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

cdoc2-cli/config/ria-test/ria-test.properties

@@ -0,0 +1,22 @@
+# ria-dev, mutual TLS establishment with private key from PKCS12 store (for reading key-capsule from the server)
+# public key part of servers trusted certs. See cdoc2-server/cdoc2-server/keys/README.md
+cdoc2.client.server.id=ria-test
+cdoc2.client.server.base-url.post=https://cdoc2-keyserver.test.riaint.ee:8443
+cdoc2.client.server.base-url.get=https://cdoc2-keyserver.test.riaint.ee:8444
+
+cdoc2.client.server.debug=true
+cdoc2.client.server.connect-timeout=1000
+cdoc2.client.server.read-timeout=1000
+
+# trusted certificates by client
+cdoc2.client.ssl.trust-store.type=JKS
+# path (full or relative)
+cdoc2.client.ssl.trust-store=config/ria-test/clienttruststore_ria-test.jks
+cdoc2.client.ssl.trust-store-password=passwd
+
+# Client private key and certificate for mutual TLS. Only required for decrypt or list commands
+# Example configuration for pkcs12 based client configuration, update cdoc2.client.ssl.client-store to correct path
+cdoc2.client.ssl.client-store.type=PKCS12
+cdoc2.client.ssl.client-store=keys/cdoc2client.p12
+cdoc2.client.ssl.client-store-password=passwd
+

cdoc2-cli/config/ria-test/ria-test_p12.properties

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvTCCAmOgAwIBAgIIEwktMxn8tjIwCgYIKoZIzj0EAwQwcTELMAkGA1UEBhMC
+RUUxJTAjBgNVBAoMHEluZm9ybWF0aW9uIFN5c3RlbSBBdXRob3JpdHkxIDAeBgNV
+BAMMF1JJQSBST09UIENBIDIwMTggRUNDIEcyMRkwFwYJKoZIhvcNAQkBFgpwa2lA
+cmlhLmVlMB4XDTIwMDgxODEwMDU1M1oXDTM4MDkyMDIwNDIxOFowdjELMAkGA1UE
+BhMCRUUxJTAjBgNVBAoMHEluZm9ybWF0aW9uIFN5c3RlbSBBdXRob3JpdHkxHzAd
+BgNVBAsMFkNlcnRpZmljYXRpb24gU2VydmljZXMxHzAdBgNVBAMMFktMQVNTMy1S
+SUEgMjAxOCBFQ0MgRzMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT3VfEDD3qs
+NO5cTGmJHeUdgWKMVOKwFunKmUf5fx82waWthh/XgcZXBxg6wMpc05x/wsVjhEtz
+q4Ll6UeFwiJDo4HfMIHcMBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU
+UCFh01APe/+6Mb/XVsMuezIYCEIwdgYIKwYBBQUHAQEEajBoMEMGCCsGAQUFBzAC
+hjdodHRwOi8vd3d3LnJpYS5lZS9jZXJ0cy9SSUFfUk9PVF9DQV8yMDE4X0VDQ19H
+Mi5kZXIuY3J0MCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC5yaWEuZWUvQ0EwHQYD
+VR0OBBYEFFcaZmPOL66vUw4v7g888ZdZ3c7EMA4GA1UdDwEB/wQEAwIBxjAKBggq
+hkjOPQQDBANIADBFAiEAipQ0yy53GLNbYFuMyxSHBKmEchGxZojuxsV62rS7C/gC
+IF7PshKqti26zdo/0JuwYXIohUdiSpbIPTcZgU1Su9Wo
+-----END CERTIFICATE-----