Merge branch 'RM-3528_update_certs' into 'master'

OlesjaAarma · OlesjaAarma · commit ab8e0dd7ae0b · 2024-08-29T11:41:31.000+03:00
RM-3528: update client and server certificates

See merge request cdoc2/cdoc2-java-ref-impl!39
diff --git a/cdoc2-cli/README.md b/cdoc2-cli/README.md
@@ -50,7 +50,7 @@ Optionally cdoc2-cli also supports encrypting with "soft" key or certificate
 
 Public key (`-p`)
 ```
-java -jar target/cdoc2-cli-*.jar create --server=config/localhost/localhost.properties -f /tmp/localhost.cdoc -p keys/cdoc2client_pub.pem README.md
+java -jar target/cdoc2-cli-*.jar create --server=config/localhost/localhost.properties -f /tmp/localhost.cdoc -p keys/cdoc2client_pub.key README.md
 ```
 
 Certificate (`-c` option):
@@ -143,7 +143,7 @@ It is also possible to decrypt documents created with "soft" keys, but configura
 key (read separately from a file) must match. Also, server must be configured to trust client certificate used for
 mutual TLS.
 ```
-java -jar target/cdoc2-cli-*.jar decrypt --server=config/localhost/localhost_pkcs12.properties -f /tmp/localhost.cdoc -k keys/cdoc2client.pem -o /tmp/
+java -jar target/cdoc2-cli-*.jar decrypt --server=config/localhost/localhost_pkcs12.properties -f /tmp/localhost.cdoc -k keys/cdoc2client_priv.key -o /tmp/
 ```
 
 
@@ -178,7 +178,7 @@ java -jar target/cdoc2-cli-*.jar list --file /tmp/mydoc.cdoc -k keys/bob.pem
 or with server scenario:
 
 ```
-java -jar target/cdoc2-cli-*.jar list --server=config/localhost/localhost_pkcs12.properties -f /tmp/localhost.cdoc -k keys/cdoc2client.pem
+java -jar target/cdoc2-cli-*.jar list --server=config/localhost/localhost_pkcs12.properties -f /tmp/localhost.cdoc -k keys/cdoc2client_priv.key
 ```
 
 or with password:
@@ -253,7 +253,7 @@ java -jar target/cdoc2-cli-*.jar create --file /tmp/mydoc.cdoc -c keys/cdoc2clie
 
 Decrypt created container with private key:
 ```
-java -jar target/cdoc2-cli-*.jar decrypt -f /tmp/mydoc.cdoc -k keys/cdoc2client.pem --output /tmp
+java -jar target/cdoc2-cli-*.jar decrypt -f /tmp/mydoc.cdoc -k keys/cdoc2client_priv.key --output /tmp
 ```
 
 ### Troubleshooting ID-card
diff --git a/cdoc2-cli/config/localhost/clienttruststore.jks b/cdoc2-cli/config/localhost/clienttruststore.jks
diff --git a/cdoc2-cli/config/ria-dev/README.md b/cdoc2-cli/config/ria-dev/README.md
@@ -26,7 +26,7 @@ Client certificate must be trusted by server
 
 ### Encrypt
 ```
-java -jar target/cdoc2-cli-*.jar create --server=config/ria-dev/ria-dev_pkcs12.properties -f /tmp/ria_p12.cdoc -p keys/cdoc2client_pub.pem README.md
+java -jar target/cdoc2-cli-*.jar create --server=config/ria-dev/ria-dev_pkcs12.properties -f /tmp/ria_p12.cdoc -p keys/cdoc2client_pub.key README.md
 ```
 
 ### Decrypt
diff --git a/cdoc2-cli/config/ria-test/README.md b/cdoc2-cli/config/ria-test/README.md
@@ -26,7 +26,7 @@ Client certificate must be trusted by server
 
 ### Encrypt
 ```
-java -jar target/cdoc2-cli-*.jar create --server=config/ria-test/ria-test_p12.properties -f /tmp/ria_p12.cdoc -p keys/cdoc2client_pub.pem README.md
+java -jar target/cdoc2-cli-*.jar create --server=config/ria-test/ria-test_p12.properties -f /tmp/ria_p12.cdoc -p keys/cdoc2client_pub.key README.md
 ```
 
 ### Decrypt
diff --git a/cdoc2-cli/config/ria-test/ria-test_p12.properties b/cdoc2-cli/config/ria-test/ria-test_p12.properties
@@ -19,4 +19,3 @@ cdoc2.client.ssl.trust-store-password=passwd
 cdoc2.client.ssl.client-store.type=PKCS12
 cdoc2.client.ssl.client-store=keys/cdoc2client.p12
 cdoc2.client.ssl.client-store-password=passwd
-
diff --git a/cdoc2-cli/keys/README.md b/cdoc2-cli/keys/README.md
@@ -1,5 +1,16 @@
 This directory contains pre-generate EC keys and downloaded id-card certificates.
 
+## Extract private and public keys from newly generated client certificate only if it was updated in capsule server
+Remote repository and branches must be set up manually in `remote_repository.sh` before running keys
+extracting script to copy updated client-certificate.pem and keystore cdoc2client.p12 from
+cdoc2-capsule-server/cdoc2-server/keys into cdoc2-cli/keys.
+Then run following script `extract_client_keys.sh` here for extracting keys from certificate:
+
+```bash
+source remote_repository.sh
+sh extract_client_keys.sh
+```
+
 ## Convert X509 Certificate DER to PEM
 .der and .cer are the same binary format. 
 ```
diff --git a/cdoc2-cli/keys/cdoc2client-certificate.pem b/cdoc2-cli/keys/cdoc2client-certificate.pem
@@ -1,15 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIICWTCCAd+gAwIBAgIJAIGzuV1v0kYtMAoGCCqGSM49BAMEMHQxCzAJBgNVBAYT
-AkVFMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRcwFQYDVQQK
-Ew5DeWJlcm5ldGljYSBBUzEQMA4GA1UECxMHVW5rbm93bjEWMBQGA1UEAxMNY2Rv
-YzIwLWNsaWVudDAeFw0yMjA1MDIxMTQ5MjZaFw0yMjA3MzExMTQ5MjZaMHQxCzAJ
-BgNVBAYTAkVFMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRcw
-FQYDVQQKEw5DeWJlcm5ldGljYSBBUzEQMA4GA1UECxMHVW5rbm93bjEWMBQGA1UE
-AxMNY2RvYzIwLWNsaWVudDB2MBAGByqGSM49AgEGBSuBBAAiA2IABFR25IttEoB7
-fwzJi5KOaVMTNrfGgXlC/SilElVubX8hmGL4orYq/oP5jP6dERD7Fnw4XUk7SQgr
-j70moX9K+3CISafQVEvEjhhgljBLV9jSiZuB2twrkmBN7ihLGig7e6M9MDswHQYD
-VR0OBBYEFGZcVZHppMn0R9RJOpYYE3VbPnz6MBoGA1UdEQQTMBGHBH8AAAGCCWxv
-Y2FsaG9zdDAKBggqhkjOPQQDBANoADBlAjEA3d+oUUShWb2DHPpyIY4y6/Fk25ow
-Dy5oHThaRh5/6GY0APVFIp/kd6lm3fY/JmORAjAO7+sHJ2fsUzNq5o1cPK65roDJ
-glqz1a3PNEiYGQJhduVaJ5Qqu4GeyxmWr4oiw+U=
+MIICVTCCAdygAwIBAgIIJkGb9aO/rHQwCgYIKoZIzj0EAwQwczELMAkGA1UEBhMC
+RUUxEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xFzAVBgNVBAoT
+DkN5YmVybmV0aWNhIEFTMRAwDgYDVQQLEwdVbmtub3duMRUwEwYDVQQDEwxjZG9j
+Mi1jbGllbnQwHhcNMjQwODA5MTI0MzE2WhcNMzQwODA3MTI0MzE2WjBzMQswCQYD
+VQQGEwJFRTEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEXMBUG
+A1UEChMOQ3liZXJuZXRpY2EgQVMxEDAOBgNVBAsTB1Vua25vd24xFTATBgNVBAMT
+DGNkb2MyLWNsaWVudDB2MBAGByqGSM49AgEGBSuBBAAiA2IABCdUFlDBrYlsWLsh
+venBl8MfdsAuLgab0m6Gyja1vZ3czlNc+1vKg4GYVFB6cxBeOBYTv+86JCCsb5Fn
+PYxFapfy+r995ZJ4n0fb/zu48Sg0rCslvrtnymv8aQlnM36VDKM9MDswHQYDVR0O
+BBYEFBDO/vmkajznwVReDa4EXoVS098XMBoGA1UdEQQTMBGHBH8AAAGCCWxvY2Fs
+aG9zdDAKBggqhkjOPQQDBANnADBkAjBvuj4xfDHQiwiYUFojROonwdSIFlzDy8bh
+wuOZ48KyQmXeg6qcZ26gstrBkYL/eIECMCnwm75rA7VydL4SiH70qdu5May1tm0g
+tc9VikmIarZX+d6rHJmCQ0eo6Vi1U8BYXg==
 -----END CERTIFICATE-----
diff --git a/cdoc2-cli/keys/cdoc2client.p12 b/cdoc2-cli/keys/cdoc2client.p12
diff --git a/cdoc2-cli/keys/cdoc2client_priv.key b/cdoc2-cli/keys/cdoc2client_priv.key
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDaHrkmfvP3MVnpwjmYd2HZVIJNs8XZX8uqaDsx2LGYNudRGvImLZ41
+V7QMCd44fhGgBwYFK4EEACKhZANiAAQnVBZQwa2JbFi7Ib3pwZfDH3bALi4Gm9Ju
+hso2tb2d3M5TXPtbyoOBmFRQenMQXjgWE7/vOiQgrG+RZz2MRWqX8vq/feWSeJ9H
+2/87uPEoNKwrJb67Z8pr/GkJZzN+lQw=
+-----END EC PRIVATE KEY-----
diff --git a/cdoc2-cli/keys/cdoc2client_pub.key b/cdoc2-cli/keys/cdoc2client_pub.key
@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJ1QWUMGtiWxYuyG96cGXwx92wC4uBpvS
+bobKNrW9ndzOU1z7W8qDgZhUUHpzEF44FhO/7zokIKxvkWc9jEVql/L6v33lknif
+R9v/O7jxKDSsKyW+u2fKa/xpCWczfpUM
+-----END PUBLIC KEY-----
diff --git a/cdoc2-cli/keys/cdoc2client_pub.pem b/cdoc2-cli/keys/cdoc2client_pub.pem
diff --git a/cdoc2-cli/keys/expired/cdoc2client_expired_priv.key b/cdoc2-cli/keys/expired/cdoc2client_expired_priv.key
diff --git a/cdoc2-cli/keys/extract_client_keys.sh b/cdoc2-cli/keys/extract_client_keys.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+cd ../..
+PROJECT_DIR=$(pwd)
+KEYS_DIR=${PROJECT_DIR}/cdoc2-cli/keys
+
+# fetching updated client certificate and key store (have to be commited at source remote repository)
+git remote add source "$REMOTE_REPOSITORY"
+echo "# Fetching source..."
+git fetch source
+echo "# Checkout source branch $SOURCE_BRANCH_NAME/keys"
+git checkout source/"$SOURCE_BRANCH_NAME" -- keys
+echo "# Got following files in keys directory:"
+git status --branch --short
+
+echo "# Checkout destination branch $DESTINATION_BRANCH_NAME"
+git checkout -b "$DESTINATION_BRANCH_NAME"
+echo "# Moving client key store cdoc2client.p12 to cdoc2-cli/keys..."
+mv keys/cdoc2client.p12 cdoc2-cli/keys
+echo "# Moving client certificate client-certificate.pem to cdoc2-cli/keys..."
+mv keys/ca_certs/client-certificate.pem cdoc2-cli/keys
+echo "# Renaming client certificate to cdoc2client-certificate.pem..."
+mv cdoc2-cli/keys/client-certificate.pem cdoc2-cli/keys/cdoc2client-certificate.pem
+echo "# Removing unnecessary fetched files..."
+rm -rf keys
+
+git remote remove source "$REMOTE_REPOSITORY"
+cd "$KEYS_DIR" || exit
+
+
+# Extract private key from pkcs12 format keystore
+echo "# Beginning to extract private and public keys..."
+openssl pkcs12 -in cdoc2client.p12 -nodes -nocerts -passin pass:passwd -out temp_all_keys.key
+awk -vwant=cdoc2-client '/friendlyName:/{sel=($2==want)} /^-----BEGIN/,/^-----END/{if(sel)print}' temp_all_keys.key > cdoc2client_priv.key
+rm temp_all_keys.key
+# Convert it to EC PRIVATE KEY using below command:
+openssl ec -in cdoc2client_priv.key -out cdoc2client_priv.key -passin pass:passwd
+echo "# Private key is extracted."
+
+# Extract public key from certificate
+openssl x509 -inform pem -in cdoc2client-certificate.pem -pubkey -out temp_public.key
+awk '/^-----BEGIN PUBLIC KEY/,/^-----END PUBLIC KEY/' temp_public.key > cdoc2client_pub.key
+rm temp_public.key
+echo "# Public key is extracted."
diff --git a/cdoc2-cli/keys/remote_repository.sh b/cdoc2-cli/keys/remote_repository.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# Set up remote repository and required branches manually before running extract_client_keys.sh script
+export REMOTE_REPOSITORY=<SSH/to/cdoc2-capsule-server> # git@<git.url>:cdoc2/cdoc2-capsule-server.git
+export SOURCE_BRANCH_NAME=<source branch name for fetching files>
+export DESTINATION_BRANCH_NAME=<name of NEW destination branch>
diff --git a/cdoc2-cli/src/test/java/CDocCliTest.java b/cdoc2-cli/src/test/java/CDocCliTest.java
@@ -71,8 +71,8 @@ void testCreateDecryptDocEC() throws IOException {
 
     @Test
     void testCreateDecryptDocECShort() throws IOException {
-        String publicKey = "keys/cdoc2client_pub.pem";
-        String privateKey = "keys/cdoc2client.pem";
+        String publicKey = "keys/cdoc2client_pub.key";
+        String privateKey = "keys/cdoc2client_priv.key";
 
         successfullyDecryptDocWithPublicKey(publicKey, privateKey);
     }
diff --git a/cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/keymaterial/encrypt/EncryptionKeyMaterialCollectionBuilder.java b/cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/keymaterial/encrypt/EncryptionKeyMaterialCollectionBuilder.java
@@ -59,8 +59,9 @@ public EncryptionKeyMaterialCollectionBuilder fromPublicKey(File[] pubPemFiles)
      * @param certificates certificates
      * @return the list of EncryptionKeyMaterial
      */
-    public EncryptionKeyMaterialCollectionBuilder fromX509Certificate(File[] certificates)
-        throws IOException, CertificateException {
+    public EncryptionKeyMaterialCollectionBuilder fromX509Certificate(
+        File[] certificates
+    ) throws IOException, CertificateException {
 
         List<SkLdapUtil.CertificateData> certData = PemTools.loadCertKeysWithLabel(certificates);
         List<EncryptionKeyMaterial> keyMaterials = certData.stream()
diff --git a/cdoc2-lib/src/main/java/ee/cyber/cdoc2/util/SkLdapUtil.java b/cdoc2-lib/src/main/java/ee/cyber/cdoc2/util/SkLdapUtil.java
@@ -145,6 +145,10 @@ public static List<SkLdapUtil.CertificateData> getPublicKeysWithLabels(String[]
         try {
             for (String id: ids) {
                 Map<X509Certificate, String> certs = findAuthenticationEstEidCertificates(ctx, id);
+                if (certs.isEmpty()) {
+                    throw new CertificateException("Identity code " + id + "is  not found at server");
+                }
+
                 for (var certNameEntry: certs.entrySet()) {
                     X509Certificate cert = certNameEntry.getKey();
                     String distinguishedName = certNameEntry.getValue();
diff --git a/test/bats/aliases.sh b/test/bats/aliases.sh
@@ -6,23 +6,26 @@ if [ -z ${CDOC2_DIR+x} ]
 then
   # two steps back to get root directory
   cd ../..
-  export CDOC2_DIR=`pwd`
-  export CDOC2_VER=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
-  cd cdoc2-cli
-  export CDOC2_CLI_VER=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
-  cd ..
-  cd $TESTING_DIR
+  CDOC2_DIR=$(pwd)
+  export CDOC2_DIR
+  CDOC2_VER=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
+  export CDOC2_VER
+  cd cdoc2-cli || exit
+  CDOC2_CLI_VER=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
+  export CDOC2_CLI_VER
+  (cd ..)
+  cd "$TESTING_DIR" || exit
 fi
 
 if [ -z ${TEST_VECTORS+x} ]
 then
   export TEST_VECTORS=${CDOC2_DIR}/test/testvectors
   export TEST_VECTORS_V_1_2=${CDOC2_DIR}/test/testvectors-v1.2
-  cd $TESTING_DIR
+  cd "$TESTING_DIR" || exit
 fi
 
 alias cdoc-cli='java -jar $CDOC2_DIR/cdoc2-cli/target/cdoc2-cli-$CDOC2_CLI_VER.jar'
 export CDOC2_CMD="java -jar $CDOC2_DIR/cdoc2-cli/target/cdoc2-cli-$CDOC2_CLI_VER.jar"
 
 
-cd $TESTING_DIR
+cd "$TESTING_DIR" || exit
diff --git a/test/bats/cdoc2_tests.bats b/test/bats/cdoc2_tests.bats
@@ -16,7 +16,6 @@ setup() {
   else
       HAS_EXPECT=false
   fi
-
 }
 
 
@@ -100,7 +99,7 @@ run_alias() {
   assert_output --partial "Created $TEST_RESULTS_DIR/$cdoc_file"
 
   # ensure encrypted container can be decrypted successfully
-  run run_alias cdoc-cli decrypt -f $TEST_RESULTS_DIR/$cdoc_file -k $CLI_KEYS_DIR/cdoc2client.pem -o $TEST_RESULTS_DIR
+  run run_alias cdoc-cli decrypt -f $TEST_RESULTS_DIR/$cdoc_file -k $CLI_KEYS_DIR/cdoc2client_priv.key -o $TEST_RESULTS_DIR
   assertSuccessfulDecryption
 
   rm -f $TEST_RESULTS_DIR/$cdoc_file
@@ -110,7 +109,7 @@ run_alias() {
   local cdoc_file="ec_simple_old_version_DO_NOT_DELETE.cdoc"
 
   echo "# Decrypting ${cdoc_file}">&3
-  run run_alias cdoc-cli decrypt -f ${TEST_VECTORS}/${cdoc_file} -k $CLI_KEYS_DIR/cdoc2client.pem --output $TEST_RESULTS_DIR
+  run run_alias cdoc-cli decrypt -f ${TEST_VECTORS}/${cdoc_file} -k $CLI_KEYS_DIR/expired/cdoc2client_expired_priv.key --output $TEST_RESULTS_DIR
 
   assertSuccessfulExitCode
   assert_output --partial "Decrypting ${TEST_VECTORS}/${cdoc_file}"
@@ -380,12 +379,12 @@ EOF
   run run_alias cdoc-cli info -f ${TEST_RESULTS_DIR}/${cdoc_file}
 
   assertSuccessfulExitCode
-  local expected_output_info="EC PublicKey: CERT_SHA1:5d5d9c00eeb79d89e3a54e791a6256f892ad9411, V:1, CN:cdoc20-client, FILE:cdoc2client-certificate.pem, TYPE:cert "
+  local expected_output_info="EC PublicKey: CERT_SHA1:9460be97b0f67a2fb98f0d73821293879804ab5e, V:1, CN:cdoc2-client, FILE:cdoc2client-certificate.pem, TYPE:cert "
   echo "# $expected_output_info">&3
   assert_output --partial "EC PublicKey:"
-  assert_output --partial "CERT_SHA1:5d5d9c00eeb79d89e3a54e791a6256f892ad9411"
+  assert_output --partial "CERT_SHA1:9460be97b0f67a2fb98f0d73821293879804ab5e"
   assert_output --partial "V:1"
-  assert_output --partial "CN:cdoc20-client"
+  assert_output --partial "CN:cdoc2-client"
   assert_output --partial "FILE:cdoc2client-certificate.pem"
   assert_output --partial "TYPE:cert"
 
@@ -409,7 +408,7 @@ EOF
   assert_output --partial "TYPE:cert"
 
   # ensure encrypted container can be decrypted successfully
-  run run_alias cdoc-cli decrypt -f $TEST_VECTORS_V_1_2/$existing_test_vector -k $CLI_KEYS_DIR/cdoc2client.pem -o $TEST_RESULTS_DIR
+  run run_alias cdoc-cli decrypt -f $TEST_VECTORS_V_1_2/$existing_test_vector -k $CLI_KEYS_DIR/cdoc2client_priv.key -o $TEST_RESULTS_DIR
   assertSuccessfulDecryption
 
   rm -f $TEST_RESULTS_DIR/$existing_test_vector
diff --git a/test/bats/variables.sh b/test/bats/variables.sh
@@ -1,8 +1,9 @@
 #!/usr/bin/env bash
 
 # testing directory
-export TESTING_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+TESTING_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+export TESTING_DIR
 export BATS_HOME=$TESTING_DIR/target
-mkdir -p $BATS_HOME
+mkdir -p "$BATS_HOME"
 
 alias bats='$BATS_HOME/bats-core/bin/bats'
diff --git a/test/generate_documents.sh b/test/generate_documents.sh
@@ -54,7 +54,7 @@ create_simple_ec() {
   if $RUN_DECRYPT
   then
     echo "Decrypting ${cdoc_file}"
-    $CDOC_DECRYPT_CMD --file ${TESTVECTORS_DIR}/${cdoc_file} -k ${CLI_KEYS_DIR}/cdoc2client.pem -o ${TMP_DIR}
+    $CDOC_DECRYPT_CMD --file ${TESTVECTORS_DIR}/${cdoc_file} -k ${CLI_KEYS_DIR}/cdoc2client_priv.key -o ${TMP_DIR}
   fi
 }
 
@@ -72,7 +72,7 @@ create_simple_ec_with_formatted_key_label() {
   if $RUN_DECRYPT
   then
     echo "Decrypting ${cdoc_file}"
-    $CDOC_DECRYPT_CMD --file ${TESTVECTORS_v_1_2_DIR}/${cdoc_file} -k ${CLI_KEYS_DIR}/cdoc2client.pem -o ${TMP_DIR}
+    $CDOC_DECRYPT_CMD --file ${TESTVECTORS_v_1_2_DIR}/${cdoc_file} -k ${CLI_KEYS_DIR}/cdoc2client_priv.key -o ${TMP_DIR}
   fi
 }
 
@@ -95,7 +95,7 @@ create_ec_server_ria_dev_pkcs12() {
     echo "Decrypting ${cdoc_file}"
       cd $CLI_DIR && $CDOC_DECRYPT_CMD --file ${TESTVECTORS_DIR}/${cdoc_file} \
           --server=${CLI_CONF}/ria-dev/ria-dev_pkcs12.properties \
-          -k ${CLI_KEYS_DIR}/cdoc2client.pem -o ${TMP_DIR}
+          -k ${CLI_KEYS_DIR}/cdoc2client_priv.key -o ${TMP_DIR}
   fi
 }
 
