Added IAS4IncomingMessageState.get(Signing|Decrypting)Certificate

Author: phax

phase4-lib/src/main/java/com/helger/phase4/incoming/AS4IncomingHandler.java

@@ -179,8 +179,8 @@ public static void parseAS4Message (@Nonnull final IAS4IncomingAttachmentFactory
     final IMimeType aPlainContentType = aContentType.getCopyWithoutParameters ();
 
     // Fallback to global dumper if none is provided
-    final IAS4IncomingDumper aRealIncomingDumper = aIncomingDumper != null ? aIncomingDumper
-                                                                           : AS4DumpManager.getIncomingDumper ();
+    final IAS4IncomingDumper aRealIncomingDumper = aIncomingDumper != null ? aIncomingDumper : AS4DumpManager
+                                                                                                             .getIncomingDumper ();
 
     Document aSoapDocument = null;
     ESoapVersion eSoapVersion = null;
@@ -477,8 +477,7 @@ private static void _processSoapHeaderElements (@Nonnull final SoapHeaderElement
                                              aHeader.getNode (),
                                              aIncomingAttachments,
                                              aIncomingState,
-                                             aProcessingErrorMessagesTarget)
-                      .isSuccess ())
+                                             aProcessingErrorMessagesTarget).isSuccess ())
         {
           // Mark header as processed (for mustUnderstand check)
           aHeader.setProcessed (true);
@@ -740,7 +739,7 @@ public static IAS4IncomingMessageState processEbmsMessage (@Nonnull @WillNotClos
             aValidator.validatePMode (aPMode, aErrorList, EAS4ProfileValidationMode.USER_MESSAGE);
             aValidator.validateUserMessage (aEbmsUserMessage, aErrorList);
             aValidator.validateInitiatorIdentity (aEbmsUserMessage,
-                                                  aIncomingState.getUsedCertificate (),
+                                                  aIncomingState.getSigningCertificate (),
                                                   aMessageMetadata,
                                                   aErrorList);
             if (aErrorList.isNotEmpty ())

phase4-lib/src/main/java/com/helger/phase4/incoming/AS4IncomingMessageState.java

@@ -75,7 +75,10 @@ public final class AS4IncomingMessageState extends AttributeContainerAny <String
   private static final String KEY_SOAP_BODY_PAYLOAD_PRESENT = "phase4.soap.body.payload.present";
   private static final String KEY_INITIATOR_ID = "phase4.initiator.id";
   private static final String KEY_RESPONDER_ID = "phase4.responder.id";
+  @Deprecated (forRemoval = true, since = "3.0.5")
   private static final String KEY_USED_CERTIFICATE = "phase4.used.certificate";
+  private static final String KEY_SIGNING_CERTIFICATE = "phase4.signing.certificate";
+  private static final String KEY_DECRYPTING_CERTIFICATE = "phase4.decryting.certificate";
   private static final String KEY_EFFECTIVE_PMODE_LEG = "phase4.pmode.effective.leg";
   private static final String KEY_EFFECTIVE_PMODE_LEG_NUMBER = "phase4.pmode.effective.leg.number";
   private static final String KEY_WSS4J_SECURITY_ACTIONS = "phase4.soap.wss4j-security-actions";
@@ -256,16 +259,40 @@ public void setResponderID (@Nullable final String sResponderID)
   }
 
   @Nullable
+  @Deprecated (forRemoval = true, since = "3.0.5")
   public X509Certificate getUsedCertificate ()
   {
     return getCastedValue (KEY_USED_CERTIFICATE);
   }
 
+  @Deprecated (forRemoval = true, since = "3.0.5")
   public void setUsedCertificate (@Nullable final X509Certificate aCert)
   {
     putIn (KEY_USED_CERTIFICATE, aCert);
   }
 
+  @Nullable
+  public X509Certificate getSigningCertificate ()
+  {
+    return getCastedValue (KEY_SIGNING_CERTIFICATE);
+  }
+
+  public void setSigningCertificate (@Nullable final X509Certificate aCert)
+  {
+    putIn (KEY_SIGNING_CERTIFICATE, aCert);
+  }
+
+  @Nullable
+  public X509Certificate getDecryptingCertificate ()
+  {
+    return getCastedValue (KEY_DECRYPTING_CERTIFICATE);
+  }
+
+  public void setDecryptingCertificate (@Nullable final X509Certificate aCert)
+  {
+    putIn (KEY_DECRYPTING_CERTIFICATE, aCert);
+  }
+
   @Nullable
   public PModeLeg getEffectivePModeLeg ()
   {

phase4-lib/src/main/java/com/helger/phase4/incoming/IAS4IncomingMessageState.java

@@ -351,18 +351,60 @@ default boolean hasResponderID ()
    * @see #hasUsedCertificate()
    */
   @Nullable
+  @Deprecated (forRemoval = true, since = "3.0.5")
   X509Certificate getUsedCertificate ();
 
   /**
    * @return <code>true</code> if a certificate is provided, <code>false</code>
    *         if not.
    * @see #getUsedCertificate()
    */
+  @Deprecated (forRemoval = true, since = "3.0.5")
   default boolean hasUsedCertificate ()
   {
     return getUsedCertificate () != null;
   }
 
+  /**
+   * @return The signing certificate in the incoming message. May be
+   *         <code>null</code>.
+   * @see #hasSigningCertificate()
+   * @since 3.0.5
+   */
+  @Nullable
+  X509Certificate getSigningCertificate ();
+
+  /**
+   * @return <code>true</code> if a signing certificate is provided,
+   *         <code>false</code> if not.
+   * @see #getSigningCertificate()
+   * @since 3.0.5
+   */
+  default boolean hasSigningCertificate ()
+  {
+    return getSigningCertificate () != null;
+  }
+
+  /**
+   * @return The decrypting certificate in the incoming message. May be
+   *         <code>null</code>.
+   * @see #hasDecryptingCertificate()
+   * @since 3.0.5
+   */
+  @Nullable
+  X509Certificate getDecryptingCertificate ();
+
+  /**
+   * @return <code>true</code> if a decrypting certificate is provided,
+   *         <code>false</code> if not.
+   * @see #getDecryptingCertificate()
+   * @since 3.0.5
+   */
+  default boolean hasDecryptingCertificate ()
+  {
+    return getDecryptingCertificate () != null;
+  }
+
   /**
    * @return The effective leg to use. May be leg 1 or leg 2 of the PMode. If no
    *         PMode was found, no PModeLeg is present.

phase4-lib/src/main/java/com/helger/phase4/incoming/soap/SoapHeaderElementProcessorWSS4J.java

@@ -108,6 +108,7 @@ public SoapHeaderElementProcessorWSS4J (@Nonnull final IAS4CryptoFactory aCrypto
     m_aDecryptParameterModifier = aDecryptParameterModifier;
   }
 
+  @SuppressWarnings ("removal")
   @Nonnull
   private ESuccess _verifyAndDecrypt (@Nonnull final Document aSOAPDoc,
                                       @Nonnull final ICommonsList <WSS4JAttachment> aAttachments,
@@ -225,8 +226,10 @@ private ESuccess _verifyAndDecrypt (@Nonnull final Document aSOAPDoc,
 
       // Collect all unique used certificates
       final ICommonsSet <X509Certificate> aCertSet = new CommonsHashSet <> ();
-      // Preferred certificate from BinarySecurityToken
-      X509Certificate aPreferredCert = null;
+      // The certificate used for signing
+      X509Certificate aSigningCert = null;
+      // The certificate used for decrypting
+      X509Certificate aDecryptingCert = null;
       int nWSS4JSecurityActions = 0;
       for (final WSSecurityEngineResult aResult : aResults)
       {
@@ -241,36 +244,31 @@ private ESuccess _verifyAndDecrypt (@Nonnull final Document aSOAPDoc,
         if (aCert != null)
         {
           aCertSet.add (aCert);
-          if (nAction == WSConstants.BST && aPreferredCert == null)
-            aPreferredCert = aCert;
+          if (nAction == WSConstants.SIGN)
+          {
+            if (aSigningCert == null)
+              aSigningCert = aCert;
+            else
+              if (aSigningCert != aCert)
+                LOGGER.warn ("Found a second signing certificate");
+          }
+          if (nAction == WSConstants.ENCR)
+          {
+            if (aDecryptingCert == null)
+              aDecryptingCert = aCert;
+            else
+              if (aDecryptingCert != aCert)
+                LOGGER.warn ("Found a second decryption certificate");
+          }
         }
       }
       // this determines if a signature check or a decryption happened
       aIncomingState.setSoapWSS4JSecurityActions (nWSS4JSecurityActions);
 
-      final X509Certificate aUsedCert;
-      if (aCertSet.size () > 1)
-      {
-        if (aPreferredCert == null)
-        {
-          LOGGER.warn ("Found " + aCertSet.size () + " different certificates in message. Using the first one.");
-          if (LOGGER.isDebugEnabled ())
-            LOGGER.debug ("All gathered certificates: " + aCertSet);
-          aUsedCert = aCertSet.getAtIndex (0);
-        }
-        else
-          aUsedCert = aPreferredCert;
-      }
-      else
-      {
-        if (aCertSet.size () == 1)
-          aUsedCert = aCertSet.getAtIndex (0);
-        else
-          aUsedCert = null;
-      }
-
       // Remember in State
-      aIncomingState.setUsedCertificate (aUsedCert);
+      aIncomingState.setUsedCertificate (aSigningCert);
+      aIncomingState.setSigningCertificate (aSigningCert);
+      aIncomingState.setDecryptingCertificate (aDecryptingCert);
       aIncomingState.setDecryptedSoapDocument (aSOAPDoc);
 
       LOGGER.info ("phase4 --- attachment.storetemp:start");
@@ -305,7 +303,7 @@ private ESuccess _verifyAndDecrypt (@Nonnull final Document aSOAPDoc,
     catch (final IndexOutOfBoundsException | IllegalStateException | WSSecurityException ex)
     {
       /**
-       * Error processing the WSSSecurity Header
+       * Error processing the WSSecurity Header
        *
        * <pre>
        * java.lang.IndexOutOfBoundsException: null
@@ -331,7 +329,7 @@ private ESuccess _verifyAndDecrypt (@Nonnull final Document aSOAPDoc,
       at com.helger.phase4.servlet.soap.SOAPHeaderElementProcessorWSS4J._verifyAndDecrypt(SOAPHeaderElementProcessorWSS4J.java:187) ~[classes/:?]
        * </pre>
        *
-       * Error processing the WSSSecurity Header
+       * Error processing the WSSecurity Header
        *
        * <pre>
       org.apache.wss4j.common.ext.WSSecurityException: Error during certificate path validation: No trusted certs found
@@ -359,7 +357,7 @@ private ESuccess _verifyAndDecrypt (@Nonnull final Document aSOAPDoc,
        */
 
       // Decryption or Signature check failed
-      String sDetails = "Error processing the WSSSecurity Header";
+      String sDetails = "Error processing the WSSecurity Header";
       if (ex instanceof WSSecurityException)
       {
         sDetails += " (WS Security error: " + ((WSSecurityException) ex).getErrorCode () + ")";

phase4-lib/src/main/java/com/helger/phase4/model/error/Ebms3ErrorBuilder.java

@@ -95,14 +95,14 @@ public Ebms3ErrorBuilder description (@Nullable final Ebms3Description a)
   public Ebms3ErrorBuilder errorDetail (@Nullable final String s, @Nullable final Throwable t)
   {
     // Be able to allow disabling sending stack traces (see #225)
+    String sErrorDetail = s;
     final Throwable aLogT = AS4Configuration.isIncludeStackTraceInErrorMessages () ? t : null;
-    return errorDetail (StringHelper.getConcatenatedOnDemand (s,
-                                                              ": ",
-                                                              aLogT == null ? "" : "Technical details: " +
-                                                                                   StringHelper.getConcatenatedOnDemand (aLogT.getClass ()
-                                                                                                                              .getName (),
-                                                                                                                         " - ",
-                                                                                                                         aLogT.getMessage ())));
+    if (aLogT != null)
+    {
+      sErrorDetail += ": Technical details: " +
+                      StringHelper.getConcatenatedOnDemand (aLogT.getClass ().getName (), " - ", aLogT.getMessage ());
+    }
+    return errorDetail (sErrorDetail);
   }
 
   @Nonnull

phase4-peppol-server-webapp/src/main/java/com/helger/phase4/peppol/server/spi/StoringPeppolIncomingSBDHandlerSPI.java

@@ -71,7 +71,7 @@ public void handleIncomingSBD (@Nonnull final IAS4IncomingMessageMetadata aMessa
     // Example code snippets how to get data
     LOGGER.info ("Received a new Peppol Message");
     LOGGER.info ("  C1 = " + aPeppolSBD.getSenderAsIdentifier ().getURIEncoded ());
-    LOGGER.info ("  C2 = " + PeppolCertificateHelper.getSubjectCN (aIncomingState.getUsedCertificate ()));
+    LOGGER.info ("  C2 = " + PeppolCertificateHelper.getSubjectCN (aIncomingState.getSigningCertificate ()));
     LOGGER.info ("  C3 = " + sMyPeppolSeatID);
     LOGGER.info ("  C4 = " + aPeppolSBD.getReceiverAsIdentifier ().getURIEncoded ());
     LOGGER.info ("  DocType = " + aPeppolSBD.getDocumentTypeAsIdentifier ().getURIEncoded ());

phase4-peppol-server-webapp/src/main/java/com/helger/phase4/peppol/server/spi/StoringServletMessageProcessorSPI.java

@@ -89,13 +89,13 @@ private static void _dumpSoap (@Nonnull final IAS4IncomingMessageMetadata aMessa
       }
     }
 
-    if (aIncomingState.hasUsedCertificate ())
+    if (aIncomingState.hasSigningCertificate ())
     {
       // Dump the senders certificate as PEM file
       // That can usually extracted from the Binary Security Token of the SOAP
       final File aFile = StorageHelper.getStorageFile (aMessageMetadata, ".pem");
-      final X509Certificate aUsedCert = aIncomingState.getUsedCertificate ();
-      final String sPEM = CertificateHelper.getPEMEncodedCertificate (aUsedCert);
+      final X509Certificate aSigningCert = aIncomingState.getSigningCertificate ();
+      final String sPEM = CertificateHelper.getPEMEncodedCertificate (aSigningCert);
       final byte [] aBytes = sPEM.getBytes (StandardCharsets.US_ASCII);
       if (SimpleFileIO.writeFile (aFile, aBytes).isFailure ())
       {

phase4-peppol-servlet/src/main/java/com/helger/phase4/peppol/servlet/Phase4PeppolServletMessageProcessorSPI.java

@@ -476,7 +476,7 @@ public static PeppolReportingItem createPeppolReportingItemForReceivedMessage (@
     }
 
     // Incoming message signed by C2
-    final String sC2ID = PeppolCertificateHelper.getSubjectCN (aState.getUsedCertificate ());
+    final String sC2ID = PeppolCertificateHelper.getSubjectCN (aState.getSigningCertificate ());
 
     try
     {
@@ -608,12 +608,13 @@ public AS4MessageProcessorResult processAS4UserMessage (@Nonnull final IAS4Incom
     if (aReceiverCheckData.isCheckSigningCertificateRevocation ())
     {
       final OffsetDateTime aNow = MetaAS4Manager.getTimestampMgr ().getCurrentDateTime ();
-      final X509Certificate aSenderCert = aState.getUsedCertificate ();
+      final X509Certificate aSenderSigningCert = aState.getSigningCertificate ();
       // Check if signing AP certificate is revoked
       // * Use global caching setting
       // * Use global certificate check mode
       final EPeppolCertificateCheckResult eCertCheckResult = aReceiverCheckData.getAPCAChecker ()
-                                                                               .checkCertificate (aSenderCert, aNow);
+                                                                               .checkCertificate (aSenderSigningCert,
+                                                                                                  aNow);
       if (eCertCheckResult.isInvalid ())
       {
         final String sDetails = "The received Peppol message is signed with a Peppol AP certificate invalid at " +

phase4-server-webapp/src/main/java/com/helger/phase4/server/spi/ExampleReceiveMessageProcessorSPI.java

@@ -77,13 +77,13 @@ private static void _dumpSoap (@Nonnull final IAS4IncomingMessageMetadata aMessa
         LOGGER.info ("Wrote SOAP to '" + aFile.getAbsolutePath () + "'");
     }
 
-    if (aState.hasUsedCertificate ())
+    if (aState.hasSigningCertificate ())
     {
       // Dump the senders certificate as PEM file
       // That can usually extracted from the Binary Security Token of the SOAP
       final File aFile = StorageHelper.getStorageFile (aMessageMetadata, ".pem");
-      final X509Certificate aUsedCert = aState.getUsedCertificate ();
-      final String sPEM = CertificateHelper.getPEMEncodedCertificate (aUsedCert);
+      final X509Certificate aSigningCert = aState.getSigningCertificate ();
+      final String sPEM = CertificateHelper.getPEMEncodedCertificate (aSigningCert);
       final byte [] aBytes = sPEM.getBytes (StandardCharsets.US_ASCII);
       if (SimpleFileIO.writeFile (aFile, aBytes).isFailure ())
         LOGGER.error ("Failed to write certificate to '" + aFile.getAbsolutePath () + "'");