Merge pull request #86 from eu-digital-green-certificates/feat/b64_en…

…vironment_keystores TLS keystores loading from b64 env variables
eu-digital-green-certificates · Jan 31, 2022 · 81ac06a · 81ac06a
2 parents eb9a7de + 1fbd9b5
commit 81ac06a
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 10 deletions.
diff --git a/...n/java/eu/europa/ec/dgc/gateway/connector/client/DgcGatewayConnectorRestClientConfig.java b/...n/java/eu/europa/ec/dgc/gateway/connector/client/DgcGatewayConnectorRestClientConfig.java
@@ -25,6 +25,7 @@
 import feign.httpclient.ApacheHttpClient;
 import java.io.IOException;
 import java.security.KeyManagementException;
+import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
@@ -37,11 +38,11 @@
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.message.BasicHeader;
 import org.apache.http.ssl.SSLContextBuilder;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.cloud.openfeign.EnableFeignClients;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.util.ResourceUtils;
 
 @ConditionalOnProperty("dgc.gateway.connector.tls-key-store.path")
 @Configuration
@@ -51,6 +52,12 @@ public class DgcGatewayConnectorRestClientConfig {
 
     private final DgcGatewayConnectorConfigProperties properties;
 
+    @Qualifier("tlsKeyStore")
+    private final KeyStore tlsKeyStore;
+
+    @Qualifier("tlsTrustStore")
+    private final KeyStore tlsTrustStore;
+
     /**
      * Feign Client for connection to DGC Gateway.
      *
@@ -77,16 +84,10 @@ private SSLContext getSslContext() throws
         IOException, UnrecoverableKeyException,
         CertificateException, NoSuchAlgorithmException,
         KeyStoreException, KeyManagementException {
-
         return SSLContextBuilder.create()
-            .loadTrustMaterial(
-                ResourceUtils.getFile(properties.getTlsTrustStore().getPath()),
-                properties.getTlsTrustStore().getPassword())
+            .loadTrustMaterial(tlsTrustStore, null)
             .loadKeyMaterial(
-                ResourceUtils.getFile(properties.getTlsKeyStore().getPath()),
-                properties.getTlsKeyStore().getPassword(),
-                properties.getTlsKeyStore().getPassword(),
-                (map, socket) -> properties.getTlsKeyStore().getAlias())
+                tlsKeyStore, properties.getTlsKeyStore().getPassword())
             .build();
     }
 

diff --git a/src/main/java/eu/europa/ec/dgc/gateway/connector/config/DgcGatewayConnectorKeystore.java b/src/main/java/eu/europa/ec/dgc/gateway/connector/config/DgcGatewayConnectorKeystore.java
@@ -91,14 +91,62 @@ public KeyStore trustAnchorKeyStore() throws KeyStoreException,
         return keyStore;
     }
 
+    /**
+     * Creates a KeyStore instance with keys for TLS trust Store.
+     *
+     * @return KeyStore Instance
+     * @throws KeyStoreException        if no implementation for the specified type found
+     * @throws CertificateException     if any of the certificates in the keystore could not be loaded
+     * @throws NoSuchAlgorithmException if the algorithm used to check the integrity of the keystore cannot be found
+     */
+    @Bean
+    @Qualifier("tlsTrustStore")
+    @ConditionalOnProperty("dgc.gateway.connector.tls-trust-store.path")
+    public KeyStore tlsTrustStore() throws KeyStoreException,
+        CertificateException, NoSuchAlgorithmException {
+        KeyStore keyStore = KeyStore.getInstance("JKS");
+
+        loadKeyStore(
+            keyStore,
+            dgcConfigProperties.getTlsTrustStore().getPath(),
+            dgcConfigProperties.getTlsTrustStore().getPassword());
+
+        return keyStore;
+    }
+
+
+    /**
+     * Creates a KeyStore instance with keys for TLS key Store.
+     *
+     * @return KeyStore Instance
+     * @throws KeyStoreException        if no implementation for the specified type found
+     * @throws CertificateException     if any of the certificates in the keystore could not be loaded
+     * @throws NoSuchAlgorithmException if the algorithm used to check the integrity of the keystore cannot be found
+     */
+    @Bean
+    @Qualifier("tlsKeyStore")
+    @ConditionalOnProperty("dgc.gateway.connector.tls-key-store.path")
+    public KeyStore tlsKeyStore() throws KeyStoreException,
+        CertificateException, NoSuchAlgorithmException {
+        KeyStore keyStore = KeyStore.getInstance("JKS");
+
+        loadKeyStore(
+            keyStore,
+            dgcConfigProperties.getTlsKeyStore().getPath(),
+            dgcConfigProperties.getTlsKeyStore().getPassword());
+
+        return keyStore;
+    }
+
+
     private void loadKeyStore(KeyStore keyStore, String path, char[] password)
         throws CertificateException, NoSuchAlgorithmException {
         try {
 
             InputStream stream;
 
             if (path.startsWith("$ENV:")) {
-                String env = path.substring(6);
+                String env = path.substring(5);
                 String b64 = System.getenv(env);
                 stream = new ByteArrayInputStream(Base64.getDecoder().decode(b64));
             } else {