Trust Buypass SEID2 enterprise certificates

Modifies the alias-generating for certificate to include the name of the containing
folder, because the file names for test and production CA certs are the
same, and to be able to reliably test that the trusts are containing the
expected certifiates. The aliases are not used by the client.

Add test that we recognize orgnr in SEID2 certs

Author: runeflobakk

src/main/java/no/digipost/signature/client/Certificates.java

@@ -10,13 +10,27 @@ public enum Certificates {
     TEST(
             "test/Buypass_Class_3_Test4_CA_3.cer",
             "test/Buypass_Class_3_Test4_Root_CA.cer",
+
+            "test/BPCl3CaG2HTBS.cer",
+            "test/BPCl3CaG2STBS.cer",
+            "test/BPCl3RootCaG2HT.cer",
+            "test/BPCl3RootCaG2ST.cer",
+
             "test/commfides_test_ca.cer",
             "test/commfides_test_root_ca.cer",
+
             "test/digipost_test_root_ca.cert.pem"
+
     ),
     PRODUCTION(
             "prod/BPClass3CA3.cer",
             "prod/BPClass3RootCA.cer",
+
+            "prod/BPCl3CaG2HTBS.cer",
+            "prod/BPCl3CaG2STBS.cer",
+            "prod/BPCl3RootCaG2HT.cer",
+            "prod/BPCl3RootCaG2ST.cer",
+
             "prod/commfides_ca.cer",
             "prod/commfides_root_ca.cer"
     );

src/main/java/no/digipost/signature/client/core/internal/security/TrustStoreLoader.java

@@ -1,23 +1,30 @@
 package no.digipost.signature.client.core.internal.security;
 
-import no.digipost.signature.client.Certificates;
 import no.digipost.signature.client.core.exceptions.ConfigurationException;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
 
-import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.UUID;
+import java.util.stream.Stream;
+
+import static java.nio.file.Files.isDirectory;
+import static java.util.stream.Collectors.joining;
+import static java.util.stream.StreamSupport.stream;
 
 public class TrustStoreLoader {
 
@@ -31,93 +38,103 @@ public static KeyStore build(ProvidesCertificateResourcePaths hasCertificatePath
             }
 
             return trustStore;
-        } catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException | KeyManagementException e) {
+        } catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException e) {
             throw new ConfigurationException("Unable to load certificates into truststore", e);
         }
     }
 
-    private static void loadCertificatesInto(String certificateFolder, final KeyStore trustStore) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
+    private static void loadCertificatesInto(String certificateLocation, KeyStore trustStore) {
         ResourceLoader certificateLoader;
-        if (certificateFolder.indexOf("classpath:") == 0) {
-            certificateLoader = new ClassPathFileLoader(certificateFolder);
+        if (certificateLocation.startsWith(ClassPathResourceLoader.CLASSPATH_PATH_PREFIX)) {
+            certificateLoader = new ClassPathResourceLoader(certificateLocation);
         } else {
-            certificateLoader = new FileLoader(certificateFolder);
+            certificateLoader = new FileLoader(certificateLocation);
         }
 
-        certificateLoader.forEachFile(new ForFile() {
-            @Override
-            void call(String fileName, InputStream contents) {
-                try {
-                    X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(contents);
-                    trustStore.setCertificateEntry(fileName, ca);
-                } catch (CertificateException | KeyStoreException e) {
-                    throw new ConfigurationException("Unable to load certificate in " + fileName);
-                }
-            }
+        certificateLoader.forEachFile((fileName, contents) -> {
+            X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(contents);
+            trustStore.setCertificateEntry(fileName, ca);
         });
 
+        try {
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            tmf.init(trustStore);
 
-        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-        tmf.init(trustStore);
-
-        SSLContext context = SSLContext.getInstance("TLS");
-        context.init(null, tmf.getTrustManagers(), null);
+            SSLContext context = SSLContext.getInstance("TLS");
+            context.init(null, tmf.getTrustManagers(), null);
+        } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) {
+            throw new ConfigurationException("Error initializing SSLContext for certification location " + certificateLocation, e);
+        }
     }
 
-    private static class ClassPathFileLoader implements ResourceLoader {
+
+    private static class ClassPathResourceLoader implements ResourceLoader {
 
         static final String CLASSPATH_PATH_PREFIX = "classpath:";
 
-        private final String certificatePath;
+        private final String resourceName;
 
-        ClassPathFileLoader(String certificateFolder) {
-            this.certificatePath = certificateFolder.substring(CLASSPATH_PATH_PREFIX.length());
+        ClassPathResourceLoader(String resourceName) {
+            this.resourceName = resourceName.replaceFirst(CLASSPATH_PATH_PREFIX, "");
         }
 
         @Override
-        public void forEachFile(ForFile forEachFile) throws IOException {
-            URL contentsUrl = Certificates.class.getResource(certificatePath);
-            if (contentsUrl == null) {
-                throw new ConfigurationException(certificatePath + " was not found");
+        public void forEachFile(ForFile forEachFile) {
+            URL resourceUrl = TrustStoreLoader.class.getResource(resourceName);
+            if (resourceUrl == null) {
+                throw new ConfigurationException(resourceName + " not found on classpath");
             }
-            try (InputStream inputStream = contentsUrl.openStream()){
-                forEachFile.call(new File(contentsUrl.getFile()).getName(), inputStream);
+
+            try (InputStream inputStream = resourceUrl.openStream()) {
+                forEachFile.call(generateAlias(Paths.get(resourceUrl.getPath())), inputStream);
+            } catch (Exception e) {
+                throw new ConfigurationException("Unable to load certificate from classpath: " + resourceName, e);
             }
         }
     }
 
     private static class FileLoader implements ResourceLoader {
-        private final File path;
+        private final Path path;
 
         FileLoader(String certificateFolder) {
-            this.path = new File(certificateFolder);
+            this.path = Paths.get(certificateFolder);
         }
 
         @Override
-        public void forEachFile(ForFile forEachFile) throws IOException {
-            if (!this.path.isDirectory()) {
+        public void forEachFile(ForFile forEachFile) {
+            if (!isDirectory(path)) {
                 throw new ConfigurationException("Certificate path '" + this.path + "' is not a directory. " +
                         "It should point to a directory containing certificates.");
             }
-            File[] files = this.path.listFiles();
-            if (files == null) {
-                throw new ConfigurationException("Unable to read certificates from '" + path + "'. Make sure it's the correct path.");
-            }
 
-            for (File file : files) {
-                try (InputStream contents = new FileInputStream(file)) {
-                    forEachFile.call(file.getName(), contents);
-                }
+            try (Stream<Path> files = Files.list(path)) {
+                files.forEach(file -> {
+                    try (InputStream contents = Files.newInputStream(file)) {
+                        forEachFile.call(generateAlias(file), contents);
+                    } catch (Exception e) {
+                        throw new ConfigurationException("Unable to load certificate from file " + file, e);
+                    }
+                });
+            } catch (IOException e) {
+                throw new ConfigurationException("Error reading certificates from " + path, e);
             }
         }
     }
 
     private interface ResourceLoader {
-        void forEachFile(ForFile forEachFile) throws IOException;
+        void forEachFile(ForFile forEachFile);
+    }
+
+    @FunctionalInterface
+    private interface ForFile {
+        void call(String fileName, InputStream contents) throws IOException, GeneralSecurityException;
     }
 
-    private abstract static class ForFile {
-        abstract void call(String fileName, InputStream contents);
+    private static String generateAlias(Path location) {
+        return stream(location.normalize().spliterator(), false)
+                .reduce((e1, e2) -> e1.getFileName().resolve(e2))
+                .map(nameBase -> stream(nameBase.spliterator(), false).map(Path::toString).collect(joining(":")))
+                .orElseGet(() -> UUID.randomUUID().toString());
     }
 
 }

src/test/java/no/digipost/signature/client/core/internal/security/TrustStoreLoaderTest.java

@@ -2,63 +2,114 @@
 
 import no.digipost.signature.client.ClientConfiguration;
 import no.digipost.signature.client.TestKonfigurasjon;
+import org.hamcrest.Description;
+import org.hamcrest.Matcher;
+import org.hamcrest.TypeSafeDiagnosingMatcher;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.util.List;
 
+import static java.util.Collections.list;
 import static no.digipost.signature.client.Certificates.PRODUCTION;
 import static no.digipost.signature.client.Certificates.TEST;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.is;
-import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-public class TrustStoreLoaderTest {
+class TrustStoreLoaderTest {
 
     private ClientConfiguration.Builder configBuilder;
 
     @BeforeEach
-    public void setUp() {
+    void setUp() {
         configBuilder = ClientConfiguration.builder(TestKonfigurasjon.CLIENT_KEYSTORE);
     }
 
     @Test
-    public void loads_productions_certificates_by_default() throws KeyStoreException {
-        KeyStore keyStore = TrustStoreLoader.build(configBuilder.build());
+    void loads_productions_certificates_by_default() throws KeyStoreException {
+        KeyStore trustStore = TrustStoreLoader.build(configBuilder.build());
 
-        assertThat(keyStore.size(), is(4));
-        assertTrue(keyStore.containsAlias("bpclass3rootca.cer"), "Trust store should contain BuyPass root CA");
+        assertTrue(trustStore.containsAlias("prod:bpclass3rootca.cer"), "Trust store should contain BuyPass root CA");
+        assertThat(trustStore.size(), is(8));
     }
 
     @Test
-    public void loads_productions_certificates() throws KeyStoreException {
+    void loads_productions_certificates() throws KeyStoreException {
         ClientConfiguration config = configBuilder.trustStore(PRODUCTION).build();
-        KeyStore keyStore = TrustStoreLoader.build(config);
-
-        assertThat(keyStore.size(), is(4));
-        assertTrue(keyStore.containsAlias("bpclass3rootca.cer"), "Trust store should contain bp root ca");
-        assertFalse(keyStore.containsAlias("buypass_class_3_test4_root_ca.cer"), "Trust store should not contain buypass test root ca");
+        KeyStore trustStore = TrustStoreLoader.build(config);
+
+        assertThat(trustStore, containsExactlyTheAliases(
+                "prod:bpclass3rootca.cer",
+                "prod:bpclass3ca3.cer",
+                "prod:bpcl3rootcag2st.cer",
+                "prod:bpcl3cag2stbs.cer",
+                "prod:bpcl3rootcag2ht.cer",
+                "prod:bpcl3cag2htbs.cer",
+                "prod:commfides_root_ca.cer",
+                "prod:commfides_ca.cer"));
     }
 
     @Test
-    public void loads_test_certificates() throws KeyStoreException {
+    void loads_test_certificates() throws KeyStoreException {
         ClientConfiguration config = configBuilder.trustStore(TEST).build();
-        KeyStore keyStore = TrustStoreLoader.build(config);
-
-        assertThat(keyStore.size(), is(5));
-        assertFalse(keyStore.containsAlias("bpclass3rootca.cer"), "Trust store should not buypass root ca");
-        assertTrue(keyStore.containsAlias("buypass_class_3_test4_root_ca.cer"), "Trust store should contain buypass test root ca");
+        KeyStore trustStore = TrustStoreLoader.build(config);
+
+        assertThat(trustStore, containsExactlyTheAliases(
+                "test:buypass_class_3_test4_root_ca.cer",
+                "test:buypass_class_3_test4_ca_3.cer",
+                "test:bpcl3rootcag2st.cer",
+                "test:bpcl3cag2stbs.cer",
+                "test:bpcl3rootcag2ht.cer",
+                "test:bpcl3cag2htbs.cer",
+                "test:commfides_test_root_ca.cer",
+                "test:commfides_test_ca.cer",
+                "test:digipost_test_root_ca.cert.pem"));
     }
 
     @Test
-    public void loads_certificates_from_file_location() throws KeyStoreException {
+    void loads_certificates_from_file_location() throws KeyStoreException {
         ClientConfiguration config = configBuilder.trustStore("./src/test/files/certificateTest").build();
-        KeyStore keyStore = TrustStoreLoader.build(config);
+        KeyStore trustStore = TrustStoreLoader.build(config);
 
-        assertThat(keyStore.size(), is(1));
+        assertThat(trustStore, containsExactlyTheAliases("certificatetest:commfides_test_ca.cer"));
     }
 
 
+    private static Matcher<KeyStore> containsExactlyTheAliases(String ... certAliases) {
+        return new TypeSafeDiagnosingMatcher<KeyStore>() {
+
+            @Override
+            public void describeTo(Description description) {
+                description
+                    .appendText("key store containing " + certAliases.length + " certificates with aliases: ")
+                    .appendValueList("", ", ", "", certAliases);
+            }
+
+            @Override
+            protected boolean matchesSafely(KeyStore keyStore, Description mismatchDescription) {
+                try {
+                    List<String> actualAliases = list(keyStore.aliases());
+                    Matcher<Iterable<? extends String>> expectedAliases = containsInAnyOrder(certAliases);
+                    if (!expectedAliases.matches(actualAliases)) {
+                        expectedAliases.describeMismatch(actualAliases, mismatchDescription);
+                        return false;
+                    } else if (keyStore.size() != certAliases.length) {
+                        mismatchDescription.appendText("contained " + keyStore.size() + " certificates");
+                    }
+                    return true;
+                } catch (KeyStoreException e) {
+                    mismatchDescription
+                        .appendText("threw exception retrieving the aliases from the key store: ")
+                        .appendValue(e.getClass().getSimpleName());
+                    throw new RuntimeException(e.getMessage(), e);
+                }
+            }
+
+        };
+    }
+
 }

src/test/java/no/digipost/signature/client/security/OrganizationNumberValidationTest.java

@@ -3,6 +3,10 @@
 import no.digipost.signature.client.TestCertificates;
 import org.junit.jupiter.api.Test;
 
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 
 import static no.digipost.signature.client.security.CertificateChainValidation.Result.TRUSTED;
@@ -14,10 +18,20 @@
 public class OrganizationNumberValidationTest {
 
     @Test
-    void trusts_Posten_Norge_SEID1_enterprise_certificate() {
-        X509Certificate cert = TestCertificates.getOrganizationCertificateKeyStore().getCertificate();
-        assertThat(cert.getSubjectX500Principal() + "is trusted",
-                cert, where(c -> new OrganizationNumberValidation("988015814").validate(new X509Certificate[]{c}), is(TRUSTED)));
+    void trusts_SEID1_enterprise_certificate() {
+        X509Certificate seid1Cert = TestCertificates.getOrganizationCertificateKeyStore().getCertificate();
+        assertThat(seid1Cert.getSubjectX500Principal() + "is trusted",
+                seid1Cert, where(c -> new OrganizationNumberValidation("988015814").validate(new X509Certificate[]{c}), is(TRUSTED)));
+    }
+
+    @Test
+    void trusts_SEID2_enterprise_certificate() throws CertificateException, IOException {
+        X509Certificate seid2Cert;
+        try (InputStream certContents = getClass().getResourceAsStream("/test4-autentiseringssertifikat-vid-europa.cer")) {
+            seid2Cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certContents);
+        }
+        assertThat(seid2Cert.getSubjectX500Principal() + "is trusted",
+                seid2Cert, where(c -> new OrganizationNumberValidation("100101688").validate(new X509Certificate[]{c}), is(TRUSTED)));
     }
 
     @Test