KOP-2893 Add client and server keystore generation script

Generate new client and server certificates
Generate new truststore

build/assembly.xml

@@ -29,9 +29,9 @@
             <directory>${project.basedir}/src/main/resources/store</directory>
             <outputDirectory>/</outputDirectory>
             <includes>
-                <include>john_smith_xta_tester.p12</include>
+                <include>xta-test-client-john-smith_keystore.p12</include>
                 <include>xta-test-server_keystore.p12</include>
-                <include>xta-test-server_truststore.jks</include>
+                <include>xta-test_truststore.jks</include>
             </includes>
         </fileSet>
     </fileSets>

build/resources/application-local.yml

@@ -15,10 +15,10 @@ server:
     key-store-password: password
     key-store-type: pkcs12
     # Alias im KeyStore
-    key-alias: xta-test-application
+    key-alias: xta-test-server
     key-password: password
     # enthaelt alle vertrauenswuerdigen Zertifikate oder Oberzertifikate
-    trust-store: ./xta-test-server_truststore.jks
+    trust-store: ./xta-test_truststore.jks
     trust-store-password: password
     trust-store-type: JKS
     client-auth: want

doc/bedienungsanleitung.adoc

@@ -214,8 +214,7 @@ Die WSDL-Datei ist immer unter der Adresse des Services mit dem Zusatz ?wsdl auf
 
 Für die Kommunikation mittels HTTPs ist ein Client-Zertifikat notwendig, um den Client gegenüber der Testumgebung zu authentifizieren. Innerhalb der ZIP-Dateien der Testumgebung sind bereits mehrere Zertifikate und Keystores hinterlegt, die für die Kommunikation mit der Testumgebung genutzt werden können:
 
-* john_smith_xta_tester.p12 - Dieser Keystore beinhaltet ein Client-Zertifikat, das für die Kommunikation mit der Testumgebung verwendet werden kann. Sofern die Testumgebung in der Standardkonfiguration gestartet wurde, stuft die Umgebung das Zertifikat als vertrauenswürdig ein.
-* jane_doe_xta_tester.p12 - Dieser Keystore beinhaltet ein Client-Zertifikat, das für die Kommunikation mit der Testumgebung verwendet werden kann. Sofern die Testumgebung in der Standardkonfiguration gestartet wurde, stuft die Umgebung das Zertifikat als vertrauenswürdig ein.
+* xta-test-client-john-smith_keystore.p12 - Dieser Keystore beinhaltet ein Client-Zertifikat, das für die Kommunikation mit der Testumgebung verwendet werden kann. Sofern die Testumgebung in der Standardkonfiguration gestartet wurde, stuft die Umgebung das Zertifikat als vertrauenswürdig ein.
 
 
 === Test mit SoapUI

soapui/XTA-soapui-project.xml

@@ -3358,7 +3358,7 @@ eine Nachricht für die synchrone Weiterleitung übergeben wurde, die nur für d
       <xs:documentation>Diese Exception wird allgemein geworfen, wenn ein technisches Problem im XTA-WS aufgetreten ist. Sie kann z. B. durch ein Problem beim Zugriff auf die interne Datenbank des XTA-Servers ausgelöst worden sein.</xs:documentation>
     </xs:annotation>
   </xs:element>
-</xs:schema>]]></con:content><con:type>http://www.w3.org/2001/XMLSchema</con:type></con:part></con:definitionCache><con:endpoints><con:endpoint>http://localhost:8080/xta/ws</con:endpoint><con:endpoint>https://localhost:8443/MB_XTA-WS</con:endpoint><con:endpoint>https://localhost:8881</con:endpoint></con:endpoints><con:operation id="638fc8ad-4e98-4cf6-be0c-e2638749cfe3" isOneWay="false" action="http://www.xta.de/XTA/CancelMessage" name="cancelMessage" bindingOperationName="cancelMessage" type="Request-Response" inputName="" receivesAttachments="false" sendsAttachments="false" anonymous="optional"><con:settings/><con:call id="9e166713-c453-4f91-b18b-81229ae9f636" name="CancelMessage" sslKeystore="john_smith_xta_tester.p12" useWsAddressing="true"><con:settings><con:setting id="com.eviware.soapui.impl.wsdl.WsdlRequest@request-headers">&lt;xml-fragment/></con:setting><con:setting id="WsdlSettings@enable-mtom">true</con:setting><con:setting id="com.eviware.soapui.impl.wsdl.WsdlRequest@force_mtom">true</con:setting></con:settings><con:encoding>UTF-8</con:encoding><con:endpoint>https://localhost:8443/MB_XTA-WS/XTA210managementPort.svc</con:endpoint><con:request><![CDATA[<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tran="http://www.osci.eu/ws/2014/10/transport" xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:add="http://www.w3.org/2005/08/addressing">\r
+</xs:schema>]]></con:content><con:type>http://www.w3.org/2001/XMLSchema</con:type></con:part></con:definitionCache><con:endpoints><con:endpoint>http://localhost:8080/xta/ws</con:endpoint><con:endpoint>https://localhost:8443/MB_XTA-WS</con:endpoint><con:endpoint>https://localhost:8881</con:endpoint></con:endpoints><con:operation id="638fc8ad-4e98-4cf6-be0c-e2638749cfe3" isOneWay="false" action="http://www.xta.de/XTA/CancelMessage" name="cancelMessage" bindingOperationName="cancelMessage" type="Request-Response" inputName="" receivesAttachments="false" sendsAttachments="false" anonymous="optional"><con:settings/><con:call id="9e166713-c453-4f91-b18b-81229ae9f636" name="CancelMessage" sslKeystore="xta-test-client-john-smith_keystore.p12" useWsAddressing="true"><con:settings><con:setting id="com.eviware.soapui.impl.wsdl.WsdlRequest@request-headers">&lt;xml-fragment/></con:setting><con:setting id="WsdlSettings@enable-mtom">true</con:setting><con:setting id="com.eviware.soapui.impl.wsdl.WsdlRequest@force_mtom">true</con:setting></con:settings><con:encoding>UTF-8</con:encoding><con:endpoint>https://localhost:8443/MB_XTA-WS/XTA210managementPort.svc</con:endpoint><con:request><![CDATA[<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tran="http://www.osci.eu/ws/2014/10/transport" xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:add="http://www.w3.org/2005/08/addressing">\r
    <soap:Header>\r
       <tran:Author>\r
          <tran:Identifier type="xoev" name="SoapUI" category="dbs:testumgebung">?</tran:Identifier>
@@ -3368,7 +3368,7 @@ eine Nachricht für die synchrone Weiterleitung übergeben wurde, die nur für d
    <soap:Body>\r
       <add:MessageID>urn:de:xta:messageid:xta-tester:b9f971c1-133e-4c33-91da-117a668f4343</add:MessageID>\r
    </soap:Body>\r
-</soap:Envelope>]]></con:request><con:credentials><con:authType>No Authorization</con:authType></con:credentials><con:jmsConfig JMSDeliveryMode="PERSISTENT"/><con:jmsPropertyConfig/><con:wsaConfig mustUnderstand="NONE" version="200508" action="http://www.xta.de/XTA/CancelMessage" addDefaultAction="true" addDefaultTo="true" generateMessageId="true"/><con:wsrmConfig version="1.2"/></con:call></con:operation><con:operation id="ed63891c-c43a-4476-8208-f37771b9a239" isOneWay="false" action="http://www.xta.de/XTA/CheckAccountActive" name="checkAccountActive" bindingOperationName="checkAccountActive" type="Request-Response" inputName="" receivesAttachments="false" sendsAttachments="false" anonymous="optional"><con:settings/><con:call id="246c0286-5928-43a6-ab33-56b93f9308b3" name="CheckAccountActive" sslKeystore="john_smith_xta_tester.p12" useWsAddressing="true"><con:settings><con:setting id="com.eviware.soapui.impl.wsdl.WsdlRequest@request-headers">&lt;xml-fragment/></con:setting><con:setting id="WsdlSettings@enable-mtom">true</con:setting><con:setting id="com.eviware.soapui.impl.wsdl.WsdlRequest@force_mtom">true</con:setting></con:settings><con:encoding>UTF-8</con:encoding><con:endpoint>https://localhost:9443/MB_XTA-WS/XTA210managementPort.svc</con:endpoint><con:request><![CDATA[<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tran="http://www.osci.eu/ws/2014/10/transport" xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">\r
+</soap:Envelope>]]></con:request><con:credentials><con:authType>No Authorization</con:authType></con:credentials><con:jmsConfig JMSDeliveryMode="PERSISTENT"/><con:jmsPropertyConfig/><con:wsaConfig mustUnderstand="NONE" version="200508" action="http://www.xta.de/XTA/CancelMessage" addDefaultAction="true" addDefaultTo="true" generateMessageId="true"/><con:wsrmConfig version="1.2"/></con:call></con:operation><con:operation id="ed63891c-c43a-4476-8208-f37771b9a239" isOneWay="false" action="http://www.xta.de/XTA/CheckAccountActive" name="checkAccountActive" bindingOperationName="checkAccountActive" type="Request-Response" inputName="" receivesAttachments="false" sendsAttachments="false" anonymous="optional"><con:settings/><con:call id="246c0286-5928-43a6-ab33-56b93f9308b3" name="CheckAccountActive" sslKeystore="xta-test-client-john-smith_keystore.p12" useWsAddressing="true"><con:settings><con:setting id="com.eviware.soapui.impl.wsdl.WsdlRequest@request-headers">&lt;xml-fragment/></con:setting><con:setting id="WsdlSettings@enable-mtom">true</con:setting><con:setting id="com.eviware.soapui.impl.wsdl.WsdlRequest@force_mtom">true</con:setting></con:settings><con:encoding>UTF-8</con:encoding><con:endpoint>https://localhost:9443/MB_XTA-WS/XTA210managementPort.svc</con:endpoint><con:request><![CDATA[<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tran="http://www.osci.eu/ws/2014/10/transport" xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">\r
    <soap:Header>\r
       <tran:Author>\r
          <tran:Identifier type="xoev" name="SoapUI" category="dbs:testumgebung">?</tran:Identifier>\r
@@ -10846,4 +10846,4 @@ if (action[0..1] == "\\\"") {
          </ns:ContentContainer>
       </ns:GenericContentContainer>
    </soapenv:Body>
-</soapenv:Envelope>]]></con:responseContent><con:wsaConfig mustUnderstand="NONE" version="200508" action="http://www.osci.eu/ws/2008/05/transport/urn/messageTypes/MsgBoxFetchRequest"/></con:response><con:dispatchConfig/></con:mockOperation></con:mockService><con:properties/><con:afterLoadScript/><con:wssContainer><con:crypto><con:source>../src/main/resources/store/john_smith_xta_tester.p12</con:source><con:password>password</con:password><con:type>KEYSTORE</con:type></con:crypto><con:crypto><con:source>../src/main/resources/store/xta-test-server_keystore.p12</con:source><con:password>password</con:password><con:type>TRUSTSTORE</con:type></con:crypto></con:wssContainer><con:oAuth2ProfileContainer/><con:oAuth1ProfileContainer/><con:sensitiveInformation/></con:soapui-project>
+</soapenv:Envelope>]]></con:responseContent><con:wsaConfig mustUnderstand="NONE" version="200508" action="http://www.osci.eu/ws/2008/05/transport/urn/messageTypes/MsgBoxFetchRequest"/></con:response><con:dispatchConfig/></con:mockOperation></con:mockService><con:properties/><con:afterLoadScript/><con:wssContainer><con:crypto><con:source>../src/main/resources/store/xta-test-client-john-smith_keystore.p12</con:source><con:password>password</con:password><con:type>KEYSTORE</con:type></con:crypto><con:crypto><con:source>../src/main/resources/store/xta-test-server_keystore.p12</con:source><con:password>password</con:password><con:type>TRUSTSTORE</con:type></con:crypto></con:wssContainer><con:oAuth2ProfileContainer/><con:oAuth1ProfileContainer/><con:sensitiveInformation/></con:soapui-project>
\ No newline at end of file

src/main/resources/application.yml

@@ -17,10 +17,10 @@ server:
     key-store-password: password
     key-store-type: pkcs12
     # Alias im KeyStore
-    key-alias: xta-test-application
+    key-alias: xta-test-server
     key-password: password
     # enthaelt alle vertrauenswuerdigen Zertifikate
-    trust-store: classpath:store/xta-test-server_truststore.jks
+    trust-store: classpath:store/xta-test_truststore.jks
     trust-store-password: password
     trust-store-type: JKS
     # want, need, none; see org.springframework.boot.web.server.ClientAuth

src/main/resources/store/.gitignore

+*.crt
+*.csr
+*.key
+*.slr
\ No newline at end of file

src/main/resources/store/ca-openssl.cnf

+[req]
+default_bits       = 2048
+distinguished_name = req_distinguished_name
+req_extensions     = v3_ca
+prompt             = no
+
+[req_distinguished_name]
+C  = DE
+ST = XTATestState
+L  = XTATestCity
+O  = XTATestOrg
+OU = XTATestOrgUnit
+CN = XTA Test Root CA
+
+[ v3_ca ]
+# Basic Constraints
+basicConstraints = critical, CA:true, pathlen:0
+
+# Key Usage
+keyUsage = critical, digitalSignature, keyCertSign, cRLSign
+
+# Netscape Cert Type
+nsCertType = sslCA
\ No newline at end of file

src/main/resources/store/client-openssl.cnf

+[ req ]
+default_bits       = 2048
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+prompt             = no
+
+[ req_distinguished_name ]
+C  = DE
+ST = XTACity
+L  = XTACountry
+O  = XTAOrg
+OU = XTAOrgUnit
+CN = XTA Test Client
+
+[ req_ext ]
+authorityKeyIdentifier=keyid,issuer
+keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
+extendedKeyUsage = clientAuth
+basicConstraints=CA:FALSE
+nsCertType = client
\ No newline at end of file

src/main/resources/store/generate.sh

+#!/bin/bash
+
+set -e
+
+STORE_PASS=password
+ISSUER_ALIAS=xta-test-root-ca
+TRUST_STORE_JKS=xta-test_truststore.jks
+
+if [ ! -f $ISSUER_ALIAS.key ] || [ ! -f $ISSUER_ALIAS.crt ]; then
+  rm $TRUST_STORE_JKS || true
+  echo "[1.0] Generate key for the Xta-Root-CA (Root CA key or crt not found)"
+  openssl genrsa -out $ISSUER_ALIAS.key 2048
+  echo "[1.1] Generate a self-signed certificate for the Xta-Root-CA"
+  openssl req -x509 -new -nodes -key $ISSUER_ALIAS.key -sha256 -days 4000 -out $ISSUER_ALIAS.crt -config ca-openssl.cnf -extensions v3_ca
+else
+  echo "[1.0] Root CA found. Skipping generation."
+fi
+
+if [ ! -f $TRUST_STORE_JKS ]; then
+  echo "[2.0] Import Root CA into Xta-Server-Truststore"
+  keytool -importcert -alias $ISSUER_ALIAS -keystore $TRUST_STORE_JKS -storetype JKS -storepass "$STORE_PASS" -file $ISSUER_ALIAS.crt -noprompt
+else
+  echo "[2.0] Xta-Server-Truststore found. Skipping generation."
+fi
+
+function generate_keystore_with_signed_certificate {
+  local step_num="$1"
+  local key_alias="$2"
+  local key_cn="$3"
+  local ext_config_file="$4"
+  local keystore_args=( -keystore "${key_alias}_keystore.p12" -storepass "$STORE_PASS" -storetype PKCS12 )
+  rm "$key_alias"_keystore.p12 || true
+  echo "[$step_num.0] Generate a keystore for $key_cn"
+  keytool -genkeypair "${keystore_args[@]}" -alias "$key_alias" -keyalg RSA -keysize 2048 -validity 3900 -dname "CN=$key_cn, OU=XtaTestOrgUnit, O=XtaTestOrg, L=XtaTestCity, S=XtaTestState, C=DE"
+  keytool -importcert "${keystore_args[@]}" -alias $ISSUER_ALIAS -file $ISSUER_ALIAS.crt -noprompt
+
+  echo "[$step_num.1] Generate a certificate signing request for $key_cn"
+  keytool -certreq "${keystore_args[@]}" -alias "$key_alias" -file "$key_alias.csr"
+
+  echo "[$step_num.2] Sign the certificate with the Root CA using $ext_config_file"
+  openssl x509 -req -in "$key_alias.csr" -out "$key_alias.crt" -CA $ISSUER_ALIAS.crt -CAkey $ISSUER_ALIAS.key -CAcreateserial -days 3900 -sha256 -extfile "$ext_config_file" -extensions req_ext
+  rm "$key_alias.csr" || true
+
+  echo "[$step_num.3] Import the signed certificate into the keystore with alias $key_alias"
+  keytool -importcert "${keystore_args[@]}" -alias "$key_alias" -file "$key_alias.crt" -noprompt
+  rm "$key_alias.crt" || true
+  keytool -delete "${keystore_args[@]}" -alias $ISSUER_ALIAS -noprompt
+}
+
+generate_keystore_with_signed_certificate "3" xta-test-server "XTA Test Server" server-openssl.cnf
+generate_keystore_with_signed_certificate "4" xta-test-client-john-smith "XTA Test Client John Smith" client-openssl.cnf
+generate_keystore_with_signed_certificate "5" xta-test-client-jane-doe "XTA Test Client Jane Doe" client-openssl.cnf
\ No newline at end of file

src/main/resources/store/server-openssl.cnf

+[req]
+default_bits       = 2048
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+prompt             = no
+
+[req_distinguished_name]
+C  = YourCountry
+ST = YourState
+L  = YourCity
+O  = YourOrg
+OU = YourOrgUnit
+CN = your.server.com
+
+[req_ext]
+subjectAltName = @alt_names
+keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+
+[alt_names]
+DNS.1 = localhost
+IP.1  = 127.0.0.1
+DNS.2 = docker
\ No newline at end of file

src/main/resources/store/show_certs.sh

+#!/bin/bash
+
+set -e
+
+ISSUER_ALIAS=xta-test-root-ca
+STORE_PASS=password
+
+function show_cert_by_alias {
+  local key_alias="$1"
+  keytool -exportcert -alias "$key_alias" -keystore "${key_alias}_keystore.p12" -file "${key_alias}.crt" -storepass "$STORE_PASS"
+  openssl x509 -in "${key_alias}.crt" -text -noout
+  rm "${key_alias}.crt" || true
+}
+
+openssl x509 -in "${ISSUER_ALIAS}.crt" -text -noout
+
+show_cert_by_alias xta-test-server
+show_cert_by_alias xta-test-client-john-smith
+

src/test/resources/application.yml

@@ -10,10 +10,10 @@ server:
     key-store-password: password
     key-store-type: pkcs12
     # Alias im KeyStore
-    key-alias: xta-test-application
+    key-alias: xta-test-server
     key-password: password
     # enthaelt alle vertrauenswuerdigen Zertifikate
-    trust-store: classpath:store/xta-test-server_truststore.jks
+    trust-store: classpath:store/xta-test_truststore.jks
     trust-store-password: password
     trust-store-type: JKS
     # want, need, none; see org.springframework.boot.web.server.ClientAuth