support for encrypted fTTP certificate private-keys

hhund · hhund · commit 08453747c985 · 2021-08-25T13:14:37.000+02:00
diff --git a/codex-process-data-transfer/src/main/java/de/netzwerk_universitaetsmedizin/codex/processes/data_transfer/client/FttpClientFactory.java b/codex-process-data-transfer/src/main/java/de/netzwerk_universitaetsmedizin/codex/processes/data_transfer/client/FttpClientFactory.java
@@ -80,6 +80,7 @@ public void testConnection()
 	private final Path trustStorePath;
 	private final Path certificatePath;
 	private final Path privateKeyPath;
+	private final char[] privateKeyPassword;
 
 	private final String fttpServerBase;
 	private final String fttpBasicAuthUsername;
@@ -99,14 +100,15 @@ public void testConnection()
 
 	private final boolean hapiClientVerbose;
 
-	public FttpClientFactory(Path trustStorePath, Path certificatePath, Path privateKeyPath, int connectTimeout,
-			int socketTimeout, int connectionRequestTimeout, String fttpBasicAuthUsername, String fttpBasicAuthPassword,
-			String fttpServerBase, String fttpApiKey, String fttpStudy, String fttpTarget, String proxySchemeHostPort,
-			String proxyUsername, String proxyPassword, boolean hapiClientVerbose)
+	public FttpClientFactory(Path trustStorePath, Path certificatePath, Path privateKeyPath, char[] privateKeyPassword,
+			int connectTimeout, int socketTimeout, int connectionRequestTimeout, String fttpBasicAuthUsername,
+			String fttpBasicAuthPassword, String fttpServerBase, String fttpApiKey, String fttpStudy, String fttpTarget,
+			String proxySchemeHostPort, String proxyUsername, String proxyPassword, boolean hapiClientVerbose)
 	{
 		this.trustStorePath = trustStorePath;
 		this.certificatePath = certificatePath;
 		this.privateKeyPath = privateKeyPath;
+		this.privateKeyPassword = privateKeyPassword;
 
 		this.connectTimeout = connectTimeout;
 		this.socketTimeout = socketTimeout;
@@ -133,8 +135,9 @@ public void onContextRefreshedEvent(ContextRefreshedEvent event)
 		try
 		{
 			logger.info(
-					"Testing connection to fTTP with {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, fttpServerBase: {}, fttpApiKey: {}, fttpStudy: {}, fttpTarget: {}}",
-					trustStorePath, certificatePath, privateKeyPath, fttpServerBase, fttpApiKey, fttpStudy, fttpTarget);
+					"Testing connection to fTTP with {trustStorePath: {}, certificatePath: {}, privateKeyPath: {}, privateKeyPassword: {}, fttpServerBase: {}, fttpApiKey: {}, fttpStudy: {}, fttpTarget: {}}",
+					trustStorePath, certificatePath, privateKeyPath, privateKeyPassword != null ? "***" : "null",
+					fttpServerBase, fttpApiKey, fttpStudy, fttpTarget);
 
 			getFttpClient().testConnection();
 		}
@@ -166,7 +169,7 @@ protected FttpClient createFttpClient()
 		char[] keyStorePassword = UUID.randomUUID().toString().toCharArray();
 
 		logger.debug("Creating key-store from {} and {}", certificatePath.toString(), privateKeyPath.toString());
-		KeyStore keyStore = readKeyStore(certificatePath, privateKeyPath, keyStorePassword);
+		KeyStore keyStore = readKeyStore(certificatePath, privateKeyPath, privateKeyPassword, keyStorePassword);
 
 		return new FttpClientImpl(trustStore, keyStore, keyStorePassword, connectTimeout, socketTimeout,
 				connectionRequestTimeout, fttpBasicAuthUsername, fttpBasicAuthPassword, fttpServerBase, fttpApiKey,
@@ -185,11 +188,11 @@ private KeyStore readTrustStore(Path trustPath)
 		}
 	}
 
-	private KeyStore readKeyStore(Path certificatePath, Path keyPath, char[] keyStorePassword)
+	private KeyStore readKeyStore(Path certificatePath, Path keyPath, char[] keyPassword, char[] keyStorePassword)
 	{
 		try
 		{
-			PrivateKey privateKey = PemIo.readPrivateKeyFromPem(keyPath);
+			PrivateKey privateKey = PemIo.readPrivateKeyFromPem(keyPath, keyPassword);
 			X509Certificate certificate = PemIo.readX509CertificateFromPem(certificatePath);
 
 			return CertificateHelper.toJksKeyStore(privateKey, new Certificate[] { certificate },
diff --git a/codex-process-data-transfer/src/main/java/de/netzwerk_universitaetsmedizin/codex/processes/data_transfer/spring/config/TransferDataConfig.java b/codex-process-data-transfer/src/main/java/de/netzwerk_universitaetsmedizin/codex/processes/data_transfer/spring/config/TransferDataConfig.java
@@ -134,6 +134,9 @@ public class TransferDataConfig
 	@Value("${de.netzwerk.universitaetsmedizin.codex.fttp.private.key:#{null}}")
 	private String fttpPrivateKey;
 
+	@Value("${de.netzwerk.universitaetsmedizin.codex.fttp.private.key.password:#{null}}")
+	private char[] fttpPrivateKeyPassword;
+
 	@Value("${de.netzwerk.universitaetsmedizin.codex.fttp.timeout.connect:10000}")
 	private int fttpConnectTimeout;
 
@@ -198,10 +201,10 @@ public FttpClientFactory fttpClientFactory()
 		Path certificatePath = checkExists(fttpCertificate);
 		Path privateKeyPath = checkExists(fttpPrivateKey);
 
-		return new FttpClientFactory(trustStorePath, certificatePath, privateKeyPath, fttpConnectTimeout,
-				fttpSocketTimeout, fttpConnectionRequestTimeout, fttpBasicAuthUsername, fttpBasicAuthPassword,
-				fttpServerBase, fttpApiKey, fttpStudy, fttpTarget, proxySchemeHostPort, proxyUsername, proxyPassword,
-				fttpHapiClientVerbose);
+		return new FttpClientFactory(trustStorePath, certificatePath, privateKeyPath, fttpPrivateKeyPassword,
+				fttpConnectTimeout, fttpSocketTimeout, fttpConnectionRequestTimeout, fttpBasicAuthUsername,
+				fttpBasicAuthPassword, fttpServerBase, fttpApiKey, fttpStudy, fttpTarget, proxySchemeHostPort,
+				proxyUsername, proxyPassword, fttpHapiClientVerbose);
 	}
 
 	@Bean
