Merge pull request #22 from kolesa-team/sync-2025-01

CORE-3324 Синх с основым репозиторием

Author: av-angel

.github/workflows/create-docker-release.yml

@@ -36,19 +36,20 @@ jobs:
       - name: Build project
         run: ./gradlew -Pversion=$GITHUB_REF_NAME bootJar
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Login to DockerHub
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v6
         with:
           push: true
           tags: malikzh/ncanode:latest,malikzh/ncanode:${{ github.ref_name }}
           build-args: artifact=build/libs/NCANode-${{ github.ref_name }}.jar
           context: ./
           file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64

.github/workflows/validate-openapi-spec.yml

@@ -14,6 +14,6 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - name: Validate OpenAPI definition
-        uses: char0n/swagger-editor-validate@v1
+        uses: swaggerexpert/swagger-editor-validate@v1
         with:
           definition-file: openapi.yml

Dockerfile

@@ -1,4 +1,5 @@
 FROM amazoncorretto:17-alpine
+ENV JAVA_OPTS='-Xms128m -Xmx512m'
 EXPOSE 14579
 WORKDIR /app
 ARG artifact=build/libs/NCANode.jar

README.md

@@ -74,6 +74,8 @@ https://profit.kz/news/56732/Otkritij-kod-Beeline-Hacktoberfest-v-Kazahstane/
 
 Документацию можно найти на http://ncanode.kz
 
+Swagger: https://v3.ncanode.kz/swagger-ui/
+
 ## Contributors
 
 <a href="https://github.com/malikzh/NCANode/graphs/contributors">
@@ -86,33 +88,47 @@ https://profit.kz/news/56732/Otkritij-kod-Beeline-Hacktoberfest-v-Kazahstane/
 
 ## Важно!!!
 
-По требованию  АО «НИТ» | НУЦ РК. Библиотеки `kalkancrypt-0.6.jar` и `kalkancrypt_xmldsig-0.3.jar`
+По требованию  АО «НИТ» | НУЦ РК. Библиотеки `kalkancrypt-*.jar`/`knca_provider_jce_kalkan-*.jar` и `kalkancrypt-xmldsig-*.jar`
 Были удалены из репозитория, поэтому для компиляции Вам необходимо подставить библиотеки
 из комплекта разработчика (SDK) в директорию `/lib`.
 
 ### Сборка проекта
 
+Версия gradle: 7.2
+Версия java: 17
+
 Для сборки проекта необходимо:
 
-1. Подставить бибилиотеки kalkancrypt (Их можно запросить [тут](https://pki.gov.kz/developers/))
+1. Подставить библиотеки kalkancrypt (`knca_provider_jce_kalkan-*.jar` и `kalkancrypt-xmldsig-*.jar`) в директорию lib (Их можно запросить [тут](https://pki.gov.kz/developers/))
 2. `./gradlew bootJar` (для jar файла) или `./gradlew bootWar` (для war файла)
 
 
 Собранный проект будет лежать: `build/libs/NCANode.jar` или `build/libs/NCANode.war`
 
-### Запуск в Docker
+### Запуск проекта без сборки
+
+Проект запустить можно командой:
+
+```bash
+$ ./gradlew bootRun
+```
+
+### Запуск в Docker из готового образа
 
 ```bash
 docker volume create ncanode_cache
 docker run -p 14579:14579 -v ncanode_cache:/app/cache -d malikzh/ncanode
 ```
 
-### Запуск проекта без сборки
+### Запуск через Docker Compose
 
-Проект запустить можно командой:
+Предварительно нужно собрать проект через gradle и сгенерировать jar файлы
 
 ```bash
-$ ./gradlew bootRun
+docker compose build  // сборка образа
+docker compose up -d  // запуск контейнера
+docker compose ps  // проверка статуса контейнера
+docker compose stop  // остановка контейнера
 ```
 
 ### После запуска

build.gradle

@@ -21,7 +21,7 @@ repositories {
     flatDir {
         dirs 'lib'
     }
-
+    mavenLocal()
     mavenCentral()
 }
 
@@ -51,9 +51,9 @@ dependencies {
     annotationProcessor 'org.projectlombok:lombok:1.18.24'
 
     // KalkanCrypt
-    implementation name: 'kalkancrypt-0.7.2'
-    implementation name: 'kalkancrypt_xmldsig-0.4'
-    implementation 'org.apache.santuario:xmlsec:2.1.7'
+    implementation name: 'knca_provider_jce_kalkan-0.7.5'
+    implementation name: 'kalkancrypt-xmldsig-0.5'
+    implementation 'org.apache.santuario:xmlsec:3.0.3'
 
     // SOAP/WSSE
     implementation 'org.apache.ws.security:wss4j:1.6.19'

docker-compose.yml

@@ -0,0 +1,15 @@
+version: '3.7'
+
+services:
+  ncanode:
+    image: ncanode
+    restart: unless-stopped
+    build:
+      context: .
+    volumes:
+      - ncanode_cache:/app/cache
+    ports:
+      - "14579:14579"
+
+volumes:
+  ncanode_cache:

lib/.gitignore

@@ -1,2 +1,3 @@
 kalkancrypt-*.jar
 kalkancrypt_xmldsig-*.jar
+knca_provider_jce_kalkan*.jar

lib/README.md

@@ -1,5 +1,5 @@
 # README
 
-По требованию  АО «НИТ» | НУЦ РК. Библиотеки `kalkancrypt-0.7.jar` и `kalkancrypt_xmldsig-0.4.jar`
+По требованию  АО «НИТ» | НУЦ РК. Библиотеки `kalkancrypt-*.jar`/`knca_provider_jce_kalkan-*.jar` и `kalkancrypt-xmldsig-*.jar`
 Были удалены из репозитория, поэтому для компиляции Вам необходимо сюда подставить библиотеки
 из комплекта разработчика (SDK).

src/main/java/kz/ncanode/NCANode.java

@@ -17,7 +17,7 @@ public static void main(String[] args) {
         System.out.println(banner());
         SpringApplication.run(NCANode.class, args);
     }
-    private static String banner() {
+    public static String banner() {
         return """
              ____  _____   ______       _       ____  _____               __          ______  \s
             |_   \\|_   _|.' ___  |     / \\     |_   \\|_   _|             |  ]        / ____ `.\s

src/main/java/kz/ncanode/configuration/CorsConfiguration.java

@@ -0,0 +1,13 @@
+package kz.ncanode.configuration;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+public class CorsConfiguration implements WebMvcConfigurer {
+    @Override
+    public void addCorsMappings(CorsRegistry registry) {
+        registry.addMapping("/**").allowedMethods("*");
+    }
+}

src/main/java/kz/ncanode/controller/HomePageController.java

@@ -0,0 +1,46 @@
+package kz.ncanode.controller;
+
+import kz.ncanode.NCANode;
+import kz.ncanode.service.MaintenanceService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.io.Resource;
+import org.springframework.http.MediaType;
+import org.springframework.stereotype.Controller;
+import org.springframework.util.FileCopyUtils;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.io.UncheckedIOException;
+import java.nio.charset.StandardCharsets;
+
+@Controller
+@RequiredArgsConstructor
+public class HomePageController {
+    private final MaintenanceService maintenanceService;
+
+    @Value("classpath:home.html")
+    private Resource homePage;
+    @RequestMapping(value = "/", produces = MediaType.TEXT_HTML_VALUE)
+    @ResponseBody
+    public String homePage() {
+        return loadHtml()
+            .replace(variable("VERSION"), maintenanceService.getNCANodeVersion())
+            .replace(variable("BANNER"), NCANode.banner());
+    }
+
+    private String loadHtml() {
+        try (Reader reader = new InputStreamReader(homePage.getInputStream(), StandardCharsets.UTF_8)) {
+            return FileCopyUtils.copyToString(reader);
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        }
+    }
+
+    private static String variable(String name) {
+        return String.format("#{%s}", name);
+    }
+}

src/main/java/kz/ncanode/service/CrlService.java

@@ -84,31 +84,22 @@ private void initializeDeltaScheduler() {
      * @return Статус проверки
      */
     public CrlStatus verify(CertificateWrapper cert) {
-        for (final String cacheDirectory : List.of(CRL_CACHE_DELTA_DIR_NAME, CRL_CACHE_FULL_DIR_NAME)) {
-            // Догружаем CRL из сертификата
-            for (URL crlUrl : cert.getCrlList()) {
-                Util.findAllUrls(crlUrl.toString()).forEach(url -> {
-                    try {
-                        URL u = new URL(url);
-                        File crlFile = getCrlCacheFilePathFor(cacheDirectory, u);
-
-                        if (!crlFile.exists()) {
-                            downloadCrl(cacheDirectory, u);
-                        }
-                    } catch (MalformedURLException e) {
-                        log.warn("Invalid CRL url: {}. Certificate: {}", crlUrl, cert.getSubjectX500Principal().toString());
-                    }
-                });
-            }
+        if (!crlConfiguration.isEnabled()) {
+            return CrlStatus.builder()
+                .result(CrlResult.ACTIVE)
+                .build();
+        }
 
+        for (final String cacheDirectory : List.of(CRL_CACHE_DELTA_DIR_NAME, CRL_CACHE_FULL_DIR_NAME)) {
             // Проверяем в CRL
-            for (var crlEntry : getLoadedCrlEntries(cacheDirectory).entrySet()) {
-                if (crlEntry.getValue().isRevoked(cert.getX509Certificate())) {
+            for (File crlFile : getCrlFiles(cacheDirectory)) {
+                X509CRL crl = loadCrl(crlFile);
 
-                    return Optional.ofNullable(crlEntry.getValue().getRevokedCertificate(cert.getX509Certificate()))
+                if (crl.isRevoked(cert.getX509Certificate())) {
+                    return Optional.ofNullable(crl.getRevokedCertificate(cert.getX509Certificate()))
                         .map( entry -> CrlStatus.builder()
                             .result(CrlResult.REVOKED)
-                            .file(crlEntry.getKey())
+                            .file(crlFile.getName())
                             .revocationDate(entry.getRevocationDate())
                             .reason(Optional.ofNullable(entry.getRevocationReason()).map(CRLReason::toString).orElse(""))
                             .build()
@@ -125,16 +116,11 @@ public CrlStatus verify(CertificateWrapper cert) {
             .build();
     }
 
-    public Map<String, X509CRL> getLoadedCrlEntries(String cacheDirName) {
-        return getCrlFiles(cacheDirName).stream().collect(Collectors.toMap(File::getName, this::loadCrl));
-    }
-
     /**
      * Обновляет кэш CRL
      *
      * @param force Если true, то кэш будет обновлен в любом случае
      */
-    @CacheEvict("crls")
     public synchronized void updateCache(boolean force, CrlConfiguration crlConfiguration, String cacheDirectory) {
         synchronized (directoryService) {
             if (!crlConfiguration.isEnabled() || crlConfiguration.getTtl() <= 0) {
@@ -185,7 +171,6 @@ public synchronized void updateCache(boolean force, CrlConfiguration crlConfigur
      * @param file
      * @return
      */
-    @Cacheable(value = "crls", key = "#file.absolutePath")
     public X509CRL loadCrl(File file) {
         try (FileInputStream in = new FileInputStream(file)) {
             return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
@@ -215,13 +200,15 @@ public void downloadCrl(String cacheDirName, URL url) {
     }
 
     /**
-     * Возвращает файл кэша для URL
+     * Возвращает список CRL файлов в указанной директории
+     *
      * @param cacheDirName
-     * @param url
      * @return
      */
-    public File getCrlCacheFilePathFor(String cacheDirName, URL url) {
-        return getCrlCacheFilePathFor(cacheDirName, Util.sha1(url.toString()) + CRL_FILE_EXTENSION);
+    public List<File> getCrlFiles(String cacheDirName) {
+        return Arrays.stream(Objects.requireNonNull(directoryService.getCachePathFor(cacheDirName).orElseThrow().listFiles()))
+            .filter(file -> file.isFile() && file.canRead() && file.getName().endsWith(CRL_FILE_EXTENSION))
+            .toList();
     }
 
     private File download(String url, Path path) throws CrlException {
@@ -253,10 +240,4 @@ private File download(String url, Path path) throws CrlException {
     private File getCrlCacheFilePathFor(String cacheDirName, String fileName) {
         return new File(directoryService.getCachePathFor(cacheDirName).orElseThrow(), fileName);
     }
-
-    private List<File> getCrlFiles(String cacheDirName) {
-        return Arrays.stream(Objects.requireNonNull(directoryService.getCachePathFor(cacheDirName).orElseThrow().listFiles()))
-            .filter(file -> file.isFile() && file.canRead() && file.getName().endsWith(CRL_FILE_EXTENSION))
-            .collect(Collectors.toList());
-    }
 }

src/main/java/kz/ncanode/service/OcspService.java

@@ -49,6 +49,16 @@ public class OcspService {
     public List<OcspStatus> verify(CertificateWrapper cert, CertificateWrapper issuer) {
         List<OcspStatus> statuses = new ArrayList<>();
 
+        if (issuer == null) {
+            statuses.add(OcspStatus.builder()
+                .result(OcspResult.UNKOWN)
+                .message("Cannot find root certificate in NCANode. Try add it using NCANODE_CA_URL variable.")
+                .build()
+            );
+
+            return statuses;
+        }
+
         for (Map.Entry<String, URL> entry : ocspConfiguration.getUrlList().entrySet()) {
             try {
                 byte[] nonce = generateOcspNonce();

src/main/java/kz/ncanode/wrapper/CertificateWrapper.java

@@ -193,19 +193,23 @@ public PublicKey getPublicKey() {
         return x509Certificate.getPublicKey();
     }
 
-    private Set<CertificateKeyUser> getKeyUser() {
+    public List<String> getExtendedKeyUsage() {
         try {
-            return getX509Certificate().getExtendedKeyUsage().stream()
-                .map(CertificateKeyUser::fromOID)
-                .filter(Optional::isPresent)
-                .map(Optional::get)
-                .collect(Collectors.toSet());
+            return getX509Certificate().getExtendedKeyUsage();
         } catch (CertificateParsingException e) {
             log.error("Certificate key user extracting error", e);
-            return Collections.emptySet();
+            return Collections.emptyList();
         }
     }
 
+    private Set<CertificateKeyUser> getKeyUser() {
+        return getExtendedKeyUsage().stream()
+            .map(CertificateKeyUser::fromOID)
+            .filter(Optional::isPresent)
+            .map(Optional::get)
+            .collect(Collectors.toSet());
+    }
+
     public static Optional<CertificateWrapper> fromBase64(final String encodedCert) {
         return fromBytes(Base64.getDecoder().decode(encodedCert.replaceAll("\\s", "")));
     }
@@ -259,7 +263,7 @@ private static Optional<CertificateSubject> createCertificateSubjectFromDn(Strin
                     subjectBuilder.locality((String)rdn.getValue());
                 } else if (rdn.getType().equalsIgnoreCase("S")) {
                     subjectBuilder.state((String)rdn.getValue());
-                } else if (rdn.getType().equalsIgnoreCase("E")) {
+                } else if ((rdn.getType().equalsIgnoreCase("E")) || (rdn.getType().equalsIgnoreCase("EMAILADDRESS"))) {
                     subjectBuilder.email((String)rdn.getValue());
                 } else if (rdn.getType().equalsIgnoreCase("O")) {
                     subjectBuilder.organization((String)rdn.getValue());
@@ -276,7 +280,7 @@ private static Optional<CertificateSubject> createCertificateSubjectFromDn(Strin
 
             return Optional.of(subjectBuilder.build());
         } catch (InvalidNameException e) {
-            log.warn("Distinguished name parseing error", e);
+            log.warn("Distinguished name parsing error", e);
             return Optional.empty();
         }
     }

src/main/resources/application.yml

@@ -10,9 +10,9 @@ ncanode:
   crl:
     enabled: ${NCANODE_CRL_ENABLED:true}
     ttl: ${NCANODE_CRL_TTL:1440}
-    url: ${NCANODE_CRL_URL:https://crl.pki.gov.kz/nca_gost.crl https://crl.pki.gov.kz/nca_rsa.crl}
+    url: ${NCANODE_CRL_URL:https://crl.pki.gov.kz/nca_gost.crl https://crl.pki.gov.kz/nca_rsa.crl https://crl.pki.gov.kz/nca_rsa_2022.crl https://crl.pki.gov.kz/nca_gost_2022.crl}
     delta:
-      url: ${NCANODE_CRL_DELTA_URL:https://crl.pki.gov.kz/nca_d_gost.crl https://crl.pki.gov.kz/nca_d_rsa.crl}
+      url: ${NCANODE_CRL_DELTA_URL:https://crl.pki.gov.kz/nca_d_gost.crl https://crl.pki.gov.kz/nca_d_rsa.crl https://crl.pki.gov.kz/nca_d_rsa_2022.crl https://crl.pki.gov.kz/nca_d_gost_2022.crl}
       ttl: ${NCANODE_CRL_DELTA_TTL:60}
   http-client:
     connectionTtl: ${NCANODE_HTTP_CLIENT_CONNECTION_TTL:10}