Merge develop into develop-8.x

.ort.yml

@@ -181,6 +181,12 @@ resolutions:
     - message: "property:advertising-clause license LicenseRef-scancode-rsa-md4 in Gradle:ee.ria.xroad:src:1.0."
       reason: "LICENSE_ACQUIRED_EXCEPTION"
       comment: "The LicenseRef-scancode-rsa-md4 in src/libs/iaikPkcs11Wrapper.AUTHORS is taken into account, and therefore the license conditions are satisfied."
+    - message: "property:advertising-clause license LicenseRef-scancode-rsa-md4 in Gradle:org.niis.xroad:x-road-core:1.0."
+      reason: "LICENSE_ACQUIRED_EXCEPTION"
+      comment: "The LicenseRef-scancode-rsa-md4 in src/libs/iaikPkcs11Wrapper.AUTHORS is taken into account, and therefore the license conditions are satisfied."
+    - message: "property:advertising-clause license LicenseRef-scancode-rsa-md4 in Unmanaged::X-Road:.*"
+      reason: "LICENSE_ACQUIRED_EXCEPTION"
+      comment: "The LicenseRef-scancode-rsa-md4 in src/libs/iaikPkcs11Wrapper.AUTHORS is taken into account, and therefore the license conditions are satisfied."
     - message: "commercial license LicenseRef-scancode-proprietary-license in Maven:org.apache.commons:commons-compress:1.26.*"
       reason: "LICENSE_ACQUIRED_EXCEPTION"
       comment: "This PKWare technology is not in use, therefore license is sufficient."
@@ -196,6 +202,9 @@ resolutions:
     - message: "proprietary-free license LicenseRef-verbatim-no-modifications in Maven:org.hsqldb:hsqldb:2.7.*"
       reason: "NOT_MODIFIED_EXCEPTION"
       comment: "The license represented by LicenseRef-verbatim-no-modifications allows redistributing without modifications. As long as the files licensed with the said license are redistributed without modifications, the condition is satisfied."
+    - message: "copyleft-strong license CC-BY-SA-3.0 in Unmanaged::X-Road:.*"
+      reason: "LICENSE_ACQUIRED_EXCEPTION"
+      comment: "The files meant by this license hit are not distributed with X-Road."
 
 license_choices:
   repository_license_choices:

Docker/securityserver/Dockerfile

@@ -90,16 +90,14 @@ RUN useradd xrd-sec && adduser xrd-sec xroad-security-officer && sh -c "echo 'xr
     && adduser xroad softhsm
 
 COPY --chown=xroad:xroad files/etc /etc/
+COPY --chown=xroad:xroad files/usr/share/xroad/autologin/custom-fetch-pin.sh /usr/share/xroad/autologin/custom-fetch-pin.sh
 COPY --chown=xroad:xroad build/libs /usr/share/xroad/jlib/
 
 COPY files/ss-entrypoint.sh /root/entrypoint.sh
 COPY --chown=xroad:xroad files/override-docker.ini /etc/xroad/conf.d/
 COPY --chown=root:root files/ss-xroad.conf /etc/supervisor/conf.d/xroad.conf
-COPY --chown=root:root files/ss-hwtoken-xroad.conf /etc/supervisor/conf.d/hwtoken-xroad.conf
-COPY --chown=root:root files/ss-hwtoken-login-inactive-token.sh /usr/share/xroad/autologin/login-inactive-token.sh
-RUN chmod 755 /usr/share/xroad/autologin/login-inactive-token.sh
 
 CMD ["/root/entrypoint.sh"]
 
 VOLUME ["/etc/xroad", "/var/lib/xroad", "/var/lib/postgresql/16/main/", "/var/lib/softhsm/tokens"]
-EXPOSE 8080 8443 4000 5432 5500 5577 5558 80
+EXPOSE 8080 8443 4000 5432 5500 5577 5558 80

Docker/securityserver/README.md

@@ -21,13 +21,21 @@ Alternatively, it's possible to use the image (`niis/xroad-security-server`) ava
 ## Running
 
 Publish the container ports (`8080` and/or `8443`, `4000`, and optionally `5500` and `5577`) to localhost (loopback address).
-Also, it's possible to pass the token pin code for autologin using the `XROAD_TOKEN_PIN` environment variable.
+Also, it's possible to pass the token pin code for autologin using environment variables. Use `XROAD_TOKEN_PIN` for token 0, or `XROAD_TOKEN_<id>_PIN` for specific token IDs.
 
 Running a locally built image:
 ```shell
 docker run -p 127.0.0.1:4000:4000 -p 127.0.0.1:8080:8080 --name my-ss -e XROAD_TOKEN_PIN=1234 xroad-security-server
 ```
 
+For multiple tokens:
+```shell
+docker run -p 127.0.0.1:4000:4000 -p 127.0.0.1:8080:8080 --name my-ss \
+  -e XROAD_TOKEN_0_PIN=1234 \
+  -e XROAD_TOKEN_1_PIN=5678 \
+  xroad-security-server
+```
+
 Running an image available on [Docker Hub](https://hub.docker.com/r/niis/xroad-security-server):
 ```shell
 docker run -p 127.0.0.1:4000:4000 -p 127.0.0.1:8080:8080 --name my-ss -e XROAD_TOKEN_PIN=1234 niis/xroad-security-server:focal-7.1.0
@@ -97,3 +105,10 @@ One can create the autologin file by hand after initializing the Security Server
 docker exec my-ss su -c 'echo 1234 >/etc/xroad/autologin' xroad
 docker exec my-ss supervisorctl start xroad-autologin
 ```
+
+For multiple tokens, use one line per token in the format `token-id:token-pin`:
+
+```shell
+docker exec my-ss su -c 'echo -e "0:1234\n1:5678" >/etc/xroad/autologin' xroad
+docker exec my-ss supervisorctl start xroad-autologin
+```

Docker/securityserver/files/ss-entrypoint.sh

@@ -29,13 +29,6 @@ else
     echo "WARN: Installed version ($INSTALLED_VERSION) does not match packaged version ($PACKAGED_VERSION)" >&2
 fi
 
-if [  -n "$XROAD_TOKEN_PIN" ]
-then
-    echo "XROAD_TOKEN_PIN variable set, writing to /etc/xroad/autologin"
-    echo "$XROAD_TOKEN_PIN" > /etc/xroad/autologin
-    unset XROAD_TOKEN_PIN
-fi
-
 log "Enabling public postgres access.."
 sed -i 's/#listen_addresses = \x27localhost\x27/listen_addresses = \x27*\x27/g' /etc/postgresql/*/main/postgresql.conf
 sed -ri 's/host    replication     all             127.0.0.1\/32/host    all             all             0.0.0.0\/0/g' /etc/postgresql/*/main/pg_hba.conf

Docker/securityserver/files/usr/share/xroad/autologin/custom-fetch-pin.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+file="/etc/xroad/autologin"
+
+declare -a token_ids
+declare -a token_pins
+count=0
+
+for var in $(compgen -e | grep '^XROAD_TOKEN_.\+_PIN$' | sort -V); do
+    token_id="${var#XROAD_TOKEN_}"
+    token_id="${token_id%_PIN}"
+    pin_value="${!var}"
+
+    if [ -n "$pin_value" ]; then
+        token_ids+=("$token_id")
+        token_pins+=("$pin_value")
+        ((count++))
+    fi
+done
+
+if [ -n "$XROAD_TOKEN_PIN" ]; then
+    echo "${XROAD_TOKEN_PIN}"
+    exit 0
+elif [ "$count" -eq 1 ] && [ "${token_ids[0]}" = "0" ]; then
+    echo "${token_pins[0]}"
+    exit 0
+elif [ "$count" -eq 1 ] && [ "${token_ids[0]}" != "0" ]; then
+    >&2 echo "ERROR: Found XROAD_TOKEN_${token_ids[0]}_PIN but no other token PINs. Multiple token PINs are expected when using numbered tokens (other than 0)."
+    exit 127
+elif [ "$count" -gt 1 ]; then
+    for i in "${!token_ids[@]}"; do
+        echo "${token_ids[$i]}:${token_pins[$i]}"
+    done
+    exit 0
+elif [ -f "$file" ]
+then
+    >&2 echo "XROAD_TOKEN_PIN variable is not set, returning PIN code at $file"
+    cat $file
+    exit 0
+else
+    >&2 echo "PIN code not available at $file"
+    exit 127
+fi

Docker/xrd-dev-stack/compose.dev.yaml

@@ -36,7 +36,8 @@ services:
   ss1:
     container_name: ss1
     environment:
-      - XROAD_TOKEN_PIN=Secret1234
+      - XROAD_TOKEN_0_PIN=Secret1234
+      - XROAD_TOKEN_31_PIN=Secret1234
     ports:
       - "4300:4000" # Frontend
       - "4310:8080" # Proxy
@@ -91,4 +92,4 @@ networks:
   # Use implicitly named network so that is easier to add container outside the compose
   xroad-network:
     name: xroad-network
-    driver: bridge
+    driver: bridge

Docker/xrd-dev-stack/compose.e2e.yaml

@@ -1,9 +1,15 @@
 # E2E specific hurl execution on boot.
 services:
+  ss0:
+    environment:
+      - XROAD_TOKEN_PIN=Secret1234
   ss1:
     entrypoint: [ "/usr/local/bin/init-token-and-run-entrypoint.sh" ]
     volumes:
       - ./ss1/init-token-and-run-entrypoint.sh:/usr/local/bin/init-token-and-run-entrypoint.sh:ro
+    environment:
+      - XROAD_TOKEN_0_PIN=Secret1234
+      - XROAD_TOKEN_31_PIN=Secret1234
 
   hurl:
     command: >

Docker/xrd-dev-stack/ss1/init-token-and-run-entrypoint.sh

@@ -13,10 +13,11 @@ if ! grep -q "\[softhsm2\]" /etc/xroad/devices.ini 2>/dev/null; then
   printf "\n[softhsm2]\n\
     library = /usr/lib/softhsm/libsofthsm2.so\n\
     slot_ids = %s\n\
+    token_id_format = 1\n\
     os_locking_ok = true\n\
     library_cant_create_os_threads = true\n" "$slot_id" >> /etc/xroad/devices.ini
 fi
 
 chown -R xroad /var/lib/softhsm/tokens
 
-exec /root/entrypoint.sh
+exec /root/entrypoint.sh

ansible/roles/xroad-ca/files/home/ca/CA/sign_req.sh

@@ -32,7 +32,36 @@ trap 'status=$?; rm -rf "lock"; exit $status' INT TERM EXIT
 set -e
 SER=$(cat serial)
 openssl req -in $2 -inform $INFORM -out csr/${SER}.csr
-openssl ca -batch -config CA.cnf -extensions $EXT -days 7300 -notext -md sha256 -in csr/${SER}.csr
+
+function opensslCA() {
+  openssl ca -batch -config CA.cnf \
+             -extensions $EXT \
+             -days 7300 \
+             -notext \
+             -md sha256 \
+             -in csr/${SER}.csr \
+             "$@"
+}
+
+if [ "$1" == "auth" ]; then
+  subjectAltName=$(openssl req -in csr/${SER}.csr -text -noout | grep -A1 "Subject Alternative Name" | tail -n1 | sed 's/^[ \t]*//')
+  if [ ! -z "$subjectAltName" ]; then
+    extensionsOverride="
+[ auth_ext ]
+basicConstraints = CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
+extendedKeyUsage = clientAuth, serverAuth
+subjectAltName = ${subjectAltName}
+"
+  fi
+fi
+
+if [ ! -z "${extensionsOverride}" ]; then
+  opensslCA -extfile <(echo "$extensionsOverride")
+else
+  opensslCA
+fi
+
 chmod 0664 index.txt
 chmod 0664 serial
 echo $SER>changed

development/hurl/scenarios/setup.hurl

@@ -235,16 +235,6 @@ Content-Type: application/json
 
 HTTP 201
 
-# Log in to the Security Servers token
-PUT https://{{ss0_host}}:4000/api/v1/tokens/0/login
-X-XSRF-TOKEN: {{ss0_xsrf_token}}
-Content-Type: application/json
-{
-  "password": "Secret1234"
-}
-
-HTTP *
-
 # Get the CA name
 GET https://{{ss0_host}}:4000/api/v1/certificate-authorities
 X-XSRF-TOKEN: {{ss0_xsrf_token}}
@@ -597,16 +587,6 @@ Content-Type: application/json
 
 HTTP 201
 
-# Log in to the Security Servers token
-PUT https://{{ss1_host}}:4000/api/v1/tokens/0/login
-X-XSRF-TOKEN: {{ss1_xsrf_token}}
-Content-Type: application/json
-{
-  "password": "Secret1234"
-}
-
-HTTP *
-
 # Add auth key to the Security Server token
 POST https://{{ss1_host}}:4000/api/v1/tokens/0/keys-with-csrs
 X-XSRF-TOKEN: {{ss1_xsrf_token}}
@@ -685,16 +665,6 @@ HTTP 200
 [Captures]
 ss1_token_id: jsonpath "$[?(@.type == 'HARDWARE')].id" nth 0
 
-# Log in to the Security Servers token
-PUT https://{{ss1_host}}:4000/api/v1/tokens/{{ss1_token_id}}/login
-X-XSRF-TOKEN: {{ss1_xsrf_token}}
-Content-Type: application/json
-{
-  "password": "Secret1234"
-}
-
-HTTP *
-
 # Add sign key to the Security Server token
 POST https://{{ss1_host}}:4000/api/v1/tokens/{{ss1_token_id}}/keys-with-csrs
 X-XSRF-TOKEN: {{ss1_xsrf_token}}

doc/Manuals/Utils/ug-autologin_x-road_v6_autologin_user_guide.md

@@ -1,6 +1,6 @@
 # X-Road: Autologin User Guide
 
-Version: 1.4
+Version: 1.5
 Doc. ID: UG-AUTOLOGIN
 
 
@@ -11,6 +11,7 @@ Doc. ID: UG-AUTOLOGIN
 | 15.11.2018 | 1.2     | Ubuntu 18.04 updates                                                                              |
 | 11.09.2019 | 1.3     | Remove Ubuntu 14.04 support                                                                       |
 | 26.09.2022 | 1.4     | Remove Ubuntu 18.04 support                                                                       |
+| 14.10.2025 | 1.5     | Add multiple token support documentation                                                          |
 
 ## Table of Contents
 
@@ -44,23 +45,42 @@ See X-Road terms and abbreviations documentation \[[TA-TERMS](#Ref_TERMS)\].
   * Ubuntu: apt install xroad-autologin
   * RedHat: yum install xroad-autologin
 
-2. If storing the PIN code on the server in plaintext is acceptable, create file `/etc/xroad/autologin` that contains the PIN code. 
+2. If storing the PIN code on the server in plaintext is acceptable, create file `/etc/xroad/autologin` that contains the PIN code(s).
   * File should be readable by user `xroad`
   * If `/etc/xroad/autologin` does not exists, and you have not implemented `custom-fetch-pin.sh`, the service will not start
-3. If you do not want to store PIN code in plaintext, implement bash script 
+  * For a single token (token ID 0), the file should contain just the PIN code:
+    ```
+    1234
+    ```
+  * For multiple tokens, each line should be in the format `token-id:token-pin`:
+    ```
+    0:1234
+    1:5678
+    ```
+3. If you do not want to store PIN code in plaintext, implement bash script
 `/usr/share/xroad/autologin/custom-fetch-pin.sh`
-  * The script needs to output the PIN code to stdout
+  * The script needs to output the PIN code(s) to stdout
   * Script should be readable and executable by user `xroad`
   * Script should exit with exit code
     * 0 if it was able to fetch PIN code successfully
     * 127 if it was not able to fetch PIN code, but this is not an actual error that should cause the service to fail (default implementation uses this if `/etc/xroad/autologin` does not exist)
     * other exit codes in error situations that should cause the service to fail
+  * Single token example:
   ```bash
   #!/bin/bash
-  PIN_CODE=$(curl https://some-address)
+  PIN_CODE=$(curl https://some-address/token-pin)
   echo "${PIN_CODE}"
   exit 0
   ```
+  * Multiple tokens example (output one `token-id:token-pin` per line):
+  ```bash
+  #!/bin/bash
+  TOKEN_0_PIN=$(curl https://some-address/token-0-pin)
+  TOKEN_1_PIN=$(curl https://some-address/token-1-pin)
+  echo "0:${TOKEN_0_PIN}"
+  echo "1:${TOKEN_1_PIN}"
+  exit 0
+  ```
 
 ### 2.2 Implementation details
 
@@ -70,4 +90,4 @@ See X-Road terms and abbreviations documentation \[[TA-TERMS](#Ref_TERMS)\].
   * Wrapper script handles retries in error situations.
 * Service tries to enter the PIN code using script `signer-console`
   * If the PIN was correct or incorrect, it exits
-  * If an error occurred (for example because `xroad-signer` has not yet fully started), it keeps retrying indefinitely
+  * If an error occurred (for example because `xroad-signer` has not yet fully started or been initialised), it keeps retrying indefinitely