Merge branch 'RM-3878_pkcs11-location' into 'master'

Rm-3878: pkcs11 location

See merge request cdoc2/cdoc2-java-ref-impl!64

README.md

@@ -197,6 +197,13 @@ Note: When pulling, the [GitHub package index is based on the organization level
 So defining any Maven package repo from `open-eid` is enough for pulling cdoc2-* dependencies.
 All packages published under `open-eid` can be found https://github.com/orgs/open-eid/packages
 
+Test that you have configured your Maven `settings.xml` for `github` correctly 
+(run from `cdoc2-java-ref-impl` root):
+
+```
+./mvnw dependency::get -Dartifact=ee.cyber.cdoc2:cdoc2-lib:2.0.0
+```
+
 ## Building
 [![Java CI with Maven](https://github.com/open-eid/cdoc2-java-ref-impl/actions/workflows/maven.yml/badge.svg)](https://github.com/open-eid/cdoc2-java-ref-impl/actions/workflows/maven.yml)
 

cdoc2-cli/config/localhost/README.md

@@ -0,0 +1,39 @@
+For testing server scenarios with cdoc2 capsule servers running on localhost.
+
+TLS (POST)
+https://localhost:8443
+
+mTLS (GET)
+https://localhost:8444
+
+## Running server
+
+Prerequisites: [docker compose](https://docs.docker.com/compose/install/) is installed  
+```
+cd cdoc2-java-ref-impl/test/config/server
+docker compose up
+```
+
+## Id-card
+
+Requirements:
+* [id-card (pkcs11) drivers](https://www.id.ee/) are installed
+
+Run from cdoc2-cli directory
+
+### Encrypt for id-card
+```
+java -jar target/cdoc2-cli-*.jar create --server=config/localhost/localhost.properties -f /tmp/localhost.cdoc -r 38001085718 README.md
+```
+Replace `3800108571` with your id code
+
+### Decrypting with id-card
+```
+java -jar target/cdoc2-cli-*.jar decrypt --server=config/localhost/localhost.properties -f /tmp/localhost.cdoc -o /tmp
+```
+
+If Pkcs11 driver is not found from default location, then alternative location can be provided with 
+`-Dpkcs11-library=<path>` option, for example
+```
+java -jar target/cdoc2-cli-*.jar decrypt -Dpkcs11-library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+```

cdoc2-cli/config/localhost/localhost.properties

@@ -9,6 +9,8 @@ cdoc2.client.server.base-url.post=https://localhost:8443
 # Querying capsules requires mTLS
 cdoc2.client.server.base-url.get=https://localhost:8444
 cdoc2.client.server.debug=true
+cdoc2.client.server.connect-timeout=2000
+cdoc2.client.server.read-timeout=5000
 
 # trusted certificates by client
 cdoc2.client.ssl.trust-store.type=JKS
@@ -26,5 +28,6 @@ cdoc2.client.ssl.client-store-password.prompt=PIN1
 # otherwise use password value
 #cdoc2.client.ssl.client-store-password=3471
 
-#PKCS11 library location, if not found in default location
-#pkcs11-library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+# if pkcs11 library is not found from default location, use
+# -Dpkcs11-library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+# cli option to specify pkcs11-library location

cdoc2-cli/config/ria-dev/ria-dev.properties

@@ -16,5 +16,6 @@ cdoc2.client.ssl.client-store-password.prompt=PIN1
 # otherwise use password value
 #cdoc2.client.ssl.client-store-password=3471
 
-# PKCS11 library location, if not found in default location
-#pkcs11-library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+# if pkcs11 library is not found from default location, use
+# -Dpkcs11-library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+# cli option to specify pkcs11-library location

cdoc2-cli/config/ria-test/ria-test.properties

@@ -16,5 +16,6 @@ cdoc2.client.ssl.client-store-password.prompt=PIN1
 # otherwise use password value
 #cdoc2.client.ssl.client-store-password=3471
 
-# PKCS11 library location, if not found in default location
-#pkcs11-library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+# if pkcs11 library is not found from default location, use
+# -Dpkcs11-library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+# cli option to specify pkcs11-library location

cdoc2-cli/pom.xml

@@ -87,20 +87,6 @@
                 </executions>
             </plugin>
 
-                    <!--plugin>
-                        <groupId>org.jacoco</groupId>
-                        <artifactId>jacoco-maven-plugin</artifactId>
-                        <executions>
-                            <execution>
-                                <id>report</id>
-                                <goals>
-                                    <goal>report-aggregate</goal>
-                                </goals>
-                                <phase>verify</phase>
-                            </execution>
-                        </executions>
-                    </plugin-->
-
         </plugins>
     </build>
 

cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/commands/CDocListCmd.java

@@ -3,17 +3,14 @@
 import ee.cyber.cdoc2.cli.DecryptionKeyExclusiveArgument;
 import ee.cyber.cdoc2.CDocDecrypter;
 import ee.cyber.cdoc2.client.KeyCapsuleClientFactory;
-import ee.cyber.cdoc2.client.KeyCapsuleClientImpl;
 import ee.cyber.cdoc2.crypto.keymaterial.DecryptionKeyMaterial;
-import ee.cyber.cdoc2.util.Resources;
 import java.io.File;
 import java.nio.file.InvalidPathException;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
 import java.time.format.DateTimeFormatter;
 import java.util.List;
 import java.util.Map;
-import java.util.Properties;
 import java.util.concurrent.Callable;
 import org.apache.commons.compress.archivers.ArchiveEntry;
 
@@ -22,6 +19,7 @@
 import picocli.CommandLine.Option;
 
 import static ee.cyber.cdoc2.cli.util.CDocDecryptionHelper.getDecryptionKeyMaterial;
+import static ee.cyber.cdoc2.cli.util.CDocDecryptionHelper.getKeyCapsulesClientFactory;
 import static ee.cyber.cdoc2.cli.util.CDocDecryptionHelper.getSmartCardDecryptionKeyMaterial;
 
 
@@ -66,29 +64,24 @@ public Void call() throws Exception {
             throw new InvalidPathException(this.cdocFile.getAbsolutePath(), "Input CDOC file does not exist");
         }
 
-        Properties p;
-
-        KeyCapsuleClientFactory keyCapsulesClient = null;
-
+        KeyCapsuleClientFactory keyCapsulesClientFactory = null;
         if (keyServerPropertiesFile != null) {
-            p = new Properties();
-            p.load(Resources.getResourceAsStream(keyServerPropertiesFile));
-            keyCapsulesClient = KeyCapsuleClientImpl.createFactory(p);
+            keyCapsulesClientFactory = getKeyCapsulesClientFactory(this.keyServerPropertiesFile);
         }
 
         DecryptionKeyMaterial decryptionKeyMaterial = (null == this.exclusive)
             ? getSmartCardDecryptionKeyMaterial(this.slot, this.keyAlias)
             : getDecryptionKeyMaterial(
-            this.cdocFile,
-            this.exclusive.getLabeledPasswordParam(),
-            this.exclusive.getSecret(),
-            this.exclusive.getP12(),
-            this.exclusive.getPrivKeyFile()
-        );
+                this.cdocFile,
+                this.exclusive.getLabeledPasswordParam(),
+                this.exclusive.getSecret(),
+                this.exclusive.getP12(),
+                this.exclusive.getPrivKeyFile()
+                );
 
         CDocDecrypter cDocDecrypter = new CDocDecrypter()
                 .withCDoc(cdocFile)
-                .withKeyServers(keyCapsulesClient)
+                .withKeyServers(keyCapsulesClientFactory)
                 .withRecipient(decryptionKeyMaterial);
 
         System.out.println("Listing contents of " + cdocFile);

cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/util/CDocCommonHelper.java

@@ -18,5 +18,4 @@ public static Properties getServerProperties(String keyServerPropertiesFile) thr
         p.load(Resources.getResourceAsStream(keyServerPropertiesFile));
         return p;
     }
-
 }

cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/util/CDocDecryptionHelper.java

@@ -41,7 +41,9 @@ private CDocDecryptionHelper() { }
 
     /**
      * Loads DecryptionKeyMaterial from CLI options. If decryption material is not given by user, then
-     * tries to load decryption key material from smart-card. Asks PIN interactively when using smart-card
+     * tries to load decryption key material from smart-card. Asks PIN interactively when using smart-card.
+     * Reads pkcs11 library location from `pkcs11-library` Java system property if set. Otherwise, uses system default
+     * location.
      * @param slot smart-card slot number when overwriting default
      * @param keyAlias key alias
      * @return loaded DecryptionKeyMaterial

cdoc2-lib/README.md

@@ -215,7 +215,7 @@ directory and `.withServerProperties` method:
 the shortest name (without `_pkcs12` or `_p12` in name).
 
 Uploading key material to server allows to invalidate CDOC2 documents that are may be affected from
-future Security vulnerability like [ROCA vulnerability](https://en.wikipedia.org/wiki/ROCA_vulnerability)
+future security vulnerability like [ROCA vulnerability](https://en.wikipedia.org/wiki/ROCA_vulnerability)
 
 In non-server scenarios sender public key material is included in CDOC2 itself. For server scenarios
 sender public key material is uploaded to server and recipient needs first to download the
@@ -258,6 +258,11 @@ that takes `KeyCapsuleClientFactory` as parameter:
         .decrypt();
 ```
 
+**Note**: `pkcs11-library` location can also be specified as Java system property 
+(`-Dpkcs11-library=<path>` or `System.setProperty("pkcs11-library", "<path>")`), 
+when not specified explicitly as method parameter. If `pkcs11-library` system property is not set,
+then pkcs11 library is looked for from [default locations](https://github.com/open-eid/cdoc2-java-ref-impl/blob/ae1351db7e13c3ede58a48757ae53c2c80166a70/cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/Pkcs11Tools.java#L404)
+
 ### Latest server configuration
 
 Latest server configuration is available through https://id.eesti.ee/config.json

cdoc2-lib/src/main/java/ee/cyber/cdoc2/client/KeyCapsuleClientImpl.java

@@ -147,8 +147,7 @@ private static KeyStore.ProtectionParameter loadClientKeyStoreProtectionParamete
      *      if a password is required but not given,
      *      or if the given password was incorrect. If the error is due to a wrong password,
      *      the cause of the IOException should be an UnrecoverableKeyException
-     * @KeyStoreException
-     * @IOException
+     * @throws KeyStoreException
      */
     @Nullable
     private static KeyStore loadClientKeyStore(Properties p) throws KeyStoreException, IOException,
@@ -185,7 +184,7 @@ private static KeyStore loadClientKeyStore(Properties p) throws KeyStoreExceptio
 
     /**
      * If "pkcs11-library" property is set in properties or System properties, return value specified.
-     * If both specify a balue then use one from System properties.
+     * If both specify a value then use one from System properties.
      * @param p properties provided
      * @return "pkcs11-library" value specified in properties or null if not property not present
      */
@@ -207,9 +206,8 @@ private static String loadPkcs11LibPath(Properties p) {
      *      if a password is required but not given,
      *      or if the given password was incorrect. If the error is due to a wrong password,
      *      the cause of the IOException should be an UnrecoverableKeyException
-     * @IOException
-     * @KeyStoreException
-     * @CertificateException – if any of the certificates in the keystore could not be loaded
+     * @throws KeyStoreException
+     * @throws CertificateException – if any of the certificates in the keystore could not be loaded
      */
     private static KeyStore loadTrustKeyStore(Properties p) throws KeyStoreException, IOException,
             CertificateException, NoSuchAlgorithmException {

cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/Pkcs11Tools.java

@@ -36,7 +36,9 @@
 /**
  * Utility class for PKCS11 operations.
  * <p>
- * Common pkcs11 provider library locations:
+ * If pkcs11 provider library is not explicitly provided as method parameter, then pkcs11 lib location
+ * is read from `pkcs11-library` system property. If `pkcs11-library` system property is not defined, then
+ * following default pkcs11 provider library locations are used:
  * <ul>
  *   <li>For Windows, it could be C:\Windows\SysWOW64\opensc-pkcs11.dll,
  *   <li>For Linux, it could be /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so,