diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index 2c32c87b..da528f97 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml @@ -20,7 +20,7 @@ on: - develop - MOSIP* - release* - - INJICERT-13 + - INJICERT-* jobs: build-maven-inji-certify: diff --git a/certify-core/pom.xml b/certify-core/pom.xml index 13985e62..b710bfd2 100644 --- a/certify-core/pom.xml +++ b/certify-core/pom.xml @@ -30,10 +30,28 @@ commons-validator ${commons.validator.version} + + com.google.guava + guava + ${google.guava.version} + io.mosip.certify certify-integration-api ${project.version} + + com.h2database + h2 + test + + + org.springframework.boot + spring-boot-starter-data-redis + + + org.springframework.boot + spring-boot-starter-cache + \ No newline at end of file diff --git a/certify-core/src/main/java/io/mosip/certify/core/config/RedisCacheConfig.java b/certify-core/src/main/java/io/mosip/certify/core/config/RedisCacheConfig.java new file mode 100644 index 00000000..cc5cae29 --- /dev/null +++ b/certify-core/src/main/java/io/mosip/certify/core/config/RedisCacheConfig.java 
@@ -0,0 +1,40 @@ +/* + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ +package io.mosip.certify.core.config; + +import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.autoconfigure.cache.RedisCacheManagerBuilderCustomizer; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.data.redis.cache.RedisCacheConfiguration; + +import java.time.Duration; +import java.util.HashMap; +import java.util.Map; + + +@ConditionalOnProperty(value = "spring.cache.type", havingValue = "redis") +@Configuration +public class RedisCacheConfig { + + @Value("#{${mosip.certify.cache.expire-in-seconds}}") + private Map cacheNamesWithTTLMap; + + @Bean + public RedisCacheManagerBuilderCustomizer redisCacheManagerBuilderCustomizer() { + return (builder) -> { + Map configurationMap = new HashMap<>(); + cacheNamesWithTTLMap.forEach((cacheName, ttl) -> { + configurationMap.put(cacheName, RedisCacheConfiguration + .defaultCacheConfig() + .disableCachingNullValues() + .entryTtl(Duration.ofSeconds(ttl))); + }); + builder.withInitialCacheConfigurations(configurationMap); + }; + } +} diff --git a/certify-core/src/main/java/io/mosip/certify/core/config/SimpleCacheConfig.java b/certify-core/src/main/java/io/mosip/certify/core/config/SimpleCacheConfig.java new file mode 100644 index 00000000..f31c5145 --- /dev/null +++ b/certify-core/src/main/java/io/mosip/certify/core/config/SimpleCacheConfig.java 
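Review bot: `Duration.ofSeconds(ttl)` in redisCacheManagerBuilderCustomizer passes the configured value straight to `entryTtl`, and Spring Data Redis treats `Duration.ZERO` as "no expiry", so a cache configured with 0 silently keeps user-info and issuance entries forever; a guard such as `if (ttl <= 0) throw new IllegalArgumentException("TTL for cache " + cacheName + " must be positive");` before the put would surface the misconfiguration at startup. The generic type arguments of the two `Map` declarations are not visible in this rendering; assuming `Map<String, Integer>`, the `forEach` is fine. A class-level Javadoc stating that this configuration is active only with `spring.cache.type=redis` and that it mirrors the per-cache TTLs of SimpleCacheConfig would help readers choosing between the two.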
@@ -0,0 +1,58 @@ +/* + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ +package io.mosip.certify.core.config; + +import com.google.common.cache.CacheBuilder; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.cache.Cache; +import org.springframework.cache.CacheManager; +import org.springframework.cache.annotation.CachingConfigurerSupport; +import org.springframework.cache.concurrent.ConcurrentMapCache; +import org.springframework.cache.support.SimpleCacheManager; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.concurrent.TimeUnit; + +@ConditionalOnProperty(value = "spring.cache.type", havingValue = "simple") +@Configuration +public class SimpleCacheConfig extends CachingConfigurerSupport { + + @Value("${mosip.certify.cache.names}") + private List cacheNames; + + @Value("#{${mosip.certify.cache.size}}") + private Map cacheMaxSize; + + @Value("#{${mosip.certify.cache.expire-in-seconds}}") + private Map cacheExpireInSeconds; + + + @Bean + @Override + public CacheManager cacheManager() { + SimpleCacheManager cacheManager = new SimpleCacheManager(); + List caches = new ArrayList<>(); + for(String name : cacheNames) { + caches.add(buildMapCache(name)); + } + cacheManager.setCaches(caches); + return cacheManager; + } + + private ConcurrentMapCache buildMapCache(String name) { + return new ConcurrentMapCache(name, + CacheBuilder.newBuilder() + .expireAfterWrite(cacheExpireInSeconds.getOrDefault(name, 60), TimeUnit.SECONDS) + .maximumSize(cacheMaxSize.getOrDefault(name, 100)) + .build() + .asMap(), true); + } +} 
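Review bot: `new ConcurrentMapCache(name, …, true)` in buildMapCache allows null values, while RedisCacheConfig in the same package calls `disableCachingNullValues()`, so a lookup that returns null is cached under `spring.cache.type=simple` but not under `redis`; passing `false` here keeps both backends consistent, or a comment should state why the simple cache must store nulls. The fallbacks `60` seconds and `100` entries in the two `getOrDefault` calls are silent; naming them as constants (`DEFAULT_EXPIRE_SECONDS`, `DEFAULT_MAX_SIZE`) and logging when they apply would make a mistyped cache name in the property visible. Generic type arguments on the `List`/`Map` fields are not visible in this rendering, so raw-type use cannot be judged from here.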
diff --git a/certify-core/src/main/java/io/mosip/certify/core/constants/Constants.java b/certify-core/src/main/java/io/mosip/certify/core/constants/Constants.java index 9508918c..509f4ac4 100644 --- a/certify-core/src/main/java/io/mosip/certify/core/constants/Constants.java +++ b/certify-core/src/main/java/io/mosip/certify/core/constants/Constants.java @@ -13,4 +13,7 @@ public class Constants { public static final String C_NONCE = "c_nonce"; public static final String C_NONCE_EXPIRES_IN = "c_nonce_expires_in"; public static final String CLIENT_ID = "client_id"; + public static final String CERTIFY_PARTNER_APP_ID = "CERTIFY_PARTNER"; + public static final String CERTIFY_SERVICE_APP_ID = "CERTIFY_SERVICE"; + public static final String ROOT_KEY = "ROOT"; } diff --git a/certify-core/src/main/java/io/mosip/certify/core/util/AuditHelper.java b/certify-core/src/main/java/io/mosip/certify/core/util/AuditHelper.java index 97b25160..9e05dee8 100644 --- a/certify-core/src/main/java/io/mosip/certify/core/util/AuditHelper.java +++ b/certify-core/src/main/java/io/mosip/certify/core/util/AuditHelper.java @@ -9,6 +9,14 @@ public class AuditHelper { + public static AuditDTO buildAuditDto(String clientId) { + AuditDTO auditDTO = new AuditDTO(); + auditDTO.setClientId(clientId); + auditDTO.setTransactionId(clientId); + auditDTO.setIdType("ClientId"); + return auditDTO; + } + public static AuditDTO buildAuditDto(String transactionId, String idType) { AuditDTO auditDTO = new AuditDTO(); auditDTO.setTransactionId(transactionId); diff --git a/certify-integration-api/src/main/java/io/mosip/certify/api/dto/AuditDTO.java b/certify-integration-api/src/main/java/io/mosip/certify/api/dto/AuditDTO.java index a1209835..57775521 100644 --- a/certify-integration-api/src/main/java/io/mosip/certify/api/dto/AuditDTO.java +++ b/certify-integration-api/src/main/java/io/mosip/certify/api/dto/AuditDTO.java @@ -13,5 +13,6 @@ public class AuditDTO { String transactionId; + String clientId; String idType; } 
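Review bot: In the AuditHelper hunk, the new one-argument `buildAuditDto(String clientId)` uses the client id as the transaction id as well (`auditDTO.setTransactionId(clientId)`), so audit records produced through it cannot be correlated to a specific request, unlike the two-argument overload below it. If that is intentional for client-scoped events, say so in a Javadoc line such as `/** Builds an audit entry for client-level events; the client id doubles as the transaction id because no request transaction exists yet. */`; otherwise accept a transaction id as a second parameter. The `"ClientId"` literal is the same kind of value the two-argument overload receives as `idType`; a constant next to the others in Constants would keep both paths consistent. The enclosing class continues outside the hunk.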
diff --git a/certify-service/Dockerfile b/certify-service/Dockerfile index 736e43eb..f5bfec45 100644 --- a/certify-service/Dockerfile +++ b/certify-service/Dockerfile @@ -1,4 +1,4 @@ -FROM eclipse-temurin:21-jre-alpine +FROM eclipse-temurin:21-jre ARG SOURCE ARG COMMIT_HASH @@ -24,6 +24,12 @@ ARG is_glowroot # can be passed during Docker build as build time environment for artifactory URL ARG artifactory_url +# can be passed during Docker build as build time environment for hsm client zip file path +ARG hsm_client_zip_path + +# environment variable to pass hsm client zip file path, at docker runtime +ENV hsm_zip_file_path=${hsm_client_zip_path} + # environment variable to pass active profile such as DEV, QA etc at docker runtime ENV active_profile_env=${active_profile} @@ -42,6 +48,9 @@ ENV artifactory_url_env=${artifactory_url} # environment variable for certify artifactory plugins to pass at docker run time ENV enable_certify_artifactory="true" +# environment variable for downloading hsm client in certify, to pass at docker run time +ENV download_hsm_client="true" + # can be passed during Docker build as build time environment for github branch to pickup configuration from. ARG container_user=mosip 
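Review bot: `ENV download_hsm_client="true"` in the third hunk makes every container start fetch and install an HSM client by default, including deployments that rely on the PKCS12 keystore the properties in this commit configure; a default of `"false"` with an explicit opt-in keeps the startup path minimal for those. In the first hunk the base image moves from `eclipse-temurin:21-jre-alpine` to `eclipse-temurin:21-jre` without a digest; pinning `eclipse-temurin:21-jre@sha256:<digest>` (placeholder) would make the build reproducible, which matters more now that the image also gains sudo. The comment above `hsm_client_zip_path` could state that it is a path relative to `artifactory_url_env`, which is how configure_start.sh joins it.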
@@ -55,13 +64,18 @@ ARG container_user_uid=1001 ARG container_user_gid=1001 +ARG hsm_local_dir=hsm-client + +ENV hsm_local_dir_name=${hsm_local_dir} + # install packages and create user -RUN apk -q update \ -&& apk add -q unzip sudo bash curl \ -&& addgroup -g ${container_user_gid} ${container_user_group} \ -&& adduser -s /bin/sh -u ${container_user_uid} -G ${container_user_group} -h /home/${container_user} --disabled-password ${container_user} +RUN apt-get -y update \ +&& apt-get install -y unzip sudo\ +&& groupadd -g ${container_user_gid} ${container_user_group} \ +&& useradd -u ${container_user_uid} -g ${container_user_group} -s /bin/sh -m ${container_user} \ +&& adduser ${container_user} sudo \ +&& echo "%sudo ALL=(ALL) NOPASSWD:/home/${container_user}/${hsm_local_dir}/install.sh" >> /etc/sudoers -RUN id -u ${container_user} # set working directory for the user WORKDIR /home/${container_user} @@ -77,6 +91,8 @@ ADD configure_start.sh configure_start.sh RUN chmod +x configure_start.sh +RUN chmod a-w /home/${container_user}/configure_start.sh + COPY ./target/certify-service-*.jar certify-service.jar # change permissions of file inside working dir diff --git a/certify-service/configure_start.sh b/certify-service/configure_start.sh index c79c4fba..ef5e13fd 100644 --- a/certify-service/configure_start.sh +++ b/certify-service/configure_start.sh 
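Review bot: The sudoers line added in the first hunk, `%sudo ALL=(ALL) NOPASSWD:/home/${container_user}/${hsm_local_dir}/install.sh`, grants the unprivileged service user passwordless root for a script that lives in its own home directory and, per configure_start.sh, is unzipped there at runtime by that same user, so anything able to write that path runs as root and the path restriction adds no protection. Installing the HSM client at image build time, or having root own `install.sh` and its directory after the archive has been verified, would keep the container's user boundary meaningful; if the runtime install must stay, a comment above the line should record that this is an accepted escalation path. `apt-get install -y unzip sudo\` lacks a space before the backslash and only tokenizes correctly because `&&` on the next line is a shell operator. Adding `rm -rf /var/lib/apt/lists/*` to the same RUN keeps the layer small.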
@@ -5,28 +5,66 @@ set -e download_and_extract() { local url=$1 local dest_dir=$2 - shift 2 - local files_to_extract=("$@") local temp_zip=$(mktemp) wget -q "$url" -O "$temp_zip" - for file in "${files_to_extract[@]}"; do - unzip -o -j "$temp_zip" "$file" -d "$dest_dir" + echo "Installation of plugins started" + local files=$(unzip -l "$temp_zip" | awk 'NR>3 {print $4}' | sed '$d') + + unzip -o -j "$temp_zip" -d "$dest_dir" + + for file in $files; do + echo "Extracted file $file" done + echo "Installation of plugins completed" + rm -f "$temp_zip" } -#if [ "$enable_esignet_artifactory" = "true" ]; then -# download_and_extract "${artifactory_url_env}/artifactory/libs-release-local/esignet/esignet-wrapper.zip" "${loader_path_env}" "esignet-mock-wrapper.jar" "sunbird-rc-esignet-integration-impl.jar" -#fi - if [ "$enable_certify_artifactory" = "true" ]; then - download_and_extract "${artifactory_url_env}/artifactory/libs-release-local/certify/certify-plugin.zip" "${loader_path_env}" "certify-sunbird-plugin.jar" + download_and_extract "${artifactory_url_env}/artifactory/libs-release-local/certify/certify-plugin.zip" "${loader_path_env}" fi -echo "Installation complete" +#installs the pkcs11 libraries. 
+if [ "$download_hsm_client" = "true" ]; then + set -e + + DEFAULT_ZIP_PATH=artifactory/libs-release-local/hsm/client-21.zip + [ -z "$hsm_zip_file_path" ] && zip_path="$DEFAULT_ZIP_PATH" || zip_path="$hsm_zip_file_path" + + echo "Download the client from $artifactory_url_env" + echo "Zip File Path: $zip_path" + + wget -q "$artifactory_url_env/$zip_path" + echo "Downloaded $artifactory_url_env/$zip_path" + + FILE_NAME=${zip_path##*/} + + DIR_NAME=$hsm_local_dir_name + + has_parent=$(zipinfo -1 "$FILE_NAME" | awk '{split($NF,a,"/");print a[1]}' | sort -u | wc -l) + if test "$has_parent" -eq 1; then + echo "Zip has a parent directory inside" + dirname=$(zipinfo -1 "$FILE_NAME" | awk '{split($NF,a,"/");print a[1]}' | sort -u | head -n 1) + echo "Unzip directory" + unzip $FILE_NAME + echo "Renaming directory" + mv -v $dirname $DIR_NAME + else + echo "Zip has no parent directory inside" + echo "Creating destination directory" + mkdir "$DIR_NAME" + echo "Unzip to destination directory" + unzip -d "$DIR_NAME" $FILE_NAME + fi + + echo "Attempting to install" + cd ./$DIR_NAME && chmod +x install.sh && sudo ./install.sh + + echo "Installation complete" +fi cd $work_dir exec "$@" \ No newline at end of file diff --git a/certify-service/pom.xml b/certify-service/pom.xml index e14c4e58..c8ed72fc 100644 --- a/certify-service/pom.xml +++ b/certify-service/pom.xml @@ -36,7 +36,32 @@ org.springframework.cloud spring-cloud-starter-bootstrap - + + org.postgresql + postgresql + runtime + + + io.mosip.kernel + kernel-keymanager-service + 1.2.1-java21-SNAPSHOT + lib + + + org.springframework.cloud + spring-cloud-starter-sleuth + + + org.springframework.security + spring-security-test + + + + + info.weboftrust + ld-signatures-java + 1.0.0 + diff --git a/certify-service/src/main/java/io/mosip/certify/CertifyServiceApplication.java b/certify-service/src/main/java/io/mosip/certify/CertifyServiceApplication.java index da5a74b6..f69c7be7 100644 
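Review bot: The HSM block downloads `$artifactory_url_env/$zip_path` with `wget -q`, unzips it and runs `sudo ./install.sh` as root without any integrity check on what was fetched, so the container's root now trusts the artifactory endpoint and the transport it is reached over. Verifying the archive against a digest supplied at build time, for example `echo "<expected-sha256>  $FILE_NAME" | sha256sum -c -` (placeholder value) before `unzip`, would bound that. The `set -e` inside the `if` is redundant with the one at the top of the file, and `unzip $FILE_NAME`, `mv -v $dirname $DIR_NAME` and `unzip -d "$DIR_NAME" $FILE_NAME` should quote their variables like the surrounding lines do. The single-entry branch also assumes the one top-level entry is a directory; a zip whose sole entry is a file would be renamed to `$DIR_NAME` and `cd ./$DIR_NAME` would then fail under `set -e`.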
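Review bot: In the certify-service pom hunk, `spring-security-test` is added without a `test` scope as far as this rendering shows (compare the `h2` entry in certify-core, which carries `test`), so test helpers would land on the runtime classpath; add `<scope>test</scope>` if that is not intended. `kernel-keymanager-service` is pinned to `1.2.1-java21-SNAPSHOT`, which is not a reproducible build input for the library that now generates the service's root signing key at startup; a released version, or a comment recording why a snapshot is required, would help. `ld-signatures-java 1.0.0` is not referenced by any Java file in this diff; if it is for later work, a comment saying so avoids a dependency nobody can trace.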
--- a/certify-service/src/main/java/io/mosip/certify/CertifyServiceApplication.java +++ b/certify-service/src/main/java/io/mosip/certify/CertifyServiceApplication.java @@ -14,6 +14,20 @@ @EnableAsync @EnableCaching @SpringBootApplication(scanBasePackages = "io.mosip.certify,"+ + "io.mosip.kernel.crypto," + + "io.mosip.kernel.keymanager.hsm," + + "io.mosip.kernel.cryptomanager.util," + + "io.mosip.kernel.keymanagerservice.helper," + + "io.mosip.kernel.keymanagerservice.repository," + + "io.mosip.kernel.keymanagerservice.service," + + "io.mosip.kernel.keymanagerservice.util," + + "io.mosip.kernel.keygenerator.bouncycastle," + + "io.mosip.kernel.signature.service," + + "io.mosip.kernel.pdfgenerator.itext.impl,"+ + "io.mosip.kernel.partnercertservice.service," + + "io.mosip.kernel.keymanagerservice.repository,"+ + "io.mosip.kernel.keymanagerservice.entity,"+ + "io.mosip.kernel.partnercertservice.helper," + "${mosip.certify.integration.scan-base-package}") public class CertifyServiceApplication { public static void main(String[] args) { diff --git a/certify-service/src/main/java/io/mosip/certify/config/AppConfig.java b/certify-service/src/main/java/io/mosip/certify/config/AppConfig.java index b6c890f5..3035c47a 100644 --- a/certify-service/src/main/java/io/mosip/certify/config/AppConfig.java +++ b/certify-service/src/main/java/io/mosip/certify/config/AppConfig.java 
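Review bot: `"io.mosip.kernel.keymanagerservice.repository,"` appears twice in the new scanBasePackages string, once after `io.mosip.kernel.keymanagerservice.helper` and again after `io.mosip.kernel.pdfgenerator.itext.impl`; drop the second. AppConfig in this same commit already declares `@EnableJpaRepositories` and `@EntityScan` for the repository and entity packages, so the `repository` and `entity` entries here may be redundant — worth confirming against the keymanager module before keeping both. A short comment above the annotation naming why each keymanager package must be scanned would make future trimming safe. The class continues outside the hunk.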
@@ -9,21 +9,31 @@ import com.fasterxml.jackson.databind.json.JsonMapper; import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule; import com.fasterxml.jackson.module.afterburner.AfterburnerModule; +import io.mosip.certify.core.constants.Constants; +import io.mosip.kernel.keymanagerservice.dto.KeyPairGenerateRequestDto; +import io.mosip.kernel.keymanagerservice.service.KeymanagerService; +import io.mosip.kernel.keymanagerservice.dto.SymmetricKeyGenerateRequestDto; import lombok.extern.slf4j.Slf4j; import org.apache.hc.client5.http.impl.classic.HttpClientBuilder; import org.apache.hc.client5.http.impl.classic.HttpClients; import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder; - +import org.springframework.util.StringUtils; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.ApplicationArguments; +import org.springframework.boot.ApplicationRunner; +import org.springframework.boot.autoconfigure.domain.EntityScan; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.data.jpa.repository.config.EnableJpaRepositories; import org.springframework.http.client.HttpComponentsClientHttpRequestFactory; import org.springframework.web.client.RestTemplate; @Configuration +@EnableJpaRepositories(basePackages = {"io.mosip.kernel.keymanagerservice.repository"}) +@EntityScan(basePackages = {"io.mosip.kernel.keymanagerservice.entity"}) @Slf4j -public class AppConfig { - +public class AppConfig implements ApplicationRunner { @Value("${mosip.certify.default.httpclient.connections.max.per.host:20}") private int defaultMaxConnectionPerRoute; 
@@ -31,6 +41,12 @@ public class AppConfig { @Value("${mosip.certify.default.httpclient.connections.max:100}") private int defaultTotalMaxConnection; + @Autowired + private KeymanagerService keymanagerService; + + @Value("${mosip.certify.cache.security.secretkey.reference-id}") + private String cacheSecretKeyRefId; + @Bean public ObjectMapper objectMapper() { 
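Review bot: `@Value("${mosip.certify.cache.security.secretkey.reference-id}")` on `cacheSecretKeyRefId` has no default, unlike the two HTTP client properties above it, so the context fails to start when the property is absent; since `run()` below treats an empty value as "skip symmetric key generation", either `@Value("${mosip.certify.cache.security.secretkey.reference-id:}")` or a comment stating the property is mandatory would make the intent explicit. Constructor injection for `KeymanagerService` would let the field be `final` instead of a field `@Autowired`. The class continues outside the hunk.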
@@ -53,4 +69,31 @@ public RestTemplate restTemplate() { return new RestTemplate(requestFactory); } + @Override + public void run(ApplicationArguments args) throws Exception { + log.info("===================== CERTIFY_SERVICE ROOT KEY CHECK ========================"); + String objectType = "CSR"; + KeyPairGenerateRequestDto rootKeyRequest = new KeyPairGenerateRequestDto(); + rootKeyRequest.setApplicationId(Constants.ROOT_KEY); + keymanagerService.generateMasterKey(objectType, rootKeyRequest); + log.info("===================== CERTIFY_SERVICE MASTER KEY CHECK ========================"); + KeyPairGenerateRequestDto masterKeyRequest = new KeyPairGenerateRequestDto(); + masterKeyRequest.setApplicationId(Constants.CERTIFY_SERVICE_APP_ID); + keymanagerService.generateMasterKey(objectType, masterKeyRequest); + + if(!StringUtils.isEmpty(cacheSecretKeyRefId)) { + SymmetricKeyGenerateRequestDto symmetricKeyGenerateRequestDto = new SymmetricKeyGenerateRequestDto(); + symmetricKeyGenerateRequestDto.setApplicationId(Constants.CERTIFY_SERVICE_APP_ID); + symmetricKeyGenerateRequestDto.setReferenceId(cacheSecretKeyRefId); + symmetricKeyGenerateRequestDto.setForce(false); + keymanagerService.generateSymmetricKey(symmetricKeyGenerateRequestDto); + log.info("============= CERTIFY_SERVICE CACHE SYMMETRIC KEY CHECK COMPLETED ============="); + } + + log.info("===================== CERTIFY_PARTNER MASTER KEY CHECK ========================"); + KeyPairGenerateRequestDto partnerMasterKeyRequest = new KeyPairGenerateRequestDto(); + partnerMasterKeyRequest.setApplicationId(Constants.CERTIFY_PARTNER_APP_ID); + keymanagerService.generateMasterKey(objectType, partnerMasterKeyRequest); + log.info("===================== CERTIFY KEY SETUP COMPLETED ========================"); + } } 
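Review bot: `run()` calls `keymanagerService.generateMasterKey` for ROOT, CERTIFY_SERVICE and CERTIFY_PARTNER on every startup, and nothing in the hunk shows whether that is a no-op when a current key already exists — the symmetric request sets `setForce(false)`, the key-pair requests set nothing comparable — so a Javadoc such as `/** Ensures the root, service and partner master keys and the cache secret key exist; generateMasterKey is expected to be a no-op when a current key is present. */` should record the assumption. `StringUtils.isEmpty(Object)` is deprecated since Spring 5.3; `StringUtils.hasText(cacheSecretKeyRefId)` also rejects a blank reference id. `throws Exception` is wider than anything visible in the body; narrowing it, or documenting that a key-setup failure is meant to abort startup, would clarify the contract. A `@Configuration` class that also implements `ApplicationRunner` mixes bean wiring with startup work; a dedicated component such as `KeySetupRunner` would keep AppConfig to configuration.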
diff --git a/certify-service/src/main/java/io/mosip/certify/controller/SystemInfoController.java b/certify-service/src/main/java/io/mosip/certify/controller/SystemInfoController.java new file mode 100644 index 00000000..07c82679 --- /dev/null +++ b/certify-service/src/main/java/io/mosip/certify/controller/SystemInfoController.java 
@@ -0,0 +1,72 @@ +/* + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. + */ +package io.mosip.certify.controller; + +import io.mosip.certify.api.spi.AuditPlugin; +import io.mosip.certify.core.constants.ErrorConstants; +import io.mosip.certify.core.dto.ResponseWrapper; +import io.mosip.certify.core.exception.CertifyException; +import io.mosip.certify.core.util.CommonUtil; +import io.mosip.kernel.core.http.RequestWrapper; +import io.mosip.kernel.keymanagerservice.dto.KeyPairGenerateResponseDto; +import io.mosip.kernel.keymanagerservice.dto.UploadCertificateRequestDto; +import io.mosip.kernel.keymanagerservice.dto.UploadCertificateResponseDto; +import io.mosip.kernel.keymanagerservice.service.KeymanagerService; +import lombok.extern.slf4j.Slf4j; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.web.bind.annotation.*; + +import javax.validation.Valid; +import javax.validation.constraints.NotBlank; +import java.util.Optional; + +/** + * Controller GET Certify service certificates + */ +@Slf4j +@RestController +@RequestMapping("/system-info") +public class SystemInfoController { + + @Autowired + private KeymanagerService keymanagerService; + + @Autowired + AuditPlugin auditWrapper; + + @Value("${mosip.certify.audit.claim-name:preferred_username}") + private String claimName; + + @GetMapping(value = "/certificate") + public ResponseWrapper getCertificate( + @Valid @NotBlank(message = ErrorConstants.INVALID_REQUEST) @RequestParam("applicationId") String applicationId, + @RequestParam("referenceId") Optional referenceId) { + ResponseWrapper responseWrapper = new ResponseWrapper<>(); + try { + responseWrapper.setResponse(keymanagerService.getCertificate(applicationId, referenceId)); + } catch (CertifyException ex) { + 
throw ex; + } + responseWrapper.setResponseTime(CommonUtil.getUTCDateTime()); + return responseWrapper; + } + + @PostMapping(value = "/uploadCertificate") + public ResponseWrapper uploadSignedCertificate( + @Valid @RequestBody RequestWrapper requestWrapper) { + ResponseWrapper responseWrapper = new ResponseWrapper<>(); + UploadCertificateRequestDto uploadCertificateRequestDto = requestWrapper.getRequest(); + try { + responseWrapper.setResponse(keymanagerService.uploadCertificate(uploadCertificateRequestDto)); + } catch (CertifyException ex) { + throw ex; + } + responseWrapper.setResponseTime(CommonUtil.getUTCDateTime()); + return responseWrapper; + } + +} diff --git a/certify-service/src/main/java/io/mosip/certify/plugin/impl/LoggerAuditService.java b/certify-service/src/main/java/io/mosip/certify/impl/LoggerAuditService.java similarity index 100% rename from certify-service/src/main/java/io/mosip/certify/plugin/impl/LoggerAuditService.java rename to certify-service/src/main/java/io/mosip/certify/impl/LoggerAuditService.java diff --git a/certify-service/src/main/resources/application-local.properties b/certify-service/src/main/resources/application-local.properties index 21bc79b2..63d70bfb 100644 --- a/certify-service/src/main/resources/application-local.properties +++ b/certify-service/src/main/resources/application-local.properties @@ -7,10 +7,10 @@ mosip.certify.security.auth.get-urls={} mosip.certify.security.ignore-csrf-urls=**/actuator/**,/favicon.ico,**/error,\ **/swagger-ui/**,**/v3/api-docs/**,\ - **/issuance/** + **/issuance/**,**/system-info/** mosip.certify.security.ignore-auth-urls=/actuator/**,**/error,**/swagger-ui/**,\ - **/v3/api-docs/**, **/issuance/** + **/v3/api-docs/**, **/issuance/**,/system-info/** ## ------------------------------------------ Discovery openid-configuration ------------------------------------------- 
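Review bot: Both `try { … } catch (CertifyException ex) { throw ex; }` blocks in getCertificate and uploadSignedCertificate catch and rethrow unchanged, so the try/catch can be removed and the `keymanagerService` call made directly. `auditWrapper` and `claimName` are injected but never used in the file, which suggests the audit call intended for certificate uploads was not written; either add it (a certificate upload changes the service's trust material and deserves an audit record) or drop the fields. `@NotBlank` on a `@RequestParam` is only enforced when the controller class carries `@Validated`, which it does not here — confirm against the project's validation setup. `uploadSignedCertificate` forwards `requestWrapper.getRequest()` without a null check, so a body without a `request` element reaches the keymanager as null.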
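Review bot: The new `/system-info/**` entries in `ignore-auth-urls` and `ignore-csrf-urls` make `POST /system-info/uploadCertificate`, which replaces key-manager certificates, reachable without authentication or CSRF protection in the local profile. Even for local development, keeping the upload endpoint behind auth (listing only `/system-info/certificate` if the GET must be open) avoids the pattern being copied into other profiles; if it is deliberate, a comment above the property saying it is local-only is the minimum. The two patterns also differ (`**/system-info/**` vs `/system-info/**`); using the same form in both keeps their coverage identical.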
@@ -22,7 +22,7 @@ mosip.certify.supported.jwt-proof-alg={'RS256','PS256'} ## ---------------------------------------------- VCI ------------------------------------------------------------------ ##----- These are properties for any oauth resource server providing jwk------------### -mosip.certify.identifier=http://localhost:8088 +mosip.certify.identifier=http://localhost:8090 mosip.certify.authn.filter-urls={ '${server.servlet.path}/issuance/credential', '${server.servlet.path}/issuance/vd12/credential', '${server.servlet.path}/issuance/vd11/credential'} mosip.certify.authn.issuer-uri=http://localhost:8088/v1/esignet mosip.certify.authn.jwk-set-uri=http://localhost:8088/v1/esignet/oauth/.well-known/jwks.json 
@@ -217,9 +217,57 @@ mosip.certify.key-values={\ } ## ------------------------------------------- Integrations ------------------------------------------------------------ -mosip.certify.integration.scan-base-package=io.mosip.certify.sunbirdrc.integration -mosip.certify.integration.vci-plugin=SunbirdRCVCIssuancePlugin +#mosip.certify.integration.scan-base-package=io.mosip.certify.sunbirdrc.integration +#mosip.certify.integration.vci-plugin=SunbirdRCVCIssuancePlugin +#mosip.certify.integration.audit-plugin=LoggerAuditService + +## ------------------------------------------- MOSIP ID Integration properties ------------------------------------------------------------ +#mosip.certify.integration.scan-base-package=io.mosip.certify.mosipid.integration +#mosip.certify.integration.vci-plugin=IdaVCIssuancePluginImpl +#mosip.certify.ida.vci-user-info-cache=userinfo +#mosip.certify.ida.vci-exchange-id=mosip.identity.vciexchange +#mosip.certify.ida.vci-exchange-version=1.0 +#mosip.certify.ida.vci-exchange-url=http://localhost:8089/idauthentication/v1/vci-exchange/delegated/mosip-license-key/ +#mosip.certify.integration.audit-plugin=IdaAuditPluginImpl +#mosip.certify.authenticator.ida.auth-token-url=http://localhost:8089/v1/authmanager/authenticate/clientidsecretkey +#mosip.certify.authenticator.ida.audit-manager-url=http://localhost:8089/v1/auditmanager/audits +#mosip.certify.authenticator.ida.client-id=mosip-ida-client +#mosip.certify.authenticator.ida.secret-key=client-secret-key +#mosip.certify.authenticator.ida.app-id=ida + + +## ------------------------------------------- Mock ID Integration properties ------------------------------------------------------------ +mosip.certify.integration.scan-base-package=io.mosip.certify.mock.integration mosip.certify.integration.audit-plugin=LoggerAuditService +mosip.certify.integration.vci-plugin=MockVCIssuancePlugin +mosip.certify.mock.vciplugin.verification-method=${mosip.certify.authn.jwk-set-uri} + + +## 
---------------------------------------- Cache configuration -------------------------------------------------------- + +mosip.certify.cache.secure.individual-id=true +mosip.certify.cache.store.individual-id=true +mosip.certify.cache.security.secretkey.reference-id=TRANSACTION_CACHE +mosip.certify.cache.security.algorithm-name=AES/ECB/PKCS5Padding + +#spring.cache.type=redis +#spring.data.redis.host=localhost +#spring.data.redis.port=6379 +#spring.data.redis.password=eYVX7EwVmmxKPCDmwMtyKVge8oLd2t81 + +spring.cache.type=simple +spring.cache.cache-names=${mosip.certify.cache.names} +management.health.redis.enabled=false + +mosip.certify.access-token-expire-seconds=86400 + +mosip.certify.cache.names=userinfo,vcissuance +# Cache size setup is applicable only for 'simple' cache type. +# Cache size configuration will not be considered with 'Redis' cache type +mosip.certify.cache.size={'userinfo': 200, 'vcissuance' : 2000 } + +# Cache expire in seconds is applicable for both 'simple' and 'Redis' cache type +mosip.certify.cache.expire-in-seconds={'userinfo': ${mosip.certify.access-token-expire-seconds}, 'vcissuance': ${mosip.certify.access-token-expire-seconds}} ##-----------------------------VCI related demo configuration---------------------------------------------## 
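Review bot: `mosip.certify.cache.security.algorithm-name=AES/ECB/PKCS5Padding` selects ECB for cache encryption, which does not hide repeated plaintext blocks and gives no integrity; the key-manager section added further down in this same file uses `AES/GCM/PKCS5Padding` for `mosip.kernel.crypto.symmetric-algorithm-name`, so aligning on an authenticated mode is worth confirming with whatever consumes this property. The commented-out `spring.data.redis.password=` line commits a credential-shaped value into version control; a placeholder such as `<redis-password>` avoids it being reused. The comment that `mosip.certify.cache.size` is ignored for Redis is helpful; a matching comment on `expire-in-seconds` noting that a value of 0 means no expiry under Redis would complete it.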
@@ -246,3 +294,70 @@ mosip.certify.vciplugin.sunbird-rc.credential-type.InsuranceCredential.registry- mosip.certify.vciplugin.sunbird-rc.credential-type.InsuranceCredential.cred-schema-id=did:schema:77ea2b1b-f0aa-4214-acb5-2f3b93bc7ee7 mosip.certify.vciplugin.sunbird-rc.credential-type.InsuranceCredential.cred-schema-version=1.0.0 mosip.certify.vciplugin.sunbird-rc.credential-type.InsuranceCredential.registry-search-url=http://localhost:8000/registry/api/v1/Insurance/search + + +#------------------------------------ Key-manager specific properties -------------------------------------------------- +#Crypto asymmetric algorithm name +mosip.kernel.crypto.asymmetric-algorithm-name=RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING +#Crypto symmetric algorithm name +mosip.kernel.crypto.symmetric-algorithm-name=AES/GCM/PKCS5Padding +#Keygenerator asymmetric algorithm name +mosip.kernel.keygenerator.asymmetric-algorithm-name=RSA +#Keygenerator symmetric algorithm name +mosip.kernel.keygenerator.symmetric-algorithm-name=AES +#Asymmetric algorithm key length +mosip.kernel.keygenerator.asymmetric-key-length=2048 +#Symmetric algorithm key length +mosip.kernel.keygenerator.symmetric-key-length=256 +#Encrypted data and encrypted symmetric key separator +mosip.kernel.data-key-splitter=#KEY_SPLITTER# +#GCM tag length +mosip.kernel.crypto.gcm-tag-length=128 +#Hash algo name +mosip.kernel.crypto.hash-algorithm-name=PBKDF2WithHmacSHA512 +#Symmtric key length used in hash +mosip.kernel.crypto.hash-symmetric-key-length=256 +#No of iterations in hash +mosip.kernel.crypto.hash-iteration=100000 +#Sign algo name +mosip.kernel.crypto.sign-algorithm-name=RS256 +#Certificate Sign algo name +mosip.kernel.certificate.sign.algorithm=SHA256withRSA + +mosip.kernel.keymanager.hsm.config-path=local.p12 +mosip.kernel.keymanager.hsm.keystore-type=PKCS12 +mosip.kernel.keymanager.hsm.keystore-pass=local + +mosip.kernel.keymanager.certificate.default.common-name=www.example.com 
+mosip.kernel.keymanager.certificate.default.organizational-unit=EXAMPLE-CENTER +mosip.kernel.keymanager.certificate.default.organization=IIITB +mosip.kernel.keymanager.certificate.default.location=BANGALORE +mosip.kernel.keymanager.certificate.default.state=KA +mosip.kernel.keymanager.certificate.default.country=IN + +mosip.kernel.keymanager.softhsm.certificate.common-name=www.example.com +mosip.kernel.keymanager.softhsm.certificate.organizational-unit=Example Unit +mosip.kernel.keymanager.softhsm.certificate.organization=IIITB +mosip.kernel.keymanager.softhsm.certificate.country=IN + +# ApplicationId for PMS master key. +mosip.kernel.partner.sign.masterkey.application.id=PMS +mosip.kernel.partner.allowed.domains=DEVICE + +mosip.kernel.keymanager-service-validate-url=https://${mosip.hostname}/keymanager/validate +mosip.kernel.keymanager.jwtsign.validate.json=false +mosip.keymanager.dao.enabled=false +crypto.PrependThumbprint.enable=true + +##----------------------------------------- Database properties -------------------------------------------------------- + +mosip.certify.database.hostname=localhost +mosip.certify.database.port=5456 +spring.datasource.url=jdbc:postgresql://${mosip.certify.database.hostname}:${mosip.certify.database.port}/mosip_certify?currentSchema=certify +spring.datasource.username=postgres +spring.datasource.password=postgres + +spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect +spring.jpa.show-sql=false +spring.jpa.hibernate.ddl-auto=none +spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true \ No newline at end of file diff --git a/certify-service/src/test/resources/application-test.properties b/certify-service/src/test/resources/application-test.properties index 8f73d97c..3b8865cc 100644 --- a/certify-service/src/test/resources/application-test.properties +++ b/certify-service/src/test/resources/application-test.properties 
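Review bot: `mosip.kernel.keymanager.hsm.keystore-pass=local` and `spring.datasource.password=postgres` are committed in clear text next to the relative keystore path `local.p12`; if these are only for the local profile, a header comment saying so, and that deployments must override them via environment or the config server, prevents the file being used as a template. `mosip.kernel.keymanager-service-validate-url=https://${mosip.hostname}/keymanager/validate` references `mosip.hostname`, which is not defined anywhere in this diff; an unresolvable placeholder fails at startup if it is injected without a default, so confirm it is set elsewhere. `spring.jpa.hibernate.ddl-auto=none` is the right choice for the keymanager schema; naming the expected DDL source (`db_scripts/`) in a comment next to it tells operators where the tables come from.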
@@ -213,3 +213,73 @@ mosip.certify.key-values={\ }\ } +#------------------------------------ Key-manager specific properties -------------------------------------------------- + +#Crypto asymmetric algorithm name +mosip.kernel.crypto.asymmetric-algorithm-name=RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING +#Crypto symmetric algorithm name +mosip.kernel.crypto.symmetric-algorithm-name=AES/GCM/PKCS5Padding +#Keygenerator asymmetric algorithm name +mosip.kernel.keygenerator.asymmetric-algorithm-name=RSA +#Keygenerator symmetric algorithm name +mosip.kernel.keygenerator.symmetric-algorithm-name=AES +#Asymmetric algorithm key length +mosip.kernel.keygenerator.asymmetric-key-length=2048 +#Symmetric algorithm key length +mosip.kernel.keygenerator.symmetric-key-length=256 +#Encrypted data and encrypted symmetric key separator +mosip.kernel.data-key-splitter=#KEY_SPLITTER# +#GCM tag length +mosip.kernel.crypto.gcm-tag-length=128 +#Hash algo name +mosip.kernel.crypto.hash-algorithm-name=PBKDF2WithHmacSHA512 +#Symmtric key length used in hash +mosip.kernel.crypto.hash-symmetric-key-length=256 +#No of iterations in hash +mosip.kernel.crypto.hash-iteration=100000 +#Sign algo name +mosip.kernel.crypto.sign-algorithm-name=RS256 +#Certificate Sign algo name +mosip.kernel.certificate.sign.algorithm=SHA256withRSA + +mosip.kernel.keymanager.hsm.config-path=test/local.p12 +mosip.kernel.keymanager.hsm.keystore-type=PKCS12 +mosip.kernel.keymanager.hsm.keystore-pass=test + +mosip.kernel.keymanager.certificate.default.common-name=www.mosip.io +mosip.kernel.keymanager.certificate.default.organizational-unit=MOSIP Engineering +mosip.kernel.keymanager.certificate.default.organization=IIITB +mosip.kernel.keymanager.certificate.default.location=BANGALORE +mosip.kernel.keymanager.certificate.default.state=KA +mosip.kernel.keymanager.certificate.default.country=IN + +mosip.kernel.keymanager.softhsm.certificate.common-name=www.mosip.io +mosip.kernel.keymanager.softhsm.certificate.organizational-unit=MOSIP 
+mosip.kernel.keymanager.softhsm.certificate.organization=IIITB +mosip.kernel.keymanager.softhsm.certificate.country=IN + +# Application Id for PMS master key. +mosip.kernel.partner.sign.masterkey.application.id=PMS +mosip.kernel.partner.allowed.domains=DEVICE + +mosip.kernel.keymanager-service-validate-url=https://${mosip.hostname}/keymanager/validate +mosip.keymanager.dao.enabled=false +mosip.kernel.keymanager.jwtsign.validate.json=false +crypto.PrependThumbprint.enable=true + +mosip.certify.cache.security.secretkey.reference-id=TRANSACTION_CACHE + +##----------------------------------------- Database properties -------------------------------------------------------- + +spring.jpa.defer-datasource-initialization=false +spring.jpa.hibernate.ddl-auto=none +spring.jpa.show-sql=false +spring.jpa.properties.hibernate.format_sql=true +#Enabling H2 console +spring.h2.console.enabled=false +spring.datasource.url=jdbc:h2:mem:mosip_esignet +spring.datasource.driverClassName=org.h2.Driver +spring.datasource.username=test +spring.datasource.password=test + +spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true \ No newline at end of file diff --git a/certify-service/src/test/resources/data.sql b/certify-service/src/test/resources/data.sql new file mode 100644 index 00000000..87d0ebbd --- /dev/null +++ b/certify-service/src/test/resources/data.sql @@ -0,0 +1,2 @@ + +MERGE INTO KEY_POLICY_DEF (APP_ID,KEY_VALIDITY_DURATION,PRE_EXPIRE_DAYS,ACCESS_ALLOWED,IS_ACTIVE,CR_BY,CR_DTIMES) KEY(APP_ID) VALUES ('ROOT', 1095, 50, 'NA', true, 'mosipadmin', now()), ('CERTIFY_SERVICE', 1095, 50, 'NA', true, 'mosipadmin', now()), ('CERTIFY_PARTNER', 1095, 50, 'NA', true, 'mosipadmin', now()); diff --git a/certify-service/src/test/resources/schema.sql b/certify-service/src/test/resources/schema.sql new file mode 100644 index 00000000..fdfcf541 --- /dev/null +++ b/certify-service/src/test/resources/schema.sql 
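Review bot: `spring.datasource.url=jdbc:h2:mem:mosip_esignet` names the in-memory test database after esignet rather than this service; `jdbc:h2:mem:mosip_certify` avoids the carried-over name. `mosip.kernel.keymanager.hsm.config-path=test/local.p12` points at a keystore that is not part of this diff; confirm it exists on the test classpath, as keymanager initialization in `AppConfig.run()` will otherwise fail during test startup.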
@@ -0,0 +1,47 @@ +CREATE TABLE IF NOT EXISTS key_alias( + id character varying(36) NOT NULL, + app_id character varying(36) NOT NULL, + ref_id character varying(128), + key_gen_dtimes timestamp, + key_expire_dtimes timestamp, + status_code character varying(36), + lang_code character varying(3), + cr_by character varying(256) NOT NULL, + cr_dtimes timestamp NOT NULL, + upd_by character varying(256), + upd_dtimes timestamp, + is_deleted boolean DEFAULT FALSE, + del_dtimes timestamp, + cert_thumbprint character varying(100), + uni_ident character varying(50), + CONSTRAINT pk_keymals_id PRIMARY KEY (id), + CONSTRAINT uni_ident_const UNIQUE (uni_ident) +); + +CREATE TABLE IF NOT EXISTS key_policy_def( + app_id character varying(36) NOT NULL, + key_validity_duration smallint, + is_active boolean NOT NULL, + pre_expire_days smallint, + access_allowed character varying(1024), + cr_by character varying(256) NOT NULL, + cr_dtimes timestamp NOT NULL, + upd_by character varying(256), + upd_dtimes timestamp, + is_deleted boolean DEFAULT FALSE, + del_dtimes timestamp, + CONSTRAINT pk_keypdef_id PRIMARY KEY (app_id) +); +CREATE TABLE IF NOT EXISTS key_store( + id character varying(36) NOT NULL, + master_key character varying(36) NOT NULL, + private_key character varying(2500) NOT NULL, + certificate_data character varying NOT NULL, + cr_by character varying(256) NOT NULL, + cr_dtimes timestamp NOT NULL, + upd_by character varying(256), + upd_dtimes timestamp, + is_deleted boolean DEFAULT FALSE, + del_dtimes timestamp, + CONSTRAINT pk_keystr_id PRIMARY KEY (id) +); diff --git a/db_scripts/README.md b/db_scripts/README.md new file mode 100644 index 00000000..8e039b8b --- /dev/null +++ b/db_scripts/README.md 
@@ -0,0 +1,32 @@ +# Certify Database + + +## Overview +This folder containers various SQL scripts to create database and tables in postgres. +The tables are described under `/ddl/`. +Default data that's populated in the tables is present under `/dml` folder. + +## Prerequisites +* Make sure DB changes for IDA and PMS are up to date. +* If not upgraded, IDA DB using the [release script](https://github.com/mosip/id-authentication/tree/develop/db_release_scripts). +* If not upgraded, PMS DB using the [release script](https://github.com/mosip/partner-management-services/tree/develop/db_release_scripts). +* Command line utilities: + - kubectl + - helm +* Helm repos: + ```sh + helm repo add bitnami https://charts.bitnami.com/bitnami + helm repo add mosip https://mosip.github.io/mosip-helm + ``` + +## Install in existing MOSIP K8 Cluster +These scripts are automatically run with below mentioned script in existing k8 cluster with Postgres installed. +### Install +* Set your kube_config file or kube_config variable on PC. +* Update `init_values.yaml` with db-common-password from the postgres namespace in the required field `dbUserPasswords.dbuserPassword` and ensure `databases.mosip_certify` is enabled. + ``` + ./init_db.sh` + ``` + +## Install for developers +Developers may run the SQLs using `/deploy.sh` script. diff --git a/db_scripts/copy_cm_func.sh b/db_scripts/copy_cm_func.sh new file mode 100755 index 00000000..7b225948 --- /dev/null +++ b/db_scripts/copy_cm_func.sh 
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copy configmap and secret from one namespace to another.
+# ./copy_cm_func.sh [name]
+# Parameters:
+# resource: configmap|secret
+# name: Optional new name of the configmap or secret in destination namespace. This may be needed if there is
+# clash of names
+
+if [ $1 = "configmap" ]
+then
+ RESOURCE=configmap
+elif [ $1 = "secret" ]
+then
+ RESOURCE=secret
+else
+ echo "Incorrect resource $1. Exiting.."
+ exit 1
+fi
+
+
+if [ $# -ge 5 ]
+then
+ kubectl -n $4 delete --ignore-not-found=true $RESOURCE $5
+ kubectl -n $3 get $RESOURCE $2 -o yaml | sed "s/namespace: $3/namespace: $4/g" | sed "s/name: $2/name: $5/g" | kubectl -n $4 create -f -
+else
+ kubectl -n $4 delete --ignore-not-found=true $RESOURCE $2
+ kubectl -n $3 get $RESOURCE $2 -o yaml | sed "s/namespace: $3/namespace: $4/g" | kubectl -n $4 create -f -
+fi
+
+
+
+
+
diff --git a/db_scripts/init_db.sh b/db_scripts/init_db.sh
new file mode 100755
index 00000000..dcb71d54
--- /dev/null
+++ b/db_scripts/init_db.sh
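Review bot: The positional arguments are tested unquoted (`if [ $1 = "configmap" ]`, `elif [ $1 = "secret" ]`), so running the script with no arguments makes `[` fail with a syntax error instead of reaching the "Incorrect resource" message; use `if [ "$1" = "configmap" ]` and `elif [ "$1" = "secret" ]`, and check that `$2`, `$3` and `$4` are non-empty before the kubectl calls. The `sed "s/name: $2/name: $5/g"` step applies to every `name:` occurrence in the exported manifest, so a label, annotation or ownerReference carrying the same value is renamed too — presumably harmless for a plain secret, but worth confirming. A failing `kubectl get` in the pipeline is not detected either (POSIX sh has no pipefail), so `kubectl create -f -` may be fed an empty document.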
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Script to initialize certify DB.
+## Usage: ./init_db.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+ export KUBECONFIG=$1
+fi
+
+NS=esignet
+CHART_VERSION=12.0.2
+
+helm repo add mosip https://mosip.github.io/mosip-helm
+helm repo update
+
+while true; do
+ read -p "CAUTION: Do we already have Postgres installed? Also make sure the certify DB is backed up as the same will be overriden. Do you still want to continue?" yn
+ if [ $yn = "Y" ]
+ then
+ DB_USER_PASSWORD=$( kubectl -n postgres get secrets db-common-secrets -o jsonpath={.data.db-dbuser-password} | base64 -d )
+
+ kubectl create ns $NS
+
+ echo Removing existing mosip_certify DB installation
+ helm -n $NS delete postgres-init-certify
+
+ echo Copy Postgres secrets
+ ./copy_cm_func.sh secret postgres-postgresql postgres $NS
+
+ echo Delete existing DB common sets
+ kubectl -n $NS delete secret db-common-secrets
+
+ echo Initializing DB
+ helm -n $NS install postgres-init-certify mosip/postgres-init -f init_values.yaml \
+ --version $CHART_VERSION \
+ --set dbUserPasswords.dbuserPassword="$DB_USER_PASSWORD" \
+ --wait --wait-for-jobs
+ break
+ else
+ break
+ fi
+done
\ No newline at end of file
diff --git a/db_scripts/init_values.yaml b/db_scripts/init_values.yaml
new file mode 100644
index 00000000..66e28779
--- /dev/null
+++ b/db_scripts/init_values.yaml
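Review bot: `read -p "CAUTION: ..." yn` is a bash extension while the file is declared `#!/bin/sh`; where sh is dash the prompt fails with an illegal-option error, `yn` stays empty, and the unquoted `[ $yn = "Y" ]` then becomes a syntax error rather than a clean "no". Either change the shebang to `#!/bin/bash` or use `printf '%s ' "CAUTION: ..."; read yn` and compare with `[ "$yn" = "Y" ]`. The database password read from `db-common-secrets` is then handed to helm as `--set dbUserPasswords.dbuserPassword="$DB_USER_PASSWORD"`, which makes it visible to other local users through the process list for the duration of the install; writing it to a 0600 values file passed with `-f` avoids that. `NS=esignet` in a certify initialisation script looks like a carry-over — confirm the intended namespace.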
@@ -0,0 +1,72 @@ +#dbUserPasswords: +# dbuserPassword: "" + +databases: + mosip_toolkit: + enabled: false + + mosip_master: + enabled: false + + mosip_audit: + enabled: false + + mosip_keymgr: + enabled: false + + mosip_kernel: + enabled: false + + mosip_idmap: + enabled: false + + mosip_prereg: + enabled: false + + mosip_idrepo: + enabled: false + + mosip_ida: + enabled: false + + mosip_credential: + enabled: false + + mosip_regprc: + enabled: false + + mosip_regdevice: + enabled: false + + mosip_authdevice: + enabled: false + + mosip_pms: + enabled: false + + mosip_hotlist: + enabled: false + + mosip_resident: + enabled: false + + mosip_digitalcard: + enabled: false + + mosip_mockidentitysystem: + enabled: false + + mosip_esignet: + enabled: false + + mosip_certify: + enabled: true + host: "postgres-postgresql.postgres" + port: 5432 + su: + user: postgres + secret: + name: postgres-postgresql + key: postgres-password + dml: 1 + branch: develop diff --git a/db_scripts/mosip_certify/db.sql b/db_scripts/mosip_certify/db.sql new file mode 100644 index 00000000..1f6059d7 --- /dev/null +++ b/db_scripts/mosip_certify/db.sql @@ -0,0 +1,22 @@ +-- This Source Code Form is subject to the terms of the Mozilla Public +-- License, v. 2.0. If a copy of the MPL was not distributed with this +-- file, You can obtain one at https://mozilla.org/MPL/2.0/. +-- ------------------------------------------------------------------------------------------------- + +CREATE DATABASE mosip_certify + ENCODING = 'UTF8' + LC_COLLATE = 'en_US.UTF-8' + LC_CTYPE = 'en_US.UTF-8' + TABLESPACE = pg_default + OWNER = postgres + TEMPLATE = template0; + +COMMENT ON DATABASE mosip_idp IS 'Certify related data is stored in this database'; + +\c mosip_certify postgres + +DROP SCHEMA IF EXISTS certify CASCADE; +CREATE SCHEMA certify; +ALTER SCHEMA certify OWNER TO postgres; +ALTER DATABASE mosip_certify SET search_path TO certify,pg_catalog,public; + 
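Review bot: `COMMENT ON DATABASE mosip_idp IS 'Certify related data is stored in this database';` names a database this script does not create; unless a `mosip_idp` database already exists the statement errors, and because deploy.sh runs psql with `-v ON_ERROR_STOP=1` the remainder of db.sql (the `\c`, the schema creation and the search_path) is skipped. It should read `COMMENT ON DATABASE mosip_certify IS 'Certify related data is stored in this database';`, matching the name used in docker-compose/docker-compose-certify/certify_init.sql.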
diff --git a/db_scripts/mosip_certify/ddl.sql b/db_scripts/mosip_certify/ddl.sql new file mode 100644 index 00000000..51b368ae --- /dev/null +++ b/db_scripts/mosip_certify/ddl.sql @@ -0,0 +1,7 @@ +\c mosip_certify + +\ir ddl/certify-key_alias.sql +\ir ddl/certify-key_policy_def.sql +\ir ddl/certify-key_store.sql + + diff --git a/db_scripts/mosip_certify/ddl/certify-key_alias.sql b/db_scripts/mosip_certify/ddl/certify-key_alias.sql new file mode 100644 index 00000000..4d3c6b01 --- /dev/null +++ b/db_scripts/mosip_certify/ddl/certify-key_alias.sql 
@@ -0,0 +1,47 @@ +-- This Source Code Form is subject to the terms of the Mozilla Public +-- License, v. 2.0. If a copy of the MPL was not distributed with this +-- file, You can obtain one at https://mozilla.org/MPL/2.0/. +-- ------------------------------------------------------------------------------------------------- +-- Database Name: mosip_certify +-- Table Name : key_alias +-- Purpose : Key Alias table +-- +-- +-- Modified Date Modified By Comments / Remarks +-- ------------------------------------------------------------------------------------------ +-- ------------------------------------------------------------------------------------------ +CREATE TABLE key_alias( + id character varying(36) NOT NULL, + app_id character varying(36) NOT NULL, + ref_id character varying(128), + key_gen_dtimes timestamp, + key_expire_dtimes timestamp, + status_code character varying(36), + lang_code character varying(3), + cr_by character varying(256) NOT NULL, + cr_dtimes timestamp NOT NULL, + upd_by character varying(256), + upd_dtimes timestamp, + is_deleted boolean DEFAULT FALSE, + del_dtimes timestamp, + cert_thumbprint character varying(100), + uni_ident character varying(50), + CONSTRAINT pk_keymals_id PRIMARY KEY (id), + CONSTRAINT uni_ident_const UNIQUE (uni_ident) +); + +COMMENT ON TABLE key_alias IS 'Contains key alias and metadata of all the keys used in MOSIP system.'; + +COMMENT ON COLUMN key_alias.id IS 'Unique identifier (UUID) used for referencing keys in key_store table and HSM'; +COMMENT ON COLUMN key_alias.app_id IS 'To reference a Module key'; +COMMENT ON COLUMN key_alias.ref_id IS 'To reference a Encryption key '; +COMMENT ON COLUMN key_alias.key_gen_dtimes IS 'Date and time when the key was generated.'; +COMMENT ON COLUMN key_alias.key_expire_dtimes IS 'Date and time when the key will be expired. 
This will be derived based on the configuration / policy defined in Key policy definition.'; +COMMENT ON COLUMN key_alias.status_code IS 'Status of the key, whether it is active or expired.'; +COMMENT ON COLUMN key_alias.lang_code IS 'For multilanguage implementation this attribute Refers master.language.code. The value of some of the attributes in current record is stored in this respective language. '; +COMMENT ON COLUMN key_alias.cr_by IS 'ID or name of the user who create / insert record'; +COMMENT ON COLUMN key_alias.cr_dtimes IS 'Date and Timestamp when the record is created/inserted'; +COMMENT ON COLUMN key_alias.upd_by IS 'ID or name of the user who update the record with new values'; +COMMENT ON COLUMN key_alias.upd_dtimes IS 'Date and Timestamp when any of the fields in the record is updated with new values.'; +COMMENT ON COLUMN key_alias.is_deleted IS 'Flag to mark whether the record is Soft deleted.'; +COMMENT ON COLUMN key_alias.del_dtimes IS 'Date and Timestamp when the record is soft deleted with is_deleted=TRUE'; \ No newline at end of file diff --git a/db_scripts/mosip_certify/ddl/certify-key_policy_def.sql b/db_scripts/mosip_certify/ddl/certify-key_policy_def.sql new file mode 100644 index 00000000..b5451033 --- /dev/null +++ b/db_scripts/mosip_certify/ddl/certify-key_policy_def.sql 
@@ -0,0 +1,36 @@ +-- This Source Code Form is subject to the terms of the Mozilla Public +-- License, v. 2.0. If a copy of the MPL was not distributed with this +-- file, You can obtain one at https://mozilla.org/MPL/2.0/. +-- ------------------------------------------------------------------------------------------------- +-- Database Name: mosip_certify +-- Table Name : key_policy_def +-- Purpose : Key Policy definition table +-- +-- +-- Modified Date Modified By Comments / Remarks +-- ------------------------------------------------------------------------------------------ +-- ------------------------------------------------------------------------------------------ +CREATE TABLE key_policy_def( + app_id character varying(36) NOT NULL, + key_validity_duration smallint, + is_active boolean NOT NULL, + pre_expire_days smallint, + access_allowed character varying(1024), + cr_by character varying(256) NOT NULL, + cr_dtimes timestamp NOT NULL, + upd_by character varying(256), + upd_dtimes timestamp, + is_deleted boolean DEFAULT FALSE, + del_dtimes timestamp, + CONSTRAINT pk_keypdef_id PRIMARY KEY (app_id) +); +COMMENT ON TABLE key_policy_def IS 'Key Policy Defination: Policy related to encryption key management is defined here. For eg. 
Expiry duration of a key generated.'; +COMMENT ON COLUMN key_policy_def.app_id IS 'Application ID: Application id for which the key policy is defined'; +COMMENT ON COLUMN key_policy_def.key_validity_duration IS 'Key Validity Duration: Duration for which key is valid'; +COMMENT ON COLUMN key_policy_def.is_active IS 'IS_Active : Flag to mark whether the record is Active or In-active'; +COMMENT ON COLUMN key_policy_def.cr_by IS 'Created By : ID or name of the user who create / insert record'; +COMMENT ON COLUMN key_policy_def.cr_dtimes IS 'Created DateTimestamp : Date and Timestamp when the record is created/inserted'; +COMMENT ON COLUMN key_policy_def.upd_by IS 'Updated By : ID or name of the user who update the record with new values'; +COMMENT ON COLUMN key_policy_def.upd_dtimes IS 'Updated DateTimestamp : Date and Timestamp when any of the fields in the record is updated with new values.'; +COMMENT ON COLUMN key_policy_def.is_deleted IS 'IS_Deleted : Flag to mark whether the record is Soft deleted.'; +COMMENT ON COLUMN key_policy_def.del_dtimes IS 'Deleted DateTimestamp : Date and Timestamp when the record is soft deleted with is_deleted=TRUE'; \ No newline at end of file diff --git a/db_scripts/mosip_certify/ddl/certify-key_store.sql b/db_scripts/mosip_certify/ddl/certify-key_store.sql new file mode 100644 index 00000000..f62ddaff --- /dev/null +++ b/db_scripts/mosip_certify/ddl/certify-key_store.sql 
@@ -0,0 +1,37 @@ +-- This Source Code Form is subject to the terms of the Mozilla Public +-- License, v. 2.0. If a copy of the MPL was not distributed with this +-- file, You can obtain one at https://mozilla.org/MPL/2.0/. +-- ------------------------------------------------------------------------------------------------- +-- Database Name: mosip_certify +-- Table Name : key_store +-- Purpose : Key Store table +-- +-- +-- Modified Date Modified By Comments / Remarks +-- ------------------------------------------------------------------------------------------ +-- ------------------------------------------------------------------------------------------ +CREATE TABLE key_store( + id character varying(36) NOT NULL, + master_key character varying(36) NOT NULL, + private_key character varying(2500) NOT NULL, + certificate_data character varying NOT NULL, + cr_by character varying(256) NOT NULL, + cr_dtimes timestamp NOT NULL, + upd_by character varying(256), + upd_dtimes timestamp, + is_deleted boolean DEFAULT FALSE, + del_dtimes timestamp, + CONSTRAINT pk_keystr_id PRIMARY KEY (id) +); + +COMMENT ON TABLE key_store IS 'Stores Encryption (Base) private keys along with certificates'; +COMMENT ON COLUMN key_store.id IS 'Unique identifier (UUID) for referencing keys'; +COMMENT ON COLUMN key_store.master_key IS 'UUID of the master key used to encrypt this key'; +COMMENT ON COLUMN key_store.private_key IS 'Encrypted private key'; +COMMENT ON COLUMN key_store.certificate_data IS 'X.509 encoded certificate data'; +COMMENT ON COLUMN key_store.cr_by IS 'ID or name of the user who create / insert record'; +COMMENT ON COLUMN key_store.cr_dtimes IS 'Date and Timestamp when the record is created/inserted'; +COMMENT ON COLUMN key_store.upd_by IS 'ID or name of the user who update the record with new values'; +COMMENT ON COLUMN key_store.upd_dtimes IS 'Date and Timestamp when any of the fields in the record is updated with new values.'; +COMMENT ON COLUMN key_store.is_deleted IS 
'Flag to mark whether the record is Soft deleted.'; +COMMENT ON COLUMN key_store.del_dtimes IS 'Date and Timestamp when the record is soft deleted with is_deleted=TRUE'; \ No newline at end of file diff --git a/db_scripts/mosip_certify/deploy.properties b/db_scripts/mosip_certify/deploy.properties new file mode 100644 index 00000000..fac98f44 --- /dev/null +++ b/db_scripts/mosip_certify/deploy.properties @@ -0,0 +1,6 @@ +DB_SERVERIP= +DB_PORT=5432 +SU_USER=postgres +DEFAULT_DB_NAME=postgres +MOSIP_DB_NAME=mosip_certify +DML_FLAG=1 diff --git a/db_scripts/mosip_certify/deploy.sh b/db_scripts/mosip_certify/deploy.sh new file mode 100644 index 00000000..ef9cc3c0 --- /dev/null +++ b/db_scripts/mosip_certify/deploy.sh 
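Review bot: deploy.sh in this directory reads `SU_USER_PWD` and `DBUSER_PWD`, but deploy.properties defines neither key, so they must come from the caller's environment or psql connects with an empty password; the sibling db_upgrade_script/mosip_certify/upgrade.properties does list both. Keeping credentials out of a committed file is the safer choice, so rather than adding the keys, add a comment line `# SU_USER_PWD and DBUSER_PWD are read from the environment, not from this file` so operators know where the values are expected from.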
@@ -0,0 +1,44 @@
+
+## Properties file
+set -e
+properties_file="$1"
+echo `date "+%m/%d/%Y %H:%M:%S"` ": $properties_file"
+if [ -f "$properties_file" ]
+then
+ echo `date "+%m/%d/%Y %H:%M:%S"` ": Property file \"$properties_file\" found."
+ while IFS='=' read -r key value
+ do
+ key=$(echo $key | tr '.' '_')
+ eval ${key}=\${value}
+ done < "$properties_file"
+else
+ echo `date "+%m/%d/%Y %H:%M:%S"` ": Property file not found, Pass property file name as argument."
+fi
+
+## Terminate existing connections
+echo "Terminating active connections"
+CONN=$(PGPASSWORD=$SU_USER_PWD psql -v ON_ERROR_STOP=1 --username=$SU_USER --host=$DB_SERVERIP --port=$DB_PORT --dbname=$DEFAULT_DB_NAME -t -c "SELECT count(pg_terminate_backend(pg_stat_activity.pid)) FROM pg_stat_activity WHERE datname = '$MOSIP_DB_NAME' AND pid <> pg_backend_pid()";exit;)
+echo "Terminated connections"
+
+## Drop db and role
+PGPASSWORD=$SU_USER_PWD psql -v ON_ERROR_STOP=1 --username=$SU_USER --host=$DB_SERVERIP --port=$DB_PORT --dbname=$DEFAULT_DB_NAME -f drop_db.sql
+PGPASSWORD=$SU_USER_PWD psql -v ON_ERROR_STOP=1 --username=$SU_USER --host=$DB_SERVERIP --port=$DB_PORT --dbname=$DEFAULT_DB_NAME -f drop_role.sql
+
+## Create users
+echo `date "+%m/%d/%Y %H:%M:%S"` ": Creating database users" | tee
+PGPASSWORD=$SU_USER_PWD psql -v ON_ERROR_STOP=1 --username=$SU_USER --host=$DB_SERVERIP --port=$DB_PORT --dbname=$DEFAULT_DB_NAME -f role_dbuser.sql -v dbuserpwd=\'$DBUSER_PWD\'
+
+## Create DB
+PGPASSWORD=$SU_USER_PWD psql -v ON_ERROR_STOP=1 --username=$SU_USER --host=$DB_SERVERIP --port=$DB_PORT --dbname=$DEFAULT_DB_NAME -f db.sql
+PGPASSWORD=$SU_USER_PWD psql -v ON_ERROR_STOP=1 --username=$SU_USER --host=$DB_SERVERIP --port=$DB_PORT --dbname=$DEFAULT_DB_NAME -f ddl.sql
+
+## Grants
+PGPASSWORD=$SU_USER_PWD psql -v ON_ERROR_STOP=1 --username=$SU_USER --host=$DB_SERVERIP --port=$DB_PORT --dbname=$DEFAULT_DB_NAME -f grants.sql
+
+## Populate tables
+if [ ${DML_FLAG} == 1 ]
+then
+ echo `date "+%m/%d/%Y %H:%M:%S"` ": Deploying DML for ${MOSIP_DB_NAME} database"
+ PGPASSWORD=$SU_USER_PWD psql -v ON_ERROR_STOP=1 --username=$SU_USER --host=$DB_SERVERIP --port=$DB_PORT --dbname=$DEFAULT_DB_NAME -a -b -f dml.sql
+fi
+
diff --git a/db_scripts/mosip_certify/dml.sql b/db_scripts/mosip_certify/dml.sql
new file mode 100644
index 00000000..03c80195
--- /dev/null
+++ b/db_scripts/mosip_certify/dml.sql
@@ -0,0 +1,24 @@
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at https://mozilla.org/MPL/2.0/.
+-- -------------------------------------------------------------------------------------------------
+
+\c mosip_certify
+
+
+\COPY certify.key_policy_def (APP_ID,KEY_VALIDITY_DURATION,PRE_EXPIRE_DAYS,ACCESS_ALLOWED,IS_ACTIVE,CR_BY,CR_DTIMES) FROM './dml/certify-key_policy_def.csv' delimiter ',' HEADER csv;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/db_scripts/mosip_certify/dml/certify-key_policy_def.csv b/db_scripts/mosip_certify/dml/certify-key_policy_def.csv
new file mode 100644
index 00000000..1dcfce5f
--- /dev/null
+++ b/db_scripts/mosip_certify/dml/certify-key_policy_def.csv
@@ -0,0 +1,4 @@
+app_id,key_validity_duration,pre_expire_days,access_allowed,is_active,cr_by,cr_dtimes
+ROOT,2920,1125,NA,TRUE,mosipadmin,now()
+CERTIFY_SERVICE,1095,60,NA,TRUE,mosipadmin,now()
+CERTIFY_PARTNER,1095,60,NA,TRUE,mosipadmin,now()
diff --git a/db_scripts/mosip_certify/drop_db.sql b/db_scripts/mosip_certify/drop_db.sql
new file mode 100644
index 00000000..375fa445
--- /dev/null
+++ b/db_scripts/mosip_certify/drop_db.sql
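Review bot: When the properties file is missing, the `else` branch only prints a message and execution falls through to the psql calls with `SU_USER`, `DB_SERVERIP` and the other settings unset — `set -e` does not catch this because `echo` succeeds; add `exit 1` after the "Property file not found" echo. The script also has no shebang (its first line is blank) and uses `if [ ${DML_FLAG} == 1 ]`, a bashism that fails under POSIX sh, so either add `#!/bin/bash` as upgrade.sh does or write `if [ "${DML_FLAG}" = 1 ]`. The same missing `exit 1` is present in db_upgrade_script/mosip_certify/upgrade.sh. Note too that the drop/create sequence is unconditional: drop_db.sql removes an existing mosip_certify database with no prompt, unlike db_scripts/init_db.sh, which the README should state for developers.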
@@ -0,0 +1,7 @@
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at https://mozilla.org/MPL/2.0/.
+-- -------------------------------------------------------------------------------------------------
+
+DROP DATABASE IF EXISTS mosip_certify;
+
diff --git a/db_scripts/mosip_certify/drop_role.sql b/db_scripts/mosip_certify/drop_role.sql
new file mode 100644
index 00000000..5e6209a8
--- /dev/null
+++ b/db_scripts/mosip_certify/drop_role.sql
@@ -0,0 +1,6 @@
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at https://mozilla.org/MPL/2.0/.
+-- -------------------------------------------------------------------------------------------------
+
+drop role if exists certifyuser;
diff --git a/db_scripts/mosip_certify/grants.sql b/db_scripts/mosip_certify/grants.sql
new file mode 100644
index 00000000..d7a28195
--- /dev/null
+++ b/db_scripts/mosip_certify/grants.sql
@@ -0,0 +1,22 @@
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at https://mozilla.org/MPL/2.0/.
+-- -------------------------------------------------------------------------------------------------
+
+\c mosip_certify
+
+GRANT CONNECT
+ ON DATABASE mosip_certify
+ TO certifyuser;
+
+GRANT USAGE
+ ON SCHEMA certify
+ TO certifyuser;
+
+GRANT SELECT,INSERT,UPDATE,DELETE,TRUNCATE,REFERENCES
+ ON ALL TABLES IN SCHEMA certify
+ TO certifyuser;
+
+ALTER DEFAULT PRIVILEGES IN SCHEMA certify
+ GRANT SELECT,INSERT,UPDATE,DELETE,REFERENCES ON TABLES TO certifyuser;
+
diff --git a/db_scripts/mosip_certify/role_dbuser.sql b/db_scripts/mosip_certify/role_dbuser.sql
new file mode 100644
index 00000000..0168adb7
--- /dev/null
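Review bot: The application role is granted `TRUNCATE` on the existing key tables (`GRANT SELECT,INSERT,UPDATE,DELETE,TRUNCATE,REFERENCES ON ALL TABLES IN SCHEMA certify`) but the `ALTER DEFAULT PRIVILEGES` line that follows omits it, so tables created later get a narrower grant than key_alias, key_policy_def and key_store do now. A service account that reads and writes key rows should not normally need to truncate the key store, and leaving it out bounds what a leaked application credential can do; if the keymanager does rely on it, add TRUNCATE to the default-privileges line too so the two grants stay consistent. A comment stating which privileges the service actually requires would let the next reviewer check this without guessing.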
+++ b/db_scripts/mosip_certify/role_dbuser.sql
@@ -0,0 +1,9 @@
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at https://mozilla.org/MPL/2.0/.
+-- -------------------------------------------------------------------------------------------------
+
+CREATE ROLE certifyuser WITH
+ INHERIT
+ LOGIN
+ PASSWORD :dbuserpwd;
diff --git a/db_upgrade_script/README.md b/db_upgrade_script/README.md
new file mode 100644
index 00000000..1b407890
--- /dev/null
+++ b/db_upgrade_script/README.md
@@ -0,0 +1 @@
+Directory contains sql scripts to be executed for DB migrations. upgrade and revoke scripts are named after the migrated version.
\ No newline at end of file
diff --git a/db_upgrade_script/mosip_certify/upgrade.properties b/db_upgrade_script/mosip_certify/upgrade.properties
new file mode 100644
index 00000000..5281a777
--- /dev/null
+++ b/db_upgrade_script/mosip_certify/upgrade.properties
@@ -0,0 +1,12 @@
+ACTION=upgrade
+MOSIP_DB_NAME=
+DB_SERVERIP=
+DB_PORT=
+SU_USER=postgres
+SU_USER_PWD=
+SYS_ADMIN_USER=
+SYS_ADMIN_PWD=
+DEFAULT_DB_NAME=postgres
+DBUSER_PWD=
+CURRENT_VERSION=
+UPGRADE_VERSION=
\ No newline at end of file
diff --git a/db_upgrade_script/mosip_certify/upgrade.sh b/db_upgrade_script/mosip_certify/upgrade.sh
new file mode 100644
index 00000000..fb6fcecf
--- /dev/null
+++ b/db_upgrade_script/mosip_certify/upgrade.sh
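Review bot: `PASSWORD :dbuserpwd;` interpolates the psql variable as raw SQL text and relies on deploy.sql's caller wrapping the value in literal quotes (`-v dbuserpwd=\'$DBUSER_PWD\'` in db_scripts/mosip_certify/deploy.sh); a password containing a single quote breaks the statement, and any other character sequence is spliced into the SQL unescaped. psql's quoting form handles this: write `PASSWORD :'dbuserpwd';` here and pass the plain value from deploy.sh with `-v dbuserpwd="$DBUSER_PWD"`.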
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+properties_file="$1"
+echo `date "+%m/%d/%Y %H:%M:%S"` ": $properties_file"
+if [ -f "$properties_file" ]
+then
+ echo `date "+%m/%d/%Y %H:%M:%S"` ": Property file \"$properties_file\" found."
+ while IFS='=' read -r key value
+ do
+ key=$(echo $key | tr '.' '_')
+ eval ${key}=\${value}
+ done < "$properties_file"
+else
+ echo `date "+%m/%d/%Y %H:%M:%S"` ": Property file not found, Pass property file name as argument."
+fi
+
+echo "Current version: $CURRENT_VERSION"
+echo "UPGRADE version: $UPGRADE_VERSION"
+echo "Action: $ACTION"
+
+# Terminate existing connections
+echo "Terminating active connections"
+CONN=$(PGPASSWORD=$SU_USER_PWD psql -v ON_ERROR_STOP=1 --username=$SU_USER --host=$DB_SERVERIP --port=$DB_PORT --dbname=$DEFAULT_DB_NAME -t -c "SELECT count(pg_terminate_backend(pg_stat_activity.pid)) FROM pg_stat_activity WHERE datname = '$MOSIP_DB_NAME' AND pid <> pg_backend_pid()";exit;)
+echo "Terminated connections"
+
+# Execute upgrade or rollback
+if [ "$ACTION" == "upgrade" ]; then
+ echo "Upgrading database from $CURRENT_VERSION to $UPGRADE_VERSION"
+ UPGRADE_SCRIPT_FILE="sql/${CURRENT_VERSION}_to_${UPGRADE_VERSION}_upgrade.sql"
+ if [ -f "$UPGRADE_SCRIPT_FILE" ]; then
+ echo "Executing upgrade script $UPGRADE_SCRIPT_FILE"
+ PGPASSWORD=$SU_USER_PWD psql -v ON_ERROR_STOP=1 --username=$SU_USER --host=$DB_SERVERIP --port=$DB_PORT --dbname=$DEFAULT_DB_NAME -v primary_language_code=$PRIMARY_LANGUAGE_CODE -a -b -f $UPGRADE_SCRIPT_FILE
+ else
+ echo "Upgrade script not found, exiting."
+ exit 1
+ fi
+elif [ "$ACTION" == "rollback" ]; then
+ echo "Rolling back database for $CURRENT_VERSION to $UPGRADE_VERSION"
+ REVOKE_SCRIPT_FILE="sql/${CURRENT_VERSION}_to_${UPGRADE_VERSION}_rollback.sql"
+ if [ -f "$REVOKE_SCRIPT_FILE" ]; then
+ echo "Executing rollback script $REVOKE_SCRIPT_FILE"
+ PGPASSWORD=$SU_USER_PWD psql -v ON_ERROR_STOP=1 --username=$SU_USER --host=$DB_SERVERIP --port=$DB_PORT --dbname=$DEFAULT_DB_NAME -v primary_language_code=$PRIMARY_LANGUAGE_CODE -a -b -f $REVOKE_SCRIPT_FILE
+ else
+ echo "rollback script not found, exiting."
+ exit 1
+ fi
+else
+ echo "Unknown action: $ACTION, must be 'upgrade' or 'rollback'."
+ exit 1
+fi
\ No newline at end of file
diff --git a/docker-compose/docker-compose-certify/README.md b/docker-compose/docker-compose-certify/README.md
index 87af1651..3725510f 100644
--- a/docker-compose/docker-compose-certify/README.md
+++ b/docker-compose/docker-compose-certify/README.md
@@ -6,7 +6,7 @@ This is the docker-compose setup to run esignet UI and esignet-service. This is 1. "config" folder holds the esignet properties file. 2. "docker-compose.yml" file with esignet setup with other required services -3. "init.sql" comprises DDL and DMLs required by esignet. +3. "esignet_init.sql" comprises DDL and DMLs required by esignet. 4. "loader_path" this is esignet mount volume from where all the runtime dependencies are loaded to classpath. If any new esignet plugins to be tested should be placed in this folder and respective plugin configuration should be updated in config/esignet-default.properties.
diff --git a/docker-compose/docker-compose-certify/certify_init.sql b/docker-compose/docker-compose-certify/certify_init.sql
new file mode 100644
index 00000000..a2cc9df0
--- /dev/null
+++ b/docker-compose/docker-compose-certify/certify_init.sql
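Review bot: Both psql invocations pass `-v primary_language_code=$PRIMARY_LANGUAGE_CODE`, but no such key exists in upgrade.properties and nothing in the script sets it, so the variable is always empty unless the caller exports it; either drop the option or add `PRIMARY_LANGUAGE_CODE=` to upgrade.properties. Every call also uses `--dbname=$DEFAULT_DB_NAME` (the `postgres` maintenance database) rather than `$MOSIP_DB_NAME`, which only works if each sql/*_upgrade.sql and *_rollback.sql begins with `\c` to the target database — a comment above the `# Execute upgrade or rollback` line stating that convention would prevent a migration from silently running against the wrong database. Since upgrade.properties is where `SU_USER_PWD` and `DBUSER_PWD` are filled in, a header line in that file such as `# copy to a local, uncommitted file before entering passwords` would keep credentials out of version control.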
@@ -0,0 +1,72 @@ +CREATE DATABASE mosip_certify + ENCODING = 'UTF8' + LC_COLLATE = 'en_US.UTF-8' + LC_CTYPE = 'en_US.UTF-8' + TABLESPACE = pg_default + OWNER = postgres + TEMPLATE = template0; + +COMMENT ON DATABASE mosip_certify IS 'certify related data is stored in this database'; + +\c mosip_certify postgres + +DROP SCHEMA IF EXISTS certify CASCADE; +CREATE SCHEMA certify; +ALTER SCHEMA certify OWNER TO postgres; +ALTER DATABASE mosip_certify SET search_path TO certify,pg_catalog,public; + +CREATE TABLE certify.key_alias( + id character varying(36) NOT NULL, + app_id character varying(36) NOT NULL, + ref_id character varying(128), + key_gen_dtimes timestamp, + key_expire_dtimes timestamp, + status_code character varying(36), + lang_code character varying(3), + cr_by character varying(256) NOT NULL, + cr_dtimes timestamp NOT NULL, + upd_by character varying(256), + upd_dtimes timestamp, + is_deleted boolean DEFAULT FALSE, + del_dtimes timestamp, + cert_thumbprint character varying(100), + uni_ident character varying(50), + CONSTRAINT pk_keymals_id PRIMARY KEY (id), + CONSTRAINT uni_ident_const UNIQUE (uni_ident) +); + +CREATE TABLE certify.key_policy_def( + app_id character varying(36) NOT NULL, + key_validity_duration smallint, + is_active boolean NOT NULL, + pre_expire_days smallint, + access_allowed character varying(1024), + cr_by character varying(256) NOT NULL, + cr_dtimes timestamp NOT NULL, + upd_by character varying(256), + upd_dtimes timestamp, + is_deleted boolean DEFAULT FALSE, + del_dtimes timestamp, + CONSTRAINT pk_keypdef_id PRIMARY KEY (app_id) +); + +CREATE TABLE certify.key_store( + id character varying(36) NOT NULL, + master_key character varying(36) NOT NULL, + private_key character varying(2500) NOT NULL, + certificate_data character varying NOT NULL, + cr_by character varying(256) NOT NULL, + cr_dtimes timestamp NOT NULL, + upd_by character varying(256), + upd_dtimes timestamp, + is_deleted boolean DEFAULT FALSE, + del_dtimes timestamp, + 
CONSTRAINT pk_keystr_id PRIMARY KEY (id) +); + + + +INSERT INTO certify.KEY_POLICY_DEF(APP_ID,KEY_VALIDITY_DURATION,PRE_EXPIRE_DAYS,ACCESS_ALLOWED,IS_ACTIVE,CR_BY,CR_DTIMES) VALUES('ROOT', 2920, 1125, 'NA', true, 'mosipadmin', now()); +INSERT INTO certify.KEY_POLICY_DEF(APP_ID,KEY_VALIDITY_DURATION,PRE_EXPIRE_DAYS,ACCESS_ALLOWED,IS_ACTIVE,CR_BY,CR_DTIMES) VALUES('CERTIFY_SERVICE', 1095, 50, 'NA', true, 'mosipadmin', now()); +INSERT INTO certify.KEY_POLICY_DEF(APP_ID,KEY_VALIDITY_DURATION,PRE_EXPIRE_DAYS,ACCESS_ALLOWED,IS_ACTIVE,CR_BY,CR_DTIMES) VALUES('CERTIFY_PARTNER', 1095, 50, 'NA', true, 'mosipadmin', now()); + diff --git a/docker-compose/docker-compose-certify/config/certify-default.properties b/docker-compose/docker-compose-certify/config/certify-default.properties index ea54eff6..2b825f2d 100644 --- a/docker-compose/docker-compose-certify/config/certify-default.properties +++ b/docker-compose/docker-compose-certify/config/certify-default.properties 
@@ -247,3 +247,110 @@ mosip.certify.key-values={\ }}\ }\ } + +#------------------------------------ Key-manager specific properties -------------------------------------------------- +#Crypto asymmetric algorithm name +mosip.kernel.crypto.asymmetric-algorithm-name=RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING +#Crypto symmetric algorithm name +mosip.kernel.crypto.symmetric-algorithm-name=AES/GCM/PKCS5Padding +#Keygenerator asymmetric algorithm name +mosip.kernel.keygenerator.asymmetric-algorithm-name=RSA +#Keygenerator symmetric algorithm name +mosip.kernel.keygenerator.symmetric-algorithm-name=AES +#Asymmetric algorithm key length +mosip.kernel.keygenerator.asymmetric-key-length=2048 +#Symmetric algorithm key length +mosip.kernel.keygenerator.symmetric-key-length=256 +#Encrypted data and encrypted symmetric key separator +mosip.kernel.data-key-splitter=#KEY_SPLITTER# +#GCM tag length +mosip.kernel.crypto.gcm-tag-length=128 +#Hash algo name +mosip.kernel.crypto.hash-algorithm-name=PBKDF2WithHmacSHA512 +#Symmtric key length used in hash +mosip.kernel.crypto.hash-symmetric-key-length=256 +#No of iterations in hash +mosip.kernel.crypto.hash-iteration=100000 +#Sign algo name +mosip.kernel.crypto.sign-algorithm-name=RS256 +#Certificate Sign algo name +mosip.kernel.certificate.sign.algorithm=SHA256withRSA + +mosip.kernel.keymanager.hsm.config-path=CERTIFY_PKCS12/local.p12 +mosip.kernel.keymanager.hsm.keystore-type=PKCS12 +mosip.kernel.keymanager.hsm.keystore-pass=local + +#Type of keystore, Supported Types: PKCS11, PKCS12, Offline, JCE +#mosip.kernel.keymanager.hsm.keystore-type=PKCS11 +# For PKCS11 provide Path of config file. +# For PKCS12 keystore type provide the p12/pfx file path. P12 file will be created internally so provide only file path & file name. +# For Offline & JCE property can be left blank, specified value will be ignored. 
+#mosip.kernel.keymanager.hsm.config-path=/config/softhsm-application.conf +# Passkey of keystore for PKCS11, PKCS12 +# For Offline & JCE proer can be left blank. JCE password use other JCE specific properties. +#mosip.kernel.keymanager.hsm.keystore-pass=${softhsm.certify.mock.security.pin} + + +mosip.kernel.keymanager.certificate.default.common-name=www.example.com +mosip.kernel.keymanager.certificate.default.organizational-unit=EXAMPLE-CENTER +mosip.kernel.keymanager.certificate.default.organization=IIITB +mosip.kernel.keymanager.certificate.default.location=BANGALORE +mosip.kernel.keymanager.certificate.default.state=KA +mosip.kernel.keymanager.certificate.default.country=IN + +mosip.kernel.keymanager.softhsm.certificate.common-name=www.example.com +mosip.kernel.keymanager.softhsm.certificate.organizational-unit=Example Unit +mosip.kernel.keymanager.softhsm.certificate.organization=IIITB +mosip.kernel.keymanager.softhsm.certificate.country=IN + +# Application Id for PMS master key. +mosip.kernel.partner.sign.masterkey.application.id=PMS +mosip.kernel.partner.allowed.domains=DEVICE + +mosip.kernel.keymanager-service-validate-url=https://${mosip.hostname}/keymanager/validate +mosip.kernel.keymanager.jwtsign.validate.json=false +mosip.keymanager.dao.enabled=false +crypto.PrependThumbprint.enable=true + +mosip.kernel.keymgr.hsm.health.check.enabled=true +mosip.kernel.keymgr.hsm.health.key.app-id=CERTIFY_SERVICE +mosip.kernel.keymgr.hsm.healthkey.ref-id=TRANSACTION_CACHE + +mosip.kernel.keymgr.hsm.health.check.encrypt=true + +mosip.certify.cache.security.secretkey.reference-id=TRANSACTION_CACHE + +##----------------------------------------- Database properties -------------------------------------------------------- + +mosip.certify.database.hostname=database +mosip.certify.database.port=5432 +spring.datasource.url=jdbc:postgresql://${mosip.certify.database.hostname}:${mosip.certify.database.port}/mosip_certify?currentSchema=certify 
+spring.datasource.username=postgres +spring.datasource.password=postgres + +spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect +spring.jpa.show-sql=false +spring.jpa.hibernate.ddl-auto=none +spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true + +## ---------------------------------------- Cache configuration -------------------------------------------------------- +#spring.cache.type=redis +#spring.data.redis.host=redis +#spring.data.redis.port=6379 +#spring.data.redis.password=redis + +spring.cache.type=simple +spring.cache.cache-names=${mosip.certify.cache.names} + +management.health.redis.enabled=false + +mosip.certify.access-token-expire-seconds=86400 + +mosip.certify.cache.names=userinfo,vcissuance +# Cache size setup is applicable only for 'simple' cache type. +# Cache size configuration will not be considered with 'Redis' cache type +mosip.certify.cache.size={'userinfo': 200, 'vcissuance' : 2000 } + + +# Cache expire in seconds is applicable for both 'simple' and 'Redis' cache type +mosip.certify.cache.expire-in-seconds={'userinfo': ${mosip.certify.access-token-expire-seconds}, 'vcissuance': ${mosip.certify.access-token-expire-seconds}} \ No newline at end of file diff --git a/docker-compose/docker-compose-certify/config/certify-plugin-default.properties b/docker-compose/docker-compose-certify/config/certify-plugin-default.properties index 3b738ef8..d59ff170 100644 --- a/docker-compose/docker-compose-certify/config/certify-plugin-default.properties +++ b/docker-compose/docker-compose-certify/config/certify-plugin-default.properties 
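Review bot: The compose service connects as `spring.datasource.username=postgres` / `spring.datasource.password=postgres`, i.e. the cluster superuser, while the db_scripts added in the same commit provision a least-privilege `certifyuser` role; certify_init.sql creates no such role, so the compose environment cannot currently use it. Adding the role and grants to certify_init.sql and pointing these two properties at it would let the local setup exercise the same privilege boundary as a deployment. `mosip.kernel.keymanager.hsm.keystore-pass=local` is likewise a fixed password for the PKCS12 keystore; a comment beside it, `# dev-only default for the docker-compose PKCS12 keystore`, would make that intent explicit next to the commented PKCS11 alternative.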
@@ -27,4 +27,10 @@ mosip.certify.vciplugin.sunbird-rc.credential-type.InsuranceCredential.template- mosip.certify.vciplugin.sunbird-rc.credential-type.InsuranceCredential.registry-get-url=http://nginx:80/registry/api/v1/Insurance/ mosip.certify.vciplugin.sunbird-rc.credential-type.InsuranceCredential.cred-schema-id=did:schema:6f0d5bd7-3e77-4b18-9984-14a7a64f0596 mosip.certify.vciplugin.sunbird-rc.credential-type.InsuranceCredential.cred-schema-version=1.0.0 -mosip.certify.vciplugin.sunbird-rc.credential-type.InsuranceCredential.registry-search-url=http://nginx:80/registry/api/v1/Insurance/search \ No newline at end of file +mosip.certify.vciplugin.sunbird-rc.credential-type.InsuranceCredential.registry-search-url=http://nginx:80/registry/api/v1/Insurance/search + +## ------------------------------------------- Mock ID Integration properties ------------------------------------------------------------ +#mosip.certify.integration.scan-base-package=io.mosip.certify.mock.integration +#mosip.certify.integration.audit-plugin=LoggerAuditService +#mosip.certify.integration.vci-plugin=MockVCIssuancePlugin +#mosip.certify.mock.vciplugin.verification-method=${mosip.certify.authn.jwk-set-uri} diff --git a/docker-compose/docker-compose-certify/config/esignet-default.properties b/docker-compose/docker-compose-certify/config/esignet-default.properties index 85eb2a3c..058d084e 100644 --- a/docker-compose/docker-compose-certify/config/esignet-default.properties +++ b/docker-compose/docker-compose-certify/config/esignet-default.properties @@ -319,7 +319,7 @@ mosip.kernel.crypto.sign-algorithm-name=RS256 #Certificate Sign algo name mosip.kernel.certificate.sign.algorithm=SHA256withRSA -mosip.kernel.keymanager.hsm.config-path=PKCS12/local.p12 +mosip.kernel.keymanager.hsm.config-path=ESIGNET_PKCS12/local.p12 mosip.kernel.keymanager.hsm.keystore-type=PKCS12 mosip.kernel.keymanager.hsm.keystore-pass=local 
@@ -336,16 +336,16 @@ mosip.kernel.keymanager.hsm.keystore-pass=local mosip.esignet.supported-formats={'OTP': 'alpha-numeric', 'PWD': 'alpha-numeric', 'BIO': 'encoded-json', 'WLA': 'jwt', 'PIN': 'number', 'KBA': 'base64url-encoded-json'} -mosip.kernel.keymanager.certificate.default.common-name=www.mosip.io -mosip.kernel.keymanager.certificate.default.organizational-unit=MOSIP-TECH-CENTER -mosip.kernel.keymanager.certificate.default.organization=IITB +mosip.kernel.keymanager.certificate.default.common-name=www.example.com +mosip.kernel.keymanager.certificate.default.organizational-unit=EXAMPLE-CENTER +mosip.kernel.keymanager.certificate.default.organization=IIITB mosip.kernel.keymanager.certificate.default.location=BANGALORE mosip.kernel.keymanager.certificate.default.state=KA mosip.kernel.keymanager.certificate.default.country=IN -mosip.kernel.keymanager.softhsm.certificate.common-name=www.mosip.io -mosip.kernel.keymanager.softhsm.certificate.organizational-unit=MOSIP -mosip.kernel.keymanager.softhsm.certificate.organization=IITB +mosip.kernel.keymanager.softhsm.certificate.common-name=www.example.com +mosip.kernel.keymanager.softhsm.certificate.organizational-unit=Example Unit +mosip.kernel.keymanager.softhsm.certificate.organization=IIITB mosip.kernel.keymanager.softhsm.certificate.country=IN # Application Id for PMS master key. diff --git a/docker-compose/docker-compose-certify/docker-compose.yml b/docker-compose/docker-compose-certify/docker-compose.yml index 4a1aaaab..aaebdd96 100644 --- a/docker-compose/docker-compose-certify/docker-compose.yml +++ b/docker-compose/docker-compose-certify/docker-compose.yml 
@@ -9,11 +9,12 @@ services: - POSTGRES_USER=postgres - POSTGRES_PASSWORD=postgres volumes: - - ./init.sql:/docker-entrypoint-initdb.d/init.sql + - ./esignet_init.sql:/docker-entrypoint-initdb.d/esignet_init.sql + - ./certify_init.sql:/docker-entrypoint-initdb.d/certify_init.sql networks: - network artifactory-server: - image: 'mosipdev/artifactory-server:develop' + image: 'mosipdev/artifactory-server:release-0.9.0-INJI' ports: - 8080:8080 networks: @@ -57,7 +58,7 @@ services: volumes: - ./config/esignet-default.properties:/home/mosip/esignet-default.properties - ./loader_path/esignet/:/home/mosip/additional_jars/ - - ./data/PKCS12:/home/mosip/PKCS12 + - ./data/ESIGNET_PKCS12:/home/mosip/ESIGNET_PKCS12 networks: - network certify: @@ -72,9 +73,11 @@ services: - SPRING_CONFIG_NAME=certify,certify-plugin - SPRING_CONFIG_LOCATION=/home/mosip/certify-default.properties,/home/mosip/certify-plugin-default.properties # - enable_certify_artifactory=false + - download_hsm_client=false volumes: - ./config/certify-default.properties:/home/mosip/certify-default.properties - ./config/certify-plugin-default.properties:/home/mosip/certify-plugin-default.properties + - ./data/CERTIFY_PKCS12:/home/mosip/CERTIFY_PKCS12 # - ./loader_path/certify/:/home/mosip/additional_jars/ depends_on: - esignet diff --git a/docker-compose/docker-compose-certify/init.sql b/docker-compose/docker-compose-certify/esignet_init.sql similarity index 100% rename from docker-compose/docker-compose-certify/init.sql rename to docker-compose/docker-compose-certify/esignet_init.sql diff --git a/helm/inji-certify/copy_cm.sh b/helm/inji-certify/copy_cm.sh old mode 100644 new mode 100755 index 0fe9a310..3b77f80f --- a/helm/inji-certify/copy_cm.sh +++ b/helm/inji-certify/copy_cm.sh 
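Review bot: Postgres executes the files in /docker-entrypoint-initdb.d in sorted filename order, so the newly mounted `certify_init.sql` runs before `esignet_init.sql`; if either script assumes the other has already created a role, database or extension, the first hunk silently breaks the setup. Making the order explicit in the target names, e.g. `- ./esignet_init.sql:/docker-entrypoint-initdb.d/01-esignet_init.sql` and `- ./certify_init.sql:/docker-entrypoint-initdb.d/02-certify_init.sql`, removes the dependency on alphabetical luck. The `download_hsm_client=false` variable added in the third hunk carries no explanation; a one-line comment stating why it is false (presumably because the keystore is bind-mounted from `./data/CERTIFY_PKCS12` on the following lines) would help the next person editing this file.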
@@ -9,6 +9,7 @@ function copying_cm() { $COPY_UTIL configmap global default $DST_NS $COPY_UTIL configmap artifactory-share artifactory $DST_NS $COPY_UTIL configmap config-server-share config-server $DST_NS + $COPY_UTIL configmap softhsm-certify-share softhsm $DST_NS return 0 } diff --git a/helm/inji-certify/copy_cm_func.sh b/helm/inji-certify/copy_cm_func.sh old mode 100644 new mode 100755 diff --git a/helm/inji-certify/delete.sh b/helm/inji-certify/delete.sh old mode 100644 new mode 100755 diff --git a/helm/inji-certify/install.sh b/helm/inji-certify/install.sh old mode 100644 new mode 100755 index c6003a7d..b170a720 --- a/helm/inji-certify/install.sh +++ b/helm/inji-certify/install.sh @@ -6,6 +6,12 @@ if [ $# -ge 1 ] ; then export KUBECONFIG=$1 fi +SOFTHSM_NS=softhsm +SOFTHSM_CHART_VERSION=0.0.1-develop + +echo Create $SOFTHSM_NS namespace +kubectl create ns $SOFTHSM_NS + NS=inji-certify CHART_VERSION=0.0.1-develop 
@@ -13,15 +19,31 @@ echo Create $NS namespace kubectl create ns $NS function installing_inji-certify() { + echo Istio label - kubectl label ns $NS istio-injection=enabled --overwrite + kubectl label ns $SOFTHSM_NS istio-injection=enabled --overwrite + helm repo add mosip https://mosip.github.io/mosip-helm helm repo update + echo Installing Softhsm for certify + helm -n $SOFTHSM_NS install softhsm-certify mosip/softhsm -f softhsm-values.yaml --version $SOFTHSM_CHART_VERSION --wait + echo Installed Softhsm for certify + + echo Copy configmaps + ./copy_cm_func.sh configmap global default config-server + + echo Copy secrets + ./copy_cm_func.sh secret softhsm-certify softhsm config-server + + kubectl -n config-server set env --keys=mosip-injicertify-host --from configmap/global deployment/config-server --prefix=SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_ + kubectl -n config-server set env --keys=security-pin --from secret/softhsm-certify deployment/config-server --prefix=SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SOFTHSM_CERTIFY_ + kubectl -n config-server get deploy -o name | xargs -n1 -t kubectl -n config-server rollout status echo Copy configmaps sed -i 's/\r$//' copy_cm.sh ./copy_cm.sh + INJICERTIFY_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-injicertify-host}) echo "Do you have public domain & valid SSL? (Y/n) " echo "Y: if you have public domain & valid ssl certificate" echo "n: If you don't have a public domain and a valid SSL certificate. Note: It is recommended to use this option only in development environments." 
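Review bot: `INJICERTIFY_HOST` is read from the `global` configmap without a namespace, so it depends on the kubeconfig's current namespace, whereas the copy command a few lines above takes `global` from `default`; an empty result is not detected and would later be handed to helm as the gateway host. Suggest `INJICERTIFY_HOST=$(kubectl -n default get cm global -o jsonpath='{.data.mosip-injicertify-host}')` followed by `[ -n "$INJICERTIFY_HOST" ] || { echo "mosip-injicertify-host missing from global configmap"; exit 1; }`. Separately, this hunk replaces the `istio-injection=enabled` label on `$NS` with one on `$SOFTHSM_NS`, so the inji-certify namespace itself appears to lose sidecar injection (and with it mesh mTLS/policy enforcement for the certify pods); if that is intended it deserves a comment, otherwise keep both label commands. The function body continues past the end of this hunk.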
@@ -37,7 +59,7 @@ function installing_inji-certify() { fi echo Running inji-certify - helm -n $NS install inji-certify mosip/inji-certify --version $CHART_VERSION $ENABLE_INSECURE + helm -n $NS install inji-certify mosip/inji-certify --set image.repository=mosipqa/inji-certify --set image.tag=0.9.x --set istio.hosts\[0\]=$INJICERTIFY_HOST --version $CHART_VERSION $ENABLE_INSECURE kubectl -n $NS get deploy -o name | xargs -n1 -t kubectl -n $NS rollout status @@ -51,4 +73,4 @@ set -o errexit ## set -e : exit the script if any statement returns a non-true set -o nounset ## set -u : exit the script if you try to use an uninitialised variable set -o errtrace # trace ERR through 'time command' and other functions set -o pipefail # trace ERR through pipes -installing_inji-certify # calling function \ No newline at end of file +installing_inji-certify # calling function diff --git a/helm/inji-certify/restart.sh b/helm/inji-certify/restart.sh old mode 100644 new mode 100755 diff --git a/helm/inji-certify/softhsm-values.yaml b/helm/inji-certify/softhsm-values.yaml new file mode 100644 index 00000000..581bbd13 --- /dev/null +++ b/helm/inji-certify/softhsm-values.yaml @@ -0,0 +1,7 @@ +resources: + limits: {} + # cpu: 250m + # memory: 1Gi + requests: + cpu: 100m + memory: 20Mi diff --git a/helm/inji-certify/templates/gateway.yaml b/helm/inji-certify/templates/gateway.yaml new file mode 100644 index 00000000..c52cd450 --- /dev/null +++ b/helm/inji-certify/templates/gateway.yaml 
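Review bot: The helm install line now hard-codes `--set image.repository=mosipqa/inji-certify --set image.tag=0.9.x`, so every run may pull a different build from a QA repository and the deployment is not reproducible or pinned to a reviewed artifact. Move both values into variables next to `CHART_VERSION`, e.g. `IMAGE_REPO=${IMAGE_REPO:-mosipqa/inji-certify}` and `IMAGE_TAG=${IMAGE_TAG:-0.9.x}`, and prefer an immutable release tag or image digest for anything beyond a development install. `$INJICERTIFY_HOST` is also expanded unquoted in the `--set istio.hosts\[0\]=` argument; writing it as `--set "istio.hosts[0]=$INJICERTIFY_HOST"` avoids both the escaping and word-splitting. The function's opening line is outside this hunk.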
@@ -0,0 +1,20 @@ +{{- if .Values.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + {{- with (first .Values.istio.gateways) }} + name: {{ .name }} + {{- end }} +spec: + selector: + istio: {{ .Values.istio.ingressController.name }} + servers: + - port: + {{- with (first .Values.istio.gateways) }} + number: {{ .port }} + name: {{ .portName }} + protocol: {{ .protocol }} + {{- end }} + hosts: + {{- include "common.tplvalues.render" ( dict "value" .Values.istio.hosts "context" $ ) | nindent 6 }} + {{- end }} diff --git a/helm/inji-certify/templates/virtualservice.yaml b/helm/inji-certify/templates/virtualservice.yaml index 2b8e5e41..1a2b72ff 100644 --- a/helm/inji-certify/templates/virtualservice.yaml +++ b/helm/inji-certify/templates/virtualservice.yaml @@ -15,7 +15,9 @@ spec: hosts: - "*" gateways: - {{- include "common.tplvalues.render" ( dict "value" .Values.istio.gateways "context" $ ) | nindent 4 }} + {{ range $index, $service := .Values.istio.gateways }} + - {{ .name }} + {{ end }} http: - match: - uri: diff --git a/helm/inji-certify/values.yaml b/helm/inji-certify/values.yaml index 7839dbee..bcafe045 100644 --- a/helm/inji-certify/values.yaml +++ b/helm/inji-certify/values.yaml @@ -446,14 +446,19 @@ metrics: # severity: error rules: [] -inji-certify: ## Only internal access istio: enabled: true + ingressController: + name: ingressgateway gateways: - - istio-system/public - - istio-system/internal - prefix: /v1/certify/ + - name: inji-certify-gateway + protocol: HTTP + portName: http + port: 80 + hosts: + - injicertify.sandbox.xyz.net + prefix: / enable_insecure: false springConfigNameEnv: diff --git a/pom.xml b/pom.xml index 9229ea82..a9f0a15e 100644 --- a/pom.xml +++ b/pom.xml @@ -103,6 +103,7 @@ 0.5.0 2.5.0 1.7 + 18.0 @@ -126,9 +127,13 @@ ${jose4j.version} - io.mosip.kernel - kernel-core - ${kernel.core.version} + org.projectlombok + lombok + 1.18.30 + + + jakarta.servlet + jakarta.servlet-api com.vaadin.external.google
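Review bot: gateway.yaml renders only `first .Values.istio.gateways`, while virtualservice.yaml in the same commit lists `.name` of every entry, so a second entry in the list would be referenced by the VirtualService but never created as a Gateway; either range over the list here as well or state in values.yaml that exactly one gateway is supported. The only server is `protocol: HTTP` on port 80 with no TLS server and no `httpsRedirect`, so unless TLS is terminated in front of the ingress gateway the certify endpoints are reachable in plaintext; a comment on the `servers:` block saying where TLS is expected to terminate would make that intent explicit. The trailing `{{- end }}` is indented under `hosts:` although it closes the outer `if`; placing it at column 0 makes the template structure easier to read.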
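Review bot: The new `range` in virtualservice.yaml uses untrimmed `{{ range ... }}` and `{{ end }}` tags and declares `$index, $service` that are never used, which emits stray indented blank lines inside the `gateways:` sequence and reads as unfinished. The equivalent `{{- range .Values.istio.gateways }}` / `- {{ .name }}` / `{{- end }}` renders a clean list. The previous entries pointed at `istio-system/...` gateways; the new names are resolved in the release namespace, which matches where gateway.yaml creates them but is worth a short comment so nobody reintroduces namespace-qualified names.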
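Review bot: `prefix` changes from `/v1/certify/` to `/`, so the VirtualService now forwards every path of the service through the gateway instead of only the API; if the pod serves management or actuator endpoints on the same port they become reachable from the ingress, so keep the narrower prefix or add an explicit route that excludes them. The `## Only internal access` comment left above `istio:` is now stale since the gateway carries a public host. `injicertify.sandbox.xyz.net` is a sample domain that install.sh overrides through `istio.hosts[0]`; marking it as such, e.g. `- injicertify.sandbox.xyz.net # placeholder, overridden by install.sh via istio.hosts[0]`, keeps it from being deployed by mistake.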
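Review bot: The `18.0` added to the properties block, presumably the Guava version property consumed by certify-core, is a 2014 release; later Guava releases fixed published advisories (temporary-directory permissions and collection deserialization), so a new dependency should start from a current 33.x-jre release rather than this one. A short comment next to the property noting why Guava was introduced and which module uses it would also help future upgrades.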