From 25462147df8ca8c90279455a5f8fa4ef8cfdc2bb Mon Sep 17 00:00:00 2001 From: nagendra0721 Date: Thu, 14 Nov 2024 19:48:28 +0530 Subject: [PATCH 1/5] MOSIP-36354: download a p7b file for a CA / Intermediate CA certificate along with the trust chain Signed-off-by: nagendra0721 --- .../CACertificateStoreRepository.java | 8 +++ .../constant/PartnerCertManagerConstants.java | 4 ++ .../PartnerCertManagerErrorConstants.java | 4 +- .../PartnerCertManagerController.java | 26 +++++++++ .../dto/AuthorizedRolesDTO.java | 1 + .../dto/CAp7bFileDownloadRequestDto.java | 23 ++++++++ .../dto/CAp7bFileDownloadResponseDto.java | 31 +++++++++++ .../helper/PartnerCertManagerDBHelper.java | 5 ++ .../PartnerCertificateManagerServiceImpl.java | 53 +++++++++++++++++++ .../spi/PartnerCertificateManagerService.java | 9 ++++ .../util/PartnerCertificateManagerUtil.java | 4 ++ .../resources/application-local.properties | 3 +- 12 files changed, 169 insertions(+), 2 deletions(-) create mode 100644 kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadRequestDto.java create mode 100644 kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadResponseDto.java diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/repository/CACertificateStoreRepository.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/repository/CACertificateStoreRepository.java index b1178d60..c04c1102 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/repository/CACertificateStoreRepository.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/keymanagerservice/repository/CACertificateStoreRepository.java 
@@ -39,6 +39,14 @@ public interface CACertificateStoreRepository extends JpaRepository getCaCertificateList( response.setResponse(partnerCertManagerService.getCaCertificateChain(certListRequestDto.getRequest())); return response; } + + /** + * To Download p7b file for a CA / Intermediate CA certificate along with the trust chain + * + * @param p7bFileDownloadRequestDto {@link CAp7bFileDownloadRequestDto} request + * @return {@link CAp7bFileDownloadResponseDto} p7b data + */ + @Operation(summary = "To Download p7b file for a CA / Intermediate CA certificate along with the trust chain.", + description = "To Download p7b file for a CA / Intermediate CA certificate along with the trust chain.", tags = { "cacertmanager" }) + @ApiResponses(value = { + @ApiResponse(responseCode = "200", description = "Success or you may find errors in error array in response"), + @ApiResponse(responseCode = "401", description = "Unauthorized", content = @Content(schema = @Schema(hidden = true))), + @ApiResponse(responseCode = "403", description = "Forbidden", content = @Content(schema = @Schema(hidden = true))), + @ApiResponse(responseCode = "404", description = "Not Found", content = @Content(schema = @Schema(hidden = true))) }) + @ResponseFilter + @PreAuthorize("hasAnyRole(@keyManAuthRoles.getGetcap7bfilecacertid())") + @GetMapping(value = "/getp7bCACertificateTrust/{caCertId}") + public ResponseWrapper getp7bCACertificateTrust( + @ApiParam("To Download p7b file CA certificate along with trust.") @PathVariable("caCertId") String caCertId) { + CAp7bFileDownloadRequestDto p7bFileDownloadRequestDto = new CAp7bFileDownloadRequestDto(); + p7bFileDownloadRequestDto.setCaCertId(caCertId); + ResponseWrapper response = new ResponseWrapper<>(); + response.setResponse(partnerCertManagerService.getp7bCACertificateWithTrust(p7bFileDownloadRequestDto)); + return response; + } + } \ No newline at end of file 
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/AuthorizedRolesDTO.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/AuthorizedRolesDTO.java
index 98b7a2c7..495dd401 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/AuthorizedRolesDTO.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/AuthorizedRolesDTO.java
@@ -28,4 +28,5 @@ public class AuthorizedRolesDTO {
 private List postgetcacertificates;
+ private List getcap7bfilecacertid;
 }
\ No newline at end of file
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadRequestDto.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadRequestDto.java
new file mode 100644
index 00000000..34e3374e
--- /dev/null
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadRequestDto.java
@@ -0,0 +1,23 @@
+package io.mosip.kernel.partnercertservice.dto;
+
+import io.mosip.kernel.keymanagerservice.constant.KeymanagerConstant;
+import io.swagger.annotations.ApiModel;
+import io.swagger.annotations.ApiModelProperty;
+import jakarta.validation.constraints.NotBlank;
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+@Data
+@AllArgsConstructor
+@NoArgsConstructor
+@ApiModel(description = "Model representing request to download p7b file for ca certificate")
+public class CAp7bFileDownloadRequestDto {
+
+ /**
+ * Certificate ID of CA Certificate
+ */
+ @ApiModelProperty(notes = "CA Certificate ID", required = true)
+ @NotBlank(message = KeymanagerConstant.INVALID_REQUEST)
+ String caCertId;
+}
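Review bot: The `@NotBlank` on `caCertId` in CAp7bFileDownloadRequestDto is never evaluated: the controller hunk in this patch builds the DTO itself from the `{caCertId}` path variable and hands it straight to the service, and as far as the visible code shows no bean validation (`@Valid`) runs on it, so the only effective guard is the `isValidCertificateID` check in the service. Either drop the annotation so the DTO does not advertise a check that is not performed, or validate it explicitly with `@Validated` on the controller and `@Valid` on the argument. The field is also package-private (`String caCertId;`) while Lombok generates public accessors; `private String caCertId;` matches the other DTOs in this series.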
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadResponseDto.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadResponseDto.java
new file mode 100644
index 00000000..088571a6
--- /dev/null
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadResponseDto.java
@@ -0,0 +1,31 @@
+package io.mosip.kernel.partnercertservice.dto;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import java.time.LocalDateTime;
+
+/**
+ * DTO class for download of p7b File for CA Certificate.
+ */
+@Data
+@AllArgsConstructor
+@NoArgsConstructor
+public class CAp7bFileDownloadResponseDto {
+//
+// /**
+// * format of certificate
+// */
+//
+// private String Format;
+ /**
+ * CA Certificate Data
+ */
+ private String p7bFile;
+
+ /**
+ * Response Timestamp
+ */
+ private LocalDateTime timestamp;
+}
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/helper/PartnerCertManagerDBHelper.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/helper/PartnerCertManagerDBHelper.java
index 1e18d169..dd9e5fa8 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/helper/PartnerCertManagerDBHelper.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/helper/PartnerCertManagerDBHelper.java
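Review bot: The commented-out `Format` field and its Javadoc (`// private String Format;` and the four `//` lines above it) in CAp7bFileDownloadResponseDto should be deleted rather than shipped in a new file; if a format indicator is still planned, track it in the ticket. The `p7bFile` Javadoc says only `CA Certificate Data`, which does not tell a client what the string actually holds; it is whatever `buildCertChain` emits, which is not visible here, so once confirmed the comment should state it, e.g. `/** PKCS#7 (p7b) bundle of the CA certificate and its trust path, as produced by PartnerCertificateManagerUtil.buildCertChain (confirm encoding) */`. `timestamp` is a `LocalDateTime` with no zone, and the value is set from a `timestamp` whose origin is outside the visible hunks, so note the zone it is generated in.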
@@ -177,4 +177,9 @@ public void getCertThumbprints(String appId, Optional refId, List certList = null; + if (!PartnerCertificateManagerUtil.isSelfSignedCertificate(caCertificate)){ + certList = getCertificateTrustPath(caCertificate, partnerDomain); + } + + + List chain = new ArrayList<>(); + chain.add(caCertificate); + if (certList != null) { + chain.addAll(certList); + } + String p7bFile = PartnerCertificateManagerUtil.buildp7bFile(chain.toArray(new Certificate[0])); + + CAp7bFileDownloadResponseDto responseDto = new CAp7bFileDownloadResponseDto(); + responseDto.setP7bFile(p7bFile); + responseDto.setTimestamp(timestamp); + return responseDto; + } + + private CACertificateStore getCACertificate(String caCertId) { + LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.GET_CA_CERT, PartnerCertManagerConstants.EMPTY, + "Request to get CA Certificate for caCertId: " + caCertId); + + if (!PartnerCertificateManagerUtil.isValidCertificateID(caCertId)) { + LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.GET_CA_CERT, + PartnerCertManagerConstants.EMPTY, "Invalid CA Certificate ID provided to get the CA Certificate."); + throw new PartnerCertManagerException( + PartnerCertManagerErrorConstants.INVALID_CERTIFICATE_ID.getErrorCode(), + PartnerCertManagerErrorConstants.INVALID_CERTIFICATE_ID.getErrorMessage()); + } + CACertificateStore caCertificateStore = certDBHelper.getCACert(caCertId); + if (Objects.isNull(caCertificateStore)) { + LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.GET_CA_CERT, + PartnerCertManagerConstants.EMPTY, "CA Certificate not found for the provided ID."); + throw new PartnerCertManagerException( + PartnerCertManagerErrorConstants.CA_CERT_ID_NOT_FOUND.getErrorCode(), + PartnerCertManagerErrorConstants.CA_CERT_ID_NOT_FOUND.getErrorMessage()); + } + return caCertificateStore; + } + private PartnerCertificateStore getPartnerCertificate(String partnetCertId) { 
LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.GET_PARTNER_CERT, PartnerCertManagerConstants.EMPTY, "Request to get Certificate for partnerId: " + partnetCertId); diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/spi/PartnerCertificateManagerService.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/spi/PartnerCertificateManagerService.java index 350e0e2e..d7ffd667 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/spi/PartnerCertificateManagerService.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/spi/PartnerCertificateManagerService.java @@ -77,4 +77,13 @@ public interface PartnerCertificateManagerService { * @return {@link CaCertificateChainResponseDto} response */ public CaCertificateChainResponseDto getCaCertificateChain(CaCertTypeListRequestDto certListRequestDto); + + /** + * Function to Download p7b file for CA Certificates along with trust + * + * @param p7bFileDownloadRequestDto p7bFileDownloadRequestDto + * @return {@link CAp7bFileDownloadResponseDto} respponse + */ + public CAp7bFileDownloadResponseDto getp7bCACertificateWithTrust(CAp7bFileDownloadRequestDto p7bFileDownloadRequestDto); + } \ No newline at end of file diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java index 45ec2a2f..1c21f3bd 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/util/PartnerCertificateManagerUtil.java 
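Review bot: In getp7bCACertificateWithTrust a non-self-signed CA whose `getCertificateTrustPath` lookup yields null is still returned as a success, with a p7b that contains only the certificate itself (`if (certList != null) { chain.addAll(certList); }`), so a caller asking for "certificate with trust chain" can receive a silently truncated bundle; if a null or empty path is a possible outcome here it should be reported as an error, or at least logged, rather than returned as a complete chain. In the new `getCACertificate` helper the caller-supplied `caCertId` is written to the log before `isValidCertificateID` runs; move the log after the validation, or log only the outcome, so arbitrary path-variable content does not reach the log unvalidated. getp7bCACertificateWithTrust begins outside this hunk, so where `timestamp` and `partnerDomain` come from is not visible here.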
@@ -240,6 +240,10 @@ public static String buildP7BCertificateChain(List certLi
 return buildCertChain(chain.toArray(new Certificate[0]));
 }
+ public static String buildp7bFile(Certificate[] chain) {
+ return buildCertChain(chain);
+ }
+
 private static String buildCertChain(Certificate[] chain) {
 try {
diff --git a/kernel/kernel-keymanager-service/src/main/resources/application-local.properties b/kernel/kernel-keymanager-service/src/main/resources/application-local.properties
index 9fa6d2c3..ef2e289b 100644
--- a/kernel/kernel-keymanager-service/src/main/resources/application-local.properties
+++ b/kernel/kernel-keymanager-service/src/main/resources/application-local.properties
@@ -159,4 +159,5 @@ mosip.role.keymanager.getuinpartnercode=ZONAL_ADMIN,GLOBAL_ADMIN,ID_AUTHENTICATI
 mosip.role.keymanager.postzkencrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postzkdecrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postzkreencryptrandomkey=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
-mosip.role.keymanager.postgetcacertificates=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
\ No newline at end of file
+mosip.role.keymanager.postgetcacertificates=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
+mosip.role.keymanager.getcap7bfilecacertid=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
\ No newline at end of file
From ccfdffdec1923d68ce5576dd191d6b9be2df4f56 Mon Sep 17 00:00:00 2001
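Review bot: `buildp7bFile` is added as a public, undocumented one-line wrapper over `buildCertChain`, while the existing `buildP7BCertificateChain(List ...)` directly above appears to produce the same bundle from a list; the service could call that one with its `chain` list and skip the array copy, or this method should at least carry a Javadoc saying what it returns. The name is also inconsistent with its neighbour (`buildp7bFile` vs `buildP7BCertificateChain`); `buildP7bFile` follows the file's convention. Suggested doc: `/** Builds the PKCS#7 (p7b) bundle for the given certificate chain; see buildCertChain for the output format. */`.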
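Review bot: The role list for the new endpoint is defined only in `application-local.properties`, the developer profile; `@PreAuthorize("hasAnyRole(@keyManAuthRoles.getGetcap7bfilecacertid())")` reads it through AuthorizedRolesDTO, so every deployed profile (its config is not visible here) needs `mosip.role.keymanager.getcap7bfilecacertid=…` as well, otherwise the list is unset there and access to the endpoint depends on how `hasAnyRole` treats a null list rather than on an explicit decision. Mirroring `postgetcacertificates` (`ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER`) looks right, since the new call returns the same CA material as the existing list endpoint.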
From: nagendra0721 Date: Tue, 19 Nov 2024 14:52:29 +0530 Subject: [PATCH 2/5] MOSIP-36354: get Trust Path (download a p7b file for a CA / Intermediate CA certificate) --- .../PartnerCertManagerController.java | 25 ++++++++----------- .../dto/AuthorizedRolesDTO.java | 2 +- ... => CACertificateTrustPathRequestDto.java} | 2 +- ...=> CACertificateTrustPathResponseDto.java} | 2 +- .../PartnerCertificateManagerServiceImpl.java | 13 ++++++---- .../spi/PartnerCertificateManagerService.java | 6 ++--- ...operties => application-local1.properties} | 2 +- 7 files changed, 25 insertions(+), 27 deletions(-) rename kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/{CAp7bFileDownloadRequestDto.java => CACertificateTrustPathRequestDto.java} (93%) rename kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/{CAp7bFileDownloadResponseDto.java => CACertificateTrustPathResponseDto.java} (91%) rename kernel/kernel-keymanager-service/src/main/resources/{application-local.properties => application-local1.properties} (99%) diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/controller/PartnerCertManagerController.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/controller/PartnerCertManagerController.java index 09132157..dd081e9b 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/controller/PartnerCertManagerController.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/controller/PartnerCertManagerController.java 
@@ -5,12 +5,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.access.prepost.PreAuthorize; -import org.springframework.web.bind.annotation.CrossOrigin; -import org.springframework.web.bind.annotation.GetMapping; -import org.springframework.web.bind.annotation.PathVariable; -import org.springframework.web.bind.annotation.PostMapping; -import org.springframework.web.bind.annotation.RequestBody; -import org.springframework.web.bind.annotation.RestController; +import org.springframework.web.bind.annotation.*; import io.mosip.kernel.core.http.RequestWrapper; import io.mosip.kernel.core.http.ResponseFilter; @@ -201,8 +196,8 @@ public ResponseWrapper getCaCertificateList( /** * To Download p7b file for a CA / Intermediate CA certificate along with the trust chain * - * @param p7bFileDownloadRequestDto {@link CAp7bFileDownloadRequestDto} request - * @return {@link CAp7bFileDownloadResponseDto} p7b data + * @param caCertId {@link CACertificateTrustPathRequestDto} request + * @return {@link CACertificateTrustPathResponseDto} p7b data */ @Operation(summary = "To Download p7b file for a CA / Intermediate CA certificate along with the trust chain.", description = "To Download p7b file for a CA / Intermediate CA certificate along with the trust chain.", tags = { "cacertmanager" }) 
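Review bot: The rewritten Javadoc in the second hunk still documents the wrong thing: `@param caCertId {@link CACertificateTrustPathRequestDto} request` describes a DTO, but the parameter is the `{caCertId}` path variable; `@param caCertId ID of the CA / intermediate CA certificate whose trust path is returned` is what a reader needs. The first hunk also collapses six explicit Spring imports into `import org.springframework.web.bind.annotation.*;` while the surrounding imports in this file stay explicit; keep the explicit form so unused imports remain visible.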
@@ -212,14 +207,14 @@ public ResponseWrapper getCaCertificateList( @ApiResponse(responseCode = "403", description = "Forbidden", content = @Content(schema = @Schema(hidden = true))), @ApiResponse(responseCode = "404", description = "Not Found", content = @Content(schema = @Schema(hidden = true))) }) @ResponseFilter - @PreAuthorize("hasAnyRole(@keyManAuthRoles.getGetcap7bfilecacertid())") - @GetMapping(value = "/getp7bCACertificateTrust/{caCertId}") - public ResponseWrapper getp7bCACertificateTrust( + @PreAuthorize("hasAnyRole(@keyManAuthRoles.getGetcacertificatetrustpath())") + @GetMapping(value = "/getCACertificateTrustPath/{caCertId}") + public ResponseWrapper getCACertificateTrustPath( @ApiParam("To Download p7b file CA certificate along with trust.") @PathVariable("caCertId") String caCertId) { - CAp7bFileDownloadRequestDto p7bFileDownloadRequestDto = new CAp7bFileDownloadRequestDto(); - p7bFileDownloadRequestDto.setCaCertId(caCertId); - ResponseWrapper response = new ResponseWrapper<>(); - response.setResponse(partnerCertManagerService.getp7bCACertificateWithTrust(p7bFileDownloadRequestDto)); + CACertificateTrustPathRequestDto caCertificateTrustPathRequestDto = new CACertificateTrustPathRequestDto(); + caCertificateTrustPathRequestDto.setCaCertId(caCertId); + ResponseWrapper response = new ResponseWrapper<>(); + response.setResponse(partnerCertManagerService.getCACertificateTrustPath(caCertificateTrustPathRequestDto)); return response; } diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/AuthorizedRolesDTO.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/AuthorizedRolesDTO.java index 495dd401..2dad1a71 100644 --- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/AuthorizedRolesDTO.java +++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/AuthorizedRolesDTO.java 
@@ -28,5 +28,5 @@ public class AuthorizedRolesDTO {
 private List postgetcacertificates;
- private List getcap7bfilecacertid;
+ private List getcacertificatetrustpath;
 }
\ No newline at end of file
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadRequestDto.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CACertificateTrustPathRequestDto.java
similarity index 93%
rename from kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadRequestDto.java
rename to kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CACertificateTrustPathRequestDto.java
index 34e3374e..774fd23c 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadRequestDto.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CACertificateTrustPathRequestDto.java
@@ -12,7 +12,7 @@
 @AllArgsConstructor
 @NoArgsConstructor
 @ApiModel(description = "Model representing request to download p7b file for ca certificate")
-public class CAp7bFileDownloadRequestDto {
+public class CACertificateTrustPathRequestDto {
 /**
 * Certificate ID of CA Certificate
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadResponseDto.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CACertificateTrustPathResponseDto.java
similarity index 91%
rename from kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadResponseDto.java
rename to kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CACertificateTrustPathResponseDto.java
index 088571a6..50b628b4 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CAp7bFileDownloadResponseDto.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/dto/CACertificateTrustPathResponseDto.java
@@ -12,7 +12,7 @@
 @Data
 @AllArgsConstructor
 @NoArgsConstructor
-public class CAp7bFileDownloadResponseDto {
+public class CACertificateTrustPathResponseDto {
 //
 // /**
 // * format of certificate
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java
index f246984b..677424ec 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java
@@ -713,13 +713,13 @@ public PartnerSignedCertDownloadResponseDto getPartnerSignedCertificate(PartnerC
 }
 @Override
- public CAp7bFileDownloadResponseDto getp7bCACertificateWithTrust(CAp7bFileDownloadRequestDto p7bFileDownloadRequestDto) {
+ public CACertificateTrustPathResponseDto getCACertificateTrustPath(CACertificateTrustPathRequestDto caCertificateTrustPathRequestDto) {
 LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.GET_CA_CERT_TRUST, PartnerCertManagerConstants.EMPTY, "Get CA Certificate with trust request: " );
- String caCertId = p7bFileDownloadRequestDto.getCaCertId();
+ String caCertId = caCertificateTrustPathRequestDto.getCaCertId();
 CACertificateStore caCertificateStore = getCACertificate(caCertId);
 X509Certificate caCertificate = (X509Certificate) keymanagerUtil.convertToCertificate(String.valueOf(caCertificateStore.getCertData()));
 String partnerDomain = caCertificateStore.getPartnerDomain();
@@ -735,10 +735,13 @@ public CAp7bFileDownloadResponseDto getp7bCACertificateWithTrust(CAp7bFileDownlo
 if (certList != null) {
 chain.addAll(certList);
 }
- String p7bFile = PartnerCertificateManagerUtil.buildp7bFile(chain.toArray(new Certificate[0]));
+ String buildTrustPath = PartnerCertificateManagerUtil.buildp7bFile(chain.toArray(new Certificate[0]));
- CAp7bFileDownloadResponseDto responseDto = new CAp7bFileDownloadResponseDto();
- responseDto.setP7bFile(p7bFile);
+ CACertificateTrustPathResponseDto responseDto = new CACertificateTrustPathResponseDto();
+ responseDto.setP7bFile(buildTrustPath);
+ responseDto.setTimestamp(timestamp);
+ return responseDto;
+ }
 responseDto.setTimestamp(timestamp);
 return responseDto;
 }
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/spi/PartnerCertificateManagerService.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/spi/PartnerCertificateManagerService.java
index d7ffd667..efeb5674 100644
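Review bot: The second hunk leaves getCACertificateTrustPath in a state that cannot compile: the added lines `responseDto.setTimestamp(timestamp); return responseDto; }` close the method, and the pre-existing `responseDto.setTimestamp(timestamp); return responseDto; }` lines that follow as context are left in place, so they now sit outside any method and the extra `}` closes the class early. The fix is to drop those three added lines so the added block ends at `responseDto.setP7bFile(buildTrustPath);` and the original tail of the method does the rest. Renaming the local from `p7bFile` to `buildTrustPath` also makes it read like a method call; `trustPathP7b` would be clearer.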
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/spi/PartnerCertificateManagerService.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/spi/PartnerCertificateManagerService.java
@@ -81,9 +81,9 @@ public interface PartnerCertificateManagerService {
 /**
 * Function to Download p7b file for CA Certificates along with trust
 *
- * @param p7bFileDownloadRequestDto p7bFileDownloadRequestDto
- * @return {@link CAp7bFileDownloadResponseDto} respponse
+ * @param caCertificateTrustPathRequestDto p7bFileDownloadRequestDto
+ * @return {@link CACertificateTrustPathResponseDto} respponse
 */
- public CAp7bFileDownloadResponseDto getp7bCACertificateWithTrust(CAp7bFileDownloadRequestDto p7bFileDownloadRequestDto);
+ public CACertificateTrustPathResponseDto getCACertificateTrustPath(CACertificateTrustPathRequestDto caCertificateTrustPathRequestDto);
 }
\ No newline at end of file
diff --git a/kernel/kernel-keymanager-service/src/main/resources/application-local.properties b/kernel/kernel-keymanager-service/src/main/resources/application-local1.properties
similarity index 99%
rename from kernel/kernel-keymanager-service/src/main/resources/application-local.properties
rename to kernel/kernel-keymanager-service/src/main/resources/application-local1.properties
index ef2e289b..95bf5ebb 100644
--- a/kernel/kernel-keymanager-service/src/main/resources/application-local.properties
+++ b/kernel/kernel-keymanager-service/src/main/resources/application-local1.properties
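Review bot: The interface Javadoc was renamed but not rewritten: `@param caCertificateTrustPathRequestDto p7bFileDownloadRequestDto` still uses the old parameter name as the description, and `respponse` is a typo carried over from the first patch. Suggest `@param caCertificateTrustPathRequestDto request holding the id of the CA / intermediate CA certificate whose trust path is wanted` and `@return {@link CACertificateTrustPathResponseDto} p7b bundle of the certificate and its trust path`.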
@@ -160,4 +160,4 @@ mosip.role.keymanager.postzkencrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHE
 mosip.role.keymanager.postzkdecrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postzkreencryptrandomkey=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postgetcacertificates=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
-mosip.role.keymanager.getcap7bfilecacertid=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
\ No newline at end of file
+mosip.role.keymanager.getcacertificatetrustpath=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
From a786274e676cf78e4ce32c330e8420ff67810ab8 Mon Sep 17 00:00:00 2001
From: nagendra0721
Date: Fri, 29 Nov 2024 13:48:15 +0530
Subject: [PATCH 3/5] Update application-local.properties
---
 ...roperties => application-local.properties} | 92 +++++++++++++------
 1 file changed, 63 insertions(+), 29 deletions(-)
 rename kernel/kernel-keymanager-service/src/main/resources/{application-local1.properties => application-local.properties} (73%)
diff --git a/kernel/kernel-keymanager-service/src/main/resources/application-local1.properties b/kernel/kernel-keymanager-service/src/main/resources/application-local.properties
similarity index 73%
rename from kernel/kernel-keymanager-service/src/main/resources/application-local1.properties
rename to kernel/kernel-keymanager-service/src/main/resources/application-local.properties
index 95bf5ebb..98975b4d 100644
--- a/kernel/kernel-keymanager-service/src/main/resources/application-local1.properties
+++ b/kernel/kernel-keymanager-service/src/main/resources/application-local.properties
@@ -3,9 +3,9 @@ mosip.kernel.keymanager.hsm.keystore-type=PKCS11
-mosip.kernel.keymanager.hsm.config-path=/hsm-files/pkcs11-softhsm.cfg
-#mosip.kernel.keymanager.hsm.config-path=/hsm-files/pkcs/mosip-ks.p12
-mosip.kernel.keymanager.hsm.keystore-pass=1234
+mosip.kernel.keymanager.hsm.config-path=C:/SoftHSM2/pkcs11.cfg
+#mosip.kernel.keymanager.hsm.config-path=/opt/taheer-mos/hsm-test/hsm-files/mosip-ks.p12
+mosip.kernel.keymanager.hsm.keystore-pass=1629
 mosip.kernel.keymanager.certificate.default.common-name=www.mosip.io
 mosip.kernel.keymanager.certificate.default.organizational-unit=IIITB
@@ -23,7 +23,7 @@ mosip.kernel.keymanager.softhsm.certificate.country=IN
 #Crypto asymmetric algorithm name
 mosip.kernel.crypto.asymmetric-algorithm-name=RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
 #Crypto symmetric algorithm name
-mosip.kernel.crypto.symmetric-algorithm-name=AES/GCM/PKCS5Padding
+mosip.kernel.crypto.symmetric-algorithm-name=AES/GCM/NoPadding
 #Keygenerator asymmetric algorithm name
 mosip.kernel.keygenerator.asymmetric-algorithm-name=RSA
 #Keygenerator symmetric algorithm name
@@ -42,7 +42,7 @@ mosip.kernel.crypto.hash-algorithm-name=PBKDF2WithHmacSHA512
 #Symmtric key length used in hash
 mosip.kernel.crypto.hash-symmetric-key-length=256
 #No of iterations in hash
-mosip.kernel.crypto.hash-iteration=10
+mosip.kernel.crypto.hash-iteration=10000
 #Sign algo name
 mosip.kernel.crypto.sign-algorithm-name=RS256
 #Certificate Sign algo name
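Review bot: This hunk versions a developer's machine-local HSM setup: `mosip.kernel.keymanager.hsm.config-path=C:/SoftHSM2/pkcs11.cfg`, a personal path in the commented alternative (`/opt/taheer-mos/...`), and a new keystore PIN `keystore-pass=1629`. Even in a local profile a PIN should not be committed; keep it out of the file and read it from the environment, e.g. `mosip.kernel.keymanager.hsm.keystore-pass=${HSM_KEYSTORE_PASS:}`, and restore the container path the file had. None of this relates to MOSIP-36354; the `AES/GCM/NoPadding` and `hash-iteration=10000` changes in the next two hunks are sound on their own, but they should travel in a dedicated commit so they are not lost if this one is reverted.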
@@ -51,12 +51,14 @@ mosip.kernel.certificate.sign.algorithm=SHA256withRSA
 keymanager.persistence.jdbc.driver=org.postgresql.Driver
 keymanager_database_url=jdbc:postgresql://localhost:5432/mosip_keymgr
-keymanager_database_username=mosip-db
-keymanager_database_password=
-
+keymanager_database_username=postgres
+keymanager_database_password=0685
+#keymanager_database_url=jdbc:postgresql://qa-double-rc2.mosip.net:30090/mosip_keymgr
+#keymanager_database_username=postgres
+#keymanager_database_password=mosip123
 hibernate.hbm2ddl.auto=none
-hibernate.dialect=org.hibernate.dialect.PostgreSQL95Dialect
+hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
 hibernate.jdbc.lob.non_contextual_creation=true
 hibernate.show_sql=false
 hibernate.format_sql=false
@@ -67,8 +69,9 @@ hibernate.cache.use_structured_entries=false
 hibernate.generate_statistics=false
 hibernate.current_session_context_class=org.springframework.orm.hibernate5.SpringSessionContext
-auth.server.validate.url=http://localhost:8091/v1/authmanager/authorize/admin/validateToken
-auth.server.admin.validate.url=http://localhost:8091/v1/authmanager/authorize/admin/validateToken
+auth.server.validate.url=https://api-internal.dev.mosip.net/v1/authmanager/authorize/admin/validateToken
+auth.server.admin.validate.url=https://api-internal.dev.mosip.net/v1/authmanager/authorize/admin/validateToken
+#auth.server.admin.validate.url=https://dev.mosip.net/v1/authmanager/authorize/admin/validateToken
 auth.role.prefix=ROLE_
 auth.header.name=Authorization
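Review bot: Database credentials are committed in clear text here: `keymanager_database_password=0685` for the local instance and, in the commented block, `mosip123` for the `qa-double-rc2.mosip.net:30090` database; once pushed they are in history for good, so the QA password should be treated as exposed and rotated. Keep `keymanager_database_password=` empty (or `${KEYMANAGER_DB_PASSWORD:}`) and drop the commented QA block entirely. The second hunk also repoints the local profile's token validation from localhost to `https://api-internal.dev.mosip.net`, so everyone running the `local` profile now authenticates against a shared dev environment; if that is intended it belongs in its own commit with a note, otherwise it should be reverted.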
@@ -85,21 +88,26 @@ mosip.signed.header=response-signature
 #---
+
+mosip.kernel.tokenid.uin.salt=zHuDEAbmbxiUbUShgy6pwUhKh9DE0EZn9kQDKPPKbWscGajMwf
+mosip.kernel.tokenid.partnercode.salt=yS8w5Wb6vhIKdf1msi4LYTJks7mqkbmITk2O63Iq8h0bkRlD0d
 mosip.kernel.tokenid.length=36
 #---
 #Length of license key to be generated.
 mosip.kernel.licensekey.length=16
 #List of permissions
-# NOTE: ',' in the below list is used as splitter in the implementation.
+# NOTE: ',' in the below list is used as splitter in the implementation.
 # Use of ',' in the values for below key should be avoided.
 # Use of spaces before and after ',' also should be avoided.
 mosip.kernel.licensekey.permissions=OTP Trigger,OTP Authentication,Demo Authentication - Identity Data Match,Demo Authentication - Address Data Match,Demo Authentication - Full Address Data Match,Demo Authentication - Secondary Language Match,Biometric Authentication - FMR Data Match,Biometric Authentication - IIR Data Match,Biometric Authentication - FID Data Match,Static Pin Authentication,eKYC - limited,eKYC - Full,eKYC - No
 mosip.kernel.zkcrypto.masterkey.application.id=KERNEL
 mosip.kernel.zkcrypto.masterkey.reference.id=IDENTITY_CACHE
-mosip.kernel.zkcrypto.publickey.application.id=IDA
-mosip.kernel.zkcrypto.publickey.reference.id=PUBLIC_KEY
+#mosip.kernel.zkcrypto.publickey.application.id=IDA
+#mosip.kernel.zkcrypto.publickey.reference.id=PUBLIC_KEY01
+mosip.kernel.zkcrypto.publickey.application.id=REGISTRATION
+mosip.kernel.zkcrypto.publickey.reference.id=REF_002
 mosip.kernel.zkcrypto.wrap.algorithm-name=AES/ECB/NoPadding
 mosip.kernel.zkcrypto.derive.encrypt.algorithm-name=AES/ECB/PKCS5Padding
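Review bot: `mosip.kernel.tokenid.uin.salt` and `mosip.kernel.tokenid.partnercode.salt` are added with literal 50-character values; if these are the salts used to derive token ids, committing them means anyone with read access to the repository can reproduce the derivation and the values can no longer be treated as secret, even if they were only meant for a local run. Read them from the environment instead, e.g. `mosip.kernel.tokenid.uin.salt=${MOSIP_TOKENID_UIN_SALT:}`, or leave them out of the versioned file. The zkcrypto public-key switch from `IDA`/`PUBLIC_KEY` to `REGISTRATION`/`REF_002`, with `PUBLIC_KEY01` left behind in a comment, also reads like a personal test setting rather than a project default; either state the intent in the commit message or revert those lines.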
@@ -110,18 +118,31 @@ mosip.kernel.partner.allowed.domains=AUTH,DEVICE,FTM
 mosip.iam.impl.basepackage=io.mosip.kernel.auth.defaultimpl
 mosip.auth.adapter.impl.basepackage=io.mosip.kernel.auth.defaultadapter
-mosip.kernel.keymanager.hsm.jce.className=io.mosip.keymanager.hsm.impl.HSMKeyStoreImpl
-mosip.kernel.keymanager.hsm.jce.keyStoreType=CloudHSM
-mosip.kernel.keymanager.hsm.jce.keyStoreFile=
-mosip.kernel.keymanager.hsm.jce.localKeyStorePwd=
-mosip.kernel.keymanager.hsm.jce.partitionName=PARTITION_01
-mosip.kernel.keymanager.hsm.jce.cuUserName=keyusr
-mosip.kernel.keymanager.hsm.jce.cuPassword=
+
+mosip.kernel.keymanager.hsm.jce.className=io.mosip.keymanager.hsm.impl.SafenetHSMKeyStoreImpl
+mosip.kernel.keymanager.hsm.jce.keyStoreType=LUNA
+mosip.kernel.keymanager.hsm.jce.keyStoreFile=partition-pwd
+mosip.kernel.keymanager.hsm.jce.slot.number=01
 mosip.kernel.keymanager.113nothumbprint.support=false
-##Adding controller props to local prop file
+auth.server.admin.offline.token.validate=false
+
+mosip.iam.adapter.clientid=mosip-regproc-client
+mosip.iam.adapter.clientsecret=rOE0Tx44C4HJ05qi
+mosip.iam.adapter.appid=regproc
+mosip.authmanager.base-url=https://api-internal.dev1.mosip.net/v1/authmanager
+mosip.authmanager.client-token-endpoint=${mosip.authmanager.base-url}/authenticate/clientidsecretkey
+
+
+auth.server.admin.issuer.domain.validate=true
+auth.server.admin.issuer.uri=https://iam.dev1.mosip.net/auth/realms/
+auth.server.admin.audience.claim.validate=true
+auth.server.admin.allowed.audience=mosip-regproc-client,mosip-partner-client,mosip-crereq-client,mosip-creser-client,mosip-pms-client
+
+mosip.kernel.auth.appids.realm.map={prereg:'preregistration',ida:'mosip',registrationclient:'mosip',regproc:'mosip',partner:'mosip',resident:'mosip'}
+
 mosip.role.keymanager.postcssign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postcsverifysign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.posttpmencrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
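Review bot: The issuer and token endpoints added here (`auth.server.admin.issuer.uri=https://iam.dev1.mosip.net/auth/realms/`, `mosip.authmanager.base-url=https://api-internal.dev1.mosip.net/...`) name the dev1 environment, while the `auth.server.validate.url` lines changed in the earlier hunk of this file point at `api-internal.dev.mosip.net`; one profile now mixes two environments, and whichever validation path the auth adapter takes, tokens would be checked against a different realm than the one they were issued by. The two hosts should agree, and the choice should be stated in a comment such as `# all auth endpoints below must point at the same environment as auth.server.validate.url`. `auth.server.admin.offline.token.validate=false` presumably forces online validation against that URL, which makes the mismatch more likely to bite at first request rather than at startup; I cannot confirm the adapter's behaviour from here. The `mosip.iam.adapter.clientsecret` value is a committed credential and is covered by the note on the database-password hunk.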
@@ -135,7 +156,7 @@ mosip.role.keymanager.postdecryptwithpin=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_
 mosip.role.keymanager.postencryptdt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postdecryptdt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postgeneratemasterkeyobjecttype=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
-mosip.role.keymanager.getgetcertificate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
+mosip.role.keymanager.getgetcertificate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,CREDENTIAL_ISSUANCE
 mosip.role.keymanager.postgeneratecsr=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postuploadcertificate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postuploadotherdomaincertificate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
@@ -145,19 +166,32 @@ mosip.role.keymanager.postmigratebasekey=KEY_MIGRATION_ADMIN
 mosip.role.keymanager.getzktempcertificate=KEY_MIGRATION_ADMIN
 mosip.role.keymanager.postlicensegenerate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postmigratezkkeys=KEY_MIGRATION_ADMIN
-mosip.role.keymanager.postuploadcacertificate=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN
+mosip.role.keymanager.postuploadcacertificate=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
 mosip.role.keymanager.postuploadpartnercertificate=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
 mosip.role.keymanager.getgetpartnercertificatepartnercertid=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
 mosip.role.keymanager.postverifycertificatetrust=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
-mosip.role.keymanager.getgetpartnersignedcertificatepartnercertid=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
 mosip.role.keymanager.postsign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postvalidate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postpdfsign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
-mosip.role.keymanager.postjwtsign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
-mosip.role.keymanager.postjwtverify=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
+mosip.role.keymanager.postjwtsign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,CREDENTIAL_ISSUANCE
+mosip.role.keymanager.postjwtverify=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,CREDENTIAL_ISSUANCE
 mosip.role.keymanager.getuinpartnercode=ZONAL_ADMIN,GLOBAL_ADMIN,ID_AUTHENTICATION,RESIDENT
 mosip.role.keymanager.postzkencrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postzkdecrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postzkreencryptrandomkey=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
-mosip.role.keymanager.postgetcacertificates=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
-mosip.role.keymanager.getcacertificatetrustpath=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
+mosip.role.keymanager.postjwssign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,CREDENTIAL_ISSUANCE
+mosip.role.keymanager.postjwtencrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
+mosip.role.keymanager.postjwtdecrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
+mosip.role.keymanager.postgenerateargon2hash=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
+mosip.role.keymanager.postgetcacertificates=PARTNER_ADMIN
+mosip.role.keymanager.getcacertificatetrustpath=PARTNER_ADMIN
+mosip.role.keymanager.putdeactivecacertificate=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
+
+mosip.kernel.keymanager.jwtsign.validate.json=false
+
+mosip.kernel.keymanager.service.cose.privatekey=MC4CAQAwBQYDK2VwBCIEIBSRNSG9zqqQSmGWiHuI6vA3GkW6wMMFuxiupMX87JmP
+mosip.kernel.keymanager.service.cose.publickey=MCowBQYDK2VwAyEAPvDN-FB2f50m3si16mEJF07X-Yn5yhyEC6jPE0D3aOE
+
+spring.cloud.loadbalancer.configurations=weighted
+
+spring.mvc.pathmatch.matching-strategy=ANT_PATH_MATCHER
\ No newline at end of file
From 711f62f44fe04fbea86316189429a1b3f6f62737 Mon Sep 17 00:00:00 2001
From: nagendra0721
Date: Fri, 29 Nov 2024 13:57:46 +0530
Subject: [PATCH 4/5] Update application-local.properties
---
 .../resources/application-local.properties | 88 ++++++-------------
 1 file changed, 27 insertions(+), 61 deletions(-)
diff --git a/kernel/kernel-keymanager-service/src/main/resources/application-local.properties b/kernel/kernel-keymanager-service/src/main/resources/application-local.properties
index 98975b4d..ca0cf304 100644
--- a/kernel/kernel-keymanager-service/src/main/resources/application-local.properties
+++ b/kernel/kernel-keymanager-service/src/main/resources/application-local.properties
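Review bot: `mosip.role.keymanager.postuploadcacertificate` is widened from `ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN` to also allow `PMS_USER`, and uploading a CA or intermediate certificate adds a trust anchor that later partner-certificate verification relies on, so a non-admin role being allowed to do it (as the role name suggests) is a policy change that the commit does not explain; the fourth patch in this series reverts exactly this line, which makes the intended final policy unclear. In the same hunk `mosip.role.keymanager.getgetpartnersignedcertificatepartnercertid` is deleted and `postgetcacertificates` / `getcacertificatetrustpath` are narrowed to `PARTNER_ADMIN` only; if the controller still resolves the deleted name, its endpoint would be left with no allowed role in this profile (the controller is not visible from here). A short comment above the CA-related lines, e.g. `# CA certificate upload/deactivation creates or removes trust anchors: admin roles only`, would make these lists reviewable. The `mosip.kernel.keymanager.service.cose.privatekey` line further down is a committed private key and is covered by the note on the database-password hunk.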
@@ -3,9 +3,9 @@ mosip.kernel.keymanager.hsm.keystore-type=PKCS11
-mosip.kernel.keymanager.hsm.config-path=C:/SoftHSM2/pkcs11.cfg
-#mosip.kernel.keymanager.hsm.config-path=/opt/taheer-mos/hsm-test/hsm-files/mosip-ks.p12
-mosip.kernel.keymanager.hsm.keystore-pass=1629
+mosip.kernel.keymanager.hsm.config-path=/hsm-files/pkcs11-softhsm.cfg
+#mosip.kernel.keymanager.hsm.config-path=/hsm-files/pkcs/mosip-ks.p12
+mosip.kernel.keymanager.hsm.keystore-pass=1234
 mosip.kernel.keymanager.certificate.default.common-name=www.mosip.io
 mosip.kernel.keymanager.certificate.default.organizational-unit=IIITB
@@ -23,7 +23,7 @@ mosip.kernel.keymanager.softhsm.certificate.country=IN
 #Crypto asymmetric algorithm name
 mosip.kernel.crypto.asymmetric-algorithm-name=RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
 #Crypto symmetric algorithm name
-mosip.kernel.crypto.symmetric-algorithm-name=AES/GCM/NoPadding
+mosip.kernel.crypto.symmetric-algorithm-name=AES/GCM/PKCS5Padding
 #Keygenerator asymmetric algorithm name
 mosip.kernel.keygenerator.asymmetric-algorithm-name=RSA
 #Keygenerator symmetric algorithm name
@@ -42,7 +42,7 @@ mosip.kernel.crypto.hash-algorithm-name=PBKDF2WithHmacSHA512
 #Symmtric key length used in hash
 mosip.kernel.crypto.hash-symmetric-key-length=256
 #No of iterations in hash
-mosip.kernel.crypto.hash-iteration=10000
+mosip.kernel.crypto.hash-iteration=10
 #Sign algo name
 mosip.kernel.crypto.sign-algorithm-name=RS256
 #Certificate Sign algo name
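Review bot: `mosip.kernel.crypto.symmetric-algorithm-name=AES/GCM/PKCS5Padding` names a block-cipher padding for an AEAD mode that does not use padding; as far as I know the JDK's SunJCE provider rejects any padding other than NoPadding for GCM when the transformation is resolved, and BouncyCastle does the same for AEAD modes, so this line is likely to fail at first `Cipher.getInstance` rather than produce a differently-padded ciphertext. The old value `AES/GCM/NoPadding` is the correct transformation and should be restored; this looks like a local-machine leftover that was not meant to be part of the patch. A comment such as `# GCM is an AEAD mode: the transformation must use NoPadding` above the line would stop it being "fixed" again.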
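Review bot: `mosip.kernel.crypto.hash-iteration=10` reduces the PBKDF2WithHmacSHA512 iteration count (the algorithm is the `mosip.kernel.crypto.hash-algorithm-name` context line in the same hunk) from 10000 to 10, which removes essentially the entire work factor that makes derived hashes costly to brute-force. Even in a local profile this should not be committed, because profiles like this get copied into other environments; if faster local runs were the motivation, keep the override out of version control. Restore `mosip.kernel.crypto.hash-iteration=10000` and, if a different floor is wanted, document it with a comment such as `# PBKDF2 work factor: do not lower below the value used in deployed profiles`.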
@@ -51,14 +51,12 @@ mosip.kernel.certificate.sign.algorithm=SHA256withRSA
 keymanager.persistence.jdbc.driver=org.postgresql.Driver
 keymanager_database_url=jdbc:postgresql://localhost:5432/mosip_keymgr
-keymanager_database_username=postgres
-keymanager_database_password=0685
-#keymanager_database_url=jdbc:postgresql://qa-double-rc2.mosip.net:30090/mosip_keymgr
-#keymanager_database_username=postgres
-#keymanager_database_password=mosip123
+keymanager_database_username=mosip-db
+keymanager_database_password=
+
 hibernate.hbm2ddl.auto=none
-hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
+hibernate.dialect=org.hibernate.dialect.PostgreSQL95Dialect
 hibernate.jdbc.lob.non_contextual_creation=true
 hibernate.show_sql=false
 hibernate.format_sql=false
@@ -69,9 +67,8 @@ hibernate.cache.use_structured_entries=false
 hibernate.generate_statistics=false
 hibernate.current_session_context_class=org.springframework.orm.hibernate5.SpringSessionContext
-auth.server.validate.url=https://api-internal.dev.mosip.net/v1/authmanager/authorize/admin/validateToken
-auth.server.admin.validate.url=https://api-internal.dev.mosip.net/v1/authmanager/authorize/admin/validateToken
-#auth.server.admin.validate.url=https://dev.mosip.net/v1/authmanager/authorize/admin/validateToken
+auth.server.validate.url=http://localhost:8091/v1/authmanager/authorize/admin/validateToken
+auth.server.admin.validate.url=http://localhost:8091/v1/authmanager/authorize/admin/validateToken
 auth.role.prefix=ROLE_
 auth.header.name=Authorization
@@ -88,26 +85,21 @@ mosip.signed.header=response-signature
 #---
-
-mosip.kernel.tokenid.uin.salt=zHuDEAbmbxiUbUShgy6pwUhKh9DE0EZn9kQDKPPKbWscGajMwf
-mosip.kernel.tokenid.partnercode.salt=yS8w5Wb6vhIKdf1msi4LYTJks7mqkbmITk2O63Iq8h0bkRlD0d
 mosip.kernel.tokenid.length=36
 #---
 #Length of license key to be generated.
 mosip.kernel.licensekey.length=16
 #List of permissions
-# NOTE: ',' in the below list is used as splitter in the implementation.
+# NOTE: ',' in the below list is used as splitter in the implementation.
 # Use of ',' in the values for below key should be avoided.
 # Use of spaces before and after ',' also should be avoided.
 mosip.kernel.licensekey.permissions=OTP Trigger,OTP Authentication,Demo Authentication - Identity Data Match,Demo Authentication - Address Data Match,Demo Authentication - Full Address Data Match,Demo Authentication - Secondary Language Match,Biometric Authentication - FMR Data Match,Biometric Authentication - IIR Data Match,Biometric Authentication - FID Data Match,Static Pin Authentication,eKYC - limited,eKYC - Full,eKYC - No
 mosip.kernel.zkcrypto.masterkey.application.id=KERNEL
 mosip.kernel.zkcrypto.masterkey.reference.id=IDENTITY_CACHE
-#mosip.kernel.zkcrypto.publickey.application.id=IDA
-#mosip.kernel.zkcrypto.publickey.reference.id=PUBLIC_KEY01
-mosip.kernel.zkcrypto.publickey.application.id=REGISTRATION
-mosip.kernel.zkcrypto.publickey.reference.id=REF_002
+mosip.kernel.zkcrypto.publickey.application.id=IDA
+mosip.kernel.zkcrypto.publickey.reference.id=PUBLIC_KEY
 mosip.kernel.zkcrypto.wrap.algorithm-name=AES/ECB/NoPadding
 mosip.kernel.zkcrypto.derive.encrypt.algorithm-name=AES/ECB/PKCS5Padding
@@ -118,31 +110,18 @@ mosip.kernel.partner.allowed.domains=AUTH,DEVICE,FTM
 mosip.iam.impl.basepackage=io.mosip.kernel.auth.defaultimpl
 mosip.auth.adapter.impl.basepackage=io.mosip.kernel.auth.defaultadapter
-
-mosip.kernel.keymanager.hsm.jce.className=io.mosip.keymanager.hsm.impl.SafenetHSMKeyStoreImpl
-mosip.kernel.keymanager.hsm.jce.keyStoreType=LUNA
-mosip.kernel.keymanager.hsm.jce.keyStoreFile=partition-pwd
-mosip.kernel.keymanager.hsm.jce.slot.number=01
+mosip.kernel.keymanager.hsm.jce.className=io.mosip.keymanager.hsm.impl.HSMKeyStoreImpl
+mosip.kernel.keymanager.hsm.jce.keyStoreType=CloudHSM
+mosip.kernel.keymanager.hsm.jce.keyStoreFile=
+mosip.kernel.keymanager.hsm.jce.localKeyStorePwd=
+mosip.kernel.keymanager.hsm.jce.partitionName=PARTITION_01
+mosip.kernel.keymanager.hsm.jce.cuUserName=keyusr
+mosip.kernel.keymanager.hsm.jce.cuPassword=
 mosip.kernel.keymanager.113nothumbprint.support=false
-auth.server.admin.offline.token.validate=false
-
-mosip.iam.adapter.clientid=mosip-regproc-client
-mosip.iam.adapter.clientsecret=rOE0Tx44C4HJ05qi
-mosip.iam.adapter.appid=regproc
-mosip.authmanager.base-url=https://api-internal.dev1.mosip.net/v1/authmanager
-mosip.authmanager.client-token-endpoint=${mosip.authmanager.base-url}/authenticate/clientidsecretkey
-
-
-auth.server.admin.issuer.domain.validate=true
-auth.server.admin.issuer.uri=https://iam.dev1.mosip.net/auth/realms/
-auth.server.admin.audience.claim.validate=true
-auth.server.admin.allowed.audience=mosip-regproc-client,mosip-partner-client,mosip-crereq-client,mosip-creser-client,mosip-pms-client
-
-mosip.kernel.auth.appids.realm.map={prereg:'preregistration',ida:'mosip',registrationclient:'mosip',regproc:'mosip',partner:'mosip',resident:'mosip'}
-
+##Adding controller props to local prop file
 mosip.role.keymanager.postcssign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postcsverifysign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.posttpmencrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
@@ -156,7 +135,7 @@ mosip.role.keymanager.postdecryptwithpin=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_
 mosip.role.keymanager.postencryptdt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postdecryptdt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postgeneratemasterkeyobjecttype=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
-mosip.role.keymanager.getgetcertificate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,CREDENTIAL_ISSUANCE
+mosip.role.keymanager.getgetcertificate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postgeneratecsr=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postuploadcertificate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postuploadotherdomaincertificate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
@@ -166,32 +145,19 @@ mosip.role.keymanager.postmigratebasekey=KEY_MIGRATION_ADMIN
 mosip.role.keymanager.getzktempcertificate=KEY_MIGRATION_ADMIN
 mosip.role.keymanager.postlicensegenerate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postmigratezkkeys=KEY_MIGRATION_ADMIN
-mosip.role.keymanager.postuploadcacertificate=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
+mosip.role.keymanager.postuploadcacertificate=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN
 mosip.role.keymanager.postuploadpartnercertificate=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
 mosip.role.keymanager.getgetpartnercertificatepartnercertid=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
 mosip.role.keymanager.postverifycertificatetrust=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
+mosip.role.keymanager.getgetpartnersignedcertificatepartnercertid=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
 mosip.role.keymanager.postsign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postvalidate=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postpdfsign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
-mosip.role.keymanager.postjwtsign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,CREDENTIAL_ISSUANCE
-mosip.role.keymanager.postjwtverify=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,CREDENTIAL_ISSUANCE
+mosip.role.keymanager.postjwtsign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
+mosip.role.keymanager.postjwtverify=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.getuinpartnercode=ZONAL_ADMIN,GLOBAL_ADMIN,ID_AUTHENTICATION,RESIDENT
 mosip.role.keymanager.postzkencrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postzkdecrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postzkreencryptrandomkey=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
-mosip.role.keymanager.postjwssign=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT,CREDENTIAL_ISSUANCE
-mosip.role.keymanager.postjwtencrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
-mosip.role.keymanager.postjwtdecrypt=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
-mosip.role.keymanager.postgenerateargon2hash=ZONAL_ADMIN,GLOBAL_ADMIN,INDIVIDUAL,ID_AUTHENTICATION,TEST,REGISTRATION_ADMIN,REGISTRATION_SUPERVISOR,REGISTRATION_OFFICER,REGISTRATION_PROCESSOR,PRE_REGISTRATION_ADMIN,RESIDENT
 mosip.role.keymanager.postgetcacertificates=PARTNER_ADMIN
 mosip.role.keymanager.getcacertificatetrustpath=PARTNER_ADMIN
-mosip.role.keymanager.putdeactivecacertificate=ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER
-
-mosip.kernel.keymanager.jwtsign.validate.json=false
-
-mosip.kernel.keymanager.service.cose.privatekey=MC4CAQAwBQYDK2VwBCIEIBSRNSG9zqqQSmGWiHuI6vA3GkW6wMMFuxiupMX87JmP
-mosip.kernel.keymanager.service.cose.publickey=MCowBQYDK2VwAyEAPvDN-FB2f50m3si16mEJF07X-Yn5yhyEC6jPE0D3aOE
-
-spring.cloud.loadbalancer.configurations=weighted
-
-spring.mvc.pathmatch.matching-strategy=ANT_PATH_MATCHER
\ No newline at end of file
From ca5d526bdb5bc90f88271fc3f5a1d37fa8b2fb88 Mon Sep 17 00:00:00 2001
From: nagendra0721
Date: Fri, 29 Nov 2024 16:17:03 +0530
Subject: [PATCH 5/5] Update PartnerCertificateManagerServiceImpl.java
---
 .../service/impl/PartnerCertificateManagerServiceImpl.java | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java
index 677424ec..652001fc 100644
--- a/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java
+++ b/kernel/kernel-keymanager-service/src/main/java/io/mosip/kernel/partnercertservice/service/impl/PartnerCertificateManagerServiceImpl.java
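Review bot: This hunk deletes the role properties `mosip.role.keymanager.postjwssign`, `postjwtencrypt`, `postjwtdecrypt`, `postgenerateargon2hash` and `putdeactivecacertificate` that an earlier patch in the series added, while leaving `postgetcacertificates` and `getcacertificatetrustpath` narrowed to `PARTNER_ADMIN` and restoring `getgetpartnersignedcertificatepartnercertid`; the series therefore lands a mix of reverted and retained authorization changes in this file that the one-line commit message does not describe. If the service exposes endpoints whose authorization expression is bound to any of the deleted names, those endpoints are left with no allowed role in this profile (the controller is not visible from here), so each deletion should either be deliberate and documented or be restored. The narrowing to `PARTNER_ADMIN` only should also be checked against the role the partner-management service actually presents, since the previous value allowed `ZONAL_ADMIN,GLOBAL_ADMIN,PMS_ADMIN,PMS_USER`. A comment above the CA-related lines, e.g. `# CA certificate read/deactivate endpoints: keep in sync with the PMS role model`, would make future edits to these lists reviewable.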
@@ -742,9 +742,6 @@ public CACertificateTrustPathResponseDto getCACertificateTrustPath(CACertificate
 responseDto.setTimestamp(timestamp);
 return responseDto;
 }
- responseDto.setTimestamp(timestamp);
- return responseDto;
- }
 private CACertificateStore getCACertificate(String caCertId) {
 LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.GET_CA_CERT, PartnerCertManagerConstants.EMPTY,