Recommendation about new self-signed cert management feature #407

Closed
szabarna opened this issue Dec 6, 2024 · 5 comments

Comments

@szabarna
Copy link
Contributor

szabarna commented Dec 6, 2024

The feature added in #404 is great; I would like to recommend a small addition. It would be great if I could use the same .jks keystore I use for SSL/TLS as the truststore as well. When I try this I get an error, because obviously PKCS12KeystoreFactory does not support JKS keystores. If I used the same keystore as the as2_certs.p12 for the truststore it would work, but I get an error about the keystore being already registered. It wouldn't be that great anyway, because I would have to duplicate the SSL/TLS certificates in two keystores.

However, the JKS keystore could be used smoothly for this purpose, since the SSL/TLS certificates added to the SSL keystore could be used for the trusted fingerprint check (feature added in #404 for self-signed certs) as well as for regular SSL/TLS validation.

In my experience (what I did in the PR), the certificates used for SSL/TLS are the same certificates that get checked by the added solution when communicating over HTTPS.

@uhurusurfa
Copy link
Contributor

I have enhanced the NetModule, which sets up the HTTP listener, so it can use JKS or PKCS12 in that last PR, so you can use a PKCS12 keystore as a consolidated certificate store for both.
If you move your SSL certificate from a JKS to a PKCS12 keystore (you must use a ".p12" extension for the loader to identify the type of keystore), then you just change these 2 properties to point to your SSL certificate store:

ssl_trust_keystore=$properties.ssl_keystore$
ssl_trust_keystore_password=$properties.ssl_keystore_password$

However, the possible problem is in defining which certificate the server should present to the connecting client. I think if you only had a single private key in your SSL keystore and then all the other partner public keys it would work fine, but if you add a second SSL certificate then the selection is not guaranteed.

@uhurusurfa
Copy link
Contributor

uhurusurfa commented Dec 7, 2024

Note that the JKS keystore is deprecated in Java anyway, so moving certificates over to a PKCS12 store is a good idea.

@szabarna
Copy link
Contributor Author

szabarna commented Dec 9, 2024

I did as you told me and now the server can start, and I can also receive messages.
The problem comes when I want to send: I get the typical SSL error again:

07:54:21.113 [AS2DirectoryPollingModule] ERROR org.openas2.processor.sender.AS2SenderModule - Failed to connect to partner using SSL certificate. Please run the SSL certificate checker utility to identify the issue: https://as2.evonit.hu:443/edi
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

I can see in the logs this warn:

07:54:19.781 [AS2DirectoryPollingModule] WARN org.openas2.util.HTTPUtil - SSL factory building using:
isExtendedSelfsignedTrustCheck: false
overrideSslChecks: false
isTrustSelfSignedCNHandling: false

I don't really understand why all of them are false, when my relevant config.xml attributes look like this:

            ssl_keystore="/converter/config/ssl_certs.p12"
            ssl_keystore_password="mypw"
            ssl_trust_keystore="$properties.ssl_keystore$"
            ssl_trust_keystore_password="$properties.ssl_keystore_password$"
            ssl_trust_keystore.enabled="true"
            ssl_trust_keystore.refresh_interval="150"
            
    <certificates 
    enabled="$properties.ssl_trust_keystore.enabled$"
    classname="org.openas2.cert.PKCS12CertificateFactory"
    filename="$properties.ssl_trust_keystore$"
    identifier="ssl_certs"
    password="$properties.ssl_trust_keystore_password$"
    interval="$properties.ssl_trust_keystore.refresh_interval$" />

I made the .p12 keystore from the already used JKS via keytool. Since for now I tried to communicate between two of my OpenAS2 instances, my ssl_certs.p12 (which I use as both the SSL and the trusted keystore) contains a single PrivateKeyEntry and a TrustedCertEntry. Both are part of the same certificate. It might be redundant for now, but it is for testing only, and it worked with 4.0.0. What did I mess up?

@szabarna
Copy link
Contributor Author

szabarna commented Dec 9, 2024

I am sorry; by looking at the source code I realized that the identifier is hardcoded and must match what is defined in the CertificateFactory's COMPID_SSL_TRUST_CERTIFICATE_FACTORY property. It must be

    <certificates 
    enabled="$properties.ssl_trust_keystore.enabled$"
    classname="org.openas2.cert.PKCS12CertificateFactory"
    filename="$properties.ssl_trust_keystore$"
    identifier="ssl_trust_certs"
    password="$properties.ssl_trust_keystore_password$"
    interval="$properties.ssl_trust_keystore.refresh_interval$" />

Now everything seems to work, thank you!
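As an added example (not OpenAS2 project code, and not anything posted in this thread), the following POSIX shell pre-flight script covers the two things that went wrong above: converting the JKS store to a ".p12" file with keytool -importkeystore, checking that the consolidated store holds exactly one PrivateKeyEntry (the caveat about which certificate the server presents when there is more than one), and checking that config.xml registers the trust store under identifier="ssl_trust_certs". The file paths, the password handling and the exact keytool -list line layout parsed here are assumptions; keytool must be on PATH for the conversion and keystore functions, while the listing and config checks run on any input.

```shell
#!/bin/sh
# Added example, not OpenAS2 code. Pre-flight checks for using one PKCS12
# keystore as both the TLS keystore and the "ssl_trust_certs" trust store.
# Assumptions: a JDK `keytool` on PATH; all paths/passwords are placeholders.

# Convert a JKS keystore to PKCS12. The thread notes the loader picks the
# keystore type from the extension, so the destination must end in ".p12".
convert_jks_to_p12() {
    src="$1"; dst="$2"; pw="$3"
    case "$dst" in
        *.p12) ;;
        *) echo "destination must end in .p12: $dst" >&2; return 1 ;;
    esac
    keytool -importkeystore \
        -srckeystore "$src" -srcstoretype JKS -srcstorepass "$pw" \
        -destkeystore "$dst" -deststoretype PKCS12 -deststorepass "$pw"
}

# Count entries of one type in `keytool -list` output read from stdin.
# Assumed line layout: "<alias>, <date>, PrivateKeyEntry," or
# "<alias>, <date>, trustedCertEntry,".
count_entries() {
    awk -v t="$1" 'index($0, ", " t ",") { n++ } END { print n + 0 }'
}

# Verdict on a listing: a consolidated store should hold exactly one
# PrivateKeyEntry (the listener's own TLS identity) plus any number of
# partner trustedCertEntry items. Returns 0 only when that holds.
check_listing() {
    listing="$1"
    keys=$(printf '%s\n' "$listing" | count_entries PrivateKeyEntry)
    certs=$(printf '%s\n' "$listing" | count_entries trustedCertEntry)
    if [ "$keys" -eq 0 ]; then
        echo "no PrivateKeyEntry: the listener has no TLS identity to present"
        return 1
    elif [ "$keys" -gt 1 ]; then
        echo "$keys PrivateKeyEntry items: which one the server presents is not guaranteed"
        return 1
    fi
    echo "ok: 1 private key, $certs trusted certificate(s)"
}

# Same check against a real keystore file.
check_keystore() {
    check_listing "$(keytool -list -keystore "$1" -storepass "$2" -storetype PKCS12)"
}

# The thread shows that a <certificates> element registered under any other
# identifier left every trust option at false; the factory is only picked up
# as identifier="ssl_trust_certs". Lines are joined so a multi-line element
# still matches.
check_trust_identifier() {
    cfg="$1"
    if tr '\n' ' ' < "$cfg" | grep -q '<certificates[^>]*identifier="ssl_trust_certs"'; then
        echo "ok: trust store registered as ssl_trust_certs"
    else
        echo "no <certificates ... identifier=\"ssl_trust_certs\"> element in $cfg"
        return 1
    fi
}

# Usage: sh preflight.sh /path/ssl_certs.p12 '<password>' /path/config.xml
if [ "$#" -eq 3 ]; then
    check_keystore "$1" "$2" && check_trust_identifier "$3"
fi
```

Run it once after the keytool conversion and after every edit to config.xml; a second PrivateKeyEntry (for example a renewed certificate imported under a new alias next to the old one) fails the listing check, which is the situation the comment above warns about.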

@uhurusurfa
Copy link
Contributor

Excellent. I will close this issue then.
