Extended the Peppol receiver configuration with the CA Checker

phax · Jan 23, 2025 · b9a92d8 · b9a92d8
1 parent 5cfeb6f
commit b9a92d8
Show file tree

Hide file tree

Showing 3 changed files with 122 additions and 7 deletions.
diff --git a/.../main/java/com/helger/phase4/peppol/servlet/Phase4PeppolDefaultReceiverConfiguration.java b/.../main/java/com/helger/phase4/peppol/servlet/Phase4PeppolDefaultReceiverConfiguration.java
@@ -28,6 +28,8 @@
 import com.helger.commons.ValueEnforcer;
 import com.helger.commons.string.StringHelper;
 import com.helger.peppol.sbdh.read.PeppolSBDHDocumentReader;
+import com.helger.peppol.utils.PeppolCAChecker;
+import com.helger.peppol.utils.PeppolCertificateChecker;
 import com.helger.peppolid.factory.IIdentifierFactory;
 import com.helger.peppolid.factory.SimpleIdentifierFactory;
 import com.helger.phase4.CAS4;
@@ -57,6 +59,7 @@ public final class Phase4PeppolDefaultReceiverConfiguration
   @Pfuoi420
   public static final EMode DEFAULT_WILDCARD_SELECTION_MODE = EMode.WILDCARD_ONLY;
   public static final boolean DEFAULT_CHECK_SIGNING_CERTIFICATE_REVOCATION = true;
+  public static final PeppolCAChecker DEFAULT_PEPPOL_AP_CA_CHECKER = PeppolCertificateChecker.peppolAllAP ();
 
   private static final Logger LOGGER = LoggerFactory.getLogger (Phase4PeppolDefaultReceiverConfiguration.class);
 
@@ -70,6 +73,7 @@ public final class Phase4PeppolDefaultReceiverConfiguration
   private static boolean s_bPerformSBDHValueChecks = PeppolSBDHDocumentReader.DEFAULT_PERFORM_VALUE_CHECKS;
   private static boolean s_bCheckSBDHForMandatoryCountryC1 = PeppolSBDHDocumentReader.DEFAULT_CHECK_FOR_COUNTRY_C1;
   private static boolean s_bCheckSigningCertificateRevocation = DEFAULT_CHECK_SIGNING_CERTIFICATE_REVOCATION;
+  private static PeppolCAChecker s_aPeppolAPCAChecker = DEFAULT_PEPPOL_AP_CA_CHECKER;
 
   private Phase4PeppolDefaultReceiverConfiguration ()
   {}
@@ -314,6 +318,35 @@ public static void setCheckSigningCertificateRevocation (final boolean b)
     }
   }
 
+  /**
+   * @return The Peppol AP CA checker to be used. Never <code>null</code>.
+   * @since 3.0.3
+   */
+  @Nonnull
+  public static PeppolCAChecker getPeppolAPCAChecker ()
+  {
+    return s_aPeppolAPCAChecker;
+  }
+
+  /**
+   * Set the Peppol CA checker to be used.
+   *
+   * @param a
+   *        The Peppol CA checker to be used. May not be <code>null</code>.
+   * @since 3.0.3
+   */
+  public static void setPeppolAPCAChecker (@Nonnull final PeppolCAChecker a)
+  {
+    ValueEnforcer.notNull (a, "PeppolAPCAChecker");
+
+    final boolean bChange = a != s_aPeppolAPCAChecker;
+    s_aPeppolAPCAChecker = a;
+    if (bChange)
+    {
+      LOGGER.info (CAS4.LIB_NAME + " Peppol AP CA Checker is set to " + a);
+    }
+  }
+
   /**
    * Get the statically configured data as a
    * {@link Phase4PeppolReceiverConfigurationBuilder} instance. This allows for
@@ -344,7 +377,8 @@ public static Phase4PeppolReceiverConfigurationBuilder getAsReceiverCheckDataBui
                                             .sbdhIdentifierFactory (getSBDHIdentifierFactory ())
                                             .performSBDHValueChecks (isPerformSBDHValueChecks ())
                                             .checkSBDHForMandatoryCountryC1 (isCheckSBDHForMandatoryCountryC1 ())
-                                            .checkSigningCertificateRevocation (isCheckSigningCertificateRevocation ());
+                                            .checkSigningCertificateRevocation (isCheckSigningCertificateRevocation ())
+                                            .apCAChecker (getPeppolAPCAChecker ());
   }
 
   /**

diff --git a/...let/src/main/java/com/helger/phase4/peppol/servlet/Phase4PeppolReceiverConfiguration.java b/...let/src/main/java/com/helger/phase4/peppol/servlet/Phase4PeppolReceiverConfiguration.java
@@ -26,6 +26,7 @@
 import com.helger.commons.builder.IBuilder;
 import com.helger.commons.string.StringHelper;
 import com.helger.commons.string.ToStringGenerator;
+import com.helger.peppol.utils.PeppolCAChecker;
 import com.helger.peppolid.factory.IIdentifierFactory;
 import com.helger.peppolid.factory.PeppolIdentifierFactory;
 import com.helger.peppolid.factory.SimpleIdentifierFactory;
@@ -54,6 +55,7 @@ public final class Phase4PeppolReceiverConfiguration
   private final boolean m_bPerformSBDHValueChecks;
   private final boolean m_bCheckSBDHForMandatoryCountryC1;
   private final boolean m_bCheckSigningCertificateRevocation;
+  private final PeppolCAChecker m_aAPCAChecker;
 
   /**
    * Constructor
@@ -86,6 +88,7 @@ public final class Phase4PeppolReceiverConfiguration
    *        performed.
    * @since 2.8.1
    */
+  @Deprecated (forRemoval = true, since = "3.0.3")
   public Phase4PeppolReceiverConfiguration (final boolean bReceiverCheckEnabled,
                                             @Nullable final ISMPExtendedServiceMetadataProvider aSMPClient,
                                             @Nonnull final PeppolWildcardSelector.EMode eWildcardSelectionMode,
@@ -95,6 +98,62 @@ public Phase4PeppolReceiverConfiguration (final boolean bReceiverCheckEnabled,
                                             final boolean bPerformSBDHValueChecks,
                                             final boolean bCheckSBDHForMandatoryCountryC1,
                                             final boolean bCheckSigningCertificateRevocation)
+  {
+    this (bReceiverCheckEnabled,
+          aSMPClient,
+          eWildcardSelectionMode,
+          sAS4EndpointURL,
+          aAPCertificate,
+          aSBDHIdentifierFactory,
+          bPerformSBDHValueChecks,
+          bCheckSBDHForMandatoryCountryC1,
+          bCheckSigningCertificateRevocation,
+          Phase4PeppolDefaultReceiverConfiguration.DEFAULT_PEPPOL_AP_CA_CHECKER);
+  }
+
+  /**
+   * Constructor
+   *
+   * @param bReceiverCheckEnabled
+   *        <code>true</code> if the receiver checks are enabled,
+   *        <code>false</code> otherwise
+   * @param aSMPClient
+   *        The SMP metadata provider to be used. May not be <code>null</code>
+   *        if receiver checks are enabled.
+   * @param eWildcardSelectionMode
+   *        The wildcard selection mode to use for the SMP. May not be
+   *        <code>null</code>
+   * @param sAS4EndpointURL
+   *        The endpoint URL to check against. May neither be <code>null</code>
+   *        nor empty if receiver checks are enabled.
+   * @param aAPCertificate
+   *        The AP certificate to be used for compatibility. May not be
+   *        <code>null</code> if receiver checks are enabled.
+   * @param aSBDHIdentifierFactory
+   *        The identifier factory to be used for SBDH parsing. May not be
+   *        <code>null</code>.
+   * @param bPerformSBDHValueChecks
+   *        <code>true</code> if SBDH value checks should be performed.
+   * @param bCheckSBDHForMandatoryCountryC1
+   *        <code>true</code> if SBDH value checks should be performed for
+   *        mandatory C1 country code.
+   * @param bCheckSigningCertificateRevocation
+   *        <code>true</code> if signing certificate revocation checks should be
+   *        performed.
+   * @param aAPCAChecker
+   *        The Peppol AP CA checker. May not be <code>null</code>.
+   * @since 3.0.3
+   */
+  public Phase4PeppolReceiverConfiguration (final boolean bReceiverCheckEnabled,
+                                            @Nullable final ISMPExtendedServiceMetadataProvider aSMPClient,
+                                            @Nonnull final PeppolWildcardSelector.EMode eWildcardSelectionMode,
+                                            @Nullable final String sAS4EndpointURL,
+                                            @Nullable final X509Certificate aAPCertificate,
+                                            @Nonnull final IIdentifierFactory aSBDHIdentifierFactory,
+                                            final boolean bPerformSBDHValueChecks,
+                                            final boolean bCheckSBDHForMandatoryCountryC1,
+                                            final boolean bCheckSigningCertificateRevocation,
+                                            @Nonnull final PeppolCAChecker aAPCAChecker)
   {
     if (bReceiverCheckEnabled)
       ValueEnforcer.notNull (aSMPClient, "SMPClient");
@@ -113,6 +172,7 @@ public Phase4PeppolReceiverConfiguration (final boolean bReceiverCheckEnabled,
     m_bPerformSBDHValueChecks = bPerformSBDHValueChecks;
     m_bCheckSBDHForMandatoryCountryC1 = bCheckSBDHForMandatoryCountryC1;
     m_bCheckSigningCertificateRevocation = bCheckSigningCertificateRevocation;
+    m_aAPCAChecker = aAPCAChecker;
   }
 
   public boolean isReceiverCheckEnabled ()
@@ -193,6 +253,16 @@ public boolean isCheckSigningCertificateRevocation ()
     return m_bCheckSigningCertificateRevocation;
   }
 
+  /**
+   * @return The Peppol CA checker to be used. Must not be <code>null</code>.
+   * @since 3.0.3
+   */
+  @Nonnull
+  public PeppolCAChecker getAPCAChecker ()
+  {
+    return m_aAPCAChecker;
+  }
+
   @Override
   public String toString ()
   {
@@ -206,6 +276,7 @@ public String toString ()
                                        .append ("CheckSBDHForMandatoryCountryC1", m_bCheckSBDHForMandatoryCountryC1)
                                        .append ("CheckSigningCertificateRevocation",
                                                 m_bCheckSigningCertificateRevocation)
+                                       .append ("APCAChecker", m_aAPCAChecker)
                                        .getToString ();
   }
 
@@ -251,6 +322,7 @@ public static class Phase4PeppolReceiverConfigurationBuilder implements IBuilder
     private boolean m_bPerformSBDHValueChecks;
     private boolean m_bCheckSBDHForMandatoryCountryC1;
     private boolean m_bCheckSigningCertificateRevocation;
+    private PeppolCAChecker m_aAPCAChecker;
 
     public Phase4PeppolReceiverConfigurationBuilder ()
     {}
@@ -265,7 +337,8 @@ public Phase4PeppolReceiverConfigurationBuilder (@Nonnull final Phase4PeppolRece
                                                            .sbdhIdentifierFactory (aSrc.getSBDHIdentifierFactory ())
                                                            .performSBDHValueChecks (aSrc.isPerformSBDHValueChecks ())
                                                            .checkSBDHForMandatoryCountryC1 (aSrc.isCheckSBDHForMandatoryCountryC1 ())
-                                                           .checkSigningCertificateRevocation (aSrc.isCheckSigningCertificateRevocation ());
+                                                           .checkSigningCertificateRevocation (aSrc.isCheckSigningCertificateRevocation ())
+                                                           .apCAChecker (aSrc.getAPCAChecker ());
     }
 
     @Nonnull
@@ -344,6 +417,13 @@ public Phase4PeppolReceiverConfigurationBuilder checkSigningCertificateRevocatio
       return this;
     }
 
+    @Nonnull
+    public Phase4PeppolReceiverConfigurationBuilder apCAChecker (@Nullable final PeppolCAChecker a)
+    {
+      m_aAPCAChecker = a;
+      return this;
+    }
+
     @Nonnull
     public Phase4PeppolReceiverConfiguration build ()
     {
@@ -360,6 +440,8 @@ public Phase4PeppolReceiverConfiguration build ()
         throw new IllegalStateException ("The Wildcard Selection Mode must be provided");
       if (m_aSBDHIdentifierFactory == null)
         throw new IllegalStateException ("The SBDH Identifier Factory must be provided");
+      if (m_aAPCAChecker == null)
+        throw new IllegalStateException ("The Peppol AP CA checker must be provided");
 
       return new Phase4PeppolReceiverConfiguration (m_bReceiverCheckEnabled,
                                                     m_aSMPClient,
@@ -369,7 +451,8 @@ public Phase4PeppolReceiverConfiguration build ()
                                                     m_aSBDHIdentifierFactory,
                                                     m_bPerformSBDHValueChecks,
                                                     m_bCheckSBDHForMandatoryCountryC1,
-                                                    m_bCheckSigningCertificateRevocation);
+                                                    m_bCheckSigningCertificateRevocation,
+                                                    m_aAPCAChecker);
     }
   }
 }
diff --git a/...rc/main/java/com/helger/phase4/peppol/servlet/Phase4PeppolServletMessageProcessorSPI.java b/...rc/main/java/com/helger/phase4/peppol/servlet/Phase4PeppolServletMessageProcessorSPI.java
@@ -59,7 +59,6 @@
 import com.helger.peppol.smp.ESMPTransportProfile;
 import com.helger.peppol.smp.ISMPTransportProfile;
 import com.helger.peppol.utils.EPeppolCertificateCheckResult;
-import com.helger.peppol.utils.PeppolCertificateChecker;
 import com.helger.peppol.utils.PeppolCertificateHelper;
 import com.helger.peppolid.IDocumentTypeIdentifier;
 import com.helger.peppolid.IParticipantIdentifier;
@@ -613,9 +612,8 @@ public AS4MessageProcessorResult processAS4UserMessage (@Nonnull final IAS4Incom
       // Check if signing AP certificate is revoked
       // * Use global caching setting
       // * Use global certificate check mode
-      final EPeppolCertificateCheckResult eCertCheckResult = PeppolCertificateChecker.peppolAllAP ()
-                                                                                     .checkCertificate (aSenderCert,
-                                                                                                        aNow);
+      final EPeppolCertificateCheckResult eCertCheckResult = aReceiverCheckData.getAPCAChecker ()
+                                                                               .checkCertificate (aSenderCert, aNow);
       if (eCertCheckResult.isInvalid ())
       {
         final String sDetails = "The received Peppol message is signed with a Peppol AP certificate invalid at " +