Reject unsigned and support fallback certificate for receiving files. (…

…#289)

* Support fallback x509 certificate aliases for certificate changeover.

* Enhance the properties parser to support periods in the property name

* Make it possible to override most of the values using a properties file

* Get rid of some white noise in the commit window

* Allow script to run without prompts

* Fix goto call

* Allow providing the override properties file if it exists
Allow defining a custom Java env to use.
Allow overriding the service name.

* Support overriding provioding the properties file for config override as
an env var into startup script.

* Add debug log statement to help with identifying config problems.

* Add static property key for rejecting unsigned messages.

* Add disposition message for when the message is not signed and is
required by the receiver.

* Support checking for config to reject unsigned messages.

* Fix the certificate fallback logic.

* Fix formatting

* Enhance documentation with new features

* Release notes documentation

* Version upgrades

* Add missing tcp server password property

* Documentation update on certificate fallback functionality.

* Support tracking when file cleanup has already been called to avoid
error messages.

.gitignore

@@ -12,3 +12,7 @@ pom.xml.versionsBackup
 /Bundle/target/
 /lib/
 /Server/src/logs/
+**/.DS_Store
+**/.settings
+**/*.class
+.metadata/*

RELEASE-NOTES.md

@@ -1,20 +1,25 @@
 #              OpenAS2 Server
-#              Version 3.2.1
+#              Version 3.3.0
 #              RELEASE NOTES
 -----
-The OpenAS2 project is pleased to announce the release of OpenAS2 3.2.1
+The OpenAS2 project is pleased to announce the release of OpenAS2 3.3.0
 
-The release download file is: OpenAS2Server-3.2.1.zip
+The release download file is: OpenAS2Server-3.3.0.zip
 
 The zip file contains a PDF document (OpenAS2HowTo.pdf) providing information on installing and using the application.
 ## NOTE: Testing covers Java 8 to 17. The application should work for older versions down to Java 7 but they are not tested as part of the CI/CD pipeline.
 
-Version 3.2.1 - 2022-07-06
-This is a minor enhancement and bugfix release:
+Version 3.3.0 - 2022-08-13
+This is a significant enhancement and minor bugfix release:
        **IMPORTANT NOTE**: Please review upgrade notes below if you are upgrading
 
-  1. Fix extracting the MDN bodypart from the multipart.
-  2. Fix creating a zip bomb package.
+  1. Support rejecting messages being sent that are unsigned. See section "Reject Unsigned Messages" in the documentation.
+  2. Support having 2 certificates for your partner definition. This allows switch over of your own certificate to be zero down time. See section "Overlapping Old And New Certificates When Changing" in the documentation.
+  3. Support overriding most of the config.xml attribute values using the external property file. This allows custom configuration to be restricted to a single properties file and makes version upgrades much simpler.
+  4. Enhance shell and bat scripts to prepare for install and upgrade scripts to simplify managing the install and upgrade of OpenAS2 in the future.
+  5. Enhance the properties parser to support periods in the property name.
+  6. Fix the erroneous error when cleaning up files due to a duplicate call to the file cleanup function.
+
 
 
 ##Upgrade Notes

Remote/pom.xml

@@ -4,7 +4,7 @@
     <parent>
         <groupId>net.sf.openas2</groupId>
         <artifactId>OpenAS2</artifactId>
-        <version>3.2.1</version>
+        <version>3.3.0</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

Server/pom.xml

@@ -7,7 +7,7 @@
         <!-- DO NOT CHANGE THIS "groupId" WITHOUT CHANGING XMLSession.getManifestAttributes.MANIFEST_VENDOR_ID_ATTRIB -->
         <groupId>net.sf.openas2</groupId>
         <artifactId>OpenAS2</artifactId>
-        <version>3.2.1</version>
+        <version>3.3.0</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 
@@ -158,15 +158,15 @@
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcmail-jdk15on</artifactId>
+            <artifactId>bcmail-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcpkix-jdk15on</artifactId>
+            <artifactId>bcpkix-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk15on</artifactId>
+            <artifactId>bcprov-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
@@ -190,7 +190,7 @@
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcpg-jdk15on</artifactId>
+            <artifactId>bcpg-jdk18on</artifactId>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>

Server/src/bin/gen_p12_key_par.sh

@@ -21,6 +21,9 @@ if test $# -ne 4; then
   echo "     >$0 as2_certs partnera SHA256 \"CN=as2.partnerb.com, OU=QA, O=PartnerA, L=New York, S=New York, C=US\""
   echo "     Expected OUTPUT: as2_certs.p12 -  keystore containing both public and private key"
   echo "                     partnera.cer - public key certificate file ."
+  echo ""
+  echo "To run the script without prompts, set environment variables IS_AUTOMATED_EXEC=1 and KEYSTORE_PASSWORD to the desired password (can be blank)"
+  echo ""
   exit 1
 fi
 
@@ -60,30 +63,34 @@ if [ -z $JAVA_HOME ]; then
   exit
 fi
 
-echo "Generate a certificate to a PKCS12 key store."
-echo "Generating certificate:  using alias $certAlias to ${tgtStore}.p12 $PRE_GEN_MSG_ADDITIONAL"
-read -p "Do you wish to execute this request? [Y/N]" Response
-if [  $Response != "Y" -a $Response != "y"  ] ; then
-  exit 1
+if [ "1" != "$IS_AUTOMATED_EXEC" ]; then
+  echo "Generate a certificate to a PKCS12 key store."
+  echo "Generating certificate:  using alias $certAlias to ${tgtStore}.p12 $PRE_GEN_MSG_ADDITIONAL"
+  read -p "Do you wish to execute this request? [Y/N]" Response
+  if [  $Response != "Y" -a $Response != "y"  ] ; then
+    exit 1
+  fi
+  read -p "Enter password for keystore:" ksPwd
+else
+  ksPwd=$KEYSTORE_PASSWORD
 fi
 
-read -p "Enter password for keystore:" ksPwd
-$JAVA_HOME/bin/keytool -genkeypair -alias $certAlias -validity $CertValidDays  -keyalg RSA -sigalg $sigAlg -keystore ${tgtStore}.p12 -storepass $ksPwd -storetype pkcs12 $AdditionalGenArgs -dname "$dName"
+$JAVA_HOME/bin/keytool -genkeypair -alias $certAlias -validity $CertValidDays  -keyalg RSA -sigalg $sigAlg -keystore ${tgtStore}.p12 -storepass "$ksPwd" -storetype pkcs12 $AdditionalGenArgs -dname "$dName"
 if [ "$?" != 0 ]; then
 	echo ""
     echo "Failed to create a keystore. See errors above to correct the problem."
     exit 1
 fi
 
 #$JAVA_HOME/bin/keytool -selfcert -alias $certAlias -validity $CertValidDays  -sigalg $sigAlg -keystore ${tgtStore}.p12 -storepass $ksPwd -storetype pkcs12
-$JAVA_HOME/bin/keytool -selfcert -alias $certAlias $AdditionalGenArgs -validity $CertValidDays  -sigalg $sigAlg -keystore ${tgtStore}.p12 -storepass $ksPwd -storetype pkcs12
+$JAVA_HOME/bin/keytool -selfcert -alias $certAlias $AdditionalGenArgs -validity $CertValidDays  -sigalg $sigAlg -keystore ${tgtStore}.p12 -storepass "$ksPwd" -storetype pkcs12
 if [ "$?" != 0 ]; then
 	echo ""
     echo "Failed to self certifiy the certificates in the keystore. See errors above to correct the problem."
     exit 1
 fi
 
-$JAVA_HOME/bin/keytool -export -rfc -file $certAlias.cer -alias $certAlias  -keystore ${tgtStore}.p12 -storepass $ksPwd -storetype pkcs12
+$JAVA_HOME/bin/keytool -export -rfc -file $certAlias.cer -alias $certAlias  -keystore ${tgtStore}.p12 -storepass "$ksPwd" -storetype pkcs12
 if [ "$?" != 0 ]; then
 	echo ""
     echo "Failed to export the public key. See errors above to correct the problem."

Server/src/bin/import_public_cert.bat

@@ -81,7 +81,7 @@ echo.
 echo   Sucessfully Imported certificate from file "%srcFile%" using alias "%certAlias%" to: %tgtStore%
 echo. 
 
-goto :END
+goto END
 
 :Usage
   echo Import a public certificate to a PKCS12 key store.

Server/src/bin/install_winsvc.bat

@@ -1,10 +1,17 @@
+@echo off
+setLocal EnableDelayedExpansion
+if /I "!IS_AUTOMATED_EXEC!" == "1" goto CheckOk 
 goto CheckRun
 
 :CheckOk
 
 REM Set the key config strings
-
+if /I not "!SERVICE_NAME!" == "" goto ServiceNameSet
 set SERVICE_NAME=OpenAS2Server
+echo No override for service name specified. Using default service name...
+
+:ServiceNameSet
+echo Using service name: !SERVICE_NAME!
 SET tmppath=%~dp0
 pushd %tmppath%
 cd ..
@@ -15,7 +22,8 @@ REM If the directory structure was changed from the OpenAS2 standard set path di
 REM set OPENAS2_BASE_DIR=c:\opt\OpenAS2
 set APACHE_COMMONS_DAEMON=%OPENAS2_BASE_DIR%\bin\commons-daemon
 set PR_INSTALL=%APACHE_COMMONS_DAEMON%\amd64\prunsrv.exe
-set config_file=%OPENAS2_BASE_DIR%\config\config.xml
+set STARTUP_ARGS=%OPENAS2_BASE_DIR%\config\config.xml
+set CUSTOM_SERVICE_PARAMS=
 set PR_CLASSPATH=%OPENAS2_BASE_DIR%\lib\*
 REM If using a specific JVM then uncomment & set JAVA_HOME below
 REM set JAVA_HOME=C:\Program Files\Java\jre1.8.0_171
@@ -36,16 +44,24 @@ set PR_LOGLEVEL=Error
 REM Path to java installation
 REM If the auto mode does not work then you can explicitly set the path to the Java install DLL 
 set PR_JVM=auto
-rem set PR_JVM=%JAVA_HOME%\bin\server\jvm.dll
-
+if /I "!CUSTOM_JAVA_HOME!" == "" goto SkipCustomJava
+set PR_JVM=%CUSTOM_JAVA_HOME%\bin\server\jvm.dll
+:SkipCustomJava
+
+SET PR_JVM_OPTS="-Dorg.apache.commons.logging.Log=org.openas2.logging.Log"
+if /I "!OPENAS2_PROPERTIES_FILE!" == "" goto SkipArgsAdd
+rem Add the property arg to JVM options
+echo Setting custom properties file for service startup: !OPENAS2_PROPERTIES_FILE!
+set PR_JVM_OPTS=%PR_JVM_OPTS% ++JvmOptions="-Dopenas2.properties.file=%OPENAS2_PROPERTIES_FILE%"
+:SkipArgsAdd
+setLocal DisableDelayedExpansion
+
 REM Startup configuration
 set PR_STARTUP=auto
 set PR_STARTMODE=jvm
 set PR_STARTCLASS=org.openas2.app.OpenAS2WindowsService
 set PR_STARTMETHOD=start
-REM 1 way to add multiple params for some systems where it seems the StartMethod does not work
-REM set PR_STARTPARAMS=start ++StartParams=%config_file%
-set PR_STARTPARAMS=%config_file%
+set PR_STARTPARAMS=%STARTUP_ARGS%
 
 REM Shutdown configuration
 set PR_STOPMODE=jvm
@@ -55,7 +71,11 @@ set PR_STOPPARAMS=stop
 
 REM  Add the below line into the install command if using a specific JVM
 REM  --JavaHome="%JAVA_HOME%" ^
-
+if /I "!CUSTOM_JAVA_HOME!" == "" goto SkipCustomJavaHome
+rem Add the property arg to JVM options
+echo Setting custom properties file for service startup: !OPENAS2_PROPERTIES_FILE!
+set CUSTOM_SERVICE_PARAMS=%CUSTOM_SERVICE_PARAMS% ++JavaHome="%CUSTOM_JAVA_HOME%"
+:SkipCustomJavaHome
 REM Make the folder accessible to the "Local Service" user running the servioce
 icacls "%OPENAS2_BASE_DIR%" /grant *S-1-5-19:(OI)(CI)(M)
 
@@ -73,15 +93,15 @@ REM Install service
   --JvmMs="%PR_JVMMS%" ^
   --JvmMx="%PR_JVMMX%" ^
   --JvmSs="%PR_JVMSS%" ^
-  --JvmOptions="-Dorg.apache.commons.logging.Log=org.openas2.logging.Log" ^
+  --JvmOptions=%PR_JVM_OPTS% ^
   --Classpath="%PR_CLASSPATH%" ^
   --StartMode="%PR_STARTMODE%" ^
   --StartMethod="%PR_STARTMETHOD%" ^
   --StartClass="%PR_STARTCLASS%" ^
   --StartParams=%PR_STARTPARAMS% ^
   --StopMode="%PR_STOPMODE%" ^
   --StopClass="%PR_STOPCLASS%" ^
-  --StopParams="stop"
+  --StopParams="stop" %CUSTOM_SERVICE_PARAMS%
 
 goto END
 

Server/src/bin/start-openas2.bat

@@ -20,6 +20,9 @@ rem set EXTRA_PARMS=%EXTRA_PARMS% -Dsun.net.http.allowRestrictedHeaders=true
 rem When using old (unsecure) certificates (please replace them!) that fail to load from the certificate store.
 rem set EXTRA_PARMS=%EXTRA_PARMS% -Dorg.bouncycastle.asn1.allow_unsafe_integer=true
 
+if [%OPENAS2_PROPERTIES_FILE%]==[]] goto skip_properties_file
+set EXTRA_PARMS=%EXTRA_PARMS% -Dopenas2.properties.file="%OPENAS2_PROPERTIES_FILE%"
+:skip_properties_file
 rem set EXTRA_PARMS=%EXTRA_PARMS% -Dhttps.protocols=TLSv1.2
 
 rem Uncomment any of the following for enhanced debug
@@ -44,7 +47,7 @@ set LIB_JARS=".!LIB_JARS!"
 setLocal disableDelayedExpansion
 rem  Include the bin dir so that commons-logging.properties is found
 set CLASSPATH=.;%LIB_JARS%;%OPENAS2_BASE_DIR%/bin
-rem echo Running: "%JAVA%" %EXTRA_PARMS%  -cp %CLASSPATH% org.openas2.app.OpenAS2Server "%OPENAS2_BASE_DIR%/config/config.xml"
+rem echo Running: "%JAVA%" %EXTRA_PARMS%  -cp .;%LIB_JARS% org.openas2.app.OpenAS2Server "%OPENAS2_BASE_DIR%/config/config.xml"
 "%JAVA%" %EXTRA_PARMS%  -cp .;%LIB_JARS% org.openas2.app.OpenAS2Server "%OPENAS2_BASE_DIR%/config/config.xml"
 
 :warn

Server/src/bin/start-openas2.sh

@@ -30,6 +30,11 @@ if [ -z $OPENAS2_CONFIG_FILE ]; then
 fi
 EXTRA_PARMS="$EXTRA_PARMS -Dopenas2.config.file=${OPENAS2_CONFIG_FILE}"
 
+# Set the properties file if set to a valid file
+if [ ! -z "$OPENAS2_PROPERTIES_FILE" ] && [ -f $OPENAS2_PROPERTIES_FILE ]; then
+  EXTRA_PARMS="$EXTRA_PARMS -Dopenas2.properties.file=${OPENAS2_PROPERTIES_FILE}"
+fi
+
 # For versions of Java that prevent restricted HTTP headers (see documentation for discussion on this)
 #EXTRA_PARMS="$EXTRA_PARMS -Dsun.net.http.allowRestrictedHeaders=true"
 
@@ -65,7 +70,7 @@ if [ -z $JAVA_HOME ]; then
 fi
 # Expand the classpath instead of using file globbing expansion in the java command as it seems to mess with Mailcap loading
 CLASSPATH=$(echo "${binDir}/../lib/"*".jar" | tr ' ' ':')
-# Include the bin dir so that icommons-logging.properties is always found
+# Include the bin dir so that commons-logging.properties is always found
 CLASSPATH=${CLASSPATH}:${binDir}
 CMD=$(echo "${JAVA_HOME}/bin/java ${PWD_OVERRIDE} ${EXTRA_PARMS} -cp .:${CLASSPATH} org.openas2.app.OpenAS2Server")
 echo