Different Keystore/Alias per partner

[sopgreg]

Hi,

we are currently using a different AS4 library (using the ENTSOG profile) and are experiencing a problem with phase4 as drop-in replacement:

The other library allows for different keystores/aliases per remote partner. In fact, all private keypairs are stored within one single JKS/PKCS12 file and the approriate alias is stored within the PMode per partner.

The same goes for the encryption keys (certifactes), which are all stored in one JKS/PKCS12 file and the appropriate alias per partner ist also stored in the PMode.

That's how we also built our GUI and storage around, which seemed fine so far.

With phase4, it seems there is only one global keystore set via org.apache.wss4j.crypto.merlin.keystore(.file|alias|password).

Is it possible to change this to a multi-alias behaviour? I tried something like this:

Phase4ENTSOGSender.builder()
   .cryptoFactory(xxx)

But I would actually only need to override the getKeyAlias depending on the partner. And what about the reception side for decryption?

Another approach, which would also be fine, could be to store a separate PKCS12 file per remote partner.

[phax]

Hi @sopgreg,

Please see #88 for a very similar discussion.
If you have further questions, don't hesitate to ask.

hth, Philip

[phax]

Without being in front of the code I think that looks feasible. The only thing I would change is to introduce a new interface IPModeAwareCertificateFactory with the new method, to keep backwards compatibility. That may lead to active CryptoFactory implementations nit being final - but that's a micro thingy...

Also I like the default crypto factories to be read-only for the sake of simplicity and thread management etc.

[sopgreg]

That was also something I was worried about, a new IPModeAwareCertificateFactory sounds fine for me, too. It would just require an instanceof check in the IPModeResolvedCallback, like (pseudocode):

new SOAPHeaderElementProcessorExtractEbms3Messaging (aPModeResolver, 
   pModeResolved -> if (aCryptoFactory instanceof IPModeAwareCertificateFactory cf) { cf.setContextPMode(pModeResolved)); }

Is the whole feature something you would consider adding to the main branch anytime soon, or would you expect a pull request?

[phax]

If you find time for a PR I would appreciate it - and I don't expect it to be perfect, but if it works for you, we can save the testing iteration :)

[sopgreg]

I created a PR with the changes which did work for us

[phax]

So PR #121 was merged and will be part of the 2.1.0 release