Merge remote-tracking branch

'origin/issue/395_New_D-Trust_Server_Root_CAs' into develop_2

Author: hhund

dsf-maven/dsf-maven-plugin/src/main/java/dev/dsf/maven/ca/DefaultCaFilesGenerator.java

@@ -59,15 +59,18 @@ private static final class X509CertificateHolder
 	{
 		final X509Certificate certificate;
 		final Predicate<String> isClientOnly;
+		final Predicate<String> isServerOnly;
 		final JcaX509CertificateHolder certificateHolder;
 
 		final List<X509CertificateHolder> children = new ArrayList<>();
 		X509CertificateHolder parent;
 
-		X509CertificateHolder(X509Certificate certificate, Predicate<String> isClientOnly)
+		X509CertificateHolder(X509Certificate certificate, Predicate<String> isClientOnly,
+				Predicate<String> isServerOnly)
 		{
 			this.certificate = certificate;
 			this.isClientOnly = isClientOnly;
+			this.isServerOnly = isServerOnly;
 
 			try
 			{
@@ -106,6 +109,12 @@ boolean isClientOnly()
 					: getChildren().stream().allMatch(X509CertificateHolder::isClientOnly);
 		}
 
+		boolean isServerOnly()
+		{
+			return getChildren().isEmpty() ? isServerOnly.test(getSubjectCommonName())
+					: getChildren().stream().allMatch(X509CertificateHolder::isServerOnly);
+		}
+
 		X500Name getSubject()
 		{
 			return certificateHolder.getSubject();
@@ -151,22 +160,26 @@ ZonedDateTime getNotBefore()
 	private final Path projectBasedir;
 	private final Path certFolder;
 	private final List<String> clientOnlyCaCommonNames;
+	private final List<String> serverOnlyCaCommonNames;
 
-	public DefaultCaFilesGenerator(Path projectBasedir, Path certFolder, List<String> clientOnlyCaCommonNames)
-			throws MojoExecutionException
+	public DefaultCaFilesGenerator(Path projectBasedir, Path certFolder, List<String> clientOnlyCaCommonNames,
+			List<String> serverOnlyCaCommonNames) throws MojoExecutionException
 	{
 		this.projectBasedir = projectBasedir;
 		this.certFolder = certFolder;
 		this.clientOnlyCaCommonNames = clientOnlyCaCommonNames;
+		this.serverOnlyCaCommonNames = serverOnlyCaCommonNames;
 
 		if (projectBasedir == null)
 			throw new MojoExecutionException("projectBasedir not defined");
 		if (certFolder == null)
 			throw new MojoExecutionException("certFolder not defined");
 		if (!Files.isReadable(certFolder))
 			throw new MojoExecutionException("certFolder '" + certFolder.toString() + "' not readable");
-		if (clientOnlyCaCommonNames == null || clientOnlyCaCommonNames.isEmpty())
-			throw new MojoExecutionException("clientOnlyCaCommonNames not defined or empty");
+		if (clientOnlyCaCommonNames == null)
+			throw new MojoExecutionException("clientOnlyCaCommonNames not defined");
+		if (serverOnlyCaCommonNames == null)
+			throw new MojoExecutionException("serverOnlyCaCommonNames not defined");
 	}
 
 	public void createFiles(Stream<Path> clientIssuingCas, Stream<Path> clientCaChains, Stream<Path> serverRootCas)
@@ -186,7 +199,7 @@ public void createFiles(Stream<Path> clientIssuingCas, Stream<Path> clientCaChai
 		if (iToWrite.isEmpty() && cToWrite.isEmpty() && sWrite.isEmpty())
 			return;
 
-		List<X509CertificateHolder> certificates = readCertificates(certFolder, clientOnlyCaCommonNames);
+		List<X509CertificateHolder> certificates = readCertificates();
 
 		try
 		{
@@ -215,14 +228,13 @@ private Predicate<Path> isDirectory(String logMessage)
 		};
 	}
 
-	private List<X509CertificateHolder> readCertificates(Path certFolder, List<String> clientOnlyCaCommonNames)
-			throws IOException
+	private List<X509CertificateHolder> readCertificates() throws IOException
 	{
 		List<X509CertificateHolder> certificates = new ArrayList<>();
 		try (DirectoryStream<Path> directoryStream = Files.newDirectoryStream(certFolder,
 				entry -> entry.getFileName().toString().endsWith(".pem")))
 		{
-			directoryStream.forEach(readCertificate(certificates, clientOnlyCaCommonNames));
+			directoryStream.forEach(readCertificate(certificates));
 		}
 
 		Map<X500Name, X509CertificateHolder> certificatesBySubject = certificates.stream()
@@ -232,16 +244,15 @@ private List<X509CertificateHolder> readCertificates(Path certFolder, List<Strin
 		return certificates;
 	}
 
-	private Consumer<? super Path> readCertificate(List<X509CertificateHolder> certificates,
-			List<String> clientOnlyCaCommonNames)
+	private Consumer<? super Path> readCertificate(List<X509CertificateHolder> certificates)
 	{
 		return file ->
 		{
 			try
 			{
 				logger.info("Reading certificate from {}", projectBasedir.relativize(file));
 				X509CertificateHolder certificate = new X509CertificateHolder(PemReader.readCertificate(file),
-						clientOnlyCaCommonNames::contains);
+						clientOnlyCaCommonNames::contains, serverOnlyCaCommonNames::contains);
 
 				if (!certificate.isCa())
 					throw new RuntimeException("Certificate in " + file.toString() + " is not a CA certificate");
@@ -274,6 +285,7 @@ private Consumer<? super Path> readCertificate(List<X509CertificateHolder> certi
 	private Consumer<Path> writeClientIssuingCas(List<X509CertificateHolder> certificates, String logMessage)
 	{
 		List<X509CertificateHolder> issuingCas = certificates.stream().filter(X509CertificateHolder::isIssuingCa)
+				.filter(Predicate.not(X509CertificateHolder::isServerOnly))
 				.sorted(Comparator.comparing(X509CertificateHolder::getSubjectCommonName)).toList();
 
 		return folder -> issuingCas.forEach(writeCert(folder, logMessage));
@@ -282,6 +294,7 @@ private Consumer<Path> writeClientIssuingCas(List<X509CertificateHolder> certifi
 	private Consumer<Path> writeClientCaChains(List<X509CertificateHolder> certificates, String logMessage)
 	{
 		List<X509CertificateHolder> caChains = certificates.stream().filter(X509CertificateHolder::isRoot)
+				.filter(Predicate.not(X509CertificateHolder::isServerOnly))
 				.sorted(Comparator.comparing(X509CertificateHolder::getSubjectCommonName)).flatMap(childern()).toList();
 
 		return folder -> caChains.forEach(writeCert(folder, logMessage));

dsf-maven/dsf-maven-plugin/src/main/java/dev/dsf/maven/ca/GenerateDefaultCaFilesMojo.java

@@ -45,6 +45,9 @@ public class GenerateDefaultCaFilesMojo extends AbstractMojo
 	@Parameter(property = "dsf.clientOnlyCaCommonNames", required = true)
 	private List<String> clientOnlyCaCommonNames;
 
+	@Parameter(property = "dsf.serverOnlyCaCommonNames", required = true)
+	private List<String> serverOnlyCaCommonNames;
+
 	@Parameter(property = "dsf.clientIssuingCas", required = true)
 	private List<File> clientIssuingCas;
 
@@ -60,15 +63,16 @@ public void execute() throws MojoExecutionException, MojoFailureException
 		getLog().debug("projectBasedir: " + projectBasedir);
 		getLog().debug("certFolder: " + certFolder);
 		getLog().debug("clientOnlyCaCommonNames: " + clientOnlyCaCommonNames);
+		getLog().debug("serverOnlyCaCommonNames: " + serverOnlyCaCommonNames);
 		getLog().debug("clientIssuingCas: " + clientIssuingCas);
 		getLog().debug("clientCaChains: " + clientCaChains);
 		getLog().debug("serverRootCas: " + serverRootCas);
 
 		try
 		{
-			new DefaultCaFilesGenerator(projectBasedir.toPath(), certFolder.toPath(), clientOnlyCaCommonNames)
-					.createFiles(clientIssuingCas.stream().map(File::toPath), clientCaChains.stream().map(File::toPath),
-							serverRootCas.stream().map(File::toPath));
+			new DefaultCaFilesGenerator(projectBasedir.toPath(), certFolder.toPath(), clientOnlyCaCommonNames,
+					serverOnlyCaCommonNames).createFiles(clientIssuingCas.stream().map(File::toPath),
+							clientCaChains.stream().map(File::toPath), serverRootCas.stream().map(File::toPath));
 		}
 		catch (IOException e)
 		{

pom.xml

@@ -858,6 +858,14 @@
 								HARICA S/MIME RSA
 							</clientOnlyCaCommonName>
 						</clientOnlyCaCommonNames>
+						<serverOnlyCaCommonNames>
+							<serverOnlyCaCommonName>
+								D-TRUST BR Root CA 1 2020
+							</serverOnlyCaCommonName>
+							<serverOnlyCaCommonName>
+								D-TRUST BR Root CA 2 2023
+							</serverOnlyCaCommonName>
+						</serverOnlyCaCommonNames>
 					</configuration>
 				</plugin>
 				<!--This plugin's configuration is used to store Eclipse m2e settings only. It has no influence on the Maven build itself.-->

src/main/resources/cert/D-TRUST_BR_Root_CA_1_2020.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2zCCAmCgAwIBAgIQfMmPK4TX3+oPyWWa00tNljAKBggqhkjOPQQDAzBIMQsw
+CQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRS
+VVNUIEJSIFJvb3QgQ0EgMSAyMDIwMB4XDTIwMDIxMTA5NDUwMFoXDTM1MDIxMTA5
+NDQ1OVowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEiMCAG
+A1UEAxMZRC1UUlVTVCBCUiBSb290IENBIDEgMjAyMDB2MBAGByqGSM49AgEGBSuB
+BAAiA2IABMbLxyjR+4T1mu9CFCDhQ2tuda38KwOE1HaTJddZO0Flax7mNCq7dPYS
+zuht56vkPE4/RAiLzRZxy7+SmfSk1zxQVFKQhYN4lGdnoxwJGT11NIXe7WB9xwy0
+QVK5buXuQqOCAQ0wggEJMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHOREKv/
+VbNafAkl1bK6CKBrqx9tMA4GA1UdDwEB/wQEAwIBBjCBxgYDVR0fBIG+MIG7MD6g
+PKA6hjhodHRwOi8vY3JsLmQtdHJ1c3QubmV0L2NybC9kLXRydXN0X2JyX3Jvb3Rf
+Y2FfMV8yMDIwLmNybDB5oHegdYZzbGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5l
+dC9DTj1ELVRSVVNUJTIwQlIlMjBSb290JTIwQ0ElMjAxJTIwMjAyMCxPPUQtVHJ1
+c3QlMjBHbWJILEM9REU/Y2VydGlmaWNhdGVyZXZvY2F0aW9ubGlzdDAKBggqhkjO
+PQQDAwNpADBmAjEAlJAtE/rhY/hhY+ithXhUkZy4kzg+GkHaQBZTQgjKL47xPoFW
+wKrY7RjEsK70PvomAjEA8yjixtsrmfu3Ubgko6SUeho/5jbiA1czijDLgsfWFBHV
+dWNbFJWcHwHP2NVypw87
+-----END CERTIFICATE-----

src/main/resources/cert/D-TRUST_BR_Root_CA_2_2023.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFqTCCA5GgAwIBAgIQczswBEhb2U14LnNLyaHcZjANBgkqhkiG9w0BAQ0FADBI
+MQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlE
+LVRSVVNUIEJSIFJvb3QgQ0EgMiAyMDIzMB4XDTIzMDUwOTA4NTYzMVoXDTM4MDUw
+OTA4NTYzMFowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEi
+MCAGA1UEAxMZRC1UUlVTVCBCUiBSb290IENBIDIgMjAyMzCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAK7/CVmRgApKaOYkP7in5Mg6CjoWzckjYaCTcfKr
+i3OPoGdlYNJUa2NRb0kz4HIHE304zQaSBylSa053bATTlfrdTIzZXcFhfUvnKLNE
+gXtRr90zsWh81k5M/itoucpmacTsXld/9w3HnDY25QdgrMBM6ghs7wZ8T1soegj8
+k12b9py0i4a6Ibn08OhZWiihNIQaJZG2tY/vsvmA+vk9PBFy2OMvhnbFeSzBqZCT
+Rphny4NqoFAjpzv2gTng7fC5v2Xx2Mt6++9zA84A9H3X4F07ZrjcjrqDy4d2A/wl
+2ecjbwb9Z/Pg/4S8R7+1FhhGaRTMBffb00msa8yr5LULQyReS2tNZ9/WtT5PeB+U
+cSTq3nD88ZP+npNa5JRal1QMNXtfbO4AHyTsA7oC9Xb0n9Sa7YUsOCIvx9gvdhFP
+/Wxc6PWOJ4d/GUohR5AdeY0cW/jPSoXk7bNbjb7EZChdQcRurDhaTyN0dKkSw/bS
+uREVMweR2Ds3OmMwBtHFIjYoYiMQ4EbMl6zWK11kJNXuHA7e+whadSr2Y23OC0K+
+0bpwHJwh5Q8xaRfX/Aq03u2AnMuStIv13lmiWAmlY0cL4UEyNEHZmrHZqLAbWt4N
+DfTisl01gLmB1IRpkQLLddCNxbU9CZEJjxShFHR5PtbJFR2kWVki3PaKRT08EtY+
+XTIvAgMBAAGjgY4wgYswDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUZ5Dw1t61
+GNVGKX5cq/ieCLxklRAwDgYDVR0PAQH/BAQDAgEGMEkGA1UdHwRCMEAwPqA8oDqG
+OGh0dHA6Ly9jcmwuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfYnJfcm9vdF9jYV8y
+XzIwMjMuY3JsMA0GCSqGSIb3DQEBDQUAA4ICAQA097N3U9swFrktpSHxQCF16+tI
+FoE9c+CeJyrrd6kTpGoKWloUMz1oH4Guaf2Mn2VsNELZLdB/eBaxOqwjMa1ef67n
+riv6uvw8l5VAk1/DLQOj7aRvU9f6QA4w9QAgLABMjDu0ox+2v5Eyq6+SmNMW5tTR
+VFxDWy6u71cqqLRvpO8NVhTaIasgdp4D/Ca4nj8+AybmTNudX0KEPUUDAxxZiMrc
+LmEkWqTqJwtzEr5SswrPMhfiHocaFpVIbVrg0M8JkiZmkdijYQ6qgYF/6FKC0ULn
+4B0Y+qSFNueG4A3rvNTJ1jxD8V1Jbn6Bm2m1iWKPiFLY1/4nwSPFyysCu7Ff/vtD
+hQNGvl3GyiEm/9cCnnRK3PgTFbGBVzbLZVzRHTF36SXDw7IyN9XxmAnkbWOACKsG
+koHU6XCPpz+y7YaMgmo1yEJagtFSGkUPFaUA8JR7ZSdXOUPPfH/mvTWze/EZTN46
+ls/pdu4D58JDUjxqgejBWoC9EV2Ta/vH5mQ/u2kc6d0li690yVRAysuTEwrt+2aS
+Ecr1wPrYg1UDfNPFIkZ1cGt5SAYqgpq/5usWDiJFAbzdNpQ0qTUmiteXue4Icr80
+knCDgKs4qllo3UCkGJCy89UDyibK79XH4I9TjvAA46jtn/mtd+ArY0+ew+43u3gJ
+hJ65bvspmZDogNOfJA==
+-----END CERTIFICATE-----