SecurityUtils.java

/*
 * GovWay - A customizable API Gateway 
 * https://govway.org
 * 
 * Copyright (c) 2005-2025 Link.it srl (https://link.it).
 * 
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3, as published by
 * the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */
package org.openspcoop2.security.message.utils;

import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;

import org.apache.commons.lang.StringUtils;
import org.openspcoop2.core.config.MessageSecurityFlowParameter;
import org.openspcoop2.core.config.PortaApplicativa;
import org.openspcoop2.core.config.PortaDelegata;
import org.openspcoop2.core.constants.CostantiProprieta;
import org.openspcoop2.security.keystore.MerlinProvider;
import org.openspcoop2.security.message.constants.SecurityConstants;
import org.openspcoop2.utils.certificate.KeystoreParams;

/**     
 * SecurityUtils
 *
 * @author Poli Andrea (poli@link.it)
 * @author $Author$
 * @version $Rev$, $Date$
 */
public class SecurityUtils {
    
    private SecurityUtils() {}

    public static List<KeystoreParams> readRequestKeystoreParams(PortaApplicativa porta) {
        List<KeystoreParams> listKP = new ArrayList<>();
        if(porta!=null && porta.getMessageSecurity()!=null && porta.getMessageSecurity().getRequestFlow()!=null &&
                porta.getMessageSecurity().getRequestFlow().sizeParameterList()>0) {
            readStoreParams(listKP, porta.getMessageSecurity().getRequestFlow().getParameterList());
        }
        return listKP;
    }
    
    public static List<KeystoreParams> readResponseKeystoreParams(PortaApplicativa porta) {
        List<KeystoreParams> listKP = new ArrayList<>();
        if(porta!=null && porta.getMessageSecurity()!=null && porta.getMessageSecurity().getResponseFlow()!=null &&
                porta.getMessageSecurity().getResponseFlow().sizeParameterList()>0) {
            readStoreParams(listKP, porta.getMessageSecurity().getResponseFlow().getParameterList());
        }
        return listKP;
    }
    
    public static List<KeystoreParams> readRequestKeystoreParams(PortaDelegata porta) {
        List<KeystoreParams> listKP = new ArrayList<>();
        if(porta!=null && porta.getMessageSecurity()!=null && porta.getMessageSecurity().getRequestFlow()!=null &&
                porta.getMessageSecurity().getRequestFlow().sizeParameterList()>0) {
            readStoreParams(listKP, porta.getMessageSecurity().getRequestFlow().getParameterList());
        }
        return listKP;
    }
    
    public static List<KeystoreParams> readResponseKeystoreParams(PortaDelegata porta) {
        List<KeystoreParams> listKP = new ArrayList<>();
        if(porta!=null && porta.getMessageSecurity()!=null && porta.getMessageSecurity().getResponseFlow()!=null &&
                porta.getMessageSecurity().getResponseFlow().sizeParameterList()>0) {
            readStoreParams(listKP, porta.getMessageSecurity().getResponseFlow().getParameterList());
        }
        return listKP;
    }
    
    private static void readStoreParams(List<KeystoreParams> listKP, List<MessageSecurityFlowParameter> list) {
        
        readKestoreParamsJose(listKP, list);
        readTruststoreParamsJoseTls(listKP, list);
        readTruststoreParamsJoseUseHeaders(listKP, list);
        readKeystoreParamsJoseUseHeaders(listKP, list);
        
        readKeystoreParamsMerlin(listKP, list);
        
    }
    
    
    // JOSE
    
    private static void readKestoreParamsJose(List<KeystoreParams> listKP, List<MessageSecurityFlowParameter> list) {
        String pathJose = readProperty(list, SecurityConstants.JOSE_KEYSTORE_FILE);
        if(pathJose!=null && StringUtils.isNotEmpty(pathJose)) {
            // jose
            KeystoreParams kp = new KeystoreParams();
            kp.setPath(pathJose);
            kp.setType(readProperty(list, SecurityConstants.JOSE_KEYSTORE_TYPE));
            kp.setPassword(readProperty(list, SecurityConstants.JOSE_KEYSTORE_PSWD));
            
            kp.setCrls(readProperty(list, SecurityConstants.JOSE_KEYSTORE_CRL));
            kp.setOcspPolicy(readProperty(list, SecurityConstants.JOSE_KEYSTORE_OCSP_POLICY));
            
            kp.setByokPolicy(readProperty(list, SecurityConstants.JOSE_KEYSTORE_BYOK_POLICY));
            
            kp.setKeyAlias(readProperty(list, SecurityConstants.JOSE_KEYSTORE_KEY_ALIAS));
            kp.setKeyPassword(readProperty(list, SecurityConstants.JOSE_KEYSTORE_KEY_PSWD));
            
            kp.setKeyPairPublicKeyPath(readProperty(list, SecurityConstants.JOSE_KEYSTORE_PUBLIC_KEY));
            kp.setKeyPairAlgorithm(readProperty(list, SecurityConstants.JOSE_KEYSTORE_KEY_ALGORITHM));
            
            listKP.add(kp);
        }
    }
    
    private static void readTruststoreParamsJoseTls(List<KeystoreParams> listKP, List<MessageSecurityFlowParameter> list) {
        String pathJose = readProperty(list, SecurityConstants.JOSE_TRUSTSTORE_SSL_FILE);
        if(pathJose!=null && StringUtils.isNotEmpty(pathJose)) {
            // jose
            KeystoreParams kp = new KeystoreParams();
            kp.setPath(pathJose);
            kp.setType(readProperty(list, SecurityConstants.JOSE_TRUSTSTORE_SSL_TYPE));
            kp.setPassword(readProperty(list, SecurityConstants.JOSE_TRUSTSTORE_SSL_PSWD));
            
            kp.setCrls(readProperty(list, SecurityConstants.JOSE_TRUSTSTORE_SSL_CRL));
            kp.setOcspPolicy(readProperty(list, SecurityConstants.JOSE_TRUSTSTORE_SSL_OCSP));
            
            kp.setDescription("TLS TrustStore");
            
            listKP.add(kp);
        }
    }
    
    private static void readTruststoreParamsJoseUseHeaders(List<KeystoreParams> listKP, List<MessageSecurityFlowParameter> list) {
        String pathJose = readProperty(list, SecurityConstants.JOSE_USE_HEADERS_TRUSTSTORE_FILE);
        if(pathJose!=null && StringUtils.isNotEmpty(pathJose)) {
            // jose
            KeystoreParams kp = new KeystoreParams();
            kp.setPath(pathJose);
            kp.setType(readProperty(list, SecurityConstants.JOSE_USE_HEADERS_TRUSTSTORE_TYPE));
            kp.setPassword(readProperty(list, SecurityConstants.JOSE_USE_HEADERS_TRUSTSTORE_PASSWORD));
            
            kp.setCrls(readProperty(list, SecurityConstants.JOSE_USE_HEADERS_TRUSTSTORE_CRL));
            kp.setOcspPolicy(readProperty(list, SecurityConstants.JOSE_USE_HEADERS_TRUSTSTORE_OCSP));
            
            kp.setKeyPairAlgorithm(readProperty(list, SecurityConstants.JOSE_USE_HEADERS_TRUSTSTORE_KEY_PAIR_ALGORITHM));
            
            kp.setDescription("TrustStore Certificati X.509");
            
            listKP.add(kp);
        }    
    }
    
    private static void readKeystoreParamsJoseUseHeaders(List<KeystoreParams> listKP, List<MessageSecurityFlowParameter> list) {
        String pathJose = readProperty(list, SecurityConstants.JOSE_USE_HEADERS_KEYSTORE_FILE);
        if(pathJose!=null && StringUtils.isNotEmpty(pathJose)) {
            
            for (int i = 1; i < 11; i++) {
            
                String user = readProperty(list, SecurityConstants.JOSE_USE_HEADERS_KEYSTORE_MAP_ALIAS_PW+i+SecurityConstants.JOSE_USE_HEADERS_KEYSTORE_MAP_ALIAS_PW_SUFFIX_ALIAS);
                if(user!=null) {
                    // jose
                    KeystoreParams kp = new KeystoreParams();
                    kp.setPath(pathJose);
                    kp.setType(readProperty(list, SecurityConstants.JOSE_USE_HEADERS_KEYSTORE_TYPE));
                    kp.setPassword(readProperty(list, SecurityConstants.JOSE_USE_HEADERS_KEYSTORE_PASSWORD));
                    
                    kp.setKeyAlias(user);
                    kp.setKeyPassword(readProperty(list, SecurityConstants.JOSE_USE_HEADERS_KEYSTORE_MAP_ALIAS_PW+i+SecurityConstants.JOSE_USE_HEADERS_KEYSTORE_MAP_ALIAS_PW_SUFFIX_PW));
                    
                    kp.setDescription("KeyStore Certificati X.509");
                    
                    listKP.add(kp);
                }
                
            }
            
        }    
    }
    
    
    // MERLIN
    
    private static void readKeystoreParamsMerlin(List<KeystoreParams> listKP, List<MessageSecurityFlowParameter> list) {
        
        String prefix = readPrefix(list);
        if(prefix==null || StringUtils.isEmpty(prefix)) {
            return;
        }
        
        String pathKeystore = readProperty(list, prefix+org.apache.wss4j.common.crypto.Merlin.KEYSTORE_FILE);
        if(pathKeystore==null || StringUtils.isEmpty(pathKeystore)) {
            pathKeystore = readProperty(list, prefix+org.apache.wss4j.common.crypto.Merlin.OLD_KEYSTORE_FILE);
        }
        
        if(pathKeystore!=null && StringUtils.isNotEmpty(pathKeystore)) {
            readKeystoreParamsMerlin(listKP, list, prefix, pathKeystore);
        }    
    }
    private static void readKeystoreParamsMerlin(List<KeystoreParams> listKP, List<MessageSecurityFlowParameter> list, String prefix, String pathKeystore) {
        KeystoreParams kp = new KeystoreParams();
        kp.setPath(pathKeystore);
        
        String keyStoreType = readProperty(list, prefix+org.apache.wss4j.common.crypto.Merlin.KEYSTORE_TYPE);
        if (keyStoreType == null) {
            keyStoreType = KeyStore.getDefaultType();
        }
        kp.setType(keyStoreType);
        kp.setPassword(readProperty(list, prefix+org.apache.wss4j.common.crypto.Merlin.KEYSTORE_PASSWORD));
        
        String crlLocations = readProperty(list, prefix+org.apache.wss4j.common.crypto.Merlin.X509_CRL_FILE);
        if (crlLocations == null || StringUtils.isEmpty(crlLocations)) {
            crlLocations = readProperty(list, SecurityConstants.SIGNATURE_CRL);
        }
        kp.setCrls(crlLocations);
        kp.setOcspPolicy(readProperty(list, SecurityConstants.SIGNATURE_OCSP));
        
        String keyStoreByokPolicy = readProperty(list, prefix+org.apache.wss4j.common.crypto.Merlin.KEYSTORE_FILE+MerlinProvider.SUFFIX_BYOK);
        if (keyStoreByokPolicy == null || StringUtils.isEmpty(keyStoreByokPolicy)) {
            keyStoreByokPolicy = readProperty(list, prefix+org.apache.wss4j.common.crypto.Merlin.OLD_KEYSTORE_FILE+MerlinProvider.SUFFIX_BYOK);
        }
        kp.setByokPolicy(keyStoreByokPolicy);
        
        listKP.add(kp);
        
        readKeystoreAliasParamsMerlin(list, kp);
    }
    private static void readKeystoreAliasParamsMerlin(List<MessageSecurityFlowParameter> list, KeystoreParams kp) {
        if(readKeystoreSignatureAliasParamsMerlin(list,  kp)) {
            return;
        }
        if(readKeystoreEncryptAliasParamsMerlin(list, kp)) {
            return;
        }
        if(readKeystoreUserAliasParamsMerlin(list, kp)) {
            /**return;*/
        }
    }
    private static boolean readKeystoreSignatureAliasParamsMerlin(List<MessageSecurityFlowParameter> list, KeystoreParams kp) {
        String alias = readProperty(list, SecurityConstants.SIGNATURE_USER);
        if (alias != null && StringUtils.isNotEmpty(alias)) {
            kp.setKeyAlias(alias);
            kp.setKeyPassword(readProperty(list, SecurityConstants.SIGNATURE_PASSWORD));
            return true;
        }
        return false;
    }
    private static boolean readKeystoreEncryptAliasParamsMerlin(List<MessageSecurityFlowParameter> list, KeystoreParams kp) {   
        String alias = readProperty(list, SecurityConstants.ENCRYPTION_USER);
        if (alias != null && StringUtils.isNotEmpty(alias)) {
            kp.setKeyAlias(alias);
            String pwd = readProperty(list, SecurityConstants.ENCRYPTION_PASSWORD);
            if (pwd == null || StringUtils.isEmpty(pwd)) {
                pwd = readProperty(list, SecurityConstants.DECRYPTION_PASSWORD);
            }
            kp.setKeyPassword(pwd);
            return true;
        }
        
        alias = readProperty(list, SecurityConstants.DECRYPTION_USER);
        if (alias != null && StringUtils.isNotEmpty(alias)) {
            kp.setKeyAlias(alias);
            String pwd = readProperty(list, SecurityConstants.DECRYPTION_PASSWORD);
            if (pwd == null || StringUtils.isEmpty(pwd)) {
                pwd = readProperty(list, SecurityConstants.ENCRYPTION_PASSWORD);
            }
            kp.setKeyPassword(pwd);
            return true;
        }
        return false;
    }
    private static boolean readKeystoreUserAliasParamsMerlin(List<MessageSecurityFlowParameter> list, KeystoreParams kp) {  
        
        String alias = readProperty(list, SecurityConstants.USER);
        if (alias != null && StringUtils.isNotEmpty(alias)) {
            kp.setKeyAlias(alias);
            String pwd = readProperty(list, SecurityConstants.SIGNATURE_PASSWORD);
            if (pwd == null || StringUtils.isEmpty(pwd)) {
                pwd = readProperty(list, SecurityConstants.ENCRYPTION_PASSWORD);
            }
            if (pwd == null || StringUtils.isEmpty(pwd)) {
                pwd = readProperty(list, SecurityConstants.DECRYPTION_PASSWORD);
            }
            kp.setKeyPassword(pwd);
            return true;
        }
        return false;
    }
    
    private static String readPrefix(List<MessageSecurityFlowParameter> list) {
        if(list==null || list.isEmpty()) {
            return null;
        }
        String prefix = null;
        for (MessageSecurityFlowParameter p : list) {
            String propKey = p.getNome();
            if (startsWith(propKey,org.apache.wss4j.common.crypto.Merlin.PREFIX)) {
                prefix = org.apache.wss4j.common.crypto.Merlin.PREFIX;
                return prefix;
            } else if (startsWith(propKey,org.apache.wss4j.common.crypto.Merlin.OLD_PREFIX)) {
                prefix = org.apache.wss4j.common.crypto.Merlin.OLD_PREFIX;
                return prefix;
            }
        }
        return prefix;
    }
    private static boolean startsWith(String propKey, String check) {
        return propKey.startsWith(check)
                ||
                (propKey.contains(CostantiProprieta.KEY_PROPERTIES_CUSTOM_SEPARATOR) && isStartsWithConfidentialPropertyCustomSeparator(propKey,check))
                ||
                (propKey.contains(CostantiProprieta.KEY_PROPERTIES_DEFAULT_SEPARATOR) && isStartsWithConfidentialPropertyDefaultSeparator(propKey,check));
    }
    
    
    // UTILITY
    
    private static String readProperty(List<MessageSecurityFlowParameter> list, String name) {
        if(list!=null && !list.isEmpty()) {
            for (MessageSecurityFlowParameter messageSecurityFlowParameter : list) {
                if(isProperty(messageSecurityFlowParameter, name)) {
                    if(messageSecurityFlowParameter.getValore()!=null && StringUtils.isNotEmpty(messageSecurityFlowParameter.getValore())) {
                        return messageSecurityFlowParameter.getValore();
                    }
                    return null;
                }
            }
        }
        return null;
    }
    private static boolean isProperty(MessageSecurityFlowParameter messageSecurityFlowParameter, String name) {
        return (messageSecurityFlowParameter.getNome()!=null && 
                (
                        messageSecurityFlowParameter.getNome().equals(name)
                        ||
                        (messageSecurityFlowParameter.getNome().contains(CostantiProprieta.KEY_PROPERTIES_CUSTOM_SEPARATOR) && isConfidentialPropertyCustomSeparator(messageSecurityFlowParameter.getNome(),name))
                        ||
                        (messageSecurityFlowParameter.getNome().contains(CostantiProprieta.KEY_PROPERTIES_DEFAULT_SEPARATOR) && isConfidentialPropertyDefaultSeparator(messageSecurityFlowParameter.getNome(),name))
                )
        );
    }   
    private static boolean isConfidentialPropertyCustomSeparator(String nome, String check) {
        String [] tmp = nome.split(CostantiProprieta.KEY_PROPERTIES_CUSTOM_SEPARATOR);
        return (tmp!=null && tmp.length>1 && tmp[1]!=null &&
            tmp[1].equals(check));
    }
    private static boolean isConfidentialPropertyDefaultSeparator(String nome, String check) {
        String [] tmp = nome.split(CostantiProprieta.KEY_PROPERTIES_DEFAULT_SEPARATOR);
        return (tmp!=null && tmp.length>1 && tmp[1]!=null &&
            tmp[1].equals(check)) ;
    }
    private static boolean isStartsWithConfidentialPropertyCustomSeparator(String nome, String check) {
        String [] tmp = nome.split(CostantiProprieta.KEY_PROPERTIES_CUSTOM_SEPARATOR);
        return (tmp!=null && tmp.length>1 && tmp[1]!=null &&
            tmp[1].startsWith(check));
    }
    private static boolean isStartsWithConfidentialPropertyDefaultSeparator(String nome, String check) {
        String [] tmp = nome.split(CostantiProprieta.KEY_PROPERTIES_DEFAULT_SEPARATOR);
        return (tmp!=null && tmp.length>1 && tmp[1]!=null &&
            tmp[1].startsWith(check)) ;
    }
}