Merge branch 'main' into develop

# Conflicts:
#	pom.xml
#	src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java
#	src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/AlgorithmHelper.java
#	src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CmsEncryptorBase.java
#	src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSignVerifier.java
#	src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSigner.java
#	src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/TrustCredentialAdapter.java
#	src/main/java/com/siemens/pki/cmpracomponent/msggeneration/PkiMessageGenerator.java
#	src/main/java/com/siemens/pki/cmpracomponent/msgvalidation/MessageBodyValidator.java
#	src/main/java/com/siemens/pki/cmpracomponent/persistency/PersistencyContext.java
#	src/main/java/com/siemens/pki/cmpracomponent/persistency/PersistencyContextManager.java
#	src/main/java/com/siemens/pki/cmpracomponent/persistency/TransactionStateTracker.java
#	src/test/java/com/siemens/pki/cmpracomponent/test/framework/TestCertUtility.java

Author: ZMaradics

CHANGELOG.md

@@ -128,7 +128,7 @@ feat: implement configurable recipient
 
 fix: extension processing in CMP client
 
-### 4.1.0 (Dec 14 2023)
+### 4.1.0 (Dec 14 2024)
 
 feat: revocation checking via inventory interface
 

pom.xml

@@ -8,16 +8,16 @@
 	<groupId>com.siemens.pki</groupId>
 	<artifactId>CmpRaComponent</artifactId>
 	<packaging>jar</packaging>
-	<version>4.3.0-SNAPSHOT</version>
+	<version>4.2.0_PQ</version>
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<parent.basedir>.</parent.basedir>
-		<spotless.version>3.0.0</spotless.version>
-		<jacoco.version>0.8.14</jacoco.version>
+		<spotless.version>2.46.1</spotless.version>
+		<jacoco.version>0.8.13</jacoco.version>
 		<source.version>3.3.1</source.version>
-		<maven.compiler.source>25</maven.compiler.source>
-		<maven.compiler.target>25</maven.compiler.target>
-		<maven-failsafe-plugin.version>3.5.4</maven-failsafe-plugin.version>
+		<maven.compiler.source>11</maven.compiler.source>
+		<maven.compiler.target>11</maven.compiler.target>
+		<maven-failsafe-plugin.version>3.0.0-M3</maven-failsafe-plugin.version>
 		<maven-site-plugin.version>3.8.2</maven-site-plugin.version>
 		<sonar.organization>siemens</sonar.organization>
 		<sonar.host.url>https://sonarcloud.io</sonar.host.url>
@@ -44,7 +44,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-dependency-plugin</artifactId>
-				<version>3.9.0</version>
+				<version>3.8.1</version>
 				<executions>
 					<execution>
 						<id>copy-dependencies</id>
@@ -83,7 +83,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
-				<version>3.5.4</version>
+				<version>3.5.3</version>
 				<configuration>
 					<excludes>
 						<exclude>**/local/**</exclude>
@@ -93,7 +93,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>3.12.0</version>
+				<version>3.11.3</version>
 				<executions>
 					<execution>
 						<id>javadoc-jar</id>
@@ -118,7 +118,7 @@
 							<include>src/test/java/**/*.java</include>
 						</includes>
 						<palantirJavaFormat>
-							<version>2.80.0</version>
+							<version>2.39.0</version>
 						</palantirJavaFormat>
 						<importOrder />
 						<removeUnusedImports />
@@ -130,7 +130,7 @@
 			<plugin>
 				<groupId>org.owasp</groupId>
 				<artifactId>dependency-check-maven</artifactId>
-				<version>12.1.8</version>
+				<version>12.1.3</version>
 				<executions>
 					<execution>
 						<goals>
@@ -236,12 +236,12 @@
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcprov-jdk18on</artifactId>
-			<version>1.82</version>
+			<version>1.81</version>
 		</dependency>
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcpkix-jdk18on</artifactId>
-			<version>1.82</version>
+			<version>1.81</version>
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
@@ -251,12 +251,17 @@
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>
-			<version>2.19.1</version>
+			<version>2.20.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.dataformat</groupId>
 			<artifactId>jackson-dataformat-yaml</artifactId>
-			<version>2.19.1</version>
+			<version>2.20.0</version>
+		</dependency>
+		<dependency>
+			<groupId>org.jacoco</groupId>
+			<artifactId>jacoco-maven-plugin</artifactId>
+			<version>${jacoco.version}</version>
 		</dependency>
 		<dependency>
 			<!--		Indirect dependency of jacoco-maven-plugin. We add this one

src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java

@@ -72,7 +72,7 @@ class ValidatorAndProtector {
 
         private final MessageHeaderValidator headerValidator;
 
-        private final ValidatorIF<String> bodyValidator;
+        private final ValidatorIF<Boolean> bodyValidator;
 
         private final VerificationContext inputVerification;
 

src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java

@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2025 Siemens AG
+ *  Copyright (c) 2023 Siemens AG
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
  *  not use this file except in compliance with the License.
@@ -40,12 +40,10 @@
 import com.siemens.pki.cmpracomponent.protection.ProtectionProvider;
 import com.siemens.pki.cmpracomponent.protection.SignatureBasedProtection;
 import com.siemens.pki.cmpracomponent.util.MessageDumper;
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -63,6 +61,7 @@
 import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers;
 import org.bouncycastle.asn1.cmp.CRLSource;
 import org.bouncycastle.asn1.cmp.CRLStatus;
+import org.bouncycastle.asn1.cmp.CertOrEncCert;
 import org.bouncycastle.asn1.cmp.CertRepMessage;
 import org.bouncycastle.asn1.cmp.CertReqTemplateContent;
 import org.bouncycastle.asn1.cmp.CertResponse;
@@ -76,6 +75,7 @@
 import org.bouncycastle.asn1.cmp.PKIStatus;
 import org.bouncycastle.asn1.cmp.RevRepContent;
 import org.bouncycastle.asn1.cmp.RootCaKeyUpdateContent;
+import org.bouncycastle.asn1.cms.ContentInfo;
 import org.bouncycastle.asn1.cms.EnvelopedData;
 import org.bouncycastle.asn1.crmf.AttributeTypeAndValue;
 import org.bouncycastle.asn1.crmf.CertId;
@@ -89,17 +89,28 @@
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.asn1.x509.Time;
+import org.bouncycastle.cms.CMSEnvelopedData;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.RecipientInformation;
+import org.bouncycastle.cms.RecipientInformationStore;
+import org.bouncycastle.cms.jcajce.JceKEMEnvelopedRecipient;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-/** a CMP client implementation */
+/**
+ * a CMP client implementation
+ *
+ */
 public class CmpClient
         implements CrlUpdateRetrievalHandler,
                 GetCaCertificatesHandler,
                 GetCertificateRequestTemplateHandler,
                 GetRootCaCertificateUpdateHandler {
-    /** result of an enrollment transaction */
+    /**
+     * result of an enrollment transaction
+     *
+     */
     public interface EnrollmentResult {
         /**
          * get enrolled certificate
@@ -109,7 +120,8 @@ public interface EnrollmentResult {
         X509Certificate getEnrolledCertificate();
 
         /**
-         * get certificate chain (1st intermediate certificate up to root certificate) of the enrolled certificate
+         * get certificate chain (1st intermediate certificate up to root certificate)
+         * of the enrolled certificate
          *
          * @return the certificate chain of the enrolled certificate
          */
@@ -134,11 +146,17 @@ public interface EnrollmentResult {
     /**
      * ctor
      *
-     * @param certProfile certificate profile to be used for enrollment. <code>null</code> if no certificate profile
-     *     should be used.
-     * @param upstreamExchange the {@link UpstreamExchange} interface implemented by the wrapping application.
-     * @param upstreamConfiguration configuration for the upstream CMP interface towards the CA
-     * @param clientContext client specific configuration
+     * @param certProfile           certificate profile to be used for enrollment.
+     *                              <code>null</code> if no certificate profile
+     *                              should be used.
+     *
+     * @param upstreamExchange      the {@link UpstreamExchange} interface
+     *                              implemented by the wrapping application.
+     *
+     * @param upstreamConfiguration configuration for the upstream CMP interface
+     *                              towards the CA
+     *
+     * @param clientContext         client specific configuration
      * @throws Exception in case of error
      */
     public CmpClient(
@@ -180,7 +198,9 @@ private Extension fetchSubjectAlternativeName(final X509Certificate cert) {
         return ret.length > 0 ? ret[0] : null;
     }
 
-    /** invoke a Get CA certificates GENM request {@inheritDoc} */
+    /**
+     * invoke a Get CA certificates GENM request {@inheritDoc}
+     */
     @Override
     public List<X509Certificate> getCaCertificates() {
         final PKIBody requestBody = new PKIBody(
@@ -205,7 +225,9 @@ public List<X509Certificate> getCaCertificates() {
         return null;
     }
 
-    /** invoke a Get certificate request template GENM request {@inheritDoc} */
+    /**
+     * invoke a Get certificate request template GENM request {@inheritDoc}
+     */
     @Override
     public byte[] getCertificateRequestTemplate() {
         final PKIBody requestBody = new PKIBody(
@@ -283,12 +305,11 @@ public List<X509CRL> getCrls(
                             if (infoValue == null) {
                                 return null;
                             }
-                            final CertificateFactory certificateFactory = CertUtility.getCertificateFactory();
                             final ASN1Sequence crls = ASN1Sequence.getInstance(infoValue);
                             final List<X509CRL> ret = new ArrayList<>(crls.size());
                             for (final ASN1Encodable aktCrl : crls) {
-                                ret.add((X509CRL) certificateFactory.generateCRL(new ByteArrayInputStream(
-                                        aktCrl.toASN1Primitive().getEncoded())));
+                                ret.add(CertUtility.parseCrl(
+                                        aktCrl.toASN1Primitive().getEncoded()));
                             }
                             return ret;
                         }
@@ -302,7 +323,9 @@ public List<X509CRL> getCrls(
         return null;
     }
 
-    /** invoke a Get root CA certificate update GENM request {@inheritDoc} */
+    /**
+     * invoke a Get root CA certificate update GENM request {@inheritDoc}
+     */
     @Override
     public RootCaCertificateUpdateResponse getRootCaCertificateUpdate(final X509Certificate oldRootCaCertificate) {
 
@@ -479,8 +502,33 @@ public EnrollmentResult invokeEnrollment() {
                 return null;
             }
             final CertifiedKeyPair certifiedKeyPair = certResponse.getCertifiedKeyPair();
-            final CMPCertificate enrolledCertificate =
-                    certifiedKeyPair.getCertOrEncCert().getCertificate();
+            CertOrEncCert certOrEncCert = certifiedKeyPair.getCertOrEncCert();
+            CMPCertificate enrolledCertificate = null;
+            if (certOrEncCert.hasEncryptedCertificate()) {
+                JceKEMEnvelopedRecipient jkr = new JceKEMEnvelopedRecipient(certificateKeypair.getPrivate());
+                EnvelopedData envelopedData =
+                        (EnvelopedData) certOrEncCert.getEncryptedCert().getValue();
+                final CMSEnvelopedData cmsEnvelopedData = new CMSEnvelopedData(
+                        new ContentInfo(envelopedData.getEncryptedContentInfo().getContentType(), envelopedData));
+                final RecipientInformationStore recipients = cmsEnvelopedData.getRecipientInfos();
+                for (RecipientInformation recipient : recipients.getRecipients()) {
+                    // in case of multiple recipients we try until we find a
+                    // recipient fitting our key
+                    try {
+                        byte[] content = recipient.getContent(jkr);
+                        enrolledCertificate = CMPCertificate.getInstance(content);
+                        break;
+                    } catch (CMSException ex) {
+                        LOGGER.debug("unable to decrypt recipient, try next", ex);
+                    }
+                }
+            } else {
+                enrolledCertificate = certOrEncCert.getCertificate();
+            }
+            if (enrolledCertificate == null) {
+                LOGGER.error("could not extract enrolled certificate from response");
+                return null;
+            }
 
             if (enrollmentType != PKIBody.TYPE_P10_CERT_REQ && enrolledPrivateKey == null) {
                 // central key generation in place, decrypt private key

src/main/java/com/siemens/pki/cmpracomponent/configuration/SignatureCredentialContext.java

@@ -43,6 +43,17 @@ public interface SignatureCredentialContext extends CredentialContext {
      */
     PrivateKey getPrivateKey();
 
+    /**
+     * provide the alternative private key for the end certificate, see X.509 (2019)
+     * section 9.8
+     *
+     * @return private key for first certificate returned by
+     *         {@link #getCertificateChain()}
+     */
+    default PrivateKey getAlternativePrivateKey() {
+        return null;
+    }
+
     /**
      * provide name or OID of signature algorithm, see <a
      * href=https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#signature-algorithms>Signature