From 7fddcabaaea47006990a2149dbfcd3a722eea14a Mon Sep 17 00:00:00 2001 From: Thomas Burnett Date: Wed, 3 Sep 2025 10:28:56 +0200 Subject: [PATCH 1/3] Support for new test certificates --- .nais/ebms-async-dev.yaml | 7 ++++++- .nais/ebms-payload-dev.yaml | 13 +++++++++++-- .nais/ebms-provider-dev.yaml | 7 ++++++- .../no/nav/emottak/payload/crypto/Dekryptering.kt | 7 ++++++- .../nav/emottak/payload/crypto/PayloadSignering.kt | 7 ++++++- .../kotlin/no/nav/emottak/ebms/xml/EbMSSigning.kt | 7 ++++++- 6 files changed, 41 insertions(+), 7 deletions(-) diff --git a/.nais/ebms-async-dev.yaml b/.nais/ebms-async-dev.yaml index db6118be..df491bc0 100644 --- a/.nais/ebms-async-dev.yaml +++ b/.nais/ebms-async-dev.yaml @@ -68,8 +68,10 @@ spec: rules: - application: smtp-transport env: - - name: KEYSTORE_FILE + - name: KEYSTORE_FILE_SIGN_2022 value: /var/run/secrets/ebms-keystore-signering/signering-key.p12 + - name: KEYSTORE_FILE_SIGN_2025 + value: /var/run/secrets/ebms-keystore-signering-2025/signering-key.p12 - name: EMOTTAK_LOGGING_LEVEL value: DEBUG - name: MAX_CONNECTION_POOL_SIZE_FOR_USER @@ -100,6 +102,9 @@ spec: value: http://emottak-event-manager envFrom: - secret: ebms-payload-secret + - secret: ebms-keystore-pwd-2025 filesFrom: - secret: ebms-keystore-signering mountPath: /var/run/secrets/ebms-keystore-signering + - secret: ebms-keystore-sign-2025 + mountPath: /var/run/secrets/ebms-keystore-signering-2025 diff --git a/.nais/ebms-payload-dev.yaml b/.nais/ebms-payload-dev.yaml index 9eab9757..7ecab57e 100644 --- a/.nais/ebms-payload-dev.yaml +++ b/.nais/ebms-payload-dev.yaml 
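Review bot: Renaming `KEYSTORE_FILE` to `KEYSTORE_FILE_SIGN_2022` in the first ebms-async hunk only works if the code ebms-async runs reads the new name, and the Kotlin changes in this patch touch only ebms-payload and ebms-provider. If ebms-async has its own reader of `KEYSTORE_FILE` (not visible here), it would come up without a signing keystore path after this deploy, so it is worth confirming that it goes through `signeringConfig()` in EbMSSigning.kt. The second hunk relies on the `ebms-keystore-pwd-2025` secret supplying `KEYSTORE_PWD_2025`; a comment above that entry, `# provides KEYSTORE_PWD_2025 (password for the 2025 keystores)`, would make the dependency visible in the manifest.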
@@ -63,16 +63,25 @@ spec: webproxy: true envFrom: - secret: ebms-payload-secret + - secret: ebms-keystore-pwd-2025 filesFrom: - secret: ebms-payload-sign-keystore mountPath: /var/run/secrets/ebms-signing-keystore - secret: ebms-payload-enc-keystore mountPath: /var/run/secrets/ebms-encryption-keystore + - secret: ebms-keystore-sign-2025 + mountPath: /var/run/secrets/ebms-signing-keystore-2025 + - secret: ebms-keystore-enc-2025 + mountPath: /var/run/secrets/ebms-encryption-keystore-2025 env: - - name: KEYSTORE_FILE_DEKRYPT + - name: KEYSTORE_FILE_DEKRYPT_2022 value: /var/run/secrets/ebms-encryption-keystore/nav_encryption_test.p12 - - name: KEYSTORE_FILE_SIGN + - name: KEYSTORE_FILE_SIGN_2022 value: /var/run/secrets/ebms-signing-keystore/nav_signing_test.p12 + - name: KEYSTORE_FILE_DEKRYPT_2025 + value: /var/run/secrets/ebms-signing-keystore-2025/nav_encryption_test.p12 + - name: KEYSTORE_FILE_SIGN_2025 + value: /var/run/secrets/ebms-encryption-keystore-2025/nav_signing_test.p12 - name: EMOTTAK_LOGGING_LEVEL value: DEBUG - name: TRUSTSTORE_PATH diff --git a/.nais/ebms-provider-dev.yaml b/.nais/ebms-provider-dev.yaml index 6ae66687..6c4e87db 100644 --- a/.nais/ebms-provider-dev.yaml +++ b/.nais/ebms-provider-dev.yaml @@ -63,8 +63,10 @@ spec: - application: ebms-payload - application: ebms-send-in env: - - name: KEYSTORE_FILE + - name: KEYSTORE_FILE_SIGN_2022 value: /var/run/secrets/ebms-keystore-signering/signering-key.p12 + - name: KEYSTORE_FILE_SIGN_2025 + value: /var/run/secrets/ebms-keystore-signering-2025/signering-key.p12 - name: EMOTTAK_LOGGING_LEVEL value: DEBUG - name: CPA_REPO_URL @@ -77,6 +79,9 @@ spec: value: http://smtp-transport envFrom: - secret: ebms-payload-secret + - secret: ebms-keystore-pwd-2025 filesFrom: - secret: ebms-keystore-signering mountPath: /var/run/secrets/ebms-keystore-signering + - secret: ebms-keystore-sign-2025 + mountPath: /var/run/secrets/ebms-keystore-signering-2025 
diff --git a/ebms-payload/src/main/kotlin/no/nav/emottak/payload/crypto/Dekryptering.kt b/ebms-payload/src/main/kotlin/no/nav/emottak/payload/crypto/Dekryptering.kt index 387f096b..84ba6821 100644 --- a/ebms-payload/src/main/kotlin/no/nav/emottak/payload/crypto/Dekryptering.kt +++ b/ebms-payload/src/main/kotlin/no/nav/emottak/payload/crypto/Dekryptering.kt @@ -24,9 +24,14 @@ private fun dekrypteringConfig() = // Fixme burde egentlig hente fra dev vault context for å matche prod oppførsel listOf( FileKeyStoreConfig( - keyStoreFilePath = getEnvVar("KEYSTORE_FILE_DEKRYPT"), + keyStoreFilePath = getEnvVar("KEYSTORE_FILE_DEKRYPT_2022"), keyStorePass = getEnvVar("KEYSTORE_PWD").toCharArray(), keyStoreType = getEnvVar("KEYSTORE_TYPE", "PKCS12") + ), + FileKeyStoreConfig( + keyStoreFilePath = getEnvVar("KEYSTORE_FILE_DEKRYPT_2025"), + keyStorePass = getEnvVar("KEYSTORE_PWD_2025").toCharArray(), + keyStoreType = getEnvVar("KEYSTORE_TYPE", "PKCS12") ) ) "prod-fss" -> diff --git a/ebms-payload/src/main/kotlin/no/nav/emottak/payload/crypto/PayloadSignering.kt b/ebms-payload/src/main/kotlin/no/nav/emottak/payload/crypto/PayloadSignering.kt index 20857caa..6d21ebfc 100644 --- a/ebms-payload/src/main/kotlin/no/nav/emottak/payload/crypto/PayloadSignering.kt +++ b/ebms-payload/src/main/kotlin/no/nav/emottak/payload/crypto/PayloadSignering.kt @@ -26,9 +26,14 @@ fun payloadSigneringConfig() = // Fixme burde egentlig hente fra dev vault context for å matche prod oppførsel listOf( FileKeyStoreConfig( - keyStoreFilePath = getEnvVar("KEYSTORE_FILE_SIGN"), + keyStoreFilePath = getEnvVar("KEYSTORE_FILE_SIGN_2022"), keyStorePass = getEnvVar("KEYSTORE_PWD").toCharArray(), keyStoreType = getEnvVar("KEYSTORE_TYPE", "PKCS12") + ), + FileKeyStoreConfig( + keyStoreFilePath = getEnvVar("KEYSTORE_FILE_SIGN_2025"), + keyStorePass = getEnvVar("KEYSTORE_PWD_2025").toCharArray(), + keyStoreType = getEnvVar("KEYSTORE_TYPE", "PKCS12") ) ) "prod-fss" -> 
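Review bot: Both entries in the Dekryptering.kt hunk read their path and password through `getEnvVar(...)` with no default, so an environment that takes this branch but still exports only `KEYSTORE_FILE_DEKRYPT`, or lacks `KEYSTORE_PWD_2025`, will presumably fail when `dekrypteringConfig()` is evaluated instead of falling back to the 2022 keystore (what `getEnvVar` does on a missing variable is outside this hunk). Only the three `-dev.yaml` manifests are updated in this series and the branch label sits above the hunk, so please confirm no other environment reaches it. The same applies to the hunks in PayloadSignering.kt and EbMSSigning.kt. Once confirmed, I would add next to the Fixme line a comment such as `// Requires KEYSTORE_FILE_DEKRYPT_2022, KEYSTORE_FILE_DEKRYPT_2025, KEYSTORE_PWD and KEYSTORE_PWD_2025; startup fails if any is unset`.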
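Review bot: With two keystores in the list returned by `payloadSigneringConfig()`, nothing in this hunk determines which private key signs an outgoing payload; a list is natural for decryption, but a signer has to pick one certificate and receivers must trust that one. The selection happens outside the hunk, so please confirm it is deterministic and does not depend on list order or alias iteration. The same question applies to `signeringConfig()` in EbMSSigning.kt. If the 2022 entry is kept only for the transition, a comment above the second entry such as `// 2025 test certificate; drop the 2022 entry once it is no longer accepted` would record why both are loaded.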
diff --git a/ebms-provider/src/main/kotlin/no/nav/emottak/ebms/xml/EbMSSigning.kt b/ebms-provider/src/main/kotlin/no/nav/emottak/ebms/xml/EbMSSigning.kt index 5157dd6b..f4f7c253 100644 --- a/ebms-provider/src/main/kotlin/no/nav/emottak/ebms/xml/EbMSSigning.kt +++ b/ebms-provider/src/main/kotlin/no/nav/emottak/ebms/xml/EbMSSigning.kt @@ -30,9 +30,14 @@ fun signeringConfig() = // Fixme burde egentlig hente fra dev vault context for å matche prod oppførsel listOf( FileKeyStoreConfig( - keyStoreFilePath = getEnvVar("KEYSTORE_FILE"), + keyStoreFilePath = getEnvVar("KEYSTORE_FILE_SIGN_2022"), keyStorePass = getEnvVar("KEYSTORE_PWD").toCharArray(), keyStoreType = getEnvVar("KEYSTORE_TYPE", "PKCS12") + ), + FileKeyStoreConfig( + keyStoreFilePath = getEnvVar("KEYSTORE_FILE_SIGN_2025"), + keyStorePass = getEnvVar("KEYSTORE_PWD_2025").toCharArray(), + keyStoreType = getEnvVar("KEYSTORE_TYPE", "PKCS12") ) ) "prod-fss" -> From be3dee10c7fbba42f5748791b88e77f3c5f3cbfc Mon Sep 17 00:00:00 2001 From: Thomas Burnett Date: Wed, 3 Sep 2025 11:21:23 +0200 Subject: [PATCH 2/3] Support for new test certificates --- .nais/ebms-async-dev.yaml | 4 ++-- .nais/ebms-payload-dev.yaml | 4 ++-- .nais/ebms-provider-dev.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.nais/ebms-async-dev.yaml b/.nais/ebms-async-dev.yaml index df491bc0..a3191d32 100644 --- a/.nais/ebms-async-dev.yaml +++ b/.nais/ebms-async-dev.yaml @@ -71,7 +71,7 @@ spec: - name: KEYSTORE_FILE_SIGN_2022 value: /var/run/secrets/ebms-keystore-signering/signering-key.p12 - name: KEYSTORE_FILE_SIGN_2025 - value: /var/run/secrets/ebms-keystore-signering-2025/signering-key.p12 + value: /var/run/secrets/ebms-signing-keystore-2025/nav_signing_test.p12 - name: EMOTTAK_LOGGING_LEVEL value: DEBUG - name: MAX_CONNECTION_POOL_SIZE_FOR_USER 
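Review bot: The second `FileKeyStoreConfig(...)` block in the EbMSSigning.kt hunk repeats the first with two string literals changed, and the same pair is copied into Dekryptering.kt and PayloadSignering.kt, which makes it easy to pair a keystore file with the wrong password variable. A small file-private helper that takes the two variable names keeps the file/password pairing on one line per certificate generation. `signeringConfig()` starts and ends outside the hunk, so the sketch shows only the list and the helper.

```kotlin
// … unchanged: environment selection up to the dev branch …
            listOf(
                devKeyStore(fileVar = "KEYSTORE_FILE_SIGN_2022", passVar = "KEYSTORE_PWD"),
                devKeyStore(fileVar = "KEYSTORE_FILE_SIGN_2025", passVar = "KEYSTORE_PWD_2025")
            )
// … unchanged: "prod-fss" branch …

/** Builds one file-based keystore entry from the named path and password variables. */
private fun devKeyStore(fileVar: String, passVar: String) = FileKeyStoreConfig(
    keyStoreFilePath = getEnvVar(fileVar),
    keyStorePass = getEnvVar(passVar).toCharArray(),
    keyStoreType = getEnvVar("KEYSTORE_TYPE", "PKCS12")
)
```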
@@ -107,4 +107,4 @@ spec: - secret: ebms-keystore-signering mountPath: /var/run/secrets/ebms-keystore-signering - secret: ebms-keystore-sign-2025 - mountPath: /var/run/secrets/ebms-keystore-signering-2025 + mountPath: /var/run/secrets/ebms-signing-keystore-2025 diff --git a/.nais/ebms-payload-dev.yaml b/.nais/ebms-payload-dev.yaml index 7ecab57e..78f1f741 100644 --- a/.nais/ebms-payload-dev.yaml +++ b/.nais/ebms-payload-dev.yaml @@ -79,9 +79,9 @@ spec: - name: KEYSTORE_FILE_SIGN_2022 value: /var/run/secrets/ebms-signing-keystore/nav_signing_test.p12 - name: KEYSTORE_FILE_DEKRYPT_2025 - value: /var/run/secrets/ebms-signing-keystore-2025/nav_encryption_test.p12 + value: /var/run/secrets/ebms-encryption-keystore-2025/nav_encryption_test.p12 - name: KEYSTORE_FILE_SIGN_2025 - value: /var/run/secrets/ebms-encryption-keystore-2025/nav_signing_test.p12 + value: /var/run/secrets/ebms-signing-keystore-2025/nav_signing_test.p12 - name: EMOTTAK_LOGGING_LEVEL value: DEBUG - name: TRUSTSTORE_PATH diff --git a/.nais/ebms-provider-dev.yaml b/.nais/ebms-provider-dev.yaml index 6c4e87db..ee9f92ee 100644 --- a/.nais/ebms-provider-dev.yaml +++ b/.nais/ebms-provider-dev.yaml @@ -66,7 +66,7 @@ spec: - name: KEYSTORE_FILE_SIGN_2022 value: /var/run/secrets/ebms-keystore-signering/signering-key.p12 - name: KEYSTORE_FILE_SIGN_2025 - value: /var/run/secrets/ebms-keystore-signering-2025/signering-key.p12 + value: /var/run/secrets/ebms-signing-keystore-2025/nav_signing_test.p12 - name: EMOTTAK_LOGGING_LEVEL value: DEBUG - name: CPA_REPO_URL @@ -84,4 +84,4 @@ spec: - secret: ebms-keystore-signering mountPath: /var/run/secrets/ebms-keystore-signering - secret: ebms-keystore-sign-2025 - mountPath: /var/run/secrets/ebms-keystore-signering-2025 + mountPath: /var/run/secrets/ebms-signing-keystore-2025 From 8d1c5df86bd0dfee72b09ae9e298e201b0ae0d84 Mon Sep 17 00:00:00 2001 
From: Thomas Burnett Date: Wed, 3 Sep 2025 11:30:04 +0200 Subject: [PATCH 3/3] Support for new test certificates --- .nais/ebms-async-dev.yaml | 6 +++--- .nais/ebms-payload-dev.yaml | 10 ++++------ .nais/ebms-provider-dev.yaml | 6 +++--- 3 files changed, 10 insertions(+), 12 deletions(-) diff --git a/.nais/ebms-async-dev.yaml b/.nais/ebms-async-dev.yaml index a3191d32..f6d28c83 100644 --- a/.nais/ebms-async-dev.yaml +++ b/.nais/ebms-async-dev.yaml @@ -71,7 +71,7 @@ spec: - name: KEYSTORE_FILE_SIGN_2022 value: /var/run/secrets/ebms-keystore-signering/signering-key.p12 - name: KEYSTORE_FILE_SIGN_2025 - value: /var/run/secrets/ebms-signing-keystore-2025/nav_signing_test.p12 + value: /var/run/secrets/ebms-keystore-2025/nav_signing_test.p12 - name: EMOTTAK_LOGGING_LEVEL value: DEBUG - name: MAX_CONNECTION_POOL_SIZE_FOR_USER @@ -106,5 +106,5 @@ spec: filesFrom: - secret: ebms-keystore-signering mountPath: /var/run/secrets/ebms-keystore-signering - - secret: ebms-keystore-sign-2025 - mountPath: /var/run/secrets/ebms-signing-keystore-2025 + - secret: ebms-keystore-2025 + mountPath: /var/run/secrets/ebms-keystore-2025 diff --git a/.nais/ebms-payload-dev.yaml b/.nais/ebms-payload-dev.yaml index 78f1f741..f331c10d 100644 --- a/.nais/ebms-payload-dev.yaml +++ b/.nais/ebms-payload-dev.yaml 
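Review bot: Mounting the combined `ebms-keystore-2025` secret in the second ebms-async hunk gives the pod more key material than it references: the only path it uses is `nav_signing_test.p12`, while the ebms-payload manifest in this patch reads `nav_encryption_test.p12` from a mount of the same secret, so the secret apparently holds the decryption keystore as well. PATCH 1/3 had separate `ebms-keystore-sign-2025` and `ebms-keystore-enc-2025` secrets, which kept the decryption key out of pods that only sign. The same applies to the ebms-provider hunk of this patch. These are test certificates in dev, but if the layout is meant to mirror what other environments get, I would keep the split and mount only `- secret: ebms-keystore-sign-2025` here.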
@@ -69,19 +69,17 @@ spec: mountPath: /var/run/secrets/ebms-signing-keystore - secret: ebms-payload-enc-keystore mountPath: /var/run/secrets/ebms-encryption-keystore - - secret: ebms-keystore-sign-2025 - mountPath: /var/run/secrets/ebms-signing-keystore-2025 - - secret: ebms-keystore-enc-2025 - mountPath: /var/run/secrets/ebms-encryption-keystore-2025 + - secret: ebms-keystore-2025 + mountPath: /var/run/secrets/ebms-keystore-2025 env: - name: KEYSTORE_FILE_DEKRYPT_2022 value: /var/run/secrets/ebms-encryption-keystore/nav_encryption_test.p12 - name: KEYSTORE_FILE_SIGN_2022 value: /var/run/secrets/ebms-signing-keystore/nav_signing_test.p12 - name: KEYSTORE_FILE_DEKRYPT_2025 - value: /var/run/secrets/ebms-encryption-keystore-2025/nav_encryption_test.p12 + value: /var/run/secrets/ebms-keystore-2025/nav_encryption_test.p12 - name: KEYSTORE_FILE_SIGN_2025 - value: /var/run/secrets/ebms-signing-keystore-2025/nav_signing_test.p12 + value: /var/run/secrets/ebms-keystore-2025/nav_signing_test.p12 - name: EMOTTAK_LOGGING_LEVEL value: DEBUG - name: TRUSTSTORE_PATH diff --git a/.nais/ebms-provider-dev.yaml b/.nais/ebms-provider-dev.yaml index ee9f92ee..5d787371 100644 --- a/.nais/ebms-provider-dev.yaml +++ b/.nais/ebms-provider-dev.yaml @@ -66,7 +66,7 @@ spec: - name: KEYSTORE_FILE_SIGN_2022 value: /var/run/secrets/ebms-keystore-signering/signering-key.p12 - name: KEYSTORE_FILE_SIGN_2025 - value: /var/run/secrets/ebms-signing-keystore-2025/nav_signing_test.p12 + value: /var/run/secrets/ebms-keystore-2025/nav_signing_test.p12 - name: EMOTTAK_LOGGING_LEVEL value: DEBUG - name: CPA_REPO_URL @@ -83,5 +83,5 @@ spec: filesFrom: - secret: ebms-keystore-signering mountPath: /var/run/secrets/ebms-keystore-signering - - secret: ebms-keystore-sign-2025 - mountPath: /var/run/secrets/ebms-signing-keystore-2025 + - secret: ebms-keystore-2025 + mountPath: /var/run/secrets/ebms-keystore-2025