Fix the tls version parameter and add a cipher parameter (#139)

Fix the tls version parameter and add a cipher parameter

# Checklist

The following aspects have been respected by the author of this pull
request, confirmed by both pull request assignee **and** reviewer:

* Adherence to coding conventions
  * [x] Pull Request Assignee
  * [x] Reviewer
* Adherence to javadoc conventions
  * [x] Pull Request Assignee
  * [x] Reviewer
* Changelog update (necessity checked and entry added or not added
respectively)
  * [x] Pull Request Assignee
  * [x] Reviewer
* README update (necessity checked and entry added or not added
respectively)
  * [x] Pull Request Assignee
  * [x] Reviewer
* config update (necessity checked and entry added or not added
respectively)
  * [x] Pull Request Assignee
  * [x] Reviewer
* SDCcc executable ran against a test device (if necessary)
  * [x] Pull Request Assignee
  * [x] Reviewer

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - a command line parameter to change the log level threshold of the log file
+- a parameter in a config file to specify the ciphers being used in the TLS protocol
 
 ### Changed
 
@@ -24,6 +25,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - potential NullPointerException in DescriptionModificationUptPrecondition
 - the test case for Glue:R0036_0 not accepting a SOAPFault as a valid answer for Subscribe messages
 - ReportWriter.write() could be called with ReportTypes it did not support.
+- the SDCcc.TLS.EnabledProtocols parameter being ignored for the internal TLS configuration
 
 ## [8.0.1] - 2023-09-13
 

README.md

@@ -63,6 +63,9 @@ Different combinations can be used to establish a connection:
 * participant_public, participant_private and ca_certificate
 * participant_public, participant_private and truststore
 
+Optionally the TLS protocol versions to be enabled can be specified as well as the ciphers to be enabled for
+the TLS protocol. An example can be found in configuration/config.toml, the values there are also the default values.
+
 ### Network setup
 To select the network interface that should be used, the interface address can be set under
 ```

configuration/config.toml

@@ -11,6 +11,18 @@ KeyStorePassword="whatever"
 TrustStorePassword="whatever"
 ParticipantPrivatePassword="dummypass"
 EnabledProtocols = ["TLSv1.2", "TLSv1.3"]
+EnabledCiphers = [
+    # TLS 1.2
+    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+    # TLS 1.3
+    "TLS_AES_128_GCM_SHA256",
+    "TLS_AES_256_GCM_SHA384",
+]
 
 [SDCcc.Network]
 InterfaceAddress="127.0.0.1"

sdccc/src/main/java/com/draeger/medical/sdccc/configuration/DefaultTestSuiteConfig.java

@@ -1,6 +1,6 @@
 /*
  * This Source Code Form is subject to the terms of the MIT License.
- * Copyright (c) 2023 Draegerwerk AG & Co. KGaA.
+ * Copyright (c) 2023, 2024 Draegerwerk AG & Co. KGaA.
  *
  * SPDX-License-Identifier: MIT
  */
@@ -47,6 +47,18 @@ void configureTLS() {
         bind(TestSuiteConfig.TRUST_STORE_PASSWORD, String.class, "");
         bind(TestSuiteConfig.PARTICIPANT_PRIVATE_PASSWORD, String.class, "");
         bind(TestSuiteConfig.TLS_ENABLED_PROTOCOLS, String[].class, new String[] {"TLSv1.2", "TLSv1.3"});
+        bind(TestSuiteConfig.TLS_ENABLED_CIPHERS, String[].class, new String[] {
+            // TLS 1.2
+            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+            // TLS 1.3
+            "TLS_AES_128_GCM_SHA256",
+            "TLS_AES_256_GCM_SHA384",
+        });
     }
 
     void configureNetwork() {

sdccc/src/main/java/com/draeger/medical/sdccc/configuration/TestSuiteConfig.java

@@ -1,6 +1,6 @@
 /*
  * This Source Code Form is subject to the terms of the MIT License.
- * Copyright (c) 2023 Draegerwerk AG & Co. KGaA.
+ * Copyright (c) 2023, 2024 Draegerwerk AG & Co. KGaA.
  *
  * SPDX-License-Identifier: MIT
  */
@@ -35,6 +35,7 @@ public final class TestSuiteConfig {
     public static final String TRUST_STORE_PASSWORD = SDCCC + TLS + "TrustStorePassword";
     public static final String PARTICIPANT_PRIVATE_PASSWORD = SDCCC + TLS + "ParticipantPrivatePassword";
     public static final String TLS_ENABLED_PROTOCOLS = SDCCC + TLS + "EnabledProtocols";
+    public static final String TLS_ENABLED_CIPHERS = SDCCC + TLS + "EnabledCiphers";
 
     /*
      * Network configuration

sdccc/src/main/java/com/draeger/medical/sdccc/sdcri/testclient/TestClientUtil.java

@@ -59,20 +59,26 @@ public class TestClientUtil {
      * @param localAddressResolver           resolver for getting the local address to use
      * @param multicastTTL                   TTL for multicast packets used in Discovery.
      *                                       Values from 1 to 255 are valid.
+     * @param enabledTlsProtocols            TLS protocol versions to be enabled
+     * @param enabledCiphers                 ciphers to be enabled
      */
     @Inject
     public TestClientUtil(
             final CryptoSettings cryptoSettings,
             final CommunicationLogMessageStorage communicationLogMessageStorage,
             final TestRunObserver testRunObserver,
             final LocalAddressResolver localAddressResolver,
-            @Named(TestSuiteConfig.NETWORK_MULTICAST_TTL) final Long multicastTTL) {
+            @Named(TestSuiteConfig.NETWORK_MULTICAST_TTL) final Long multicastTTL,
+            @Named(TestSuiteConfig.TLS_ENABLED_PROTOCOLS) final String[] enabledTlsProtocols,
+            @Named(TestSuiteConfig.TLS_ENABLED_CIPHERS) final String[] enabledCiphers) {
 
         injector = createClientInjector(List.of(
                 new AbstractConfigurationModule() {
                     @Override
                     protected void defaultConfigure() {
                         bind(CryptoConfig.CRYPTO_SETTINGS, CryptoSettings.class, cryptoSettings);
+                        bind(CryptoConfig.CRYPTO_TLS_ENABLED_VERSIONS, String[].class, enabledTlsProtocols);
+                        bind(CryptoConfig.CRYPTO_TLS_ENABLED_CIPHERS, String[].class, enabledCiphers);
                         bind(
                                 CryptoConfig.CRYPTO_CLIENT_HOSTNAME_VERIFIER,
                                 HostnameVerifier.class,

sdccc/src/main/java/com/draeger/medical/sdccc/sdcri/testprovider/TestProviderUtil.java

@@ -1,12 +1,13 @@
 /*
  * This Source Code Form is subject to the terms of the MIT License.
- * Copyright (c) 2023 Draegerwerk AG & Co. KGaA.
+ * Copyright (c) 2023, 2024 Draegerwerk AG & Co. KGaA.
  *
  * SPDX-License-Identifier: MIT
  */
 
 package com.draeger.medical.sdccc.sdcri.testprovider;
 
+import com.draeger.medical.sdccc.configuration.TestSuiteConfig;
 import com.draeger.medical.sdccc.messages.MessageStorage;
 import com.draeger.medical.sdccc.sdcri.CommunicationLogMessageStorage;
 import com.google.inject.AbstractModule;
@@ -15,6 +16,7 @@
 import com.google.inject.Injector;
 import com.google.inject.assistedinject.FactoryModuleBuilder;
 import com.google.inject.util.Modules;
+import javax.inject.Named;
 import javax.net.ssl.HostnameVerifier;
 import org.somda.sdc.biceps.guice.DefaultBicepsConfigModule;
 import org.somda.sdc.biceps.guice.DefaultBicepsModule;
@@ -43,10 +45,15 @@ public class TestProviderUtil {
      *
      * @param cryptoSettings                 crypto setting
      * @param communicationLogMessageStorage connector to the {@linkplain MessageStorage} to write to
+     * @param enabledTlsProtocols            TLS protocol versions to be enabled
+     * @param enabledCiphers                 ciphers to be enabled
      */
     @Inject
     public TestProviderUtil(
-            final CryptoSettings cryptoSettings, final CommunicationLogMessageStorage communicationLogMessageStorage) {
+            final CryptoSettings cryptoSettings,
+            final CommunicationLogMessageStorage communicationLogMessageStorage,
+            @Named(TestSuiteConfig.TLS_ENABLED_PROTOCOLS) final String[] enabledTlsProtocols,
+            @Named(TestSuiteConfig.TLS_ENABLED_CIPHERS) final String[] enabledCiphers) {
         injector = Guice.createInjector(Modules.override(
                         new DefaultCommonConfigModule(),
                         new DefaultGlueModule(),
@@ -60,6 +67,8 @@ public TestProviderUtil(
                             protected void customConfigure() {
                                 super.customConfigure();
                                 bind(CryptoConfig.CRYPTO_SETTINGS, CryptoSettings.class, cryptoSettings);
+                                bind(CryptoConfig.CRYPTO_TLS_ENABLED_VERSIONS, String[].class, enabledTlsProtocols);
+                                bind(CryptoConfig.CRYPTO_TLS_ENABLED_CIPHERS, String[].class, enabledCiphers);
                                 bind(
                                         CryptoConfig.CRYPTO_DEVICE_HOSTNAME_VERIFIER,
                                         HostnameVerifier.class,