datasharingframework · hhund · Sep 5, 2025 · Aug 27, 2025 · Aug 27, 2025 · Aug 31, 2025
diff --git a/.gitignore b/.gitignore
@@ -21,7 +21,8 @@ dsf-bpe/dsf-bpe-server-jetty/cert/*.key
 dsf-bpe/dsf-bpe-server-jetty/conf/config.properties
 dsf-bpe/dsf-bpe-server-jetty/docker/api/v1/*.jar
 dsf-bpe/dsf-bpe-server-jetty/docker/api/v2/*.jar
-dsf-bpe/dsf-bpe-server-jetty/docker/ca/*.pem
+dsf-bpe/dsf-bpe-server-jetty/docker/ca/client_ca_chains/*.crt
+dsf-bpe/dsf-bpe-server-jetty/docker/ca/server_root_cas/*.crt
 dsf-bpe/dsf-bpe-server-jetty/docker/dsf_bpe.jar
 dsf-bpe/dsf-bpe-server-jetty/docker/dsf_status_client.jar
 dsf-bpe/dsf-bpe-server-jetty/docker/lib/*.jar
@@ -32,8 +33,10 @@ dsf-bpe/dsf-bpe-server-jetty/ui
 ###
 # dsf-docker ignore
 ###
-dsf-docker/bpe_proxy/ca/*.pem
-dsf-docker/fhir_proxy/ca/*.pem
+dsf-docker/bpe_proxy/ca/client_ca_chains/*.crt
+dsf-docker/bpe_proxy/ca/client_issuing_cas/*.crt
+dsf-docker/fhir_proxy/ca/client_ca_chains/*.crt
+dsf-docker/fhir_proxy/ca/client_issuing_cas/*.crt
 
 ###
 # dsf-docker-test-setup ignores
@@ -98,25 +101,10 @@ dsf-fhir/dsf-fhir-server-jetty/cert/*.crt
 dsf-fhir/dsf-fhir-server-jetty/cert/*.key
 dsf-fhir/dsf-fhir-server-jetty/conf/bundle.xml
 dsf-fhir/dsf-fhir-server-jetty/conf/config.properties
-dsf-fhir/dsf-fhir-server-jetty/docker/ca/*.pem
+dsf-fhir/dsf-fhir-server-jetty/docker/ca/client_ca_chains/*.crt
+dsf-fhir/dsf-fhir-server-jetty/docker/ca/server_root_cas/*.crt
 dsf-fhir/dsf-fhir-server-jetty/docker/dsf_fhir.jar
 dsf-fhir/dsf-fhir-server-jetty/docker/dsf_status_client.jar
 dsf-fhir/dsf-fhir-server-jetty/docker/lib/*.jar
 dsf-fhir/dsf-fhir-server-jetty/ui
-dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/bundle.xml
-
-###
-# dsf-tools ignores
-###
-dsf-tools/dsf-tools-default-ca-files-generator/cert/*.pem
-
-dsf-tools/dsf-tools-test-data-generator/bundle/*.xml
-
-dsf-tools/dsf-tools-test-data-generator/cert/**/*.pem
-dsf-tools/dsf-tools-test-data-generator/cert/**/*.key
-dsf-tools/dsf-tools-test-data-generator/cert/**/*.crt
-dsf-tools/dsf-tools-test-data-generator/cert/**/*.csr
-dsf-tools/dsf-tools-test-data-generator/cert/**/*.p12
-dsf-tools/dsf-tools-test-data-generator/cert/thumbprints.txt
-
-dsf-tools/dsf-tools-test-data-generator/config/*.properties
+dsf-fhir/dsf-fhir-validation/src/main/resources/fhir/bundle.xml
diff --git a/dsf-bpe/dsf-bpe-process-api-v1-impl/pom.xml b/dsf-bpe/dsf-bpe-process-api-v1-impl/pom.xml
@@ -64,10 +64,22 @@
 
 	<build>
 		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<configuration>
+					<testCompilerArgument>-proc:none</testCompilerArgument>
+				</configuration>
+			</plugin>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-dependency-plugin</artifactId>
 				<executions>
+					<execution>
+						<goals>
+							<goal>properties</goal>
+						</goals>
+					</execution>
 					<execution>
 						<id>copy-api-v1-dependencies-to-docker</id>
 						<phase>pre-integration-test</phase>
@@ -187,6 +199,13 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-surefire-plugin</artifactId>
+				<configuration>
+					<argLine>-javaagent:${org.mockito:mockito-core:jar}</argLine>
+				</configuration>
+			</plugin>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-clean-plugin</artifactId>

diff --git a/dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/ProcessPluginApiImpl.java b/dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/ProcessPluginApiImpl.java
@@ -12,6 +12,7 @@
 import dev.dsf.bpe.v2.service.DataLogger;
 import dev.dsf.bpe.v2.service.DsfClientProvider;
 import dev.dsf.bpe.v2.service.EndpointProvider;
+import dev.dsf.bpe.v2.service.FhirClientConfigProvider;
 import dev.dsf.bpe.v2.service.FhirClientProvider;
 import dev.dsf.bpe.v2.service.MailService;
 import dev.dsf.bpe.v2.service.MimeTypeService;
@@ -30,6 +31,7 @@ public class ProcessPluginApiImpl implements ProcessPluginApi, InitializingBean
 	private final FhirContext fhirContext;
 	private final DsfClientProvider dsfClientProvider;
 	private final FhirClientProvider fhirClientProvider;
+	private final FhirClientConfigProvider fhirClientConfigProvider;
 	private final OidcClientProvider oidcClientProvider;
 	private final MailService mailService;
 	private final MimeTypeService mimeTypeService;
@@ -45,9 +47,9 @@ public class ProcessPluginApiImpl implements ProcessPluginApi, InitializingBean
 
 	public ProcessPluginApiImpl(ProxyConfig proxyConfig, EndpointProvider endpointProvider, FhirContext fhirContext,
 			DsfClientProvider dsfClientProvider, FhirClientProvider fhirClientProvider,
-			OidcClientProvider oidcClientProvider, MailService mailService, MimeTypeService mimeTypeService,
-			ObjectMapper objectMapper, OrganizationProvider organizationProvider,
-			ProcessAuthorizationHelper processAuthorizationHelper,
+			FhirClientConfigProvider fhirClientConfigProvider, OidcClientProvider oidcClientProvider,
+			MailService mailService, MimeTypeService mimeTypeService, ObjectMapper objectMapper,
+			OrganizationProvider organizationProvider, ProcessAuthorizationHelper processAuthorizationHelper,
 			QuestionnaireResponseHelper questionnaireResponseHelper, ReadAccessHelper readAccessHelper,
 			TaskHelper taskHelper, CryptoService cryptoService, TargetProvider targetProvider, DataLogger dataLogger)
 	{
@@ -56,6 +58,7 @@ public ProcessPluginApiImpl(ProxyConfig proxyConfig, EndpointProvider endpointPr
 		this.fhirContext = fhirContext;
 		this.dsfClientProvider = dsfClientProvider;
 		this.fhirClientProvider = fhirClientProvider;
+		this.fhirClientConfigProvider = fhirClientConfigProvider;
 		this.oidcClientProvider = oidcClientProvider;
 		this.mailService = mailService;
 		this.mimeTypeService = mimeTypeService;
@@ -78,6 +81,7 @@ public void afterPropertiesSet() throws Exception
 		Objects.requireNonNull(fhirContext, "fhirContext");
 		Objects.requireNonNull(dsfClientProvider, "dsfClientProvider");
 		Objects.requireNonNull(fhirClientProvider, "fhirClientProvider");
+		Objects.requireNonNull(fhirClientConfigProvider, "fhirClientConfigProvider");
 		Objects.requireNonNull(oidcClientProvider, "oidcClientProvider");
 		Objects.requireNonNull(mailService, "mailService");
 		Objects.requireNonNull(mimeTypeService, "mimeTypeService");
@@ -122,6 +126,12 @@ public FhirClientProvider getFhirClientProvider()
 		return fhirClientProvider;
 	}
 
+	@Override
+	public FhirClientConfigProvider getFhirClientConfigProvider()
+	{
+		return fhirClientConfigProvider;
+	}
+
 	@Override
 	public OidcClientProvider getOidcClientProvider()
 	{

diff --git a/...f-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/client/fhir/FhirClientFactory.java b/...f-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/client/fhir/FhirClientFactory.java
@@ -222,6 +222,7 @@ public int getConnectTimeout()
 	}
 
 	@Override
+	@Deprecated
 	public ServerValidationModeEnum getServerValidationModeEnum()
 	{
 		return getServerValidationMode();
@@ -294,6 +295,7 @@ public void setProxyCredentials(String theUsername, String thePassword)
 	}
 
 	@Override
+	@Deprecated
 	public void setServerValidationModeEnum(ServerValidationModeEnum theServerValidationMode)
 	{
 		throw notSupported();

diff --git a/...rocess-api-v2-impl/src/main/java/dev/dsf/bpe/v2/service/FhirClientConfigProviderImpl.java b/...rocess-api-v2-impl/src/main/java/dev/dsf/bpe/v2/service/FhirClientConfigProviderImpl.java
@@ -0,0 +1,89 @@
+package dev.dsf.bpe.v2.service;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+import javax.net.ssl.SSLContext;
+
+import org.springframework.beans.factory.InitializingBean;
+
+import de.hsheilbronn.mi.utils.crypto.context.SSLContextFactory;
+import dev.dsf.bpe.v2.client.fhir.ClientConfig;
+import dev.dsf.bpe.v2.client.fhir.ClientConfigs;
+
+public class FhirClientConfigProviderImpl implements FhirClientConfigProvider, InitializingBean
+{
+	private final Map<String, ClientConfig> clientConfigsByFhirServerId = new HashMap<>();
+	private final KeyStore defaultTrustStore;
+
+	public FhirClientConfigProviderImpl(KeyStore defaultTrustStore, ClientConfigs clientConfigs)
+	{
+		this.defaultTrustStore = defaultTrustStore;
+
+		if (clientConfigs != null)
+			clientConfigsByFhirServerId.putAll(clientConfigs.getConfigs().stream()
+					.collect(Collectors.toMap(ClientConfig::getFhirServerId, Function.identity())));
+	}
+
+	@Override
+	public void afterPropertiesSet() throws Exception
+	{
+		Objects.requireNonNull(defaultTrustStore, "defaultTrustStore");
+	}
+
+	@Override
+	public SSLContext createDefaultSslContext()
+	{
+		try
+		{
+			return SSLContextFactory.createSSLContext(defaultTrustStore);
+		}
+		catch (UnrecoverableKeyException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException e)
+		{
+			throw new RuntimeException(e);
+		}
+	}
+
+	@Override
+	public KeyStore createDefaultTrustStore()
+	{
+		try
+		{
+			char[] password = UUID.randomUUID().toString().toCharArray();
+			ByteArrayOutputStream out = new ByteArrayOutputStream();
+			defaultTrustStore.store(out, password);
+
+			KeyStore store = KeyStore.getInstance(defaultTrustStore.getType(), defaultTrustStore.getProvider());
+			store.load(new ByteArrayInputStream(out.toByteArray()), password);
+
+			return store;
+		}
+		catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e)
+		{
+			throw new RuntimeException(e);
+		}
+	}
+
+	@Override
+	public Optional<ClientConfig> getClientConfig(String fhirServerId)
+	{
+		if (fhirServerId == null || fhirServerId.isBlank())
+			return Optional.empty();
+
+		return Optional.ofNullable(clientConfigsByFhirServerId.get(fhirServerId));
+	}
+}
diff --git a/...hirClientProviderWithEndpointSupport.java → ...entConfigProviderWithEndpointSupport.java b/...hirClientProviderWithEndpointSupport.java → ...entConfigProviderWithEndpointSupport.java
@@ -2,43 +2,36 @@
 
 import java.security.KeyStore;
 import java.time.Duration;
-import java.util.Objects;
 import java.util.Optional;
 import java.util.function.Function;
 
-import org.springframework.beans.factory.InitializingBean;
+import javax.net.ssl.SSLContext;
 
-import ca.uhn.fhir.rest.client.api.IGenericClient;
 import dev.dsf.bpe.api.config.FhirClientConfig;
 import dev.dsf.bpe.v2.client.fhir.ClientConfig;
 
-public class FhirClientProviderWithEndpointSupport implements FhirClientProvider, InitializingBean
+public class FhirClientConfigProviderWithEndpointSupport implements FhirClientConfigProvider
 {
 	private final EndpointProvider endpointProvider;
-	private final FhirClientProviderImpl delegate;
+	private final FhirClientConfigProvider delegate;
 
-	public FhirClientProviderWithEndpointSupport(EndpointProvider endpointProvider, FhirClientProviderImpl delegate)
+	public FhirClientConfigProviderWithEndpointSupport(EndpointProvider endpointProvider,
+			FhirClientConfigProvider delegate)
 	{
 		this.endpointProvider = endpointProvider;
 		this.delegate = delegate;
 	}
 
 	@Override
-	public void afterPropertiesSet() throws Exception
+	public SSLContext createDefaultSslContext()
 	{
-		Objects.requireNonNull(endpointProvider, "endpointProvider");
-		Objects.requireNonNull(delegate, "delegate");
+		return delegate.createDefaultSslContext();
 	}
 
 	@Override
-	public Optional<IGenericClient> getClient(String fhirServerId)
+	public KeyStore createDefaultTrustStore()
 	{
-		if (fhirServerId == null || fhirServerId.isBlank())
-			return Optional.empty();
-		else if (fhirServerId.startsWith("#"))
-			return getClientConfig(fhirServerId).flatMap(delegate::getClient);
-		else
-			return delegate.getClient(fhirServerId);
+		return delegate.createDefaultTrustStore();
 	}
 
 	@Override

diff --git a/...-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/service/FhirClientProviderImpl.java b/...-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/service/FhirClientProviderImpl.java
@@ -4,15 +4,12 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
-import java.util.function.Function;
-import java.util.stream.Collectors;
 
 import org.springframework.beans.factory.InitializingBean;
 
 import ca.uhn.fhir.context.FhirContext;
 import ca.uhn.fhir.rest.client.api.IGenericClient;
 import dev.dsf.bpe.v2.client.fhir.ClientConfig;
-import dev.dsf.bpe.v2.client.fhir.ClientConfigs;
 import dev.dsf.bpe.v2.client.fhir.FhirClientFactory;
 import dev.dsf.bpe.v2.config.ProxyConfig;
 
@@ -22,8 +19,8 @@ public class FhirClientProviderImpl implements FhirClientProvider, InitializingB
 	private final ProxyConfig proxyConfig;
 	private final OidcClientProvider oidcClientProvider;
 	private final String userAgent;
+	private final FhirClientConfigProvider configProvider;
 
-	private final Map<String, ClientConfig> clientConfigsByFhirServerId = new HashMap<>();
 	private final Map<String, FhirClientFactory> clientFactoriesByFhirServerId = new HashMap<>();
 
 	/**
@@ -35,20 +32,17 @@ public class FhirClientProviderImpl implements FhirClientProvider, InitializingB
 	 *            not <code>null</code>
 	 * @param userAgent
 	 *            not <code>null</code>
-	 * @param clientConfigs
-	 *            may be <code>null</code>
+	 * @param configProvider
+	 *            not <code>null</code>
 	 */
 	public FhirClientProviderImpl(FhirContext fhirContext, ProxyConfig proxyConfig,
-			OidcClientProvider oidcClientProvider, String userAgent, ClientConfigs clientConfigs)
+			OidcClientProvider oidcClientProvider, String userAgent, FhirClientConfigProvider configProvider)
 	{
 		this.fhirContext = fhirContext;
 		this.proxyConfig = proxyConfig;
 		this.oidcClientProvider = oidcClientProvider;
 		this.userAgent = userAgent;
-
-		if (clientConfigs != null)
-			clientConfigsByFhirServerId.putAll(clientConfigs.getConfigs().stream()
-					.collect(Collectors.toMap(ClientConfig::getFhirServerId, Function.identity())));
+		this.configProvider = configProvider;
 	}
 
 	@Override
@@ -58,6 +52,7 @@ public void afterPropertiesSet() throws Exception
 		Objects.requireNonNull(proxyConfig, "proxyConfig");
 		Objects.requireNonNull(oidcClientProvider, "oidcClientProvider");
 		Objects.requireNonNull(userAgent, "userAgent");
+		Objects.requireNonNull(configProvider, "configProvider");
 	}
 
 	protected Optional<IGenericClient> getClient(ClientConfig clientConfig)
@@ -82,16 +77,7 @@ protected Optional<IGenericClient> getClient(ClientConfig clientConfig)
 	@Override
 	public Optional<IGenericClient> getClient(String fhirServerId)
 	{
-		return getClientConfig(fhirServerId).flatMap(this::getClient);
-	}
-
-	@Override
-	public Optional<ClientConfig> getClientConfig(String fhirServerId)
-	{
-		if (fhirServerId == null || fhirServerId.isBlank())
-			return Optional.empty();
-
-		return Optional.ofNullable(clientConfigsByFhirServerId.get(fhirServerId));
+		return configProvider.getClientConfig(fhirServerId).flatMap(this::getClient);
 	}
 
 	protected FhirClientFactory createClientFactory(ClientConfig config)