diff --git a/patterns/New_Automatic_Trust_Store_ac2b3d6517982bc176f80c96.yml b/patterns/New_Automatic_Trust_Store_ac2b3d6517982bc176f80c96.yml
new file mode 100644
index 0000000..c16944b
--- /dev/null
+++ b/patterns/New_Automatic_Trust_Store_ac2b3d6517982bc176f80c96.yml
@@ -0,0 +1,7 @@
+schemaVersion: "1.0"
+pattern:
+ id: "ac2b3d6517982bc176f80c96"
+ className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.AutomaticTrustStoreProvider"
+ name: "New Automatic Trust Store"
+ properties:
+ truststoreFile: "res://ac2b3d6517982bc176f80c96#truststoreFile"
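Review bot: The truststoreFile resource this pattern points at is populated with two PEM files whose names suggest the ISRG Root X1 root and the R10 intermediate; placing an intermediate directly in a trust store means backend chains issued under it validate only until that intermediate expires or is rotated, which happens far more often than for a root. If the root alone is sufficient (it is when the backend serves its full chain) the intermediate is redundant, and if it was added because some backend omits its intermediate, that dependency is worth recording next to the pattern, e.g. `# truststoreFile: ISRG Root X1 (+ R10 intermediate for <backend>) — review before <intermediate expiry>` with the date taken from the certificate. The certificate contents are not shown here, so this is based on the file names only.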
diff --git a/patterns/ac2b3d6517982bc176f80c96_truststoreFile/ISRG-Root-X1.pem b/patterns/ac2b3d6517982bc176f80c96_truststoreFile/ISRG-Root-X1.pem
new file mode 100644
index 0000000..30aa936
--- /dev/null
+++ b/patterns/ac2b3d6517982bc176f80c96_truststoreFile/ISRG-Root-X1.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/patterns/ac2b3d6517982bc176f80c96_truststoreFile/ISRG-Root-X1_R10.pem b/patterns/ac2b3d6517982bc176f80c96_truststoreFile/ISRG-Root-X1_R10.pem
new file mode 100644
index 0000000..df09da6
--- /dev/null
+++ b/patterns/ac2b3d6517982bc176f80c96_truststoreFile/ISRG-Root-X1_R10.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/patterns/db89acad30d11cbc950a87c7_script/addUserIdAndLanguage.lua b/patterns/db89acad30d11cbc950a87c7_script/addUserIdAndLanguage.lua
index 7989f6e..9fdd1bc 100644
--- a/patterns/db89acad30d11cbc950a87c7_script/addUserIdAndLanguage.lua
+++ b/patterns/db89acad30d11cbc950a87c7_script/addUserIdAndLanguage.lua
@@ -22,7 +22,10 @@ function inputHeader(request, response)
local jwtHandler = nevis.util.jwt.new()
local publickey = param_auth_signer_key:gsub("
", "\n")
- trace:debug("publickey: '" .. publickey .. "'")
+ trace:debug("public key: '" .. publickey .. "'")
+
+ local newPublickey = param_auth_signer_new_key:gsub("
", "\n")
+ trace:debug("new public key: '" .. newPublickey .. "'")
local base64 = nevis.crypto.base64.new()
token = base64:decode(token)
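Review bot: `param_auth_signer_new_key` is dereferenced unconditionally in the added `gsub` call, so an inventory that does not define the new variable would raise a nil-index error here (assuming nevisProxy exposes undefined parameters as nil — worth confirming) and the request handler aborts before the JWT verification in the next hunk runs; the existing `param_auth_signer_key` line has the same shape, but that variable predates this change. Defaulting to the sentinel the next hunk already tests for keeps the no-rotation case working: `local newPublickey = (param_auth_signer_new_key or "none"):gsub(...)` with the same replacement arguments as the line above. inputHeader starts before this hunk.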
@@ -30,6 +33,11 @@ function inputHeader(request, response)
local verified = jwtHandler:verifySignature(token, "rs256", publickey)
+ if not verified and newPublickey ~= "none" then
+ trace:notice("AGOV: Check key rotation, using new public key to validate JWT token")
+ verified = jwtHandler:verifySignature(token, "rs256", newPublickey)
+ end
+
if not verified then
trace:error("Blocking request: Invalid JWT : '" .. token .. "'")
response:setBody("Blocking request: Invalid JWT")
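Review bot: The literal "none" that disables the fallback is an undocumented sentinel shared with variables.yml, and an empty value passes the added check and is handed to verifySignature as a key; tightening the guard and naming the contract makes the rotation window reviewable: `-- "none" (the variables.yml default) disables the fallback; never try an empty key` followed by `if not verified and newPublickey ~= "none" and newPublickey ~= "" then`. The notice on the second added line fires for every token the primary key rejects, including malformed ones, not only during a rotation; logging at debug, or only when the second verification actually succeeds, keeps the signal meaningful since the existing error branch already reports the final failure. inputHeader begins and ends outside this hunk.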
diff --git a/patterns/nevisAuth_7022472ae407577ae604bbb8.yml b/patterns/nevisAuth_7022472ae407577ae604bbb8.yml
index 786a54c..547bd4f 100644
--- a/patterns/nevisAuth_7022472ae407577ae604bbb8.yml
+++ b/patterns/nevisAuth_7022472ae407577ae604bbb8.yml
@@ -12,6 +12,8 @@ pattern:
- "pattern://b7b59e97b3fd18bb60178573"
frontendTrustStore:
- "pattern://c0722fc79e7314c9cdcd20ff"
+ backendTrustStore:
+ - "pattern://ac2b3d6517982bc176f80c96"
signerKeyStore:
- "pattern://aeb2fed9962dcd5f7893db51"
addons:
diff --git a/variables.yml b/variables.yml
index 826bfcf..f247ec0 100644
--- a/variables.yml
+++ b/variables.yml
@@ -852,6 +852,7 @@ variables:
switchedSeparators: []
value:
- param_auth_signer_key: "keyvalue
anotherline"
+ - param_auth_signer_new_key: "keyvalue
anotherline"
requireOverloading: true
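Review bot: The new `param_auth_signer_new_key` entry carries the same placeholder as the primary key, while its Lua consumer treats the literal string "none" as "no rotation in progress" and any other value as a second RS256 verification key; with `requireOverloading: true` (which appears to apply to this variable) every inventory must now set it, and one that copies the placeholder or leaves it empty would have that value tried as a verification key. Stating the contract on the variable, e.g. `# Set to "none" outside a key-rotation window; any other value is accepted as a second RS256 verification key`, makes the intended use explicit to whoever fills in the inventories.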
recovery_pdf_generation-backend-address:
className: "ch.nevis.admin.v4.plugin.base.generation.property.URLProperty"