fix problem with JOSE encryption in combination with HSM-Facade

add jUnit test for JoseUtils

12 files changed, 407 insertions, 62 deletions

diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
index 1b824ad1..dae11370 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
@@ -295,6 +295,16 @@ public class JsonSecurityUtils implements IJoseTools {
           keyStore.getFirst(), getEncryptionKeyAlias(), getEncryptionKeyPassword(), true,
           FRIENDLYNAME_KEYSTORE);
 
+      // set special provider if required
+      if (keyStore.getSecond() != null) {
+        log.trace("Injecting special Java Security Provider: {}", keyStore.getSecond().getName());
+        final ProviderContext providerCtx = new ProviderContext();
+        providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(
+            keyStore.getSecond().getName());
+        receiverJwe.setProviderContext(providerCtx);
+
+      }
+      
       // validate key from header against key from config
       final List<X509Certificate> x5cCerts = receiverJwe.getCertificateChainHeaderValue();
       final String x5t256 = receiverJwe.getX509CertSha256ThumbprintHeaderValue();
@@ -336,7 +346,7 @@ public class JsonSecurityUtils implements IJoseTools {
 
       // set key
       receiverJwe.setKey(encryptionCred.getFirst());
-
+      
       // decrypt payload
       return mapper.getMapper().readTree(receiverJwe.getPlaintextString());
 
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java
index f0557619..c95bcc45 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java
@@ -98,7 +98,11 @@ public class SL20Constants {
       KeyManagementAlgorithmIdentifiers.RSA_OAEP_256;
 
   public static final List<String> SL20_ALGORITHM_WHITELIST_KEYENCRYPTION = Collections
-      .unmodifiableList(Arrays.asList(JSON_ALGORITHM_ENC_KEY_RSAOAEP, JSON_ALGORITHM_ENC_KEY_RSAOAEP256));
+      .unmodifiableList(Arrays.asList(
+          JSON_ALGORITHM_ENC_KEY_RSAOAEP, 
+          JSON_ALGORITHM_ENC_KEY_RSAOAEP256,
+          KeyManagementAlgorithmIdentifiers.ECDH_ES_A128KW,
+          KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW));
 
   public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256 =
       ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256;
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
new file mode 100644
index 00000000..ebea35c6
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
@@ -0,0 +1,292 @@
+package at.gv.egiz.eaaf.modules.auth.sl20.utils;
+
+import java.io.IOException;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.Provider;
+import java.security.Security;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+
+import org.apache.commons.lang3.RandomStringUtils;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.jose4j.jca.ProviderContext;
+import org.jose4j.jwa.AlgorithmConstraints;
+import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
+import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
+import org.jose4j.jwe.JsonWebEncryption;
+import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
+import org.jose4j.lang.JoseException;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
+import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
+public abstract class AbstractJsonSecurityUtilsTest {
+
+  @Autowired protected DummyAuthConfigMap config;
+  @Autowired protected IJoseTools joseTools;
+  @Autowired protected EaafKeyStoreFactory keyStoreFactory;
+  
+  @BeforeClass
+  public static void classInitializer() {
+    Security.addProvider(new BouncyCastleProvider());
+    
+  }
+  
+  protected abstract void setRsaSigningKey();  
+  
+  protected abstract void setEcSigningKey();
+  
+  protected abstract void setRsaEncryptionKey();
+  
+  protected abstract void setEcEncryptionKey();
+  
+  protected abstract Pair<KeyStore, Provider> getEncryptionKeyStore() throws EaafException;
+  
+  protected abstract String getRsaKeyAlias();  
+  
+  protected abstract String getRsaKeyPassword();
+  
+  protected abstract String getEcKeyAlias();  
+  
+  protected abstract String getEcKeyPassword();
+  
+  
+  @Test
+  public void fullEncryptDecrypt() throws JoseException, EaafException { 
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+    
+    final JsonWebEncryption jwe = new JsonWebEncryption();
+    jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW);
+    jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
+    jwe.setKey(joseTools.getEncryptionCertificate().getPublicKey());
+    jwe.setX509CertSha256ThumbprintHeaderValue(joseTools.getEncryptionCertificate());
+    jwe.setPayload(payLoad);
+    
+    // set special provider if required
+    Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore();
+    if (rsaEncKeyStore.getSecond() != null) {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
+          rsaEncKeyStore.getSecond().getName());
+      jwe.setProviderContext(providerCtx);
+
+    }
+    
+    String encData = jwe.getCompactSerialization();
+    Assert.assertNotNull("JWE Encryption", encData);
+    
+    
+    JsonNode decData = joseTools.decryptPayload(encData);   
+    Assert.assertNotNull("JWE Decryption", decData);
+    
+  }
+  
+  @Test
+  public void encryptionRsa() throws JoseException, EaafException {
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+    Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore();    
+    Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+        rsaEncKeyStore.getFirst(), getRsaKeyAlias(), getRsaKeyPassword().toCharArray(), 
+        true, "jUnit RSA JWE");
+    
+    final JsonWebEncryption jwe = new JsonWebEncryption();
+    jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256);
+    jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
+    jwe.setKey(key.getSecond()[0].getPublicKey());
+    jwe.setPayload(payLoad);
+    
+    // set special provider if required
+    if (rsaEncKeyStore.getSecond() != null) {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
+          rsaEncKeyStore.getSecond().getName());
+      jwe.setProviderContext(providerCtx);
+
+    }
+    
+    String encData = jwe.getCompactSerialization();    
+    Assert.assertNotNull("JWE", encData);
+    
+    
+  }
+  
+  @Test
+  public void encryptionEc() throws JoseException, EaafException {
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+    Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore();
+    Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+        rsaEncKeyStore.getFirst(), getEcKeyAlias(), getEcKeyPassword().toCharArray(), 
+        true, "jUnit RSA JWE");
+    
+    final JsonWebEncryption jwe = new JsonWebEncryption();
+    jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW);
+    jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
+    jwe.setKey(key.getSecond()[0].getPublicKey());
+    jwe.setPayload(payLoad);
+    
+    // set special provider if required
+    if (rsaEncKeyStore.getSecond() != null) {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
+          rsaEncKeyStore.getSecond().getName());
+      jwe.setProviderContext(providerCtx);
+
+    }
+    
+    String encData = jwe.getCompactSerialization();
+    
+    Assert.assertNotNull("JWE", encData);
+    
+            
+  }
+  
+
+  @Test
+  public void noTrustedCert() throws CertificateEncodingException, KeyStoreException, 
+      JoseException, IOException, EaafException {
+    setRsaSigningKey();
+    setRsaEncryptionKey();
+    
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+        
+    String jws = joseTools.createSignature(payLoad);    
+    Assert.assertNotNull("Signed msg", jws);
+    
+    try {
+      joseTools.validateSignature(
+          jws,
+          keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigOnlyEc()).getFirst(),
+          getDefaultAlgorithmConstrains());      
+      Assert.fail("Wrong JOSE Sig not detected");
+      
+    } catch (JoseException e) {
+      Assert.assertEquals("Wrong errorCode", 
+          "Can NOT select verification key for JWS. Signature verification FAILED", 
+          e.getMessage());
+      
+    }
+  }
+  
+  @Test
+  public void invalidSignature() throws CertificateEncodingException, KeyStoreException, 
+      JoseException, IOException, EaafException {
+    setRsaSigningKey();
+    setRsaEncryptionKey();
+    
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+        
+    String jws = joseTools.createSignature(payLoad);    
+    Assert.assertNotNull("Signed msg", jws);
+    
+    String invalidJws = 
+        jws.substring(0, jws.indexOf(".") + 5) + "dd" + jws.substring(jws.indexOf(".") + 6);  
+        
+    try {
+      joseTools.validateSignature(
+          invalidJws,
+          keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(),
+          getDefaultAlgorithmConstrains());
+      Assert.fail("Wrong JOSE Sig not detected");
+      
+    } catch (JoseException e) {
+      Assert.assertEquals("Wrong errorCode", 
+          "JWS signature is invalid.", 
+          e.getMessage());
+      
+    }
+    
+  }
+  
+  @Test
+  public void validSigningRsa() throws CertificateEncodingException, KeyStoreException, 
+      JoseException, IOException, EaafException {
+    setRsaSigningKey();
+    setRsaEncryptionKey();
+    
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+        
+    String jws = joseTools.createSignature(payLoad);    
+    Assert.assertNotNull("Signed msg", jws);
+    
+    VerificationResult verify = joseTools.validateSignature(
+        jws,
+        keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(),
+        getDefaultAlgorithmConstrains());    
+    Assert.assertTrue("wrong verify state", verify.isValidSigned());
+    Assert.assertNotNull("JWS Header", verify.getJoseHeader());
+    Assert.assertNotNull("JWS Payload", verify.getPayload());
+    Assert.assertNotNull("CertChain", verify.getCertChain());
+
+    
+  }
+  
+  @Test
+  public void validSigningEc() throws CertificateEncodingException, KeyStoreException, 
+      JoseException, IOException, EaafException {
+    setEcSigningKey();
+    setEcEncryptionKey();
+    
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+        
+    String jws = joseTools.createSignature(payLoad);    
+    Assert.assertNotNull("Signed msg", jws);
+    
+    VerificationResult verify = joseTools.validateSignature(
+        jws,
+        keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(),
+        getDefaultAlgorithmConstrains());    
+    Assert.assertTrue("wrong verify state", verify.isValidSigned());
+    Assert.assertNotNull("JWS Header", verify.getJoseHeader());
+    Assert.assertNotNull("JWS Payload", verify.getPayload());
+    Assert.assertNotNull("CertChain", verify.getCertChain());
+    
+  }
+  
+  protected KeyStoreConfiguration getSigTrustStoreConfigValid() {
+    KeyStoreConfiguration trustConfig = new KeyStoreConfiguration();
+    trustConfig.setFriendlyName("jUnit TrustStore");
+    trustConfig.setKeyStoreType(KeyStoreType.JKS);
+    trustConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit.jks");
+    trustConfig.setSoftKeyStorePassword("password");
+    
+    return trustConfig;
+        
+  }
+  
+  protected KeyStoreConfiguration getSigTrustStoreConfigOnlyEc() {
+    KeyStoreConfiguration trustConfig = new KeyStoreConfiguration();
+    trustConfig.setFriendlyName("jUnit TrustStore");
+    trustConfig.setKeyStoreType(KeyStoreType.JKS);
+    trustConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit_no_rsa.jks");
+    trustConfig.setSoftKeyStorePassword("password");
+    
+    return trustConfig;
+        
+  }
+  
+  private AlgorithmConstraints getDefaultAlgorithmConstrains() {
+    return new AlgorithmConstraints(ConstraintType.WHITELIST,
+        SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING
+        .toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.size()]));
+  }
+  
+}
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
deleted file mode 100644
index 64987942..00000000
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
+++ /dev/null
@@ -1,41 +0,0 @@
-package at.gv.egiz.eaaf.modules.auth.sl20.utils;
-
-import java.security.Security;
-
-import org.apache.commons.lang3.RandomStringUtils;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
-
-import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
-
-@RunWith(SpringJUnit4ClassRunner.class)
-@ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
-public class JsonSecurityUtilsHsmKeyTest {
-
-  @Autowired private IJoseTools joseTools;
-  
-  @BeforeClass
-  public static void classInitializer() {
-    Security.addProvider(new BouncyCastleProvider());
-    
-  }
-  
-  @Test
-  public void simpleSigningTest() throws SL20Exception {
-    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
-        
-    String jws = joseTools.createSignature(payLoad);    
-    Assert.assertNotNull("Signed msg", jws);
-      
-    //VerificationResult verify = joseTools.validateSignature(jws);    
-    //Assert.assertTrue("wrong verify state", verify.isValidSigned());
-    
-  }
-  
-}
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java
index 5b8acb16..d78bdbd7 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java
@@ -1,42 +1,110 @@
 package at.gv.egiz.eaaf.modules.auth.sl20.utils;
 
-import java.security.Security;
+import java.security.KeyStore;
+import java.security.Provider;
 
 import org.apache.commons.lang3.RandomStringUtils;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.Assert;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.util.Base64Utils;
 
-import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
 
+
 @RunWith(SpringJUnit4ClassRunner.class)
 @ContextConfiguration("/spring/test_eaaf_sl20.beans.xml")
-public class JsonSecurityUtilsSoftwareKeyTest {
+public class JsonSecurityUtilsSoftwareKeyTest extends AbstractJsonSecurityUtilsTest {
 
-  @Autowired private IJoseTools joseTools;
-  
-  @BeforeClass
-  public static void classInitializer() {
-    Security.addProvider(new BouncyCastleProvider());
-    
+  @Test
+  public void invalidSignatureRandomString() {
+    try {
+      joseTools.validateSignature(RandomStringUtils.randomAlphabetic(10));
+      Assert.fail("Wrong JOSE Sig not detected");
+      
+    } catch (SL20Exception e) {
+      Assert.assertEquals("Wrong errorCode", "sl20.05", e.getErrorId());
+    }
+      
   }
   
   @Test
-  public void simpleSigningTest() throws SL20Exception {
-    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
-        
-    String jws = joseTools.createSignature(payLoad);    
-    Assert.assertNotNull("Signed msg", jws);
+  public void invalidSignatureRandomBase64UrlEncoded() {
+    String testValue = Base64Utils.encodeToUrlSafeString(RandomStringUtils.randomAlphanumeric(10).getBytes())
+        + "."
+        + Base64Utils.encodeToUrlSafeString(RandomStringUtils.randomAlphanumeric(10).getBytes())
+        + "."
+        + Base64Utils.encodeToUrlSafeString(RandomStringUtils.randomAlphanumeric(10).getBytes());
+    
+    try {     
+      joseTools.validateSignature(testValue);
+      Assert.fail("Wrong JOSE Sig not detected");
+      
+    } catch (SL20Exception e) {
+      Assert.assertEquals("Wrong errorCode", "sl20.05", e.getErrorId());
+    }
       
-    VerificationResult verify = joseTools.validateSignature(jws);    
-    Assert.assertTrue("wrong verify state", verify.isValidSigned());
+  }
+    
+  @Override
+  protected void setRsaSigningKey() {
+    config.putConfigValue("modules.sl20.security.sign.alias", "meta");
+    
+  }
+
+  @Override
+  protected void setEcSigningKey() {
+    config.putConfigValue("modules.sl20.security.sign.alias", "sig");
+    
+  }
+  
+  @Override
+  protected void setRsaEncryptionKey() {
+    config.putConfigValue("modules.sl20.security.encryption.alias", "meta");
+    
+  }
+
+  @Override
+  protected void setEcEncryptionKey() {
+    config.putConfigValue("modules.sl20.security.encryption.alias", "sig");
     
   }
+
+  @Override
+  protected Pair<KeyStore, Provider> getEncryptionKeyStore() throws EaafException {    
+    KeyStoreConfiguration keyConfig = new KeyStoreConfiguration();
+    keyConfig.setFriendlyName("Junit Enc Key Rsa");
+    keyConfig.setKeyStoreType(KeyStoreType.JKS);
+    keyConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit.jks");
+    keyConfig.setSoftKeyStorePassword("password");
+    
+    return keyStoreFactory.buildNewKeyStore(keyConfig);
+  }
+
+  @Override
+  protected String getRsaKeyAlias() {
+    return "meta";
+  }
+
+  @Override
+  protected String getRsaKeyPassword() {
+    return "password";
+  }
+
+  @Override
+  protected String getEcKeyAlias() {
+    return "sig";
+  }
+
+  @Override
+  protected String getEcKeyPassword() {
+    return "password";
+  }
   
 }
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_ec.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_ec.crt
new file mode 100644
index 00000000..ad780a21
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_ec.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIBQTCB56ADAgECAghqWvzGZbotTjAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdFQy1Sb290MB4XDTIwMDYxODA3MzYwOVoXDTI1MDYxODA3MzYwOVowOzEaMBgGA1UEAwwRaW50LWVjLWtleS0xLTAwMDExETAPBgNVBAoMCHNvZnR3YXJlMQowCAYDVQQFEwExMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMYva5n1ISLX4bZdG9ecGVNVId7OEY4Yjeu+4kk+nbppxNMj6JX5tO2iCCpgHlKC5WWTSJyxSQh3CoLzc8XLUmjAKBggqhkjOPQQDAgNJADBGAiEAiegmUzDThtinnuUwsHXwdr4Y/XUednOyIy7RBeClvyYCIQC/v5NZzg+H6FUrQ2nds2hlB6sD7z5cZPJcqm8+S0wYCw==
+-----END CERTIFICATE-----
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_rsa.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_rsa.crt
new file mode 100644
index 00000000..aa83c8d9
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_rsa.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIICDTCCAbOgAwIBAgIIVLxIFI8kRpkwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAwwHRUMtUm9vdDAeFw0yMDA2MTgwNzM2MTBaFw0yNTA2MTgwNzM2MTBaMDwxGzAZBgNVBAMMEmludC1yc2Eta2V5LTEtMDAwMTERMA8GA1UECgwIc29mdHdhcmUxCjAIBgNVBAUTATEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrM1ocQqtch95Dm21JHi0V35nlWZibsjLqR+g8ERdD1qFgun/X0I/Rbft+KxB8QsDX7UmIjXGdavNcEjY/XcbiJxUcpv7vn/2+x3JxZO6Iye/ut001okICt3OGIqP93ZEnIaTTNhDsK7OnvD/eUjlmuHiTaFq1dZLKYDQlz9jl/9F4axfrz1V7oo60iqFIW+7tlUeh8VGDUPjQpHghzjHXTJv/OIAt752K31Tn8KR3kvkn6WTPo8eOWVaPQ480Dik0e2afTPPJNZJ7BW111IwqBAOKp586yVsQ4XVEF8H64Cq+s+b4/HBboo9TDJKTJvo2yQmcTsahbH+Rlm20ifUTAgMBAAEwCgYIKoZIzj0EAwIDSAAwRQIhANKN/N2Atb5fbeHSB2Myv/JcNf9JonxFe92AOu4f62NNAiBjOEeg4OyJZKPiDl6aqYVtz1Qroo6xzUC9UVA4qNe4LA==
+-----END CERTIFICATE-----
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks
index 59e6ad13..a18df332 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.jks b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_no_rsa.jks
index b5262cb8..370cf19e 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.jks
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_no_rsa.jks
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.p12 b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.p12
deleted file mode 100644
index c3fe2681..00000000
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.p12
+++ /dev/null
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_ec.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_ec.crt
new file mode 100644
index 00000000..5311f3f1
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_ec.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIBbTCCARKgAwIBAgIEXjF+qTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJBVDENMAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcwHhcNMjAwMTI5MTI0NjMzWhcNMjcwMTI4MTI0NjMzWjA+MQswCQYDVQQGEwJBVDENMAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRt7gZRrr4rSEE7Q922oKQJF+mlkwCLZnv8ZzHtH54s4VdyQFIBjQF1PPf9PTn+5tid8QJehZPndcoeD7J8fPJMAoGCCqGSM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIhANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L
+-----END CERTIFICATE-----
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_rsa.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_rsa.crt
new file mode 100644
index 00000000..c70f5031
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_rsa.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIC+jCCAeKgAwIBAgIEXjF+fTANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJBVDENMAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxETAPBgNVBAMMCE1ldGFkYXRhMB4XDTIwMDEyOTEyNDU0OVoXDTI2MDEyODEyNDU0OVowPzELMAkGA1UEBhMCQVQxDTALBgNVBAcMBEVHSVoxDjAMBgNVBAoMBWpVbml0MREwDwYDVQQDDAhNZXRhZGF0YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK230G3dxNbNlSYAO5Kx/Js0aBAgxMt7q9m+dA35fK/dOvF/GjrqjWsMCnax+no9gLnq6x0gXiJclz6Hrp/YDOfLrJjMpNL/r0FWT947vbnEj7eT8TdY5d6Yi8AZulZmjiCI5nbZh2zwrP4+WqRroLoPhXQj8mDyp26M4xHBBUhLMRc2HV4S+XH4uNZ/vTmb8vBg31XGHCY33gl7/KA54JNGxJdN8Dxv6yHYsm91ZfVrX39W0iYLUNhUCkolwuQmjDVfrExM8BTLIONbf+erJoCm3A9ghZyDYRQ/e69/UEUqDa6XOzykr88INkQscEiAXCDS+EBPMpKo+t3lPIA9r7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh/2mg4S03bdZy1OVtEAudBT9YZb9OF34hxPtNbkB/V04wSIg1d4TBr5KDhV7CdiUOxPZzHpS8LUCgfGX306FB6NXzh/b67uTOPaE72AB4VIT/Np0fsM7k5WhG9k9NoprIGiqCz2lXcfpZiT+LtSO1vWSYI87wR9KOSWjcw/5i5qZIAJuwvLCQj5JtUsmrhHK75222J3TJf4dS/gfN4xfY2rW9vcXtH6//8WdWp/zx9V7Z1ZsDb8TDKtBCEGuFDgVeU5ScKtVq8qRoUKD3Ve76cZipurO3KrRrVAuZP2EfLkZdHEHqe8GPigNnZ5kTn8V2VJ3iRAQ73hpJRR98tFd0A==
+-----END CERTIFICATE-----