add new pendingRequestId generation-strategy that uses authenticated-encryption protect the internal pendingRequesttId

6 files changed, 579 insertions, 1 deletions

diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/impl/utils/test/AuthenticatedEncryptionPendingRequestIdGenerationStrategyTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/impl/utils/test/AuthenticatedEncryptionPendingRequestIdGenerationStrategyTest.java
new file mode 100644
index 00000000..34f4a3b1
--- /dev/null
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/impl/utils/test/AuthenticatedEncryptionPendingRequestIdGenerationStrategyTest.java
@@ -0,0 +1,484 @@
+package at.gv.egiz.eaaf.core.impl.utils.test;
+
+import java.io.UnsupportedEncodingException;
+import java.security.Provider;
+import java.util.Base64;
+
+import javax.crypto.SecretKey;
+
+import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.joda.time.DateTime;
+import org.joda.time.ReadableInstant;
+import org.joda.time.format.DateTimeFormat;
+import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
+import org.jose4j.jwe.JsonWebEncryption;
+import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
+import org.jose4j.lang.JoseException;
+import org.junit.Assert;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.exceptions.PendingReqIdValidationException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.SymmetricKeyConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.SymmetricKeyConfiguration.SymmetricKeyType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.utils.AuthenticatedEncryptionPendingRequestIdGenerationStrategy;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration("/spring/test_eaaf_pvp_not_lazy.beans.xml")
+public class AuthenticatedEncryptionPendingRequestIdGenerationStrategyTest {
+
+  @Autowired private EaafKeyStoreFactory keyStoreFactory;
+  @Autowired private AuthenticatedEncryptionPendingRequestIdGenerationStrategy pendingIdStrategy;
+  
+  
+  @Test
+  public void generatePendingRequestId() throws EaafException {  
+    String pendingId = pendingIdStrategy.generateExternalPendingRequestId();        
+    Assert.assertNotNull("pendingId", pendingId);
+    
+  }
+  
+  @Test
+  public void validatePendingRequestId() throws EaafException {  
+    String extPendingId = pendingIdStrategy.generateExternalPendingRequestId();        
+    Assert.assertNotNull("external pendingId", extPendingId);
+    
+    
+    String pendingId = pendingIdStrategy.validateAndGetPendingRequestId(extPendingId);
+    Assert.assertNotNull("internal pendingId", pendingId);
+    
+    String pendingId2 = pendingIdStrategy.getPendingRequestIdWithOutChecks(extPendingId);
+    Assert.assertNotNull("internal pendingId", pendingId2);
+    
+    Assert.assertEquals("pendingId not match", pendingId, pendingId2);
+    
+  }
+  
+  @Test
+  public void nullPendingRequestId() {    
+    try {
+      pendingIdStrategy.validateAndGetPendingRequestId(null);
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, PendingReqId is 'null' or empty]", 
+          e.getMessage());
+      
+    }    
+  }
+  
+  @Test
+  public void emptyPendingRequestId() {    
+    try {
+      pendingIdStrategy.validateAndGetPendingRequestId(StringUtils.EMPTY);
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, PendingReqId is 'null' or empty]", 
+          e.getMessage());
+      
+    }    
+  }
+  
+  @Test
+  public void noBase64UrlPendingRequestId() {    
+    try {
+      pendingIdStrategy.validateAndGetPendingRequestId(RandomStringUtils.randomAlphanumeric(25));
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, "
+          + "PendingReqId is NOT a valid String]", 
+          e.getMessage());
+      
+    }    
+  }
+  
+  @Test
+  public void toLongBase64UrlPendingRequestId() {    
+    try {
+      pendingIdStrategy.validateAndGetPendingRequestId(Base64.getUrlEncoder()
+          .encodeToString(RandomStringUtils.randomAlphanumeric(1100).getBytes()));
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, "
+          + "pendingReqId exceeds max.size: 1024]", 
+          e.getMessage());
+      
+    }    
+  }
+  
+  @Test
+  public void wrongFormat() throws EaafException, JoseException, UnsupportedEncodingException {
+    String payLoad = RandomStringUtils.randomAlphanumeric(25);
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "pendingReqIdSecret");
+    
+    try {
+      pendingIdStrategy.validateAndGetPendingRequestId(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, "
+          + "PendingReqId has an unvalid format]", 
+          e.getMessage());
+      
+    }    
+  }
+
+  @Test
+  public void wrongFormatToLong() throws EaafException, JoseException, UnsupportedEncodingException {
+    String payLoad = RandomStringUtils.randomAlphanumeric(25) + "|"
+        + RandomStringUtils.randomAlphanumeric(25) + "|" + "aabbcc";
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "pendingReqIdSecret");
+    
+    try {
+      pendingIdStrategy.validateAndGetPendingRequestId(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, "
+          + "PendingReqId has an unvalid format]", 
+          e.getMessage());
+      
+    }    
+  }
+  
+  @Test
+  public void wrongFormatNoDate() throws EaafException, JoseException, UnsupportedEncodingException {
+    String payLoad = RandomStringUtils.randomAlphanumeric(25) + "|"
+        + RandomStringUtils.randomAlphanumeric(25);
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "pendingReqIdSecret");
+    
+    try {
+      pendingIdStrategy.validateAndGetPendingRequestId(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, "
+          + "PendingReqId is NOT a valid String]", 
+          e.getMessage());
+      
+    }    
+  }
+  
+  @Test
+  public void wrongFormatWrongDate() throws EaafException, JoseException, UnsupportedEncodingException {
+    String payLoad = "2020-01-01 12:01:55 111" + "|"
+        + RandomStringUtils.randomAlphanumeric(25);
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "pendingReqIdSecret");
+    
+    try {
+      pendingIdStrategy.validateAndGetPendingRequestId(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNotNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());      
+      Assert.assertTrue("Wrong errorMsg", e.getMessage().contains("PendingRequestId exceeds the valid period")); 
+      
+    }    
+  }
+ 
+  @Test
+  public void wrongFormatNotValidation() throws EaafException, JoseException, UnsupportedEncodingException {
+    String payLoad = RandomStringUtils.randomAlphanumeric(25);
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "pendingReqIdSecret");
+    
+    try {
+      pendingIdStrategy.getPendingRequestIdWithOutChecks(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, "
+          + "PendingReqId has an unvalid format]", 
+          e.getMessage());
+      
+    }    
+  }
+
+  @Test
+  public void wrongFormatToLongNotValidation() throws EaafException, JoseException, UnsupportedEncodingException {
+    String payLoad = RandomStringUtils.randomAlphanumeric(25) + "|"
+        + RandomStringUtils.randomAlphanumeric(25) + "|" + "aabbcc";
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "pendingReqIdSecret");
+    
+    try {
+      pendingIdStrategy.getPendingRequestIdWithOutChecks(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, "
+          + "PendingReqId has an unvalid format]", 
+          e.getMessage());
+      
+    }    
+  }
+  
+  @Test
+  public void wrongFormatNoDateNotValidation() throws EaafException, JoseException, UnsupportedEncodingException {
+    String payLoad = RandomStringUtils.randomAlphanumeric(25) + "|"
+        + RandomStringUtils.randomAlphanumeric(25);
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "pendingReqIdSecret");
+    
+
+    String intPendingId = pendingIdStrategy.getPendingRequestIdWithOutChecks(Base64.getUrlEncoder()
+        .encodeToString(extPendingId.getBytes()));
+    Assert.assertNotNull("Int PendingId", intPendingId);
+   
+  }
+  
+  @Test
+  public void wrongFormatWrongDateNotValidation() throws EaafException, JoseException, UnsupportedEncodingException {
+    String payLoad = "2020-01-01 12:01:55 111" + "|"
+        + RandomStringUtils.randomAlphanumeric(25);
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "pendingReqIdSecret");
+    
+
+    String intPendingId = pendingIdStrategy.getPendingRequestIdWithOutChecks(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+    Assert.assertNotNull("Int PendingId", intPendingId);
+      
+    
+  }
+  
+  @Test
+  public void validFormat() throws EaafException, JoseException, UnsupportedEncodingException {    
+    String intId = RandomStringUtils.randomAlphanumeric(25);
+    ReadableInstant now = DateTime.now();
+    String payLoad =  DateTimeFormat.forPattern("yyyy-MM-dd HH:mm:ss SSS").print(now) 
+        + "|" + intId;
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "pendingReqIdSecret");
+    
+
+    String intPendingId = pendingIdStrategy.getPendingRequestIdWithOutChecks(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+    Assert.assertNotNull("Int PendingId", intPendingId);
+    Assert.assertEquals("pendingId not match", intId, intPendingId);
+    
+  }
+  
+  @Test
+  public void validFormatNotValidation() throws EaafException, JoseException, UnsupportedEncodingException {
+    String intId = RandomStringUtils.randomAlphanumeric(25);
+    String payLoad =  "2020-01-01 12:01:55 111" 
+        + "|" + intId;
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "pendingReqIdSecret");
+    
+    String intPendingId = pendingIdStrategy.getPendingRequestIdWithOutChecks(Base64.getUrlEncoder()
+        .encodeToString(extPendingId.getBytes()));
+    Assert.assertNotNull("Int PendingId", intPendingId);
+    
+  }
+  
+  @Test
+  public void validFormatWrongDateNotValidation() throws EaafException, JoseException, UnsupportedEncodingException {
+    String intId = RandomStringUtils.randomAlphanumeric(25);
+    String payLoad = "2020-01-01 12:01:55 111" + "|"
+        + intId;
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "pendingReqIdSecret");
+    
+
+    String intPendingId = pendingIdStrategy.getPendingRequestIdWithOutChecks(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+    Assert.assertNotNull("Int PendingId", intPendingId);
+    Assert.assertEquals("pendingId not match", intId, intPendingId);
+      
+    
+  }
+  
+  @Test
+  public void wrongEncrypted() throws EaafException, JoseException, UnsupportedEncodingException {
+    String payLoad = RandomStringUtils.randomAlphanumeric(25);
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.DIRECT,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
+        "wrongPassword");
+    
+    try {
+      pendingIdStrategy.validateAndGetPendingRequestId(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, "
+          + "PendingReqId is NOT a valid encrypted]", 
+          e.getMessage());
+      
+    }    
+  }
+  
+  @Ignore
+  @Test
+  public void wrongEncryptionAlg() throws EaafException, JoseException, UnsupportedEncodingException {
+    String payLoad = RandomStringUtils.randomAlphanumeric(25);
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.A256KW,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256,
+        "pendingReqIdSecret");
+    
+    try {
+      pendingIdStrategy.validateAndGetPendingRequestId(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, "
+          + "PendingReqId has an unvalid format]", 
+          e.getMessage());
+      
+    }    
+  }
+  
+  @Ignore
+  @Test
+  public void wrongKeyEncAlg() throws EaafException, JoseException, UnsupportedEncodingException {
+    String payLoad = RandomStringUtils.randomAlphanumeric(25);
+    
+    String extPendingId = generateEncryptedPendingId(payLoad,
+        KeyManagementAlgorithmIdentifiers.A128KW,
+        ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256,
+        "pendingReqIdSecret");
+    
+    try {
+      pendingIdStrategy.validateAndGetPendingRequestId(Base64.getUrlEncoder()
+          .encodeToString(extPendingId.getBytes()));
+      Assert.fail("Wrong pendingId not detected");
+      
+    } catch (PendingReqIdValidationException e) {
+      Assert.assertNull("internal pendingReqId", e.getInvalidInternalPendingReqId());
+      Assert.assertNull("internal pendingReq", e.getInvalidPendingReq());
+      Assert.assertEquals("Wrong errorId", "process.99", e.getErrorId());
+      Assert.assertEquals("Wrong errorMsg", 
+          "No StatusMessager-Backend available! StatusCode:process.99 Params:[null, "
+          + "PendingReqId is NOT a valid String]", 
+          e.getMessage());
+      
+    }    
+  }
+  
+  private String generateEncryptedPendingId(String payLoad, String direct, String aes128Gcm, String softKeyPassphrase) 
+      throws EaafException, JoseException, UnsupportedEncodingException {    
+    SymmetricKeyConfiguration config = new SymmetricKeyConfiguration();
+    config.setFriendlyName("jUnit");
+    config.setKeyType(SymmetricKeyType.PASSPHRASE);
+    config.setSoftKeySalt("notRequiredInThisScenario");
+    config.setSoftKeyPassphrase(softKeyPassphrase);
+    Pair<SecretKey, Provider> key = keyStoreFactory.buildNewSymmetricKey(config);
+    
+    JsonWebEncryption encToken = new JsonWebEncryption();     
+    encToken.setAlgorithmHeaderValue(direct);
+    encToken.setEncryptionMethodHeaderParameter(aes128Gcm);    
+    encToken.setKey(key.getFirst());
+    encToken.setPayload(payLoad);
+    
+    return encToken.getCompactSerialization();
+    
+  }
+  
+}
diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/impl/utils/test/AuthenticatedEncryptionPendingRequestIdGenerationStrategyWithHsmTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/impl/utils/test/AuthenticatedEncryptionPendingRequestIdGenerationStrategyWithHsmTest.java
new file mode 100644
index 00000000..95a2b7a7
--- /dev/null
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/impl/utils/test/AuthenticatedEncryptionPendingRequestIdGenerationStrategyWithHsmTest.java
@@ -0,0 +1,42 @@
+package at.gv.egiz.eaaf.core.impl.utils.test;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.utils.AuthenticatedEncryptionPendingRequestIdGenerationStrategy;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration("/spring/test_eaaf_pvp_not_lazy_with_hsm.beans.xml")
+public class AuthenticatedEncryptionPendingRequestIdGenerationStrategyWithHsmTest {
+
+  @Autowired private AuthenticatedEncryptionPendingRequestIdGenerationStrategy pendingIdStrategy;
+  
+  @Test
+  public void generatePendingRequestId() throws EaafException {  
+    String pendingId = pendingIdStrategy.generateExternalPendingRequestId();        
+    Assert.assertNotNull("pendingId", pendingId);
+    
+  }
+  
+  @Test
+  public void validatePendingRequestId() throws EaafException {  
+    String extPendingId = pendingIdStrategy.generateExternalPendingRequestId();        
+    Assert.assertNotNull("external pendingId", extPendingId);
+    
+    
+    String pendingId = pendingIdStrategy.validateAndGetPendingRequestId(extPendingId);
+    Assert.assertNotNull("internal pendingId", pendingId);
+    
+    String pendingId2 = pendingIdStrategy.getPendingRequestIdWithOutChecks(extPendingId);
+    Assert.assertNotNull("internal pendingId", pendingId2);
+    
+    Assert.assertEquals("pendingId not match", pendingId, pendingId2);
+    
+  }
+  
+}
diff --git a/eaaf_core_utils/src/test/resources/data/config1.properties b/eaaf_core_utils/src/test/resources/data/config1.properties
index 6192002e..12209d21 100644
--- a/eaaf_core_utils/src/test/resources/data/config1.properties
+++ b/eaaf_core_utils/src/test/resources/data/config1.properties
@@ -6,4 +6,10 @@ security.hsmfacade.password=supersecret123
 
 client.http.connection.timeout.socket=2
 client.http.connection.timeout.connection=2
-client.http.connection.timeout.request=2
\ No newline at end of file
+client.http.connection.timeout.request=2
+
+core.pendingrequestid.maxlifetime=180
+core.pendingrequestid.digist.type=passphrase
+core.pendingrequestid.digist.secret=pendingReqIdSecret
+core.pendingrequestid.digist.keystore.name=
+core.pendingrequestid.digist.key.alias=
\ No newline at end of file
diff --git a/eaaf_core_utils/src/test/resources/data/config2.properties b/eaaf_core_utils/src/test/resources/data/config2.properties
new file mode 100644
index 00000000..3a1194b4
--- /dev/null
+++ b/eaaf_core_utils/src/test/resources/data/config2.properties
@@ -0,0 +1,15 @@
+security.hsmfacade.host=eid.a-sit.at
+security.hsmfacade.port=9050
+security.hsmfacade.trustedsslcert=src/test/resources/data/hsm_facade_trust_root.crt
+security.hsmfacade.username=authhandler-junit
+security.hsmfacade.password=supersecret123
+
+client.http.connection.timeout.socket=2
+client.http.connection.timeout.connection=2
+client.http.connection.timeout.request=2
+
+core.pendingrequestid.maxlifetime=180
+core.pendingrequestid.digist.type=hsmfacade
+core.pendingrequestid.digist.secret=pendingReqIdSecret
+core.pendingrequestid.digist.keystore.name=authhandler
+core.pendingrequestid.digist.key.alias=aes-key-1
\ No newline at end of file
diff --git a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml
index dc520086..92dd5928 100644
--- a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml
+++ b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml
@@ -16,6 +16,11 @@
     <constructor-arg value="/data/config1.properties" />
   </bean>
 
+  <bean id="encrytedTokenGenerationStrategy"
+        class="at.gv.egiz.eaaf.core.impl.utils.AuthenticatedEncryptionPendingRequestIdGenerationStrategy" />
+    
+
+
   <import resource="classpath:/spring/eaaf_utils.beans.xml"/>
  
 </beans>
\ No newline at end of file
diff --git a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy_with_hsm.beans.xml b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy_with_hsm.beans.xml
new file mode 100644
index 00000000..0f235e29
--- /dev/null
+++ b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy_with_hsm.beans.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xmlns:context="http://www.springframework.org/schema/context"
+  xmlns:tx="http://www.springframework.org/schema/tx"
+  xmlns:aop="http://www.springframework.org/schema/aop"
+  xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
+    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"
+  default-lazy-init="true">
+
+  <bean id="dummyAuthConfigMap"
+        class="at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap">
+    <constructor-arg value="/data/config2.properties" />
+  </bean>
+
+  <bean id="encrytedTokenGenerationStrategy"
+        class="at.gv.egiz.eaaf.core.impl.utils.AuthenticatedEncryptionPendingRequestIdGenerationStrategy" />
+    
+
+
+  <import resource="classpath:/spring/eaaf_utils.beans.xml"/>
+ 
+</beans>
\ No newline at end of file