diff options
author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-05-05 12:28:28 +0200 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-05-05 12:28:28 +0200 |
commit | 49cb8adfd8992dc8d21ff208d8dd93e0592e1be4 (patch) | |
tree | 7631ccdd3ce61754e7b24a8ec7be7cf9281ff37d /eaaf_core_utils | |
parent | f7941c2004a157023f1f89ef2d3c9de75548d73e (diff) | |
download | EAAF-Components-49cb8adfd8992dc8d21ff208d8dd93e0592e1be4.tar.gz EAAF-Components-49cb8adfd8992dc8d21ff208d8dd93e0592e1be4.tar.bz2 EAAF-Components-49cb8adfd8992dc8d21ff208d8dd93e0592e1be4.zip |
first tests for SSL Client Auth. with HSM-Facade
Diffstat (limited to 'eaaf_core_utils')
6 files changed, 70 insertions, 11 deletions
diff --git a/eaaf_core_utils/pom.xml b/eaaf_core_utils/pom.xml index 13df6c1e..d933e309 100644 --- a/eaaf_core_utils/pom.xml +++ b/eaaf_core_utils/pom.xml @@ -48,6 +48,10 @@ <dependency> <groupId>io.grpc</groupId> <artifactId>grpc-core</artifactId> + </dependency> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bctls-jdk15on</artifactId> </dependency> <dependency> diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java index 06b8dfd2..b357bb01 100644 --- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java +++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java @@ -23,6 +23,7 @@ import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.Provider; +import java.security.Security; import java.security.UnrecoverableKeyException; import javax.annotation.Nonnull; @@ -35,6 +36,7 @@ import org.apache.http.conn.ssl.TrustAllStrategy; import org.apache.http.ssl.SSLContextBuilder; import org.apache.http.ssl.SSLContexts; import org.apache.http.ssl.TrustStrategy; +import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException; @@ -166,8 +168,16 @@ public class HttpUtils { : keyPasswordString.toCharArray(); SSLContextBuilder sslContextBuilder = SSLContexts.custom(); - Provider provider = null; - sslContextBuilder.setProvider(provider); + if (keyStore.getSecond() != null) { + Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond()); + + log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext", + friendlyName, provider.getName()); + sslContextBuilder.setProvider(provider); + Security.addProvider(provider); + //sslContextBuilder.setSecureRandom(SecureRandom.getInstanceStrong()); + + } if (StringUtils.isNotEmpty(keyAlias)) { sslContextBuilder = sslContextBuilder .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias)); diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java index 84c0b12c..140c74f5 100644 --- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java +++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java @@ -28,7 +28,6 @@ import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.http.HttpClientConfiguration; import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; -import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap; import okhttp3.HttpUrl; import okhttp3.mockwebserver.MockResponse; import okhttp3.mockwebserver.MockWebServer; @@ -42,7 +41,6 @@ public class HttpClientFactoryTest { @Autowired private EaafKeyStoreFactory keyStoreFactory; @Autowired private IHttpClientFactory httpClientFactory; - @Autowired private DummyAuthConfigMap config; private MockWebServer mockWebServer = null; private HttpUrl mockServerUrl; @@ -53,11 +51,6 @@ public class HttpClientFactoryTest { */ @Before public void setup() { - config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, ""); - config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, ""); - config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, ""); - config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, ""); - config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, ""); } @@ -335,4 +328,49 @@ public class HttpClientFactoryTest { Assert.assertEquals("http statusCode", 200, httpResp2.getStatusLine().getStatusCode()); } + + @Test + public void getCustomClientX509AuthWithHsmFacade() throws EaafException, ClientProtocolException, + IOException, KeyStoreException { + final HttpClientConfiguration config = new HttpClientConfiguration("jUnit"); + config.setAuthMode("ssl"); + config.buildKeyStoreConfig( + "hsmfacade", + null, + null, + "authhandler"); + config.setSslKeyPassword("password"); + config.setSslKeyAlias("authhandler-sign"); + config.setDisableTlsHostCertificateValidation(true); + + final CloseableHttpClient client = httpClientFactory.getHttpClient(config); + Assert.assertNotNull("httpClient", client); + + //set-up mock-up web-server with SSL client authentication + final Pair<KeyStore, Provider> sslClientKeyStore = + keyStoreFactory.buildNewKeyStore(config.getKeyStoreConfig()); + final String localhost = InetAddress.getByName("localhost").getCanonicalHostName(); + final HeldCertificate localhostCertificate = new HeldCertificate.Builder() + .addSubjectAlternativeName(localhost) + .build(); + X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst() + .getCertificateChain(config.getSslKeyAlias())[1]; + + final HandshakeCertificates serverCertificates = new HandshakeCertificates.Builder() + .addTrustedCertificate(clientRootCert) + .heldCertificate(localhostCertificate) + .build(); + mockWebServer = new MockWebServer(); + mockWebServer.useHttps(serverCertificates.sslSocketFactory(), false); + mockWebServer.requireClientAuth(); + mockWebServer.enqueue(new MockResponse().setResponseCode(200) + .setBody("Successful auth!")); + mockServerUrl = mockWebServer.url("/sp/junit"); + + //perform test request + final HttpUriRequest httpGet2 = new HttpGet(mockServerUrl.url().toString()); + final CloseableHttpResponse httpResp2 = client.execute(httpGet2); + Assert.assertEquals("http statusCode", 200, httpResp2.getStatusLine().getStatusCode()); + + } } diff --git a/eaaf_core_utils/src/test/resources/data/config1.properties b/eaaf_core_utils/src/test/resources/data/config1.properties new file mode 100644 index 00000000..25bd201f --- /dev/null +++ b/eaaf_core_utils/src/test/resources/data/config1.properties @@ -0,0 +1,5 @@ +security.hsmfacade.host=eid.a-sit.at +security.hsmfacade.port=9050 +security.hsmfacade.trustedsslcert=src/test/resources/data/hsm_facade_trust_root.crt +security.hsmfacade.username=authhandler-junit +security.hsmfacade.password=supersecret123
\ No newline at end of file diff --git a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml index 210b88be..4af34b51 100644 --- a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml +++ b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml @@ -13,7 +13,7 @@ <bean id="dummyAuthConfigMap" class="at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap" /> - + <bean id="eaafKeyStoreFactory" class="at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory" /> diff --git a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml index 402e07f9..dc520086 100644 --- a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml +++ b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml @@ -12,7 +12,9 @@ default-lazy-init="true"> <bean id="dummyAuthConfigMap" - class="at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap" /> + class="at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap"> + <constructor-arg value="/data/config1.properties" /> + </bean> <import resource="classpath:/spring/eaaf_utils.beans.xml"/> |