summaryrefslogtreecommitdiff
path: root/eaaf_core_utils
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-05-05 12:28:28 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-05-05 12:28:28 +0200
commit49cb8adfd8992dc8d21ff208d8dd93e0592e1be4 (patch)
tree7631ccdd3ce61754e7b24a8ec7be7cf9281ff37d /eaaf_core_utils
parentf7941c2004a157023f1f89ef2d3c9de75548d73e (diff)
downloadEAAF-Components-49cb8adfd8992dc8d21ff208d8dd93e0592e1be4.tar.gz
EAAF-Components-49cb8adfd8992dc8d21ff208d8dd93e0592e1be4.tar.bz2
EAAF-Components-49cb8adfd8992dc8d21ff208d8dd93e0592e1be4.zip
first tests for SSL Client Auth. with HSM-Facade
Diffstat (limited to 'eaaf_core_utils')
-rw-r--r--eaaf_core_utils/pom.xml4
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java14
-rw-r--r--eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java52
-rw-r--r--eaaf_core_utils/src/test/resources/data/config1.properties5
-rw-r--r--eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml2
-rw-r--r--eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml4
6 files changed, 70 insertions, 11 deletions
diff --git a/eaaf_core_utils/pom.xml b/eaaf_core_utils/pom.xml
index 13df6c1e..d933e309 100644
--- a/eaaf_core_utils/pom.xml
+++ b/eaaf_core_utils/pom.xml
@@ -48,6 +48,10 @@
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-core</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bctls-jdk15on</artifactId>
</dependency>
<dependency>
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
index 06b8dfd2..b357bb01 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
@@ -23,6 +23,7 @@ import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
+import java.security.Security;
import java.security.UnrecoverableKeyException;
import javax.annotation.Nonnull;
@@ -35,6 +36,7 @@ import org.apache.http.conn.ssl.TrustAllStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
+import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException;
@@ -166,8 +168,16 @@ public class HttpUtils {
: keyPasswordString.toCharArray();
SSLContextBuilder sslContextBuilder = SSLContexts.custom();
- Provider provider = null;
- sslContextBuilder.setProvider(provider);
+ if (keyStore.getSecond() != null) {
+ Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond());
+
+ log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext",
+ friendlyName, provider.getName());
+ sslContextBuilder.setProvider(provider);
+ Security.addProvider(provider);
+ //sslContextBuilder.setSecureRandom(SecureRandom.getInstanceStrong());
+
+ }
if (StringUtils.isNotEmpty(keyAlias)) {
sslContextBuilder = sslContextBuilder
.loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias));
diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
index 84c0b12c..140c74f5 100644
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
@@ -28,7 +28,6 @@ import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.impl.http.HttpClientConfiguration;
import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory;
-import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
import okhttp3.HttpUrl;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
@@ -42,7 +41,6 @@ public class HttpClientFactoryTest {
@Autowired private EaafKeyStoreFactory keyStoreFactory;
@Autowired private IHttpClientFactory httpClientFactory;
- @Autowired private DummyAuthConfigMap config;
private MockWebServer mockWebServer = null;
private HttpUrl mockServerUrl;
@@ -53,11 +51,6 @@ public class HttpClientFactoryTest {
*/
@Before
public void setup() {
- config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, "");
- config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, "");
- config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, "");
- config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, "");
- config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, "");
}
@@ -335,4 +328,49 @@ public class HttpClientFactoryTest {
Assert.assertEquals("http statusCode", 200, httpResp2.getStatusLine().getStatusCode());
}
+
+ @Test
+ public void getCustomClientX509AuthWithHsmFacade() throws EaafException, ClientProtocolException,
+ IOException, KeyStoreException {
+ final HttpClientConfiguration config = new HttpClientConfiguration("jUnit");
+ config.setAuthMode("ssl");
+ config.buildKeyStoreConfig(
+ "hsmfacade",
+ null,
+ null,
+ "authhandler");
+ config.setSslKeyPassword("password");
+ config.setSslKeyAlias("authhandler-sign");
+ config.setDisableTlsHostCertificateValidation(true);
+
+ final CloseableHttpClient client = httpClientFactory.getHttpClient(config);
+ Assert.assertNotNull("httpClient", client);
+
+ //set-up mock-up web-server with SSL client authentication
+ final Pair<KeyStore, Provider> sslClientKeyStore =
+ keyStoreFactory.buildNewKeyStore(config.getKeyStoreConfig());
+ final String localhost = InetAddress.getByName("localhost").getCanonicalHostName();
+ final HeldCertificate localhostCertificate = new HeldCertificate.Builder()
+ .addSubjectAlternativeName(localhost)
+ .build();
+ X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst()
+ .getCertificateChain(config.getSslKeyAlias())[1];
+
+ final HandshakeCertificates serverCertificates = new HandshakeCertificates.Builder()
+ .addTrustedCertificate(clientRootCert)
+ .heldCertificate(localhostCertificate)
+ .build();
+ mockWebServer = new MockWebServer();
+ mockWebServer.useHttps(serverCertificates.sslSocketFactory(), false);
+ mockWebServer.requireClientAuth();
+ mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+ .setBody("Successful auth!"));
+ mockServerUrl = mockWebServer.url("/sp/junit");
+
+ //perform test request
+ final HttpUriRequest httpGet2 = new HttpGet(mockServerUrl.url().toString());
+ final CloseableHttpResponse httpResp2 = client.execute(httpGet2);
+ Assert.assertEquals("http statusCode", 200, httpResp2.getStatusLine().getStatusCode());
+
+ }
}
diff --git a/eaaf_core_utils/src/test/resources/data/config1.properties b/eaaf_core_utils/src/test/resources/data/config1.properties
new file mode 100644
index 00000000..25bd201f
--- /dev/null
+++ b/eaaf_core_utils/src/test/resources/data/config1.properties
@@ -0,0 +1,5 @@
+security.hsmfacade.host=eid.a-sit.at
+security.hsmfacade.port=9050
+security.hsmfacade.trustedsslcert=src/test/resources/data/hsm_facade_trust_root.crt
+security.hsmfacade.username=authhandler-junit
+security.hsmfacade.password=supersecret123 \ No newline at end of file
diff --git a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml
index 210b88be..4af34b51 100644
--- a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml
+++ b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml
@@ -13,7 +13,7 @@
<bean id="dummyAuthConfigMap"
class="at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap" />
-
+
<bean id="eaafKeyStoreFactory"
class="at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory" />
diff --git a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml
index 402e07f9..dc520086 100644
--- a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml
+++ b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml
@@ -12,7 +12,9 @@
default-lazy-init="true">
<bean id="dummyAuthConfigMap"
- class="at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap" />
+ class="at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap">
+ <constructor-arg value="/data/config1.properties" />
+ </bean>
<import resource="classpath:/spring/eaaf_utils.beans.xml"/>