author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-08-26 16:21:39 +0200 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-08-26 16:21:39 +0200 |
commit | be7b4a37fb0844e9f1b9ed91742af3d204f68f22 (patch) | |
tree | 29f7db190f647ab35905784c805cfefb9c73abba /eaaf_modules/eaaf_module_auth_sl20/src/test/java/at | |
parent | 4d49513b7c28197b6c767e79e510db18ba73acb5 (diff) | |
Refactor the JWS and JWE implementation in the SL2.0 module so that the JWS- and JWE-specific code can be reused by other classes
Diffstat (limited to 'eaaf_modules/eaaf_module_auth_sl20/src/test/java/at')
2 files changed, 145 insertions, 139 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
index ebea35c6..917ef1e0 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
@@ -9,8 +9,18 @@ import java.security.Security;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
+import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+
 import org.apache.commons.lang3.RandomStringUtils;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.jose4j.base64url.Base64Url;
 import org.jose4j.jca.ProviderContext;
 import org.jose4j.jwa.AlgorithmConstraints;
 import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
@@ -28,15 +38,6 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import com.fasterxml.jackson.databind.JsonNode;
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
-import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
-
 @RunWith(SpringJUnit4ClassRunner.class)
 @ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
 public abstract class AbstractJsonSecurityUtilsTest {
@@ -44,45 +45,45 @@ public abstract class AbstractJsonSecurityUtilsTest { @Autowired protected DummyAuthConfigMap config; @Autowired protected IJoseTools joseTools; @Autowired protected EaafKeyStoreFactory keyStoreFactory; - + @BeforeClass public static void classInitializer() { Security.addProvider(new BouncyCastleProvider()); - + } - - protected abstract void setRsaSigningKey(); - + + protected abstract void setRsaSigningKey(); + protected abstract void setEcSigningKey(); - + protected abstract void setRsaEncryptionKey(); - + protected abstract void setEcEncryptionKey(); - + protected abstract Pair<KeyStore, Provider> getEncryptionKeyStore() throws EaafException; - - protected abstract String getRsaKeyAlias(); - + + protected abstract String getRsaKeyAlias(); + protected abstract String getRsaKeyPassword(); - - protected abstract String getEcKeyAlias(); - + + protected abstract String getEcKeyAlias(); + protected abstract String getEcKeyPassword(); - - + + @Test - public void fullEncryptDecrypt() throws JoseException, EaafException { - String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; - + public void fullEncryptDecrypt() throws JoseException, EaafException { + final String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + final JsonWebEncryption jwe = new JsonWebEncryption(); jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW); jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM); jwe.setKey(joseTools.getEncryptionCertificate().getPublicKey()); jwe.setX509CertSha256ThumbprintHeaderValue(joseTools.getEncryptionCertificate()); jwe.setPayload(payLoad); - + // set special provider if required - Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore(); + final Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore(); if (rsaEncKeyStore.getSecond() != null) { final ProviderContext providerCtx = new ProviderContext(); 
providerCtx.getSuppliedKeyProviderContext().setSignatureProvider( @@ -90,30 +91,30 @@ public abstract class AbstractJsonSecurityUtilsTest { jwe.setProviderContext(providerCtx); } - - String encData = jwe.getCompactSerialization(); + + final String encData = jwe.getCompactSerialization(); Assert.assertNotNull("JWE Encryption", encData); - - - JsonNode decData = joseTools.decryptPayload(encData); + + + final JsonNode decData = joseTools.decryptPayload(encData); Assert.assertNotNull("JWE Decryption", decData); - + } - + @Test public void encryptionRsa() throws JoseException, EaafException { - String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; - Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore(); - Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates( - rsaEncKeyStore.getFirst(), getRsaKeyAlias(), getRsaKeyPassword().toCharArray(), + final String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + final Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore(); + final Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + rsaEncKeyStore.getFirst(), getRsaKeyAlias(), getRsaKeyPassword().toCharArray(), true, "jUnit RSA JWE"); - + final JsonWebEncryption jwe = new JsonWebEncryption(); jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256); jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM); jwe.setKey(key.getSecond()[0].getPublicKey()); jwe.setPayload(payLoad); - + // set special provider if required if (rsaEncKeyStore.getSecond() != null) { final ProviderContext providerCtx = new ProviderContext(); 
@@ -122,27 +123,27 @@ public abstract class AbstractJsonSecurityUtilsTest { jwe.setProviderContext(providerCtx); } - - String encData = jwe.getCompactSerialization(); + + final String encData = jwe.getCompactSerialization(); Assert.assertNotNull("JWE", encData); - - + + } - + @Test public void encryptionEc() throws JoseException, EaafException { - String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; - Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore(); - Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates( - rsaEncKeyStore.getFirst(), getEcKeyAlias(), getEcKeyPassword().toCharArray(), + final String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + final Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore(); + final Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + rsaEncKeyStore.getFirst(), getEcKeyAlias(), getEcKeyPassword().toCharArray(), true, "jUnit RSA JWE"); - + final JsonWebEncryption jwe = new JsonWebEncryption(); jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW); jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM); jwe.setKey(key.getSecond()[0].getPublicKey()); jwe.setPayload(payLoad); - + // set special provider if required if (rsaEncKeyStore.getSecond() != null) { final ProviderContext providerCtx = new ProviderContext(); 
@@ -151,142 +152,139 @@ public abstract class AbstractJsonSecurityUtilsTest { jwe.setProviderContext(providerCtx); } - - String encData = jwe.getCompactSerialization(); - + + final String encData = jwe.getCompactSerialization(); + Assert.assertNotNull("JWE", encData); - - + + } - + @Test - public void noTrustedCert() throws CertificateEncodingException, KeyStoreException, + public void noTrustedCert() throws CertificateEncodingException, KeyStoreException, JoseException, IOException, EaafException { setRsaSigningKey(); setRsaEncryptionKey(); - - String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; - - String jws = joseTools.createSignature(payLoad); + + final String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + + final String jws = joseTools.createSignature(payLoad); Assert.assertNotNull("Signed msg", jws); - + try { joseTools.validateSignature( jws, keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigOnlyEc()).getFirst(), - getDefaultAlgorithmConstrains()); + getDefaultAlgorithmConstrains()); Assert.fail("Wrong JOSE Sig not detected"); - - } catch (JoseException e) { - Assert.assertEquals("Wrong errorCode", - "Can NOT select verification key for JWS. Signature verification FAILED", + + } catch (final JoseException e) { + Assert.assertEquals("Wrong errorCode", + "Can NOT select verification key for JWS. 
Signature verification FAILED", e.getMessage()); - + } } - + @Test - public void invalidSignature() throws CertificateEncodingException, KeyStoreException, + public void invalidSignature() throws CertificateEncodingException, KeyStoreException, JoseException, IOException, EaafException { setRsaSigningKey(); setRsaEncryptionKey(); - - String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; - - String jws = joseTools.createSignature(payLoad); + + final String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + + final String jws = joseTools.createSignature(payLoad); Assert.assertNotNull("Signed msg", jws); - - String invalidJws = - jws.substring(0, jws.indexOf(".") + 5) + "dd" + jws.substring(jws.indexOf(".") + 6); - - try { - joseTools.validateSignature( - invalidJws, - keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(), - getDefaultAlgorithmConstrains()); - Assert.fail("Wrong JOSE Sig not detected"); - - } catch (JoseException e) { - Assert.assertEquals("Wrong errorCode", - "JWS signature is invalid.", - e.getMessage()); - - } - + + final String invalidJws = jws.substring(0, jws.indexOf(".")) + + "." + + Base64Url.encodeUtf8ByteRepresentation("{\"aac\":\"" + RandomStringUtils.randomAlphabetic(25) + "\"}") + + "." + + jws.substring(jws.lastIndexOf(".") + 1); + + + final VerificationResult result = joseTools.validateSignature( + invalidJws, + keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(), + getDefaultAlgorithmConstrains()); + + Assert.assertFalse("wrong sig. 
verification state", result.isValidSigned()); + } - + @Test - public void validSigningRsa() throws CertificateEncodingException, KeyStoreException, + public void validSigningRsa() throws CertificateEncodingException, KeyStoreException, JoseException, IOException, EaafException { setRsaSigningKey(); setRsaEncryptionKey(); - - String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; - - String jws = joseTools.createSignature(payLoad); + + final String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + + final String jws = joseTools.createSignature(payLoad); Assert.assertNotNull("Signed msg", jws); - - VerificationResult verify = joseTools.validateSignature( + + final VerificationResult verify = joseTools.validateSignature( jws, keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(), - getDefaultAlgorithmConstrains()); + getDefaultAlgorithmConstrains()); Assert.assertTrue("wrong verify state", verify.isValidSigned()); Assert.assertNotNull("JWS Header", verify.getJoseHeader()); Assert.assertNotNull("JWS Payload", verify.getPayload()); Assert.assertNotNull("CertChain", verify.getCertChain()); - + } - + @Test - public void validSigningEc() throws CertificateEncodingException, KeyStoreException, + public void validSigningEc() throws CertificateEncodingException, KeyStoreException, JoseException, IOException, EaafException { setEcSigningKey(); setEcEncryptionKey(); - - String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; - - String jws = joseTools.createSignature(payLoad); + + final String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + + final String jws = joseTools.createSignature(payLoad); Assert.assertNotNull("Signed msg", jws); - - VerificationResult verify = joseTools.validateSignature( + + final VerificationResult verify = joseTools.validateSignature( jws, keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(), 
- getDefaultAlgorithmConstrains()); + getDefaultAlgorithmConstrains()); Assert.assertTrue("wrong verify state", verify.isValidSigned()); Assert.assertNotNull("JWS Header", verify.getJoseHeader()); Assert.assertNotNull("JWS Payload", verify.getPayload()); Assert.assertNotNull("CertChain", verify.getCertChain()); - + } - + protected KeyStoreConfiguration getSigTrustStoreConfigValid() { - KeyStoreConfiguration trustConfig = new KeyStoreConfiguration(); + final KeyStoreConfiguration trustConfig = new KeyStoreConfiguration(); trustConfig.setFriendlyName("jUnit TrustStore"); trustConfig.setKeyStoreType(KeyStoreType.JKS); trustConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit.jks"); trustConfig.setSoftKeyStorePassword("password"); - + return trustConfig; - + } - + protected KeyStoreConfiguration getSigTrustStoreConfigOnlyEc() { - KeyStoreConfiguration trustConfig = new KeyStoreConfiguration(); + final KeyStoreConfiguration trustConfig = new KeyStoreConfiguration(); trustConfig.setFriendlyName("jUnit TrustStore"); trustConfig.setKeyStoreType(KeyStoreType.JKS); trustConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit_no_rsa.jks"); trustConfig.setSoftKeyStorePassword("password"); - + return trustConfig; - + } - + private AlgorithmConstraints getDefaultAlgorithmConstrains() { return new AlgorithmConstraints(ConstraintType.WHITELIST, SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING .toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.size()])); } - + } diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java index d9406b2d..4f8b2a23 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java 
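Review bot: invalidSignature and noTrustedCert in this hunk now report a failed verification through two different channels: the rewritten invalidSignature expects validateSignature to return a VerificationResult with `isValidSigned() == false` for a JWS whose payload was swapped, while noTrustedCert a few lines above still expects the same method to throw a JoseException, so a caller that only catches JoseException would treat a payload-tampered message as verified unless it also checks the flag. If that split is intentional it deserves a comment at the top of invalidSignature, e.g. `// a signature mismatch is reported via isValidSigned(), not as a JoseException (compare noTrustedCert)`. It would also be worth asserting what the failed result exposes — for instance `Assert.assertNull("payload of unverified JWS", result.getPayload());`, if VerificationResult leaves the payload unset on failure — so unverified data cannot be consumed by accident. Note that the previous variant of this test, which corrupted the signature bytes themselves, is no longer covered; keeping both cases would exercise the malformed-signature path as well as the payload-mismatch path.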
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java 
@@ -3,51 +3,59 @@ package at.gv.egiz.eaaf.modules.auth.sl20.utils; import java.security.KeyStore; import java.security.Provider; -import org.apache.commons.lang3.StringUtils; -import org.junit.runner.RunWith; -import org.springframework.test.context.ContextConfiguration; -import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; - import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; import at.gv.egiz.eaaf.core.impl.data.Pair; +import org.apache.commons.lang3.StringUtils; +import org.junit.Before; +import org.junit.runner.RunWith; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml") public class JsonSecurityUtilsHsmKeyTest extends AbstractJsonSecurityUtilsTest { + @Before + public void initialize() { + config.putConfigValue("modules.sl20.security.sigalg.rsa", "RS256"); + config.putConfigValue("modules.sl20.security.sigalg.ecc", "ES256"); + + } + @Override protected void setRsaSigningKey() { config.putConfigValue("modules.sl20.security.sign.alias", "rsa-key-1"); - + } @Override protected void setEcSigningKey() { config.putConfigValue("modules.sl20.security.sign.alias", "ec-key-1"); - + } @Override protected void setRsaEncryptionKey() { config.putConfigValue("modules.sl20.security.encryption.alias", "rsa-key-1"); - + } @Override protected void setEcEncryptionKey() { config.putConfigValue("modules.sl20.security.encryption.alias", "ec-key-1"); - + } @Override - protected Pair<KeyStore, Provider> getEncryptionKeyStore() throws EaafException { - KeyStoreConfiguration keyConfig = new KeyStoreConfiguration(); + protected Pair<KeyStore, Provider> getEncryptionKeyStore() throws EaafException { + final KeyStoreConfiguration keyConfig 
= new KeyStoreConfiguration(); keyConfig.setFriendlyName("Junit Enc Key Rsa"); keyConfig.setKeyStoreType(KeyStoreType.HSMFACADE); keyConfig.setKeyStoreName("eid-junit"); - + return keyStoreFactory.buildNewKeyStore(keyConfig); } @@ -71,5 +79,5 @@ public class JsonSecurityUtilsHsmKeyTest extends AbstractJsonSecurityUtilsTest { return StringUtils.EMPTY; } - + } |
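Review bot: The new initialize() pins the signing algorithms to RS256/ES256 through `modules.sl20.security.sigalg.rsa` and `modules.sl20.security.sigalg.ecc` without saying why; presumably the refactored JWS code now reads the algorithm from config and has no usable default, which a reader of this test class cannot tell. A one-line comment such as `// the refactored JWS implementation takes the signing algorithm from config; pin it so the tests do not depend on a default` would make that explicit. Since the algorithm is now configuration-driven, a negative test that configures a value outside SL20_ALGORITHM_WHITELIST_SIGNING (for example "none" or an HMAC algorithm) and checks that createSignature or validateSignature rejects it would be a useful addition; I cannot see from this hunk whether the producer side validates the configured value before signing.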