test(jose): add JWE encryption/decryptio test that uses a wrong decryption key

1 files changed, 80 insertions, 0 deletions

diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
index b01330d2..29e0b565 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
@@ -1,18 +1,34 @@
 package at.gv.egiz.eaaf.modules.auth.sl20.utils;
 
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThrows;
+
+import java.security.Key;
 import java.security.KeyStore;
 import java.security.Provider;
+import java.security.cert.X509Certificate;
 
+import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.jose4j.jca.ProviderContext;
+import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
+import org.jose4j.jwe.JsonWebEncryption;
+import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
+import org.jose4j.lang.JoseException;
+import org.junit.Assert;
 import org.junit.Before;
+import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
 import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
 import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.utils.JoseUtils;
 
 @RunWith(SpringJUnit4ClassRunner.class)
 @ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
@@ -28,6 +44,70 @@ public class JsonSecurityUtilsHsmKeyTest extends AbstractJsonSecurityUtilsTest {
 
   }
 
+  @Test
+  public void encryptionRsaWithWrongDecryptionKey() throws JoseException, EaafException {
+    final String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+    final Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore();
+    final Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+        rsaEncKeyStore.getFirst(), getRsaKeyAlias(), getRsaKeyPassword().toCharArray(),
+        true, "jUnit RSA JWE");
+
+    final JsonWebEncryption jwe = new JsonWebEncryption();
+    jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256);
+    jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
+    jwe.setKey(key.getSecond()[0].getPublicKey());
+    jwe.setPayload(payLoad);
+
+    // set special provider if required
+    if (rsaEncKeyStore.getSecond() != null) {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
+          rsaEncKeyStore.getSecond().getName());
+      jwe.setProviderContext(providerCtx);
+
+    }
+
+    final String encData = jwe.getCompactSerialization();
+    Assert.assertNotNull("JWE", encData);
+    
+    
+    //decrypt it again, but by using a wrong key
+    KeyStoreConfiguration keyConfig = new KeyStoreConfiguration();
+    keyConfig.setFriendlyName("Junit Enc Key Rsa");
+    keyConfig.setKeyStoreType(KeyStoreType.JKS);
+    keyConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit.jks");
+    keyConfig.setSoftKeyStorePassword("password");
+    
+    Pair<KeyStore, Provider> wrongKeyStore = keyStoreFactory.buildNewKeyStore(keyConfig);
+    final Pair<Key, X509Certificate[]> wrongKey = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+        wrongKeyStore.getFirst(), "meta", "password".toCharArray(),
+        true, "jUnit RSA JWE");
+    
+    final JsonWebEncryption jweDecrypt = new JsonWebEncryption();
+    jweDecrypt.setCompactSerialization(encData);
+    jweDecrypt.setKey(JoseUtils.convertToBcKeyIfRequired(wrongKey.getFirst()));
+    
+    
+    // set special provider if required
+    if (wrongKeyStore.getSecond() != null) {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName());
+      providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+      jweDecrypt.setProviderContext(providerCtx);
+
+    } else {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+      jweDecrypt.setProviderContext(providerCtx);
+      
+    }
+    
+    JoseException error = assertThrows("wrong exception", JoseException.class, 
+        () -> jweDecrypt.getPayload());
+    assertEquals("wrong errorMsg", "javax.crypto.AEADBadTagException: mac check in GCM failed", error.getMessage());
+    
+  }
+  
   @Override
   protected void setRsaSigningKey() {
     config.putConfigValue("modules.sl20.security.sign.alias", "rsa-key-1");