summaryrefslogtreecommitdiff
path: root/eaaf_modules/eaaf_module_auth_sl20
diff options
context:
space:
mode:
authorThomas <>2023-01-17 14:20:07 +0100
committerThomas <>2023-01-17 14:20:07 +0100
commit4a6a9f69d15d4a517af075b31e06ae73a1aa3262 (patch)
tree2501abb49e05083041f74c05da547bbf7d287683 /eaaf_modules/eaaf_module_auth_sl20
parent5781d1c6c8ce6002120aaf7499237fce17b50e41 (diff)
downloadEAAF-Components-4a6a9f69d15d4a517af075b31e06ae73a1aa3262.tar.gz
EAAF-Components-4a6a9f69d15d4a517af075b31e06ae73a1aa3262.tar.bz2
EAAF-Components-4a6a9f69d15d4a517af075b31e06ae73a1aa3262.zip
test(jose): add JWE encryption/decryptio test that uses a wrong decryption key
Diffstat (limited to 'eaaf_modules/eaaf_module_auth_sl20')
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java80
1 files changed, 80 insertions, 0 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
index b01330d2..29e0b565 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
@@ -1,18 +1,34 @@
package at.gv.egiz.eaaf.modules.auth.sl20.utils;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThrows;
+
+import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
+import java.security.cert.X509Certificate;
+import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.jose4j.jca.ProviderContext;
+import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
+import org.jose4j.jwe.JsonWebEncryption;
+import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
+import org.jose4j.lang.JoseException;
+import org.junit.Assert;
import org.junit.Before;
+import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.utils.JoseUtils;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
@@ -28,6 +44,70 @@ public class JsonSecurityUtilsHsmKeyTest extends AbstractJsonSecurityUtilsTest {
}
+ @Test
+ public void encryptionRsaWithWrongDecryptionKey() throws JoseException, EaafException {
+ final String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+ final Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore();
+ final Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+ rsaEncKeyStore.getFirst(), getRsaKeyAlias(), getRsaKeyPassword().toCharArray(),
+ true, "jUnit RSA JWE");
+
+ final JsonWebEncryption jwe = new JsonWebEncryption();
+ jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256);
+ jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
+ jwe.setKey(key.getSecond()[0].getPublicKey());
+ jwe.setPayload(payLoad);
+
+ // set special provider if required
+ if (rsaEncKeyStore.getSecond() != null) {
+ final ProviderContext providerCtx = new ProviderContext();
+ providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
+ rsaEncKeyStore.getSecond().getName());
+ jwe.setProviderContext(providerCtx);
+
+ }
+
+ final String encData = jwe.getCompactSerialization();
+ Assert.assertNotNull("JWE", encData);
+
+
+ //decrypt it again, but by using a wrong key
+ KeyStoreConfiguration keyConfig = new KeyStoreConfiguration();
+ keyConfig.setFriendlyName("Junit Enc Key Rsa");
+ keyConfig.setKeyStoreType(KeyStoreType.JKS);
+ keyConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit.jks");
+ keyConfig.setSoftKeyStorePassword("password");
+
+ Pair<KeyStore, Provider> wrongKeyStore = keyStoreFactory.buildNewKeyStore(keyConfig);
+ final Pair<Key, X509Certificate[]> wrongKey = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+ wrongKeyStore.getFirst(), "meta", "password".toCharArray(),
+ true, "jUnit RSA JWE");
+
+ final JsonWebEncryption jweDecrypt = new JsonWebEncryption();
+ jweDecrypt.setCompactSerialization(encData);
+ jweDecrypt.setKey(JoseUtils.convertToBcKeyIfRequired(wrongKey.getFirst()));
+
+
+ // set special provider if required
+ if (wrongKeyStore.getSecond() != null) {
+ final ProviderContext providerCtx = new ProviderContext();
+ providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName());
+ providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+ jweDecrypt.setProviderContext(providerCtx);
+
+ } else {
+ final ProviderContext providerCtx = new ProviderContext();
+ providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+ jweDecrypt.setProviderContext(providerCtx);
+
+ }
+
+ JoseException error = assertThrows("wrong exception", JoseException.class,
+ () -> jweDecrypt.getPayload());
+ assertEquals("wrong errorMsg", "javax.crypto.AEADBadTagException: mac check in GCM failed", error.getMessage());
+
+ }
+
@Override
protected void setRsaSigningKey() {
config.putConfigValue("modules.sl20.security.sign.alias", "rsa-key-1");