authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-05 09:02:13 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-02-05 09:02:13 +0100
commit5a1eca23a9b35541b7b1955b83b47e0af983d5dd (patch)
treeea9045f10af6ba12f02777b2b6a3ff3f7fd5557b /eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules
parente7610325ee2f1d1f4e97e1e7a9b212e692836b5a (diff)
add Trusted-Certificates method to AbstractCredentialProvider
add JUnit tests for AbstractCredentialProvider; change method names in AbstractCredentialProvider
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/credential/EaafX509Credential.java18
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java20
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java151
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java12
4 files changed, 134 insertions, 67 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/credential/EaafX509Credential.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/credential/EaafX509Credential.java
index ce6451c0..95070167 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/credential/EaafX509Credential.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/credential/EaafX509Credential.java
@@ -21,4 +21,22 @@ public interface EaafX509Credential extends X509Credential {
*/
void setSignatureAlgorithmForSigning(@Nonnull String sigAlg);
+
+ /**
+ * Get the key-encryption algorithm that has to be used with this credential
+ * in case of data-encryption operations.
+ *
+ * @return Key-encryption algorithm-identifier
+ */
+ @Nonnull
+ String getKeyEncryptionAlgorithmForDataEncryption();
+
+ /**
+ * Set the key-encryption algorithm that has to be used with this credential
+ * in case of data-encryption operations.
+ *
+ * @param sigAlg Key-encryption algorithm-identifier
+ */
+ void setKeyEncryptionAlgorithmForDataEncryption(@Nonnull String sigAlg);
+
}
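Review bot: The setter parameter on L46 is still named `sigAlg` although it carries a key-encryption algorithm identifier, and the `@param sigAlg` tag on L44 repeats the misnomer; rename it in both places, `void setKeyEncryptionAlgorithmForDataEncryption(@Nonnull String keyEncAlg);`. The getter on L37-L38 is declared `@Nonnull`, but the interface says nothing about what an implementation must do when no algorithm has been set, so either document `@throws IllegalStateException if no key-encryption algorithm has been configured` or relax the annotation to `@Nullable`, whichever the adapter is meant to guarantee. It would also help a reader to say what kind of identifier is expected, presumably an algorithm URI of the same form as the `PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_*` defaults used by the adapter.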
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java
index 6d81700a..1611d623 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafKeyStoreX509CredentialAdapter.java
@@ -46,6 +46,7 @@ public class EaafKeyStoreX509CredentialAdapter extends KeyStoreX509CredentialAda
implements EaafX509Credential {
private String signatureAlgorithmtToUse;
+ private String keyEncryptionAlgorithmtToUse;
/**
* Get an OpenSAML2 keystore.
@@ -72,10 +73,15 @@ public class EaafKeyStoreX509CredentialAdapter extends KeyStoreX509CredentialAda
}
try {
- setSignatureAlgorithmForSigning(Saml2Utils.getSignatureAlgorithm(this,
+ setSignatureAlgorithmForSigning(Saml2Utils.getKeyOperationAlgorithmFromCredential(this,
PvpConstants.DEFAULT_SIGNING_METHODE_RSA,
PvpConstants.DEFAULT_SIGNING_METHODE_EC));
+ setKeyEncryptionAlgorithmForDataEncryption(
+ Saml2Utils.getKeyOperationAlgorithmFromCredential(this,
+ PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA,
+ PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_EC));
+
} catch (final SamlSigningException e) {
throw new CredentialsNotAvailableException("internal.pvp.01", new Object[] { keyStoreFriendlyName,
alias }, e);
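Review bot: The key-encryption algorithm chosen on L66-L69 comes from hard-coded `PvpConstants` defaults and never consults the `CONFIG_PROP_SEC_ENCRYPTION_KEY_*` settings; AbstractCredentialProvider overrides both values right after construction, but any other code that builds the adapter directly would silently run with the compiled-in default. A comment would make that contract explicit, e.g. `// Compiled-in defaults only; AbstractCredentialProvider replaces both from configuration.` The catch on L71 also reports a failure of encryption-algorithm selection under the same `internal.pvp.01` code as a signing failure, which can send an operator reading the log to the wrong configuration section. The constructor body continues outside the hunk.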
@@ -101,4 +107,16 @@ public class EaafKeyStoreX509CredentialAdapter extends KeyStoreX509CredentialAda
}
+ @Override
+ public String getKeyEncryptionAlgorithmForDataEncryption() {
+ return this.keyEncryptionAlgorithmtToUse;
+
+ }
+
+ @Override
+ public void setKeyEncryptionAlgorithmForDataEncryption(String sigAlg) {
+ this.keyEncryptionAlgorithmtToUse = sigAlg;
+
+ }
+
}
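Review bot: `setKeyEncryptionAlgorithmForDataEncryption` on L83-L84 stores its argument unchecked, while the interface declares the matching getter `@Nonnull`; a caller passing null therefore breaks the getter's contract at the point of use instead of at the point of misconfiguration. Write `this.keyEncryptionAlgorithmtToUse = Objects.requireNonNull(keyEncAlg, "keyEncAlg");` (importing `java.util.Objects`) and annotate the parameter `@Nonnull` as the interface does. The parameter name `sigAlg` is copied from the signing setter and misnames the value, and the new field `keyEncryptionAlgorithmtToUse` (L56) carries the `Algorithmt` typo inherited from `signatureAlgorithmtToUse` on L55; if the field is renamed now, both can be fixed in one pass.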
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
index 336741a0..13124114 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/AbstractCredentialProvider.java
@@ -23,10 +23,14 @@ import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
-import java.security.PrivateKey;
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.RSAPrivateKey;
-
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.List;
+
+import javax.annotation.Nonnull;
import javax.annotation.PostConstruct;
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
@@ -40,26 +44,24 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafKeyStoreX509CredentialAdapter;
import org.apache.commons.lang3.StringUtils;
-import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
-import org.opensaml.xmlsec.signature.Signature;
-import org.opensaml.xmlsec.signature.support.SignatureConstants;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;
import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
public abstract class AbstractCredentialProvider {
+ private static final String TRUSTED_CERTIFICATES_OPERATION = "Trusted Certificate Entries";
+
@Autowired
protected ResourceLoader resourceLoader;
@Autowired
protected IConfiguration basicConfig;
- private static final Logger log = LoggerFactory.getLogger(AbstractCredentialProvider.class);
-
private KeyStore keyStore = null;
/**
@@ -76,6 +78,7 @@ public abstract class AbstractCredentialProvider {
* @return URL to the keyStore
* @throws EaafException In case of an invalid filepath
*/
+ @Nonnull
public abstract String getKeyStoreFilePath() throws EaafException;
/**
@@ -133,23 +136,16 @@ public abstract class AbstractCredentialProvider {
* @return Credentials
* @throws CredentialsNotAvailableException In case of a credential error
*/
- public EaafX509Credential getIdpMetaDataSigningCredential() throws CredentialsNotAvailableException {
+ public EaafX509Credential getMetaDataSigningCredential() throws CredentialsNotAvailableException {
try {
final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore,
getMetadataKeyAlias(), getMetadataKeyPassword().toCharArray(), getFriendlyName());
-
credentials.setUsageType(UsageType.SIGNING);
- credentials.setSignatureAlgorithmForSigning(Saml2Utils.getSignatureAlgorithm(
- credentials,
- basicConfig.getBasicConfiguration(
- PvpConstants.CONFIG_PROP_SEC_SIGNING_RSA_ALG,
- PvpConstants.DEFAULT_SIGNING_METHODE_RSA),
- basicConfig.getBasicConfiguration(
- PvpConstants.CONFIG_PROP_SEC_SIGNING_RSA_ALG,
- PvpConstants.DEFAULT_SIGNING_METHODE_EC)));
+ credentials.setSignatureAlgorithmForSigning(selectSigningAlgorithm(credentials));
+ credentials.setKeyEncryptionAlgorithmForDataEncryption(selectKeyEncryptionAlgorithm(credentials));
return credentials;
- } catch (final SamlSigningException e) {
+ } catch (final Exception e) {
throw new CredentialsNotAvailableException("internal.pvp.01",
new Object[] { getFriendlyName(), getMetadataKeyAlias() }, e);
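Review bot: Widening the catch on L168 from `SamlSigningException` to `Exception` now also captures the `CredentialsNotAvailableException` that the adapter constructor throws itself (see its catch in EaafKeyStoreX509CredentialAdapter in this commit), so that error is re-wrapped in a second `CredentialsNotAvailableException` with the same `internal.pvp.01` code and the original argument list is buried one cause deeper. Let the already-typed exception pass through first: `} catch (final CredentialsNotAvailableException e) { throw e; } catch (final Exception e) {` ahead of the existing wrapping. The wide catch also converts programming errors, such as a NullPointerException if `getMetadataKeyPassword()` returned null on L153, into a configuration error; that is acceptable at this boundary but deserves a one-line comment saying so. The method body continues past the end of the hunk.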
@@ -157,26 +153,19 @@ public abstract class AbstractCredentialProvider {
}
/**
- * Get Credentials to sign Assertion.
+ * Get Credentials to sign SAML2 messages, like AuthnRequest, Response,
+ * Assertions as some examples.
*
* @return Credentials
* @throws CredentialsNotAvailableException In case of a credential error
*/
- public EaafX509Credential getIdpAssertionSigningCredential() throws CredentialsNotAvailableException {
+ public EaafX509Credential getMessageSigningCredential() throws CredentialsNotAvailableException {
try {
final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore,
getSignatureKeyAlias(), getSignatureKeyPassword().toCharArray(), getFriendlyName());
-
credentials.setUsageType(UsageType.SIGNING);
- credentials.setSignatureAlgorithmForSigning(Saml2Utils.getSignatureAlgorithm(
- credentials,
- basicConfig.getBasicConfiguration(
- PvpConstants.CONFIG_PROP_SEC_SIGNING_RSA_ALG,
- PvpConstants.DEFAULT_SIGNING_METHODE_RSA),
- basicConfig.getBasicConfiguration(
- PvpConstants.CONFIG_PROP_SEC_SIGNING_RSA_ALG,
- PvpConstants.DEFAULT_SIGNING_METHODE_EC)));
-
+ credentials.setSignatureAlgorithmForSigning(selectSigningAlgorithm(credentials));
+ credentials.setKeyEncryptionAlgorithmForDataEncryption(selectKeyEncryptionAlgorithm(credentials));
return credentials;
} catch (final Exception e) {
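Review bot: `getIdpAssertionSigningCredential` is a public method of a library module and is renamed on L182 with no `@Deprecated` delegating overload, so every downstream module calling the old name breaks at compile time; the same applies to `getIdpMetaDataSigningCredential` in the previous hunk. Keep the old name for one release: `@Deprecated public EaafX509Credential getIdpAssertionSigningCredential() throws CredentialsNotAvailableException { return getMessageSigningCredential(); }`. The rewritten Javadoc on L175-L176 also no longer says what distinguishes this credential from the metadata-signing one, namely that it is loaded from `getSignatureKeyAlias()` (L185) rather than `getMetadataKeyAlias()`; one sentence would do. The method body continues past the end of the hunk.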
@@ -187,51 +176,70 @@ public abstract class AbstractCredentialProvider {
}
/**
- * Get Credentials to encrypt assertion.
+ * Get Credentials to encrypt messages, like Assertion as example.
*
* @return Credentials
* @throws CredentialsNotAvailableException In case of a credential error
*/
- public EaafX509Credential getIdpAssertionEncryptionCredential()
+ public EaafX509Credential getMessageEncryptionCredential()
throws CredentialsNotAvailableException {
// if no encryption key is configured return null
if (StringUtils.isEmpty(getEncryptionKeyAlias())) {
return null;
}
- final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore,
- getEncryptionKeyAlias(), getEncryptionKeyPassword().toCharArray(), getFriendlyName());
- credentials.setUsageType(UsageType.ENCRYPTION);
- return credentials;
+ try {
+ final EaafKeyStoreX509CredentialAdapter credentials = new EaafKeyStoreX509CredentialAdapter(keyStore,
+ getEncryptionKeyAlias(), getEncryptionKeyPassword().toCharArray(), getFriendlyName());
+ credentials.setUsageType(UsageType.ENCRYPTION);
+ credentials.setSignatureAlgorithmForSigning(selectSigningAlgorithm(credentials));
+ credentials.setKeyEncryptionAlgorithmForDataEncryption(selectKeyEncryptionAlgorithm(credentials));
+ return credentials;
+
+ } catch (final Exception e) {
+ throw new CredentialsNotAvailableException("internal.pvp.01",
+ new Object[] { getFriendlyName(), getEncryptionKeyAlias() }, e);
+
+ }
}
/**
- * Get an XML signature object.
+ * Get a List of trusted {@link X509Certificate} that are available in this
+ * KeyStore.
*
- * @param credentials Credentials for signing
- * @return OpenSAML Signature object
+ * @return List of trusted {@link X509Certificate}, or an emptry {@link List} if
+ * no certificates are available
+ * @throws CredentialsNotAvailableException In case of a KeyStore error
*/
- @Deprecated
- public static Signature getIdpSignature(final Credential credentials) {
- final PrivateKey privatekey = credentials.getPrivateKey();
- final Signature signer = Saml2Utils.createSamlObject(Signature.class);
-
- if (privatekey instanceof RSAPrivateKey) {
- signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
-
- } else if (privatekey instanceof ECPrivateKey) {
- signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256);
-
- } else {
- log.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId()
- + " credential.");
+ @Nonnull
+ public List<X509Certificate> getTrustedCertificates()
+ throws CredentialsNotAvailableException {
+ final List<X509Certificate> result = new ArrayList<>();
+ try {
+ final Enumeration<String> aliases = keyStore.aliases();
+ while (aliases.hasMoreElements()) {
+ final String el = aliases.nextElement();
+ log.trace("Process TrustStoreEntry: " + el);
+ if (keyStore.isCertificateEntry(el)) {
+ final Certificate cert = keyStore.getCertificate(el);
+ if (cert != null && cert instanceof X509Certificate) {
+ result.add((X509Certificate) cert);
+
+ } else {
+ log.info("Can not process entry: {}. Reason: {}",
+ el, cert != null ? cert.getType() : "cert is null");
+
+ }
+ }
+ }
+ } catch (final KeyStoreException e) {
+ throw new CredentialsNotAvailableException("internal.pvp.01",
+ new Object[] { getFriendlyName(), TRUSTED_CERTIFICATES_OPERATION }, e);
}
- signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
- signer.setSigningCredential(credentials);
- return signer;
+ return Collections.unmodifiableList(result);
}
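Review bot: `getTrustedCertificates` (L261-L288) turns every certificate-only entry of the same keystore that holds the signing and encryption private keys into a candidate trust anchor, with no validity check and no way to tell a deliberately trusted CA from a leftover partner certificate; if the result feeds signature or metadata verification (not visible here), an expired or stray entry imported into that file silently widens trust. At minimum call `checkValidity()` on each entry and log a warning for expired or not-yet-valid ones, and state the trust source in the Javadoc, e.g. `* Trust is derived solely from the certificate-only entries of the configured KeyStore; key entries are skipped.` On L271 `cert != null &&` is redundant because `instanceof` is already false for null: `if (cert instanceof X509Certificate) {`. The Javadoc of `getMessageEncryptionCredential` (L205-L209) was rewritten but still omits that the method returns null when no encryption alias is configured (L214-L215); add `@return Credentials, or null if no encryption key alias is configured`.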
@@ -254,7 +262,30 @@ public abstract class AbstractCredentialProvider {
throw e;
}
+ }
+
+ private String selectSigningAlgorithm(EaafKeyStoreX509CredentialAdapter credentials)
+ throws SamlSigningException {
+ return Saml2Utils.getKeyOperationAlgorithmFromCredential(
+ credentials,
+ basicConfig.getBasicConfiguration(
+ PvpConstants.CONFIG_PROP_SEC_SIGNING_RSA_ALG,
+ PvpConstants.DEFAULT_SIGNING_METHODE_RSA),
+ basicConfig.getBasicConfiguration(
+ PvpConstants.CONFIG_PROP_SEC_SIGNING_EC_ALG,
+ PvpConstants.DEFAULT_SIGNING_METHODE_EC));
+ }
+ private String selectKeyEncryptionAlgorithm(EaafKeyStoreX509CredentialAdapter credentials)
+ throws SamlSigningException {
+ return Saml2Utils.getKeyOperationAlgorithmFromCredential(
+ credentials,
+ basicConfig.getBasicConfiguration(
+ PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_RSA_ALG,
+ PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA),
+ basicConfig.getBasicConfiguration(
+ PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_EC_ALG,
+ PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_EC));
}
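Review bot: The algorithm identifiers read from configuration on L299-L304 and L310-L315 are handed to the credential as-is; neither helper nor the visible part of `getKeyOperationAlgorithmFromCredential` (Saml2Utils, L345-L349) checks them against an allow-list, so a typo or a deliberately weak value in `CONFIG_PROP_SEC_SIGNING_*` / `CONFIG_PROP_SEC_ENCRYPTION_KEY_*` (say a SHA-1 signature or an RSA PKCS#1 v1.5 key-transport URI) would only fail, if at all, when OpenSAML later uses it. Validate the configured value against the set of algorithms the deployment accepts and fail at startup with a clear message, or at least log the selected identifier at INFO so the effective policy is auditable. Both private helpers also lack Javadoc and are not separated by a blank line (L305-L306); add e.g. `/** Picks the configured RSA or EC signing algorithm matching the credential's key type. */` and its encryption counterpart. The method that closes on L293 begins outside the hunk.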
}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java
index dc7e9338..14e6a78a 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/utils/Saml2Utils.java
@@ -132,7 +132,7 @@ public class Saml2Utils {
@Nonnull EaafX509Credential signingCredential, boolean injectCertificate) throws SamlSigningException {
try {
- final String usedSigAlg = getSignatureAlgorithm(signingCredential,
+ final String usedSigAlg = getKeyOperationAlgorithmFromCredential(signingCredential,
PvpConstants.DEFAULT_SIGNING_METHODE_RSA,
PvpConstants.DEFAULT_SIGNING_METHODE_EC);
@@ -218,15 +218,15 @@ public class Saml2Utils {
/**
* Select signature algorithm for a given credential.
*
- * @param credentials {@link X509Credential} that will be used for signing
- * @param rsaSigAlgorithm RSA based signing algorithm that should be used in
+ * @param credentials {@link X509Credential} that will be used for key operations
+ * @param rsaSigAlgorithm RSA based algorithm that should be used in
* case of RSA credential
- * @param ecSigAlgorithm EC based signing algorithm that should be used in case
+ * @param ecSigAlgorithm EC based algorithm that should be used in case
* of RSA credential
- * @return either the rsaSigAlgorithm or the ecSigAlgorithm
+ * @return either the RSA based algorithm or the EC based algorithm
* @throws SamlSigningException In case of an unsupported credential
*/
- public static String getSignatureAlgorithm(X509Credential credentials,
+ public static String getKeyOperationAlgorithmFromCredential(X509Credential credentials,
String rsaSigAlgorithm, String ecSigAlgorithm) throws SamlSigningException {
final PrivateKey privatekey = credentials.getPrivateKey();
if (privatekey instanceof RSAPrivateKey) {