author | Thomas <> | 2023-01-18 13:46:22 +0100 |
committer | Thomas <> | 2023-01-18 13:46:22 +0100 |
commit | 19a717e5684ea7cac8a39d24263cde0825c95968 (patch) | |
tree | 8d31979c0cebd5c8f841a739c6c6b3ad05650582 /eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv | |
parent | 4a6a9f69d15d4a517af075b31e06ae73a1aa3262 (diff) | |
fix(saml2): support XML decryption by using key from HSM-Facade
Details: openSAML4 uses org.apache.xml.security.algorithms.JCEMapper to
define the JCE crypto provider for openSAML cryptographic operations. However, this
JCEMapper is not used by the openSAML Decrypter, so the provider must be set manually.
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv')
2 files changed, 114 insertions, 12 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java index abbfb1ea..0eb80cc9 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java @@ -32,6 +32,7 @@ import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.utils.DomUtils; import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; @@ -48,15 +49,16 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider; +import lombok.SneakyThrows; import net.shibboleth.utilities.java.support.xml.XMLParserException; public abstract class AbstractSamlVerificationEngine { @Autowired - private PvpMetadataResolverFactory metadataResolverFactory; + protected PvpMetadataResolverFactory metadataResolverFactory; @Autowired - private SamlVerificationEngine verifyEngine; + protected SamlVerificationEngine verifyEngine; @Autowired protected DummyCredentialProvider credentialProvider; 
@@ -255,22 +257,29 @@ public abstract class AbstractSamlVerificationEngine { } } + @SneakyThrows + protected Response initializeResponseSimple(String spEntityId, String authnReqPath, EaafX509Credential credential) { + final Response response = (Response) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)); + response.setIssueInstant(Instant.now()); + final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); + issuer.setValue(spEntityId); + response.setIssuer(issuer); + + return Saml2Utils.signSamlObject(response, credential, true); + + } + + protected Pair<Response, IPvp2MetadataProvider> initializeResponse(String spEntityId, String metadataPath, String authnReqPath, EaafX509Credential credential) throws SamlSigningException, XMLParserException, UnmarshallingException, Pvp2MetadataException { final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider( metadataPath, null, "jUnit metadata resolver", null); - final Response authnReq = (Response) XMLObjectSupport.unmarshallFromInputStream( - XMLObjectProviderRegistrySupport.getParserPool(), - AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)); - authnReq.setIssueInstant(Instant.now()); - final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); - issuer.setValue(spEntityId); - authnReq.setIssuer(issuer); - return Pair.newInstance( - Saml2Utils.signSamlObject(authnReq, credential, true), + initializeResponseSimple(spEntityId, authnReqPath, credential), mdResolver); } 
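Review bot: `initializeResponseSimple` hands `AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)` straight to `unmarshallFromInputStream`, so a missing or mistyped test resource shows up as a NullPointerException from inside the parser rather than a message naming the path, and the stream is never closed. Wrapping the lookup as `Objects.requireNonNull(AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath), "test resource not found: " + authnReqPath)` and reading it inside a try-with-resources would make such failures self-explanatory; the same pattern recurs in `performEncryptionDecrytion` in the following hunk. The `@SneakyThrows` on the new helper also hides the checked `SamlSigningException`/`XMLParserException`/`UnmarshallingException` that the sibling `initializeResponse` still declares, so the two helpers now report the same failure differently; declaring the exceptions on both keeps the test base consistent.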
@@ -336,5 +345,34 @@ public abstract class AbstractSamlVerificationEngine { } + @SneakyThrows + protected void performEncryptionDecrytion(EaafX509Credential encdecCredential) { + final String responsePath = "/data/response_encrypt_decryption_test.xml"; + final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; + + final Response response = (Response) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + AbstractSamlVerificationEngine.class.getResourceAsStream(responsePath)); + + // encrypt assertion with key + response.getEncryptedAssertions().add(doEncryption(response.getAssertions().get(0), + encdecCredential, authConfig)); + response.getAssertions().clear(); + + // re-sign response + response.setIssueInstant(Instant.now()); + final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); + issuer.setValue(spEntityId); + response.setIssuer(issuer); + Saml2Utils.signSamlObject(response, credentialProvider.getMetaDataSigningCredential(), true); + + DomUtils.serializeNode(XMLObjectSupport.marshall(response)); + + + // decrypt and verify assertion by using EAAF implementation + verifyEngine.validateAssertion(response, encdecCredential, + spEntityId, "jUnit Test", false); + + } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java index 926f25b2..1511eb73 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java 
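Review bot: The value of `DomUtils.serializeNode(XMLObjectSupport.marshall(response))` in `performEncryptionDecrytion` is discarded, so the line reads as a leftover debug statement; if the `marshall` call is needed so that the encrypted assertion exists as DOM before `validateAssertion` decrypts it, keep only that call with a comment such as `// marshall to DOM so the decrypter sees the encrypted assertion`, otherwise remove both. The test also relies solely on `validateAssertion` not throwing; asserting on its outcome (whatever it returns, or the decrypted assertion) would make a silently skipped decryption visible. `authConfig` is used here but not defined in the hunk, so it is presumably a field of the base class outside this view. The method name carries a typo (`Decrytion`); it is introduced by this commit and only called from the new tests, so renaming it to `performEncryptionDecryption` is cheap.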
@@ -1,7 +1,13 @@ package at.gv.egiz.eaaf.modules.pvp2.test; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertThrows; + +import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; +import org.opensaml.core.xml.io.UnmarshallingException; +import org.opensaml.saml.saml2.core.Response; import org.opensaml.xmlsec.signature.support.SignatureConstants; import org.springframework.test.annotation.DirtiesContext; import org.springframework.test.annotation.DirtiesContext.ClassMode; @@ -10,7 +16,12 @@ import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import lombok.SneakyThrows; +import net.shibboleth.utilities.java.support.xml.XMLParserException; //@IfProfileValue(name = "spring.profiles.active", value = "devEnvironment") @RunWith(SpringJUnit4ClassRunner.class) @@ -35,7 +46,6 @@ public class SamlVerificationEngineWithHsmFacadeTest extends AbstractSamlVerific @Override protected String getAuthnRequestWithoutSigPath() { return "/data/AuthRequest_without_sig_1.xml"; - } @Override 
@@ -69,6 +79,60 @@ public class SamlVerificationEngineWithHsmFacadeTest extends AbstractSamlVerific } } + + @Test + public void assertionDecryptionWithWrongEcKey() throws SamlSigningException, Pvp2MetadataException, + CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { + final String responsePath = "/data/response_decrypt_test.xml"; + final String spEntityId = "https://vidp.gv.at/EidasNode/ColleagueResponse"; + + final Response inputMsg = + initializeResponseSimple(spEntityId, responsePath, + credentialProvider.getMetaDataSigningCredential()); + + SamlAssertionValidationExeption error = assertThrows("wrong exception", SamlAssertionValidationExeption.class, + () -> verifyEngine.validateAssertion(inputMsg, credentialProvider.getMessageSigningCredential(), + spEntityId, "jUnit Test", false)); + assertEquals("wrong errorCode", "internal.pvp.16", error.getErrorId()); + + } + + @Test + public void assertionDecryptionWithWrongRsaKey() throws SamlSigningException, Pvp2MetadataException, + CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { + final String responsePath = "/data/response_decrypt_test.xml"; + final String spEntityId = "https://vidp.gv.at/EidasNode/ColleagueResponse"; + + final Response inputMsg = + initializeResponseSimple(spEntityId, responsePath, + credentialProvider.getMetaDataSigningCredential()); + SamlAssertionValidationExeption error = assertThrows("wrong exception", SamlAssertionValidationExeption.class, + () -> verifyEngine.validateAssertion(inputMsg, credentialProvider.getMetaDataSigningCredential(), + spEntityId, "jUnit Test", false)); + assertEquals("wrong errorCode", "internal.pvp.16", error.getErrorId()); + } + + @Test + @SneakyThrows + public void assertionEncryptionDecryptionRsa() throws SamlSigningException, Pvp2MetadataException, + CredentialsNotAvailableException, XMLParserException, UnmarshallingException, 
SamlAssertionValidationExeption { + performEncryptionDecrytion(credentialProvider.getMessageEncryptionCredential()); + + } + + + /* + * ECC keys currently not support for encryption. + */ + @Test + @Ignore + @SneakyThrows + public void assertionEncryptionDecryptionEcc() throws SamlSigningException, Pvp2MetadataException, + CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { + performEncryptionDecrytion(credentialProvider.getMessageSigningCredential()); + + } + } |
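Review bot: `assertionEncryptionDecryptionRsa` and `assertionEncryptionDecryptionEcc` carry both `@SneakyThrows` and a full `throws` clause, which is redundant; keeping the explicit `throws` clause and dropping the annotation preserves the checked exception types in test reports. `@Ignore` on the ECC test has no reason string; moving the block comment into the annotation, `@Ignore("ECC keys currently not supported for encryption")`, shows the reason wherever the skipped test is listed. `assertionDecryptionWithWrongEcKey` and `assertionDecryptionWithWrongRsaKey` duplicate the response setup and differ only in the credential passed to `validateAssertion`; a private helper taking the credential and asserting the `internal.pvp.16` error code would keep the wrong-key check in one place. Nothing in the hunk shows which credential is EC and which is RSA, so the method names rest on test configuration outside this diff.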