summaryrefslogtreecommitdiff
path: root/eaaf_modules/eaaf_module_pvp2_core/src
diff options
context:
space:
mode:
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src')
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java328
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java96
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java331
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java69
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props7
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props18
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml32
7 files changed, 589 insertions, 292 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java
new file mode 100644
index 00000000..d5186857
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java
@@ -0,0 +1,328 @@
+package at.gv.egiz.eaaf.modules.pvp2.test;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
+import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory;
+import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
+import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine;
+import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider;
+import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider;
+
+import org.joda.time.DateTime;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
+import org.opensaml.core.xml.io.UnmarshallingException;
+import org.opensaml.core.xml.util.XMLObjectSupport;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.saml2.core.Assertion;
+import org.opensaml.saml.saml2.core.AuthnRequest;
+import org.opensaml.saml.saml2.core.EncryptedAssertion;
+import org.opensaml.saml.saml2.core.Issuer;
+import org.opensaml.saml.saml2.core.Response;
+import org.opensaml.saml.saml2.encryption.Encrypter;
+import org.opensaml.saml.saml2.encryption.Encrypter.KeyPlacement;
+import org.opensaml.security.x509.X509Credential;
+import org.opensaml.xmlsec.SecurityConfigurationSupport;
+import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
+import org.opensaml.xmlsec.encryption.support.EncryptionException;
+import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
+import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.Assert;
+
+import net.shibboleth.utilities.java.support.xml.XMLParserException;
+
+
+public abstract class AbstractSamlVerificationEngine {
+
+ @Autowired
+ private PvpMetadataResolverFactory metadataResolverFactory;
+ @Autowired
+ private SamlVerificationEngine verifyEngine;
+ @Autowired
+ protected DummyCredentialProvider credentialProvider;
+
+ @Autowired DummyMetadataProvider metadataProvider;
+ @Autowired IConfiguration authConfig;
+
+ /**
+ * JUnit class initializer.
+ *
+ * @throws Exception In case of an OpenSAML3 initialization error
+ */
+ @BeforeClass
+ public static void classInitializer() throws Exception {
+ EaafOpenSaml3xInitializer.eaafInitialize();
+
+ }
+ protected abstract String getMetadataJunitJKeystore();
+
+ protected abstract String getMetadataClassPathEntityPath();
+
+ protected abstract String getAuthnRequestWithoutSigPath();
+
+ protected abstract String getResponseWithSigPath();
+
+ protected abstract String getResponseWithoutSigPath();
+
+
+ @Test
+ public void validateSamlRequestSuccess() throws SecurityException, Exception {
+
+ final String authnReqPath = getAuthnRequestWithoutSigPath();
+ final String metadataPath = getMetadataClassPathEntityPath();
+ final String spEntityId = metadataPath;
+
+ final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
+ initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
+ credentialProvider.getMetaDataSigningCredential());
+
+ final PvpSProfileRequest msg = new PvpSProfileRequest(
+ inputMsg.getFirst(),
+ SAMLConstants.SAML2_POST_BINDING_URI);
+ msg.setEntityID(spEntityId);
+
+ verifyEngine.verify(msg,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+
+ }
+
+ @Test
+ public void validateSamlRequestWrongSignature() throws SecurityException, Exception {
+
+ final String authnReqPath = getAuthnRequestWithoutSigPath();
+ final String metadataPath = getMetadataJunitJKeystore();
+ final String spEntityId = metadataPath;
+
+ final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
+ initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
+ credentialProvider.getMetaDataSigningCredential());
+
+ metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond());
+
+ final PvpSProfileRequest msg = new PvpSProfileRequest(
+ inputMsg.getFirst(),
+ SAMLConstants.SAML2_POST_BINDING_URI);
+ msg.setEntityID(spEntityId);
+
+ try {
+ verifyEngine.verify(msg,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+ org.junit.Assert.fail("Wrong signature not detected");
+
+ } catch (final Exception e) {
+ Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
+ org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId());
+
+ }
+ }
+
+ @Test
+ public void verifyResponseSuccessTest() throws Pvp2InternalErrorException, SecurityException, Exception {
+ metadataProvider.runGarbageCollector();
+
+ final String authnReqPath = getResponseWithoutSigPath();
+ final String metadataPath = getMetadataClassPathEntityPath();
+ final String spEntityId = metadataPath;
+
+ final Pair<Response, IPvp2MetadataProvider> inputMsg =
+ initializeResponse(spEntityId, metadataPath, authnReqPath,
+ credentialProvider.getMetaDataSigningCredential());
+
+ final PvpSProfileResponse msg = new PvpSProfileResponse(
+ inputMsg.getFirst());
+ msg.setEntityID(spEntityId);
+
+ verifyEngine.verify(msg,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+
+ }
+
+ @Test
+ public void verifyResponseSuccessSecondTest()
+ throws Pvp2InternalErrorException, SecurityException, Exception {
+
+ final String authnReqPath = getResponseWithoutSigPath();
+ final String metadataPath = getMetadataClassPathEntityPath();
+ final String spEntityId = metadataPath;
+
+ final Pair<Response, IPvp2MetadataProvider> inputMsg =
+ initializeResponse(spEntityId, metadataPath, authnReqPath,
+ credentialProvider.getMetaDataSigningCredential());
+
+ verifyEngine.verifyIdpResponse(inputMsg.getFirst(),
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+
+ }
+
+ @Test
+ public void verifySpResponse()
+ throws Pvp2InternalErrorException, SecurityException, Exception {
+
+ final String authnReqPath = getResponseWithoutSigPath();
+ final String metadataPath = getMetadataClassPathEntityPath();
+ final String spEntityId = metadataPath;
+
+ final Pair<Response, IPvp2MetadataProvider> inputMsg =
+ initializeResponse(spEntityId, metadataPath, authnReqPath,
+ credentialProvider.getMetaDataSigningCredential());
+
+ verifyEngine.verifySloResponse(inputMsg.getFirst(),
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+
+ }
+
+ @Test
+ public void verifyResponseWithoutId() throws Pvp2InternalErrorException, SecurityException, Exception {
+
+ final String authnReqPath = getResponseWithSigPath();
+ final String metadataPath = getMetadataClassPathEntityPath();
+ final String spEntityId = metadataPath;
+
+ final Pair<Response, IPvp2MetadataProvider> inputMsg =
+ initializeResponse(spEntityId, metadataPath, authnReqPath,
+ credentialProvider.getMetaDataSigningCredential());
+
+ final PvpSProfileResponse msg = new PvpSProfileResponse(
+ inputMsg.getFirst());
+ msg.setEntityID(spEntityId);
+
+ try {
+ verifyEngine.verify(msg,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+ org.junit.Assert.fail("Wrong XML schema not detected");
+
+ } catch (final Exception e) {
+ Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
+ org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.03", ((EaafException) e).getErrorId());
+
+ }
+ }
+
+ @Test
+ public void verifyResponseWrongTrust() throws Pvp2InternalErrorException, SecurityException, Exception {
+
+ final String authnReqPath = getResponseWithoutSigPath();
+ final String metadataPath = getMetadataJunitJKeystore();
+ final String spEntityId = metadataPath;
+
+ final Pair<Response, IPvp2MetadataProvider> inputMsg =
+ initializeResponse(spEntityId, metadataPath, authnReqPath,
+ credentialProvider.getMetaDataSigningCredential());
+
+ final PvpSProfileResponse msg = new PvpSProfileResponse(
+ inputMsg.getFirst());
+ msg.setEntityID(spEntityId);
+
+ try {
+ verifyEngine.verify(msg,
+ TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
+ org.junit.Assert.fail("No TrustedCert not detected");
+
+ } catch (final Exception e) {
+ Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
+ org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId());
+
+ }
+ }
+
+ protected Pair<Response, IPvp2MetadataProvider> initializeResponse(String spEntityId, String metadataPath,
+ String authnReqPath, EaafX509Credential credential)
+ throws SamlSigningException, XMLParserException, UnmarshallingException, Pvp2MetadataException {
+ final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+ metadataPath, null, "jUnit metadata resolver", null);
+
+ final Response authnReq = (Response) XMLObjectSupport.unmarshallFromInputStream(
+ XMLObjectProviderRegistrySupport.getParserPool(),
+ AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath));
+ authnReq.setIssueInstant(DateTime.now());
+ final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class);
+ issuer.setValue(spEntityId);
+ authnReq.setIssuer(issuer);
+
+ return Pair.newInstance(
+ Saml2Utils.signSamlObject(authnReq, credential, true),
+ mdResolver);
+ }
+
+ protected Pair<AuthnRequest, IPvp2MetadataProvider> initializeAuthnRequest(String spEntityId,
+ String metadataPath, String authnReqPath, EaafX509Credential credential)
+ throws SamlSigningException, CredentialsNotAvailableException,
+ XMLParserException, UnmarshallingException, Pvp2InternalErrorException, Pvp2MetadataException {
+
+ final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
+ metadataPath, null, "jUnit metadata resolver", null);
+
+ final AuthnRequest authnReq = (AuthnRequest) XMLObjectSupport.unmarshallFromInputStream(
+ XMLObjectProviderRegistrySupport.getParserPool(),
+ AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath));
+ authnReq.setIssueInstant(DateTime.now());
+ final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class);
+ issuer.setValue(spEntityId);
+ authnReq.setIssuer(issuer);
+
+ return Pair.newInstance(
+ Saml2Utils.signSamlObject(authnReq, credential, true),
+ mdResolver);
+
+ }
+
+ protected static EncryptedAssertion doEncryption(Assertion assertion,
+ X509Credential encryptionCredentials, IConfiguration authConfig)
+ throws Exception {
+ try {
+ final String keyEncAlg = Saml2Utils.getKeyOperationAlgorithmFromCredential(
+ encryptionCredentials,
+ authConfig.getBasicConfiguration(
+ PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_RSA_ALG,
+ PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA),
+ authConfig.getBasicConfiguration(
+ PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_EC_ALG,
+ PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_EC));
+
+ final DataEncryptionParameters dataEncParams = new DataEncryptionParameters();
+ dataEncParams.setAlgorithm(authConfig.getBasicConfiguration(
+ PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_DATA, PvpConstants.DEFAULT_SYM_ENCRYPTION_METHODE));
+
+ final List<KeyEncryptionParameters> keyEncParamList = new ArrayList<>();
+ final KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters();
+ keyEncParam.setEncryptionCredential(encryptionCredentials);
+ keyEncParam.setAlgorithm(keyEncAlg);
+
+ final KeyInfoGeneratorFactory kigf =
+ SecurityConfigurationSupport.getGlobalEncryptionConfiguration()
+ .getKeyTransportKeyInfoGeneratorManager().getDefaultManager().getFactory(encryptionCredentials);
+ keyEncParam.setKeyInfoGenerator(kigf.newInstance());
+ keyEncParamList.add(keyEncParam);
+
+ final Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList);
+ samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
+
+ return samlEncrypter.encrypt(assertion);
+
+ } catch (final EncryptionException | SamlSigningException e1) {
+ throw new Exception(e1);
+
+ }
+
+ }
+
+
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
index be3f9a8f..3ba4c962 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
@@ -6,6 +6,7 @@ import java.util.List;
import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException;
import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyAuthConfigMap;
import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
@@ -34,10 +35,11 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
public class CredentialProviderTest {
private static final String HSM_FACASE_HOST = "eid.a-sit.at";
- private static final String HSM_FACASE_PORT = "9000";
+ private static final String HSM_FACASE_PORT = "9050";
+ private static final String HSM_FACASE_SSL_TRUST = "src/test/resources/data/hsm_facade_trust_root.crt";
private static final String HSM_FACASE_USERNAME = "authhandler-junit";
private static final String HSM_FACASE_PASSWORD = "supersecret123";
- private static final String HSM_FACASE_SSL_TRUST = "src/test/resources/data/hsm_facade_trust_root.crt";
+ private static final String HSM_FACASE_HSM_NAME = "software";
private static final String PATH_JKS_WITH_TRUST_CERTS = "src/test/resources/data/junit.jks";
private static final String PATH_JKS_WITHOUT_TRUST_CERTS = "src/test/resources/data/junit_without_trustcerts.jks";
@@ -50,6 +52,8 @@ public class CredentialProviderTest {
private static final String PASSWORD = "password";
+ private static final String HSM_FACADE_KEY_ALIAS = "authhandler-sign";
+
@Autowired private ApplicationContext context;
@Autowired private DummyAuthConfigMap config;
@@ -61,9 +65,10 @@ public class CredentialProviderTest {
public void initialize() {
config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, HSM_FACASE_HOST);
config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, HSM_FACASE_PORT);
+ config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, HSM_FACASE_SSL_TRUST);
config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, HSM_FACASE_USERNAME);
config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, HSM_FACASE_PASSWORD);
- config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, HSM_FACASE_SSL_TRUST);
+ config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HSM_NAME, HSM_FACASE_HSM_NAME);
config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME);
@@ -505,6 +510,91 @@ public class CredentialProviderTest {
}
}
+ @Test
+ @DirtiesContext
+ public void hasFacadeMissingKeyStoreName() {
+ config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE,
+ KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType());
+ config.removeConfigValue(DummyCredentialProvider.KEYSTORE_NAME);
+
+ try {
+ context.getBean(DummyCredentialProvider.class);
+ Assert.fail("No KeyStore not detected");
+
+ } catch (final BeansException e) {
+ org.springframework.util.Assert.isInstanceOf(EaafConfigurationException.class,
+ e.getCause(), "Wrong exception");
+
+ }
+
+ }
+
+ @Test
+ @DirtiesContext
+ public void hasFacadeWrongAlias() {
+ config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE,
+ KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType());
+ config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME);
+
+ final DummyCredentialProvider credential = context.getBean(DummyCredentialProvider.class);
+
+ Assert.assertNotNull("Credetialprovider", credential);
+ Assert.assertNotNull("Friendlyname", credential.getFriendlyName());
+
+ config.putConfigValue(DummyCredentialProvider.KEY_METADATA_ALIAS,
+ RandomStringUtils.randomAlphabetic(5));
+
+ try {
+ checkCredential(credential.getMetaDataSigningCredential(),
+ PvpConstants.DEFAULT_SIGNING_METHODE_RSA,
+ PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA);
+ Assert.fail("Wrong 'alias' not detected");
+
+ } catch (final CredentialsNotAvailableException e) {
+ Assert.assertEquals("Wrong errorCode", "internal.pvp.01", e.getErrorId());
+
+ }
+
+ }
+
+ @Test
+ @DirtiesContext
+ public void validConfigurationHsmFacade() throws CredentialsNotAvailableException {
+
+ config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE,
+ KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType());
+ config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME);
+
+ final DummyCredentialProvider credential = context.getBean(DummyCredentialProvider.class);
+
+ Assert.assertNotNull("Credetialprovider", credential);
+ Assert.assertNotNull("Friendlyname", credential.getFriendlyName());
+
+ config.putConfigValue(DummyCredentialProvider.KEY_METADATA_ALIAS,
+ HSM_FACADE_KEY_ALIAS);
+ config.putConfigValue(DummyCredentialProvider.KEY_METADATA_PASSWORD,
+ PASSWORD);
+
+
+ checkCredential(credential.getMetaDataSigningCredential(),
+ PvpConstants.DEFAULT_SIGNING_METHODE_RSA,
+ PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA);
+
+ config.putConfigValue(DummyCredentialProvider.KEY_SIGNING_ALIAS,
+ HSM_FACADE_KEY_ALIAS);
+
+ checkCredential(credential.getMessageSigningCredential(),
+ PvpConstants.DEFAULT_SIGNING_METHODE_RSA,
+ PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA);
+
+
+ final List<X509Certificate> trustCerts = credential.getTrustedCertificates();
+ Assert.assertNotNull("TrustCerts are null", trustCerts);
+ Assert.assertTrue("TrustCerts not empty", trustCerts.isEmpty());
+
+ }
+
+
private void checkCredential(EaafX509Credential metaDataSigningCredential, String sigAlg, String keyEncAlg) {
Assert.assertNotNull("No metadata signing credentials", metaDataSigningCredential);
Assert.assertNotNull("SigAlg is null",
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java
index 66e87537..bc0084f7 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java
@@ -1,53 +1,33 @@
package at.gv.egiz.eaaf.modules.pvp2.test;
-import java.util.ArrayList;
-import java.util.List;
-
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException;
import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException;
import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption;
import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
-import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory;
-import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine;
import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider;
import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider;
import org.joda.time.DateTime;
-import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.EncryptedAssertion;
-import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusCode;
-import org.opensaml.saml.saml2.encryption.Encrypter;
-import org.opensaml.saml.saml2.encryption.Encrypter.KeyPlacement;
-import org.opensaml.security.x509.X509Credential;
-import org.opensaml.xmlsec.SecurityConfigurationSupport;
-import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters;
-import org.opensaml.xmlsec.encryption.support.EncryptionException;
-import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters;
-import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorFactory;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
@@ -62,11 +42,9 @@ import net.shibboleth.utilities.java.support.xml.XMLParserException;
@ContextConfiguration({ "/spring/test_eaaf_pvp.beans.xml",
"/spring/test_eaaf_core_spring_config.beans.xml" })
@TestPropertySource(locations = { "/config/config_1.props" })
-public class SamlVerificationEngineTest {
+public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine {
@Autowired
- private PvpMetadataResolverFactory metadataResolverFactory;
- @Autowired
private SamlVerificationEngine verifyEngine;
@Autowired
private DummyCredentialProvider credentialProvider;
@@ -74,103 +52,38 @@ public class SamlVerificationEngineTest {
@Autowired DummyMetadataProvider metadataProvider;
@Autowired IConfiguration authConfig;
- /**
- * JUnit class initializer.
- *
- * @throws Exception In case of an OpenSAML3 initialization error
- */
- @BeforeClass
- public static void classInitializer() throws Exception {
- EaafOpenSaml3xInitializer.eaafInitialize();
+ @Override
+ protected String getMetadataClassPathEntityPath() {
+ return "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
}
- @Test
- public void validateSamlRequestSuccess() throws SecurityException, Exception {
-
- final String authnReqPath = "/data/AuthRequest_without_sig_1.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
- final String spEntityId = metadataPath;
-
- final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
- initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
- credentialProvider.getMetaDataSigningCredential());
-
- final PvpSProfileRequest msg = new PvpSProfileRequest(
- inputMsg.getFirst(),
- SAMLConstants.SAML2_POST_BINDING_URI);
- msg.setEntityID(spEntityId);
-
- verifyEngine.verify(msg,
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-
+ @Override
+ protected String getMetadataJunitJKeystore() {
+ return "classpath:/data/pvp_metadata_junit_keystore.xml";
}
- @Test
- public void validateSamlRequestWrongSignature() throws SecurityException, Exception {
-
- final String authnReqPath = "/data/AuthRequest_without_sig_1.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
- final String spEntityId = metadataPath;
-
- final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
- initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
- credentialProvider.getMetaDataSigningCredential());
-
- metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond());
-
- final PvpSProfileRequest msg = new PvpSProfileRequest(
- inputMsg.getFirst(),
- SAMLConstants.SAML2_POST_BINDING_URI);
- msg.setEntityID(spEntityId);
-
- try {
- verifyEngine.verify(msg,
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
- org.junit.Assert.fail("Wrong signature not detected");
-
- } catch (final Exception e) {
- Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
- org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId());
+ @Override
+ protected String getAuthnRequestWithoutSigPath() {
+ return "/data/AuthRequest_without_sig_1.xml";
- }
}
- @Test
- public void validateSamlInvalidRequest() throws SecurityException, Exception {
-
- final String authnReqPath = "/data/AuthRequest_without_sig_missing_id.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
- final String spEntityId = metadataPath;
-
- final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
- initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
- credentialProvider.getMetaDataSigningCredential());
-
- metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond());
-
- final PvpSProfileRequest msg = new PvpSProfileRequest(
- inputMsg.getFirst(),
- SAMLConstants.SAML2_POST_BINDING_URI);
- msg.setEntityID(spEntityId);
-
- try {
- verifyEngine.verify(msg,
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
- org.junit.Assert.fail("invalid request not detected");
-
- } catch (final Exception e) {
- Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
- org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.03", ((EaafException) e).getErrorId());
+ @Override
+ protected String getResponseWithSigPath() {
+ return "/data/Response_with_sig_1.xml";
+ }
- }
+ @Override
+ protected String getResponseWithoutSigPath() {
+ return "/data/Response_without_sig_1.xml";
}
@Test
public void validateSamlRequestWrongSignatureAlg() throws SecurityException, Exception {
- final String authnReqPath = "/data/AuthRequest_without_sig_1.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String authnReqPath = getAuthnRequestWithoutSigPath();
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = metadataPath;
metadataProvider.runGarbageCollector();
@@ -199,79 +112,27 @@ public class SamlVerificationEngineTest {
}
@Test
- public void verifyResponseSuccessTest() throws Pvp2InternalErrorException, SecurityException, Exception {
- metadataProvider.runGarbageCollector();
-
- final String authnReqPath = "/data/Response_without_sig_1.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
- final String spEntityId = metadataPath;
-
- final Pair<Response, IPvp2MetadataProvider> inputMsg =
- initializeResponse(spEntityId, metadataPath, authnReqPath,
- credentialProvider.getMetaDataSigningCredential());
-
- final PvpSProfileResponse msg = new PvpSProfileResponse(
- inputMsg.getFirst());
- msg.setEntityID(spEntityId);
-
- verifyEngine.verify(msg,
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-
- }
-
- @Test
- public void verifyResponseSuccessSecondTest()
- throws Pvp2InternalErrorException, SecurityException, Exception {
-
- final String authnReqPath = "/data/Response_without_sig_1.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
- final String spEntityId = metadataPath;
-
- final Pair<Response, IPvp2MetadataProvider> inputMsg =
- initializeResponse(spEntityId, metadataPath, authnReqPath,
- credentialProvider.getMetaDataSigningCredential());
-
- verifyEngine.verifyIdpResponse(inputMsg.getFirst(),
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-
- }
-
- @Test
- public void verifySpResponse()
- throws Pvp2InternalErrorException, SecurityException, Exception {
+ public void validateSamlInvalidRequest() throws SecurityException, Exception {
- final String authnReqPath = "/data/Response_without_sig_1.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
+ final String authnReqPath = "/data/AuthRequest_without_sig_missing_id.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = metadataPath;
- final Pair<Response, IPvp2MetadataProvider> inputMsg =
- initializeResponse(spEntityId, metadataPath, authnReqPath,
+ final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg =
+ initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
credentialProvider.getMetaDataSigningCredential());
- verifyEngine.verifySloResponse(inputMsg.getFirst(),
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
-
- }
-
- @Test
- public void verifyResponseWithoutId() throws Pvp2InternalErrorException, SecurityException, Exception {
-
- final String authnReqPath = "/data/Response_with_sig_1.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
- final String spEntityId = metadataPath;
-
- final Pair<Response, IPvp2MetadataProvider> inputMsg =
- initializeResponse(spEntityId, metadataPath, authnReqPath,
- credentialProvider.getMetaDataSigningCredential());
+ metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond());
- final PvpSProfileResponse msg = new PvpSProfileResponse(
- inputMsg.getFirst());
+ final PvpSProfileRequest msg = new PvpSProfileRequest(
+ inputMsg.getFirst(),
+ SAMLConstants.SAML2_POST_BINDING_URI);
msg.setEntityID(spEntityId);
try {
verifyEngine.verify(msg,
TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
- org.junit.Assert.fail("Wrong XML schema not detected");
+ org.junit.Assert.fail("invalid request not detected");
} catch (final Exception e) {
Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
@@ -281,37 +142,10 @@ public class SamlVerificationEngineTest {
}
@Test
- public void verifyResponseWrongTrust() throws Pvp2InternalErrorException, SecurityException, Exception {
-
- final String authnReqPath = "/data/Response_without_sig_1.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
- final String spEntityId = metadataPath;
-
- final Pair<Response, IPvp2MetadataProvider> inputMsg =
- initializeResponse(spEntityId, metadataPath, authnReqPath,
- credentialProvider.getMetaDataSigningCredential());
-
- final PvpSProfileResponse msg = new PvpSProfileResponse(
- inputMsg.getFirst());
- msg.setEntityID(spEntityId);
-
- try {
- verifyEngine.verify(msg,
- TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider));
- org.junit.Assert.fail("No TrustedCert not detected");
-
- } catch (final Exception e) {
- Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType");
- org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId());
-
- }
- }
-
- @Test
public void verifyAssertionSucessNotEncrypted() throws SamlSigningException, Pvp2MetadataException,
CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -328,7 +162,7 @@ public class SamlVerificationEngineTest {
public void verifyAssertionWrongAudiency() throws SamlSigningException, Pvp2MetadataException,
CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -349,7 +183,7 @@ public class SamlVerificationEngineTest {
public void verifyAssertionWrongStatusCode() throws SamlSigningException, Pvp2MetadataException,
CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -374,7 +208,7 @@ public class SamlVerificationEngineTest {
public void verifyAssertionWrongIssueInstant() throws SamlSigningException, Pvp2MetadataException,
CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -399,7 +233,7 @@ public class SamlVerificationEngineTest {
public void verifyAssertionNoContitions() throws SamlSigningException, Pvp2MetadataException,
CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -424,7 +258,7 @@ public class SamlVerificationEngineTest {
public void verifyAssertionWrongContitions() throws SamlSigningException, Pvp2MetadataException,
CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -448,7 +282,7 @@ public class SamlVerificationEngineTest {
public void verifyAssertionWrongContitionsAudienceRestrictions() throws SamlSigningException, Pvp2MetadataException,
CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -475,7 +309,7 @@ public class SamlVerificationEngineTest {
public void verifyAssertionWrongContitionsNotBefore() throws SamlSigningException, Pvp2MetadataException,
CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -501,7 +335,7 @@ public class SamlVerificationEngineTest {
public void verifyAssertionWrongContitionsNotOnOrAfter() throws SamlSigningException, Pvp2MetadataException,
CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -527,7 +361,7 @@ public class SamlVerificationEngineTest {
public void verifyAssertionValidContitions() throws SamlSigningException, Pvp2MetadataException,
CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -548,7 +382,7 @@ public class SamlVerificationEngineTest {
public void verifyEncAssertionWrongKey() throws SamlSigningException, Pvp2MetadataException,
CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption {
final String authnReqPath = "/data/Asserion_enc_no_key.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://eid.a-sit.at/Shibboleth.sso/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -569,7 +403,7 @@ public class SamlVerificationEngineTest {
@Test
public void verifyEncAssertion() throws Exception {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -602,7 +436,7 @@ public class SamlVerificationEngineTest {
@Test
public void verifyEncAssertionWrongSchema() throws Exception {
final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml";
- final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml";
+ final String metadataPath = getMetadataJunitJKeystore();
final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/";
final Pair<Response, IPvp2MetadataProvider> inputMsg =
@@ -636,85 +470,4 @@ public class SamlVerificationEngineTest {
}
- private Pair<Response, IPvp2MetadataProvider> initializeResponse(String spEntityId, String metadataPath,
- String authnReqPath, EaafX509Credential credential)
- throws SamlSigningException, XMLParserException, UnmarshallingException, Pvp2MetadataException {
- final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
- metadataPath, null, "jUnit metadata resolver", null);
-
- final Response authnReq = (Response) XMLObjectSupport.unmarshallFromInputStream(
- XMLObjectProviderRegistrySupport.getParserPool(),
- SamlVerificationEngineTest.class.getResourceAsStream(authnReqPath));
- authnReq.setIssueInstant(DateTime.now());
- final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class);
- issuer.setValue(spEntityId);
- authnReq.setIssuer(issuer);
-
- return Pair.newInstance(
- Saml2Utils.signSamlObject(authnReq, credential, true),
- mdResolver);
- }
-
- private Pair<AuthnRequest, IPvp2MetadataProvider> initializeAuthnRequest(String spEntityId,
- String metadataPath, String authnReqPath, EaafX509Credential credential)
- throws SamlSigningException, CredentialsNotAvailableException,
- XMLParserException, UnmarshallingException, Pvp2InternalErrorException, Pvp2MetadataException {
-
- final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider(
- metadataPath, null, "jUnit metadata resolver", null);
-
- final AuthnRequest authnReq = (AuthnRequest) XMLObjectSupport.unmarshallFromInputStream(
- XMLObjectProviderRegistrySupport.getParserPool(),
- SamlVerificationEngineTest.class.getResourceAsStream(authnReqPath));
- authnReq.setIssueInstant(DateTime.now());
- final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class);
- issuer.setValue(spEntityId);
- authnReq.setIssuer(issuer);
-
- return Pair.newInstance(
- Saml2Utils.signSamlObject(authnReq, credential, true),
- mdResolver);
-
- }
-
- private static EncryptedAssertion doEncryption(Assertion assertion,
- X509Credential encryptionCredentials, IConfiguration authConfig)
- throws Exception {
- try {
- final String keyEncAlg = Saml2Utils.getKeyOperationAlgorithmFromCredential(
- encryptionCredentials,
- authConfig.getBasicConfiguration(
- PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_RSA_ALG,
- PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA),
- authConfig.getBasicConfiguration(
- PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_EC_ALG,
- PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_EC));
-
- final DataEncryptionParameters dataEncParams = new DataEncryptionParameters();
- dataEncParams.setAlgorithm(authConfig.getBasicConfiguration(
- PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_DATA, PvpConstants.DEFAULT_SYM_ENCRYPTION_METHODE));
-
- final List<KeyEncryptionParameters> keyEncParamList = new ArrayList<>();
- final KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters();
- keyEncParam.setEncryptionCredential(encryptionCredentials);
- keyEncParam.setAlgorithm(keyEncAlg);
-
- final KeyInfoGeneratorFactory kigf =
- SecurityConfigurationSupport.getGlobalEncryptionConfiguration()
- .getKeyTransportKeyInfoGeneratorManager().getDefaultManager().getFactory(encryptionCredentials);
- keyEncParam.setKeyInfoGenerator(kigf.newInstance());
- keyEncParamList.add(keyEncParam);
-
- final Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList);
- samlEncrypter.setKeyPlacement(KeyPlacement.PEER);
-
- return samlEncrypter.encrypt(assertion);
-
- } catch (final EncryptionException | SamlSigningException e1) {
- throw new Exception(e1);
-
- }
-
- }
-
}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java
new file mode 100644
index 00000000..95f63003
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java
@@ -0,0 +1,69 @@
+package at.gv.egiz.eaaf.modules.pvp2.test;
+
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration({ "/spring/test_eaaf_pvp.beans.xml",
+ "/spring/test_eaaf_core_spring_config.beans.xml" })
+@TestPropertySource(locations = { "/config/config_3.props" })
+public class SamlVerificationEngineWithHsmFacadeTest extends AbstractSamlVerificationEngine {
+
+ @Override
+ protected String getMetadataClassPathEntityPath() {
+ return "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
+
+ }
+
+ @Override
+ protected String getMetadataJunitJKeystore() {
+ return "classpath:/data/pvp_metadata_junit_keystore.xml";
+ }
+
+ @Override
+ protected String getAuthnRequestWithoutSigPath() {
+ return "/data/AuthRequest_without_sig_1.xml";
+
+ }
+
+ @Override
+ protected String getResponseWithSigPath() {
+ return "/data/Response_with_sig_1.xml";
+ }
+
+ @Override
+ protected String getResponseWithoutSigPath() {
+ return "/data/Response_without_sig_1.xml";
+ }
+
+ @Test
+ public void validateSamlRequestWrongSignatureAlg() throws SecurityException, Exception {
+
+ final String authnReqPath = getAuthnRequestWithoutSigPath();
+ final String metadataPath = getMetadataJunitJKeystore();
+ final String spEntityId = metadataPath;
+
+ metadataProvider.runGarbageCollector();
+
+ final EaafX509Credential cred = credentialProvider.getMetaDataSigningCredential();
+ cred.setSignatureAlgorithmForSigning(SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5);
+ try {
+ initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
+ cred);
+ org.junit.Assert.fail("Wrong SigAlg not detected");
+
+ } catch (final SamlSigningException e) {
+ org.junit.Assert.assertEquals("Wrong errorCode", "internal.pvp.96", e.getErrorId());
+
+ }
+ }
+
+
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props
index 164b8807..6177b738 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props
@@ -1,3 +1,10 @@
+security.hsmfacade.host=eid.a-sit.at
+security.hsmfacade.port=9050
+security.hsmfacade.trustedsslcert=src/test/resources/data/hsm_facade_trust_root.crt
+security.hsmfacade.username=authhandler-junit
+security.hsmfacade.password=supersecret123
+security.hsmfacade.hsmname=software
+
keystore.path=classpath:/data/junit.jks
keystore.pass=password
key.metadata.alias=meta
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props
new file mode 100644
index 00000000..abc8f591
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props
@@ -0,0 +1,18 @@
+security.hsmfacade.host=eid.a-sit.at
+security.hsmfacade.port=9050
+security.hsmfacade.trustedsslcert=src/test/resources/data/hsm_facade_trust_root.crt
+security.hsmfacade.username=authhandler-junit
+security.hsmfacade.password=supersecret123
+security.hsmfacade.hsmname=software
+
+keystore.type=hsmfacade
+keystore.name=authhandler
+key.metadata.alias=authhandler-sign
+key.sig.alias=authhandler-sign
+key.sig.pass=password
+key.enc.alias=
+key.enc.pass=
+
+client.http.connection.timeout.socket=2
+client.http.connection.timeout.connection=2
+client.http.connection.timeout.request=2 \ No newline at end of file
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml
index cfc334a6..67eed2ac 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml
@@ -66,6 +66,22 @@ SM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIh
ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L
</ds:X509Certificate>
</ds:X509Data>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDEzCCArqgAwIBAgIIHL62SBANl8QwCgYIKoZIzj0EAwIwIzEhMB8GA1UEAwwYS2V5c3RvcmVC
+YWNrZWRQa2lTZXJ2aWNlMB4XDTIwMDIxNzEyMzMxNloXDTIwMDUxNzExMzMxNlowMjEdMBsGA1UE
+AwwUaW50LWF1dGhoYW5kbGVyLXNpZ24xETAPBgNVBAoMCHNvZnR3YXJlMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAtVRK3ocL1aqCO+Q0OELikVbEU6tOsXGg1HCWr07YdTsu/qoRCVrB
+THF6xqgtFjBVGWkg5kFS7853Lg3peSO1K63RzXWldcgUUM8o9zTybbBI74eXcK8pug1LLAkytQ1i
+I6w166am8eoG/vTrc+TIFCDm+pyzmGcl5K8c8Gnm0k41vsMViEFgy6Oq9glts8eEUCOF3ZnL8rIv
+w4hjrGsQ+8iZPZEEuMj+rZ2iLI9bjWv6xmNKWTLSO9dm7d2kTNGLQST0XFJkmFDXjQ1jXApXkGlp
+i8igWCX3CU8jSuPLdCQ4VU/Pqr/J4uzBWBsv01vs4aqyLVZTGs23xUjJ+9I9fmn1VIfhuh6zGHq+
+jfjBfD6FhndNoPiMEpJT34h39rtF14GOlhb/I1OGjxIyMQGvT7up7p3AlPC7Lz2ylWrVWojR/cAE
+umzS6zWgRW9zmVIgC7j48EmMjkapyUWVBR7FkfdodedzSPNETRdWXr7WulSBjjj82AWmwuoDrSZd
+330g7FUZHd0D1JFUkLXOgZ1SmyFXds7fTiJGzk4XdYiS8MD07pokNDhZ7FHFGSoTHB8u4fvG2r0u
+6tvLRBRkv/3wzDcTcPbEa9Z1JQ3Qh+/aJQmaQMMnE9m4msW4GqTGBoshss8FW1EvUi7JAh4EvXJJ
+bhNQmfwU5wBD6WbPsURo7i0CAwEAATAKBggqhkjOPQQDAgNHADBEAiAyb9SMaC7U/HY//YcfjcR0
+j0/DL+9ckFNMvdw0IUq3yAIgEtWkYQrh5Oog7DmVJv0z/C1qPzcjfzDwJI4AlF7IfO4=</ds:X509Certificate>
+ </ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/post"/>
@@ -145,6 +161,22 @@ SM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIh
ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L
</ds:X509Certificate>
</ds:X509Data>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDEzCCArqgAwIBAgIIHL62SBANl8QwCgYIKoZIzj0EAwIwIzEhMB8GA1UEAwwYS2V5c3RvcmVC
+YWNrZWRQa2lTZXJ2aWNlMB4XDTIwMDIxNzEyMzMxNloXDTIwMDUxNzExMzMxNlowMjEdMBsGA1UE
+AwwUaW50LWF1dGhoYW5kbGVyLXNpZ24xETAPBgNVBAoMCHNvZnR3YXJlMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAtVRK3ocL1aqCO+Q0OELikVbEU6tOsXGg1HCWr07YdTsu/qoRCVrB
+THF6xqgtFjBVGWkg5kFS7853Lg3peSO1K63RzXWldcgUUM8o9zTybbBI74eXcK8pug1LLAkytQ1i
+I6w166am8eoG/vTrc+TIFCDm+pyzmGcl5K8c8Gnm0k41vsMViEFgy6Oq9glts8eEUCOF3ZnL8rIv
+w4hjrGsQ+8iZPZEEuMj+rZ2iLI9bjWv6xmNKWTLSO9dm7d2kTNGLQST0XFJkmFDXjQ1jXApXkGlp
+i8igWCX3CU8jSuPLdCQ4VU/Pqr/J4uzBWBsv01vs4aqyLVZTGs23xUjJ+9I9fmn1VIfhuh6zGHq+
+jfjBfD6FhndNoPiMEpJT34h39rtF14GOlhb/I1OGjxIyMQGvT7up7p3AlPC7Lz2ylWrVWojR/cAE
+umzS6zWgRW9zmVIgC7j48EmMjkapyUWVBR7FkfdodedzSPNETRdWXr7WulSBjjj82AWmwuoDrSZd
+330g7FUZHd0D1JFUkLXOgZ1SmyFXds7fTiJGzk4XdYiS8MD07pokNDhZ7FHFGSoTHB8u4fvG2r0u
+6tvLRBRkv/3wzDcTcPbEa9Z1JQ3Qh+/aJQmaQMMnE9m4msW4GqTGBoshss8FW1EvUi7JAh4EvXJJ
+bhNQmfwU5wBD6WbPsURo7i0CAwEAATAKBggqhkjOPQQDAgNHADBEAiAyb9SMaC7U/HY//YcfjcR0
+j0/DL+9ckFNMvdw0IUq3yAIgEtWkYQrh5Oog7DmVJv0z/C1qPzcjfzDwJI4AlF7IfO4=</ds:X509Certificate>
+ </ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">