Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src')
7 files changed, 589 insertions, 292 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java
new file mode 100644
index 00000000..d5186857
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java
@@ -0,0 +1,328 @@ +package at.gv.egiz.eaaf.modules.pvp2.test; + +import java.util.ArrayList; +import java.util.List; + +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider; + +import org.joda.time.DateTime; +import org.junit.BeforeClass; +import org.junit.Test; +import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; +import org.opensaml.core.xml.io.UnmarshallingException; +import org.opensaml.core.xml.util.XMLObjectSupport; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.core.Assertion; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.EncryptedAssertion; +import 
org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.encryption.Encrypter; +import org.opensaml.saml.saml2.encryption.Encrypter.KeyPlacement; +import org.opensaml.security.x509.X509Credential; +import org.opensaml.xmlsec.SecurityConfigurationSupport; +import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters; +import org.opensaml.xmlsec.encryption.support.EncryptionException; +import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters; +import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.util.Assert; + +import net.shibboleth.utilities.java.support.xml.XMLParserException; + + +public abstract class AbstractSamlVerificationEngine { + + @Autowired + private PvpMetadataResolverFactory metadataResolverFactory; + @Autowired + private SamlVerificationEngine verifyEngine; + @Autowired + protected DummyCredentialProvider credentialProvider; + + @Autowired DummyMetadataProvider metadataProvider; + @Autowired IConfiguration authConfig; + + /** + * JUnit class initializer. 
+ * + * @throws Exception In case of an OpenSAML3 initialization error + */ + @BeforeClass + public static void classInitializer() throws Exception { + EaafOpenSaml3xInitializer.eaafInitialize(); + + } + protected abstract String getMetadataJunitJKeystore(); + + protected abstract String getMetadataClassPathEntityPath(); + + protected abstract String getAuthnRequestWithoutSigPath(); + + protected abstract String getResponseWithSigPath(); + + protected abstract String getResponseWithoutSigPath(); + + + @Test + public void validateSamlRequestSuccess() throws SecurityException, Exception { + + final String authnReqPath = getAuthnRequestWithoutSigPath(); + final String metadataPath = getMetadataClassPathEntityPath(); + final String spEntityId = metadataPath; + + final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = + initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + final PvpSProfileRequest msg = new PvpSProfileRequest( + inputMsg.getFirst(), + SAMLConstants.SAML2_POST_BINDING_URI); + msg.setEntityID(spEntityId); + + verifyEngine.verify(msg, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + + } + + @Test + public void validateSamlRequestWrongSignature() throws SecurityException, Exception { + + final String authnReqPath = getAuthnRequestWithoutSigPath(); + final String metadataPath = getMetadataJunitJKeystore(); + final String spEntityId = metadataPath; + + final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = + initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond()); + + final PvpSProfileRequest msg = new PvpSProfileRequest( + inputMsg.getFirst(), + SAMLConstants.SAML2_POST_BINDING_URI); + msg.setEntityID(spEntityId); + + try { + verifyEngine.verify(msg, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + 
org.junit.Assert.fail("Wrong signature not detected"); + + } catch (final Exception e) { + Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); + org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId()); + + } + } + + @Test + public void verifyResponseSuccessTest() throws Pvp2InternalErrorException, SecurityException, Exception { + metadataProvider.runGarbageCollector(); + + final String authnReqPath = getResponseWithoutSigPath(); + final String metadataPath = getMetadataClassPathEntityPath(); + final String spEntityId = metadataPath; + + final Pair<Response, IPvp2MetadataProvider> inputMsg = + initializeResponse(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + final PvpSProfileResponse msg = new PvpSProfileResponse( + inputMsg.getFirst()); + msg.setEntityID(spEntityId); + + verifyEngine.verify(msg, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + + } + + @Test + public void verifyResponseSuccessSecondTest() + throws Pvp2InternalErrorException, SecurityException, Exception { + + final String authnReqPath = getResponseWithoutSigPath(); + final String metadataPath = getMetadataClassPathEntityPath(); + final String spEntityId = metadataPath; + + final Pair<Response, IPvp2MetadataProvider> inputMsg = + initializeResponse(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + verifyEngine.verifyIdpResponse(inputMsg.getFirst(), + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + + } + + @Test + public void verifySpResponse() + throws Pvp2InternalErrorException, SecurityException, Exception { + + final String authnReqPath = getResponseWithoutSigPath(); + final String metadataPath = getMetadataClassPathEntityPath(); + final String spEntityId = metadataPath; + + final Pair<Response, IPvp2MetadataProvider> inputMsg = + initializeResponse(spEntityId, 
metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + verifyEngine.verifySloResponse(inputMsg.getFirst(), + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + + } + + @Test + public void verifyResponseWithoutId() throws Pvp2InternalErrorException, SecurityException, Exception { + + final String authnReqPath = getResponseWithSigPath(); + final String metadataPath = getMetadataClassPathEntityPath(); + final String spEntityId = metadataPath; + + final Pair<Response, IPvp2MetadataProvider> inputMsg = + initializeResponse(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + final PvpSProfileResponse msg = new PvpSProfileResponse( + inputMsg.getFirst()); + msg.setEntityID(spEntityId); + + try { + verifyEngine.verify(msg, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + org.junit.Assert.fail("Wrong XML schema not detected"); + + } catch (final Exception e) { + Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); + org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.03", ((EaafException) e).getErrorId()); + + } + } + + @Test + public void verifyResponseWrongTrust() throws Pvp2InternalErrorException, SecurityException, Exception { + + final String authnReqPath = getResponseWithoutSigPath(); + final String metadataPath = getMetadataJunitJKeystore(); + final String spEntityId = metadataPath; + + final Pair<Response, IPvp2MetadataProvider> inputMsg = + initializeResponse(spEntityId, metadataPath, authnReqPath, + credentialProvider.getMetaDataSigningCredential()); + + final PvpSProfileResponse msg = new PvpSProfileResponse( + inputMsg.getFirst()); + msg.setEntityID(spEntityId); + + try { + verifyEngine.verify(msg, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); + org.junit.Assert.fail("No TrustedCert not detected"); + + } catch (final Exception e) { + 
Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); + org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId()); + + } + } + + protected Pair<Response, IPvp2MetadataProvider> initializeResponse(String spEntityId, String metadataPath, + String authnReqPath, EaafX509Credential credential) + throws SamlSigningException, XMLParserException, UnmarshallingException, Pvp2MetadataException { + final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider( + metadataPath, null, "jUnit metadata resolver", null); + + final Response authnReq = (Response) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)); + authnReq.setIssueInstant(DateTime.now()); + final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); + issuer.setValue(spEntityId); + authnReq.setIssuer(issuer); + + return Pair.newInstance( + Saml2Utils.signSamlObject(authnReq, credential, true), + mdResolver); + } + + protected Pair<AuthnRequest, IPvp2MetadataProvider> initializeAuthnRequest(String spEntityId, + String metadataPath, String authnReqPath, EaafX509Credential credential) + throws SamlSigningException, CredentialsNotAvailableException, + XMLParserException, UnmarshallingException, Pvp2InternalErrorException, Pvp2MetadataException { + + final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider( + metadataPath, null, "jUnit metadata resolver", null); + + final AuthnRequest authnReq = (AuthnRequest) XMLObjectSupport.unmarshallFromInputStream( + XMLObjectProviderRegistrySupport.getParserPool(), + AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)); + authnReq.setIssueInstant(DateTime.now()); + final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); + issuer.setValue(spEntityId); + authnReq.setIssuer(issuer); + + return 
Pair.newInstance( + Saml2Utils.signSamlObject(authnReq, credential, true), + mdResolver); + + } + + protected static EncryptedAssertion doEncryption(Assertion assertion, + X509Credential encryptionCredentials, IConfiguration authConfig) + throws Exception { + try { + final String keyEncAlg = Saml2Utils.getKeyOperationAlgorithmFromCredential( + encryptionCredentials, + authConfig.getBasicConfiguration( + PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_RSA_ALG, + PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA), + authConfig.getBasicConfiguration( + PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_EC_ALG, + PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_EC)); + + final DataEncryptionParameters dataEncParams = new DataEncryptionParameters(); + dataEncParams.setAlgorithm(authConfig.getBasicConfiguration( + PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_DATA, PvpConstants.DEFAULT_SYM_ENCRYPTION_METHODE)); + + final List<KeyEncryptionParameters> keyEncParamList = new ArrayList<>(); + final KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); + keyEncParam.setEncryptionCredential(encryptionCredentials); + keyEncParam.setAlgorithm(keyEncAlg); + + final KeyInfoGeneratorFactory kigf = + SecurityConfigurationSupport.getGlobalEncryptionConfiguration() + .getKeyTransportKeyInfoGeneratorManager().getDefaultManager().getFactory(encryptionCredentials); + keyEncParam.setKeyInfoGenerator(kigf.newInstance()); + keyEncParamList.add(keyEncParam); + + final Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); + samlEncrypter.setKeyPlacement(KeyPlacement.PEER); + + return samlEncrypter.encrypt(assertion); + + } catch (final EncryptionException | SamlSigningException e1) { + throw new Exception(e1); + + } + + } + + +} 
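Review bot: Both `initializeResponse` and `initializeAuthnRequest` hand `AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)` straight to `XMLObjectSupport.unmarshallFromInputStream`, so a mistyped path returned by a subclass getter surfaces as a NullPointerException inside OpenSAML instead of a message naming the missing fixture, and the stream is never closed by this code (whether the OpenSAML helper closes it is not visible here). Wrapping the call as `try (InputStream in = Objects.requireNonNull(AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath), "missing test resource " + authnReqPath)) { ... }` in both helpers fixes both, at the cost of importing `java.io.InputStream` and `java.util.Objects`. The five abstract path getters carry no Javadoc; a one-liner on each, e.g. `/** Classpath path of an unsigned AuthnRequest fixture; it is signed by initializeAuthnRequest(). */`, would tell subclass authors which fixture shape each one expects. In `doEncryption`, `throw new Exception(e1)` erases the failure type; declaring `EncryptionException` and `SamlSigningException` in the signature, or wrapping in one of the module's own exception types, keeps a caller's catch blocks meaningful.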
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
index be3f9a8f..3ba4c962 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/CredentialProviderTest.java
@@ -6,6 +6,7 @@ import java.util.List;
 import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
 import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException;
 import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
 import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyAuthConfigMap;
 import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
 import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
@@ -34,10 +35,11 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 public class CredentialProviderTest {
 private static final String HSM_FACASE_HOST = "eid.a-sit.at";
- private static final String HSM_FACASE_PORT = "9000";
+ private static final String HSM_FACASE_PORT = "9050";
+ private static final String HSM_FACASE_SSL_TRUST = "src/test/resources/data/hsm_facade_trust_root.crt";
 private static final String HSM_FACASE_USERNAME = "authhandler-junit";
 private static final String HSM_FACASE_PASSWORD = "supersecret123";
- private static final String HSM_FACASE_SSL_TRUST = "src/test/resources/data/hsm_facade_trust_root.crt";
+ private static final String HSM_FACASE_HSM_NAME = "software";
 private static final String PATH_JKS_WITH_TRUST_CERTS = "src/test/resources/data/junit.jks";
 private static final String PATH_JKS_WITHOUT_TRUST_CERTS = "src/test/resources/data/junit_without_trustcerts.jks";
@@ -50,6 +52,8 @@ public class CredentialProviderTest { private static final String PASSWORD = "password"; + private static final String HSM_FACADE_KEY_ALIAS = "authhandler-sign"; + @Autowired private ApplicationContext context; @Autowired private DummyAuthConfigMap config; @@ -61,9 +65,10 @@ public class CredentialProviderTest { public void initialize() { config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, HSM_FACASE_HOST); config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, HSM_FACASE_PORT); + config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, HSM_FACASE_SSL_TRUST); config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, HSM_FACASE_USERNAME); config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, HSM_FACASE_PASSWORD); - config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, HSM_FACASE_SSL_TRUST); + config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HSM_NAME, HSM_FACASE_HSM_NAME); config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME); 
@@ -505,6 +510,91 @@ public class CredentialProviderTest { } } + @Test + @DirtiesContext + public void hasFacadeMissingKeyStoreName() { + config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE, + KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType()); + config.removeConfigValue(DummyCredentialProvider.KEYSTORE_NAME); + + try { + context.getBean(DummyCredentialProvider.class); + Assert.fail("No KeyStore not detected"); + + } catch (final BeansException e) { + org.springframework.util.Assert.isInstanceOf(EaafConfigurationException.class, + e.getCause(), "Wrong exception"); + + } + + } + + @Test + @DirtiesContext + public void hasFacadeWrongAlias() { + config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE, + KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType()); + config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME); + + final DummyCredentialProvider credential = context.getBean(DummyCredentialProvider.class); + + Assert.assertNotNull("Credetialprovider", credential); + Assert.assertNotNull("Friendlyname", credential.getFriendlyName()); + + config.putConfigValue(DummyCredentialProvider.KEY_METADATA_ALIAS, + RandomStringUtils.randomAlphabetic(5)); + + try { + checkCredential(credential.getMetaDataSigningCredential(), + PvpConstants.DEFAULT_SIGNING_METHODE_RSA, + PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA); + Assert.fail("Wrong 'alias' not detected"); + + } catch (final CredentialsNotAvailableException e) { + Assert.assertEquals("Wrong errorCode", "internal.pvp.01", e.getErrorId()); + + } + + } + + @Test + @DirtiesContext + public void validConfigurationHsmFacade() throws CredentialsNotAvailableException { + + config.putConfigValue(DummyCredentialProvider.KEYSTORE_TYPE, + KeyStoreConfiguration.KeyStoreType.HSMFACADE.getKeyStoreType()); + config.putConfigValue(DummyCredentialProvider.KEYSTORE_NAME, HSM_FACASE_KEYSTORE_NAME); + + final DummyCredentialProvider credential = 
context.getBean(DummyCredentialProvider.class); + + Assert.assertNotNull("Credetialprovider", credential); + Assert.assertNotNull("Friendlyname", credential.getFriendlyName()); + + config.putConfigValue(DummyCredentialProvider.KEY_METADATA_ALIAS, + HSM_FACADE_KEY_ALIAS); + config.putConfigValue(DummyCredentialProvider.KEY_METADATA_PASSWORD, + PASSWORD); + + + checkCredential(credential.getMetaDataSigningCredential(), + PvpConstants.DEFAULT_SIGNING_METHODE_RSA, + PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA); + + config.putConfigValue(DummyCredentialProvider.KEY_SIGNING_ALIAS, + HSM_FACADE_KEY_ALIAS); + + checkCredential(credential.getMessageSigningCredential(), + PvpConstants.DEFAULT_SIGNING_METHODE_RSA, + PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA); + + + final List<X509Certificate> trustCerts = credential.getTrustedCertificates(); + Assert.assertNotNull("TrustCerts are null", trustCerts); + Assert.assertTrue("TrustCerts not empty", trustCerts.isEmpty()); + + } + + private void checkCredential(EaafX509Credential metaDataSigningCredential, String sigAlg, String keyEncAlg) { Assert.assertNotNull("No metadata signing credentials", metaDataSigningCredential); Assert.assertNotNull("SigAlg is null", diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java index 66e87537..bc0084f7 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java 
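Review bot: `hasFacadeMissingKeyStoreName`, `hasFacadeWrongAlias` and `validConfigurationHsmFacade` select `KeyStoreType.HSMFACADE`, whose connection settings at the top of this file point at the remote host `eid.a-sit.at` on port 9050 with a username and password baked into the source, so these tests presumably fail in any build environment without network access to that facade (the hunk does not show whether `context.getBean` or `getMetaDataSigningCredential()` is what opens the connection). Guarding each with `org.junit.Assume.assumeTrue(Boolean.getBoolean("eaaf.test.hsmfacade"));` as the first statement, or moving the three into an integration-test profile, lets offline CI skip them instead of reporting failures. `validConfigurationHsmFacade` also sets `KEY_METADATA_PASSWORD` to `PASSWORD` for a key that lives behind the HSM facade; if the provider ignores that value for this keystore type, a comment saying so avoids the impression that a key password is required, and if it does not, the test should state where the password is expected to come from. The `checkCredential` helper at the end of the hunk continues outside it.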
@@ -1,53 +1,33 @@ package at.gv.egiz.eaaf.modules.pvp2.test; -import java.util.ArrayList; -import java.util.List; - import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyMetadataProvider; import org.joda.time.DateTime; -import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; -import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; import org.opensaml.core.xml.io.UnmarshallingException; import org.opensaml.core.xml.util.XMLObjectSupport; import org.opensaml.saml.common.xml.SAMLConstants; import 
org.opensaml.saml.saml2.core.Assertion; import org.opensaml.saml.saml2.core.AuthnRequest; import org.opensaml.saml.saml2.core.EncryptedAssertion; -import org.opensaml.saml.saml2.core.Issuer; import org.opensaml.saml.saml2.core.Response; import org.opensaml.saml.saml2.core.StatusCode; -import org.opensaml.saml.saml2.encryption.Encrypter; -import org.opensaml.saml.saml2.encryption.Encrypter.KeyPlacement; -import org.opensaml.security.x509.X509Credential; -import org.opensaml.xmlsec.SecurityConfigurationSupport; -import org.opensaml.xmlsec.encryption.support.DataEncryptionParameters; -import org.opensaml.xmlsec.encryption.support.EncryptionException; -import org.opensaml.xmlsec.encryption.support.KeyEncryptionParameters; -import org.opensaml.xmlsec.keyinfo.KeyInfoGeneratorFactory; import org.opensaml.xmlsec.signature.support.SignatureConstants; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.test.context.ContextConfiguration; @@ -62,11 +42,9 @@ import net.shibboleth.utilities.java.support.xml.XMLParserException; @ContextConfiguration({ "/spring/test_eaaf_pvp.beans.xml", "/spring/test_eaaf_core_spring_config.beans.xml" }) @TestPropertySource(locations = { "/config/config_1.props" }) -public class SamlVerificationEngineTest { +public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine { @Autowired - private PvpMetadataResolverFactory metadataResolverFactory; - @Autowired private SamlVerificationEngine verifyEngine; @Autowired private DummyCredentialProvider credentialProvider; 
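Review bot: `SamlVerificationEngineTest` now extends `AbstractSamlVerificationEngine` but still declares its own `@Autowired` `verifyEngine` and `credentialProvider` fields here (and `metadataProvider` and `authConfig` in the context of the next hunk), while the base class in this commit declares `credentialProvider` as `protected` and `metadataProvider`/`authConfig` as package-private; the subclass copies hide the inherited fields and are injected a second time. Drop the duplicated `credentialProvider`, `metadataProvider` and `authConfig` declarations from the subclass, and since `verifyEngine` is `private` in the base, either widen it to `protected` there or keep only that single field in the subclass so that each collaborator is injected once and read through one name.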
@@ -74,103 +52,38 @@ public class SamlVerificationEngineTest { @Autowired DummyMetadataProvider metadataProvider; @Autowired IConfiguration authConfig; - /** - * JUnit class initializer. - * - * @throws Exception In case of an OpenSAML3 initialization error - */ - @BeforeClass - public static void classInitializer() throws Exception { - EaafOpenSaml3xInitializer.eaafInitialize(); + @Override + protected String getMetadataClassPathEntityPath() { + return "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; } - @Test - public void validateSamlRequestSuccess() throws SecurityException, Exception { - - final String authnReqPath = "/data/AuthRequest_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; - final String spEntityId = metadataPath; - - final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = - initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - final PvpSProfileRequest msg = new PvpSProfileRequest( - inputMsg.getFirst(), - SAMLConstants.SAML2_POST_BINDING_URI); - msg.setEntityID(spEntityId); - - verifyEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - + @Override + protected String getMetadataJunitJKeystore() { + return "classpath:/data/pvp_metadata_junit_keystore.xml"; } - @Test - public void validateSamlRequestWrongSignature() throws SecurityException, Exception { - - final String authnReqPath = "/data/AuthRequest_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; - final String spEntityId = metadataPath; - - final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = - initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond()); - - final PvpSProfileRequest msg = new PvpSProfileRequest( 
- inputMsg.getFirst(), - SAMLConstants.SAML2_POST_BINDING_URI); - msg.setEntityID(spEntityId); - - try { - verifyEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - org.junit.Assert.fail("Wrong signature not detected"); - - } catch (final Exception e) { - Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); - org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId()); + @Override + protected String getAuthnRequestWithoutSigPath() { + return "/data/AuthRequest_without_sig_1.xml"; - } } - @Test - public void validateSamlInvalidRequest() throws SecurityException, Exception { - - final String authnReqPath = "/data/AuthRequest_without_sig_missing_id.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; - final String spEntityId = metadataPath; - - final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = - initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond()); - - final PvpSProfileRequest msg = new PvpSProfileRequest( - inputMsg.getFirst(), - SAMLConstants.SAML2_POST_BINDING_URI); - msg.setEntityID(spEntityId); - - try { - verifyEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - org.junit.Assert.fail("invalid request not detected"); - - } catch (final Exception e) { - Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); - org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.03", ((EaafException) e).getErrorId()); + @Override + protected String getResponseWithSigPath() { + return "/data/Response_with_sig_1.xml"; + } - } + @Override + protected String getResponseWithoutSigPath() { + return "/data/Response_without_sig_1.xml"; } @Test public void validateSamlRequestWrongSignatureAlg() throws 
SecurityException, Exception { - final String authnReqPath = "/data/AuthRequest_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String authnReqPath = getAuthnRequestWithoutSigPath(); + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = metadataPath; metadataProvider.runGarbageCollector(); 
@@ -199,79 +112,27 @@ public class SamlVerificationEngineTest { } @Test - public void verifyResponseSuccessTest() throws Pvp2InternalErrorException, SecurityException, Exception { - metadataProvider.runGarbageCollector(); - - final String authnReqPath = "/data/Response_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; - final String spEntityId = metadataPath; - - final Pair<Response, IPvp2MetadataProvider> inputMsg = - initializeResponse(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - final PvpSProfileResponse msg = new PvpSProfileResponse( - inputMsg.getFirst()); - msg.setEntityID(spEntityId); - - verifyEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - - } - - @Test - public void verifyResponseSuccessSecondTest() - throws Pvp2InternalErrorException, SecurityException, Exception { - - final String authnReqPath = "/data/Response_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; - final String spEntityId = metadataPath; - - final Pair<Response, IPvp2MetadataProvider> inputMsg = - initializeResponse(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - verifyEngine.verifyIdpResponse(inputMsg.getFirst(), - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - - } - - @Test - public void verifySpResponse() - throws Pvp2InternalErrorException, SecurityException, Exception { + public void validateSamlInvalidRequest() throws SecurityException, Exception { - final String authnReqPath = "/data/Response_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; + final String authnReqPath = "/data/AuthRequest_without_sig_missing_id.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = 
metadataPath; - final Pair<Response, IPvp2MetadataProvider> inputMsg = - initializeResponse(spEntityId, metadataPath, authnReqPath, + final Pair<AuthnRequest, IPvp2MetadataProvider> inputMsg = + initializeAuthnRequest(spEntityId, metadataPath, authnReqPath, credentialProvider.getMetaDataSigningCredential()); - verifyEngine.verifySloResponse(inputMsg.getFirst(), - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - - } - - @Test - public void verifyResponseWithoutId() throws Pvp2InternalErrorException, SecurityException, Exception { - - final String authnReqPath = "/data/Response_with_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml"; - final String spEntityId = metadataPath; - - final Pair<Response, IPvp2MetadataProvider> inputMsg = - initializeResponse(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); + metadataProvider.addMetadataResolverIntoChain(inputMsg.getSecond()); - final PvpSProfileResponse msg = new PvpSProfileResponse( - inputMsg.getFirst()); + final PvpSProfileRequest msg = new PvpSProfileRequest( + inputMsg.getFirst(), + SAMLConstants.SAML2_POST_BINDING_URI); msg.setEntityID(spEntityId); try { verifyEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - org.junit.Assert.fail("Wrong XML schema not detected"); + org.junit.Assert.fail("invalid request not detected"); } catch (final Exception e) { Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); 
@@ -281,37 +142,10 @@ public class SamlVerificationEngineTest { } @Test - public void verifyResponseWrongTrust() throws Pvp2InternalErrorException, SecurityException, Exception { - - final String authnReqPath = "/data/Response_without_sig_1.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; - final String spEntityId = metadataPath; - - final Pair<Response, IPvp2MetadataProvider> inputMsg = - initializeResponse(spEntityId, metadataPath, authnReqPath, - credentialProvider.getMetaDataSigningCredential()); - - final PvpSProfileResponse msg = new PvpSProfileResponse( - inputMsg.getFirst()); - msg.setEntityID(spEntityId); - - try { - verifyEngine.verify(msg, - TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); - org.junit.Assert.fail("No TrustedCert not detected"); - - } catch (final Exception e) { - Assert.isInstanceOf(InvalidProtocolRequestException.class, e, "Wrong exceptionType"); - org.junit.Assert.assertEquals("Wrong errorcode", "internal.pvp.10", ((EaafException) e).getErrorId()); - - } - } - - @Test public void verifyAssertionSucessNotEncrypted() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = 
@@ -328,7 +162,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongAudiency() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -349,7 +183,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongStatusCode() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -374,7 +208,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongIssueInstant() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = 
@@ -399,7 +233,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionNoContitions() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -424,7 +258,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongContitions() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -448,7 +282,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongContitionsAudienceRestrictions() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = 
@@ -475,7 +309,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongContitionsNotBefore() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -501,7 +335,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionWrongContitionsNotOnOrAfter() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -527,7 +361,7 @@ public class SamlVerificationEngineTest { public void verifyAssertionValidContitions() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = 
@@ -548,7 +382,7 @@ public class SamlVerificationEngineTest { public void verifyEncAssertionWrongKey() throws SamlSigningException, Pvp2MetadataException, CredentialsNotAvailableException, XMLParserException, UnmarshallingException, SamlAssertionValidationExeption { final String authnReqPath = "/data/Asserion_enc_no_key.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://eid.a-sit.at/Shibboleth.sso/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -569,7 +403,7 @@ public class SamlVerificationEngineTest { @Test public void verifyEncAssertion() throws Exception { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = @@ -602,7 +436,7 @@ public class SamlVerificationEngineTest { @Test public void verifyEncAssertionWrongSchema() throws Exception { final String authnReqPath = "/data/Response_without_sig_classpath_entityid.xml"; - final String metadataPath = "classpath:/data/pvp_metadata_junit_keystore.xml"; + final String metadataPath = getMetadataJunitJKeystore(); final String spEntityId = "https://demo.egiz.gv.at/demoportal_demologin/"; final Pair<Response, IPvp2MetadataProvider> inputMsg = 
@@ -636,85 +470,4 @@ public class SamlVerificationEngineTest { } - private Pair<Response, IPvp2MetadataProvider> initializeResponse(String spEntityId, String metadataPath, - String authnReqPath, EaafX509Credential credential) - throws SamlSigningException, XMLParserException, UnmarshallingException, Pvp2MetadataException { - final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider( - metadataPath, null, "jUnit metadata resolver", null); - - final Response authnReq = (Response) XMLObjectSupport.unmarshallFromInputStream( - XMLObjectProviderRegistrySupport.getParserPool(), - SamlVerificationEngineTest.class.getResourceAsStream(authnReqPath)); - authnReq.setIssueInstant(DateTime.now()); - final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); - issuer.setValue(spEntityId); - authnReq.setIssuer(issuer); - - return Pair.newInstance( - Saml2Utils.signSamlObject(authnReq, credential, true), - mdResolver); - } - - private Pair<AuthnRequest, IPvp2MetadataProvider> initializeAuthnRequest(String spEntityId, - String metadataPath, String authnReqPath, EaafX509Credential credential) - throws SamlSigningException, CredentialsNotAvailableException, - XMLParserException, UnmarshallingException, Pvp2InternalErrorException, Pvp2MetadataException { - - final IPvp2MetadataProvider mdResolver = metadataResolverFactory.createMetadataProvider( - metadataPath, null, "jUnit metadata resolver", null); - - final AuthnRequest authnReq = (AuthnRequest) XMLObjectSupport.unmarshallFromInputStream( - XMLObjectProviderRegistrySupport.getParserPool(), - SamlVerificationEngineTest.class.getResourceAsStream(authnReqPath)); - authnReq.setIssueInstant(DateTime.now()); - final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); - issuer.setValue(spEntityId); - authnReq.setIssuer(issuer); - - return Pair.newInstance( - Saml2Utils.signSamlObject(authnReq, credential, true), - mdResolver); - - } - - private static EncryptedAssertion doEncryption(Assertion 
assertion, - X509Credential encryptionCredentials, IConfiguration authConfig) - throws Exception { - try { - final String keyEncAlg = Saml2Utils.getKeyOperationAlgorithmFromCredential( - encryptionCredentials, - authConfig.getBasicConfiguration( - PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_RSA_ALG, - PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_RSA), - authConfig.getBasicConfiguration( - PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_KEY_EC_ALG, - PvpConstants.DEFAULT_ASYM_ENCRYPTION_METHODE_EC)); - - final DataEncryptionParameters dataEncParams = new DataEncryptionParameters(); - dataEncParams.setAlgorithm(authConfig.getBasicConfiguration( - PvpConstants.CONFIG_PROP_SEC_ENCRYPTION_DATA, PvpConstants.DEFAULT_SYM_ENCRYPTION_METHODE)); - - final List<KeyEncryptionParameters> keyEncParamList = new ArrayList<>(); - final KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); - keyEncParam.setEncryptionCredential(encryptionCredentials); - keyEncParam.setAlgorithm(keyEncAlg); - - final KeyInfoGeneratorFactory kigf = - SecurityConfigurationSupport.getGlobalEncryptionConfiguration() - .getKeyTransportKeyInfoGeneratorManager().getDefaultManager().getFactory(encryptionCredentials); - keyEncParam.setKeyInfoGenerator(kigf.newInstance()); - keyEncParamList.add(keyEncParam); - - final Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); - samlEncrypter.setKeyPlacement(KeyPlacement.PEER); - - return samlEncrypter.encrypt(assertion); - - } catch (final EncryptionException | SamlSigningException e1) { - throw new Exception(e1); - - } - - } - } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java new file mode 100644 index 00000000..95f63003 --- /dev/null 
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineWithHsmFacadeTest.java 
@@ -0,0 +1,69 @@
+package at.gv.egiz.eaaf.modules.pvp2.test;
+
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration({ "/spring/test_eaaf_pvp.beans.xml",
+ "/spring/test_eaaf_core_spring_config.beans.xml" })
+@TestPropertySource(locations = { "/config/config_3.props" })
+public class SamlVerificationEngineWithHsmFacadeTest extends AbstractSamlVerificationEngine {
+
+ @Override
+ protected String getMetadataClassPathEntityPath() {
+ return "classpath:/data/pvp_metadata_junit_keystore_classpath_entityId.xml";
+
+ }
+
+ @Override
+ protected String getMetadataJunitJKeystore() {
+ return "classpath:/data/pvp_metadata_junit_keystore.xml";
+ }
+
+ @Override
+ protected String getAuthnRequestWithoutSigPath() {
+ return "/data/AuthRequest_without_sig_1.xml";
+
+ }
+
+ @Override
+ protected String getResponseWithSigPath() {
+ return "/data/Response_with_sig_1.xml";
+ }
+
+ @Override
+ protected String getResponseWithoutSigPath() {
+ return "/data/Response_without_sig_1.xml";
+ }
+
+ @Test
+ public void validateSamlRequestWrongSignatureAlg() throws SecurityException, Exception {
+
+ final String authnReqPath = getAuthnRequestWithoutSigPath();
+ final String metadataPath = getMetadataJunitJKeystore();
+ final String spEntityId = metadataPath;
+
+ metadataProvider.runGarbageCollector();
+
+ final EaafX509Credential cred = credentialProvider.getMetaDataSigningCredential();
+ cred.setSignatureAlgorithmForSigning(SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5);
+ try {
+
initializeAuthnRequest(spEntityId, metadataPath, authnReqPath,
+ cred);
+ org.junit.Assert.fail("Wrong SigAlg not detected");
+
+ } catch (final SamlSigningException e) {
+ org.junit.Assert.assertEquals("Wrong errorCode", "internal.pvp.96", e.getErrorId());
+
+ }
+ }
+
+
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props
index 164b8807..6177b738 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_1.props
@@ -1,3 +1,10 @@
+security.hsmfacade.host=eid.a-sit.at
+security.hsmfacade.port=9050
+security.hsmfacade.trustedsslcert=src/test/resources/data/hsm_facade_trust_root.crt
+security.hsmfacade.username=authhandler-junit
+security.hsmfacade.password=supersecret123
+security.hsmfacade.hsmname=software
+
 keystore.path=classpath:/data/junit.jks
 keystore.pass=password
 key.metadata.alias=meta
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props
new file mode 100644
index 00000000..abc8f591
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/config/config_3.props
@@ -0,0 +1,18 @@
+security.hsmfacade.host=eid.a-sit.at
+security.hsmfacade.port=9050
+security.hsmfacade.trustedsslcert=src/test/resources/data/hsm_facade_trust_root.crt
+security.hsmfacade.username=authhandler-junit
+security.hsmfacade.password=supersecret123
+security.hsmfacade.hsmname=software
+
+keystore.type=hsmfacade
+keystore.name=authhandler
+key.metadata.alias=authhandler-sign
+key.sig.alias=authhandler-sign
+key.sig.pass=password
+key.enc.alias=
+key.enc.pass=
+
+client.http.connection.timeout.socket=2
+client.http.connection.timeout.connection=2
+client.http.connection.timeout.request=2
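Review bot: `validateSamlRequestWrongSignatureAlg` switches the credential returned by `credentialProvider.getMetaDataSigningCredential()` to RSA-MD5 via `cred.setSignatureAlgorithmForSigning(...)` and never restores it; if the provider hands out a shared instance, every later test in this JVM that signs with that credential (including those inherited from AbstractSamlVerificationEngine) will also sign with MD5, making the suite order-dependent. Restore the previous algorithm in a `finally` block, or use a credential instance that is private to this test. Minor: `throws SecurityException, Exception` is redundant since `Exception` already covers it, and a one-line class Javadoc such as `/** Runs the shared SAML verification tests against the HSM-facade backed key store configured in /config/config_3.props. */` would tell readers how this class differs from SamlVerificationEngineTest.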
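Review bot: This hunk (and the new `config_3.props` right after it) checks a plaintext HSM-facade username and password into test resources and points the suite at a live external endpoint (`security.hsmfacade.host=eid.a-sit.at`, port 9050), so the tests now depend on network reachability and on a credential that has to be treated as public once pushed. Even for a software HSM used only by jUnit, rotating that password and supplying it through an environment variable or a git-ignored local properties file, plus guarding the facade-backed tests so an unreachable host skips them instead of failing the module, would keep the rest of the suite hermetic. `security.hsmfacade.trustedsslcert=src/test/resources/data/hsm_facade_trust_root.crt` is relative to the working directory and only resolves when the build runs from the module root, whereas the neighbouring `keystore.path=classpath:/data/junit.jks` uses the classpath form; the same form would be more robust here if the loader accepts it. In `config_1.props` the facade settings now sit next to the existing JKS keystore entries, so it is not obvious which backend that profile exercises; a comment line naming the intended backend would help.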
\ No newline at end of file
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml
index cfc334a6..67eed2ac 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/resources/data/pvp_metadata_junit_keystore_classpath_entityId.xml
@@ -66,6 +66,22 @@ SM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIh ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L </ds:X509Certificate> </ds:X509Data> + <ds:X509Data> + <ds:X509Certificate>MIIDEzCCArqgAwIBAgIIHL62SBANl8QwCgYIKoZIzj0EAwIwIzEhMB8GA1UEAwwYS2V5c3RvcmVC +YWNrZWRQa2lTZXJ2aWNlMB4XDTIwMDIxNzEyMzMxNloXDTIwMDUxNzExMzMxNlowMjEdMBsGA1UE +AwwUaW50LWF1dGhoYW5kbGVyLXNpZ24xETAPBgNVBAoMCHNvZnR3YXJlMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEAtVRK3ocL1aqCO+Q0OELikVbEU6tOsXGg1HCWr07YdTsu/qoRCVrB +THF6xqgtFjBVGWkg5kFS7853Lg3peSO1K63RzXWldcgUUM8o9zTybbBI74eXcK8pug1LLAkytQ1i +I6w166am8eoG/vTrc+TIFCDm+pyzmGcl5K8c8Gnm0k41vsMViEFgy6Oq9glts8eEUCOF3ZnL8rIv +w4hjrGsQ+8iZPZEEuMj+rZ2iLI9bjWv6xmNKWTLSO9dm7d2kTNGLQST0XFJkmFDXjQ1jXApXkGlp +i8igWCX3CU8jSuPLdCQ4VU/Pqr/J4uzBWBsv01vs4aqyLVZTGs23xUjJ+9I9fmn1VIfhuh6zGHq+ +jfjBfD6FhndNoPiMEpJT34h39rtF14GOlhb/I1OGjxIyMQGvT7up7p3AlPC7Lz2ylWrVWojR/cAE +umzS6zWgRW9zmVIgC7j48EmMjkapyUWVBR7FkfdodedzSPNETRdWXr7WulSBjjj82AWmwuoDrSZd +330g7FUZHd0D1JFUkLXOgZ1SmyFXds7fTiJGzk4XdYiS8MD07pokNDhZ7FHFGSoTHB8u4fvG2r0u +6tvLRBRkv/3wzDcTcPbEa9Z1JQ3Qh+/aJQmaQMMnE9m4msW4GqTGBoshss8FW1EvUi7JAh4EvXJJ +bhNQmfwU5wBD6WbPsURo7i0CAwEAATAKBggqhkjOPQQDAgNHADBEAiAyb9SMaC7U/HY//YcfjcR0 +j0/DL+9ckFNMvdw0IUq3yAIgEtWkYQrh5Oog7DmVJv0z/C1qPzcjfzDwJI4AlF7IfO4=</ds:X509Certificate> + </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.egiz.gv.at/demoportal_moaid-2.0/pvp2/post"/> 
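Review bot: The certificate added to this KeyDescriptor (and again, byte-identical, in the second hunk `@@ -145,6 +161,22 @@`) decodes — if I read the DER header correctly — to subject CN `int-authhandler-sign`, issuer CN `KeystoreBackedPkiService`, valid from 2020-02-17 to 2020-05-17, a three-month window. Should the trust engine or a metadata filter ever enforce certificate validity, every test that resolves keys from this metadata will start failing after that date with no obvious cause; a long-lived fixture certificate, or an XML comment next to the element noting the expiry and where the key comes from, would avoid that. Since the same key is now listed in two KeyDescriptor elements of the file, both copies have to be replaced together when it is renewed.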
@@ -145,6 +161,22 @@ SM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIh ANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L </ds:X509Certificate> </ds:X509Data> + <ds:X509Data> + <ds:X509Certificate>MIIDEzCCArqgAwIBAgIIHL62SBANl8QwCgYIKoZIzj0EAwIwIzEhMB8GA1UEAwwYS2V5c3RvcmVC +YWNrZWRQa2lTZXJ2aWNlMB4XDTIwMDIxNzEyMzMxNloXDTIwMDUxNzExMzMxNlowMjEdMBsGA1UE +AwwUaW50LWF1dGhoYW5kbGVyLXNpZ24xETAPBgNVBAoMCHNvZnR3YXJlMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEAtVRK3ocL1aqCO+Q0OELikVbEU6tOsXGg1HCWr07YdTsu/qoRCVrB +THF6xqgtFjBVGWkg5kFS7853Lg3peSO1K63RzXWldcgUUM8o9zTybbBI74eXcK8pug1LLAkytQ1i +I6w166am8eoG/vTrc+TIFCDm+pyzmGcl5K8c8Gnm0k41vsMViEFgy6Oq9glts8eEUCOF3ZnL8rIv +w4hjrGsQ+8iZPZEEuMj+rZ2iLI9bjWv6xmNKWTLSO9dm7d2kTNGLQST0XFJkmFDXjQ1jXApXkGlp +i8igWCX3CU8jSuPLdCQ4VU/Pqr/J4uzBWBsv01vs4aqyLVZTGs23xUjJ+9I9fmn1VIfhuh6zGHq+ +jfjBfD6FhndNoPiMEpJT34h39rtF14GOlhb/I1OGjxIyMQGvT7up7p3AlPC7Lz2ylWrVWojR/cAE +umzS6zWgRW9zmVIgC7j48EmMjkapyUWVBR7FkfdodedzSPNETRdWXr7WulSBjjj82AWmwuoDrSZd +330g7FUZHd0D1JFUkLXOgZ1SmyFXds7fTiJGzk4XdYiS8MD07pokNDhZ7FHFGSoTHB8u4fvG2r0u +6tvLRBRkv/3wzDcTcPbEa9Z1JQ3Qh+/aJQmaQMMnE9m4msW4GqTGBoshss8FW1EvUi7JAh4EvXJJ +bhNQmfwU5wBD6WbPsURo7i0CAwEAATAKBggqhkjOPQQDAgNHADBEAiAyb9SMaC7U/HY//YcfjcR0 +j0/DL+9ckFNMvdw0IUq3yAIgEtWkYQrh5Oog7DmVJv0z/C1qPzcjfzDwJI4AlF7IfO4=</ds:X509Certificate> + </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:KeyDescriptor use="encryption"> |