diff options
Diffstat (limited to 'eaaf_modules')
-rw-r--r-- | eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java index b01330d2..29e0b565 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java @@ -1,18 +1,34 @@ package at.gv.egiz.eaaf.modules.auth.sl20.utils; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertThrows; + +import java.security.Key; import java.security.KeyStore; import java.security.Provider; +import java.security.cert.X509Certificate; +import org.apache.commons.lang3.RandomStringUtils; import org.apache.commons.lang3.StringUtils; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.jose4j.jca.ProviderContext; +import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers; +import org.jose4j.jwe.JsonWebEncryption; +import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers; +import org.jose4j.lang.JoseException; +import org.junit.Assert; import org.junit.Before; +import org.junit.Test; import org.junit.runner.RunWith; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.utils.JoseUtils; @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml") @@ -28,6 +44,70 @@ public class JsonSecurityUtilsHsmKeyTest extends AbstractJsonSecurityUtilsTest { } + @Test + public void encryptionRsaWithWrongDecryptionKey() throws JoseException, EaafException { + final String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + final Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore(); + final Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + rsaEncKeyStore.getFirst(), getRsaKeyAlias(), getRsaKeyPassword().toCharArray(), + true, "jUnit RSA JWE"); + + final JsonWebEncryption jwe = new JsonWebEncryption(); + jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256); + jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM); + jwe.setKey(key.getSecond()[0].getPublicKey()); + jwe.setPayload(payLoad); + + // set special provider if required + if (rsaEncKeyStore.getSecond() != null) { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getSuppliedKeyProviderContext().setSignatureProvider( + rsaEncKeyStore.getSecond().getName()); + jwe.setProviderContext(providerCtx); + + } + + final String encData = jwe.getCompactSerialization(); + Assert.assertNotNull("JWE", encData); + + + //decrypt it again, but by using a wrong key + KeyStoreConfiguration keyConfig = new KeyStoreConfiguration(); + keyConfig.setFriendlyName("Junit Enc Key Rsa"); + keyConfig.setKeyStoreType(KeyStoreType.JKS); + keyConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit.jks"); + keyConfig.setSoftKeyStorePassword("password"); + + Pair<KeyStore, Provider> wrongKeyStore = keyStoreFactory.buildNewKeyStore(keyConfig); + final Pair<Key, X509Certificate[]> wrongKey = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + wrongKeyStore.getFirst(), "meta", "password".toCharArray(), + true, "jUnit RSA JWE"); + + final JsonWebEncryption jweDecrypt = new JsonWebEncryption(); + jweDecrypt.setCompactSerialization(encData); + jweDecrypt.setKey(JoseUtils.convertToBcKeyIfRequired(wrongKey.getFirst())); + + + // set special provider if required + if (wrongKeyStore.getSecond() != null) { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName()); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); + jweDecrypt.setProviderContext(providerCtx); + + } else { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); + jweDecrypt.setProviderContext(providerCtx); + + } + + JoseException error = assertThrows("wrong exception", JoseException.class, + () -> jweDecrypt.getPayload()); + assertEquals("wrong errorMsg", "javax.crypto.AEADBadTagException: mac check in GCM failed", error.getMessage()); + + } + @Override protected void setRsaSigningKey() { config.putConfigValue("modules.sl20.security.sign.alias", "rsa-key-1"); |