From 49cb8adfd8992dc8d21ff208d8dd93e0592e1be4 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Tue, 5 May 2020 12:28:28 +0200
Subject: first tests for SSL Client Auth. with HSM-Facade

---
 eaaf_core_utils/pom.xml                            |  4 ++
 .../at/gv/egiz/eaaf/core/impl/http/HttpUtils.java  | 14 +++++-
 .../eaaf/core/test/http/HttpClientFactoryTest.java | 52 +++++++++++++++++++---
 .../src/test/resources/data/config1.properties     |  5 +++
 .../resources/spring/test_eaaf_pvp_lazy.beans.xml  |  2 +-
 .../spring/test_eaaf_pvp_not_lazy.beans.xml        |  4 +-
 pom.xml                                            | 10 ++++-
 7 files changed, 78 insertions(+), 13 deletions(-)
 create mode 100644 eaaf_core_utils/src/test/resources/data/config1.properties

diff --git a/eaaf_core_utils/pom.xml b/eaaf_core_utils/pom.xml
index 13df6c1e..d933e309 100644
--- a/eaaf_core_utils/pom.xml
+++ b/eaaf_core_utils/pom.xml
@@ -48,6 +48,10 @@
     <dependency>
       <groupId>io.grpc</groupId>
       <artifactId>grpc-core</artifactId>
+    </dependency>    
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bctls-jdk15on</artifactId>
     </dependency>
     
     <dependency>
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
index 06b8dfd2..b357bb01 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/http/HttpUtils.java
@@ -23,6 +23,7 @@ import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
+import java.security.Security;
 import java.security.UnrecoverableKeyException;
 
 import javax.annotation.Nonnull;
@@ -35,6 +36,7 @@ import org.apache.http.conn.ssl.TrustAllStrategy;
 import org.apache.http.ssl.SSLContextBuilder;
 import org.apache.http.ssl.SSLContexts;
 import org.apache.http.ssl.TrustStrategy;
+import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
 
 import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
 import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException;
@@ -166,8 +168,16 @@ public class HttpUtils {
           : keyPasswordString.toCharArray();
 
       SSLContextBuilder sslContextBuilder = SSLContexts.custom();
-      Provider provider = null;
-      sslContextBuilder.setProvider(provider);
+      if (keyStore.getSecond() != null) {        
+        Provider provider = new BouncyCastleJsseProvider(keyStore.getSecond());
+        
+        log.debug("KeyStore: {} provide special security-provider. Inject: {} into SSLContext",
+            friendlyName, provider.getName());
+        sslContextBuilder.setProvider(provider);
+        Security.addProvider(provider);
+        //sslContextBuilder.setSecureRandom(SecureRandom.getInstanceStrong());
+        
+      }
       if (StringUtils.isNotEmpty(keyAlias)) {
         sslContextBuilder = sslContextBuilder
             .loadKeyMaterial(keyStore.getFirst(), keyPassword, new EaafSslKeySelectionStrategy(keyAlias));
diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
index 84c0b12c..140c74f5 100644
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
@@ -28,7 +28,6 @@ import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.http.HttpClientConfiguration;
 import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory;
-import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
 import okhttp3.HttpUrl;
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
@@ -42,7 +41,6 @@ public class HttpClientFactoryTest {
 
   @Autowired private EaafKeyStoreFactory keyStoreFactory;
   @Autowired private IHttpClientFactory httpClientFactory;
-  @Autowired private DummyAuthConfigMap config;
   
   private MockWebServer mockWebServer = null;
   private HttpUrl mockServerUrl;
@@ -53,11 +51,6 @@ public class HttpClientFactoryTest {
    */
   @Before
   public void setup() {
-    config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, "");
-    config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, "");
-    config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, "");
-    config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, "");
-    config.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, "");
     
   }
 
@@ -335,4 +328,49 @@ public class HttpClientFactoryTest {
     Assert.assertEquals("http statusCode", 200, httpResp2.getStatusLine().getStatusCode());
 
   }
+  
+  @Test
+  public void getCustomClientX509AuthWithHsmFacade() throws EaafException, ClientProtocolException,
+      IOException, KeyStoreException {
+    final HttpClientConfiguration config = new HttpClientConfiguration("jUnit");
+    config.setAuthMode("ssl");
+    config.buildKeyStoreConfig(
+        "hsmfacade",
+        null,
+        null,
+        "authhandler");
+    config.setSslKeyPassword("password");
+    config.setSslKeyAlias("authhandler-sign");
+    config.setDisableTlsHostCertificateValidation(true);
+
+    final CloseableHttpClient client = httpClientFactory.getHttpClient(config);
+    Assert.assertNotNull("httpClient", client);
+
+    //set-up mock-up web-server with SSL client authentication
+    final Pair<KeyStore, Provider> sslClientKeyStore =
+        keyStoreFactory.buildNewKeyStore(config.getKeyStoreConfig());
+    final String localhost = InetAddress.getByName("localhost").getCanonicalHostName();
+    final HeldCertificate localhostCertificate = new HeldCertificate.Builder()
+        .addSubjectAlternativeName(localhost)
+        .build();
+    X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst()
+        .getCertificateChain(config.getSslKeyAlias())[1];
+        
+    final HandshakeCertificates serverCertificates = new HandshakeCertificates.Builder()
+        .addTrustedCertificate(clientRootCert)
+        .heldCertificate(localhostCertificate)
+        .build();
+    mockWebServer = new MockWebServer();
+    mockWebServer.useHttps(serverCertificates.sslSocketFactory(), false);
+    mockWebServer.requireClientAuth();
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody("Successful auth!"));
+    mockServerUrl = mockWebServer.url("/sp/junit");
+
+    //perform test request
+    final HttpUriRequest httpGet2 = new HttpGet(mockServerUrl.url().toString());
+    final CloseableHttpResponse httpResp2 = client.execute(httpGet2);
+    Assert.assertEquals("http statusCode", 200, httpResp2.getStatusLine().getStatusCode());
+
+  }
 }
diff --git a/eaaf_core_utils/src/test/resources/data/config1.properties b/eaaf_core_utils/src/test/resources/data/config1.properties
new file mode 100644
index 00000000..25bd201f
--- /dev/null
+++ b/eaaf_core_utils/src/test/resources/data/config1.properties
@@ -0,0 +1,5 @@
+security.hsmfacade.host=eid.a-sit.at
+security.hsmfacade.port=9050
+security.hsmfacade.trustedsslcert=src/test/resources/data/hsm_facade_trust_root.crt
+security.hsmfacade.username=authhandler-junit
+security.hsmfacade.password=supersecret123
\ No newline at end of file
diff --git a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml
index 210b88be..4af34b51 100644
--- a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml
+++ b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml
@@ -13,7 +13,7 @@
 
   <bean id="dummyAuthConfigMap"
         class="at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap" />
-
+        
   <bean id="eaafKeyStoreFactory"
         class="at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory" />
 
diff --git a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml
index 402e07f9..dc520086 100644
--- a/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml
+++ b/eaaf_core_utils/src/test/resources/spring/test_eaaf_pvp_not_lazy.beans.xml
@@ -12,7 +12,9 @@
   default-lazy-init="true">
 
   <bean id="dummyAuthConfigMap"
-        class="at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap" />
+        class="at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap">
+    <constructor-arg value="/data/config1.properties" />
+  </bean>
 
   <import resource="classpath:/spring/eaaf_utils.beans.xml"/>
  
diff --git a/pom.xml b/pom.xml
index f38165a9..38c107a1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -43,14 +43,15 @@
     <iaik.prod.iaik_xades.version>2.13_moa</iaik.prod.iaik_xades.version>
     <iaik.prod.iaik_xsect.version>2.13_moa</iaik.prod.iaik_xsect.version>
 
-    <hsm-facade-provider.version>0.4.0-SNAPSHOT</hsm-facade-provider.version>
+    <hsm-facade-provider.version>0.5.0-SNAPSHOT</hsm-facade-provider.version>
     <io.grpc-core.version>1.25.0</io.grpc-core.version>
 
     <!-- Other third-party libs -->
     <org.springframework.version>5.1.5.RELEASE</org.springframework.version>
     <org.opensaml.version>3.4.3</org.opensaml.version>
     <org.apache.santuario.xmlsec.version>2.1.4</org.apache.santuario.xmlsec.version>
-    <org.bouncycastle.bcprov-jdk15on.version>1.64</org.bouncycastle.bcprov-jdk15on.version>
+    <org.bouncycastle.bcprov-jdk15on.version>1.65</org.bouncycastle.bcprov-jdk15on.version>
+    <org.bouncycastle.bctls-jdk15on.version>1.65</org.bouncycastle.bctls-jdk15on.version>
 
     <org.slf4j.version>1.7.25</org.slf4j.version>
     <commons-codec.version>1.11</commons-codec.version>
@@ -402,6 +403,11 @@
         <artifactId>bcprov-jdk15on</artifactId>
         <version>${org.bouncycastle.bcprov-jdk15on.version}</version>
       </dependency>
+      <dependency>
+        <groupId>org.bouncycastle</groupId>
+        <artifactId>bctls-jdk15on</artifactId>
+        <version>${org.bouncycastle.bctls-jdk15on.version}</version>      
+      </dependency>
 
       <dependency>
         <groupId>javax.servlet</groupId>
-- 
cgit v1.2.3