From bada55e1a4ee92bc05d55950836942ed6c3e97f6 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 1 Apr 2020 09:05:40 +0200
Subject: fix wrong format in case of encrypted wbPKs

---
 .../core/impl/idp/auth/builder/BpkBuilder.java     |  57 ++++++----
 .../messages/eaaf_core_messages.properties         |   5 +-
 .../core/impl/idp/auth/builder/BpkBuilderTest.java | 122 ++++++++++++++++++++-
 3 files changed, 161 insertions(+), 23 deletions(-)

diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilder.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilder.java
index bb8355ad..fed4af32 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilder.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilder.java
@@ -52,6 +52,8 @@ import lombok.extern.slf4j.Slf4j;
 @Slf4j
 public class BpkBuilder {
     
+  private static final String ERROR_MSG_WRONG_TARGET_FORMAT = "bPK-target format must be full URI";
+  
   /**
    * Calculates an area specific unique person-identifier from a baseID.
    *
@@ -157,7 +159,7 @@ public class BpkBuilder {
    * Create an encrypted bPK.
    *
    * @param bpk       unencrypted bPK
-   * @param target    bPK target
+   * @param target    bPK target in full form
    * @param publicKey Public-Key used for encryption
    * @return encrypted bPK
    * @throws EaafBuilderException In case of an error
@@ -165,12 +167,17 @@ public class BpkBuilder {
   public static String encryptBpk(final String bpk, String target, final PublicKey publicKey)
       throws EaafBuilderException {
     final SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss");
-    if (target.startsWith(EaafConstants.URN_PREFIX_CDID)) {
-      target = target.substring(EaafConstants.URN_PREFIX_CDID.length());
+    
+    if (!target.startsWith(EaafConstants.URN_PREFIX_WITH_COLON)) {
+      throw new EaafBuilderException("builder.32", 
+          null, ERROR_MSG_WRONG_TARGET_FORMAT);
+      
     }
+    
+    target = normalizeBpkTargetIdentifierToCalculationFormat(target);
 
     final String input =
-        "V1::urn:publicid:gv.at:cdid+" + target + "::" + bpk + "::" + sdf.format(new Date());
+        "V1::" + target + "::" + bpk + "::" + sdf.format(new Date());
     // System.out.println(input);
     byte[] result;
     try {
@@ -190,17 +197,23 @@ public class BpkBuilder {
    * Decrypt an encrypted bPK.
    *
    * @param encryptedBpk encrypted bPK
-   * @param target       bPK target
+   * @param target       bPK target in full form
    * @param privateKey   private-key for decryption
-   * @return bPK
+   * @return bPK Pair consists of (unique person identifier for this target,
+   *         targetArea) but never null
    * @throws EaafBuilderException In case of an error
    */
-  public static String decryptBpk(final String encryptedBpk, String target,
+  public static Pair<String, String> decryptBpk(final String encryptedBpk, String target,
       final PrivateKey privateKey) throws EaafBuilderException {
     String decryptedString;
+    
+    if (!target.startsWith(EaafConstants.URN_PREFIX_WITH_COLON)) {
+      throw new EaafBuilderException("builder.32", 
+          null, ERROR_MSG_WRONG_TARGET_FORMAT);
+      
+    }
+    
     try {
-      // byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false,
-      // "ISO-8859-1");
       final byte[] encryptedBytes = Base64Utils.decode(encryptedBpk.getBytes("ISO-8859-1"));
       final byte[] decryptedBytes = decrypt(encryptedBytes, privateKey);
       decryptedString = new String(decryptedBytes, "ISO-8859-1");
@@ -210,20 +223,24 @@ public class BpkBuilder {
 
     }
 
-    String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1);
-    final String sector = tmp.substring(0, tmp.indexOf("::"));
-    tmp = tmp.substring(tmp.indexOf("::") + 2);
-    final String bPK = tmp.substring(0, tmp.indexOf("::"));
-
-    if (target.startsWith(EaafConstants.URN_PREFIX_CDID + "+")) {
-      target = target.substring((EaafConstants.URN_PREFIX_CDID + "+").length());
+    String[] parts = decryptedString.split("::");
+    if (parts.length != 4) {
+      log.trace("Encrypted bPK has value: {}", decryptedString);
+      throw new EaafBuilderException("builder.31", new Object[] {parts.length}, 
+          "encBpk has a suspect format");
+      
     }
+    
+    final String sector = parts[1];
+    final String bPK = parts[2];
 
-    if (target.equals(sector)) {
-      return bPK;
+    if (target.equals(normalizeBpkTargetIdentifierToCommonFormat(sector))) {
+      return Pair.newInstance(bPK, target);
+      
     } else {
-      log.error("Decrypted bPK does not match to request bPK target.");
-      return null;
+      throw new EaafBuilderException("builder.30", new Object[] {sector, target}, 
+          "Decrypted bPK-target does not match");
+      
     }
   }
 
diff --git a/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties b/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties
index 1916a7fc..064554b9 100644
--- a/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties
+++ b/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties
@@ -1,6 +1,7 @@
 eaaf.core.00=Requested URL: {0} is NOT allowed by configuration.
 
 builder.08=Authentication process could NOT completed. Reason: {0}
-
-
+builder.30=Decrypted bPK target: {0} does not match to required target: {1}
+builder.31=Encrypted bPK has a suspect format and consists of #{0} elements
+builder.32=bPK-target format must be full URI
 
diff --git a/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilderTest.java b/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilderTest.java
index 0ca8ca53..64c13781 100644
--- a/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilderTest.java
+++ b/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilderTest.java
@@ -1,7 +1,14 @@
 package at.gv.egiz.eaaf.core.impl.idp.auth.builder;
 
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+
 import org.apache.commons.lang3.RandomStringUtils;
 import org.junit.Assert;
+import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.BlockJUnit4ClassRunner;
@@ -15,6 +22,118 @@ public class BpkBuilderTest {
 
   private static final String BASEID = "RUxHQVRlc3RQQjBYWFjFkHpnw7xyX1hYWFTDvHpla8OnaQ==";
   
+  private KeyPair keyPair;
+  
+  
+  /**
+   * jUnit test initializer.
+   * @throws NoSuchProviderException In case of an error
+   * @throws NoSuchAlgorithmException  In case of an error
+   */
+  @Before
+  public void initialize() throws NoSuchAlgorithmException, NoSuchProviderException {
+    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+    keyPair = keyGen.generateKeyPair();
+    
+  }
+  
+  @Test
+  public void encBpkWrongTarget() throws InvalidKeyException {
+    String bpk = RandomStringUtils.randomAlphanumeric(25);
+    String target = RandomStringUtils.randomAlphanumeric(25);
+    
+    try {
+      BpkBuilder.encryptBpk(bpk, target, keyPair.getPublic());
+      Assert.fail("Wrong parameters not detected");
+      
+    } catch (EaafBuilderException e) {
+      Assert.assertEquals("Wrong errorMsg", "builder.32", e.getErrorId());
+      
+    }
+  }
+  
+  @Test
+  public void decBpkWrongTarget() throws InvalidKeyException {
+    String bpk = RandomStringUtils.randomAlphanumeric(25);
+    String target = RandomStringUtils.randomAlphanumeric(25);
+    
+    try {
+      BpkBuilder.decryptBpk(bpk, target, keyPair.getPrivate());
+      Assert.fail("Wrong parameters not detected");
+      
+    } catch (EaafBuilderException e) {
+      Assert.assertEquals("Wrong errorMsg", "builder.32", e.getErrorId());
+      
+    }
+  }
+  
+  @Test
+  public void decBpkWrongTargetInEncBpk() throws InvalidKeyException, EaafBuilderException {
+    String bpk = RandomStringUtils.randomAlphanumeric(25);
+    String target = EaafConstants.URN_PREFIX_CDID + "AA";
+    
+    String encBpk = BpkBuilder.encryptBpk(bpk, target, keyPair.getPublic());
+    try {
+      BpkBuilder.decryptBpk(encBpk, 
+          EaafConstants.URN_PREFIX_CDID + "BB", keyPair.getPrivate());
+      Assert.fail("Wrong parameters not detected");
+      
+    } catch (EaafBuilderException e) {
+      Assert.assertEquals("Wrong errorMsg", "builder.30", e.getErrorId());
+      
+    }
+  }
+  
+  @Test
+  public void encBpkSuccess() throws EaafBuilderException, InvalidKeyException {
+    String bpk = RandomStringUtils.randomAlphanumeric(25);
+    String target = EaafConstants.URN_PREFIX_CDID + "AA";
+    
+    String encBpk = BpkBuilder.encryptBpk(bpk, target, keyPair.getPublic());
+    
+    Assert.assertNotNull("encBpk", encBpk);
+    
+    Pair<String, String> decBpk = BpkBuilder.decryptBpk(encBpk, target, keyPair.getPrivate());
+    
+    Assert.assertEquals("wrong bBK", bpk, decBpk.getFirst());
+    Assert.assertEquals("wrong bBK-Target", target, decBpk.getSecond());
+    
+  }
+  
+  @Test
+  public void encWbpkSuccess() throws EaafBuilderException, InvalidKeyException {
+    String bpk = RandomStringUtils.randomAlphanumeric(25);
+    String target = EaafConstants.URN_PREFIX_WBPK + "XFN+123456i";
+    
+    String encBpk = BpkBuilder.encryptBpk(bpk, target, keyPair.getPublic());
+    
+    Assert.assertNotNull("encBpk", encBpk);
+    
+    Pair<String, String> decBpk = BpkBuilder.decryptBpk(encBpk, target, keyPair.getPrivate());
+    
+    Assert.assertEquals("wrong bBK", bpk, decBpk.getFirst());
+    Assert.assertEquals("wrong bBK-Target", target, decBpk.getSecond());
+    
+  }
+  
+  @Test
+  public void encWbpkSuccessSecond() throws EaafBuilderException, InvalidKeyException {
+    String bpk = RandomStringUtils.randomAlphanumeric(25);
+    String target = EaafConstants.URN_PREFIX_WBPK + "FN+123456i";
+    
+    String encBpk = BpkBuilder.encryptBpk(bpk, target, keyPair.getPublic());
+    
+    Assert.assertNotNull("encBpk", encBpk);
+    
+    Pair<String, String> decBpk = BpkBuilder.decryptBpk(encBpk, 
+        EaafConstants.URN_PREFIX_WBPK + "XFN+123456i", keyPair.getPrivate());
+    
+    Assert.assertEquals("wrong bBK", bpk, decBpk.getFirst());
+    Assert.assertEquals("wrong bBK-Target", 
+        EaafConstants.URN_PREFIX_WBPK + "XFN+123456i", decBpk.getSecond());
+    
+  }
+  
   
   @Test
   public void noBaseId() {
@@ -316,7 +435,8 @@ public class BpkBuilderTest {
   public void calcNormalizeWbpkTargetWithXMappingErsb() {
     Assert.assertEquals("Wrong normalized target", 
         EaafConstants.URN_PREFIX_WBPK + "ERSB+998877665544", 
-        BpkBuilder.normalizeBpkTargetIdentifierToCalculationFormat(EaafConstants.URN_PREFIX_WBPK + "XERSB+998877665544"));
+        BpkBuilder.normalizeBpkTargetIdentifierToCalculationFormat(
+            EaafConstants.URN_PREFIX_WBPK + "XERSB+998877665544"));
     
   }
   
-- 
cgit v1.2.3