From bada55e1a4ee92bc05d55950836942ed6c3e97f6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 1 Apr 2020 09:05:40 +0200 Subject: fix wrong format in case of encrypted wbPKs --- .../core/impl/idp/auth/builder/BpkBuilder.java | 57 ++++++---- .../messages/eaaf_core_messages.properties | 5 +- .../core/impl/idp/auth/builder/BpkBuilderTest.java | 122 ++++++++++++++++++++- 3 files changed, 161 insertions(+), 23 deletions(-) (limited to 'eaaf_core/src') diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilder.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilder.java index bb8355ad..fed4af32 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilder.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilder.java @@ -52,6 +52,8 @@ import lombok.extern.slf4j.Slf4j; @Slf4j public class BpkBuilder { + private static final String ERROR_MSG_WRONG_TARGET_FORMAT = "bPK-target format must be full URI"; + /** * Calculates an area specific unique person-identifier from a baseID. * @@ -157,7 +159,7 @@ public class BpkBuilder { * Create an encrypted bPK. * * @param bpk unencrypted bPK - * @param target bPK target + * @param target bPK target in full form * @param publicKey Public-Key used for encryption * @return encrypted bPK * @throws EaafBuilderException In case of an error @@ -165,12 +167,17 @@ public class BpkBuilder { public static String encryptBpk(final String bpk, String target, final PublicKey publicKey) throws EaafBuilderException { final SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss"); - if (target.startsWith(EaafConstants.URN_PREFIX_CDID)) { - target = target.substring(EaafConstants.URN_PREFIX_CDID.length()); + + if (!target.startsWith(EaafConstants.URN_PREFIX_WITH_COLON)) { + throw new EaafBuilderException("builder.32", + null, ERROR_MSG_WRONG_TARGET_FORMAT); + } + + target = normalizeBpkTargetIdentifierToCalculationFormat(target); final String input = - "V1::urn:publicid:gv.at:cdid+" + target + "::" + bpk + "::" + sdf.format(new Date()); + "V1::" + target + "::" + bpk + "::" + sdf.format(new Date()); // System.out.println(input); byte[] result; try { @@ -190,17 +197,23 @@ public class BpkBuilder { * Decrypt an encrypted bPK. * * @param encryptedBpk encrypted bPK - * @param target bPK target + * @param target bPK target in full form * @param privateKey private-key for decryption - * @return bPK + * @return bPK Pair consists of (unique person identifier for this target, + * targetArea) but never null * @throws EaafBuilderException In case of an error */ - public static String decryptBpk(final String encryptedBpk, String target, + public static Pair decryptBpk(final String encryptedBpk, String target, final PrivateKey privateKey) throws EaafBuilderException { String decryptedString; + + if (!target.startsWith(EaafConstants.URN_PREFIX_WITH_COLON)) { + throw new EaafBuilderException("builder.32", + null, ERROR_MSG_WRONG_TARGET_FORMAT); + + } + try { - // byte[] encryptedBytes = Base64Utils.decode(encryptedBpk, false, - // "ISO-8859-1"); final byte[] encryptedBytes = Base64Utils.decode(encryptedBpk.getBytes("ISO-8859-1")); final byte[] decryptedBytes = decrypt(encryptedBytes, privateKey); decryptedString = new String(decryptedBytes, "ISO-8859-1"); @@ -210,20 +223,24 @@ public class BpkBuilder { } - String tmp = decryptedString.substring(decryptedString.indexOf('+') + 1); - final String sector = tmp.substring(0, tmp.indexOf("::")); - tmp = tmp.substring(tmp.indexOf("::") + 2); - final String bPK = tmp.substring(0, tmp.indexOf("::")); - - if (target.startsWith(EaafConstants.URN_PREFIX_CDID + "+")) { - target = target.substring((EaafConstants.URN_PREFIX_CDID + "+").length()); + String[] parts = decryptedString.split("::"); + if (parts.length != 4) { + log.trace("Encrypted bPK has value: {}", decryptedString); + throw new EaafBuilderException("builder.31", new Object[] {parts.length}, + "encBpk has a suspect format"); + } + + final String sector = parts[1]; + final String bPK = parts[2]; - if (target.equals(sector)) { - return bPK; + if (target.equals(normalizeBpkTargetIdentifierToCommonFormat(sector))) { + return Pair.newInstance(bPK, target); + } else { - log.error("Decrypted bPK does not match to request bPK target."); - return null; + throw new EaafBuilderException("builder.30", new Object[] {sector, target}, + "Decrypted bPK-target does not match"); + } } diff --git a/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties b/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties index 1916a7fc..064554b9 100644 --- a/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties +++ b/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties @@ -1,6 +1,7 @@ eaaf.core.00=Requested URL: {0} is NOT allowed by configuration. builder.08=Authentication process could NOT completed. Reason: {0} - - +builder.30=Decrypted bPK target: {0} does not match to required target: {1} +builder.31=Encrypted bPK has a suspect format and consists of #{0} elements +builder.32=bPK-target format must be full URI diff --git a/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilderTest.java b/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilderTest.java index 0ca8ca53..64c13781 100644 --- a/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilderTest.java +++ b/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/impl/idp/auth/builder/BpkBuilderTest.java @@ -1,7 +1,14 @@ package at.gv.egiz.eaaf.core.impl.idp.auth.builder; +import java.security.InvalidKeyException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; + import org.apache.commons.lang3.RandomStringUtils; import org.junit.Assert; +import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.BlockJUnit4ClassRunner; @@ -15,6 +22,118 @@ public class BpkBuilderTest { private static final String BASEID = "RUxHQVRlc3RQQjBYWFjFkHpnw7xyX1hYWFTDvHpla8OnaQ=="; + private KeyPair keyPair; + + + /** + * jUnit test initializer. + * @throws NoSuchProviderException In case of an error + * @throws NoSuchAlgorithmException In case of an error + */ + @Before + public void initialize() throws NoSuchAlgorithmException, NoSuchProviderException { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); + keyPair = keyGen.generateKeyPair(); + + } + + @Test + public void encBpkWrongTarget() throws InvalidKeyException { + String bpk = RandomStringUtils.randomAlphanumeric(25); + String target = RandomStringUtils.randomAlphanumeric(25); + + try { + BpkBuilder.encryptBpk(bpk, target, keyPair.getPublic()); + Assert.fail("Wrong parameters not detected"); + + } catch (EaafBuilderException e) { + Assert.assertEquals("Wrong errorMsg", "builder.32", e.getErrorId()); + + } + } + + @Test + public void decBpkWrongTarget() throws InvalidKeyException { + String bpk = RandomStringUtils.randomAlphanumeric(25); + String target = RandomStringUtils.randomAlphanumeric(25); + + try { + BpkBuilder.decryptBpk(bpk, target, keyPair.getPrivate()); + Assert.fail("Wrong parameters not detected"); + + } catch (EaafBuilderException e) { + Assert.assertEquals("Wrong errorMsg", "builder.32", e.getErrorId()); + + } + } + + @Test + public void decBpkWrongTargetInEncBpk() throws InvalidKeyException, EaafBuilderException { + String bpk = RandomStringUtils.randomAlphanumeric(25); + String target = EaafConstants.URN_PREFIX_CDID + "AA"; + + String encBpk = BpkBuilder.encryptBpk(bpk, target, keyPair.getPublic()); + try { + BpkBuilder.decryptBpk(encBpk, + EaafConstants.URN_PREFIX_CDID + "BB", keyPair.getPrivate()); + Assert.fail("Wrong parameters not detected"); + + } catch (EaafBuilderException e) { + Assert.assertEquals("Wrong errorMsg", "builder.30", e.getErrorId()); + + } + } + + @Test + public void encBpkSuccess() throws EaafBuilderException, InvalidKeyException { + String bpk = RandomStringUtils.randomAlphanumeric(25); + String target = EaafConstants.URN_PREFIX_CDID + "AA"; + + String encBpk = BpkBuilder.encryptBpk(bpk, target, keyPair.getPublic()); + + Assert.assertNotNull("encBpk", encBpk); + + Pair decBpk = BpkBuilder.decryptBpk(encBpk, target, keyPair.getPrivate()); + + Assert.assertEquals("wrong bBK", bpk, decBpk.getFirst()); + Assert.assertEquals("wrong bBK-Target", target, decBpk.getSecond()); + + } + + @Test + public void encWbpkSuccess() throws EaafBuilderException, InvalidKeyException { + String bpk = RandomStringUtils.randomAlphanumeric(25); + String target = EaafConstants.URN_PREFIX_WBPK + "XFN+123456i"; + + String encBpk = BpkBuilder.encryptBpk(bpk, target, keyPair.getPublic()); + + Assert.assertNotNull("encBpk", encBpk); + + Pair decBpk = BpkBuilder.decryptBpk(encBpk, target, keyPair.getPrivate()); + + Assert.assertEquals("wrong bBK", bpk, decBpk.getFirst()); + Assert.assertEquals("wrong bBK-Target", target, decBpk.getSecond()); + + } + + @Test + public void encWbpkSuccessSecond() throws EaafBuilderException, InvalidKeyException { + String bpk = RandomStringUtils.randomAlphanumeric(25); + String target = EaafConstants.URN_PREFIX_WBPK + "FN+123456i"; + + String encBpk = BpkBuilder.encryptBpk(bpk, target, keyPair.getPublic()); + + Assert.assertNotNull("encBpk", encBpk); + + Pair decBpk = BpkBuilder.decryptBpk(encBpk, + EaafConstants.URN_PREFIX_WBPK + "XFN+123456i", keyPair.getPrivate()); + + Assert.assertEquals("wrong bBK", bpk, decBpk.getFirst()); + Assert.assertEquals("wrong bBK-Target", + EaafConstants.URN_PREFIX_WBPK + "XFN+123456i", decBpk.getSecond()); + + } + @Test public void noBaseId() { @@ -316,7 +435,8 @@ public class BpkBuilderTest { public void calcNormalizeWbpkTargetWithXMappingErsb() { Assert.assertEquals("Wrong normalized target", EaafConstants.URN_PREFIX_WBPK + "ERSB+998877665544", - BpkBuilder.normalizeBpkTargetIdentifierToCalculationFormat(EaafConstants.URN_PREFIX_WBPK + "XERSB+998877665544")); + BpkBuilder.normalizeBpkTargetIdentifierToCalculationFormat( + EaafConstants.URN_PREFIX_WBPK + "XERSB+998877665544")); } -- cgit v1.2.3