From a849dd49daf60128db79311293d7f5c466bd0642 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Fri, 16 Apr 2021 22:08:42 +0200
Subject: Use custom SSLContext builder to generate BouncyCastle specific
 TrustManager in case of keys base on HSM-Facade, because SSLContext based on
 BCJSSE needs BCJSSE TrustManager BCJSSE is not compatible to SunJSSE
 TrustManager in Java >= 9

---
 .../eaaf/core/test/http/HttpClientFactoryTest.java | 96 ++++++++++++++++++++++
 1 file changed, 96 insertions(+)

(limited to 'eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java')

diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
index baedadc8..c71d8352 100644
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java
@@ -5,9 +5,14 @@ import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.InetAddress;
 import java.net.SocketTimeoutException;
+import java.security.Key;
+import java.security.KeyPair;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
 import java.security.Provider;
+import java.security.UnrecoverableKeyException;
 import java.security.cert.X509Certificate;
 
 import org.apache.commons.lang3.RandomStringUtils;
@@ -20,10 +25,13 @@ import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.entity.ContentType;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.junit.After;
+import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.Before;
+import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.annotation.DirtiesContext.MethodMode;
@@ -32,12 +40,16 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
 import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.data.Triple;
 import at.gv.egiz.eaaf.core.impl.http.HttpClientConfiguration;
 import at.gv.egiz.eaaf.core.impl.http.HttpUtils;
 import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory;
 import at.gv.egiz.eaaf.core.impl.utils.StreamUtils;
+import ch.qos.logback.classic.Level;
+import ch.qos.logback.classic.Logger;
 import okhttp3.HttpUrl;
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
@@ -57,6 +69,27 @@ public class HttpClientFactoryTest {
   private MockWebServer mockWebServer = null;
   private HttpUrl mockServerUrl;
 
+  /**
+   * Initialize full class.
+   */
+  @BeforeClass
+  public static void classInitializer() {
+    final Logger logger = (Logger) LoggerFactory.getLogger("org.bouncycastle.jsse");
+    logger.setLevel(Level.TRACE);
+    
+  }
+  
+  /**
+   * Reset test environment.
+   */
+  @AfterClass
+  public static void classReset() {
+    System.clearProperty("javax.net.ssl.trustStoreType");
+    System.clearProperty("javax.net.ssl.trustStore");
+    System.clearProperty("javax.net.ssl.trustStorePassword");
+    
+  }
+  
   /**
    * JUnit test set-up.
    *
@@ -595,4 +628,67 @@ public class HttpClientFactoryTest {
 
   }
 
+  @Test
+  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
+  public void getCustomClientX509AuthWithHsmFacadeTrustStore() throws EaafException, ClientProtocolException,
+      IOException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException {
+    
+    final String current = new java.io.File(".").getCanonicalPath();
+    System.setProperty("javax.net.ssl.trustStoreType", "jks");
+    System.setProperty("javax.net.ssl.trustStore",
+        current + "/src/test/resources/data/ssL_truststore.jks");
+    System.setProperty("javax.net.ssl.trustStorePassword",
+        "password");
+    
+    final KeyStoreConfiguration sslServerCertConfig = new KeyStoreConfiguration();
+    sslServerCertConfig.setKeyStoreType(KeyStoreType.JKS);
+    sslServerCertConfig.setFriendlyName("SSL host cert");
+    sslServerCertConfig.setSoftKeyStoreFilePath("src/test/resources/data/ssl_host.jks");   
+    sslServerCertConfig.setSoftKeyStorePassword("password");
+    
+    Pair<KeyStore, Provider> sslServerHostKeyStore = 
+        keyStoreFactory.buildNewKeyStore(sslServerCertConfig);
+    
+    
+    final HttpClientConfiguration clientConfig = new HttpClientConfiguration("jUnit-client");
+    clientConfig.setAuthMode("ssl");
+    clientConfig.buildKeyStoreConfig("hsmfacade", null, null, "authhandler");
+    clientConfig.setSslKeyAlias("authhandler-sign");
+    clientConfig.setDisableTlsHostCertificateValidation(false);
+
+    final CloseableHttpClient client = httpClientFactory.getHttpClient(clientConfig);
+    Assert.assertNotNull("httpClient", client);
+
+    //set-up mock-up web-server with SSL client authentication
+    final Pair<KeyStore, Provider> sslClientKeyStore =
+        keyStoreFactory.buildNewKeyStore(clientConfig.getKeyStoreConfig());
+    final X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst()
+            .getCertificateChain(clientConfig.getSslKeyAlias())[1];
+    final X509Certificate clientEeCert = (X509Certificate) sslClientKeyStore.getFirst()
+        .getCertificateChain(clientConfig.getSslKeyAlias())[0];
+    
+    Key sslKey = sslServerHostKeyStore.getFirst().getKey("ssl", "password".toCharArray());   
+    X509Certificate sslCert = (X509Certificate) sslServerHostKeyStore.getFirst().getCertificate("ssl");
+    KeyPair keyPair = new KeyPair(sslCert.getPublicKey(), (PrivateKey) sslKey);
+    HeldCertificate localhostCertificate = new HeldCertificate(keyPair, sslCert);
+    final HandshakeCertificates serverCertificates = new HandshakeCertificates.Builder()
+        .addTrustedCertificate(clientEeCert)
+        .addTrustedCertificate(clientRootCert)
+        .heldCertificate(localhostCertificate)
+        .build();
+    mockWebServer = new MockWebServer();
+   
+    mockWebServer.useHttps(serverCertificates.sslSocketFactory(), false);
+    mockWebServer.requireClientAuth();
+    mockWebServer.enqueue(new MockResponse().setResponseCode(200)
+        .setBody("Successful auth!"));
+    mockServerUrl = mockWebServer.url("/sp/junit");
+
+    //perform test request
+    final HttpUriRequest httpGet2 = new HttpGet(mockServerUrl.url().toString());
+    final CloseableHttpResponse httpResp2 = client.execute(httpGet2);
+    Assert.assertEquals("http statusCode", 200, httpResp2.getStatusLine().getStatusCode());
+
+  }
+  
 }
-- 
cgit v1.2.3