From f41a899539773146907eef25b459b4360719fd14 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Mon, 21 Aug 2023 16:49:20 +0200
Subject: feat(sl20): add basic certificate-validity check into JWS validation
The check can be disabled by using the configuration property: modules.sl20.security.truststore.need.valid.certificate
---
 .../test/credentials/EaafKeyStoreFactoryTest.java | 2 +-
 .../egiz/eaaf/core/test/utils/JoseUtilsTest.java | 72 +++++++++++++++++++++-
 2 files changed, 71 insertions(+), 3 deletions(-)
(limited to 'eaaf_core_utils/src/test/java/at')
diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java
index 0d3492a7..47dd4a11 100644
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/credentials/EaafKeyStoreFactoryTest.java
@@ -318,7 +318,7 @@ public class EaafKeyStoreFactoryTest {
 //read trusted certs
 final List trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(keyStore.getFirst());
 Assert.assertNotNull("Trusted certs", trustedCerts);
- Assert.assertEquals("Trusted certs size", 2, trustedCerts.size());
+ Assert.assertEquals("Trusted certs size", 3, trustedCerts.size());
 //read priv. key
 final Pair privCred1 = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/utils/JoseUtilsTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/utils/JoseUtilsTest.java
index 43002688..4b51c1ec 100644
--- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/utils/JoseUtilsTest.java
+++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/utils/JoseUtilsTest.java
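Review bot: The assertion only raises the expected trust-anchor count from 2 to 3, so a keystore fixture that gained any third entry, including an unintended one, still passes; the fixture change itself is outside this view (the patch is limited to `src/test/java/at`). Consider also pinning what was added, for example asserting the new entry's subject DN alongside the count, or adding a comment naming which trust anchor the third certificate is expected to be. The enclosing test method starts and ends outside the hunk.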
@@ -1,7 +1,12 @@
 package at.gv.egiz.eaaf.core.test.utils;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThrows;
+
 import java.io.IOException;
+import java.security.KeyStore;
 import java.security.NoSuchProviderException;
+import java.security.Provider;
 import java.security.Security;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -10,6 +15,7 @@ import java.util.Collections;
 import java.util.List;
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.RandomStringUtils;
 import org.jose4j.jwa.AlgorithmConstraints;
 import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
 import org.jose4j.jws.AlgorithmIdentifiers;
@@ -19,14 +25,23 @@ import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.junit.runners.BlockJUnit4ClassRunner;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.utils.JoseUtils;
 import at.gv.egiz.eaaf.core.impl.utils.JoseUtils.JwsResult;
 import iaik.security.ec.provider.ECCelerate;
 import iaik.security.provider.IAIK;
+import lombok.SneakyThrows;
-@RunWith(BlockJUnit4ClassRunner.class)
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration("/spring/test_eaaf_pvp_lazy.beans.xml")
 public class JoseUtilsTest {
 private static final List BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING = Collections.unmodifiableList(
@@ -36,6 +51,13 @@ public class JoseUtilsTest {
 AlgorithmIdentifiers.RSA_PSS_USING_SHA256,
 AlgorithmIdentifiers.RSA_PSS_USING_SHA512));
+ private static final String PATH_TO_SOFTWARE_KEYSTORE_JKS =
+ "src/test/resources/data/junit.jks";
+ private static final String SOFTWARE_KEYSTORE_PASSWORD = "password";
+
+ @Autowired
+ EaafKeyStoreFactory keyStoreFactory;
+
 /**
 *jUnit test class initializer.
 */
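Review bot: `PATH_TO_SOFTWARE_KEYSTORE_JKS` is a working-directory-relative path (`src/test/resources/data/junit.jks`), so the test that uses it only finds the keystore when the JVM is started from the module root, whereas the existing tests in this class load their fixtures via `JoseUtils.class.getResourceAsStream("/data/...")` and carry no such dependency. If `KeyStoreConfiguration` accepts a classpath location, using one here would be consistent; otherwise a comment such as `// relative to the module root: run the tests with the module as working directory` should accompany the constant. The injected `keyStoreFactory` field could also be `private`, matching the other members of the class.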
@@ -81,4 +103,50 @@ public class JoseUtilsTest {
 Assert.assertArrayEquals("Signercerts", trustedCert.getEncoded(), result.getX5cCerts().get(0).getEncoded());
 }
+
+ @Test
+ public void verifyJwsInvalidCertificate() throws JoseException, IOException, CertificateException,
+ NoSuchProviderException {
+
+ final String serializedContent = IOUtils.toString(JoseUtils.class.getResourceAsStream(
+ "/data/bindingAuth1.jws"), "UTF-8");
+
+ final iaik.x509.X509Certificate trustedCert = new iaik.x509.X509Certificate(JoseUtils.class
+ .getResourceAsStream("/data/bindingAuth1.crt"));
+
+ final List trustedCerts = Arrays.asList(trustedCert);
+ final AlgorithmConstraints constraints = new AlgorithmConstraints(ConstraintType.PERMIT,
+ BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING
+ .toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()]));
+
+ JoseException error = assertThrows("wrong exception", JoseException.class,
+ () -> JoseUtils.validateSignature(serializedContent, trustedCerts, constraints, true));
+ assertEquals("JOSE signing-certificate is not in validity periode", error.getMessage());
+
+
+ }
+
+ @Test
+ @SneakyThrows
+ public void verifyJwsValidCertificate() throws JoseException, IOException, CertificateException,
+ NoSuchProviderException {
+
+ final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
+ keyStoreConfig.setKeyStoreType(KeyStoreType.JKS);
+ keyStoreConfig.setSoftKeyStoreFilePath(PATH_TO_SOFTWARE_KEYSTORE_JKS);
+ keyStoreConfig.setSoftKeyStorePassword(SOFTWARE_KEYSTORE_PASSWORD);
+
+ Pair keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
+
+ String jws = JoseUtils.createSignature(keyStore, "meta", "password".toCharArray(),
+ RandomStringUtils.randomAlphanumeric(10), false, "jUnit");
+
+ final AlgorithmConstraints constraints = new AlgorithmConstraints(ConstraintType.PERMIT,
+ BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING
+ .toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()]));
+ List trustedCertificates =
EaafKeyStoreUtils.readCertsFromKeyStore(keyStore.getFirst());
+
+ JoseUtils.validateSignature(jws, trustedCertificates, constraints, true);
+
+ }
 }
--
cgit v1.2.3
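Review bot: Both new tests depend on the wall clock: `verifyJwsInvalidCertificate` passes only while `/data/bindingAuth1.crt` lies outside its validity window, and `verifyJwsValidCertificate` only while the `junit.jks` signing certificate lies inside its own, so the positive case will turn into a failure the day that certificate expires; a comment on each test recording the fixture's validity bounds (e.g. `// fixture cert expired on <notAfter placeholder>: the check must reject it`) would make the intent and the eventual failure explainable. The negative test also pins the exact exception text `"JOSE signing-certificate is not in validity periode"`, which couples it to wording the production code may later correct; asserting on the exception type or a stable cause would be more robust. In `verifyJwsValidCertificate`, `"password".toCharArray()` duplicates `SOFTWARE_KEYSTORE_PASSWORD`, the `throws` clause is redundant next to `@SneakyThrows`, and the return value of `validateSignature` is discarded, so nothing checks the verified result: `final JwsResult result = JoseUtils.validateSignature(jws, trustedCertificates, constraints, true); Assert.assertNotNull("JWS result", result);`. Nothing here exercises the opt-out path the commit message describes (`validateSignature(..., false)` against the expired fixture should still succeed), unless the pre-existing test above already covers it. The identical `AlgorithmConstraints` construction in both methods could become a private helper.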