From a849dd49daf60128db79311293d7f5c466bd0642 Mon Sep 17 00:00:00 2001 From: Thomas <> Date: Fri, 16 Apr 2021 22:08:42 +0200 Subject: Use custom SSLContext builder to generate BouncyCastle specific TrustManager in case of keys base on HSM-Facade, because SSLContext based on BCJSSE needs BCJSSE TrustManager BCJSSE is not compatible to SunJSSE TrustManager in Java >= 9 --- .../test/http/HttpClientFactoryProdHostTest.java | 98 +++++++++++++++++++++ .../eaaf/core/test/http/HttpClientFactoryTest.java | 96 ++++++++++++++++++++ .../test/resources/data/hsm_ee-RSA_rootcert.crt | 3 + .../src/test/resources/data/hsm_ee_eecert.crt | 3 + .../src/test/resources/data/hsm_ee_rootcert.crt | 3 + .../src/test/resources/data/server_host.crt | 18 ++++ .../src/test/resources/data/ssL_truststore.jks | Bin 0 -> 799 bytes .../src/test/resources/data/ssl_host.jks | Bin 0 -> 2081 bytes 8 files changed, 221 insertions(+) create mode 100644 eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryProdHostTest.java create mode 100644 eaaf_core_utils/src/test/resources/data/hsm_ee-RSA_rootcert.crt create mode 100644 eaaf_core_utils/src/test/resources/data/hsm_ee_eecert.crt create mode 100644 eaaf_core_utils/src/test/resources/data/hsm_ee_rootcert.crt create mode 100644 eaaf_core_utils/src/test/resources/data/server_host.crt create mode 100644 eaaf_core_utils/src/test/resources/data/ssL_truststore.jks create mode 100644 eaaf_core_utils/src/test/resources/data/ssl_host.jks (limited to 'eaaf_core_utils/src/test') diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryProdHostTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryProdHostTest.java new file mode 100644 index 00000000..55c17ee8 --- /dev/null +++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryProdHostTest.java @@ -0,0 +1,98 @@ +package at.gv.egiz.eaaf.core.test.http; + +import java.io.IOException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.Provider; +import java.security.UnrecoverableKeyException; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; +import java.util.Base64; + +import org.apache.http.client.ClientProtocolException; +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.HttpGet; +import org.apache.http.client.methods.HttpUriRequest; +import org.apache.http.impl.client.CloseableHttpClient; +import org.junit.Assert; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.test.annotation.DirtiesContext; +import org.springframework.test.annotation.DirtiesContext.MethodMode; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.http.HttpClientConfiguration; +import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; +import ch.qos.logback.classic.Level; +import ch.qos.logback.classic.Logger; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration("/spring/test_eaaf_pvp_not_lazy.beans.xml") +@DirtiesContext +public class HttpClientFactoryProdHostTest { + + @Autowired private IHttpClientFactory httpClientFactory; + @Autowired private EaafKeyStoreFactory keyStoreFactory; + + /** + * Initialize full class. + */ + @BeforeClass + public static void classInitializer() { + final Logger logger = (Logger) LoggerFactory.getLogger("org.bouncycastle.jsse"); + logger.setLevel(Level.TRACE); + + } + + /** + * JUnit test set-up. + * + */ + @Before + public void setup() { + + } + + @Test + @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) + public void getCustomClientX509AuthWithHsmFacadeTrustStore() throws EaafException, ClientProtocolException, + IOException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException, + CertificateEncodingException { + System.setProperty("javax.net.debug", "ssl:handshake"); + + final HttpClientConfiguration clientConfig = new HttpClientConfiguration("jUnit-client"); + clientConfig.setAuthMode("ssl"); + //clientConfig.buildKeyStoreConfig("hsmfacade", null, null, "eid-junit"); + //clientConfig.setSslKeyAlias("rsa-key-1"); + clientConfig.buildKeyStoreConfig("hsmfacade", null, null, "authhandler"); + clientConfig.setSslKeyAlias("authhandler-sign"); + clientConfig.setDisableTlsHostCertificateValidation(false); + + final CloseableHttpClient client = httpClientFactory.getHttpClient(clientConfig); + Assert.assertNotNull("httpClient", client); + + final Pair sslClientKeyStore = + keyStoreFactory.buildNewKeyStore(clientConfig.getKeyStoreConfig()); + final X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst() + .getCertificateChain(clientConfig.getSslKeyAlias())[1]; + final X509Certificate clientEeCert = (X509Certificate) sslClientKeyStore.getFirst() + .getCertificateChain(clientConfig.getSslKeyAlias())[0]; + Base64.getEncoder().encodeToString(clientEeCert.getEncoded()); + + //perform test request + final HttpUriRequest httpGet2 = new HttpGet("https://apps.egiz.gv.at//sslclientcertdemo/"); + final CloseableHttpResponse httpResp2 = client.execute(httpGet2); + Assert.assertEquals("http statusCode", 200, httpResp2.getStatusLine().getStatusCode()); + + } + +} diff --git a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java index baedadc8..c71d8352 100644 --- a/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java +++ b/eaaf_core_utils/src/test/java/at/gv/egiz/eaaf/core/test/http/HttpClientFactoryTest.java @@ -5,9 +5,14 @@ import java.io.IOException; import java.net.HttpURLConnection; import java.net.InetAddress; import java.net.SocketTimeoutException; +import java.security.Key; +import java.security.KeyPair; import java.security.KeyStore; import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; import java.security.Provider; +import java.security.UnrecoverableKeyException; import java.security.cert.X509Certificate; import org.apache.commons.lang3.RandomStringUtils; @@ -20,10 +25,13 @@ import org.apache.http.client.methods.HttpUriRequest; import org.apache.http.entity.ContentType; import org.apache.http.impl.client.CloseableHttpClient; import org.junit.After; +import org.junit.AfterClass; import org.junit.Assert; import org.junit.Before; +import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.test.annotation.DirtiesContext; import org.springframework.test.annotation.DirtiesContext.MethodMode; @@ -32,12 +40,16 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.data.Triple; import at.gv.egiz.eaaf.core.impl.http.HttpClientConfiguration; import at.gv.egiz.eaaf.core.impl.http.HttpUtils; import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; import at.gv.egiz.eaaf.core.impl.utils.StreamUtils; +import ch.qos.logback.classic.Level; +import ch.qos.logback.classic.Logger; import okhttp3.HttpUrl; import okhttp3.mockwebserver.MockResponse; import okhttp3.mockwebserver.MockWebServer; @@ -57,6 +69,27 @@ public class HttpClientFactoryTest { private MockWebServer mockWebServer = null; private HttpUrl mockServerUrl; + /** + * Initialize full class. + */ + @BeforeClass + public static void classInitializer() { + final Logger logger = (Logger) LoggerFactory.getLogger("org.bouncycastle.jsse"); + logger.setLevel(Level.TRACE); + + } + + /** + * Reset test environment. + */ + @AfterClass + public static void classReset() { + System.clearProperty("javax.net.ssl.trustStoreType"); + System.clearProperty("javax.net.ssl.trustStore"); + System.clearProperty("javax.net.ssl.trustStorePassword"); + + } + /** * JUnit test set-up. * @@ -595,4 +628,67 @@ public class HttpClientFactoryTest { } + @Test + @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) + public void getCustomClientX509AuthWithHsmFacadeTrustStore() throws EaafException, ClientProtocolException, + IOException, KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException { + + final String current = new java.io.File(".").getCanonicalPath(); + System.setProperty("javax.net.ssl.trustStoreType", "jks"); + System.setProperty("javax.net.ssl.trustStore", + current + "/src/test/resources/data/ssL_truststore.jks"); + System.setProperty("javax.net.ssl.trustStorePassword", + "password"); + + final KeyStoreConfiguration sslServerCertConfig = new KeyStoreConfiguration(); + sslServerCertConfig.setKeyStoreType(KeyStoreType.JKS); + sslServerCertConfig.setFriendlyName("SSL host cert"); + sslServerCertConfig.setSoftKeyStoreFilePath("src/test/resources/data/ssl_host.jks"); + sslServerCertConfig.setSoftKeyStorePassword("password"); + + Pair sslServerHostKeyStore = + keyStoreFactory.buildNewKeyStore(sslServerCertConfig); + + + final HttpClientConfiguration clientConfig = new HttpClientConfiguration("jUnit-client"); + clientConfig.setAuthMode("ssl"); + clientConfig.buildKeyStoreConfig("hsmfacade", null, null, "authhandler"); + clientConfig.setSslKeyAlias("authhandler-sign"); + clientConfig.setDisableTlsHostCertificateValidation(false); + + final CloseableHttpClient client = httpClientFactory.getHttpClient(clientConfig); + Assert.assertNotNull("httpClient", client); + + //set-up mock-up web-server with SSL client authentication + final Pair sslClientKeyStore = + keyStoreFactory.buildNewKeyStore(clientConfig.getKeyStoreConfig()); + final X509Certificate clientRootCert = (X509Certificate) sslClientKeyStore.getFirst() + .getCertificateChain(clientConfig.getSslKeyAlias())[1]; + final X509Certificate clientEeCert = (X509Certificate) sslClientKeyStore.getFirst() + .getCertificateChain(clientConfig.getSslKeyAlias())[0]; + + Key sslKey = sslServerHostKeyStore.getFirst().getKey("ssl", "password".toCharArray()); + X509Certificate sslCert = (X509Certificate) sslServerHostKeyStore.getFirst().getCertificate("ssl"); + KeyPair keyPair = new KeyPair(sslCert.getPublicKey(), (PrivateKey) sslKey); + HeldCertificate localhostCertificate = new HeldCertificate(keyPair, sslCert); + final HandshakeCertificates serverCertificates = new HandshakeCertificates.Builder() + .addTrustedCertificate(clientEeCert) + .addTrustedCertificate(clientRootCert) + .heldCertificate(localhostCertificate) + .build(); + mockWebServer = new MockWebServer(); + + mockWebServer.useHttps(serverCertificates.sslSocketFactory(), false); + mockWebServer.requireClientAuth(); + mockWebServer.enqueue(new MockResponse().setResponseCode(200) + .setBody("Successful auth!")); + mockServerUrl = mockWebServer.url("/sp/junit"); + + //perform test request + final HttpUriRequest httpGet2 = new HttpGet(mockServerUrl.url().toString()); + final CloseableHttpResponse httpResp2 = client.execute(httpGet2); + Assert.assertEquals("http statusCode", 200, httpResp2.getStatusLine().getStatusCode()); + + } + } diff --git a/eaaf_core_utils/src/test/resources/data/hsm_ee-RSA_rootcert.crt b/eaaf_core_utils/src/test/resources/data/hsm_ee-RSA_rootcert.crt new file mode 100644 index 00000000..aa83c8d9 --- /dev/null +++ b/eaaf_core_utils/src/test/resources/data/hsm_ee-RSA_rootcert.crt @@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- +MIICDTCCAbOgAwIBAgIIVLxIFI8kRpkwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAwwHRUMtUm9vdDAeFw0yMDA2MTgwNzM2MTBaFw0yNTA2MTgwNzM2MTBaMDwxGzAZBgNVBAMMEmludC1yc2Eta2V5LTEtMDAwMTERMA8GA1UECgwIc29mdHdhcmUxCjAIBgNVBAUTATEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrM1ocQqtch95Dm21JHi0V35nlWZibsjLqR+g8ERdD1qFgun/X0I/Rbft+KxB8QsDX7UmIjXGdavNcEjY/XcbiJxUcpv7vn/2+x3JxZO6Iye/ut001okICt3OGIqP93ZEnIaTTNhDsK7OnvD/eUjlmuHiTaFq1dZLKYDQlz9jl/9F4axfrz1V7oo60iqFIW+7tlUeh8VGDUPjQpHghzjHXTJv/OIAt752K31Tn8KR3kvkn6WTPo8eOWVaPQ480Dik0e2afTPPJNZJ7BW111IwqBAOKp586yVsQ4XVEF8H64Cq+s+b4/HBboo9TDJKTJvo2yQmcTsahbH+Rlm20ifUTAgMBAAEwCgYIKoZIzj0EAwIDSAAwRQIhANKN/N2Atb5fbeHSB2Myv/JcNf9JonxFe92AOu4f62NNAiBjOEeg4OyJZKPiDl6aqYVtz1Qroo6xzUC9UVA4qNe4LA== +-----END CERTIFICATE----- diff --git a/eaaf_core_utils/src/test/resources/data/hsm_ee_eecert.crt b/eaaf_core_utils/src/test/resources/data/hsm_ee_eecert.crt new file mode 100644 index 00000000..b4c47c78 --- /dev/null +++ b/eaaf_core_utils/src/test/resources/data/hsm_ee_eecert.crt @@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- +MIIDEzCCArqgAwIBAgIIMrAOP6EqywMwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAwwHRUMtUm9vdDAeFw0yMDA2MTgwNzM2MDlaFw0yNTA2MTgwNzM2MDlaMEMxIjAgBgNVBAMMGWludC1hdXRoaGFuZGxlci1zaWduLTAwMDExETAPBgNVBAoMCHNvZnR3YXJlMQowCAYDVQQFEwExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5j2vR8ZV88fOJzFHmLuPizHXk+aiE0fX8Bu63FqCNa2Vy343u2k+4HVQBWpAtyRej8nL7JQuhFa11YRtVF+Vos9cyUDk482sUlYA2LdAFIuHJP6iTRrrHYdiTskc3FQUm9m9KorVFwnfzqJ40wjn9hD0xKCE0odk9IHA5aLTul0mSMcHQ+MMu2cbelK2TWTEC0wcGum2NrTWukhf0E4/e4SuqMgEUPdHSEaNZLGKZU0kyVtXKK0HCtWF8OKGay4V504dk3qnmRHHO8ik3oyPk2yLipQAPL0bUGMZ7tlRLo5VxJvkZSsJfAzvYn1JzcQIt6bXszQGU/JS6dw7Jq99Ckzox/vk8p1YUPd4tCuUJPXzhFhI7CedHKGItwk7mQf5llgeVJy40sVrFwHLDPufY5mlm9C+gVBs71+ibT/sJ96gCueWqduzDX8fHzeaNVj2NFEx2pT46D5cbRWZBow3+Rx+hpge6SDMzaebpbkgLPX+35D952bMLjm+9T0DulGk1tLL2k4YK+1WWUprlo+rm65OA5FxnO5YxNmGk2Uizu3tSoZMxmXwEWoFfYaMsTt5Not3+CLPjfs6pE4ML9ifAOxW+pPsmanDiNaMiL0/aSddvvkv3lSMRiU9nYh3DuOu6sGIMaPdyYF0V/9Fua2SDZV3QKIbzPbJfEsXFKtjtzUCAwEAATAKBggqhkjOPQQDAgNHADBEAiBHsK819KfxVn91KAmjRjb7zx8TLLBApyaZHXi5HVrYUwIgQbF6u6bXziAWdijlJC0IOWdBuTLWmTvFqBH7uX1HL9c= +-----END CERTIFICATE----- diff --git a/eaaf_core_utils/src/test/resources/data/hsm_ee_rootcert.crt b/eaaf_core_utils/src/test/resources/data/hsm_ee_rootcert.crt new file mode 100644 index 00000000..fa7b132f --- /dev/null +++ b/eaaf_core_utils/src/test/resources/data/hsm_ee_rootcert.crt @@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- +MIIBPDCB46ADAgECAghZ0/gtbA6FrjAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdFQy1Sb290MB4XDTIwMDYxODA3MzU1M1oXDTMwMDYxODA3MzU1M1owEjEQMA4GA1UEAwwHRUMtUm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIjgL+6qiE9oj2yWCkVm6s7AaYkbDhTptYXTW92MhASiTqxL6g8tr28MlRA2P8HPrNSK9payeMe5QW9Kxn+EMPejIzAhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgWgMAoGCCqGSM49BAMCA0gAMEUCIDq2f4xjYD8pzr+mdzuT8wzePRnj/EatjmimGnvNt3FjAiEArezudh6G+wE+ds6S0dnFxG0o/BrbR0fiRNTQwiZA9ec= +-----END CERTIFICATE----- diff --git a/eaaf_core_utils/src/test/resources/data/server_host.crt b/eaaf_core_utils/src/test/resources/data/server_host.crt new file mode 100644 index 00000000..21d3a1e4 --- /dev/null +++ b/eaaf_core_utils/src/test/resources/data/server_host.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC2TCCAcECBGB5WpEwDQYJKoZIhvcNAQELBQAwMTELMAkGA1UEBhMCQVQxDjAM +BgNVBAsMBWpVbml0MRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjEwNDE2MDkzNjE3 +WhcNMjQwMTEwMDkzNjE3WjAxMQswCQYDVQQGEwJBVDEOMAwGA1UECwwFalVuaXQx +EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAJVYLzPzq7oBGS5Wer0++rHbp+DWI7srAV1lGHdq8ST6APh/7fEVWpdZDpMY +bOXl6uIiVmMsx/jUhQwOu4rFXThiQlwyQOv57SO7WHqNPqbRs/EUVnzW35aXU/DB +CmkqKyjK/+vuq7tIahlpqrppCzBVC9/Z15U+RMTdnATrohALNJovydH3VSkdkKX0 +5BDx779/8malTgyWTUgl+p3F/91iIIl4ZvIngo2ZYQCFm1nV6jmpErGFkG6YVrO7 +oe3OlGKFiXtqCmq+NSFeXsv/SaXWNUw82pYKuK/5EFSLX49HLBBDI14eOCuVLnGA +H/kG3tGteYMBNzSMmC/kcKgRDnUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAJn2 +a/VbtXGmHe9wmtu8K3noyECfG5fbu9URUjXhCBlXGcdjfz1gzrOHcmaBndk0a566 +R2W0fLvjLpjWChrj7r34EpNYGPMLV2gp3ZkiSGl9kv8mf9iChK6+ga3SlyHJuXXu +gw6eOIAxBrE/vLw+pZtCEV9yPrIydkt19jjejf1wjs5y2G7m5r5pBIh6Wlmmc4f2 +3M6l6Dge78WVdUaU5AeAHjgGgXwULxmLGxi6yiS5HsSeb79oGz9psHbq1EAvwOVY +sLepTbDQvX/VAAG7HOJXhdGM0fRIkM7HFA5+6joTHvAKhuMlFIJ8Y4QIG2QaIBAh +eBBh91x/aB2xOKs+Kg== +-----END CERTIFICATE----- diff --git a/eaaf_core_utils/src/test/resources/data/ssL_truststore.jks b/eaaf_core_utils/src/test/resources/data/ssL_truststore.jks new file mode 100644 index 00000000..4d7bc2f3 Binary files /dev/null and b/eaaf_core_utils/src/test/resources/data/ssL_truststore.jks differ diff --git a/eaaf_core_utils/src/test/resources/data/ssl_host.jks b/eaaf_core_utils/src/test/resources/data/ssl_host.jks new file mode 100644 index 00000000..4ca07595 Binary files /dev/null and b/eaaf_core_utils/src/test/resources/data/ssl_host.jks differ -- cgit v1.2.3