From c9cdc12f87ea6ee188de6862ce4935d9b8ef36ce Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Wed, 7 Oct 2020 20:32:11 +0200
Subject: implement work-around to fix possible incompatibility between IAIK
 JCE/Eccelerate and JWS lib in case of ECC keys

---
 .../sl20/utils/AbstractJsonSecurityUtilsTest.java  | 22 ++++----
 .../modules/auth/sl20/utils/JoseUtilsTest.java     | 58 ++++++++++++++++++++++
 2 files changed, 69 insertions(+), 11 deletions(-)
 create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java

(limited to 'eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth')

diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
index 917ef1e0..8516a0ed 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
@@ -9,15 +9,6 @@ import java.security.Security;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
-import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
-import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
-
 import org.apache.commons.lang3.RandomStringUtils;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.jose4j.base64url.Base64Url;
@@ -38,6 +29,15 @@ import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
 import com.fasterxml.jackson.databind.JsonNode;
 
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
+import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+
 @RunWith(SpringJUnit4ClassRunner.class)
 @ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
 public abstract class AbstractJsonSecurityUtilsTest {
@@ -78,7 +78,7 @@ public abstract class AbstractJsonSecurityUtilsTest {
     final JsonWebEncryption jwe = new JsonWebEncryption();
     jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW);
     jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
-    jwe.setKey(joseTools.getEncryptionCertificate().getPublicKey());
+    jwe.setKey(JoseUtils.convertToBcKeyIfRequired(joseTools.getEncryptionCertificate().getPublicKey()));
     jwe.setX509CertSha256ThumbprintHeaderValue(joseTools.getEncryptionCertificate());
     jwe.setPayload(payLoad);
 
@@ -141,7 +141,7 @@ public abstract class AbstractJsonSecurityUtilsTest {
     final JsonWebEncryption jwe = new JsonWebEncryption();
     jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW);
     jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
-    jwe.setKey(key.getSecond()[0].getPublicKey());
+    jwe.setKey(JoseUtils.convertToBcKeyIfRequired(key.getSecond()[0].getPublicKey()));
     jwe.setPayload(payLoad);
 
     // set special provider if required
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java
new file mode 100644
index 00000000..7771ce60
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java
@@ -0,0 +1,58 @@
+package at.gv.egiz.eaaf.modules.auth.sl20.utils;
+
+import java.io.IOException;
+import java.security.NoSuchProviderException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.io.IOUtils;
+import org.jose4j.jwa.AlgorithmConstraints;
+import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
+import org.jose4j.jws.AlgorithmIdentifiers;
+import org.jose4j.lang.JoseException;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.BlockJUnit4ClassRunner;
+
+import at.gv.egiz.eaaf.modules.auth.sl20.utils.JoseUtils.JwsResult;
+
+@RunWith(BlockJUnit4ClassRunner.class)
+public class JoseUtilsTest {
+
+  private static final List<String> BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING = Collections.unmodifiableList(
+      Arrays.asList(
+          AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256,
+          AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512,
+          AlgorithmIdentifiers.RSA_PSS_USING_SHA256,
+          AlgorithmIdentifiers.RSA_PSS_USING_SHA512));
+
+  @Test
+  public void testBindingAuthBlock() throws JoseException, IOException, CertificateException, NoSuchProviderException {
+    
+    final String serializedContent = IOUtils.toString(JoseUtils.class.getResourceAsStream(
+        "/data/bindingAuth1.jws"), "UTF-8");
+        
+    final iaik.x509.X509Certificate trustedCert = new iaik.x509.X509Certificate(JoseUtils.class
+        .getResourceAsStream("/data/bindingAuth1.crt"));
+            
+    final List<X509Certificate> trustedCerts = Arrays.asList(trustedCert);
+    final AlgorithmConstraints constraints = new AlgorithmConstraints(ConstraintType.PERMIT,
+        BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING
+            .toArray(new String[BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.size()]));
+
+    final JwsResult result = JoseUtils.validateSignature(serializedContent, trustedCerts, constraints);
+
+    Assert.assertNotNull("JWS verify result", result);
+    Assert.assertTrue("JWS not valid", result.isValid());
+    Assert.assertNotNull("JWS payload", result.getPayLoad());
+    Assert.assertNotNull("JWS Headers", result.getFullJoseHeader());
+    Assert.assertNotNull("JWS Signercerts", result.getX5cCerts());
+    Assert.assertEquals("Signercerts size", 1, result.getX5cCerts().size());
+    Assert.assertArrayEquals("Signercerts", trustedCert.getEncoded(), result.getX5cCerts().get(0).getEncoded());
+
+  }
+}
-- 
cgit v1.2.3