From 2b4d9dc8fcde4cdd5a13d9524b3a80a59376b4b8 Mon Sep 17 00:00:00 2001 
From: Thomas Lenz Date: Mon, 22 Jun 2020 09:00:57 +0200 Subject: fix problem with JOSE encryption in combination with HSM-Facade add jUnit test for JoseUtils --- .../modules/auth/sl20/utils/JsonSecurityUtils.java | 12 +- .../modules/auth/sl20/utils/SL20Constants.java | 6 +- .../sl20/utils/AbstractJsonSecurityUtilsTest.java | 292 +++++++++++++++++++++ .../sl20/utils/JsonSecurityUtilsHsmKeyTest.java | 41 --- .../utils/JsonSecurityUtilsSoftwareKeyTest.java | 106 ++++++-- .../src/test/resources/data/hsm_ec.crt | 3 + .../src/test/resources/data/hsm_rsa.crt | 3 + .../src/test/resources/data/junit.jks | Bin 3980 -> 5738 bytes .../src/test/resources/data/junit_no_rsa.jks | Bin 0 -> 3510 bytes .../resources/data/junit_without_trustcerts.jks | Bin 2733 -> 0 bytes .../resources/data/junit_without_trustcerts.p12 | Bin 3204 -> 0 bytes .../src/test/resources/data/software_ec.crt | 3 + .../src/test/resources/data/software_rsa.crt | 3 + 13 files changed, 407 insertions(+), 62 deletions(-) create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java delete mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_ec.crt create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_rsa.crt create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_no_rsa.jks delete mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.jks delete mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.p12 create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_ec.crt create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_rsa.crt (limited to 
'eaaf_modules/eaaf_module_auth_sl20/src') diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java index 1b824ad1..dae11370 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java @@ -295,6 +295,16 @@ public class JsonSecurityUtils implements IJoseTools { keyStore.getFirst(), getEncryptionKeyAlias(), getEncryptionKeyPassword(), true, FRIENDLYNAME_KEYSTORE); + // set special provider if required + if (keyStore.getSecond() != null) { + log.trace("Injecting special Java Security Provider: {}", keyStore.getSecond().getName()); + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getSuppliedKeyProviderContext().setGeneralProvider( + keyStore.getSecond().getName()); + receiverJwe.setProviderContext(providerCtx); + + } + // validate key from header against key from config final List x5cCerts = receiverJwe.getCertificateChainHeaderValue(); final String x5t256 = receiverJwe.getX509CertSha256ThumbprintHeaderValue(); @@ -336,7 +346,7 @@ public class JsonSecurityUtils implements IJoseTools { // set key receiverJwe.setKey(encryptionCred.getFirst()); - + // decrypt payload return mapper.getMapper().readTree(receiverJwe.getPlaintextString()); diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java index f0557619..c95bcc45 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java 
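Review bot: The comment `// set special provider if required` on the block added in the first hunk (@@ -295) does not say when a provider is required or why. Judging by the commit title this is the HSM-Facade case, where the private key presumably can only be used inside the keystore's own JCA provider. I would state that in the comment, e.g. `// HSM-backed keystore: key decryption must run in the keystore's own JCA provider`. The provider is handed to jose4j by name via `keyStore.getSecond().getName()`, so it has to be registered with `java.security.Security` when the JWE is decrypted; whether the keystore factory guarantees that is not visible in this hunk. The enclosing method starts and ends outside the hunk.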
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java @@ -98,7 +98,11 @@ public class SL20Constants { KeyManagementAlgorithmIdentifiers.RSA_OAEP_256; public static final List SL20_ALGORITHM_WHITELIST_KEYENCRYPTION = Collections - .unmodifiableList(Arrays.asList(JSON_ALGORITHM_ENC_KEY_RSAOAEP, JSON_ALGORITHM_ENC_KEY_RSAOAEP256)); + .unmodifiableList(Arrays.asList( + JSON_ALGORITHM_ENC_KEY_RSAOAEP, + JSON_ALGORITHM_ENC_KEY_RSAOAEP256, + KeyManagementAlgorithmIdentifiers.ECDH_ES_A128KW, + KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW)); public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256 = ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256; diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java new file mode 100644 index 00000000..ebea35c6 --- /dev/null +++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java 
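Review bot: Adding `ECDH_ES_A128KW` and `ECDH_ES_A256KW` to `SL20_ALGORITHM_WHITELIST_KEYENCRYPTION` presumably widens what the decrypt path accepts, but only `ECDH_ES_A256KW` is used by the tests in this patch, and no test shows that an algorithm outside the list is rejected. With ECDH-ES the sender supplies an ephemeral public key that is combined with the configured private key, so it is worth confirming that the jose4j version in use (and the HSM provider, when key agreement runs there) rejects points that are not on the expected curve. As a style point, the two RSA entries go through local `JSON_ALGORITHM_ENC_KEY_*` constants while the new ones reference `KeyManagementAlgorithmIdentifiers` directly; local constants for the ECDH entries would keep the list uniform.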
@@ -0,0 +1,292 @@ +package at.gv.egiz.eaaf.modules.auth.sl20.utils; + +import java.io.IOException; +import java.security.Key; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.Provider; +import java.security.Security; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; + +import org.apache.commons.lang3.RandomStringUtils; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.jose4j.jca.ProviderContext; +import org.jose4j.jwa.AlgorithmConstraints; +import org.jose4j.jwa.AlgorithmConstraints.ConstraintType; +import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers; +import org.jose4j.jwe.JsonWebEncryption; +import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers; +import org.jose4j.lang.JoseException; +import org.junit.Assert; +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import com.fasterxml.jackson.databind.JsonNode; + +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap; +import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml") +public abstract class AbstractJsonSecurityUtilsTest { + + @Autowired protected DummyAuthConfigMap config; + @Autowired protected IJoseTools joseTools; + @Autowired protected EaafKeyStoreFactory 
keyStoreFactory; + + @BeforeClass + public static void classInitializer() { + Security.addProvider(new BouncyCastleProvider()); + + } + + protected abstract void setRsaSigningKey(); + + protected abstract void setEcSigningKey(); + + protected abstract void setRsaEncryptionKey(); + + protected abstract void setEcEncryptionKey(); + + protected abstract Pair getEncryptionKeyStore() throws EaafException; + + protected abstract String getRsaKeyAlias(); + + protected abstract String getRsaKeyPassword(); + + protected abstract String getEcKeyAlias(); + + protected abstract String getEcKeyPassword(); + + + @Test + public void fullEncryptDecrypt() throws JoseException, EaafException { + String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + + final JsonWebEncryption jwe = new JsonWebEncryption(); + jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW); + jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM); + jwe.setKey(joseTools.getEncryptionCertificate().getPublicKey()); + jwe.setX509CertSha256ThumbprintHeaderValue(joseTools.getEncryptionCertificate()); + jwe.setPayload(payLoad); + + // set special provider if required + Pair rsaEncKeyStore = getEncryptionKeyStore(); + if (rsaEncKeyStore.getSecond() != null) { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getSuppliedKeyProviderContext().setSignatureProvider( + rsaEncKeyStore.getSecond().getName()); + jwe.setProviderContext(providerCtx); + + } + + String encData = jwe.getCompactSerialization(); + Assert.assertNotNull("JWE Encryption", encData); + + + JsonNode decData = joseTools.decryptPayload(encData); + Assert.assertNotNull("JWE Decryption", decData); + + } + + @Test + public void encryptionRsa() throws JoseException, EaafException { + String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + Pair rsaEncKeyStore = getEncryptionKeyStore(); + Pair key = 
EaafKeyStoreUtils.getPrivateKeyAndCertificates( + rsaEncKeyStore.getFirst(), getRsaKeyAlias(), getRsaKeyPassword().toCharArray(), + true, "jUnit RSA JWE"); + + final JsonWebEncryption jwe = new JsonWebEncryption(); + jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256); + jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM); + jwe.setKey(key.getSecond()[0].getPublicKey()); + jwe.setPayload(payLoad); + + // set special provider if required + if (rsaEncKeyStore.getSecond() != null) { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getSuppliedKeyProviderContext().setSignatureProvider( + rsaEncKeyStore.getSecond().getName()); + jwe.setProviderContext(providerCtx); + + } + + String encData = jwe.getCompactSerialization(); + Assert.assertNotNull("JWE", encData); + + + } + + @Test + public void encryptionEc() throws JoseException, EaafException { + String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + Pair rsaEncKeyStore = getEncryptionKeyStore(); + Pair key = EaafKeyStoreUtils.getPrivateKeyAndCertificates( + rsaEncKeyStore.getFirst(), getEcKeyAlias(), getEcKeyPassword().toCharArray(), + true, "jUnit RSA JWE"); + + final JsonWebEncryption jwe = new JsonWebEncryption(); + jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW); + jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM); + jwe.setKey(key.getSecond()[0].getPublicKey()); + jwe.setPayload(payLoad); + + // set special provider if required + if (rsaEncKeyStore.getSecond() != null) { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getSuppliedKeyProviderContext().setSignatureProvider( + rsaEncKeyStore.getSecond().getName()); + jwe.setProviderContext(providerCtx); + + } + + String encData = jwe.getCompactSerialization(); + + Assert.assertNotNull("JWE", encData); + + + } + + + @Test + public void noTrustedCert() throws 
CertificateEncodingException, KeyStoreException, + JoseException, IOException, EaafException { + setRsaSigningKey(); + setRsaEncryptionKey(); + + String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + + String jws = joseTools.createSignature(payLoad); + Assert.assertNotNull("Signed msg", jws); + + try { + joseTools.validateSignature( + jws, + keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigOnlyEc()).getFirst(), + getDefaultAlgorithmConstrains()); + Assert.fail("Wrong JOSE Sig not detected"); + + } catch (JoseException e) { + Assert.assertEquals("Wrong errorCode", + "Can NOT select verification key for JWS. Signature verification FAILED", + e.getMessage()); + + } + } + + @Test + public void invalidSignature() throws CertificateEncodingException, KeyStoreException, + JoseException, IOException, EaafException { + setRsaSigningKey(); + setRsaEncryptionKey(); + + String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + + String jws = joseTools.createSignature(payLoad); + Assert.assertNotNull("Signed msg", jws); + + String invalidJws = + jws.substring(0, jws.indexOf(".") + 5) + "dd" + jws.substring(jws.indexOf(".") + 6); + + try { + joseTools.validateSignature( + invalidJws, + keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(), + getDefaultAlgorithmConstrains()); + Assert.fail("Wrong JOSE Sig not detected"); + + } catch (JoseException e) { + Assert.assertEquals("Wrong errorCode", + "JWS signature is invalid.", + e.getMessage()); + + } + + } + + @Test + public void validSigningRsa() throws CertificateEncodingException, KeyStoreException, + JoseException, IOException, EaafException { + setRsaSigningKey(); + setRsaEncryptionKey(); + + String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + + String jws = joseTools.createSignature(payLoad); + Assert.assertNotNull("Signed msg", jws); + + VerificationResult verify = joseTools.validateSignature( + jws, + 
keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(), + getDefaultAlgorithmConstrains()); + Assert.assertTrue("wrong verify state", verify.isValidSigned()); + Assert.assertNotNull("JWS Header", verify.getJoseHeader()); + Assert.assertNotNull("JWS Payload", verify.getPayload()); + Assert.assertNotNull("CertChain", verify.getCertChain()); + + + } + + @Test + public void validSigningEc() throws CertificateEncodingException, KeyStoreException, + JoseException, IOException, EaafException { + setEcSigningKey(); + setEcEncryptionKey(); + + String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; + + String jws = joseTools.createSignature(payLoad); + Assert.assertNotNull("Signed msg", jws); + + VerificationResult verify = joseTools.validateSignature( + jws, + keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(), + getDefaultAlgorithmConstrains()); + Assert.assertTrue("wrong verify state", verify.isValidSigned()); + Assert.assertNotNull("JWS Header", verify.getJoseHeader()); + Assert.assertNotNull("JWS Payload", verify.getPayload()); + Assert.assertNotNull("CertChain", verify.getCertChain()); + + } + + protected KeyStoreConfiguration getSigTrustStoreConfigValid() { + KeyStoreConfiguration trustConfig = new KeyStoreConfiguration(); + trustConfig.setFriendlyName("jUnit TrustStore"); + trustConfig.setKeyStoreType(KeyStoreType.JKS); + trustConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit.jks"); + trustConfig.setSoftKeyStorePassword("password"); + + return trustConfig; + + } + + protected KeyStoreConfiguration getSigTrustStoreConfigOnlyEc() { + KeyStoreConfiguration trustConfig = new KeyStoreConfiguration(); + trustConfig.setFriendlyName("jUnit TrustStore"); + trustConfig.setKeyStoreType(KeyStoreType.JKS); + trustConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit_no_rsa.jks"); + trustConfig.setSoftKeyStorePassword("password"); + + return trustConfig; + + } + + private 
AlgorithmConstraints getDefaultAlgorithmConstrains() { + return new AlgorithmConstraints(ConstraintType.WHITELIST, + SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING + .toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.size()])); + } + +} diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java deleted file mode 100644 index 64987942..00000000 --- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java +++ /dev/null 
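Review bot: `fullEncryptDecrypt`, `encryptionRsa` and `encryptionEc` configure the keystore provider with `setSignatureProvider(...)`, whereas the fix in `JsonSecurityUtils` uses `setGeneralProvider(...)`; as far as I know jose4j consults the signature provider only for JWS, so on a JWE this setting does nothing and the tests do not mirror the production path. `fullEncryptDecrypt` also stops at `Assert.assertNotNull("JWE Decryption", decData)`; keeping the random value in a local and adding `Assert.assertEquals(aac, decData.get("aac").asText());` would catch a wrong plaintext. The same test uses `ECDH_ES_A256KW` without calling `setEcEncryptionKey()` first, so it appears to rely on whichever encryption alias the shared `config` holds when it runs, while other tests switch it to the RSA alias. In `encryptionEc` the friendly name `"jUnit RSA JWE"` and the variable `rsaEncKeyStore` look copied from the RSA test.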
@@ -1,41 +0,0 @@ -package at.gv.egiz.eaaf.modules.auth.sl20.utils; - -import java.security.Security; - -import org.apache.commons.lang3.RandomStringUtils; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.junit.Assert; -import org.junit.BeforeClass; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.test.context.ContextConfiguration; -import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; - -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; - -@RunWith(SpringJUnit4ClassRunner.class) -@ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml") -public class JsonSecurityUtilsHsmKeyTest { - - @Autowired private IJoseTools joseTools; - - @BeforeClass - public static void classInitializer() { - Security.addProvider(new BouncyCastleProvider()); - - } - - @Test - public void simpleSigningTest() throws SL20Exception { - String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; - - String jws = joseTools.createSignature(payLoad); - Assert.assertNotNull("Signed msg", jws); - - //VerificationResult verify = joseTools.validateSignature(jws); - //Assert.assertTrue("wrong verify state", verify.isValidSigned()); - - } - -} diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java index 5b8acb16..d78bdbd7 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java 
@@ -1,42 +1,110 @@ package at.gv.egiz.eaaf.modules.auth.sl20.utils; -import java.security.Security; +import java.security.KeyStore; +import java.security.Provider; import org.apache.commons.lang3.RandomStringUtils; -import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.junit.Assert; -import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.util.Base64Utils; -import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; + @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration("/spring/test_eaaf_sl20.beans.xml") -public class JsonSecurityUtilsSoftwareKeyTest { +public class JsonSecurityUtilsSoftwareKeyTest extends AbstractJsonSecurityUtilsTest { - @Autowired private IJoseTools joseTools; - - @BeforeClass - public static void classInitializer() { - Security.addProvider(new BouncyCastleProvider()); - + @Test + public void invalidSignatureRandomString() { + try { + joseTools.validateSignature(RandomStringUtils.randomAlphabetic(10)); + Assert.fail("Wrong JOSE Sig not detected"); + + } catch (SL20Exception e) { + Assert.assertEquals("Wrong errorCode", "sl20.05", e.getErrorId()); + } + } @Test - public void simpleSigningTest() throws SL20Exception { - String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}"; - - String jws = joseTools.createSignature(payLoad); - Assert.assertNotNull("Signed msg", jws); + public void invalidSignatureRandomBase64UrlEncoded() { + 
String testValue = Base64Utils.encodeToUrlSafeString(RandomStringUtils.randomAlphanumeric(10).getBytes()) + + "." + + Base64Utils.encodeToUrlSafeString(RandomStringUtils.randomAlphanumeric(10).getBytes()) + + "." + + Base64Utils.encodeToUrlSafeString(RandomStringUtils.randomAlphanumeric(10).getBytes()); + + try { + joseTools.validateSignature(testValue); + Assert.fail("Wrong JOSE Sig not detected"); + + } catch (SL20Exception e) { + Assert.assertEquals("Wrong errorCode", "sl20.05", e.getErrorId()); + } - VerificationResult verify = joseTools.validateSignature(jws); - Assert.assertTrue("wrong verify state", verify.isValidSigned()); + } + + @Override + protected void setRsaSigningKey() { + config.putConfigValue("modules.sl20.security.sign.alias", "meta"); + + } + + @Override + protected void setEcSigningKey() { + config.putConfigValue("modules.sl20.security.sign.alias", "sig"); + + } + + @Override + protected void setRsaEncryptionKey() { + config.putConfigValue("modules.sl20.security.encryption.alias", "meta"); + + } + + @Override + protected void setEcEncryptionKey() { + config.putConfigValue("modules.sl20.security.encryption.alias", "sig"); } + + @Override + protected Pair getEncryptionKeyStore() throws EaafException { + KeyStoreConfiguration keyConfig = new KeyStoreConfiguration(); + keyConfig.setFriendlyName("Junit Enc Key Rsa"); + keyConfig.setKeyStoreType(KeyStoreType.JKS); + keyConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit.jks"); + keyConfig.setSoftKeyStorePassword("password"); + + return keyStoreFactory.buildNewKeyStore(keyConfig); + } + + @Override + protected String getRsaKeyAlias() { + return "meta"; + } + + @Override + protected String getRsaKeyPassword() { + return "password"; + } + + @Override + protected String getEcKeyAlias() { + return "sig"; + } + + @Override + protected String getEcKeyPassword() { + return "password"; + } } 
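Review bot: `getEncryptionKeyStore()` builds a plain JKS keystore, so the `getSecond() != null` provider branch that this commit adds is presumably never taken in this class, and with `JsonSecurityUtilsHsmKeyTest` deleted no HSM-backed subclass of `AbstractJsonSecurityUtilsTest` is visible in the patch (which is limited to this module's `src`). If an HSM test lives elsewhere, a pointer in the class Javadoc would help; otherwise the fixed code path has no regression test here. In `invalidSignatureRandomBase64UrlEncoded` the three `getBytes()` calls use the platform charset; `getBytes(StandardCharsets.UTF_8)` keeps the input deterministic.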
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_ec.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_ec.crt new file mode 100644 index 00000000..ad780a21 --- /dev/null +++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_ec.crt @@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- +MIIBQTCB56ADAgECAghqWvzGZbotTjAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdFQy1Sb290MB4XDTIwMDYxODA3MzYwOVoXDTI1MDYxODA3MzYwOVowOzEaMBgGA1UEAwwRaW50LWVjLWtleS0xLTAwMDExETAPBgNVBAoMCHNvZnR3YXJlMQowCAYDVQQFEwExMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMYva5n1ISLX4bZdG9ecGVNVId7OEY4Yjeu+4kk+nbppxNMj6JX5tO2iCCpgHlKC5WWTSJyxSQh3CoLzc8XLUmjAKBggqhkjOPQQDAgNJADBGAiEAiegmUzDThtinnuUwsHXwdr4Y/XUednOyIy7RBeClvyYCIQC/v5NZzg+H6FUrQ2nds2hlB6sD7z5cZPJcqm8+S0wYCw== +-----END CERTIFICATE----- diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_rsa.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_rsa.crt new file mode 100644 index 00000000..aa83c8d9 --- /dev/null +++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_rsa.crt @@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- +MIICDTCCAbOgAwIBAgIIVLxIFI8kRpkwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAwwHRUMtUm9vdDAeFw0yMDA2MTgwNzM2MTBaFw0yNTA2MTgwNzM2MTBaMDwxGzAZBgNVBAMMEmludC1yc2Eta2V5LTEtMDAwMTERMA8GA1UECgwIc29mdHdhcmUxCjAIBgNVBAUTATEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrM1ocQqtch95Dm21JHi0V35nlWZibsjLqR+g8ERdD1qFgun/X0I/Rbft+KxB8QsDX7UmIjXGdavNcEjY/XcbiJxUcpv7vn/2+x3JxZO6Iye/ut001okICt3OGIqP93ZEnIaTTNhDsK7OnvD/eUjlmuHiTaFq1dZLKYDQlz9jl/9F4axfrz1V7oo60iqFIW+7tlUeh8VGDUPjQpHghzjHXTJv/OIAt752K31Tn8KR3kvkn6WTPo8eOWVaPQ480Dik0e2afTPPJNZJ7BW111IwqBAOKp586yVsQ4XVEF8H64Cq+s+b4/HBboo9TDJKTJvo2yQmcTsahbH+Rlm20ifUTAgMBAAEwCgYIKoZIzj0EAwIDSAAwRQIhANKN/N2Atb5fbeHSB2Myv/JcNf9JonxFe92AOu4f62NNAiBjOEeg4OyJZKPiDl6aqYVtz1Qroo6xzUC9UVA4qNe4LA== +-----END CERTIFICATE----- 
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks
index 59e6ad13..a18df332 100644
Binary files a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks and b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks differ
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_no_rsa.jks b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_no_rsa.jks
new file mode 100644
index 00000000..370cf19e
Binary files /dev/null and b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_no_rsa.jks differ
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.jks b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.jks
deleted file mode 100644
index b5262cb8..00000000
Binary files a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.jks and /dev/null differ
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.p12 b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.p12
deleted file mode 100644
index c3fe2681..00000000
Binary files a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.p12 and /dev/null differ
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_ec.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_ec.crt
new file mode 100644
index 00000000..5311f3f1
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_ec.crt
@@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- +MIIBbTCCARKgAwIBAgIEXjF+qTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJBVDENMAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcwHhcNMjAwMTI5MTI0NjMzWhcNMjcwMTI4MTI0NjMzWjA+MQswCQYDVQQGEwJBVDENMAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRt7gZRrr4rSEE7Q922oKQJF+mlkwCLZnv8ZzHtH54s4VdyQFIBjQF1PPf9PTn+5tid8QJehZPndcoeD7J8fPJMAoGCCqGSM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIhANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L +-----END CERTIFICATE----- diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_rsa.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_rsa.crt new file mode 100644 index 00000000..c70f5031 --- /dev/null +++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_rsa.crt @@ -0,0 +1,3 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIEXjF+fTANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJBVDENMAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxETAPBgNVBAMMCE1ldGFkYXRhMB4XDTIwMDEyOTEyNDU0OVoXDTI2MDEyODEyNDU0OVowPzELMAkGA1UEBhMCQVQxDTALBgNVBAcMBEVHSVoxDjAMBgNVBAoMBWpVbml0MREwDwYDVQQDDAhNZXRhZGF0YTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK230G3dxNbNlSYAO5Kx/Js0aBAgxMt7q9m+dA35fK/dOvF/GjrqjWsMCnax+no9gLnq6x0gXiJclz6Hrp/YDOfLrJjMpNL/r0FWT947vbnEj7eT8TdY5d6Yi8AZulZmjiCI5nbZh2zwrP4+WqRroLoPhXQj8mDyp26M4xHBBUhLMRc2HV4S+XH4uNZ/vTmb8vBg31XGHCY33gl7/KA54JNGxJdN8Dxv6yHYsm91ZfVrX39W0iYLUNhUCkolwuQmjDVfrExM8BTLIONbf+erJoCm3A9ghZyDYRQ/e69/UEUqDa6XOzykr88INkQscEiAXCDS+EBPMpKo+t3lPIA9r7kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh/2mg4S03bdZy1OVtEAudBT9YZb9OF34hxPtNbkB/V04wSIg1d4TBr5KDhV7CdiUOxPZzHpS8LUCgfGX306FB6NXzh/b67uTOPaE72AB4VIT/Np0fsM7k5WhG9k9NoprIGiqCz2lXcfpZiT+LtSO1vWSYI87wR9KOSWjcw/5i5qZIAJuwvLCQj5JtUsmrhHK75222J3TJf4dS/gfN4xfY2rW9vcXtH6//8WdWp/zx9V7Z1ZsDb8TDKtBCEGuFDgVeU5ScKtVq8qRoUKD3Ve76cZipurO3KrRrVAuZP2EfLkZdHEHqe8GPigNnZ5kTn8V2VJ3iRAQ73hpJRR98tFd0A== +-----END CERTIFICATE----- -- cgit v1.2.3