From 2b4d9dc8fcde4cdd5a13d9524b3a80a59376b4b8 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Mon, 22 Jun 2020 09:00:57 +0200
Subject: fix problem with JOSE encryption in combination with HSM-Facade add
 jUnit test for JoseUtils

---
 .../modules/auth/sl20/utils/JsonSecurityUtils.java |  12 +-
 .../modules/auth/sl20/utils/SL20Constants.java     |   6 +-
 .../sl20/utils/AbstractJsonSecurityUtilsTest.java  | 292 +++++++++++++++++++++
 .../sl20/utils/JsonSecurityUtilsHsmKeyTest.java    |  41 ---
 .../utils/JsonSecurityUtilsSoftwareKeyTest.java    | 106 ++++++--
 .../src/test/resources/data/hsm_ec.crt             |   3 +
 .../src/test/resources/data/hsm_rsa.crt            |   3 +
 .../src/test/resources/data/junit.jks              | Bin 3980 -> 5738 bytes
 .../src/test/resources/data/junit_no_rsa.jks       | Bin 0 -> 3510 bytes
 .../resources/data/junit_without_trustcerts.jks    | Bin 2733 -> 0 bytes
 .../resources/data/junit_without_trustcerts.p12    | Bin 3204 -> 0 bytes
 .../src/test/resources/data/software_ec.crt        |   3 +
 .../src/test/resources/data/software_rsa.crt       |   3 +
 13 files changed, 407 insertions(+), 62 deletions(-)
 create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
 delete mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
 create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_ec.crt
 create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_rsa.crt
 create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_no_rsa.jks
 delete mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.jks
 delete mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.p12
 create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_ec.crt
 create mode 100644 eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_rsa.crt


diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
index 1b824ad1..dae11370 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
@@ -295,6 +295,16 @@ public class JsonSecurityUtils implements IJoseTools {
           keyStore.getFirst(), getEncryptionKeyAlias(), getEncryptionKeyPassword(), true,
           FRIENDLYNAME_KEYSTORE);
 
+      // set special provider if required
+      if (keyStore.getSecond() != null) {
+        log.trace("Injecting special Java Security Provider: {}", keyStore.getSecond().getName());
+        final ProviderContext providerCtx = new ProviderContext();
+        providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(
+            keyStore.getSecond().getName());
+        receiverJwe.setProviderContext(providerCtx);
+
+      }
+      
       // validate key from header against key from config
       final List<X509Certificate> x5cCerts = receiverJwe.getCertificateChainHeaderValue();
       final String x5t256 = receiverJwe.getX509CertSha256ThumbprintHeaderValue();
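Review bot: The injected provider is resolved by name only (`keyStore.getSecond().getName()`), so this path depends on the HSM provider already being registered with the JCA; a Provider instance carried in the Pair but never passed to `Security.addProvider` would presumably make the key-unwrap fail with a no-such-provider error rather than fall back, and the comment should say so: `// route key-management operations for the keystore-bound private key through its JCA provider (looked up by name, so it must be registered)`. Note that only the supplied-key context is set, so content decryption still uses the default provider, which is the intended split but worth a word in the comment as well. The closing brace is followed by a whitespace-only line, and the second hunk of this file replaces a blank line with trailing spaces; both will be flagged by checkstyle. decryptPayload starts and ends outside the hunk.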
@@ -336,7 +346,7 @@ public class JsonSecurityUtils implements IJoseTools {
 
       // set key
       receiverJwe.setKey(encryptionCred.getFirst());
-
+      
       // decrypt payload
       return mapper.getMapper().readTree(receiverJwe.getPlaintextString());
 
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java
index f0557619..c95bcc45 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20Constants.java
@@ -98,7 +98,11 @@ public class SL20Constants {
       KeyManagementAlgorithmIdentifiers.RSA_OAEP_256;
 
   public static final List<String> SL20_ALGORITHM_WHITELIST_KEYENCRYPTION = Collections
-      .unmodifiableList(Arrays.asList(JSON_ALGORITHM_ENC_KEY_RSAOAEP, JSON_ALGORITHM_ENC_KEY_RSAOAEP256));
+      .unmodifiableList(Arrays.asList(
+          JSON_ALGORITHM_ENC_KEY_RSAOAEP, 
+          JSON_ALGORITHM_ENC_KEY_RSAOAEP256,
+          KeyManagementAlgorithmIdentifiers.ECDH_ES_A128KW,
+          KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW));
 
   public static final String JSON_ALGORITHM_ENC_PAYLOAD_A128CBCHS256 =
       ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256;
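Review bot: The two ECDH-ES entries reference `KeyManagementAlgorithmIdentifiers` directly while the RSA-OAEP entries go through the file's own `JSON_ALGORITHM_ENC_KEY_*` constants, so the whitelist mixes two naming layers; defining `JSON_ALGORITHM_ENC_KEY_ECDHES_A128KW` and `JSON_ALGORITHM_ENC_KEY_ECDHES_A256KW` next to the RSA constants and listing those keeps the pattern consistent. Because this list widens which key-management algorithms a received JWE may use, a short comment stating the reason (EC encryption keys held in the HSM facade, per the commit message) and that direct `ECDH_ES` is deliberately left out would make the security decision reviewable later, e.g. `// key-wrapping variants only; direct ECDH-ES is intentionally not accepted`. The first line of the hunk belongs to a constant whose declaration starts outside the hunk.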
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
new file mode 100644
index 00000000..ebea35c6
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
@@ -0,0 +1,292 @@
+package at.gv.egiz.eaaf.modules.auth.sl20.utils;
+
+import java.io.IOException;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.Provider;
+import java.security.Security;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+
+import org.apache.commons.lang3.RandomStringUtils;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.jose4j.jca.ProviderContext;
+import org.jose4j.jwa.AlgorithmConstraints;
+import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
+import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
+import org.jose4j.jwe.JsonWebEncryption;
+import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
+import org.jose4j.lang.JoseException;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
+import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
+public abstract class AbstractJsonSecurityUtilsTest {
+
+  @Autowired protected DummyAuthConfigMap config;
+  @Autowired protected IJoseTools joseTools;
+  @Autowired protected EaafKeyStoreFactory keyStoreFactory;
+  
+  @BeforeClass
+  public static void classInitializer() {
+    Security.addProvider(new BouncyCastleProvider());
+    
+  }
+  
+  protected abstract void setRsaSigningKey();  
+  
+  protected abstract void setEcSigningKey();
+  
+  protected abstract void setRsaEncryptionKey();
+  
+  protected abstract void setEcEncryptionKey();
+  
+  protected abstract Pair<KeyStore, Provider> getEncryptionKeyStore() throws EaafException;
+  
+  protected abstract String getRsaKeyAlias();  
+  
+  protected abstract String getRsaKeyPassword();
+  
+  protected abstract String getEcKeyAlias();  
+  
+  protected abstract String getEcKeyPassword();
+  
+  
+  @Test
+  public void fullEncryptDecrypt() throws JoseException, EaafException { 
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+    
+    final JsonWebEncryption jwe = new JsonWebEncryption();
+    jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW);
+    jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
+    jwe.setKey(joseTools.getEncryptionCertificate().getPublicKey());
+    jwe.setX509CertSha256ThumbprintHeaderValue(joseTools.getEncryptionCertificate());
+    jwe.setPayload(payLoad);
+    
+    // set special provider if required
+    Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore();
+    if (rsaEncKeyStore.getSecond() != null) {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
+          rsaEncKeyStore.getSecond().getName());
+      jwe.setProviderContext(providerCtx);
+
+    }
+    
+    String encData = jwe.getCompactSerialization();
+    Assert.assertNotNull("JWE Encryption", encData);
+    
+    
+    JsonNode decData = joseTools.decryptPayload(encData);   
+    Assert.assertNotNull("JWE Decryption", decData);
+    
+  }
+  
+  @Test
+  public void encryptionRsa() throws JoseException, EaafException {
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+    Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore();    
+    Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+        rsaEncKeyStore.getFirst(), getRsaKeyAlias(), getRsaKeyPassword().toCharArray(), 
+        true, "jUnit RSA JWE");
+    
+    final JsonWebEncryption jwe = new JsonWebEncryption();
+    jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256);
+    jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
+    jwe.setKey(key.getSecond()[0].getPublicKey());
+    jwe.setPayload(payLoad);
+    
+    // set special provider if required
+    if (rsaEncKeyStore.getSecond() != null) {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
+          rsaEncKeyStore.getSecond().getName());
+      jwe.setProviderContext(providerCtx);
+
+    }
+    
+    String encData = jwe.getCompactSerialization();    
+    Assert.assertNotNull("JWE", encData);
+    
+    
+  }
+  
+  @Test
+  public void encryptionEc() throws JoseException, EaafException {
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+    Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore();
+    Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
+        rsaEncKeyStore.getFirst(), getEcKeyAlias(), getEcKeyPassword().toCharArray(), 
+        true, "jUnit RSA JWE");
+    
+    final JsonWebEncryption jwe = new JsonWebEncryption();
+    jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW);
+    jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
+    jwe.setKey(key.getSecond()[0].getPublicKey());
+    jwe.setPayload(payLoad);
+    
+    // set special provider if required
+    if (rsaEncKeyStore.getSecond() != null) {
+      final ProviderContext providerCtx = new ProviderContext();
+      providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
+          rsaEncKeyStore.getSecond().getName());
+      jwe.setProviderContext(providerCtx);
+
+    }
+    
+    String encData = jwe.getCompactSerialization();
+    
+    Assert.assertNotNull("JWE", encData);
+    
+            
+  }
+  
+
+  @Test
+  public void noTrustedCert() throws CertificateEncodingException, KeyStoreException, 
+      JoseException, IOException, EaafException {
+    setRsaSigningKey();
+    setRsaEncryptionKey();
+    
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+        
+    String jws = joseTools.createSignature(payLoad);    
+    Assert.assertNotNull("Signed msg", jws);
+    
+    try {
+      joseTools.validateSignature(
+          jws,
+          keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigOnlyEc()).getFirst(),
+          getDefaultAlgorithmConstrains());      
+      Assert.fail("Wrong JOSE Sig not detected");
+      
+    } catch (JoseException e) {
+      Assert.assertEquals("Wrong errorCode", 
+          "Can NOT select verification key for JWS. Signature verification FAILED", 
+          e.getMessage());
+      
+    }
+  }
+  
+  @Test
+  public void invalidSignature() throws CertificateEncodingException, KeyStoreException, 
+      JoseException, IOException, EaafException {
+    setRsaSigningKey();
+    setRsaEncryptionKey();
+    
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+        
+    String jws = joseTools.createSignature(payLoad);    
+    Assert.assertNotNull("Signed msg", jws);
+    
+    String invalidJws = 
+        jws.substring(0, jws.indexOf(".") + 5) + "dd" + jws.substring(jws.indexOf(".") + 6);  
+        
+    try {
+      joseTools.validateSignature(
+          invalidJws,
+          keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(),
+          getDefaultAlgorithmConstrains());
+      Assert.fail("Wrong JOSE Sig not detected");
+      
+    } catch (JoseException e) {
+      Assert.assertEquals("Wrong errorCode", 
+          "JWS signature is invalid.", 
+          e.getMessage());
+      
+    }
+    
+  }
+  
+  @Test
+  public void validSigningRsa() throws CertificateEncodingException, KeyStoreException, 
+      JoseException, IOException, EaafException {
+    setRsaSigningKey();
+    setRsaEncryptionKey();
+    
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+        
+    String jws = joseTools.createSignature(payLoad);    
+    Assert.assertNotNull("Signed msg", jws);
+    
+    VerificationResult verify = joseTools.validateSignature(
+        jws,
+        keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(),
+        getDefaultAlgorithmConstrains());    
+    Assert.assertTrue("wrong verify state", verify.isValidSigned());
+    Assert.assertNotNull("JWS Header", verify.getJoseHeader());
+    Assert.assertNotNull("JWS Payload", verify.getPayload());
+    Assert.assertNotNull("CertChain", verify.getCertChain());
+
+    
+  }
+  
+  @Test
+  public void validSigningEc() throws CertificateEncodingException, KeyStoreException, 
+      JoseException, IOException, EaafException {
+    setEcSigningKey();
+    setEcEncryptionKey();
+    
+    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
+        
+    String jws = joseTools.createSignature(payLoad);    
+    Assert.assertNotNull("Signed msg", jws);
+    
+    VerificationResult verify = joseTools.validateSignature(
+        jws,
+        keyStoreFactory.buildNewKeyStore(getSigTrustStoreConfigValid()).getFirst(),
+        getDefaultAlgorithmConstrains());    
+    Assert.assertTrue("wrong verify state", verify.isValidSigned());
+    Assert.assertNotNull("JWS Header", verify.getJoseHeader());
+    Assert.assertNotNull("JWS Payload", verify.getPayload());
+    Assert.assertNotNull("CertChain", verify.getCertChain());
+    
+  }
+  
+  protected KeyStoreConfiguration getSigTrustStoreConfigValid() {
+    KeyStoreConfiguration trustConfig = new KeyStoreConfiguration();
+    trustConfig.setFriendlyName("jUnit TrustStore");
+    trustConfig.setKeyStoreType(KeyStoreType.JKS);
+    trustConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit.jks");
+    trustConfig.setSoftKeyStorePassword("password");
+    
+    return trustConfig;
+        
+  }
+  
+  protected KeyStoreConfiguration getSigTrustStoreConfigOnlyEc() {
+    KeyStoreConfiguration trustConfig = new KeyStoreConfiguration();
+    trustConfig.setFriendlyName("jUnit TrustStore");
+    trustConfig.setKeyStoreType(KeyStoreType.JKS);
+    trustConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit_no_rsa.jks");
+    trustConfig.setSoftKeyStorePassword("password");
+    
+    return trustConfig;
+        
+  }
+  
+  private AlgorithmConstraints getDefaultAlgorithmConstrains() {
+    return new AlgorithmConstraints(ConstraintType.WHITELIST,
+        SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING
+        .toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.size()]));
+  }
+  
+}
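Review bot: fullEncryptDecrypt only asserts that `decryptPayload` returned something non-null; it never compares the decrypted content with `payLoad`, so a decrypt that returns the wrong plaintext would pass, and `Assert.assertEquals("JWE round trip", payLoad, decData.toString());` (or comparing the `aac` field) should close that gap. The three encryption tests configure the HSM provider with `setSignatureProvider(...)` whereas the production code under test uses `setGeneralProvider(...)`; the signature provider appears not to be consulted for JWE key management, so the test is likely not exercising the provider path it intends to, and aligning it with the main code removes the ambiguity. fullEncryptDecrypt also does not call `setRsaEncryptionKey()`/`setEcEncryptionKey()`, so the alias it decrypts with depends on which test ran before it in the shared Spring context; calling one of them at the start makes the test order-independent. Minor: encryptionEc labels its key `"jUnit RSA JWE"` and names the keystore `rsaEncKeyStore` although it loads the EC key.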
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
deleted file mode 100644
index 64987942..00000000
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
+++ /dev/null
@@ -1,41 +0,0 @@
-package at.gv.egiz.eaaf.modules.auth.sl20.utils;
-
-import java.security.Security;
-
-import org.apache.commons.lang3.RandomStringUtils;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.junit.Assert;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
-
-import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
-
-@RunWith(SpringJUnit4ClassRunner.class)
-@ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
-public class JsonSecurityUtilsHsmKeyTest {
-
-  @Autowired private IJoseTools joseTools;
-  
-  @BeforeClass
-  public static void classInitializer() {
-    Security.addProvider(new BouncyCastleProvider());
-    
-  }
-  
-  @Test
-  public void simpleSigningTest() throws SL20Exception {
-    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
-        
-    String jws = joseTools.createSignature(payLoad);    
-    Assert.assertNotNull("Signed msg", jws);
-      
-    //VerificationResult verify = joseTools.validateSignature(jws);    
-    //Assert.assertTrue("wrong verify state", verify.isValidSigned());
-    
-  }
-  
-}
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java
index 5b8acb16..d78bdbd7 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsSoftwareKeyTest.java
@@ -1,42 +1,110 @@
 package at.gv.egiz.eaaf.modules.auth.sl20.utils;
 
-import java.security.Security;
+import java.security.KeyStore;
+import java.security.Provider;
 
 import org.apache.commons.lang3.RandomStringUtils;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.Assert;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.util.Base64Utils;
 
-import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
 
+
 @RunWith(SpringJUnit4ClassRunner.class)
 @ContextConfiguration("/spring/test_eaaf_sl20.beans.xml")
-public class JsonSecurityUtilsSoftwareKeyTest {
+public class JsonSecurityUtilsSoftwareKeyTest extends AbstractJsonSecurityUtilsTest {
 
-  @Autowired private IJoseTools joseTools;
-  
-  @BeforeClass
-  public static void classInitializer() {
-    Security.addProvider(new BouncyCastleProvider());
-    
+  @Test
+  public void invalidSignatureRandomString() {
+    try {
+      joseTools.validateSignature(RandomStringUtils.randomAlphabetic(10));
+      Assert.fail("Wrong JOSE Sig not detected");
+      
+    } catch (SL20Exception e) {
+      Assert.assertEquals("Wrong errorCode", "sl20.05", e.getErrorId());
+    }
+      
   }
   
   @Test
-  public void simpleSigningTest() throws SL20Exception {
-    String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";
-        
-    String jws = joseTools.createSignature(payLoad);    
-    Assert.assertNotNull("Signed msg", jws);
+  public void invalidSignatureRandomBase64UrlEncoded() {
+    String testValue = Base64Utils.encodeToUrlSafeString(RandomStringUtils.randomAlphanumeric(10).getBytes())
+        + "."
+        + Base64Utils.encodeToUrlSafeString(RandomStringUtils.randomAlphanumeric(10).getBytes())
+        + "."
+        + Base64Utils.encodeToUrlSafeString(RandomStringUtils.randomAlphanumeric(10).getBytes());
+    
+    try {     
+      joseTools.validateSignature(testValue);
+      Assert.fail("Wrong JOSE Sig not detected");
+      
+    } catch (SL20Exception e) {
+      Assert.assertEquals("Wrong errorCode", "sl20.05", e.getErrorId());
+    }
       
-    VerificationResult verify = joseTools.validateSignature(jws);    
-    Assert.assertTrue("wrong verify state", verify.isValidSigned());
+  }
+    
+  @Override
+  protected void setRsaSigningKey() {
+    config.putConfigValue("modules.sl20.security.sign.alias", "meta");
+    
+  }
+
+  @Override
+  protected void setEcSigningKey() {
+    config.putConfigValue("modules.sl20.security.sign.alias", "sig");
+    
+  }
+  
+  @Override
+  protected void setRsaEncryptionKey() {
+    config.putConfigValue("modules.sl20.security.encryption.alias", "meta");
+    
+  }
+
+  @Override
+  protected void setEcEncryptionKey() {
+    config.putConfigValue("modules.sl20.security.encryption.alias", "sig");
     
   }
+
+  @Override
+  protected Pair<KeyStore, Provider> getEncryptionKeyStore() throws EaafException {    
+    KeyStoreConfiguration keyConfig = new KeyStoreConfiguration();
+    keyConfig.setFriendlyName("Junit Enc Key Rsa");
+    keyConfig.setKeyStoreType(KeyStoreType.JKS);
+    keyConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit.jks");
+    keyConfig.setSoftKeyStorePassword("password");
+    
+    return keyStoreFactory.buildNewKeyStore(keyConfig);
+  }
+
+  @Override
+  protected String getRsaKeyAlias() {
+    return "meta";
+  }
+
+  @Override
+  protected String getRsaKeyPassword() {
+    return "password";
+  }
+
+  @Override
+  protected String getEcKeyAlias() {
+    return "sig";
+  }
+
+  @Override
+  protected String getEcKeyPassword() {
+    return "password";
+  }
   
 }
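Review bot: The three `RandomStringUtils.randomAlphanumeric(10).getBytes()` calls in invalidSignatureRandomBase64UrlEncoded use the platform default charset; the input is ASCII so the result is the same today, but Error Prone flags it and `.getBytes(StandardCharsets.UTF_8)` makes the intent explicit. The keystore built in getEncryptionKeyStore is labelled `"Junit Enc Key Rsa"` yet is also the source of the EC key used by encryptionEc and the abstract EC tests, so a neutral friendly name such as `"jUnit Enc KeyStore"` avoids misleading log output when a lookup fails. The `set*Key` overrides mutate the shared `config` without restoring the previous alias, which is fine as long as every test sets what it needs first, but worth a one-line comment on the class.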
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_ec.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_ec.crt
new file mode 100644
index 00000000..ad780a21
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_ec.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIBQTCB56ADAgECAghqWvzGZbotTjAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdFQy1Sb290MB4XDTIwMDYxODA3MzYwOVoXDTI1MDYxODA3MzYwOVowOzEaMBgGA1UEAwwRaW50LWVjLWtleS0xLTAwMDExETAPBgNVBAoMCHNvZnR3YXJlMQowCAYDVQQFEwExMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMYva5n1ISLX4bZdG9ecGVNVId7OEY4Yjeu+4kk+nbppxNMj6JX5tO2iCCpgHlKC5WWTSJyxSQh3CoLzc8XLUmjAKBggqhkjOPQQDAgNJADBGAiEAiegmUzDThtinnuUwsHXwdr4Y/XUednOyIy7RBeClvyYCIQC/v5NZzg+H6FUrQ2nds2hlB6sD7z5cZPJcqm8+S0wYCw==
+-----END CERTIFICATE-----
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_rsa.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_rsa.crt
new file mode 100644
index 00000000..aa83c8d9
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/hsm_rsa.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
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
+-----END CERTIFICATE-----
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks
index 59e6ad13..a18df332 100644
Binary files a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks and b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit.jks differ
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_no_rsa.jks b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_no_rsa.jks
new file mode 100644
index 00000000..370cf19e
Binary files /dev/null and b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_no_rsa.jks differ
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.jks b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.jks
deleted file mode 100644
index b5262cb8..00000000
Binary files a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.jks and /dev/null differ
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.p12 b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.p12
deleted file mode 100644
index c3fe2681..00000000
Binary files a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/junit_without_trustcerts.p12 and /dev/null differ
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_ec.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_ec.crt
new file mode 100644
index 00000000..5311f3f1
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_ec.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIBbTCCARKgAwIBAgIEXjF+qTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJBVDENMAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcwHhcNMjAwMTI5MTI0NjMzWhcNMjcwMTI4MTI0NjMzWjA+MQswCQYDVQQGEwJBVDENMAsGA1UEBwwERUdJWjEOMAwGA1UECgwFalVuaXQxEDAOBgNVBAMMB3NpZ25pbmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASRt7gZRrr4rSEE7Q922oKQJF+mlkwCLZnv8ZzHtH54s4VdyQFIBjQF1PPf9PTn+5tid8QJehZPndcoeD7J8fPJMAoGCCqGSM49BAMCA0kAMEYCIQDFUO0owvqMVRO2FmD+vb8mqJBpWCE6Cl5pEHaygTa5LwIhANsmjI2azWiTSFjb7Ou5fnCfbeiJUP0s66m8qS4rYl9L
+-----END CERTIFICATE-----
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_rsa.crt b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_rsa.crt
new file mode 100644
index 00000000..c70f5031
--- /dev/null
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/resources/data/software_rsa.crt
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
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
+-----END CERTIFICATE-----