package at.gv.egiz.eaaf.core.test.credentials; import static org.junit.Assert.assertThrows; import static org.junit.jupiter.api.Assertions.assertEquals; import java.security.Key; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.Provider; import java.security.Security; import java.security.cert.X509Certificate; import java.util.List; import javax.crypto.SecretKey; import org.apache.commons.lang3.RandomStringUtils; import org.junit.Assert; import org.junit.Before; import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; import org.springframework.beans.BeansException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.test.annotation.DirtiesContext; import org.springframework.test.annotation.DirtiesContext.ClassMode; import org.springframework.test.annotation.DirtiesContext.MethodMode; import org.springframework.test.context.ContextConfiguration; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import com.google.common.base.Optional; import com.google.common.base.Predicates; import com.google.common.base.Throwables; import com.google.common.collect.FluentIterable; import at.asitplus.hsmfacade.provider.HsmFacadeProvider; import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException; import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.exceptions.EaafFactoryException; import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; import at.gv.egiz.eaaf.core.impl.credential.SymmetricKeyConfiguration; import at.gv.egiz.eaaf.core.impl.credential.SymmetricKeyConfiguration.SymmetricKeyType; 
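import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
import io.grpc.StatusRuntimeException;

/**
 * Tests for {@link EaafKeyStoreFactory}: configuration validation and construction of software
 * key stores (JKS, PKCS12, inline PEM), symmetric keys and HSM-facade backed key stores.
 *
 * <p>Every test method runs in a fresh Spring context ({@link DirtiesContext}).
 * {@link #testSetup()} clears the dummy configuration and unregisters the HSM facade JCA
 * provider, so each test starts without an HSM facade. {@code configureHsmFacade()} and
 * {@code checkMissingConfigException(...)} are defined elsewhere in this class.
 */
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration("/spring/test_eaaf_pvp_lazy.beans.xml")
@DirtiesContext(classMode = ClassMode.BEFORE_EACH_TEST_METHOD)
public class EaafKeyStoreFactoryTest {

  // NOTE(review): generic type arguments of Pair/List seem to have been lost in the rendered
  // source; only the ones recoverable from the visible imports and usages
  // (Pair<KeyStore, Provider>, List<X509Certificate>) are written out here.

  // Connection fixture for the HSM facade, used by configureHsmFacade(). Test-only values.
  private static final String HSM_FACASE_HOST = "eid.a-sit.at";
  private static final String HSM_FACASE_PORT = "9050";
  private static final String HSM_FACASE_SSL_TRUST =
      "src/test/resources/data/hsm_facade_trust_root.crt";
  private static final String HSM_FACASE_USERNAME = "authhandler-junit";
  private static final String HSM_FACASE_PASSWORD = "supersecret123";

  // Software key stores shipped as test resources. junit.jks additionally holds two trusted
  // certificates (see softwareKeyStoreAccessOperations()).
  private static final String PATH_TO_SOFTWARE_KEYSTORE_JKS_WITH_TRUSTED_CERTS =
      "src/test/resources/data/junit.jks";
  private static final String PATH_TO_SOFTWARE_KEYSTORE_JKS =
      "src/test/resources/data/junit_without_trustcerts.jks";
  private static final String PATH_TO_SOFTWARE_KEYSTORE_PKCS12 =
      "src/test/resources/data/junit_without_trustcerts.p12";
  private static final String PATH_TO_HSM_FACADE_TRUST_CERT =
      "src/test/resources/data/hsm_facade_trust_root.crt";
  private static final String SOFTWARE_KEYSTORE_PASSWORD = "password";
  private static final String HSM_FACADE_KEY_ALIAS = "authhandler-sign";

  @Autowired
  private DummyAuthConfigMap mapConfig;

  @Autowired
  private ApplicationContext context;

  /**
   * jUnit test set-up.
   *
   * <p>Clears the dummy configuration and unregisters the HSM facade JCA provider, so that every
   * test starts from a state without an HSM facade.
   */
  @Before
  public void testSetup() {
    mapConfig.clearAllConfig();
    Security.removeProvider(HsmFacadeProvider.getInstance().getName());
  }

  // ---------------------------------------------------------------------------------------------
  // helpers
  // ---------------------------------------------------------------------------------------------

  /** Fetches the factory bean and asserts that no HSM facade has been initialized. */
  private EaafKeyStoreFactory factoryWithoutHsmFacade() {
    final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class);
    Assert.assertFalse("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized());
    return keyStoreFactory;
  }

  /** Configures the HSM facade, fetches the factory bean and asserts that the facade is initialized. */
  private EaafKeyStoreFactory factoryWithHsmFacade() {
    configureHsmFacade();
    final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class);
    Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized());
    return keyStoreFactory;
  }

  /**
   * Builds a software key-store configuration.
   *
   * @param type key-store type
   * @param path key-store file path, or {@code null} to leave the path unset
   * @param password key-store password, or {@code null} to leave the password unset
   * @return the (not yet validated) configuration
   */
  private static KeyStoreConfiguration softwareKeyStoreConfig(final KeyStoreType type,
      final String path, final String password) {
    final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
    keyStoreConfig.setKeyStoreType(type);
    if (path != null) {
      keyStoreConfig.setSoftKeyStoreFilePath(path);
    }
    if (password != null) {
      keyStoreConfig.setSoftKeyStorePassword(password);
    }
    return keyStoreConfig;
  }

  /** Builds an inline (PEM based) key-store configuration from a {@code pkcs12:keystore?...} URI. */
  private static KeyStoreConfiguration inlineKeyStoreConfig(final String inlineUri) {
    final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
    keyStoreConfig.setKeyStoreType(KeyStoreType.INLINE);
    keyStoreConfig.setSoftKeyStoreFilePath(inlineUri);
    return keyStoreConfig;
  }

  /** Builds a symmetric-key configuration with the test friendly name and the given key type. */
  private static SymmetricKeyConfiguration symmetricKeyConfig(final SymmetricKeyType type) {
    final SymmetricKeyConfiguration keyConfig = new SymmetricKeyConfiguration();
    keyConfig.setFriendlyName("jUnit test");
    keyConfig.setKeyType(type);
    return keyConfig;
  }

  /**
   * Builds a key store and asserts the shape expected for a software key store: a key store
   * without a dedicated JCA provider.
   *
   * @return the key-store/provider pair returned by the factory
   * @throws EaafException if the factory rejects the configuration
   */
  private static Pair<KeyStore, Provider> buildSoftwareKeyStore(
      final EaafKeyStoreFactory factory, final KeyStoreConfiguration keyStoreConfig)
      throws EaafException {
    final Pair<KeyStore, Provider> keyStore = factory.buildNewKeyStore(keyStoreConfig);
    Assert.assertNotNull("KeyStore container is null", keyStore);
    Assert.assertNotNull("KeyStore is null", keyStore.getFirst());
    Assert.assertNull("Provider is not null", keyStore.getSecond());
    return keyStore;
  }

  /** Asserts that building a key store fails with the expected exception type and error id. */
  private static void assertKeyStoreBuildFails(final EaafKeyStoreFactory factory,
      final KeyStoreConfiguration keyStoreConfig,
      final Class<? extends EaafException> expectedType, final String expectedErrorId) {
    try {
      factory.buildNewKeyStore(keyStoreConfig);
      Assert.fail("Wrong config not detected");
    } catch (final EaafException e) {
      org.springframework.util.Assert.isInstanceOf(expectedType, e, "Wrong ExceptionType");
      Assert.assertEquals("wrong errorCode", expectedErrorId, e.getErrorId());
    }
  }

  /** Asserts that building a symmetric key fails with the expected exception type and error id. */
  private static void assertSymmetricKeyBuildFails(final EaafKeyStoreFactory factory,
      final SymmetricKeyConfiguration keyConfig,
      final Class<? extends EaafException> expectedType, final String expectedErrorId) {
    try {
      factory.buildNewSymmetricKey(keyConfig);
      Assert.fail("Wrong config not detected");
    } catch (final EaafException e) {
      org.springframework.util.Assert.isInstanceOf(expectedType, e, "Wrong ExceptionType");
      Assert.assertEquals("wrong errorCode", expectedErrorId, e.getErrorId());
    }
  }

  /** Puts random host, port, client username and client password for the HSM facade into the config. */
  private void putHsmFacadeBaseConfig() {
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST,
        RandomStringUtils.randomNumeric(10));
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT,
        RandomStringUtils.randomNumeric(4));
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME,
        RandomStringUtils.randomAlphanumeric(10));
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD,
        RandomStringUtils.randomAlphanumeric(10));
  }

  /**
   * Asserts that creating the factory bean fails; the failure itself is checked by
   * {@code checkMissingConfigException(e)}.
   */
  private void assertFactoryCreationFails() {
    try {
      context.getBean(EaafKeyStoreFactory.class);
      Assert.fail("Missing HSM Facade not detected");
    } catch (final BeansException e) {
      checkMissingConfigException(e);
    }
  }

  /** Same as {@link #assertFactoryCreationFails()}, additionally checking the expected error id. */
  private void assertFactoryCreationFails(final String expectedErrorId) {
    try {
      context.getBean(EaafKeyStoreFactory.class);
      Assert.fail("Missing HSM Facade not detected");
    } catch (final BeansException e) {
      checkMissingConfigException(e, expectedErrorId);
    }
  }

  // ---------------------------------------------------------------------------------------------
  // software key stores
  // ---------------------------------------------------------------------------------------------

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void startWithoutConfigHsmFacadeConfig() {
    factoryWithoutHsmFacade();
  }

  /** An empty configuration is rejected with error id internal.keystore.01. */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void buildyStoreWithOutConfig() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    assertKeyStoreBuildFails(keyStoreFactory, new KeyStoreConfiguration(),
        EaafConfigurationException.class, "internal.keystore.01");
  }

  /** PKCS11 is declared as a type but not supported by the factory (internal.keystore.02). */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void buildyStoreWithPkcs11() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
    keyStoreConfig.setKeyStoreType(KeyStoreType.PKCS11);
    assertKeyStoreBuildFails(keyStoreFactory, keyStoreConfig,
        EaafConfigurationException.class, "internal.keystore.02");
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void softwareKeyStoreWithoutConfig() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    assertKeyStoreBuildFails(keyStoreFactory, softwareKeyStoreConfig(KeyStoreType.JKS, null, null),
        EaafConfigurationException.class, "internal.keystore.06");
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void softwareKeyStoreWithoutConfigSecond() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    assertKeyStoreBuildFails(keyStoreFactory,
        softwareKeyStoreConfig(KeyStoreType.PKCS12, null, null),
        EaafConfigurationException.class, "internal.keystore.06");
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void softwareKeyStoreWithoutPassword() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    assertKeyStoreBuildFails(keyStoreFactory,
        softwareKeyStoreConfig(KeyStoreType.JKS, PATH_TO_SOFTWARE_KEYSTORE_JKS, null),
        EaafConfigurationException.class, "internal.keystore.06");
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void softwareKeyStoreWithoutPath() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    assertKeyStoreBuildFails(keyStoreFactory,
        softwareKeyStoreConfig(KeyStoreType.JKS, null, SOFTWARE_KEYSTORE_PASSWORD),
        EaafConfigurationException.class, "internal.keystore.06");
  }

  /**
   * Despite its name this test supplies type, path and password and expects success; the only
   * difference to {@link #softwareKeyStoreSuccessJks()} is that the configuration is not
   * validated before it is passed to the factory.
   */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void softwareKeyStoreWithoutType() throws EaafException {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    buildSoftwareKeyStore(keyStoreFactory, softwareKeyStoreConfig(KeyStoreType.JKS,
        PATH_TO_SOFTWARE_KEYSTORE_JKS, SOFTWARE_KEYSTORE_PASSWORD));
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void softwareKeyStoreWithWrongPath() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    assertKeyStoreBuildFails(keyStoreFactory, softwareKeyStoreConfig(KeyStoreType.JKS,
        "src/test/resources/notexist.jks", SOFTWARE_KEYSTORE_PASSWORD),
        EaafConfigurationException.class, "internal.keystore.06");
  }

  /** A wrong password surfaces as a factory (not a configuration) error with the same error id. */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void softwareKeyStoreWithWrongPassword() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    assertKeyStoreBuildFails(keyStoreFactory, softwareKeyStoreConfig(KeyStoreType.JKS,
        PATH_TO_SOFTWARE_KEYSTORE_JKS, "wrong password"),
        EaafFactoryException.class, "internal.keystore.06");
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void softwareKeyStoreSuccessJks() throws EaafException {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    final KeyStoreConfiguration keyStoreConfig = softwareKeyStoreConfig(KeyStoreType.JKS,
        PATH_TO_SOFTWARE_KEYSTORE_JKS, SOFTWARE_KEYSTORE_PASSWORD);
    keyStoreConfig.validate();
    buildSoftwareKeyStore(keyStoreFactory, keyStoreConfig);

    // Without an HSM facade configured, its health status must be reported as unknown.
    Assert.assertEquals("Wrong HSM-Facade state",
        EaafKeyStoreFactory.HsmFacadeStatus.UNKNOWN, keyStoreFactory.checkHsmFacadeStatus());
  }

  /**
   * Reads trusted certificates and private keys from a software key store.
   *
   * <p>For the key lookups, the boolean flag passed to
   * {@code getPrivateKeyAndCertificates} decides whether an unknown alias or a wrong key
   * password yields {@code null} ({@code false}) or an {@link EaafKeyAccessException} with error
   * id internal.keystore.09 ({@code true}).
   */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void softwareKeyStoreAccessOperations() throws EaafException, KeyStoreException {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    final KeyStoreConfiguration keyStoreConfig = softwareKeyStoreConfig(KeyStoreType.JKS,
        PATH_TO_SOFTWARE_KEYSTORE_JKS_WITH_TRUSTED_CERTS, SOFTWARE_KEYSTORE_PASSWORD);
    keyStoreConfig.validate();
    final Pair<KeyStore, Provider> keyStore = buildSoftwareKeyStore(keyStoreFactory, keyStoreConfig);
    final KeyStore jks = keyStore.getFirst();
    final char[] keyPassword = SOFTWARE_KEYSTORE_PASSWORD.toCharArray();

    // read trusted certs
    final List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(jks);
    Assert.assertNotNull("Trusted certs", trustedCerts);
    Assert.assertEquals("Trusted certs size", 2, trustedCerts.size());

    // read existing priv. keys with the correct password
    final Pair privCred1 = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
        jks, "meta", keyPassword, true, "jUnit test");
    Assert.assertNotNull("Credential 1", privCred1);
    Assert.assertNotNull("Credential 1 priv. key", privCred1.getFirst());
    Assert.assertNotNull("Credential 1 certificate", privCred1.getSecond());

    final Pair privCred2 = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
        jks, "sig", keyPassword, true, "jUnit test");
    Assert.assertNotNull("Credential 2", privCred2);
    Assert.assertNotNull("Credential 2 priv. key", privCred2.getFirst());
    Assert.assertNotNull("Credential 2 certificate", privCred2.getSecond());

    // unknown alias and wrong password: null when the lookup is not mandatory ...
    final Pair privCred3 = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
        jks, "notexist", keyPassword, false, "jUnit test");
    Assert.assertNull("Credential 3", privCred3);

    final Pair privCred4 = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
        jks, "meta", "wrong".toCharArray(), false, "jUnit test");
    Assert.assertNull("Credential 4", privCred4);

    // ... and an EaafKeyAccessException when it is mandatory
    try {
      EaafKeyStoreUtils.getPrivateKeyAndCertificates(
          jks, "meta", "wrong".toCharArray(), true, "jUnit test");
      Assert.fail("Wrong password not detected");
    } catch (final EaafKeyAccessException e) {
      Assert.assertEquals("wrong errorcode", "internal.keystore.09", e.getErrorId());
    }

    try {
      EaafKeyStoreUtils.getPrivateKeyAndCertificates(
          jks, "wrong", keyPassword, true, "jUnit test");
      Assert.fail("Wrong alias not detected");
    } catch (final EaafKeyAccessException e) {
      Assert.assertEquals("wrong errorcode", "internal.keystore.09", e.getErrorId());
    }
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void softwareKeyStoreSuccessPkcs12() throws EaafException {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    final KeyStoreConfiguration keyStoreConfig = softwareKeyStoreConfig(KeyStoreType.PKCS12,
        PATH_TO_SOFTWARE_KEYSTORE_PKCS12, SOFTWARE_KEYSTORE_PASSWORD);
    keyStoreConfig.validate();
    buildSoftwareKeyStore(keyStoreFactory, keyStoreConfig);
  }

  // ---------------------------------------------------------------------------------------------
  // inline (PEM based) key stores
  // ---------------------------------------------------------------------------------------------

  /** An inline key store without a path is already rejected by validate() (internal.keystore.07). */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void inlineKeyStoreMissingPath() throws EaafException {
    factoryWithoutHsmFacade();
    final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
    keyStoreConfig.setKeyStoreType(KeyStoreType.INLINE);

    final EaafConfigurationException error = assertThrows("wrong exception",
        EaafConfigurationException.class, () -> keyStoreConfig.validate());
    Assert.assertEquals("wrong errorcode", "internal.keystore.07", error.getErrorId());
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void inlineKeyStoreSuccess() throws EaafException {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    final KeyStoreConfiguration keyStoreConfig = inlineKeyStoreConfig(
        "pkcs12:keystore?private=src/test/resources/data/certs/privateKey.pem"
            + "&cert=src/test/resources/data/certs/selfSignedCertificate.pem"
            + "&cert=src/test/resources/data/certs/issuingCa.pem&cert=certs/BRZStammCA201.pem");
    keyStoreConfig.validate();
    buildSoftwareKeyStore(keyStoreFactory, keyStoreConfig);
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void inlineKeyStoreEccSuccess() throws EaafException {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    final KeyStoreConfiguration keyStoreConfig = inlineKeyStoreConfig(
        "pkcs12:keystore?private=src/test/resources/data/certs/privateEcKey.pem"
            + "&cert=src/test/resources/data/certs/selfSignedEcCertificate.pem"
            + "&cert=src/test/resources/data/certs/issuingCa.pem&cert=certs/BRZStammCA201.pem");
    keyStoreConfig.validate();
    buildSoftwareKeyStore(keyStoreFactory, keyStoreConfig);
  }

  /** A missing private-key file passes validate() but fails at build time (internal.keystore.15). */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void inlineKeyStoreWrongKeys() throws EaafException {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    final KeyStoreConfiguration keyStoreConfig = inlineKeyStoreConfig(
        "pkcs12:keystore?private=src/test/resources/data/certs/privateNotExist.pem"
            + "&cert=src/test/resources/data/certs/selfSignedCertificate.pem"
            + "&cert=src/test/resources/data/certs/issuingCa.pem&cert=certs/BRZStammCA201.pem");
    keyStoreConfig.validate();

    final EaafConfigurationException error = assertThrows("wrong exception",
        EaafConfigurationException.class, () -> keyStoreFactory.buildNewKeyStore(keyStoreConfig));
    Assert.assertEquals("wrong errorcode", "internal.keystore.15", error.getErrorId());
  }

  // ---------------------------------------------------------------------------------------------
  // software symmetric keys
  // ---------------------------------------------------------------------------------------------

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void symmetricSoftwareKeyWithOutConfig() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    assertSymmetricKeyBuildFails(keyStoreFactory, symmetricKeyConfig(SymmetricKeyType.PASSPHRASE),
        EaafConfigurationException.class, "internal.key.00");
  }

  /** A passphrase without a salt is rejected. */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void symmetricSoftwareKeyWithOutSalt() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    final SymmetricKeyConfiguration keyConfig = symmetricKeyConfig(SymmetricKeyType.PASSPHRASE);
    keyConfig.setSoftKeyPassphrase(RandomStringUtils.randomAlphanumeric(10));
    assertSymmetricKeyBuildFails(keyStoreFactory, keyConfig,
        EaafConfigurationException.class, "internal.key.00");
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void symmetricSoftwareKeyValid() throws EaafException {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithoutHsmFacade();
    final SymmetricKeyConfiguration keyConfig = symmetricKeyConfig(SymmetricKeyType.PASSPHRASE);
    keyConfig.setSoftKeyPassphrase(RandomStringUtils.randomAlphanumeric(10));
    keyConfig.setSoftKeySalt(RandomStringUtils.randomAlphanumeric(10));

    // A software-derived key comes without a dedicated JCA provider.
    final Pair key = keyStoreFactory.buildNewSymmetricKey(keyConfig);
    Assert.assertNotNull("Key container is null", key);
    Assert.assertNotNull("Key is null", key.getFirst());
    Assert.assertNull("Provider is not null", key.getSecond());
  }

  // ---------------------------------------------------------------------------------------------
  // HSM facade configuration
  // ---------------------------------------------------------------------------------------------

  /** Without any HSM facade configuration the factory starts, but no facade is initialized. */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeNoHostConfig() {
    factoryWithoutHsmFacade();
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeOnlyHostConfig() {
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST,
        RandomStringUtils.randomNumeric(10));
    assertFactoryCreationFails();
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeMissingPort() {
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST,
        RandomStringUtils.randomNumeric(10));
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME,
        RandomStringUtils.randomAlphanumeric(10));
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD,
        RandomStringUtils.randomNumeric(10));
    assertFactoryCreationFails();
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeMissingUsername() {
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST,
        RandomStringUtils.randomNumeric(10));
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT,
        RandomStringUtils.randomNumeric(4));
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD,
        RandomStringUtils.randomNumeric(10));
    assertFactoryCreationFails();
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeMissingPassword() {
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST,
        RandomStringUtils.randomNumeric(10));
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT,
        RandomStringUtils.randomNumeric(4));
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME,
        RandomStringUtils.randomAlphanumeric(10));
    assertFactoryCreationFails();
  }

  /** A configured but non-existent TLS trust file must abort factory creation (internal.keystore.05). */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeMissingTrustedCertificateFile() {
    putHsmFacadeBaseConfig();
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST,
        "src/test/resources/data/notexist.crt");
    assertFactoryCreationFails("internal.keystore.05");
  }

  /** A trust file that is not a certificate must abort factory creation (internal.keystore.05). */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeMissingWrongTrustedCertificate() {
    putHsmFacadeBaseConfig();
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST,
        "src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml");
    assertFactoryCreationFails("internal.keystore.05");
  }

  /**
   * NOTE(review): this test also points SSLTRUST at the beans XML, exactly like
   * {@link #hsmFacadeMissingWrongTrustedCertificate()}, so the expected internal.keystore.05 may
   * be raised by the unusable trust file before the non-numeric gRPC deadline is ever parsed.
   * Confirm the deadline check is actually exercised (e.g. with PATH_TO_HSM_FACADE_TRUST_CERT).
   */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeWrongGrpcDeadlineParameter() {
    putHsmFacadeBaseConfig();
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST,
        "src/test/resources/spring/test_eaaf_pvp_lazy.beans.xml");
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_GRPC_DEADLINE,
        RandomStringUtils.randomAlphabetic(5));
    assertFactoryCreationFails("internal.keystore.05");
  }

  /** Ignored; presumably requires a reachable HSM facade to report status UP. */
  @Ignore
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeInitialized() {
    putHsmFacadeBaseConfig();
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST,
        PATH_TO_HSM_FACADE_TRUST_CERT);
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_GRPC_DEADLINE,
        RandomStringUtils.randomNumeric(2));

    final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class);
    Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized());
    Assert.assertEquals("Wrong HSM-Facade state",
        EaafKeyStoreFactory.HsmFacadeStatus.UP, keyStoreFactory.checkHsmFacadeStatus());
  }

  /**
   * The facade initializes without an SSLTRUST entry.
   *
   * <p>NOTE(review): the test only asserts that initialization succeeds; it does not show which
   * trust anchors the provider then uses for the TLS connection. Confirm that the absence of
   * SSLTRUST selects a default trust store rather than an unverified connection.
   */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeWithOutTrustedCertificate() {
    putHsmFacadeBaseConfig();
    final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class);
    Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized());
  }

  /** Removing the JCA provider after initialization must be reported as status DOWN. */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeHealthCheckNoProvider() {
    putHsmFacadeBaseConfig();
    mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST,
        PATH_TO_HSM_FACADE_TRUST_CERT);
    final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class);
    Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized());

    // Provider name used literally here; testSetup() removes it via
    // HsmFacadeProvider.getInstance().getName() — presumably the same name, verify if this fails.
    Security.removeProvider("HsmFacade");
    Assert.assertEquals("Wrong HSM-Facade state",
        EaafKeyStoreFactory.HsmFacadeStatus.DOWN, keyStoreFactory.checkHsmFacadeStatus());
  }

  /** A provider registered before the bean is created must be detected by the factory. */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeAlreadLoaded() {
    final HsmFacadeProvider provider = HsmFacadeProvider.getInstance();
    Security.addProvider(provider);

    final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class);
    Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized());
    Assert.assertEquals("Wrong HSM-Facade state",
        EaafKeyStoreFactory.HsmFacadeStatus.UP, keyStoreFactory.checkHsmFacadeStatus());
  }

  // ---------------------------------------------------------------------------------------------
  // HSM facade key stores and keys
  // ---------------------------------------------------------------------------------------------

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeKeyStoreNoKeyStoreName() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithHsmFacade();
    final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
    keyStoreConfig.setKeyStoreType(KeyStoreType.HSMFACADE);
    assertKeyStoreBuildFails(keyStoreFactory, keyStoreConfig,
        EaafConfigurationException.class, "internal.keystore.06");
  }

  /**
   * Builds an HSM-facade key store; unlike software key stores, a dedicated provider is expected
   * in the second pair element.
   */
  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void hsmFacadeKeyStoreSuccess() throws EaafException {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithHsmFacade();
    final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
    keyStoreConfig.setKeyStoreType(KeyStoreType.HSMFACADE);
    keyStoreConfig.setKeyStoreName("authhandler");
    keyStoreConfig.validate();

    try {
      final Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);
      Assert.assertNotNull("KeyStore container is null", keyStore);
      Assert.assertNotNull("KeyStore is null", keyStore.getFirst());
      Assert.assertNotNull("Provider is null", keyStore.getSecond());
    } catch (final StatusRuntimeException e) {
      // No HSM facade mock-up is available, so the gRPC call may fail in this environment.
      // Report the test as skipped instead of silently passing, so an unreachable backend is
      // visible in the test report rather than counted as a verified success.
      org.junit.Assume.assumeNoException("HSM facade not reachable", e);
    }
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void symmetricHsmFacadeKeyWithOutConfig() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithHsmFacade();
    assertSymmetricKeyBuildFails(keyStoreFactory, symmetricKeyConfig(SymmetricKeyType.HSMFACADE),
        EaafConfigurationException.class, "internal.keystore.06");
  }

  @Test
  @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD)
  public void symmetricHsmFacadeKeyWithOutKeyAlias() {
    final EaafKeyStoreFactory keyStoreFactory = factoryWithHsmFacade();
    SymmetricKeyConfiguration keyConfig = new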
SymmetricKeyConfiguration(); keyConfig.setFriendlyName("jUnit test"); keyConfig.setKeyType(SymmetricKeyType.HSMFACADE); keyConfig.setKeyStoreName("authhandler"); try { keyStoreFactory.buildNewSymmetricKey(keyConfig); Assert.fail("Wrong config not detected"); } catch (final EaafException e) { org.springframework.util.Assert.isInstanceOf(EaafConfigurationException.class, e, "Wong ExceptionType"); Assert.assertEquals("wrong errorCode", "internal.key.00", e.getErrorId()); } } @Test @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) public void symmetricHsmFacadeKeyWrongKeyAlias() { configureHsmFacade(); final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class); Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized()); SymmetricKeyConfiguration keyConfig = new SymmetricKeyConfiguration(); keyConfig.setFriendlyName("jUnit test"); keyConfig.setKeyType(SymmetricKeyType.HSMFACADE); keyConfig.setKeyStoreName("authhandler"); keyConfig.setKeyAlias("notExist"); try { keyStoreFactory.buildNewSymmetricKey(keyConfig); Assert.fail("Wrong config not detected"); } catch (final EaafException e) { org.springframework.util.Assert.isInstanceOf(EaafKeyAccessException.class, e, "Wong ExceptionType"); Assert.assertEquals("wrong errorCode", "internal.keystore.09", e.getErrorId()); } } @Test @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) public void symmetricHsmFacadeKeyValid() throws EaafException { configureHsmFacade(); final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class); Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized()); SymmetricKeyConfiguration keyConfig = new SymmetricKeyConfiguration(); keyConfig.setFriendlyName("jUnit test"); keyConfig.setKeyType(SymmetricKeyType.HSMFACADE); keyConfig.setKeyStoreName("authhandler"); keyConfig.setKeyAlias("aes-key-1"); Pair key = keyStoreFactory.buildNewSymmetricKey(keyConfig); Assert.assertNotNull("Key container 
is null", key); Assert.assertNotNull("Key is null", key.getFirst()); Assert.assertNotNull("Provider is null", key.getFirst()); } @Test @DirtiesContext(methodMode = MethodMode.BEFORE_METHOD) public void hsmFacadeKeyStoreSuccessASitTestFacade() throws EaafException, KeyStoreException { configureHsmFacade(); final EaafKeyStoreFactory keyStoreFactory = context.getBean(EaafKeyStoreFactory.class); Assert.assertTrue("HSM Facade state wrong", keyStoreFactory.isHsmFacadeInitialized()); Assert.assertEquals("Wrong HSM-Facade state", EaafKeyStoreFactory.HsmFacadeStatus.UP, keyStoreFactory.checkHsmFacadeStatus()); final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration(); keyStoreConfig.setKeyStoreType(KeyStoreType.HSMFACADE); keyStoreConfig.setKeyStoreName("authhandler"); keyStoreConfig.validate(); final Pair keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig); Assert.assertNotNull("KeyStore is null", keyStore); Assert.assertNotNull("KeyStore is null", keyStore.getFirst()); Assert.assertNotNull("KeyStore is null", keyStore.getSecond()); //read trusted certs final List trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore( keyStore.getFirst()); Assert.assertNotNull("Trusted certs", trustedCerts); Assert.assertEquals("Trusted certs size", 0, trustedCerts.size()); //read priv. key final Pair privCred1 = EaafKeyStoreUtils.getPrivateKeyAndCertificates( keyStore.getFirst(), HSM_FACADE_KEY_ALIAS, null, true, "jUnit test"); Assert.assertNotNull("Credential 1", privCred1); Assert.assertNotNull("Credential 1 priv. key", privCred1.getFirst()); Assert.assertNotNull("Credential 1 certificate", privCred1.getSecond()); //read priv. key final Pair privCred2 = EaafKeyStoreUtils.getPrivateKeyAndCertificates( keyStore.getFirst(), HSM_FACADE_KEY_ALIAS, "shouldBeIgnord".toCharArray(), true, "jUnit test"); Assert.assertNotNull("Credential 2", privCred2); Assert.assertNotNull("Credential 2 priv. 
key", privCred2.getFirst()); Assert.assertNotNull("Credential 2 certificate", privCred2.getSecond()); try { EaafKeyStoreUtils.getPrivateKeyAndCertificates( keyStore.getFirst(), "notExist", "wrong".toCharArray(), true, "jUnit test"); Assert.fail("Wrong password not detected"); } catch (final EaafKeyAccessException e) { Assert.assertEquals("wrong errorcode", "internal.keystore.09", e.getErrorId()); } } private void configureHsmFacade() { mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_HOST, HSM_FACASE_HOST); mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_PORT, HSM_FACASE_PORT); mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_SSLTRUST, HSM_FACASE_SSL_TRUST); mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME, HSM_FACASE_USERNAME); mapConfig.putConfigValue(EaafKeyStoreFactory.CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD, HSM_FACASE_PASSWORD); } private void checkMissingConfigException(Exception e) { checkMissingConfigException(e, "internal.keystore.04"); } private void checkMissingConfigException(Exception e, String errorCode) { final Optional eaafException = FluentIterable.from( Throwables.getCausalChain(e)).filter( Predicates.instanceOf(EaafConfigurationException.class)).first(); Assert.assertTrue("Wrong exception", eaafException.isPresent()); Assert.assertEquals("Wrong errorCode", errorCode, ((EaafException) eaafException.get()).getErrorId()); } }