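package at.gv.egiz.eaaf.core.test.utils;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThrows;

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;

import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.RandomStringUtils;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.lang.JoseException;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.impl.utils.JoseUtils;
import at.gv.egiz.eaaf.core.impl.utils.JoseUtils.JwsResult;
import iaik.security.ec.provider.ECCelerate;
import iaik.security.provider.IAIK;
import lombok.SneakyThrows;

/**
 * jUnit tests for {@link JoseUtils} JWS signature creation and validation.
 *
 * <p>The binding-auth tests validate a static JWS fixture against a static trusted certificate;
 * the key-store test signs fresh content with a key from the software key store and validates it
 * against the certificates read back from that store.</p>
 */
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration("/spring/test_eaaf_pvp_lazy.beans.xml")
public class JoseUtilsTest {

  /** Signing algorithms that are permitted when validating a binding-auth JWS. */
  private static final List<String> BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING =
      Collections.unmodifiableList(Arrays.asList(
          AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256,
          AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512,
          AlgorithmIdentifiers.RSA_PSS_USING_SHA256,
          AlgorithmIdentifiers.RSA_PSS_USING_SHA512));

  /** Class-path location of the serialized JWS fixture. */
  private static final String BINDING_AUTH_JWS_RESOURCE = "/data/bindingAuth1.jws";

  /** Class-path location of the certificate that signed {@link #BINDING_AUTH_JWS_RESOURCE}. */
  private static final String BINDING_AUTH_CERT_RESOURCE = "/data/bindingAuth1.crt";

  private static final String PATH_TO_SOFTWARE_KEYSTORE_JKS = "src/test/resources/data/junit.jks";
  private static final String SOFTWARE_KEYSTORE_PASSWORD = "password";

  /** Alias of the signing key inside the software key store. */
  private static final String SOFTWARE_KEY_ALIAS = "meta";

  /** Password of the signing key (distinct from the key-store password, even if equal here). */
  private static final String SOFTWARE_KEY_PASSWORD = "password";

  @Autowired
  EaafKeyStoreFactory keyStoreFactory;

  /**
   * jUnit test class initializer.
   */
  @BeforeClass
  public static final void classInitializer() {
    IAIK.addAsProvider();
    ECCelerate.addAsProvider();
  }

  /**
   * jUnit test class cleaner.
   */
  @AfterClass
  public static final void classFinisher() {
    Security.removeProvider(IAIK.getInstance().getName());
    Security.removeProvider(ECCelerate.getInstance().getName());
  }

  /**
   * Validates the binding-auth JWS fixture without the certificate-validity check.
   *
   * <p>Note: {@link #verifyJwsInvalidCertificate()} shows that the same fixture is rejected once the
   * validity-period check is requested, so this test appears to cover only signature and
   * signer-certificate matching, not certificate validity.</p>
   */
  @Test
  public void testBindingAuthBlock() throws JoseException, IOException, CertificateException,
      NoSuchProviderException {
    final String serializedContent = loadBindingAuthJws();
    final iaik.x509.X509Certificate trustedCert = loadBindingAuthCert();
    final List<X509Certificate> trustedCerts = Collections.singletonList(trustedCert);

    final JwsResult result = JoseUtils.validateSignature(serializedContent, trustedCerts,
        permittedSigningAlgorithms());

    Assert.assertNotNull("JWS verify result", result);
    Assert.assertTrue("JWS not valid", result.isValid());
    Assert.assertNotNull("JWS payload", result.getPayLoad());
    Assert.assertNotNull("JWS Headers", result.getFullJoseHeader());
    Assert.assertNotNull("JWS Signercerts", result.getX5cCerts());
    Assert.assertEquals("Signercerts size", 1, result.getX5cCerts().size());
    // The x5c certificate returned by the validator must be the trusted certificate itself.
    Assert.assertArrayEquals("Signercerts", trustedCert.getEncoded(),
        result.getX5cCerts().get(0).getEncoded());
  }

  /**
   * Requests the certificate-validity check on the binding-auth fixture and expects rejection,
   * because the fixture's signing certificate is outside its validity period.
   */
  @Test
  public void verifyJwsInvalidCertificate() throws JoseException, IOException, CertificateException,
      NoSuchProviderException {
    final String serializedContent = loadBindingAuthJws();
    final List<X509Certificate> trustedCerts = Collections.singletonList(loadBindingAuthCert());
    final AlgorithmConstraints constraints = permittedSigningAlgorithms();

    final JoseException error = assertThrows("wrong exception", JoseException.class,
        () -> JoseUtils.validateSignature(serializedContent, trustedCerts, constraints, true));
    assertEquals("JOSE signing-certificate is not in validity periode", error.getMessage());
  }

  /**
   * Signs random content with the software key store and validates it, including the
   * certificate-validity check, against the certificates read back from the same store.
   */
  @Test
  @SneakyThrows
  public void verifyJwsValidCertificate() throws JoseException, IOException, CertificateException,
      NoSuchProviderException {
    final KeyStoreConfiguration keyStoreConfig = new KeyStoreConfiguration();
    keyStoreConfig.setKeyStoreType(KeyStoreType.JKS);
    keyStoreConfig.setSoftKeyStoreFilePath(PATH_TO_SOFTWARE_KEYSTORE_JKS);
    keyStoreConfig.setSoftKeyStorePassword(SOFTWARE_KEYSTORE_PASSWORD);
    final Pair<KeyStore, Provider> keyStore = keyStoreFactory.buildNewKeyStore(keyStoreConfig);

    final String jws = JoseUtils.createSignature(keyStore, SOFTWARE_KEY_ALIAS,
        SOFTWARE_KEY_PASSWORD.toCharArray(), RandomStringUtils.randomAlphanumeric(10), false,
        "jUnit");

    final List<X509Certificate> trustedCertificates =
        EaafKeyStoreUtils.readCertsFromKeyStore(keyStore.getFirst());
    // Validation with the validity check enabled must not throw for a freshly issued test key.
    JoseUtils.validateSignature(jws, trustedCertificates, permittedSigningAlgorithms(), true);
  }

  /** Builds PERMIT constraints from {@link #BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING}. */
  private static AlgorithmConstraints permittedSigningAlgorithms() {
    return new AlgorithmConstraints(ConstraintType.PERMIT,
        BINDING_AUTH_ALGORITHM_WHITELIST_SIGNING.toArray(new String[0]));
  }

  /** Reads the serialized JWS fixture as UTF-8, closing the resource stream afterwards. */
  private static String loadBindingAuthJws() throws IOException {
    try (InputStream in = openResource(BINDING_AUTH_JWS_RESOURCE)) {
      return IOUtils.toString(in, "UTF-8");
    }
  }

  /** Parses the binding-auth signer certificate, closing the resource stream afterwards. */
  private static iaik.x509.X509Certificate loadBindingAuthCert()
      throws IOException, CertificateException {
    try (InputStream in = openResource(BINDING_AUTH_CERT_RESOURCE)) {
      return new iaik.x509.X509Certificate(in);
    }
  }

  /**
   * Opens a class-path resource relative to {@link JoseUtils}.
   *
   * @throws NullPointerException with the resource path if the fixture is missing, instead of a
   *     bare NPE further down in the parser
   */
  private static InputStream openResource(final String path) {
    return Objects.requireNonNull(JoseUtils.class.getResourceAsStream(path),
        "missing test resource: " + path);
  }
}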