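package at.gv.egiz.eaaf.modules.auth.sl20.utils;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThrows;

import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.cert.X509Certificate;

import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jose4j.jca.ProviderContext;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.lang.JoseException;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.impl.utils.JoseUtils;

/**
 * JSON security tests that load signing and encryption keys from an HSM-facade key store
 * ({@link KeyStoreType#HSMFACADE}, key store name {@code eid-junit}) instead of a software
 * key store.
 *
 * <p>Key aliases are fixed to {@code rsa-key-1} / {@code ec-key-1}; the key-password accessors
 * return an empty string because the HSM facade does not take a per-key password here. The
 * inherited test cases come from {@link AbstractJsonSecurityUtilsTest}; this class only adds the
 * wrong-decryption-key case.
 */
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
public class JsonSecurityUtilsHsmKeyTest extends AbstractJsonSecurityUtilsTest {

  /** Alias of the RSA key in the HSM test key store. */
  private static final String RSA_KEY_ALIAS = "rsa-key-1";

  /** Alias of the EC key in the HSM test key store. */
  private static final String EC_KEY_ALIAS = "ec-key-1";

  /**
   * Initialize jUnit test: pin the signature algorithms so the inherited tests are deterministic.
   */
  @Before
  public void initialize() {
    config.putConfigValue("modules.sl20.security.sigalg.rsa", "RS256");
    config.putConfigValue("modules.sl20.security.sigalg.ecc", "ES256");
  }

  /**
   * Encrypts a payload for the HSM-backed RSA key and then tries to decrypt the JWE with an
   * unrelated software key.
   *
   * <p>The expected outcome is a {@link JoseException} from the RSA-OAEP-256 key unwrap, i.e. the
   * wrong private key must not be able to recover the content-encryption key. The exact message is
   * asserted so that a change in jose4j's failure reporting is noticed.
   *
   * @throws JoseException on unexpected JWE processing errors
   * @throws EaafException if a key store or key cannot be loaded
   */
  @Test
  public void encryptionRsaWithWrongDecryptionKey() throws JoseException, EaafException {
    final String payLoad = "{\"aac\":\"" + RandomStringUtils.randomAlphanumeric(100) + "\"}";

    // Encrypt for the HSM key: the JWE recipient key is the public key of its certificate.
    final Pair<KeyStore, Provider> rsaEncKeyStore = getEncryptionKeyStore();
    final Pair<Key, X509Certificate[]> key = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
        rsaEncKeyStore.getFirst(), getRsaKeyAlias(), getRsaKeyPassword().toCharArray(), true,
        "jUnit RSA JWE");

    final JsonWebEncryption jwe = new JsonWebEncryption();
    jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256);
    jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
    jwe.setKey(key.getSecond()[0].getPublicKey());
    jwe.setPayload(payLoad);

    // Set the key store's own provider for the supplied key, if the key store declares one.
    // NOTE(review): encryption only uses the public key, so the signature-provider hint is
    // presumably irrelevant here; kept as in the original set-up.
    if (rsaEncKeyStore.getSecond() != null) {
      final ProviderContext providerCtx = new ProviderContext();
      providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
          rsaEncKeyStore.getSecond().getName());
      jwe.setProviderContext(providerCtx);
    }

    final String encData = jwe.getCompactSerialization();
    Assert.assertNotNull("JWE", encData);

    // Decrypt it again, but with a key from a different (software) key store.
    final Pair<KeyStore, Provider> wrongKeyStore = buildWrongKeyStore();
    final Pair<Key, X509Certificate[]> wrongKey = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
        wrongKeyStore.getFirst(), "meta", "password".toCharArray(), true, "jUnit RSA JWE");

    final JsonWebEncryption jweDecrypt = new JsonWebEncryption();
    jweDecrypt.setCompactSerialization(encData);
    jweDecrypt.setKey(JoseUtils.convertToBcKeyIfRequired(wrongKey.getFirst()));
    jweDecrypt.setProviderContext(decryptionProviderContext(wrongKeyStore.getSecond()));

    final JoseException error = assertThrows("wrong exception", JoseException.class,
        jweDecrypt::getPayload);
    assertEquals("wrong errorMsg", "RSA-OAEP-256 key unwrap/decrypt failed.", error.getMessage());
  }

  /**
   * Builds the software JKS key store that holds the deliberately wrong decryption key.
   *
   * @return key store plus its provider (the provider may be {@code null} for a software store)
   * @throws EaafException if the key store cannot be opened
   */
  private Pair<KeyStore, Provider> buildWrongKeyStore() throws EaafException {
    final KeyStoreConfiguration keyConfig = new KeyStoreConfiguration();
    keyConfig.setFriendlyName("Junit Enc Key Rsa");
    keyConfig.setKeyStoreType(KeyStoreType.JKS);
    keyConfig.setSoftKeyStoreFilePath("src/test/resources/data/junit.jks");
    keyConfig.setSoftKeyStorePassword("password");
    return keyStoreFactory.buildNewKeyStore(keyConfig);
  }

  /**
   * Builds the jose4j provider context used for decryption: the general provider is always
   * BouncyCastle, and when the key store that supplied the private key declares its own
   * {@link Provider}, operations on the supplied key are routed to that provider.
   *
   * <p>Previously the supplied-key provider was taken from the encryption key store although the
   * decryption key comes from a different store; the provider of the key's own store is used now.
   *
   * @param keyStoreProvider provider of the key store the decryption key was loaded from, may be
   *        {@code null}
   * @return provider context to set on the decrypting {@link JsonWebEncryption}
   */
  private static ProviderContext decryptionProviderContext(final Provider keyStoreProvider) {
    final ProviderContext providerCtx = new ProviderContext();
    if (keyStoreProvider != null) {
      providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(keyStoreProvider.getName());
    }
    providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
    return providerCtx;
  }

  @Override
  protected void setRsaSigningKey() {
    config.putConfigValue("modules.sl20.security.sign.alias", RSA_KEY_ALIAS);
  }

  @Override
  protected void setEcSigningKey() {
    config.putConfigValue("modules.sl20.security.sign.alias", EC_KEY_ALIAS);
  }

  @Override
  protected void setRsaEncryptionKey() {
    config.putConfigValue("modules.sl20.security.encryption.alias", RSA_KEY_ALIAS);
  }

  @Override
  protected void setEcEncryptionKey() {
    config.putConfigValue("modules.sl20.security.encryption.alias", EC_KEY_ALIAS);
  }

  /**
   * Opens the HSM-facade key store used for the encryption tests.
   *
   * @return key store plus the provider the HSM facade registers for it
   * @throws EaafException if the HSM key store cannot be opened
   */
  @Override
  protected Pair<KeyStore, Provider> getEncryptionKeyStore() throws EaafException {
    final KeyStoreConfiguration keyConfig = new KeyStoreConfiguration();
    keyConfig.setFriendlyName("Junit Enc Key Rsa");
    keyConfig.setKeyStoreType(KeyStoreType.HSMFACADE);
    keyConfig.setKeyStoreName("eid-junit");
    return keyStoreFactory.buildNewKeyStore(keyConfig);
  }

  @Override
  protected String getRsaKeyAlias() {
    return RSA_KEY_ALIAS;
  }

  /** HSM keys are addressed by alias only; no per-key password is used. */
  @Override
  protected String getRsaKeyPassword() {
    return StringUtils.EMPTY;
  }

  @Override
  protected String getEcKeyAlias() {
    return EC_KEY_ALIAS;
  }

  /** HSM keys are addressed by alias only; no per-key password is used. */
  @Override
  protected String getEcKeyPassword() {
    return StringUtils.EMPTY;
  }
}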