From c33e1e09146d12785234628c555b92d1bfa6d2ac Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Wed, 24 Jan 2024 14:57:39 +0100
Subject: test(signing): add integration test that uses a PKCS11 key

Info: this test only run on local machine because it uses a Yubikey 5 PIV as HSM
---
 .../test/integration/CadesIntegrationHsmTest.java  | 131 ++++++++++++++++++++
 .../moaspss_config/MOASPSSConfiguration_HSM.xml    | 133 +++++++++++++++++++++
 .../resources/testdata/cades/createCades_1_hw.xml  |  15 +++
 3 files changed, 279 insertions(+)
 create mode 100644 moaSig/moa-sig/src/test/java/at/gv/egovernment/moa/spss/test/integration/CadesIntegrationHsmTest.java
 create mode 100644 moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_HSM.xml
 create mode 100644 moaSig/moa-sig/src/test/resources/testdata/cades/createCades_1_hw.xml

diff --git a/moaSig/moa-sig/src/test/java/at/gv/egovernment/moa/spss/test/integration/CadesIntegrationHsmTest.java b/moaSig/moa-sig/src/test/java/at/gv/egovernment/moa/spss/test/integration/CadesIntegrationHsmTest.java
new file mode 100644
index 0000000..4777c59
--- /dev/null
+++ b/moaSig/moa-sig/src/test/java/at/gv/egovernment/moa/spss/test/integration/CadesIntegrationHsmTest.java
@@ -0,0 +1,131 @@
+package at.gv.egovernment.moa.spss.test.integration;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+
+import java.io.IOException;
+import java.lang.reflect.Field;
+
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.apache.commons.lang3.RandomStringUtils;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.BlockJUnit4ClassRunner;
+import org.w3c.dom.Element;
+import org.xml.sax.SAXException;
+
+import at.gv.egovernment.moa.spss.MOAException;
+import at.gv.egovernment.moa.spss.api.cmssign.CMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmssign.CreateCMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureRequest;
+import at.gv.egovernment.moa.spss.api.cmsverify.VerifyCMSSignatureResponse;
+import at.gv.egovernment.moa.spss.api.xmlbind.CreateCMSSignatureRequestParser;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationException;
+import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
+import at.gv.egovernment.moa.spss.server.init.SystemInitializer;
+import at.gv.egovernment.moa.spss.server.invoke.CMSSignatureCreationInvoker;
+import at.gv.egovernment.moa.spss.server.invoke.CMSSignatureVerificationInvoker;
+import at.gv.egovernment.moa.spss.tsl.TSLServiceFactory;
+import at.gv.egovernment.moaspss.util.DOMUtils;
+import iaik.pki.Configurator;
+import iaik.pki.PKIFactory;
+
+@RunWith(BlockJUnit4ClassRunner.class)
+@Ignore
+public class CadesIntegrationHsmTest extends AbstractIntegrationTest {
+
+  CMSSignatureVerificationInvoker verifyCadesInvoker;
+  private CMSSignatureCreationInvoker signCadesInvoker;
+
+  @BeforeClass
+  public static void classInitializer() throws IOException, ConfigurationException,
+      NoSuchFieldException, SecurityException, IllegalArgumentException, IllegalAccessException {
+    jvmStateReset();
+
+    // System.setProperty("java.library.path",
+    // "/home/tlenz/Projekte/moa-id/release/moa-id-auth-3.0.0/pkcs11/linux");
+    // System.setProperty("java.library.path",
+    // "/usr/lib/x86_64-linux-gnu/libykcs11.so");
+
+    final String current = new java.io.File(".").getCanonicalPath();
+    System.setProperty("moa.spss.server.configuration",
+        current + "/src/test/resources/moaspss_config/MOASPSSConfiguration_HSM.xml");
+    moaSpssCore = SystemInitializer.init();
+
+  }
+
+  @AfterClass
+  public static void classReset() throws NoSuchFieldException,
+      SecurityException, IllegalArgumentException, IllegalAccessException {
+
+    // reset TSL client
+    final Field field1 = TSLServiceFactory.class.getDeclaredField("tslClient");
+    field1.setAccessible(true);
+    field1.set(null, null);
+
+    final Field field2 = ConfigurationProvider.class.getDeclaredField("instance");
+    field2.setAccessible(true);
+    field2.set(null, null);
+
+    final Field field3 = PKIFactory.class.getDeclaredField("instance_");
+    field3.setAccessible(true);
+    field3.set(null, null);
+
+    final Field field4 = Configurator.class.getDeclaredField("C");
+    field4.setAccessible(true);
+    field4.set(null, false);
+
+  }
+
+  @Before
+  public void initializer() throws ConfigurationException {
+    verifyCadesInvoker = CMSSignatureVerificationInvoker.getInstance();
+    signCadesInvoker = CMSSignatureCreationInvoker.getInstance();
+
+    setUpContexts(RandomStringUtils.randomAlphabetic(10));
+
+  }
+
+  @Test
+  public void simpleCadesCreationHW() throws MOAException, ParserConfigurationException, SAXException,
+      IOException {
+    // build request
+    final Element cadesReqXml = DOMUtils.parseXmlNonValidating(
+        CadesIntegrationHsmTest.class.getResourceAsStream("/testdata/cades/createCades_1_hw.xml"));
+    final CreateCMSSignatureRequest cadesReq = new CreateCMSSignatureRequestParser().parse(cadesReqXml);
+
+    // perform test
+    final CreateCMSSignatureResponse cadesResp = signCadesInvoker.createCMSSignature(cadesReq, null);
+
+    // validate response
+    assertNotNull("cadesResp", cadesResp);
+    assertNotNull("cadesResp elements", cadesResp.getResponseElements());
+    assertFalse("cadesResp elements", cadesResp.getResponseElements().isEmpty());
+
+    final CMSSignatureResponse cades = (CMSSignatureResponse) cadesResp.getResponseElements().get(0);
+    assertNotNull("cades Sig.", cades.getCMSSignature());
+
+    // signature
+    final VerifyCMSSignatureRequest request = buildVerfifyCmsRequest(
+        org.apache.commons.codec.binary.Base64.decodeBase64(cades.getCMSSignature()),
+        "jUnitSigning",
+        false,
+        true);
+
+    // perform test
+    final VerifyCMSSignatureResponse result = verifyCadesInvoker.verifyCMSSignature(request);
+
+    // verify result
+    assertNotNull("verification result", result);
+    assertEquals("wrong result size", 1, result.getResponseElements().size());
+
+  }
+
+}
diff --git a/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_HSM.xml b/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_HSM.xml
new file mode 100644
index 0000000..f36ed6a
--- /dev/null
+++ b/moaSig/moa-sig/src/test/resources/moaspss_config/MOASPSSConfiguration_HSM.xml
@@ -0,0 +1,133 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--MOA SPSS 1.3 Configuration File created by MOA SPSS Configuration Mapper-->
+<cfg:MOAConfiguration xmlns:cfg="http://reference.e-government.gv.at/namespace/moaconfig/20021122#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+<cfg:Common>
+		<cfg:PermitExternalUris>
+			<cfg:BlackListUri>
+				<cfg:IP>192.168</cfg:IP>
+			</cfg:BlackListUri>			
+		</cfg:PermitExternalUris>
+	</cfg:Common>
+  
+  <cfg:SignatureCreation>
+		<cfg:KeyModules>
+      <cfg:SoftwareKeyModule>
+				<cfg:Id>SKM_junit</cfg:Id>
+				<cfg:FileName>keys/junit_signing.p12</cfg:FileName>
+				<cfg:Password>nichts</cfg:Password>
+			</cfg:SoftwareKeyModule>
+      <cfg:HardwareKeyModule>
+				<cfg:Id>SKM_junit_HW</cfg:Id>
+				<cfg:Name>/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so</cfg:Name>
+				<cfg:SlotId>4</cfg:SlotId>
+				<cfg:UserPIN>149625</cfg:UserPIN>
+			</cfg:HardwareKeyModule>			
+		</cfg:KeyModules>
+    <cfg:KeyGroup>
+			<cfg:Id>KG_junit</cfg:Id>
+			<cfg:Key>
+				<cfg:KeyModuleId>SKM_junit</cfg:KeyModuleId>
+				<cfg:KeyCertIssuerSerial>
+					<dsig:X509IssuerName>CN=MOA-SPSS signing,OU=jUnit Tests,O=EGIZ,C=AT</dsig:X509IssuerName> 
+          <dsig:X509SerialNumber>1619541256</dsig:X509SerialNumber>
+				</cfg:KeyCertIssuerSerial>
+			</cfg:Key>
+		</cfg:KeyGroup>
+		<cfg:KeyGroup>
+			<cfg:Id>KG_junit_HW</cfg:Id>
+			<cfg:Key>
+				<cfg:KeyModuleId>SKM_junit_HW</cfg:KeyModuleId>
+				<cfg:KeyCertIssuerSerial>
+					<dsig:X509IssuerName>CN=tlenz</dsig:X509IssuerName> 
+          <dsig:X509SerialNumber>617051910742288176146451931650085354803420689033</dsig:X509SerialNumber>
+				</cfg:KeyCertIssuerSerial>
+			</cfg:Key>
+		</cfg:KeyGroup>		
+    <cfg:KeyGroupMapping>
+			<cfg:KeyGroupId>KG_junit</cfg:KeyGroupId>
+			<cfg:KeyGroupId>KG_junit_HW</cfg:KeyGroupId>
+		</cfg:KeyGroupMapping>
+		<cfg:XMLDSig>
+      <cfg:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</cfg:CanonicalizationAlgorithm>
+			<cfg:DigestMethodAlgorithm>http://www.w3.org/2000/09/xmldsig#sha256</cfg:DigestMethodAlgorithm>
+		</cfg:XMLDSig>
+	</cfg:SignatureCreation>
+  
+	<cfg:SignatureVerification>
+		<cfg:CertificateValidation>			
+			<cfg:ConnectionTimeout>10</cfg:ConnectionTimeout>
+			<cfg:ReadTimeout>10</cfg:ReadTimeout>			
+			<cfg:PathConstruction>
+				<cfg:AutoAddCertificates>true</cfg:AutoAddCertificates>
+				<cfg:AutoAddEECertificates>false</cfg:AutoAddEECertificates>
+				<cfg:UseAuthorityInformationAccess>true</cfg:UseAuthorityInformationAccess>
+				<cfg:CertificateStore>
+					<cfg:DirectoryStore>
+						<cfg:Location>certstore</cfg:Location>
+					</cfg:DirectoryStore>
+				</cfg:CertificateStore>
+			</cfg:PathConstruction>
+			<cfg:PathValidation>
+				<cfg:ChainingMode>
+					<cfg:DefaultMode>pkix</cfg:DefaultMode>
+					<cfg:TrustAnchor>
+						<cfg:Identification>
+							<dsig:X509IssuerName>CN=A-Trust-nQual-0,OU=A-Trust-nQual-0,O=A-Trust,C=AT</dsig:X509IssuerName>
+							<dsig:X509SerialNumber>536</dsig:X509SerialNumber>
+						</cfg:Identification>
+						<cfg:Mode>chaining</cfg:Mode>
+					</cfg:TrustAnchor>
+					<cfg:TrustAnchor>
+             <cfg:Identification>
+               <dsig:X509IssuerName>C=AT,O=Hauptverband österr. Sozialvers.,CN=Root-CA 1</dsig:X509IssuerName>
+               <dsig:X509SerialNumber>376503867878755617282523408360935024869</dsig:X509SerialNumber>
+             </cfg:Identification>
+             <cfg:Mode>chaining</cfg:Mode>
+          </cfg:TrustAnchor>
+				</cfg:ChainingMode>
+				<cfg:TrustProfile>
+					<cfg:Id>MOAIDBuergerkarteAuthentisierungsDaten</cfg:Id>
+					<cfg:TrustAnchorsLocation>trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenOhneTestkarten</cfg:TrustAnchorsLocation>
+				</cfg:TrustProfile>
+				<cfg:TrustProfile>
+					<cfg:Id>MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten</cfg:Id>
+					<cfg:TrustAnchorsLocation>trustProfiles/MOAIDBuergerkarteAuthentisierungsDatenMitTestkarten</cfg:TrustAnchorsLocation>
+				</cfg:TrustProfile>
+				<cfg:TrustProfile>
+					<cfg:Id>jUnitSigning</cfg:Id>
+					<cfg:TrustAnchorsLocation>trustProfiles/jUnitSigning</cfg:TrustAnchorsLocation>
+				</cfg:TrustProfile>        
+			</cfg:PathValidation>
+			<cfg:RevocationChecking>
+				<cfg:EnableChecking>false</cfg:EnableChecking>
+				<cfg:MaxRevocationAge>0</cfg:MaxRevocationAge>
+				<cfg:ServiceOrder>
+                             <cfg:Service>CRL</cfg:Service>
+                             <cfg:Service>OCSP</cfg:Service>
+                           </cfg:ServiceOrder>
+                           <cfg:Archiving>
+					<cfg:EnableArchiving>false</cfg:EnableArchiving>
+					<cfg:ArchiveDuration>365</cfg:ArchiveDuration>
+					<cfg:Archive>
+						<cfg:DatabaseArchive>
+							<cfg:JDBCURL>jdbc:url</cfg:JDBCURL>
+							<cfg:JDBCDriverClassName>fully.qualified.classname</cfg:JDBCDriverClassName>
+						</cfg:DatabaseArchive>
+					</cfg:Archive>
+				</cfg:Archiving>
+			</cfg:RevocationChecking>
+		</cfg:CertificateValidation>				
+    	<cfg:VerifyTransformsInfoProfile>
+			<cfg:Id>SL20Authblock_v1.0</cfg:Id>
+			<cfg:Location>profiles/SL20_authblock_v1.0.xml</cfg:Location>      
+		</cfg:VerifyTransformsInfoProfile>		
+		<cfg:VerifyTransformsInfoProfile>
+			<cfg:Id>SL20Authblock_v1.0_SIC</cfg:Id>
+			<cfg:Location>profiles/SL20_authblock_v1.0_SIC.xml</cfg:Location>      
+		</cfg:VerifyTransformsInfoProfile>
+    <cfg:VerifyTransformsInfoProfile>
+			<cfg:Id>SL20Authblock_v1.0_OWN</cfg:Id>
+			<cfg:Location>profiles/SL20_authblock_v1.0_own.xml</cfg:Location>      
+		</cfg:VerifyTransformsInfoProfile>    	
+	</cfg:SignatureVerification>
+</cfg:MOAConfiguration>
diff --git a/moaSig/moa-sig/src/test/resources/testdata/cades/createCades_1_hw.xml b/moaSig/moa-sig/src/test/resources/testdata/cades/createCades_1_hw.xml
new file mode 100644
index 0000000..08234fb
--- /dev/null
+++ b/moaSig/moa-sig/src/test/resources/testdata/cades/createCades_1_hw.xml
@@ -0,0 +1,15 @@
+<ns:CreateCMSSignatureRequest xmlns:ns="http://reference.e-government.gv.at/namespace/moa/20020822#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+		<ns:KeyIdentifier>KG_junit_HW</ns:KeyIdentifier>
+		<ns:SingleSignatureInfo SecurityLayerConformity="false" PAdESConformity="false">
+			<ns:DataObjectInfo Structure="enveloping">
+				<ns:DataObject>
+					<ns:MetaInfo>
+            <ns:MimeType>application/securitylayer2+json</ns:MimeType>
+          </ns:MetaInfo>
+          <ns:Content>
+            <ns:Base64Content>ew0KICAiYXBwSWQiOiAiaHR0cHM6Ly9kZW1vU1AiLA0KICAiZnJpZW5kbHlOYW1lIjogIkZpcnN0IERlbW8gU1AiLA0KICAiY291bnRyeUNvZGUiOiAiQVQiLA0KICAiYXV0aCI6IHsNCiAgICAicHJvY2Vzc0lkIjogImFhYmJjY2RkZWVmZjEyMzQiLA0KICAgICJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjI2MS45MCI6ICIxMWFhMjJiYjMzY2M0NGVlIg0KICB9LA0KICAiYXR0cmlidXRlcyI6IHsNCiAgICAidXJuOm9pZDoxLjIuNDAuMC4xMC4yLjEuMS4yNjEuMjAiOiAiTmFjaG5hbWUiLA0KICAgICJ1cm46b2lkOjIuNS40LjQyIjogIlZvcm5hbWUiLA0KICAgICJ1cm46b2lkOjEuMi40MC4wLjEwLjIuMS4xLjU1IjogIkdlYnVydHNkYXR1bSIsDQogICAgInVybjpvaWQ6MS4yLjQwLjAuMTAuMi4xLjEuMTQ5IjogIkJlcmVpY2hzc3BlemlmaXNjaGVzIFBlcnNvbmVua2VubnplaWNoZW4iDQogIH0sDQogICJjb25zdHJhaW5zIjogew0KICAgICJ2YWxpZEZyb20iOiAiMjAxOS0wNC0yOVQwODo1MDo1Ni40NTBaIiwNCiAgICAidmFsaWRUbyI6ICIyMDE5LTA0LTI5VDA5OjUwOjU2LjQ1MFoiDQogIH0sDQogICJ2aWV3Ijogew0KICAgICJ0ZW1wbGF0ZVVSSSI6ICJ3d3cuaGFuZHktc2lnbmF0dXIuYXQvc2VjdXJpdHlsYXllcjIvdGVtcGxhdGUvMjM3NCIsDQogICAgImhhc2hUZW1wbGF0ZSI6ICJBZDkxMmphaGdsYXNkPSINCiAgfQ0KfQ==</ns:Base64Content>
+          </ns:Content>				
+				</ns:DataObject>			
+			</ns:DataObjectInfo>
+		</ns:SingleSignatureInfo>
+	</ns:CreateCMSSignatureRequest>
-- 
cgit v1.2.3