EPA-111: Fixed tests

oviva-ag · May 14, 2024 · 3052e4f · 3052e4f
1 parent e232089
commit 3052e4f
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 28 deletions.
diff --git a/ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/util/TlsContext.java b/ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/util/TlsContext.java
@@ -9,8 +9,12 @@
 import javax.net.ssl.*;
 
 public class TlsContext {
+
+  private TlsContext() {}
+
   @NonNull
   public static SSLContext fromClientCertificate(@NonNull ECKey ecKey) {
+    // see also:
     // https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/examples/utils/custom-key-store
 
     if (ecKey.getParsedX509CertChain() == null || ecKey.getParsedX509CertChain().isEmpty()) {
@@ -23,7 +27,7 @@ public static SSLContext fromClientCertificate(@NonNull ECKey ecKey) {
 
       var tmf = TrustManagerFactory.getInstance("PKIX");
 
-      // Using null here initialises the TMF with the default trust store.
+      // Using null here initialises with the default trust store.
       tmf.init((KeyStore) null);
 
       ctx.init(
@@ -36,7 +40,7 @@ public static SSLContext fromClientCertificate(@NonNull ECKey ecKey) {
     }
   }
 
-  private static KeyManager[] keyManagerOf(X509Certificate cert, PrivateKey privateKey) {
+  public static KeyManager[] keyManagerOf(X509Certificate cert, PrivateKey privateKey) {
 
     var pw = new char[0];
 

diff --git a/ehealthid-rp/src/test/java/com/oviva/ehealthid/relyingparty/util/TlsContextTest.java b/ehealthid-rp/src/test/java/com/oviva/ehealthid/relyingparty/util/TlsContextTest.java
@@ -13,46 +13,80 @@
 import java.io.IOException;
 import java.net.Socket;
 import java.net.URI;
-import java.net.http.HttpClient;
-import java.net.http.HttpRequest;
-import java.net.http.HttpResponse;
+import java.security.Principal;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Date;
 import java.util.List;
+import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.X509ExtendedTrustManager;
+import javax.net.ssl.X509KeyManager;
+import javax.security.auth.x500.X500Principal;
 import org.bouncycastle.operator.OperatorCreationException;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
-@Disabled("TODO")
 class TlsContextTest {
 
+  private static final String ISSUER = "https://example.com";
+
+  @Test
+  void fromClientCertificate_smoke() throws Exception {
+    var key = generateSigningKey(URI.create(ISSUER));
+
+    var ctx = TlsContext.fromClientCertificate(key);
+    assertNotNull(ctx);
+  }
+
   @Test
-  void t() throws Exception {
+  void fromClientCertificate_noX509() throws Exception {
+    var key =
+        new ECKeyGenerator(Curve.P_256)
+            .keyUse(KeyUse.SIGNATURE)
+            .keyIDFromThumbprint(true)
+            .generate();
+
+    assertThrows(IllegalArgumentException.class, () -> TlsContext.fromClientCertificate(key));
+  }
+
+  @Test
+  void fromClientCertificate_noPrivate() throws Exception {
+    var key = generateSigningKey(URI.create(ISSUER));
+    var pub = key.toPublicJWK();
+
+    assertThrows(IllegalArgumentException.class, () -> TlsContext.fromClientCertificate(pub));
+  }
+
+  @Test
+  void keyManager() throws Exception {
+
+    var key = generateSigningKey(URI.create(ISSUER));
+
+    // when
+    var kms = TlsContext.keyManagerOf(key.getParsedX509CertChain().get(0), key.toPrivateKey());
+
+    // then
+    assertContainsCert(kms, key);
+  }
+
+  void assertContainsCert(KeyManager[] kms, ECKey key) throws JOSEException {
 
-    var key = generateSigningKey(URI.create("https://localhost:4443"));
+    assertEquals(1, kms.length);
+    var km = kms[0];
 
-    var sslContext = TlsContext.fromClientCertificate(key);
+    assertInstanceOf(X509KeyManager.class, km);
+    var x5km = (X509KeyManager) km;
 
-    var httpClient =
-        HttpClient.newBuilder()
-            .connectTimeout(Duration.ofSeconds(10))
-            .sslContext(sslContext)
-            .build();
+    var aliases = x5km.getClientAliases("EC", new Principal[] {new X500Principal("CN=" + ISSUER)});
+    assertEquals(1, aliases.length);
 
-    var req =
-        HttpRequest.newBuilder(URI.create("https://localhost:4443"))
-            .GET()
-            .timeout(Duration.ofSeconds(3))
-            .build();
+    var chain = x5km.getCertificateChain(aliases[0]);
 
-    var res = httpClient.send(req, HttpResponse.BodyHandlers.ofString());
-    System.out.println(res.body());
+    var cert = chain[0];
+    assertEquals(key.toPublicKey(), cert.getPublicKey());
   }
 
   private ECKey generateSigningKey(URI issuer)

diff --git a/ehealthid-rp/src/test/resources/fixtures/example_enc_jwks.json b/ehealthid-rp/src/test/resources/fixtures/example_enc_jwks.json
@@ -2,12 +2,12 @@
   "keys": [
     {
       "kty": "EC",
-      "d": "6RrmHekWp_RwY6FNlM46zwt1wFytfVQSYrS2-DDLj7g",
+      "d": "WlqzsmBkqfL3HmSHy8MHB-9-pnL9A8pzSofEKOVNmWQ",
       "use": "enc",
       "crv": "P-256",
       "kid": "test-enc",
-      "x": "M4yMVgv6nV9AHvNCdrFUZ2zLnSD8yXFZBgbLgXU0vAc",
-      "y": "AvE4diGs4teOYHECACyi41UMxPGv8myq-Y7MBZGfwzY"
+      "x": "00G2e-vi6vG_HiOeSGe2Z8D8ihkOsM-X2MgqNMvo1qg",
+      "y": "bTV0l6efZEpU1Tw40Ke_MdMXwuKaoKp8sBvpoKULUX4"
     }
   ]
 }
diff --git a/ehealthid-rp/src/test/resources/fixtures/example_sig_jwks.json b/ehealthid-rp/src/test/resources/fixtures/example_sig_jwks.json
@@ -2,12 +2,15 @@
   "keys": [
     {
       "kty": "EC",
-      "d": "6RrmHekWp_RwY6FNlM46zwt1wFytfVQSYrS2-DDLj7g",
+      "d": "B4ewuC_24S1vZJVSXVt1Fh7FBUVX3Y9WpQKKkX_3zlg",
       "use": "sig",
       "crv": "P-256",
       "kid": "test-sig",
-      "x": "M4yMVgv6nV9AHvNCdrFUZ2zLnSD8yXFZBgbLgXU0vAc",
-      "y": "AvE4diGs4teOYHECACyi41UMxPGv8myq-Y7MBZGfwzY"
+      "x5c": [
+        "MIIBLjCB1qADAgECAghsoROJsUA1QDAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNodHRwczovL2V4YW1wbGUuY29tMB4XDTI0MDQyOTE4Mzk1OFoXDTI0MTAyNzE4Mzk1OFowHjEcMBoGA1UEAxMTaHR0cHM6Ly9leGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABA2Fa+Jcf5nnMVcZOrVmYyaiTTsCjFxMPisQpErauUJl6sSkZFpQLQp9egrSEOM7XQ92Uws8phf93rqUPzphjrYwCgYIKoZIzj0EAwIDRwAwRAIgV7ubSrkZNHinHKczXMhf9foI+XeieftvRjSJ9boGoAwCIDV+IXntNGswSJuLYkpPNR7laG1SPOwMhNxerQ8FlWAv"
+      ],
+      "x": "DYVr4lx_mecxVxk6tWZjJqJNOwKMXEw-KxCkStq5QmU",
+      "y": "6sSkZFpQLQp9egrSEOM7XQ92Uws8phf93rqUPzphjrY"
     }
   ]
 }
diff --git a/start.sh b/start.sh
@@ -1,3 +1,12 @@
 #!/bin/bash
 
+export EHEALTHID_RP_APP_NAME=Awesome DiGA
+export EHEALTHID_RP_BASE_URI=https://t.oviva.io
+export EHEALTHID_RP_FEDERATION_ENC_JWKS_PATH=./enc_t_oviva_io_jwks.json
+export EHEALTHID_RP_FEDERATION_SIG_JWKS_PATH=./sig_t_oviva_io_jwks.json
+export EHEALTHID_RP_FEDERATION_MASTER=https://app-ref.federationmaster.de
+export EHEALTHID_RP_REDIRECT_URIS=https://sso-mydiga.example.com/auth/callback
+export EHEALTHID_RP_ES_TTL=PT5M
+export EHEALTHID_RP_IDP_DISCOVERY_URI=https://sso-mydiga.example.com/.well-known/openid-configuration
+
 java -jar ehealthid-rp/target/ehealthid-rp-jar-with-dependencies.jar