
Example 1 with KeyObjectKeyLoader

use of com.disney.http.auth.client.keyloader.KeyObjectKeyLoader in project groovity by disney.

the class TestKeyObjectKeyLoader method testKeyObjectKeyLoaderBadAlgorithmFormat.

/**
 * Verifies that an algorithm name in the wrong format is rejected.
 *
 * <p>"HmacSHA384" is the JCA spelling; the other tests on this page configure the
 * signer with hyphenated names such as "hmac-sha256", so presumably only that
 * form is accepted by the two-argument constructor (confirm against
 * KeyObjectKeyLoader). The test passes when a
 * {@link NoSuchAlgorithmException} is raised, whether by the constructor or by
 * {@code call()}.
 *
 * @throws Exception the expected {@link NoSuchAlgorithmException}
 */
@Test(expected = NoSuchAlgorithmException.class)
public void testKeyObjectKeyLoaderBadAlgorithmFormat() throws Exception {
    final String jcaStyleName = "HmacSHA384";
    final String keyMaterial = "something else";
    // Failing closed on an unrecognised algorithm name is the behaviour being pinned here.
    new KeyObjectKeyLoader(jcaStyleName, keyMaterial).call();
}
Also used : KeyObjectKeyLoader(com.disney.http.auth.client.keyloader.KeyObjectKeyLoader) Test(org.junit.Test)

Example 2 with KeyObjectKeyLoader

use of com.disney.http.auth.client.keyloader.KeyObjectKeyLoader in project groovity by disney.

the class TestKeyObjectKeyLoader method testKeyObjectKeyLoaderBadAHmacFormat.

/**
 * Verifies that a misspelled HMAC algorithm name ("hacm-sha23") is rejected.
 *
 * <p>The test passes when a {@link NoSuchAlgorithmException} is raised, whether
 * by the constructor or by {@code call()}; the loader must not fall back to some
 * default algorithm when the name is unknown.
 *
 * @throws Exception the expected {@link NoSuchAlgorithmException}
 */
@Test(expected = NoSuchAlgorithmException.class)
public void testKeyObjectKeyLoaderBadAHmacFormat() throws Exception {
    final String misspelledName = "hacm-sha23";
    final String keyMaterial = "something else";
    new KeyObjectKeyLoader(misspelledName, keyMaterial).call();
}
Also used : KeyObjectKeyLoader(com.disney.http.auth.client.keyloader.KeyObjectKeyLoader) Test(org.junit.Test)

Example 3 with KeyObjectKeyLoader

use of com.disney.http.auth.client.keyloader.KeyObjectKeyLoader in project groovity by disney.

the class TestSignatureAuth method testGeneralSettings.

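/**
 * Checks the signer's basic settings: the default header name, the default
 * signed header list, and that the key id, algorithm and header list appear in
 * the generated signature header.
 *
 * <p>The attribute checks previously compared strings with {@code ==}. The
 * strings produced by {@code split} are not the literal instances, so none of
 * the branches ran and the header contents were never verified. The comparisons
 * now use {@code equals}.
 *
 * @throws Exception if signing the request fails
 */
@Test
public void testGeneralSettings() throws Exception {
    HttpGet request = new HttpGet("http://localhost:8080/");
    HttpClientContext localContext = new HttpClientContext();
    HttpSignatureSigner signer = new HttpSignatureSigner();
    String keyId = "apiUser123";
    String keyValue = "someBase64Secret";
    String headers = "(request-target) host x-date";
    String algorithm = "hmac-sha256";
    // check default header was set
    Assert.assertEquals(AUTHORIZATION_HEADER, signer.getHeaderName());
    // check all contents got set correctly
    signer.setHeaderName(SIGNATURE_HEADER);
    signer.setKeyId(keyId);
    signer.setAlgorithm(algorithm);
    // Explicit charset: the key bytes must not depend on the platform default encoding.
    signer.setKeyLoader(new KeyObjectKeyLoader(new SecretKeySpec(keyValue.getBytes("UTF-8"), "HmacSHA256")));
    signer.process(request, localContext);
    // no headers specified, should have added 'Date' header
    Assert.assertEquals("Date", signer.getHeaders().get(0));
    signer.setHeaders(Arrays.asList(headers.split(" ")));
    signer.process(request, localContext);
    Assert.assertEquals(SIGNATURE_HEADER, signer.getHeaderName());
    String authHeader = getAuthHeader(request);
    for (String attribute : authHeader.split(",")) {
        // Limit of 2 keeps '=' padding inside a base64 signature value intact.
        String[] nameAndValue = attribute.split("=", 2);
        String name = nameAndValue[0].trim();
        String value = nameAndValue[1].trim();
        // Presumably the signer emits quoted values (keyId="..."); strip the quotes
        // when present so the comparison is on the bare value. Confirm against the
        // signer's actual output.
        if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
            value = value.substring(1, value.length() - 1);
        }
        if ("keyId".equals(name)) {
            Assert.assertEquals(keyId, value);
        } else if ("algorithm".equals(name)) {
            Assert.assertEquals(algorithm, value);
        } else if ("headers".equals(name)) {
            Assert.assertEquals(headers, value);
        }
    }
    // NOTE(review): an attribute that is missing from the header is still not
    // detected; consider asserting that keyId, algorithm and headers were each seen.
}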
Also used : SecretKeySpec(javax.crypto.spec.SecretKeySpec) HttpGet(org.apache.http.client.methods.HttpGet) HttpSignatureSigner(com.disney.http.auth.client.signer.HttpSignatureSigner) HttpClientContext(org.apache.http.client.protocol.HttpClientContext) KeyObjectKeyLoader(com.disney.http.auth.client.keyloader.KeyObjectKeyLoader) Test(org.junit.Test)

Example 4 with KeyObjectKeyLoader

use of com.disney.http.auth.client.keyloader.KeyObjectKeyLoader in project groovity by disney.

the class TestSignatureAuth method testRSA.

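/**
 * Signs a request with RSA keys from three sources and verifies each signature
 * with the matching public key: an in-memory key object, a key pair written to
 * and loaded from a PEM file, and a key store entry.
 *
 * <p>The final key store check previously discarded the result of
 * {@code verifyRsa} and re-asserted the stale value from the PEM check, so the
 * key store signature was never verified. The result is now assigned before the
 * assertion.
 *
 * @throws Exception if key generation, key loading or signing fails
 */
@Test
public void testRSA() throws Exception {
    HttpGet request = new HttpGet("http://localhost:8080/");
    HttpClientContext localContext = new HttpClientContext();
    HttpSignatureSigner signer = new HttpSignatureSigner();
    signer.setHeaderName(SIGNATURE_HEADER);
    String keyId = "apiUser123";
    String headers = "(request-target) host x-date";
    KeyPair pair = KeyUtils.generateKeyPair();
    PrivateKey privateKey = pair.getPrivate();
    PublicKey publicKey = pair.getPublic();
    KeyObjectKeyLoader privateKeyLoader = new KeyObjectKeyLoader(privateKey);
    signer.setAlgorithm("rsa-sha256");
    signer.setKeyId(keyId);
    signer.setHeaders(Arrays.asList(headers.split(" ")));
    signer.setKeyLoader(privateKeyLoader);
    signer.process(request, localContext);
    // Independent authorization object used to rebuild the string the signer signed.
    SignatureAuthorization testAuth = new SignatureAuthorization();
    testAuth.setAlgorithm("rsa-sha256");
    testAuth.setHeaders(signer.getHeaders());
    String signingString = testAuth.generateSigningString(new ClientAuthorizationRequest(request));
    byte[] encryptedString = signer.doAuthorization(request).getSignature();
    boolean verify = verifyRsa("SHA256withRSA", publicKey, signingString, encryptedString);
    Assert.assertTrue(verify);
    // can choose algorithm
    // MD5withRSA is exercised only to show the signer honours the configured
    // algorithm. MD5 is collision-prone and should not be selected for new deployments.
    signer.setAlgorithm("rsa-md5");
    signer.process(request, localContext);
    encryptedString = signer.doAuthorization(request).getSignature();
    verify = verifyRsa("MD5withRSA", publicKey, signingString, encryptedString);
    Assert.assertTrue(verify);
    // wrong keyid, not a key loader so no effect:
    // the signature still verifies with the same public key after the key id changes
    signer.setAlgorithm("rsa-sha256");
    signer.setKeyId("something else");
    signer.process(request, localContext);
    encryptedString = signer.doAuthorization(request).getSignature();
    verify = verifyRsa("SHA256withRSA", publicKey, signingString, encryptedString);
    Assert.assertTrue(verify);
    // different headers: signingString was built from the previous header list,
    // so the new signature must not verify against it
    signer.setHeaders(Arrays.asList("host", "x-date"));
    signer.process(request, localContext);
    encryptedString = signer.doAuthorization(request).getSignature();
    verify = verifyRsa("SHA256withRSA", publicKey, signingString, encryptedString);
    Assert.assertFalse(verify);
    // load plain key from file;
    // NOTE(review): this writes the private key to target/priv.pem — presumably
    // unencrypted, and only acceptable because the pair was generated for this test.
    String location = "target/priv.pem";
    File pemFile = new File(location);
    URIParcel.put(pemFile.toURI(), pair);
    URIParcel<KeyPair> pemParcel = new URIParcel<KeyPair>(KeyPair.class, pemFile.toURI());
    signer = new HttpSignatureSigner();
    signer.setHeaderName(SIGNATURE_HEADER);
    signer.setKeyId("defaultValue");
    signer.setAlgorithm("rsa-sha256");
    signer.setHeaders(Arrays.asList(headers.split(" ")));
    signer.setKeyPairLoader(pemParcel);
    signingString = testAuth.generateSigningString(new ClientAuthorizationRequest(request));
    encryptedString = signer.doAuthorization(request).getSignature();
    verify = verifyRsa("SHA256withRSA", publicKey, signingString, encryptedString);
    Assert.assertTrue(verify);
    // try using a KeyStoreLoader
    signer = new HttpSignatureSigner();
    signer.setHeaderName(SIGNATURE_HEADER);
    signer.setAlgorithm("rsa-sha256");
    location = "target/testKeytool.store";
    Map<String, Object> config = new HashMap<String, Object>();
    // Store password for the fixture key store under target/ — presumably generated
    // by the build and test-only; confirm it is not reused for a real key store.
    config.put(KeyStoreValueHandler.KEYSTORE_PASSWORD, "rachel");
    config.put(KeyStoreValueHandler.KEYSTORE_TYPE, "JCEKS");
    URIParcel<KeyStore> parcel = new URIParcel<KeyStore>(KeyStore.class, new File(location).toURI(), config);
    // The second argument is an empty char array (presumably the key-entry password).
    KeyChain chain = new KeyStoreKeyChainImpl(parcel, "".toCharArray());
    KeyChainKeyLoader keystoreLoader = new KeyChainKeyLoader(chain);
    keystoreLoader.setAlias("test");
    signer.setKeyId("test");
    signer.setHeaders(Arrays.asList(headers.split(" ")));
    signer.setKeyLoader(keystoreLoader);
    signer.process(request, localContext);
    signingString = testAuth.generateSigningString(new ClientAuthorizationRequest(request));
    encryptedString = signer.doAuthorization(request).getSignature();
    // check against the public key from the key store's "test" certificate
    KeyStore importedKeystore = parcel.call();
    PublicKey loadedPublicKey = importedKeystore.getCertificate("test").getPublicKey();
    // Assign the result: asserting the earlier value would leave this signature unchecked.
    verify = verifyRsa("SHA256withRSA", loadedPublicKey, signingString, encryptedString);
    Assert.assertTrue(verify);
}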
Also used : URIParcel(com.disney.uriparcel.URIParcel) HashMap(java.util.HashMap) HttpGet(org.apache.http.client.methods.HttpGet) HttpClientContext(org.apache.http.client.protocol.HttpClientContext) KeyChain(com.disney.http.auth.keychain.KeyChain) KeyStoreKeyChainImpl(com.disney.http.auth.keychain.KeyStoreKeyChainImpl) ClientAuthorizationRequest(com.disney.http.auth.client.ClientAuthorizationRequest) SignatureAuthorization(com.disney.http.auth.SignatureAuthorization) KeyChainKeyLoader(com.disney.http.auth.client.keyloader.KeyChainKeyLoader) HttpSignatureSigner(com.disney.http.auth.client.signer.HttpSignatureSigner) KeyObjectKeyLoader(com.disney.http.auth.client.keyloader.KeyObjectKeyLoader) File(java.io.File) Test(org.junit.Test)

Example 5 with KeyObjectKeyLoader

use of com.disney.http.auth.client.keyloader.KeyObjectKeyLoader in project groovity by disney.

the class TestSignatureAuth method testHmac.

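/**
 * Signs a request with an HMAC key and checks the signature against an
 * independently computed HMAC. It then confirms that changing the signing
 * string, the key, the algorithm, the header list or the header order each
 * produces a different signature.
 *
 * <p>The header-order case previously passed a single list element,
 * {@code "host (request-target) x-date"}, so it tested one bogus header name
 * rather than a reordering. It now passes the three header names separately.
 *
 * @throws Exception if key loading or signing fails
 */
@Test
public void testHmac() throws Exception {
    HttpGet request = new HttpGet("http://localhost:8080/");
    HttpClientContext localContext = new HttpClientContext();
    HttpSignatureSigner signer = new HttpSignatureSigner();
    String keyId = "apiUser123";
    String keyValue = "someBase64Secret";
    String headers = "(request-target) host x-date";
    String algorithm = "hmac-sha256";
    KeyObjectKeyLoader hmacKey = new KeyObjectKeyLoader(algorithm, keyValue);
    signer.setHeaderName(SIGNATURE_HEADER);
    signer.setKeyId(keyId);
    signer.setKeyLoader(hmacKey);
    signer.setAlgorithm(algorithm);
    signer.process(request, localContext);
    // Rebuild the signing string independently from the headers the signer used.
    SignatureAuthorization testAuth = new SignatureAuthorization();
    testAuth.setHeaders(signer.getHeaders());
    Assert.assertNotNull(signer.getHeaderName());
    Assert.assertNotNull(getAuthHeader(request));
    String signingString = testAuth.generateSigningString(new ClientAuthorizationRequest(request));
    byte[] expectedResult = signHmac(algorithm, keyValue, signingString);
    byte[] signature = signer.doAuthorization(request).getSignature();
    Assert.assertArrayEquals(expectedResult, signature);
    // bad signing string
    Assert.assertFalse(Arrays.equals(signHmac(algorithm, keyValue, signingString + "invalid"), signature));
    // wrong key
    signer.setKeyLoader(new KeyObjectKeyLoader(algorithm, "differentKeyValue"));
    signer.process(request, localContext);
    signature = signer.doAuthorization(request).getSignature();
    Assert.assertFalse("Wrong Key", Arrays.equals(expectedResult, signature));
    // wrong algorithm (the different key from the previous step is still in place)
    signer.setAlgorithm("hmac-md5");
    signer.process(request, localContext);
    signature = signer.doAuthorization(request).getSignature();
    Assert.assertFalse("Wrong algorithm", Arrays.equals(expectedResult, signature));
    // wrong headers: original key and algorithm restored, only the signed header list differs
    signer.setHeaders(Arrays.asList(headers.split(" ")));
    signer.setAlgorithm(algorithm);
    signer.setKeyLoader(hmacKey);
    signer.process(request, localContext);
    signature = signer.doAuthorization(request).getSignature();
    Assert.assertFalse("Incorrect Headers", Arrays.equals(expectedResult, signature));
    // wrong header order: same three headers as above, passed as separate entries in a different order
    signer.setHeaders(Arrays.asList("host", "(request-target)", "x-date"));
    signer.process(request, localContext);
    signature = signer.doAuthorization(request).getSignature();
    Assert.assertFalse("Incorrect header order", Arrays.equals(expectedResult, signature));
}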
Also used : ClientAuthorizationRequest(com.disney.http.auth.client.ClientAuthorizationRequest) SignatureAuthorization(com.disney.http.auth.SignatureAuthorization) HttpGet(org.apache.http.client.methods.HttpGet) HttpSignatureSigner(com.disney.http.auth.client.signer.HttpSignatureSigner) HttpClientContext(org.apache.http.client.protocol.HttpClientContext) KeyObjectKeyLoader(com.disney.http.auth.client.keyloader.KeyObjectKeyLoader) Test(org.junit.Test)

Aggregations

KeyObjectKeyLoader (com.disney.http.auth.client.keyloader.KeyObjectKeyLoader)11 Test (org.junit.Test)9 HttpSignatureSigner (com.disney.http.auth.client.signer.HttpSignatureSigner)5 KeyChainKeyLoader (com.disney.http.auth.client.keyloader.KeyChainKeyLoader)3 KeyStoreKeyChainImpl (com.disney.http.auth.keychain.KeyStoreKeyChainImpl)3 URIParcel (com.disney.uriparcel.URIParcel)3 HashMap (java.util.HashMap)3 SecretKeySpec (javax.crypto.spec.SecretKeySpec)3 HttpGet (org.apache.http.client.methods.HttpGet)3 HttpClientContext (org.apache.http.client.protocol.HttpClientContext)3 SignatureAuthorization (com.disney.http.auth.SignatureAuthorization)2 ClientAuthorizationRequest (com.disney.http.auth.client.ClientAuthorizationRequest)2 KeyChain (com.disney.http.auth.keychain.KeyChain)2 File (java.io.File)2 URI (java.net.URI)1 Key (java.security.Key)1 KeyStore (java.security.KeyStore)1 List (java.util.List)1 Map (java.util.Map)1 Callable (java.util.concurrent.Callable)1