Example 66 with PostEnvironment

use of net.openid.conformance.condition.PostEnvironment in project conformance-suite by openid-certification.

Class FapiBrazilVerifyRedirectUriContainedInSoftwareStatement, method evaluate.

@Override
@PreEnvironment(required = "software_statement_assertion", strings = "redirect_uri")
@PostEnvironment(required = "dynamic_registration_request")
public Environment evaluate(Environment env) {
    // Note the non-RFC7591 claim software_redirect_uris that is used in Brazil & UK OpenBanking
    JsonElement redirectUris = env.getElementFromObject("software_statement_assertion", "claims.software_redirect_uris");
    if (redirectUris == null || !redirectUris.isJsonArray()) {
        throw error("software_redirect_uris in software statement is missing or not an array");
    }
    JsonArray redirectUrisArray = redirectUris.getAsJsonArray();
    String redirectUri = env.getString("redirect_uri");
    if (Strings.isNullOrEmpty(redirectUri)) {
        throw error("No redirect_uri found");
    }
    if (!redirectUrisArray.contains(new JsonPrimitive(redirectUri))) {
        throw error("The redirect_uri required for the conformance suite is not present in the software statement, registration must not succeed. Note that when the software statement contains multiple urls they MUST be specified as an array of strings. A single string containing comma separated URLs is not permitted by the specification.", args("required", redirectUri, "present", redirectUrisArray));
    }
    log("Required redirect_uri is present in the software statement", args("required", redirectUri, "present", redirectUrisArray));
    return env;
}
Also used: com.google.gson.JsonArray, com.google.gson.JsonPrimitive, com.google.gson.JsonElement, net.openid.conformance.condition.PostEnvironment, net.openid.conformance.condition.PreEnvironment

Example 67 with PostEnvironment

Class FetchServerKeys, method evaluate.

@Override
@PreEnvironment(required = "server")
@PostEnvironment(required = "server_jwks")
public Environment evaluate(Environment env) {
    String jwksUri = env.getString("server", "jwks_uri");
    if (!Strings.isNullOrEmpty(jwksUri)) {
        // do the fetch
        log("Fetching server key", args("jwks_uri", jwksUri));
        try {
            RestTemplate restTemplate = createRestTemplate(env);
            String jwkString = restTemplate.getForObject(jwksUri, String.class);
            log("Found JWK set string", args("jwk_string", jwkString));
            JsonObject jwkSet = JsonParser.parseString(jwkString).getAsJsonObject();
            env.putObject("server_jwks", jwkSet);
            logSuccess("Found server JWK set", args("server_jwks", jwkSet));
            return env;
        } catch (UnrecoverableKeyException | KeyManagementException | CertificateException | InvalidKeySpecException | NoSuchAlgorithmException | KeyStoreException | IOException e) {
            throw error("Error creating HTTP client", e);
        } catch (RestClientException e) {
            String msg = "Fetching server keys from " + jwksUri + " failed";
            if (e.getCause() != null) {
                msg += " - " + e.getCause().getMessage();
            }
            throw error(msg, e);
        } catch (JsonSyntaxException e) {
            throw error("Server JWKs set string is not JSON", e);
        }
    } else {
        throw error("Didn't find jwks_uri in the server configuration");
    }
}
Also used: com.google.gson.JsonObject, java.security.cert.CertificateException, java.security.NoSuchAlgorithmException, java.security.KeyStoreException, java.io.IOException, java.security.KeyManagementException, com.google.gson.JsonSyntaxException, java.security.UnrecoverableKeyException, org.springframework.web.client.RestTemplate, org.springframework.web.client.RestClientException, java.security.spec.InvalidKeySpecException, net.openid.conformance.condition.PostEnvironment, net.openid.conformance.condition.PreEnvironment

Example 68 with PostEnvironment

Class GenerateFakeMTLSCertificate, method evaluate.

@Override
@PreEnvironment(required = "mutual_tls_authentication")
@PostEnvironment(required = "fake_mutual_tls_authentication")
public Environment evaluate(Environment env) {
    var extensionOidsNotToCopy = new HashSet<String>();
    KeyPairGenerator generator;
    try {
        generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
    } catch (NoSuchAlgorithmException e) {
        throw error(e.getMessage(), e);
    }
    KeyPair kp = generator.generateKeyPair();
    KeyPair cakp = generator.generateKeyPair();
    PublicKey newPubKey = kp.getPublic();
    String certString = env.getString("mutual_tls_authentication", "cert");
    X509Certificate originalCert = generateCertificateFromMTLSCert(certString);
    X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
    v3CertGen.setSubjectDN(originalCert.getSubjectX500Principal());
    v3CertGen.setSignatureAlgorithm(originalCert.getSigAlgName());
    v3CertGen.setPublicKey(newPubKey);
    v3CertGen.setNotAfter(originalCert.getNotAfter());
    v3CertGen.setNotBefore(originalCert.getNotBefore());
    v3CertGen.setIssuerDN(originalCert.getIssuerX500Principal());
    v3CertGen.setSerialNumber(originalCert.getSerialNumber());
    // copy other extensions:
    Set<String> critExts = originalCert.getCriticalExtensionOIDs();
    try {
        if (critExts != null) {
            for (String oid : critExts) {
                if (!clientCertOidsNeverToCopy.contains(oid) && !extensionOidsNotToCopy.contains(oid)) {
                    v3CertGen.copyAndAddExtension(new DERObjectIdentifier(oid), true, originalCert);
                }
            }
        }
        Set<String> nonCritExs = originalCert.getNonCriticalExtensionOIDs();
        if (nonCritExs != null) {
            for (String oid : nonCritExs) {
                if (!clientCertOidsNeverToCopy.contains(oid) && !extensionOidsNotToCopy.contains(oid)) {
                    v3CertGen.copyAndAddExtension(new DERObjectIdentifier(oid), false, originalCert);
                }
            }
        }
    } catch (CertificateParsingException e) {
        throw error("x509 copyAndAddExtension failed", e);
    }
    JcaX509ExtensionUtils jcaX509ExtensionUtils = null;
    try {
        jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
    } catch (NoSuchAlgorithmException e) {
        throw error("JcaX509ExtensionUtils failed", e);
    }
    v3CertGen.addExtension(X509Extension.subjectKeyIdentifier, false, jcaX509ExtensionUtils.createSubjectKeyIdentifier(newPubKey));
    X509Certificate cert;
    try {
        v3CertGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(cakp.getPublic()));
        var caPrivateKey = cakp.getPrivate();
        cert = v3CertGen.generate(caPrivateKey, "BC");
    } catch (CertificateEncodingException | NoSuchProviderException | NoSuchAlgorithmException | SignatureException | InvalidKeyException e) {
        throw error("cert.generate failed", e);
    }
    JsonObject mtls = new JsonObject();
    try {
        mtls.addProperty("cert", Base64.getEncoder().encodeToString(cert.getEncoded()));
    } catch (CertificateEncodingException e) {
        throw error("Error encoding certificate", e);
    }
    mtls.addProperty("key", Base64.getEncoder().encodeToString(kp.getPrivate().getEncoded()));
    env.putObject("fake_mutual_tls_authentication", mtls);
    // we could add a ca cert too perhaps
    logSuccess("Generated our own client MTLS certificate based on the supplied one", args("fake_mutual_tls_authentication", mtls));
    return env;
}
Also used: org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils, java.security.KeyPair, java.security.cert.CertificateParsingException, java.security.PublicKey, com.google.gson.JsonObject, java.security.cert.CertificateEncodingException, java.security.KeyPairGenerator, java.security.NoSuchAlgorithmException, java.security.SignatureException, java.security.InvalidKeyException, org.bouncycastle.asn1.DERObjectIdentifier, org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure, java.security.cert.X509Certificate, org.bouncycastle.x509.X509V3CertificateGenerator, java.security.NoSuchProviderException, java.util.HashSet, net.openid.conformance.condition.PostEnvironment, net.openid.conformance.condition.PreEnvironment

Example 69 with PostEnvironment

Class ExtractTLSTestValuesFromOBResourceConfiguration, method evaluate.

@Override
@PreEnvironment(required = "resource")
@PostEnvironment(required = { "accounts_resource_endpoint_tls", "accounts_request_endpoint_tls" })
public Environment evaluate(Environment env) {
    try {
        String accountsResourceEndpoint = FAPIOBGetResourceEndpoint.getBaseResourceURL(env, FAPIOBGetResourceEndpoint.Endpoint.ACCOUNTS_RESOURCE);
        if (Strings.isNullOrEmpty(accountsResourceEndpoint)) {
            throw error("Accounts resource endpoint not found");
        }
        JsonObject accountsResourceEndpointTls = TLSTestValueExtractor.extractTlsFromUrl(accountsResourceEndpoint);
        env.putObject("accounts_resource_endpoint_tls", accountsResourceEndpointTls);
        String accountsRequestEndpoint = FAPIOBGetResourceEndpoint.getBaseResourceURL(env, FAPIOBGetResourceEndpoint.Endpoint.ACCOUNT_REQUESTS);
        if (Strings.isNullOrEmpty(accountsRequestEndpoint)) {
            throw error("Account requests endpoint not found");
        }
        JsonObject accountsRequestEndpointTls = TLSTestValueExtractor.extractTlsFromUrl(accountsRequestEndpoint);
        env.putObject("accounts_request_endpoint_tls", accountsRequestEndpointTls);
        logSuccess("Extracted TLS information from resource endpoint", args("accounts_resource_endpoint", accountsResourceEndpointTls, "accounts_request_endpoint", accountsRequestEndpointTls));
        return env;
    } catch (MalformedURLException e) {
        throw error("URL not properly formed", e);
    }
}
Also used: java.net.MalformedURLException, com.google.gson.JsonObject, net.openid.conformance.condition.PostEnvironment, net.openid.conformance.condition.PreEnvironment

Example 70 with PostEnvironment

Class ExtractUserInfoFromUserInfoEndpointResponse, method evaluate.

@Override
@PreEnvironment(strings = "userinfo_endpoint_response")
@PostEnvironment(required = "userinfo")
public Environment evaluate(Environment env) {
    env.removeObject("userinfo");
    String userInfoStr = env.getString("userinfo_endpoint_response");
    try {
        JsonElement elt = JsonParser.parseString(userInfoStr);
        JsonObject userInfo = elt.getAsJsonObject();
        env.putObject("userinfo", userInfo);
        logSuccess("Extracted user info", args("userinfo", userInfo));
        return env;
    } catch (JsonParseException e) {
        throw error("UserInfo endpoint response is not JSON", e);
    } catch (IllegalStateException e) {
        throw error("UserInfo endpoint response is not a JSON object", e);
    }
}
Also used: com.google.gson.JsonElement, com.google.gson.JsonObject, com.google.gson.JsonParseException, net.openid.conformance.condition.PostEnvironment, net.openid.conformance.condition.PreEnvironment
