From 375cf5170b7a97b8ab616b3ecb27f31f629f512e Mon Sep 17 00:00:00 2001
From: Glauco <37829079+rglauco@users.noreply.github.com>
Date: Thu, 28 Mar 2024 19:54:33 +0100
Subject: [PATCH 1/5] chore: updated dependencies
---
starter-kit/pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/starter-kit/pom.xml b/starter-kit/pom.xml
index f053e5e..3350e62 100644
--- a/starter-kit/pom.xml
+++ b/starter-kit/pom.xml
@@ -16,7 +16,7 @@
org.slf4j
slf4j-api
- 1.7.36
+ 2.0.9
@@ -28,13 +28,13 @@
org.slf4j
slf4j-simple
- 1.7.36
+ 2.0.9
test
org.mockito
mockito-core
- 4.2.0
+ 5.10.0
test
@@ -46,7 +46,7 @@
com.github.tomakehurst
wiremock-jre8
- 2.35.1
+ 3.0.1
test
From 32b996a8d6e26b758ee9a6f1b5e6f4c60ddc9a1a Mon Sep 17 00:00:00 2001
From: Glauco <37829079+rglauco@users.noreply.github.com>
Date: Thu, 28 Mar 2024 19:55:27 +0100
Subject: [PATCH 2/5] test: added RSAEncKey tests
---
.../spid/cie/oidc/helper/TestJWTHelper.java | 53 ++++++++++++++-----
.../it/spid/cie/oidc/model/TestTrustMark.java | 5 +-
.../spid/cie/oidc/test/util/RPTestUtils.java | 4 +-
3 files changed, 45 insertions(+), 17 deletions(-)
diff --git a/starter-kit/src/test/java/it/spid/cie/oidc/helper/TestJWTHelper.java b/starter-kit/src/test/java/it/spid/cie/oidc/helper/TestJWTHelper.java
index 42aa386..6fb6efd 100644
--- a/starter-kit/src/test/java/it/spid/cie/oidc/helper/TestJWTHelper.java
+++ b/starter-kit/src/test/java/it/spid/cie/oidc/helper/TestJWTHelper.java
@@ -9,15 +9,11 @@
import java.util.HashMap;
import java.util.Map;
+import com.nimbusds.jose.*;
import org.json.JSONArray;
import org.json.JSONObject;
import org.junit.Test;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jose.JWSObject;
-import com.nimbusds.jose.JWSSigner;
-import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
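Review bot: The new `import com.nimbusds.jose.*;` replaces five explicit imports and sits ahead of the `org.json` group instead of with the other `com.nimbusds` lines, which is a wildcard-import and ordering style regression. The change only needed one more type, so `import com.nimbusds.jose.JWEAlgorithm;` next to the existing `JWSAlgorithm` import would have done it and kept the list explicit. That also matches the TestTrustMark hunk later in this series, which adds exactly that single explicit import.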
@@ -65,6 +61,21 @@ public void testClass2() {
assertTrue(rsaKey.getKeyType().equals(KeyType.RSA));
}
+ @Test
+ public void testClass2enc() {
+ RSAKey rsaKey = null;
+ boolean catched = false;
+
+ try {
+ rsaKey = JWTHelper.createRSAEncKey(null, KeyUse.ENCRYPTION);
+ }
+ catch (Exception e) {
+ catched = true;
+ }
+
+ assertFalse(catched);
+ assertTrue(rsaKey.getKeyType().equals(KeyType.RSA));
+ }
@Test
public void testClass3() {
String test = "sample-value";
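Review bot: `testClass2enc` only asserts `KeyType.RSA`, so it does not check the one property that distinguishes `createRSAEncKey` from `createRSAKey` (already covered by `testClass2` just above); add `assertTrue(KeyUse.ENCRYPTION.equals(rsaKey.getKeyUse()));` after the key-type check. If `createRSAEncKey` applies a default JWE algorithm when `null` is passed, assert that too, otherwise the `null` path is exercised without verifying what it actually produces. The `catch (Exception e)` that only sets `catched` also hides the failure reason; declaring the test `throws Exception` lets JUnit report the cause directly, though the surrounding tests follow the same pattern.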
@@ -145,6 +156,20 @@ public void test_createRSAKey() {
assertFalse(catched);
}
+ @Test
+ public void test_createRSAEncKey() {
+ boolean catched = false;
+
+ try {
+ JWTHelper.createRSAEncKey(JWEAlgorithm.RSA_OAEP_256, KeyUse.ENCRYPTION);
+ }
+ catch(Exception e) {
+ catched = true;
+ }
+
+ assertFalse(catched);
+ }
+
@Test
public void test_fastParseHeader() {
boolean catched = false;
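Review bot: `test_createRSAEncKey` discards the key it creates, so a `createRSAEncKey` that ignored its `alg` argument would still pass. Capture the return, `RSAKey key = JWTHelper.createRSAEncKey(JWEAlgorithm.RSA_OAEP_256, KeyUse.ENCRYPTION);`, and assert `assertTrue(JWEAlgorithm.RSA_OAEP_256.equals(key.getAlgorithm()));` and `assertTrue(KeyUse.ENCRYPTION.equals(key.getKeyUse()));`. This is the test that should pin that encryption keys are advertised with `alg`/`use` set, since that is what a peer uses to pick a key from the published JWKS.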
@@ -224,7 +249,7 @@ public void test_getJWKSetAsJSONArray() {
try {
RSAKey rsaKey1 = JWTHelper.createRSAKey(null, KeyUse.SIGNATURE);
- RSAKey rsaKey2 = JWTHelper.createRSAKey(null, KeyUse.ENCRYPTION);
+ RSAKey rsaKey2 = JWTHelper.createRSAEncKey(null, KeyUse.ENCRYPTION);
JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey1, rsaKey2));
@@ -243,9 +268,10 @@ public void test_getJWKSetAsJSONArray() {
try {
RSAKey rsaKey = JWTHelper.createRSAKey(null, KeyUse.SIGNATURE);
+ RSAKey rsaEncKey = JWTHelper.createRSAEncKey(null, KeyUse.ENCRYPTION);
ECKey ecKey = createECKey(KeyUse.ENCRYPTION);
- JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey, ecKey));
+ JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey, ecKey, rsaEncKey));
jsonArray = JWTHelper.getJWKSetAsJSONArray(jwkSet, false);
}
@@ -254,7 +280,7 @@ public void test_getJWKSetAsJSONArray() {
}
assertFalse(catched);
- assertTrue(jsonArray.length() == 2);
+ assertTrue(jsonArray.length() == 3);
assertTrue(jsonArray.getJSONObject(0).has("use"));
catched = false;
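Review bot: The expected length goes from 2 to 3 but the only content assertion remains `jsonArray.getJSONObject(0).has("use")`, so the newly added `rsaEncKey` entry is never inspected. Check every entry instead, `for (int i = 0; i < jsonArray.length(); i++) { assertTrue(jsonArray.getJSONObject(i).has("use")); }`, and consider asserting that the encryption entry carries `alg`, since that is what `getJWKSetAsJSONArray` is expected to serialise for it. The same applies to the `(jwkSet, true, false)` variant patched a few hunks below. The enclosing `test_getJWKSetAsJSONArray` starts and ends outside this hunk.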
@@ -262,9 +288,10 @@ public void test_getJWKSetAsJSONArray() {
try {
RSAKey rsaKey = JWTHelper.createRSAKey(null, KeyUse.SIGNATURE);
+ RSAKey rsaEncKey = JWTHelper.createRSAEncKey(null, KeyUse.ENCRYPTION);
ECKey ecKey = createECKey(KeyUse.ENCRYPTION);
- JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey, ecKey));
+ JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey, ecKey, rsaEncKey));
jsonArray = JWTHelper.getJWKSetAsJSONArray(jwkSet, true, false);
}
@@ -273,7 +300,7 @@ public void test_getJWKSetAsJSONArray() {
}
assertFalse(catched);
- assertTrue(jsonArray.length() == 2);
+ assertTrue(jsonArray.length() == 3);
assertTrue(jsonArray.getJSONObject(0).has("use"));
catched = false;
@@ -312,7 +339,7 @@ public void test_getJWKSetFromJSON1() {
try {
RSAKey rsaKey1 = JWTHelper.createRSAKey(null, KeyUse.SIGNATURE);
- RSAKey rsaKey2 = JWTHelper.createRSAKey(null, KeyUse.ENCRYPTION);
+ RSAKey rsaKey2 = JWTHelper.createRSAEncKey(null, KeyUse.ENCRYPTION);
JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey1, rsaKey2));
@@ -576,9 +603,9 @@ private String encode64(String value) {
private static JWKSet createJWKSet() throws Exception {
RSAKey rsaKey1 = JWTHelper.createRSAKey(JWSAlgorithm.RS256, KeyUse.SIGNATURE);
- //RSAKey rsaKey2 = JWTHelper.createRSAKey(null, KeyUse.ENCRYPTION);
+ RSAKey rsaKey2 = JWTHelper.createRSAEncKey(JWEAlgorithm.RSA_OAEP_256, KeyUse.ENCRYPTION);
- return new JWKSet(Arrays.asList(rsaKey1));
+ return new JWKSet(Arrays.asList(rsaKey1, rsaKey2));
}
private static String createJWS(JSONObject payload, JSONObject jwks)
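Review bot: `createJWKSet` now returns a set with both a signing and an encryption key, and it feeds `createJWS` (declared on the last line of this hunk, body outside it). If that helper or `jwtHelper` picks the signing key by position rather than by `use`, the tests keep passing only because `rsaKey1` is listed first, which would mask a key-selection bug; a short comment makes the dependency explicit: `// signing key first on purpose: consumers should still select by use, not by position`. This private method is also byte-identical to `RPTestUtils.createJWKSet`, which this series patches the same way.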
diff --git a/starter-kit/src/test/java/it/spid/cie/oidc/model/TestTrustMark.java b/starter-kit/src/test/java/it/spid/cie/oidc/model/TestTrustMark.java
index 1736848..be7f698 100644
--- a/starter-kit/src/test/java/it/spid/cie/oidc/model/TestTrustMark.java
+++ b/starter-kit/src/test/java/it/spid/cie/oidc/model/TestTrustMark.java
@@ -7,6 +7,7 @@
import java.io.IOException;
import java.util.Arrays;
+import com.nimbusds.jose.JWEAlgorithm;
import org.json.JSONObject;
import org.junit.AfterClass;
import org.junit.BeforeClass;
@@ -238,9 +239,9 @@ public void test_validate() {
private static JWKSet createJWKSet() throws Exception {
RSAKey rsaKey1 = JWTHelper.createRSAKey(JWSAlgorithm.RS256, KeyUse.SIGNATURE);
- //RSAKey rsaKey2 = JWTHelper.createRSAKey(null, KeyUse.ENCRYPTION);
+ RSAKey rsaKey2 = JWTHelper.createRSAEncKey(JWEAlgorithm.RSA_OAEP_256, KeyUse.ENCRYPTION);
- return new JWKSet(Arrays.asList(rsaKey1));
+ return new JWKSet(Arrays.asList(rsaKey1, rsaKey2));
}
/**
diff --git a/starter-kit/src/test/java/it/spid/cie/oidc/test/util/RPTestUtils.java b/starter-kit/src/test/java/it/spid/cie/oidc/test/util/RPTestUtils.java
index fb1eb27..de51f44 100644
--- a/starter-kit/src/test/java/it/spid/cie/oidc/test/util/RPTestUtils.java
+++ b/starter-kit/src/test/java/it/spid/cie/oidc/test/util/RPTestUtils.java
@@ -94,9 +94,9 @@ public static String createJWS(JSONObject payload, JSONObject jwks)
public static JWKSet createJWKSet() throws Exception {
RSAKey rsaKey1 = JWTHelper.createRSAKey(JWSAlgorithm.RS256, KeyUse.SIGNATURE);
- //RSAKey rsaKey2 = JWTHelper.createRSAKey(null, KeyUse.ENCRYPTION);
+ RSAKey rsaKey2 = JWTHelper.createRSAEncKey(JWEAlgorithm.RSA_OAEP_256, KeyUse.ENCRYPTION);
- return new JWKSet(Arrays.asList(rsaKey1));
+ return new JWKSet(Arrays.asList(rsaKey1, rsaKey2));
}
public static RelyingPartyOptions getOptions() throws Exception {
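Review bot: This public `createJWKSet` is now identical to the private copies patched in `TestJWTHelper` and `TestTrustMark` in the same commit, which is why the same two-line change had to be made three times. Replacing those private bodies with `return RPTestUtils.createJWKSet();` leaves one fixture to maintain, so the next change to the test key material (algorithm, key size, adding an EC key) cannot drift between test classes. Each call also generates two fresh RSA key pairs; if the fixture is invoked per test rather than once per class, caching the result in a static field would noticeably speed up the suite.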
From 0992b3ef878bd3ad390a0d19f54b65b36da78712 Mon Sep 17 00:00:00 2001
From: Glauco <37829079+rglauco@users.noreply.github.com>
Date: Fri, 29 Mar 2024 17:22:36 +0100
Subject: [PATCH 3/5] docs: added UTC hint for iat issuance in CIE onboarding
---
examples/relying-party-spring-boot/README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/examples/relying-party-spring-boot/README.md b/examples/relying-party-spring-boot/README.md
index 5b5e350..ee0fc04 100644
--- a/examples/relying-party-spring-boot/README.md
+++ b/examples/relying-party-spring-boot/README.md
@@ -105,4 +105,5 @@ previous chapter instructions replacing `127.0.0.1` with the right hostname
}
```
- when onboarded, please retrieve the Trust Mark form TA fetch endpoint like this example for preproduction: `https://preprod.oidc.registry.servizicie.interno.gov.it/fetch?sub={your_client_id}`
-- remember to (put `[` `]` around the Trust Mark when writing the appropriate file
\ No newline at end of file
+- remember to (put `[` `]` around the Trust Mark when writing the appropriate file
+- `iat` and `exp` claims must be issued according to the UTC timezone, this is an example command for the webapp: `mvn clean spring-boot:run -Dspring-boot.run.jvmArguments="-Duser.timezone=UTC"`
\ No newline at end of file
From 0f818fca99328d9fd0e7b147ec5fd37c7a5aa7a6 Mon Sep 17 00:00:00 2001
From: Glauco <37829079+rglauco@users.noreply.github.com>
Date: Fri, 29 Mar 2024 17:44:44 +0100
Subject: [PATCH 4/5] docs: better clarification for geoblocking for
preproduction CIE servers
---
examples/relying-party-spring-boot/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/relying-party-spring-boot/README.md b/examples/relying-party-spring-boot/README.md
index ee0fc04..300f48f 100644
--- a/examples/relying-party-spring-boot/README.md
+++ b/examples/relying-party-spring-boot/README.md
@@ -87,7 +87,7 @@ previous chapter instructions replacing `127.0.0.1` with the right hostname
**To be onboarded into CIE Federation**:
- use always appropriate and valid TLS Certificates
-- use IP from Italian networks for server [CIE Federation servers uses geoblocking]
+- use IP from Italian networks for your server [CIE Federation preproduction servers are using geoblocking]
- as contact use the same institutional email address as stated into the administrative part [do not use PEC]
- when copy the federation public key please follow this pattern:
- ```
From 12d3bc47807b78adebc972a3894f73fe8182b4fb Mon Sep 17 00:00:00 2001
From: Glauco <37829079+rglauco@users.noreply.github.com>
Date: Thu, 10 Oct 2024 14:05:00 +0200
Subject: [PATCH 5/5] fix: revocation signed with Core key
---
.../java/it/spid/cie/oidc/helper/OAuth2Helper.java | 2 +-
.../java/it/spid/cie/oidc/helper/TestOAuth2Helper.java | 10 ++++++----
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/starter-kit/src/main/java/it/spid/cie/oidc/helper/OAuth2Helper.java b/starter-kit/src/main/java/it/spid/cie/oidc/helper/OAuth2Helper.java
index 2d2c9d9..e01a997 100644
--- a/starter-kit/src/main/java/it/spid/cie/oidc/helper/OAuth2Helper.java
+++ b/starter-kit/src/main/java/it/spid/cie/oidc/helper/OAuth2Helper.java
@@ -154,7 +154,7 @@ public void sendRevocationRequest(
.put("exp", JWTHelper.getExpiresOn())
.put("jti", UUID.randomUUID().toString());
- JWKSet jwkSet = JWTHelper.getJWKSetFromJSON(clientConf.getJwksFed());
+ JWKSet jwkSet = JWTHelper.getJWKSetFromJSON(clientConf.getJwksCoreByUse(KeyUse.SIGNATURE));
String clientAssertion = jwtHelper.createJWS(payload, jwkSet);
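Review bot: The `JWKSet` built from `clientConf.getJwksCoreByUse(KeyUse.SIGNATURE)` is handed straight to `createJWS` with no check that a Core signing key actually exists, so a relying party configured with only an encryption key (or an empty Core JWKS) fails somewhere inside the JWS builder instead of with a clear message; add `if (jwkSet == null || jwkSet.getKeys().isEmpty()) throw new IllegalStateException("no Core signing key available for client_assertion");` before the signing call. This hunk also introduces `KeyUse` into `OAuth2Helper` while the diffstat shows one insertion and one deletion, so either `com.nimbusds.jose.jwk.KeyUse` was already imported here or the file no longer compiles; worth confirming. Since the point of the fix is which key signs the `client_assertion`, a why-comment such as `// client_assertion must be signed with the RP Core (OIDC) key, not the Federation entity key` will stop the next reader from reverting it, and if other request builders in this class still call `getJwksFed()` for their assertion they need the same review. `sendRevocationRequest` begins and ends outside this hunk.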
diff --git a/starter-kit/src/test/java/it/spid/cie/oidc/helper/TestOAuth2Helper.java b/starter-kit/src/test/java/it/spid/cie/oidc/helper/TestOAuth2Helper.java
index bde5657..2b9f875 100644
--- a/starter-kit/src/test/java/it/spid/cie/oidc/helper/TestOAuth2Helper.java
+++ b/starter-kit/src/test/java/it/spid/cie/oidc/helper/TestOAuth2Helper.java
@@ -323,12 +323,13 @@ public void testClass3() {
WireMock.forbidden()
));
- JWKSet jwks = JWTHelper.getJWKSetFromJWK(options.getJwkFed());
+ //JWKSet jwks = JWTHelper.getJWKSetFromJWK(options.getJwkFed());
+ JWKSet jwks = RPTestUtils.getJwksCoreByUse(JWTHelper.getJWKSetFromJSON(options.getJwkCore()), KeyUse.SIGNATURE);
FederationEntity clientConf = new FederationEntity();
clientConf.setSubject(RELYING_PARTY);
- clientConf.setJwksFed(jwks.toString(false));
+ clientConf.setJwksCore(jwks.toString(false));
helper.sendRevocationRequest(null, null, SPID_PROVIDER + "test", clientConf);
}
@@ -352,12 +353,13 @@ public void testClass3() {
WireMock.ok()
));
- JWKSet jwks = JWTHelper.getJWKSetFromJWK(options.getJwkFed());
+ //JWKSet jwks = JWTHelper.getJWKSetFromJWK(options.getJwkFed());
+ JWKSet jwks = RPTestUtils.getJwksCoreByUse(JWTHelper.getJWKSetFromJSON(options.getJwkCore()), KeyUse.SIGNATURE);
FederationEntity clientConf = new FederationEntity();
clientConf.setSubject(RELYING_PARTY);
- clientConf.setJwksFed(jwks.toString(false));
+ clientConf.setJwksCore(jwks.toString(false));
helper.sendRevocationRequest(null, null, SPID_PROVIDER + "test", clientConf);
}