#2 add debugger to sam, add interface for transfering csr between sam and ssa,...

#2 add debugger to sam, add interface for transfering csr between sam and ssa, rework csr creation in sam to match new bouncycastle classes, missing security provider must be fixed now

#2 add debugger to sam, add interface for transfering csr between sam and ssa,...
#2 add debugger to sam, add interface for transfering csr between sam and ssa, rework csr creation in sam to match new bouncycastle classes, missing security provider must be fixed now
28b89230 · Tobias Assmann · bf204c01 · 28b89230 · 28b89230 · 28b89230
Commit 28b89230 authored Oct 22, 2019 by Tobias Assmann
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,9 @@ packer/

 */_build

+#netbeans
+*/**/nbactions.xml
+
 #eclipse
 .project
 .classpath

--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -21,7 +21,7 @@ services:
    ports:
      - "80:80"
      - "443:443"
-      # The Web UI (enabled by --api.insecure=true)
+      # The Web UI (enabled by --api.insecure=true) remove for prod!
      # see http://localhost:8080/dashboard/
      - "8080:8080"
    networks:
@@ -47,7 +47,7 @@ services:
      - JAVA_OPTS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005
    ports:
      #- "127.0.0.1:8443:8443"
-      - "127.0.0.1:5005:5005" # Java Debug Port
+      - "127.0.0.1:5005:5005" # Java Debug Port remove for prod!
    networks:
      reqesidta_net:
        aliases:
@@ -87,7 +87,7 @@ services:
    image: "postgres:11.4"
    container_name: "reqesidta_postgres"
    ports:
-      # Only for debugging purposes
+      # Only for debugging purposes remove for prod!
      - "127.0.0.1:5433:5432"
    environment:
      POSTGRES_USER: ejbca
@@ -113,7 +113,7 @@ services:
    ports:
      - "127.0.0.1:28080:8080"
      #- "127.0.0.1:29990:9990"
-      - "127.0.0.1:9797:9797" # Java Debug Port
+      - "127.0.0.1:9797:9797" # Java Debug Port, remove for prod!
    volumes:
      - ./ssa/dist:/opt/jboss/wildfly/standalone/deployments/:rw
    networks:
@@ -127,7 +127,11 @@ services:
    build:
      context: ./sam
    ports:
-     - "127.0.0.1:38080:8080"
+      - "127.0.0.1:38080:8080"
+      - "127.0.0.1:9798:5005" # Java Debug Port, remove for prod!
+    environment:
+      #JAVA_DEBUG: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 # remove for prod!
+      JAVA_DEBUG: -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 # remove for prod!
    networks:
      reqesidta_net:
        aliases:

--- a/docker/sam/Dockerfile
+++ b/docker/sam/Dockerfile
@@ -13,4 +13,4 @@ ENV JAVA_OPTS="-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=tr

 EXPOSE 8080

-ENTRYPOINT exec java $JAVA_OPTS -jar /opt/thorntail.jar
+ENTRYPOINT exec java $JAVA_OPTS $JAVA_DEBUG -jar /opt/thorntail.jar
--- a/docker/ssa/dist/ssa-server.war
+++ b/docker/ssa/dist/ssa-server.war
--- a/interfaces/src/main/java/reqesidta/interfaces/csr/CSRData.java
+++ b/interfaces/src/main/java/reqesidta/interfaces/csr/CSRData.java
+package reqesidta.interfaces.csr;
+/**
+ * Used for transfering CSR data between SAM and SSA. 
+ * @author tobias.assmann@ecsec.de
+ *
+ */
+public class CSRData {
+
+    public byte[] csr;
+
+    public CSRData() {
+    }
+
+    public CSRData(byte[] csr) {
+    	this.csr = csr;
+    }
+}
--- a/ssa-server/sam/src/main/java/reqesidta/sam/csr/rest/CSREndpoint.java
+++ b/ssa-server/sam/src/main/java/reqesidta/sam/csr/rest/CSREndpoint.java
@@ -15,12 +15,15 @@ import javax.ws.rs.InternalServerErrorException;
 import javax.ws.rs.NotFoundException;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
 import javax.ws.rs.core.Response;

 import org.jboss.logging.Logger;

+import reqesidta.interfaces.csr.CSRData;
 import reqesidta.sam.config.SAMConfig;
 import reqesidta.sam.csr.utils.CSRFactory;
+import reqesidta.sam.eac.apdu.util.UserEIDIdentity;
 import reqesidta.sam.session.Session;
 import reqesidta.sam.session.SessionStore;

@@ -40,14 +43,16 @@ public class CSREndpoint {

 	@GET
 	@Path("getcsr/{sessionId}")
-	public Response getCSR(@PathParam("sessionId") String sessionId) {
+	@Produces("application/json")
+	public CSRData getCSR(@PathParam("sessionId") String sessionId) {
 //		Session session = getSessionOrThrowNotFound(sessionId);
 		Session session = sessionStore.getNewSession(); //TODO remove and make it real!!
 		CSRFactory csrFac = new CSRFactory();
+		byte[] csr;
 		try {
 			// gen key pair for csr and save to session
 			KeyPair userKeyPair = csrFac.genUserKeyPair();
-			session.set(Session.USER_KEY, userKeyPair);
+			session.setUserKeyPair(userKeyPair);
 			// load sam server keys
 			// TODO: NOT THREADSAFE!!!! For prod this should be a inmemory keystore
 			KeyStore kst = KeyStore.getInstance("PKCS12");
@@ -59,14 +64,18 @@ public class CSREndpoint {
 			// create certificate request with user data from session,
 			// a generated user public key and the sam specific private key 
 			//TODO read args from session!
-			byte[] csr = csrFac.createCSR(userKeyPair.getPublic(),
+			//UserEIDIdentity user = session.getUserEIDIdentity();
+			UserEIDIdentity user = new UserEIDIdentity();
+			user.setGivenNames("givenname");
+			user.setLastNames("lastname");
+			user.setBirthName("birthname");
+			user.setDateOfBirth("19701231");;
+			csr = csrFac.createCSR(userKeyPair.getPublic(),
 					samPrivKey,
-					"givenname", 
-					"surname", 
-					"birthname", 
-					Date.from(LocalDate.of(2014, 2, 14).atStartOfDay(ZoneId.systemDefault()).toInstant()),
-					alias
-					);
+					user.getGivenNames(),
+					user.getLastNames(),
+					user.getBirthName(),
+					user.getDateOfBirth());
 		} catch (Exception e) {
 			log.error(e.getMessage());
 			log.debug(e.getStackTrace());
@@ -74,7 +83,7 @@ public class CSREndpoint {
 			throw new InternalServerErrorException();
 		}

-		return Response.ok("hey").build();
+		return new CSRData(csr);
 	}

 	private Session getSessionOrThrowNotFound(String sessionId) {

--- a/ssa-server/sam/src/main/java/reqesidta/sam/csr/utils/CSRFactory.java
+++ b/ssa-server/sam/src/main/java/reqesidta/sam/csr/utils/CSRFactory.java
@@ -17,6 +17,7 @@ import java.security.KeyPairGenerator;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.SecureRandom;
+import java.security.Security;
 import java.util.Date;

 import org.bouncycastle.asn1.DERPrintableString;
@@ -25,6 +26,7 @@ import org.bouncycastle.asn1.x500.X500NameBuilder;
 import org.bouncycastle.asn1.x500.style.BCStyle;
 import org.bouncycastle.asn1.x509.Time;
 import org.bouncycastle.jce.ECNamedCurveTable;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.OperatorCreationException;
@@ -44,10 +46,14 @@ public class CSRFactory {

 	private final static Logger log = Logger.getLogger(CSRFactory.class);
 	
+	static {
+		Security.addProvider(new BouncyCastleProvider());
+	}
+	
 	public KeyPair genUserKeyPair() throws GeneralSecurityException {
-
+		
+		log.debug("genUserKeyPair: generating user specific key pair ...");
 		ECNamedCurveParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("secp256r1");
-
 		KeyPairGenerator g = KeyPairGenerator.getInstance("EC", "BC");
 		g.initialize(ecSpec, new SecureRandom());
 		KeyPair pair = g.generateKeyPair();
@@ -55,45 +61,15 @@ public class CSRFactory {
 		return pair;
 	}
 	
-	/*
-	public byte[] createCRI(PublicKey pubKey, 
-			String givenname, 
-			String surname, 
-			String birthname, 
-			Date dateOfBirth) throws IOException {
-		
-		List<RDN> rdns = new ArrayList<>();
-		rdns.add(new RDN(BCStyle.GIVENNAME, new DERPrintableString(givenname)));
-		rdns.add(new RDN(BCStyle.SURNAME, new DERPrintableString(surname)));
-		rdns.add(new RDN(BCStyle.NAME_AT_BIRTH, new DERPrintableString(birthname)));
-		rdns.add(new RDN(BCStyle.DATE_OF_BIRTH, new Time(dateOfBirth)));
-		
-		CertificationRequestInfo csrInfo = new CertificationRequestInfo(
-			new X500Name(rdns.toArray(new RDN[0])),
-			SubjectPublicKeyInfo.getInstance(pubKey.getEncoded()),
-			null);
-		
-		return csrInfo.getEncoded(ASN1Encoding.DER);
-	}
-	
-	public byte[] signCRI(PrivateKey privateKey, byte[] cri) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
-		
-		Signature signature = Signature.getInstance("SHA256WithDSA");
-		SecureRandom random = new SecureRandom();
-		signature.initSign(privateKey, random);
-		signature.update(cri);
-		
-		return cri;
-	}
-	*/
-	
 	public byte[] createCSR(PublicKey pubKey,
 			PrivateKey privKey,
 			String givenname, 
 			String surname, 
 			String birthname, 
-			Date dateOfBirth,
-			String providerName) throws IOException, OperatorCreationException {
+			Date dateOfBirth) throws IOException, OperatorCreationException {
+		
+		log.debug("createCSR: creating csr ...");
+		
 		// data of the CSR
 		X500NameBuilder x500NameBld = new X500NameBuilder(BCStyle.INSTANCE);
 		x500NameBld.addRDN(BCStyle.GIVENNAME, new DERPrintableString(givenname));
@@ -111,59 +87,4 @@ public class CSRFactory {
 		
 		return req.getEncoded();
 	}
-
-	/*
-	public byte[] genCertReqInfo(PublicKey publicKey, String eduPersonPrincipleName, String normalizedCN, String dfnPrefixes) throws IOException {
-
-		String hashedPrincipleName = null;
-		try {
-			hashedPrincipleName = DatatypeConverter.printHexBinary(
-				MessageDigest.getInstance("SHA-256")
-					.digest(eduPersonPrincipleName.getBytes(StandardCharsets.UTF_8)));
-		} catch (NoSuchAlgorithmException ex) {
-			String msg = "Unable hash the eduPersonPrincipleName for the certificate mapping.";
-			log.error(msg, ex);
-			throw new RuntimeException(msg, ex); //TODO: handle exception
-		}
-
-		RDN[] dfnPrefixesRDN = new X500Name(dfnPrefixes).getRDNs();
-		List<RDN> rdns = new ArrayList<>(2);
-		
-		rdns.addAll(List.of(dfnPrefixesRDN));
-		rdns.add(new RDN(BCStyle.CN, new DERPrintableString(normalizedCN)));
-		rdns.add(new RDN(BCStyle.UID, new DERPrintableString(hashedPrincipleName)));
-
-		CertificationRequestInfo csrInfo = new CertificationRequestInfo(
-			new X500Name(rdns.toArray(new RDN[0])),
-			SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()),
-			null);
-
-		return csrInfo.getEncoded(ASN1Encoding.DER); //TODO: DER or BER?
-	}
-
-	public byte[] buildCSR(byte[] certReqInfo, AlgorithmIdentifier algorithm, byte[] signature) throws IOException {
-
-		CertificationRequestInfo info = CertificationRequestInfo.getInstance(ASN1Sequence.fromByteArray(certReqInfo));
-
-		PKCS10CertificationRequest req = new PKCS10CertificationRequest(
-			new CertificationRequest(
-				info,
-				algorithm,
-				new DERBitString(signature)
-			)
-		);
-
-		return req.getEncoded();
-	}
-
-	public byte[] buildCSR(byte[] certReqInfo, String algorithm, byte[] signature) throws IOException {
-		return buildCSR(certReqInfo, mapAlgorithm(algorithm), signature);
-	}
-
-	private AlgorithmIdentifier mapAlgorithm(String algo) {
-		var algoMapper = new DefaultSignatureAlgorithmIdentifierFinder();
-
-		return algoMapper.find(algo);
-	}
-	*/
 }
--- a/ssa-server/sam/src/main/java/reqesidta/sam/eac/apdu/SecureMessagingException.java
+++ b/ssa-server/sam/src/main/java/reqesidta/sam/eac/apdu/SecureMessagingException.java
@@ -10,15 +10,12 @@

 package reqesidta.sam.eac.apdu;

-import javax.smartcardio.CardException;
-
-
 /**
 * Exception to be thrown in case Secure Messaging fails.
 *
 * @author Arne Stahlbock, ast@bos-bremen.de
 */
-public class SecureMessagingException extends CardException
+public class SecureMessagingException extends Exception
 {

  /**

--- a/ssa-server/sam/src/main/java/reqesidta/sam/session/Session.java
+++ b/ssa-server/sam/src/main/java/reqesidta/sam/session/Session.java
@@ -99,6 +99,14 @@ public class Session {
 		return this.get(EPHEMERAL_KEY, KeyPair.class);
 	}

+	public void setUserKeyPair(KeyPair pair) {
+		this.set(USER_KEY, pair);
+	}
+
+	public Optional<KeyPair> getUserKeyPair() {
+		return this.get(USER_KEY, KeyPair.class);
+	}
+
 	public void setAESKeyMaterial(AESKeyMaterial aesKeyMaterial) {
 		this.set(AES_KEY_MATERIAL, aesKeyMaterial);
 	}

--- a/ssa-server/server/src/main/java/reqesidta/ssa/rest/SSAEndpoint.java
+++ b/ssa-server/server/src/main/java/reqesidta/ssa/rest/SSAEndpoint.java
@@ -22,6 +22,7 @@ import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.client.Client;
 import javax.ws.rs.client.ClientBuilder;
+import javax.ws.rs.client.Invocation;
 import javax.ws.rs.client.WebTarget;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -29,6 +30,7 @@ import javax.ws.rs.core.Response;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

+import reqesidta.interfaces.csr.CSRData;
 import reqesidta.ssa.config.SSAConfig;
 import reqesidta.ssa.session.Session;
 import reqesidta.ssa.session.SessionStore;
@@ -102,7 +104,8 @@ public class SSAEndpoint {
 		log.debug("getCertificates samSessionId: "+samSessionId);
 		Client c = ClientBuilder.newClient();
 		WebTarget webTarget = c.target(this.config.getSamUrl()+"/csr/getcsr");
-		Response samResponse = webTarget.path(samSessionId).request().get();
+		Invocation.Builder invocationBuilder = webTarget.path(samSessionId).request(MediaType.APPLICATION_JSON);
+		CSRData csr = invocationBuilder.get(CSRData.class);

 //		InitResponse response = new InitResponse();
 //		response.tcTokenUrl = "123456";

--- a/ssa-server/server/src/main/resources/reference.conf
+++ b/ssa-server/server/src/main/resources/reference.conf
@@ -3,7 +3,7 @@ ssa-config {
 	sessionCheckAgeInterval: 30,
 	baseUrl: "https://docker.reqesidta.de/ssa-server"
 	eidUrl: "http://poseidas.docker.reqesidta.de:8443/POSeIDAS/service/eid/TR-03130-WSDL.wsdl"
-	samUrl: "http://sam.docker.reqesidta.de:8080/"
+	samUrl: "http://sam.docker.reqesidta.de:8080"
 	ca-config: {
 		caName: 'dummy-caName',
 		cmpAlias: 'dummy-cmp-alias',