Merge pull request #33 from rglauco/main

Better Docs for CIE onboarding - Fix jwt revocation signature

examples/relying-party-spring-boot/README.md

@@ -87,7 +87,7 @@ previous chapter instructions replacing `127.0.0.1` with the right hostname
 
 **To be onboarded into CIE Federation**:
 - use always appropriate and valid TLS Certificates
-- use IP from Italian networks for server [CIE Federation servers uses geoblocking]
+- use IP from Italian networks for your server [CIE Federation preproduction servers are using geoblocking]
 - as contact use the same institutional email address as stated into the administrative part [do not use PEC]
 - when copy the federation public key please follow this pattern:
   - ```
@@ -105,4 +105,5 @@ previous chapter instructions replacing `127.0.0.1` with the right hostname
     }
     ```
 - when onboarded, please retrieve the Trust Mark form TA fetch endpoint like this example for preproduction: `https://preprod.oidc.registry.servizicie.interno.gov.it/fetch?sub={your_client_id}` 
-- remember to (put `[` `]` around the Trust Mark when writing the appropriate file
+- remember to (put `[` `]` around the Trust Mark when writing the appropriate file
+- `iat` and `exp` claims must be issued according to the UTC timezone, this is an example command for the webapp: `mvn clean spring-boot:run -Dspring-boot.run.jvmArguments="-Duser.timezone=UTC"`

starter-kit/pom.xml

@@ -16,7 +16,7 @@
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
-			<version>1.7.36</version>
+			<version>2.0.9</version>
 		</dependency>
 
 		<dependency>
@@ -28,13 +28,13 @@
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-simple</artifactId>
-			<version>1.7.36</version>
+			<version>2.0.9</version>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.mockito</groupId>
 			<artifactId>mockito-core</artifactId>
-			<version>4.2.0</version>
+			<version>5.10.0</version>
 			<scope>test</scope>
 			<exclusions>
 				<exclusion>
@@ -46,7 +46,7 @@
 		<dependency>
 			<groupId>com.github.tomakehurst</groupId>
 			<artifactId>wiremock-jre8</artifactId>
-			<version>2.35.1</version>
+			<version>3.0.1</version>
 			<scope>test</scope>
 		</dependency>
 	</dependencies>

starter-kit/src/main/java/it/spid/cie/oidc/helper/OAuth2Helper.java

@@ -154,7 +154,7 @@ public void sendRevocationRequest(
 				.put("exp", JWTHelper.getExpiresOn())
 				.put("jti", UUID.randomUUID().toString());
 
-			JWKSet jwkSet = JWTHelper.getJWKSetFromJSON(clientConf.getJwksFed());
+			JWKSet jwkSet = JWTHelper.getJWKSetFromJSON(clientConf.getJwksCoreByUse(KeyUse.SIGNATURE));
 
 			String clientAssertion = jwtHelper.createJWS(payload, jwkSet);
 

starter-kit/src/test/java/it/spid/cie/oidc/helper/TestJWTHelper.java

@@ -9,15 +9,11 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import com.nimbusds.jose.*;
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.junit.Test;
 
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jose.JWSObject;
-import com.nimbusds.jose.JWSSigner;
-import com.nimbusds.jose.Payload;
 import com.nimbusds.jose.crypto.RSASSASigner;
 import com.nimbusds.jose.jwk.Curve;
 import com.nimbusds.jose.jwk.ECKey;
@@ -65,6 +61,21 @@ public void testClass2() {
 		assertTrue(rsaKey.getKeyType().equals(KeyType.RSA));
 	}
 
+	@Test
+	public void testClass2enc() {
+		RSAKey rsaKey = null;
+		boolean catched = false;
+
+		try {
+			rsaKey = JWTHelper.createRSAEncKey(null, KeyUse.ENCRYPTION);
+		}
+		catch (Exception e) {
+			catched = true;
+		}
+
+		assertFalse(catched);
+		assertTrue(rsaKey.getKeyType().equals(KeyType.RSA));
+	}
 	@Test
 	public void testClass3() {
 		String test = "sample-value";
@@ -145,6 +156,20 @@ public void test_createRSAKey() {
 		assertFalse(catched);
 	}
 
+	@Test
+	public void test_createRSAEncKey() {
+		boolean catched = false;
+
+		try {
+			JWTHelper.createRSAEncKey(JWEAlgorithm.RSA_OAEP_256, KeyUse.ENCRYPTION);
+		}
+		catch(Exception e) {
+			catched = true;
+		}
+
+		assertFalse(catched);
+	}
+
 	@Test
 	public void test_fastParseHeader() {
 		boolean catched = false;
@@ -224,7 +249,7 @@ public void test_getJWKSetAsJSONArray() {
 
 		try {
 			RSAKey rsaKey1 = JWTHelper.createRSAKey(null, KeyUse.SIGNATURE);
-			RSAKey rsaKey2 = JWTHelper.createRSAKey(null, KeyUse.ENCRYPTION);
+			RSAKey rsaKey2 = JWTHelper.createRSAEncKey(null, KeyUse.ENCRYPTION);
 
 			JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey1, rsaKey2));
 
@@ -243,9 +268,10 @@ public void test_getJWKSetAsJSONArray() {
 
 		try {
 			RSAKey rsaKey = JWTHelper.createRSAKey(null, KeyUse.SIGNATURE);
+			RSAKey rsaEncKey = JWTHelper.createRSAEncKey(null, KeyUse.ENCRYPTION);
 			ECKey ecKey = createECKey(KeyUse.ENCRYPTION);
 
-			JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey, ecKey));
+			JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey, ecKey, rsaEncKey));
 
 			jsonArray = JWTHelper.getJWKSetAsJSONArray(jwkSet, false);
 		}
@@ -254,17 +280,18 @@ public void test_getJWKSetAsJSONArray() {
 		}
 
 		assertFalse(catched);
-		assertTrue(jsonArray.length() == 2);
+		assertTrue(jsonArray.length() == 3);
 		assertTrue(jsonArray.getJSONObject(0).has("use"));
 
 		catched = false;
 		jsonArray = null;
 
 		try {
 			RSAKey rsaKey = JWTHelper.createRSAKey(null, KeyUse.SIGNATURE);
+			RSAKey rsaEncKey = JWTHelper.createRSAEncKey(null, KeyUse.ENCRYPTION);
 			ECKey ecKey = createECKey(KeyUse.ENCRYPTION);
 
-			JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey, ecKey));
+			JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey, ecKey, rsaEncKey));
 
 			jsonArray = JWTHelper.getJWKSetAsJSONArray(jwkSet, true, false);
 		}
@@ -273,7 +300,7 @@ public void test_getJWKSetAsJSONArray() {
 		}
 
 		assertFalse(catched);
-		assertTrue(jsonArray.length() == 2);
+		assertTrue(jsonArray.length() == 3);
 		assertTrue(jsonArray.getJSONObject(0).has("use"));
 
 		catched = false;
@@ -312,7 +339,7 @@ public void test_getJWKSetFromJSON1() {
 
 		try {
 			RSAKey rsaKey1 = JWTHelper.createRSAKey(null, KeyUse.SIGNATURE);
-			RSAKey rsaKey2 = JWTHelper.createRSAKey(null, KeyUse.ENCRYPTION);
+			RSAKey rsaKey2 = JWTHelper.createRSAEncKey(null, KeyUse.ENCRYPTION);
 
 			JWKSet jwkSet = new JWKSet(Arrays.asList(rsaKey1, rsaKey2));
 
@@ -576,9 +603,9 @@ private String encode64(String value) {
 
 	private static JWKSet createJWKSet() throws Exception {
 		RSAKey rsaKey1 = JWTHelper.createRSAKey(JWSAlgorithm.RS256, KeyUse.SIGNATURE);
-		//RSAKey rsaKey2 = JWTHelper.createRSAKey(null, KeyUse.ENCRYPTION);
+		RSAKey rsaKey2 = JWTHelper.createRSAEncKey(JWEAlgorithm.RSA_OAEP_256, KeyUse.ENCRYPTION);
 
-		return new JWKSet(Arrays.asList(rsaKey1));
+		return new JWKSet(Arrays.asList(rsaKey1, rsaKey2));
 	}
 
 	private static String createJWS(JSONObject payload, JSONObject jwks)

starter-kit/src/test/java/it/spid/cie/oidc/helper/TestOAuth2Helper.java

@@ -323,12 +323,13 @@ public void testClass3() {
 					WireMock.forbidden()
 				));
 
-			JWKSet jwks = JWTHelper.getJWKSetFromJWK(options.getJwkFed());
+			//JWKSet jwks = JWTHelper.getJWKSetFromJWK(options.getJwkFed());
+			JWKSet jwks = RPTestUtils.getJwksCoreByUse(JWTHelper.getJWKSetFromJSON(options.getJwkCore()), KeyUse.SIGNATURE);
 
 			FederationEntity clientConf = new FederationEntity();
 
 			clientConf.setSubject(RELYING_PARTY);
-			clientConf.setJwksFed(jwks.toString(false));
+			clientConf.setJwksCore(jwks.toString(false));
 
 			helper.sendRevocationRequest(null, null, SPID_PROVIDER + "test", clientConf);
 		}
@@ -352,12 +353,13 @@ public void testClass3() {
 					WireMock.ok()
 				));
 
-			JWKSet jwks = JWTHelper.getJWKSetFromJWK(options.getJwkFed());
+			//JWKSet jwks = JWTHelper.getJWKSetFromJWK(options.getJwkFed());
+			JWKSet jwks = RPTestUtils.getJwksCoreByUse(JWTHelper.getJWKSetFromJSON(options.getJwkCore()), KeyUse.SIGNATURE);
 
 			FederationEntity clientConf = new FederationEntity();
 
 			clientConf.setSubject(RELYING_PARTY);
-			clientConf.setJwksFed(jwks.toString(false));
+			clientConf.setJwksCore(jwks.toString(false));
 
 			helper.sendRevocationRequest(null, null, SPID_PROVIDER + "test", clientConf);
 		}

starter-kit/src/test/java/it/spid/cie/oidc/model/TestTrustMark.java

@@ -7,6 +7,7 @@
 import java.io.IOException;
 import java.util.Arrays;
 
+import com.nimbusds.jose.JWEAlgorithm;
 import org.json.JSONObject;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
@@ -238,9 +239,9 @@ public void test_validate() {
 
 	private static JWKSet createJWKSet() throws Exception {
 		RSAKey rsaKey1 = JWTHelper.createRSAKey(JWSAlgorithm.RS256, KeyUse.SIGNATURE);
-		//RSAKey rsaKey2 = JWTHelper.createRSAKey(null, KeyUse.ENCRYPTION);
+		RSAKey rsaKey2 = JWTHelper.createRSAEncKey(JWEAlgorithm.RSA_OAEP_256, KeyUse.ENCRYPTION);
 
-		return new JWKSet(Arrays.asList(rsaKey1));
+		return new JWKSet(Arrays.asList(rsaKey1, rsaKey2));
 	}
 
 	/**

starter-kit/src/test/java/it/spid/cie/oidc/test/util/RPTestUtils.java

@@ -94,9 +94,9 @@ public static String createJWS(JSONObject payload, JSONObject jwks)
 
 	public static JWKSet createJWKSet() throws Exception {
 		RSAKey rsaKey1 = JWTHelper.createRSAKey(JWSAlgorithm.RS256, KeyUse.SIGNATURE);
-		//RSAKey rsaKey2 = JWTHelper.createRSAKey(null, KeyUse.ENCRYPTION);
+		RSAKey rsaKey2 = JWTHelper.createRSAEncKey(JWEAlgorithm.RSA_OAEP_256, KeyUse.ENCRYPTION);
 
-		return new JWKSet(Arrays.asList(rsaKey1));
+		return new JWKSet(Arrays.asList(rsaKey1, rsaKey2));
 	}
 
 	public static RelyingPartyOptions getOptions() throws Exception {