ARC-1234: Rename & Better Generator

Author: thomasrichner-oviva

.gitignore

@@ -2,8 +2,9 @@
 target/
 gesundheitsid/env.properties
 *.iml
-gesundheitsid/dependency-reduced-pom.xml
 .flattened-pom.xml
 *_jwks.json
 env.properties
 *.pem
+federation_registration_form.xml
+dependency-reduced-pom.xml

README.md

@@ -1,23 +1,66 @@
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=oviva-ag_keycloak-gesundheitsid&metric=alert_status&token=64c09371c0f6c1d729fc0b0424706cd54011cb90)](https://sonarcloud.io/summary/new_code?id=oviva-ag_keycloak-gesundheitsid)
 [![Coverage](https://sonarcloud.io/api/project_badges/measure?project=oviva-ag_keycloak-gesundheitsid&metric=coverage&token=64c09371c0f6c1d729fc0b0424706cd54011cb90)](https://sonarcloud.io/summary/new_code?id=oviva-ag_keycloak-gesundheitsid)
 
-# Keycloak Identity Provider for GesundheitsID (eHealthID)
+# OpenID Connect Relying Party for GesundheitsID (eHealthID)
 
 ## Contents
+
+- [ehealthid-rp](./ehealthid-rp) - A standalone application to act as a OpenID Connect (OIDC)
+  Relying Party. Bridges OIDC and Germany's GesundheitsID OpenID federation.
+- [esgen](./esgen) - A script to generate keys and federation registration forms.
 - [gesundheitsid](./gesundheitsid) - A plain Java library to build RelyingParties for GesundheitsID.
-  - API clients
-  - Models for the EntityStatments, IDP list endpoints etc.
-  - Narrow support for the 'Fachdienst' use-case.
+    - API clients
+    - Models for the EntityStatments, IDP list endpoints etc.
+    - Narrow support for the 'Fachdienst' use-case.
+
+## Generate Keys & Register for Federation
+
+In order to participate in the GesundheitsID one needs to register the entity statement of the IDP
+or in this case the relying party here.
+
+To simplify matter, here a script to generate fresh keys as well as the XML necessary to register
+with Gematik.
+
+See [Gematik documentation](https://wiki.gematik.de/pages/viewpage.action?pageId=544316583) for
+details
+on the registration process.
+
+### Generate Fresh Keys and Prepare Registration
+
+```shell
+# a string received from Gematik as part of the registration process
+export MEMBER_ID=FDmyDiGa0112TU
+
+./gen_keys.sh \
+    --issuer-uri=https://mydiga.example.com \
+    --member-id="$MEMBER_ID" \
+    --organisation-name="My DiGA" \
+    --generate-keys
+```
+
+### Re-use Existing Keys and Prepare Registration
+
+```shell
+# a string received from Gematik as part of the registration process
+export MEMBER_ID=FDmyDiGa0112TU
+
+./gen_keys.sh \
+    --issuer-uri=https://mydiga.example.com \
+    --member-id="$MEMBER_ID" \
+    --organisation-name="My DiGA" \
+    --signing-jwks=./sig_jwks.json \
+    --encryption-jwks=./enc_jwks.json
+```
 
 ## End-to-End Test flow with Gematik Reference IDP
 
 **Prerequisites**:
 
 1. Setup your test environment, your own issuer **MUST** serve a **VALID** and **TRUSTED** entity
-  statement. See [Gematik docs](https://wiki.gematik.de/pages/viewpage.action?pageId=544316583)
+   statement. See [Gematik docs](https://wiki.gematik.de/pages/viewpage.action?pageId=544316583)
 2. Setup the file `env.properties` to provide
-  the [X-Authorization header](https://wiki.gematik.de/display/IDPKB/Fachdienste+Test-Umgebungen)
-  for the Gematik
+   the [X-Authorization header](https://wiki.gematik.de/display/IDPKB/Fachdienste+Test-Umgebungen)
+   for the Gematik
 3. Setup the JWK sets for signing and encryption keys
 
 ```java
@@ -72,29 +115,35 @@ See [AuthenticationFlowExampleTest](https://github.com/oviva-ag/keycloak-gesundh
 
 ## Working with Gematik Test Environment
 
-
 ### Gematik Test Sektoraler IdP in Browser
 
-Since the Gematik reference IDP in the Test Environment needs a custom header, it can not be used directly in the browser for authentication.
+Since the Gematik reference IDP in the Test Environment needs a custom header, it can not be used
+directly in the browser for authentication.
 Setting up a proxy with a header filter can get around that limitation though.
 
-**Prerequisite:** Install some Chrome-ish browser like [Thorium](https://github.com/Alex313031/Thorium-MacOS/releases) or Chromium.
+**Prerequisite:** Install some Chrome-ish browser
+like [Thorium](https://github.com/Alex313031/Thorium-MacOS/releases) or Chromium.
+
+1.
+
+launch `mitmweb`: `mitmweb -p 8881 --web-port=8882 --set "modify_headers=/~q & ~d gsi.dev.gematik.solutions/X-Authorization/<value goes here>"`
 
-1. launch `mitmweb`: `mitmweb -p 8881 --web-port=8882`
 2. launch Chrome-like browser
     ```
     /Applications/Thorium.app/Contents/MacOS/Thorium --proxy-server=http://localhost:8881
    ```
-3. setup `modify_headers` option
-    ```mitmproxy
-    # modify_headers filter 
-    /~q & ~d gsi.dev.gematik.solutions/X-Authorization/<value goes here>
-    ```
 
 ## Setup Test VM
 
+For testing the entity statement of the relying party must be publicly available via HTTPS. Setting
+up a quick VM
+with a caddy reverse proxy makes that easy.
+
 ```shell
 
+# adapt as necessary, make sure to set up the corresponding DNS A records
+DOMAIN=mydiga.example.com
+
 sudo apt update
 sudo apt install jq openjdk-17-jre-headless
 
@@ -105,12 +154,12 @@ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo
 sudo apt update
 sudo apt install caddy
 
+# caddy enables itself by default, we don't want it
 sudo systemctl disable --now caddy
 
-sudo caddy reverse-proxy --from=t.oviva.io --to=:1234
+sudo caddy reverse-proxy --from=$DOMAIN --to=:1234
 ```
 
-
 ## Helpful Links
 
 - [Gematik Sectoral IDP Specifications v2.0.1](https://fachportal.gematik.de/fachportal-import/files/gemSpec_IDP_Sek_V2.0.1.pdf)

oidc-server/pom.xml renamed to ehealthid-rp/pom.xml

@@ -5,18 +5,19 @@
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
-    <groupId>com.oviva.gesundheitsid</groupId>
-    <artifactId>gesundheitsid-parent</artifactId>
+    <groupId>com.oviva.ehealthid</groupId>
+    <artifactId>ehealthid-parent</artifactId>
     <version>0.0.1-SNAPSHOT</version>
   </parent>
 
-  <artifactId>oidc-server</artifactId>
+  <artifactId>ehealthid-rp</artifactId>
+  <description>Standalone OpenID connect relying party for Germany's eHealthID</description>
   <packaging>jar</packaging>
 
   <dependencies>
     <dependency>
-      <groupId>com.oviva.gesundheitsid</groupId>
-      <artifactId>gesundheitsid</artifactId>
+      <groupId>com.oviva.ehealthid</groupId>
+      <artifactId>ehealthid</artifactId>
       <version>${project.version}</version>
     </dependency>
     <dependency>
@@ -150,7 +151,7 @@
         <configuration>
           <archive>
             <manifest>
-              <mainClass>com.oviva.gesundheitsid.relyingparty.Main</mainClass>
+              <mainClass>com.oviva.ehealthid.relyingparty.Main</mainClass>
             </manifest>
           </archive>
           <descriptorRefs>

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/Main.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/Main.java

@@ -1,25 +1,25 @@
-package com.oviva.gesundheitsid.relyingparty;
+package ehealthid.relyingparty;
 
 import com.nimbusds.jose.jwk.JWKSet;
-import com.oviva.gesundheitsid.auth.AuthenticationFlow;
-import com.oviva.gesundheitsid.fedclient.FederationMasterClientImpl;
-import com.oviva.gesundheitsid.fedclient.api.CachedFederationApiClient;
-import com.oviva.gesundheitsid.fedclient.api.FederationApiClientImpl;
-import com.oviva.gesundheitsid.fedclient.api.InMemoryCacheImpl;
-import com.oviva.gesundheitsid.fedclient.api.JavaHttpClient;
-import com.oviva.gesundheitsid.fedclient.api.OpenIdClient;
-import com.oviva.gesundheitsid.relyingparty.cfg.ConfigProvider;
-import com.oviva.gesundheitsid.relyingparty.cfg.EnvConfigProvider;
-import com.oviva.gesundheitsid.relyingparty.cfg.RelyingPartyConfig;
-import com.oviva.gesundheitsid.relyingparty.fed.FederationConfig;
-import com.oviva.gesundheitsid.relyingparty.poc.GematikHeaderDecoratorHttpClient;
-import com.oviva.gesundheitsid.relyingparty.svc.InMemoryCodeRepo;
-import com.oviva.gesundheitsid.relyingparty.svc.InMemorySessionRepo;
-import com.oviva.gesundheitsid.relyingparty.svc.KeyStore;
-import com.oviva.gesundheitsid.relyingparty.svc.TokenIssuerImpl;
-import com.oviva.gesundheitsid.relyingparty.util.Strings;
-import com.oviva.gesundheitsid.relyingparty.ws.App;
-import com.oviva.gesundheitsid.util.JwksUtils;
+import com.oviva.ehealthid.auth.AuthenticationFlow;
+import com.oviva.ehealthid.fedclient.FederationMasterClientImpl;
+import com.oviva.ehealthid.fedclient.api.CachedFederationApiClient;
+import com.oviva.ehealthid.fedclient.api.FederationApiClientImpl;
+import com.oviva.ehealthid.fedclient.api.InMemoryCacheImpl;
+import com.oviva.ehealthid.fedclient.api.JavaHttpClient;
+import com.oviva.ehealthid.fedclient.api.OpenIdClient;
+import com.oviva.ehealthid.relyingparty.cfg.ConfigProvider;
+import com.oviva.ehealthid.relyingparty.cfg.EnvConfigProvider;
+import com.oviva.ehealthid.relyingparty.cfg.RelyingPartyConfig;
+import com.oviva.ehealthid.relyingparty.fed.FederationConfig;
+import com.oviva.ehealthid.relyingparty.poc.GematikHeaderDecoratorHttpClient;
+import com.oviva.ehealthid.relyingparty.svc.InMemoryCodeRepo;
+import com.oviva.ehealthid.relyingparty.svc.InMemorySessionRepo;
+import com.oviva.ehealthid.relyingparty.svc.KeyStore;
+import com.oviva.ehealthid.relyingparty.svc.TokenIssuerImpl;
+import com.oviva.ehealthid.relyingparty.util.Strings;
+import com.oviva.ehealthid.relyingparty.ws.App;
+import com.oviva.ehealthid.util.JwksUtils;
 import jakarta.ws.rs.SeBootstrap;
 import jakarta.ws.rs.SeBootstrap.Configuration;
 import java.net.URI;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/cfg/ConfigProvider.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/cfg/ConfigProvider.java

@@ -1,4 +1,4 @@
-package com.oviva.gesundheitsid.relyingparty.cfg;
+package com.oviva.ehealthid.relyingparty.cfg;
 
 import java.util.Optional;
 

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/cfg/EnvConfigProvider.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/cfg/EnvConfigProvider.java

@@ -1,4 +1,4 @@
-package com.oviva.gesundheitsid.relyingparty.cfg;
+package com.oviva.ehealthid.relyingparty.cfg;
 
 import java.util.Locale;
 import java.util.Optional;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/cfg/RelyingPartyConfig.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/cfg/RelyingPartyConfig.java

@@ -1,4 +1,4 @@
-package com.oviva.gesundheitsid.relyingparty.cfg;
+package com.oviva.ehealthid.relyingparty.cfg;
 
 import java.net.URI;
 import java.util.List;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/fed/FederationConfig.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/fed/FederationConfig.java

@@ -1,4 +1,4 @@
-package com.oviva.gesundheitsid.relyingparty.fed;
+package com.oviva.ehealthid.relyingparty.fed;
 
 import com.nimbusds.jose.jwk.ECKey;
 import com.nimbusds.jose.jwk.JWKSet;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/fed/FederationEndpoint.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/fed/FederationEndpoint.java

@@ -1,9 +1,9 @@
-package com.oviva.gesundheitsid.relyingparty.fed;
+package com.oviva.ehealthid.relyingparty.fed;
 
-import com.oviva.gesundheitsid.fedclient.api.EntityStatement;
-import com.oviva.gesundheitsid.fedclient.api.EntityStatement.FederationEntity;
-import com.oviva.gesundheitsid.fedclient.api.EntityStatement.Metadata;
-import com.oviva.gesundheitsid.fedclient.api.EntityStatement.OpenIdRelyingParty;
+import com.oviva.ehealthid.fedclient.api.EntityStatement;
+import com.oviva.ehealthid.fedclient.api.EntityStatement.FederationEntity;
+import com.oviva.ehealthid.fedclient.api.EntityStatement.Metadata;
+import com.oviva.ehealthid.fedclient.api.EntityStatement.OpenIdRelyingParty;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.Produces;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/poc/Environment.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/poc/Environment.java

@@ -1,4 +1,4 @@
-package com.oviva.gesundheitsid.relyingparty.poc;
+package com.oviva.ehealthid.relyingparty.poc;
 
 import java.io.IOException;
 import java.nio.file.Files;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/poc/GematikHeaderDecoratorHttpClient.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/poc/GematikHeaderDecoratorHttpClient.java

@@ -1,6 +1,6 @@
-package com.oviva.gesundheitsid.relyingparty.poc;
+package com.oviva.ehealthid.relyingparty.poc;
 
-import com.oviva.gesundheitsid.fedclient.api.HttpClient;
+import com.oviva.ehealthid.fedclient.api.HttpClient;
 import java.util.ArrayList;
 
 public class GematikHeaderDecoratorHttpClient implements HttpClient {

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/CodeRepo.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/svc/CodeRepo.java

@@ -1,6 +1,6 @@
-package com.oviva.gesundheitsid.relyingparty.svc;
+package com.oviva.ehealthid.relyingparty.svc;
 
-import com.oviva.gesundheitsid.relyingparty.svc.TokenIssuer.Code;
+import com.oviva.ehealthid.relyingparty.svc.TokenIssuer.Code;
 import java.util.Optional;
 
 public interface CodeRepo {

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/InMemoryCodeRepo.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/svc/InMemoryCodeRepo.java

@@ -1,6 +1,6 @@
-package com.oviva.gesundheitsid.relyingparty.svc;
+package com.oviva.ehealthid.relyingparty.svc;
 
-import com.oviva.gesundheitsid.relyingparty.svc.TokenIssuer.Code;
+import com.oviva.ehealthid.relyingparty.svc.TokenIssuer.Code;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/InMemorySessionRepo.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/svc/InMemorySessionRepo.java

@@ -1,6 +1,6 @@
-package com.oviva.gesundheitsid.relyingparty.svc;
+package com.oviva.ehealthid.relyingparty.svc;
 
-import com.oviva.gesundheitsid.relyingparty.util.IdGenerator;
+import com.oviva.ehealthid.relyingparty.util.IdGenerator;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.Nullable;
 import java.util.concurrent.ConcurrentHashMap;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/KeyStore.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/svc/KeyStore.java

@@ -1,4 +1,4 @@
-package com.oviva.gesundheitsid.relyingparty.svc;
+package com.oviva.ehealthid.relyingparty.svc;
 
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.jwk.Curve;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/SessionRepo.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/svc/SessionRepo.java

@@ -1,6 +1,6 @@
-package com.oviva.gesundheitsid.relyingparty.svc;
+package com.oviva.ehealthid.relyingparty.svc;
 
-import com.oviva.gesundheitsid.auth.steps.TrustedSectoralIdpStep;
+import com.oviva.ehealthid.auth.steps.TrustedSectoralIdpStep;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import java.net.URI;
 

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/TokenIssuer.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/svc/TokenIssuer.java

@@ -1,7 +1,7 @@
-package com.oviva.gesundheitsid.relyingparty.svc;
+package com.oviva.ehealthid.relyingparty.svc;
 
-import com.oviva.gesundheitsid.auth.IdTokenJWS;
-import com.oviva.gesundheitsid.relyingparty.svc.SessionRepo.Session;
+import com.oviva.ehealthid.auth.IdTokenJWS;
+import com.oviva.ehealthid.relyingparty.svc.SessionRepo.Session;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import java.net.URI;
 import java.time.Instant;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/svc/TokenIssuerImpl.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/svc/TokenIssuerImpl.java

@@ -1,14 +1,14 @@
-package com.oviva.gesundheitsid.relyingparty.svc;
+package com.oviva.ehealthid.relyingparty.svc;
 
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.crypto.ECDSASigner;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
-import com.oviva.gesundheitsid.auth.IdTokenJWS;
-import com.oviva.gesundheitsid.relyingparty.svc.SessionRepo.Session;
-import com.oviva.gesundheitsid.relyingparty.util.IdGenerator;
+import com.oviva.ehealthid.auth.IdTokenJWS;
+import com.oviva.ehealthid.relyingparty.svc.SessionRepo.Session;
+import com.oviva.ehealthid.relyingparty.util.IdGenerator;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import java.net.URI;
 import java.time.Clock;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/util/IdGenerator.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/util/IdGenerator.java

@@ -1,4 +1,4 @@
-package com.oviva.gesundheitsid.relyingparty.util;
+package com.oviva.ehealthid.relyingparty.util;
 
 import java.security.SecureRandom;
 import java.util.Base64;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/util/Strings.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/util/Strings.java

@@ -1,4 +1,4 @@
-package com.oviva.gesundheitsid.relyingparty.util;
+package com.oviva.ehealthid.relyingparty.util;
 
 import java.util.Arrays;
 import java.util.Objects;

oidc-server/src/main/java/com/oviva/gesundheitsid/relyingparty/ws/App.java renamed to ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/ws/App.java

@@ -1,16 +1,16 @@
-package com.oviva.gesundheitsid.relyingparty.ws;
+package com.oviva.ehealthid.relyingparty.ws;
 
 import com.fasterxml.jackson.annotation.JsonInclude.Include;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.jakarta.rs.json.JacksonJsonProvider;
-import com.oviva.gesundheitsid.auth.AuthenticationFlow;
-import com.oviva.gesundheitsid.relyingparty.cfg.RelyingPartyConfig;
-import com.oviva.gesundheitsid.relyingparty.fed.FederationConfig;
-import com.oviva.gesundheitsid.relyingparty.fed.FederationEndpoint;
-import com.oviva.gesundheitsid.relyingparty.svc.KeyStore;
-import com.oviva.gesundheitsid.relyingparty.svc.SessionRepo;
-import com.oviva.gesundheitsid.relyingparty.svc.TokenIssuer;
-import com.oviva.gesundheitsid.util.JoseModule;
+import com.oviva.ehealthid.auth.AuthenticationFlow;
+import com.oviva.ehealthid.relyingparty.cfg.RelyingPartyConfig;
+import com.oviva.ehealthid.relyingparty.fed.FederationConfig;
+import com.oviva.ehealthid.relyingparty.fed.FederationEndpoint;
+import com.oviva.ehealthid.relyingparty.svc.KeyStore;
+import com.oviva.ehealthid.relyingparty.svc.SessionRepo;
+import com.oviva.ehealthid.relyingparty.svc.TokenIssuer;
+import com.oviva.ehealthid.util.JoseModule;
 import jakarta.ws.rs.core.Application;
 import java.util.Set;