ARC-1233: Basic working version with GesundheitsID

.gitignore

@@ -5,3 +5,4 @@ gesundheitsid/env.properties
 gesundheitsid/dependency-reduced-pom.xml
 .flattened-pom.xml
 *_jwks.json
+env.properties

README.md

@@ -15,7 +15,7 @@
 
 1. Setup your test environment, your own issuer **MUST** serve a **VALID** and **TRUSTED** entity
   statement. See [Gematik docs](https://wiki.gematik.de/pages/viewpage.action?pageId=544316583)
-2. Setup the file `.env.properties` to provide
+2. Setup the file `env.properties` to provide
   the [X-Authorization header](https://wiki.gematik.de/display/IDPKB/Fachdienste+Test-Umgebungen)
   for the Gematik
 3. Setup the JWK sets for signing and encryption keys
@@ -94,6 +94,7 @@ Setting up a proxy with a header filter can get around that limitation though.
 
 ## Helpful Links
 
+- [Gematik Sectoral IDP Specifications v2.0.1](https://fachportal.gematik.de/fachportal-import/files/gemSpec_IDP_Sek_V2.0.1.pdf)
 - [AppFlow - Authentication flow to implement](https://wiki.gematik.de/display/IDPKB/App-App+Flow#AppAppFlow-0-FederationMaster)
 - [Sektoraler IDP - Examples & Reference Implementation](https://wiki.gematik.de/display/IDPKB/Sektoraler+IDP+-+Referenzimplementierung+und+Beispiele)
 - [OpenID Federation Spec](https://openid.net/specs/openid-federation-1_0.html)

gesundheitsid/src/main/java/com/oviva/gesundheitsid/fedclient/api/EntityStatement.java

@@ -2,7 +2,16 @@
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JOSEObjectType;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.Payload;
+import com.nimbusds.jose.crypto.ECDSASigner;
+import com.nimbusds.jose.jwk.ECKey;
 import com.nimbusds.jose.jwk.JWKSet;
+import com.oviva.gesundheitsid.util.JsonCodec;
 import java.time.Instant;
 import java.util.List;
 
@@ -38,6 +47,25 @@ public static Builder create() {
     return new Builder();
   }
 
+  public JWSObject sign(ECKey key) {
+    try {
+      var signer = new ECDSASigner(key);
+
+      var h =
+          new JWSHeader.Builder(JWSAlgorithm.ES256)
+              .type(new JOSEObjectType(EntityStatementJWS.ENTITY_STATEMENT_TYP))
+              .keyID(key.getKeyID())
+              .build();
+
+      var jwsObject = new JWSObject(h, new Payload(JsonCodec.writeValueAsString(this)));
+      jwsObject.sign(signer);
+
+      return jwsObject;
+    } catch (JOSEException e) {
+      throw new IllegalArgumentException("failed to sign entity statement", e);
+    }
+  }
+
   @JsonIgnoreProperties(ignoreUnknown = true)
   public record OpenidProvider(
       @JsonProperty("pushed_authorization_request_endpoint")

gesundheitsid/src/main/java/com/oviva/gesundheitsid/fedclient/api/EntityStatementJWS.java

@@ -11,7 +11,7 @@
 
 public record EntityStatementJWS(JWSObject jws, EntityStatement body) implements TemporalValid {
 
-  private static final String ENTITY_STATEMENT_TYP = "entity-statement+jwt";
+  public static final String ENTITY_STATEMENT_TYP = "entity-statement+jwt";
 
   public static EntityStatementJWS parse(String wire) {
     try {

gesundheitsid/src/test/java/com/oviva/gesundheitsid/test/B64Utils.java → gesundheitsid/src/main/java/com/oviva/gesundheitsid/util/B64Utils.java

@@ -1,4 +1,4 @@
-package com.oviva.gesundheitsid.test;
+package com.oviva.gesundheitsid.util;
 
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;

gesundheitsid/src/main/java/com/oviva/gesundheitsid/util/JsonCodec.java

@@ -1,5 +1,6 @@
 package com.oviva.gesundheitsid.util;
 
+import com.fasterxml.jackson.annotation.JsonInclude.Include;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -13,6 +14,7 @@ public class JsonCodec {
     var om = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
 
     om.registerModule(new JoseModule());
+    om.setSerializationInclusion(Include.NON_NULL);
 
     JsonCodec.om = om;
   }

gesundheitsid/src/test/java/com/oviva/gesundheitsid/test/JwksUtils.java → gesundheitsid/src/main/java/com/oviva/gesundheitsid/util/JwksUtils.java

@@ -1,15 +1,12 @@
-package com.oviva.gesundheitsid.test;
+package com.oviva.gesundheitsid.util;
 
 import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.jwk.Curve;
 import com.nimbusds.jose.jwk.ECKey;
 import com.nimbusds.jose.jwk.JWKSet;
-import com.oviva.gesundheitsid.crypto.ECKeyPair;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.text.ParseException;
-import java.util.List;
 
 public class JwksUtils {
 
@@ -20,30 +17,35 @@ public static JWKSet load(Path path) {
     try (var fin = Files.newInputStream(path)) {
       return JWKSet.load(fin);
     } catch (IOException | ParseException e) {
-      throw new RuntimeException("failed to load JWKS from '%s'".formatted(path), e);
+      var fullPath = path.toAbsolutePath();
+      throw new RuntimeException(
+          "failed to load JWKS from '%s' ('%s')".formatted(path, fullPath), e);
     }
   }
 
-  public static JWKSet toJwks(ECKeyPair pair) {
+  public static JWKSet toJwks(ECKey key) {
 
     try {
-      var jwk =
-          new ECKey.Builder(Curve.P_256, pair.pub())
-              .privateKey(pair.priv())
-              .keyIDFromThumbprint()
-              .build();
+      if (key.getKeyID() == null || key.getKeyID().isBlank()) {
+        key = new ECKey.Builder(key).keyIDFromThumbprint().build();
+      }
 
-      return new JWKSet(List.of(jwk));
+      return new JWKSet(key);
     } catch (JOSEException e) {
       throw new IllegalArgumentException("bad key", e);
     }
   }
 
-  public static JWKSet toPublicJwks(ECKeyPair pair) {
+  public static JWKSet toPublicJwks(ECKey key) {
     try {
-      var jwk = new ECKey.Builder(Curve.P_256, pair.pub()).keyIDFromThumbprint().build();
 
-      return new JWKSet(List.of(jwk));
+      if (key.getKeyID() == null || key.getKeyID().isBlank()) {
+        key = new ECKey.Builder(key).keyIDFromThumbprint().build();
+      }
+
+      var pub = key.toPublicJWK();
+
+      return new JWKSet(pub);
     } catch (JOSEException e) {
       throw new IllegalArgumentException("bad key", e);
     }

gesundheitsid/src/test/java/com/oviva/gesundheitsid/test/JwsUtils.java → gesundheitsid/src/main/java/com/oviva/gesundheitsid/util/JwsUtils.java

@@ -1,21 +1,20 @@
-package com.oviva.gesundheitsid.test;
+package com.oviva.gesundheitsid.util;
 
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.JWSObject;
 import com.nimbusds.jose.Payload;
 import com.nimbusds.jose.crypto.ECDSASigner;
-import com.nimbusds.jose.jwk.JWKSet;
+import com.nimbusds.jose.jwk.ECKey;
 
 public class JwsUtils {
 
   private JwsUtils() {}
 
-  public static JWSObject toJws(JWKSet jwks, String payload) {
+  public static JWSObject toJws(ECKey key, String payload) {
     try {
-      var key = jwks.getKeys().get(0);
-      var signer = new ECDSASigner(key.toECKey());
+      var signer = new ECDSASigner(key);
 
       var h = new JWSHeader.Builder(JWSAlgorithm.ES256).keyID(key.getKeyID()).build();
 

gesundheitsid/src/test/java/com/oviva/gesundheitsid/auth/AuthenticationFlowExampleTest.java

@@ -14,7 +14,7 @@
 import com.oviva.gesundheitsid.fedclient.api.UrlFormBodyBuilder;
 import com.oviva.gesundheitsid.test.Environment;
 import com.oviva.gesundheitsid.test.GematikHeaderDecoratorHttpClient;
-import com.oviva.gesundheitsid.test.JwksUtils;
+import com.oviva.gesundheitsid.util.JwksUtils;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URLDecoder;

gesundheitsid/src/test/java/com/oviva/gesundheitsid/crypto/JwsVerifierTest.java

@@ -1,26 +1,36 @@
 package com.oviva.gesundheitsid.crypto;
 
-import static com.oviva.gesundheitsid.test.JwksUtils.toJwks;
-import static com.oviva.gesundheitsid.test.JwsUtils.*;
-import static com.oviva.gesundheitsid.test.JwsUtils.garbageSignature;
-import static com.oviva.gesundheitsid.test.JwsUtils.tamperSignature;
+import static com.oviva.gesundheitsid.util.JwsUtils.*;
+import static com.oviva.gesundheitsid.util.JwsUtils.garbageSignature;
+import static com.oviva.gesundheitsid.util.JwsUtils.tamperSignature;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
+import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.JWSObject;
 import com.nimbusds.jose.Payload;
+import com.nimbusds.jose.jwk.Curve;
+import com.nimbusds.jose.jwk.ECKey;
 import com.nimbusds.jose.jwk.JWKSet;
-import com.oviva.gesundheitsid.test.ECKeyPairGenerator;
+import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
 import java.text.ParseException;
+import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
 class JwsVerifierTest {
 
-  private static ECKeyPair ECKEY = ECKeyPairGenerator.generate();
+  private static ECKey ECKEY;
+  private static JWKSet JWKS;
+
+  @BeforeAll
+  static void beforeAll() throws JOSEException {
+    ECKEY = new ECKeyGenerator(Curve.P_256).keyIDFromThumbprint(true).generate();
+    JWKS = new JWKSet(ECKEY);
+  }
 
   @Test
   void verifyEmptyJwks() {
@@ -38,36 +48,30 @@ void verifyNoJwks() {
   @Test
   void verify() throws ParseException {
 
-    var jwks = toJwks(ECKEY);
-
-    var jws = toJws(jwks, "hello world?").serialize();
+    var jws = toJws(ECKEY, "hello world?").serialize();
 
     var in = JWSObject.parse(jws);
 
-    assertTrue(JwsVerifier.verify(jwks, in));
+    assertTrue(JwsVerifier.verify(JWKS, in));
   }
 
   @Test
   void verifyBadSignature() throws ParseException {
 
-    var jwks = toJwks(ECKEY);
-
-    var jws = toJws(jwks, "test").serialize();
+    var jws = toJws(ECKEY, "test").serialize();
 
     jws = tamperSignature(jws);
 
     var in = JWSObject.parse(jws);
 
     // when & then
-    assertFalse(JwsVerifier.verify(jwks, in));
+    assertFalse(JwsVerifier.verify(JWKS, in));
   }
 
   @Test
-  void verifyUnknownKey() throws ParseException {
-
-    var trustedJwks = toJwks(ECKEY);
+  void verifyUnknownKey() throws ParseException, JOSEException {
 
-    var signerJwks = toJwks(ECKeyPairGenerator.generate());
+    var signerJwks = new ECKeyGenerator(Curve.P_256).generate();
 
     var jws = toJws(signerJwks, "test").serialize();
 
@@ -76,32 +80,29 @@ void verifyUnknownKey() throws ParseException {
     var in = JWSObject.parse(jws);
 
     // when & then
-    assertFalse(JwsVerifier.verify(trustedJwks, in));
+    assertFalse(JwsVerifier.verify(JWKS, in));
   }
 
   @Test
   void verifyGarbageSignature() throws ParseException {
-    var jwks = toJwks(ECKEY);
 
-    var jws = toJws(jwks, "test").serialize();
+    var jws = toJws(ECKEY, "test").serialize();
     jws = garbageSignature(jws);
 
     var in = JWSObject.parse(jws);
 
     // when & then
-    assertFalse(JwsVerifier.verify(jwks, in));
+    assertFalse(JwsVerifier.verify(JWKS, in));
   }
 
   @Test
   void verify_badAlg() {
 
-    var jwks = toJwks(ECKEY);
-
     var h = new JWSHeader(JWSAlgorithm.RS256);
     var in = new JWSObject(h, new Payload("hello?"));
 
     // when
-    var e = assertThrows(UnsupportedOperationException.class, () -> JwsVerifier.verify(jwks, in));
+    var e = assertThrows(UnsupportedOperationException.class, () -> JwsVerifier.verify(JWKS, in));
 
     // then
     assertEquals("only supports ES256, found: RS256", e.getMessage());