v5.0.3

README.md

@@ -3,24 +3,32 @@
 Project **gemSekIdp-global** consists of 2 subprojects. These are:
 
 * **gsi-server:** "gematik sektoraler IDP" - MVP of a sectoral IDP, used to develop/test the gsi-testsuite
-* **gsi-testsuite:** Approval test suite (Zulassungstests) for sectoral IDPs
+* **gsi-testsuite:** Approval test suite (Zulassungstests) for sectoral IDPs, will be executed as integration tests
 
   <br>
 
-### build project and run unit tests
+### just build project
 
 To quickly check your build environment without running any tests (just build idp sektoral server and testsuite) do in
 project root:
 
 `mvn clean package -Dskip.unittests`
 
-To execute unittests you have to set the environment variable where the tiger test framework find its configuration:
+### build project and run unit tests (skip integration tests == skip testsuite execution)
+
+`mvn clean test -Dskip.inttests`
+
+### build project and run integration tests (unit tests will be executed as well as long as they are not skipped)
+
+To execute integration tests you have to set the environment variable where the tiger test framework find its configuration:
 
 `export TIGER_TESTENV_CFGFILE=tiger-external-Idp.yaml`
 `mvn test`
 
 In order to run the integration tests (= testsuite) follow the instruction listed under "Test an external sectoral IDP".
 
+The key `gsi-server/src/main/resources/keys/ref-es-sig-privkey.pem` can be published and was therefore added for unit tests.
+
 ### Test an external sectoral IDP (e.g. your own server)
 
 - To check test environment, the gsi-server can be used. Just build/start this server and
@@ -34,3 +42,14 @@ In order to run the integration tests (= testsuite) follow the instruction liste
 
 - find your generated report (at the end of integration tests)
   here:  [gsi-testsuite/target/site/serenity/index.html](gsi-testsuite/target/site/serenity/index.html)
+
+### run gsi-server locally
+
+- check entity statement:
+  `curl http://localhost:8085/.well-known/openid-federation`
+  will produce a jwt like this:
+
+> **_entity statement:_** `
+eyJhbGciOiJFUzI1NiIsInR5cCI6ImVudGl0eS1zdGF0ZW1lbnQrand0Iiwia2lkIjoicHVrX2lkcF9zaWcifQ.eyJpc3MiOiJodHRwczovL2dzaS5kZXYuZ2VtYXRpay5zb2x1dGlvbnMiLCJzdWIiOiJodHRwczovL2dzaS5kZXYuZ2VtYXRpay5zb2x1dGlvbnMiLCJpYXQiOjE3MDY3OTA1MjEsImV4cCI6MTcwNzM5NTMyMSwiandrcyI6eyJrZXlzIjpbeyJ1c2UiOiJzaWciLCJraWQiOiJwdWtfaWRwX3NpZyIsImt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiTXE5MzNGVF9WOHhkMVRrZkIwcEgwMmQ2Y3gyYm1VUy1ieEh1QnRBMXlmcyIsInkiOiI1dXdmOHBoVWJXSWk5MkNxZ2dsTTk0ZnQtRkM0TUhIODM2a2hzd282cHBvIiwiYWxnIjoiRVMyNTYifSx7InVzZSI6InNpZyIsImtpZCI6InB1a19mZWRfaWRwX3Rva2VuIiwia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJNcTkzM0ZUX1Y4eGQxVGtmQjBwSDAyZDZjeDJibVVTLWJ4SHVCdEExeWZzIiwieSI6IjV1d2Y4cGhVYldJaTkyQ3FnZ2xNOTRmdC1GQzRNSEg4MzZraHN3bzZwcG8iLCJhbGciOiJFUzI1NiJ9XX0sImF1dGhvcml0eV9oaW50cyI6WyJodHRwczovL2FwcC10ZXN0LmZlZGVyYXRpb25tYXN0ZXIuZGUiXSwibWV0YWRhdGEiOnsib3BlbmlkX3Byb3ZpZGVyIjp7Imlzc3VlciI6Imh0dHBzOi8vZ3NpLmRldi5nZW1hdGlrLnNvbHV0aW9ucyIsInNpZ25lZF9qd2tzX3VyaSI6Imh0dHBzOi8vZ3NpLmRldi5nZW1hdGlrLnNvbHV0aW9ucy9qd3MuanNvbiIsIm9yZ2FuaXphdGlvbl9uYW1lIjoiZ2VtYXRpayBzZWt0b3JhbGVyIElEUCIsImxvZ29fdXJpIjoiaHR0cHM6Ly9nc2kuZGV2LmdlbWF0aWsuc29sdXRpb25zL25vTG9nb1lldCIsImF1dGhvcml6YXRpb25fZW5kcG9pbnQiOiJodHRwczovL2dzaS5kZXYuZ2VtYXRpay5zb2x1dGlvbnMvYXV0aCIsInRva2VuX2VuZHBvaW50IjoiaHR0cHM6Ly9nc2kuZGV2LmdlbWF0aWsuc29sdXRpb25zL3Rva2VuIiwicHVzaGVkX2F1dGhvcml6YXRpb25fcmVxdWVzdF9lbmRwb2ludCI6Imh0dHBzOi8vZ3NpLmRldi5nZW1hdGlrLnNvbHV0aW9ucy9QQVJfQXV0aCIsImNsaWVudF9yZWdpc3RyYXRpb25fdHlwZXNfc3VwcG9ydGVkIjpbImF1dG9tYXRpYyJdLCJzdWJqZWN0X3R5cGVzX3N1cHBvcnRlZCI6WyJwYWlyd2lzZSJdLCJyZXNwb25zZV90eXBlc19zdXBwb3J0ZWQiOlsiY29kZSJdLCJzY29wZXNfc3VwcG9ydGVkIjpbInVybjp0ZWxlbWF0aWs6Z2VzY2hsZWNodCIsIm9wZW5pZCIsInVybjp0ZWxlbWF0aWs6ZGlzcGxheV9uYW1lIiwidXJuOnRlbGVtYXRpazp2ZXJzaWNoZXJ0ZXIiLCJ1cm46dGVsZW1hdGlrOmVtYWlsIiwidXJuOnRlbGVtYXRpazphbHRlciIsInVybjp0ZWxlbWF0aWs6Z2VidXJ0c2RhdHVtIiwidXJuOnRlbGVtYXRpazpnaXZlbl9uYW1lIl0sInJlc3BvbnNlX21vZGVzX3N1cHBvcnRlZCI6WyJxdWVyeSJdLCJncmFudF90eXBlc19zdXBwb3J0ZWQiOlsiYXV0aG9yaXphdGlvbl9jb2RlIl0sInJlcXVpcmVfcHVzaGVkX2F1dGhvcml6YXRpb25fcmVxdWVzdHMiOnRydWUsInRva2VuX2VuZHBvaW50X2F1dGhfbWV0aG9kc19zdXBwb3J0ZWQiOlsic2VsZl9zaWduZWRfdGxzX2NsaWVudF9hdXRoIl0sInJlcXVlc3RfYXV0aGVudGljYXRpb25fbWV0aG9kc19zdXBwb3J0ZWQiOnsiYXIiOlsibm9uZSJdLCJwYXIiOlsic2VsZl9zaWduZWRfdGxzX2NsaWVudF9hdXRoIl19LCJpZF90b2tlbl9zaWduaW5nX2FsZ192YWx1ZXNfc3VwcG9ydGVkIjpbIkVTMjU2Il0sImlkX3Rva2VuX2VuY3J5cHRpb25fYWxnX3ZhbHVlc19zdXBwb3J0ZWQiOlsiRUNESC1FUyJdLCJpZF90b2tlbl9lbmNyeXB0aW9uX2VuY192YWx1ZXNfc3VwcG9ydGVkIjpbIkEyNTZHQ00iXSwidXNlcl90eXBlX3N1cHBvcnRlZCI6WyJJUCJdfSwiZmVkZXJhdGlvbl9lbnRpdHkiOnsibmFtZSI6ImdlbWF0aWsgc2VrdG9yYWxlciBJRFAiLCJjb250YWN0cyI6WyJzdXBwb3J0QGlkcDQ3MTEuZGUiLCJpZG1AZ2VtYXRpay5kZSJdLCJob21lcGFnZV91cmkiOiJodHRwczovL2lkcDQ3MTEuZGUifX19.RLW70R4rsmf_4m98pJIDpEWaKImK3QKv2MBRGiL8ImREJv_8srz-niYe5ObxMAJ4mOw1cy3OYkWaDfyY-eeMnw`
+
+Copy this jwt to the clipboard and paste it www.jwt.io to see the content.

ReleaseNotes.md

@@ -1,3 +1,11 @@
+# Release 5.0.3
+
+- refactor key handling, use PrivateKey instead of p12 container when certificate is not required
+- add testcase
+- switch to docker base image eclipse-temurin:17-jre
+- rename docker image
+- update dependencies
+
 # Release 4.0.1
 
 -add test identities

gsi-coverage-report/pom.xml

@@ -6,7 +6,7 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>gemSekIdp-global</artifactId>
-    <version>4.0.1</version>
+    <version>5.0.3</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 

gsi-server/pom.xml

@@ -7,13 +7,13 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>gemSekIdp-global</artifactId>
-    <version>4.0.1</version>
+    <version>5.0.3</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 
 
   <artifactId>gsi-server</artifactId>
-  <version>4.0.1</version>
+  <version>5.0.3</version>
   <packaging>jar</packaging>
 
   <name>gsi-server</name>
@@ -27,9 +27,7 @@
     <dependency>
       <groupId>org.projectlombok</groupId>
       <artifactId>lombok</artifactId>
-      <scope>provided</scope>
     </dependency>
-
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-actuator</artifactId>
@@ -58,7 +56,7 @@
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-core</artifactId>
-      <version>5.8.0</version>
+      <version>5.11.0</version>
     </dependency>
     <dependency>
       <groupId>org.mock-server</groupId>
@@ -109,12 +107,12 @@
     <dependency>
       <groupId>com.google.zxing</groupId>
       <artifactId>core</artifactId>
-      <version>3.5.2</version>
+      <version>3.5.3</version>
     </dependency>
     <dependency>
       <groupId>com.google.zxing</groupId>
       <artifactId>javase</artifactId>
-      <version>3.5.2</version>
+      <version>3.5.3</version>
     </dependency>
   </dependencies>
 

gsi-server/src/main/docker/Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:17.0.4.1_1-jre
+FROM eclipse-temurin:17-jre
 
 ARG COMMIT_HASH
 ARG VERSION

gsi-server/src/main/java/de/gematik/idp/gsi/server/KeyConfiguration.java

@@ -17,21 +17,23 @@
 package de.gematik.idp.gsi.server;
 
 import de.gematik.idp.authentication.IdpJwtProcessor;
-import de.gematik.idp.crypto.CryptoLoader;
+import de.gematik.idp.crypto.KeyUtility;
 import de.gematik.idp.crypto.model.PkiIdentity;
 import de.gematik.idp.data.FederationPrivKey;
+import de.gematik.idp.data.FederationPubKey;
 import de.gematik.idp.data.KeyConfig;
 import de.gematik.idp.data.KeyConfigurationBase;
+import de.gematik.idp.file.ResourceReader;
 import de.gematik.idp.gsi.server.configuration.GsiConfiguration;
 import de.gematik.idp.gsi.server.exceptions.GsiException;
 import java.io.IOException;
-import java.io.InputStream;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.util.Optional;
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.core.io.Resource;
 import org.springframework.core.io.ResourceLoader;
-import org.springframework.util.StreamUtils;
 
 @Configuration
 @RequiredArgsConstructor
@@ -41,31 +43,75 @@ public class KeyConfiguration implements KeyConfigurationBase {
   private final GsiConfiguration gsiConfiguration;
 
   @Bean
-  public FederationPrivKey esSigKey() {
-    return getFederationPrivKey(gsiConfiguration.getEsSigKeyConfig());
+  public FederationPrivKey esSigPrivKey() {
+    return getFederationPrivKey(gsiConfiguration.getEsSigPrivKeyConfig());
   }
 
   @Bean
-  public FederationPrivKey tokenSigKey() {
-    return getFederationPrivKey(gsiConfiguration.getTokenSigKeyConfig());
+  public FederationPubKey esSigPubKey() {
+    return getFederationPubkey(gsiConfiguration.getEsSigPubKeyConfig());
   }
 
   @Bean
-  public IdpJwtProcessor jwtProcessorEsSigKey() {
-    return new IdpJwtProcessor(esSigKey().getIdentity(), esSigKey().getKeyId());
+  public FederationPrivKey tokenSigPrivKey() {
+    return getFederationPrivKey(gsiConfiguration.getTokenSigPrivKeyConfig());
   }
 
   @Bean
-  public IdpJwtProcessor jwtProcessorTokenSigKey() {
-    return new IdpJwtProcessor(tokenSigKey().getIdentity(), tokenSigKey().getKeyId());
+  public FederationPubKey tokenSigPubKey() {
+    return getFederationPubkey(gsiConfiguration.getTokenSigPubKeyConfig());
+  }
+
+  @Bean
+  public IdpJwtProcessor jwtProcessorEsSigPrivKey() {
+    return new IdpJwtProcessor(
+        esSigPrivKey().getIdentity().getPrivateKey(), esSigPrivKey().getKeyId());
+  }
+
+  @Bean
+  public IdpJwtProcessor jwtProcessorTokenSigPrivKey() {
+    return new IdpJwtProcessor(
+        tokenSigPrivKey().getIdentity().getPrivateKey(), tokenSigPrivKey().getKeyId());
+  }
+
+  @Bean
+  public PublicKey fedmasterSigKey() throws IOException {
+    return KeyUtility.readX509PublicKey(
+        ResourceReader.getFileFromResourceAsTmpFile(
+            gsiConfiguration.getFedmasterSigPubKeyFilePath()));
   }
 
   private FederationPrivKey getFederationPrivKey(final KeyConfig keyConfiguration) {
-    final Resource resource = resourceLoader.getResource(keyConfiguration.getFileName());
-    try (final InputStream inputStream = resource.getInputStream()) {
-      final PkiIdentity pkiIdentity =
-          CryptoLoader.getIdentityFromP12(StreamUtils.copyToByteArray(inputStream), "00");
-      return getFederationPrivKey(keyConfiguration, pkiIdentity);
+    try {
+      final PrivateKey privateKey =
+          KeyUtility.readX509PrivateKeyPlain(
+              ResourceReader.getFileFromResourceAsTmpFile(keyConfiguration.getFileName()));
+      final PkiIdentity pkiIdentity = new PkiIdentity();
+      pkiIdentity.setPrivateKey(privateKey);
+      final FederationPrivKey federationPrivKey = new FederationPrivKey(pkiIdentity);
+      federationPrivKey.setKeyId(keyConfiguration.getKeyId());
+      federationPrivKey.setUse(Optional.of(keyConfiguration.getUse()));
+      federationPrivKey.setAddX5c(Optional.of(keyConfiguration.isX5cInJwks()));
+      return federationPrivKey;
+    } catch (final IOException e) {
+      throw new GsiException(
+          "Error while loading Gsi-Server Key from resource '"
+              + keyConfiguration.getFileName()
+              + "'",
+          e);
+    }
+  }
+
+  private FederationPubKey getFederationPubkey(final KeyConfig keyConfiguration) {
+    try {
+      final PublicKey publicKey =
+          KeyUtility.readX509PublicKey(
+              ResourceReader.getFileFromResourceAsTmpFile(keyConfiguration.getFileName()));
+      final FederationPubKey federationPubKey = new FederationPubKey();
+      federationPubKey.setPublicKey(Optional.ofNullable(publicKey));
+      federationPubKey.setKeyId(keyConfiguration.getKeyId());
+      federationPubKey.setUse(Optional.of(keyConfiguration.getUse()));
+      return federationPubKey;
     } catch (final IOException e) {
       throw new GsiException(
           "Error while loading Gsi-Server Key from resource '"

gsi-server/src/main/java/de/gematik/idp/gsi/server/configuration/GsiConfiguration.java

@@ -36,7 +36,10 @@ public class GsiConfiguration {
 
   private String serverUrl;
   private String fedmasterUrl;
-  private KeyConfig esSigKeyConfig;
-  private KeyConfig tokenSigKeyConfig;
+  private String fedmasterSigPubKeyFilePath;
+  private KeyConfig esSigPrivKeyConfig;
+  private KeyConfig esSigPubKeyConfig;
+  private KeyConfig tokenSigPrivKeyConfig;
+  private KeyConfig tokenSigPubKeyConfig;
   private String loglevel;
 }