
Commit b97d789

committed
Update comments
1 parent b7f0863 commit b97d789


2 files changed

+82
-47
lines changed


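--- a/dev/com.ibm.ws.security.oidc.server_fat.jaxrs.config.commonTest/fat/src/com/ibm/ws/security/openidconnect/server/fat/jaxrs/config/noOP/NoOPEncryptionRSServerTests.java
+++ b/dev/com.ibm.ws.security.oidc.server_fat.jaxrs.config.commonTest/fat/src/com/ibm/ws/security/openidconnect/server/fat/jaxrs/config/noOP/NoOPEncryptionRSServerTests.java
@@ -822,9 +822,11 @@ public void NoOPEncryption1ServerTests_SignWithValidAlg_EncryptWithES512_DoNotDe
 public void NoOPEncryption1ServerTests_consumeTokenThatWasEncryptedUsingOtherContentEncryptionAlg() throws Exception {
 
 String rpEncryptAlg = testOPServer.getServer().isFIPS140_3EnabledAndSupported() ? Constants.SIGALG_ES256 : Constants.SIGALG_RS256;
+String keyManagementAlg = testOPServer.getServer().isFIPS140_3EnabledAndSupported() ? JwtConstants.KEY_MGMT_KEY_ALG_ES : JwtConstants.DEFAULT_KEY_MGMT_KEY_ALG;
 
 List<NameValuePair> parms = new ArrayList<NameValuePair>();
 parms.add(new NameValuePair(JwtConstants.PARAM_CONTENT_ENCRYPT_ALG, JwtConstants.CONTENT_ENCRYPT_ALG_192));
+parms.add(new NameValuePair(JwtConstants.PARAM_KEY_MGMT_ALG, keyManagementAlg));
 parms.add(new NameValuePair(JwtConstants.PARAM_ENCRYPT_KEY, JwtKeyTools.getComplexPublicKeyForSigAlg(testOPServer.getServer(), rpEncryptAlg)));
 
 genericEncryptTest(rpEncryptAlg, rpEncryptAlg, parms);
@@ -855,14 +857,14 @@ public void NoOPEncryption1ServerTests_consumeTokenThatWasEncryptedUsingOtherKey
 @Test
 public void NoOPEncryption1ServerTests_JWETypeNotJose() throws Exception {
 
-String encryptAlg = testOPServer.getServer().isFIPS140_3EnabledAndSupported() ? Constants.SIGALG_ES256 : Constants.SIGALG_RS256;
+String sigAlg = testOPServer.getServer().isFIPS140_3EnabledAndSupported() ? Constants.SIGALG_ES256 : Constants.SIGALG_RS256;
 String keyManagementAlg = testOPServer.getServer().isFIPS140_3EnabledAndSupported() ? JwtConstants.KEY_MGMT_KEY_ALG_ES : JwtConstants.DEFAULT_KEY_MGMT_KEY_ALG;
 
 // We're going to use a test JWT token builder to create a token that has "notJOSE" in the JWE header type field
 // the Liberty builder won't allow us to update that field, so, we need to peice a token together
-JWTTokenBuilder builder = tokenBuilderHelpers.populateAlternateJWEToken(JwtKeyTools.getPublicKeyFromPem(JwtKeyTools.getComplexPublicKeyForSigAlg(testOPServer.getServer(), encryptAlg)), keyManagementAlg);
+JWTTokenBuilder builder = tokenBuilderHelpers.populateAlternateJWEToken(JwtKeyTools.getPublicKeyFromPem(JwtKeyTools.getComplexPublicKeyForSigAlg(testOPServer.getServer(), sigAlg)), keyManagementAlg);
 builder.setIssuer("client01");
-builder.setAlorithmHeaderValue(encryptAlg);
+builder.setAlorithmHeaderValue(sigAlg);
 if (testOPServer.getServer().isFIPS140_3EnabledAndSupported()){
 builder.setECKey(testOPServer.getServer().getServerRoot() + "/ES256private-key-pkcs#8.pem");
 } else {
@@ -872,22 +874,22 @@ public void NoOPEncryption1ServerTests_JWETypeNotJose() throws Exception {
 // calling buildJWE will override the header contents
 String jwtToken = builder.buildJWE("notJOSE", "jwt");
 
-TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(encryptAlg));
+TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(sigAlg));
 positiveTest(updatedTestSettings, jwtToken);
 
 }
 
 @Test
 public void NoOPEncryption1ServerTests_JWEContentTypeNotJwt() throws Exception {
 
-String encryptAlg = testOPServer.getServer().isFIPS140_3EnabledAndSupported() ? Constants.SIGALG_ES256 : Constants.SIGALG_RS256;
+String sigAlg = testOPServer.getServer().isFIPS140_3EnabledAndSupported() ? Constants.SIGALG_ES256 : Constants.SIGALG_RS256;
 String keyManagementAlg = testOPServer.getServer().isFIPS140_3EnabledAndSupported() ? JwtConstants.KEY_MGMT_KEY_ALG_ES : JwtConstants.DEFAULT_KEY_MGMT_KEY_ALG;
 
 // We're going to use a test JWT token builder to create a token that has "not_jwt" in the JWE header content type field
 // the Liberty builder won't allow us to update that field, so, we need to peice a token together
-JWTTokenBuilder builder = tokenBuilderHelpers.populateAlternateJWEToken(JwtKeyTools.getPublicKeyFromPem(JwtKeyTools.getComplexPublicKeyForSigAlg(testOPServer.getServer(), encryptAlg)), keyManagementAlg);
+JWTTokenBuilder builder = tokenBuilderHelpers.populateAlternateJWEToken(JwtKeyTools.getPublicKeyFromPem(JwtKeyTools.getComplexPublicKeyForSigAlg(testOPServer.getServer(), sigAlg)), keyManagementAlg);
 builder.setIssuer("client01");
-builder.setAlorithmHeaderValue(encryptAlg);
+builder.setAlorithmHeaderValue(sigAlg);
 if (testOPServer.getServer().isFIPS140_3EnabledAndSupported()){
 builder.setECKey(testOPServer.getServer().getServerRoot() + "/ES256private-key-pkcs#8.pem");
 } else {
@@ -897,7 +899,7 @@ public void NoOPEncryption1ServerTests_JWEContentTypeNotJwt() throws Exception {
 // calling buildJWE will override the header contents
 String jwtToken = builder.buildJWE("JOSE", "not_jwt");
 
-TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(encryptAlg));
+TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(sigAlg));
 String[] msgs = new String[] { MessageConstants.CWWKS1737E_JWT_VALIDATION_FAILURE, MessageConstants.CWWKS6056E_ERROR_EXTRACTING_JWS_PAYLOAD_FROM_JWE, MessageConstants.CWWKS6057E_CTY_NOT_JWT_FOR_NESTED_JWS };
 
 negativeTest(updatedTestSettings, jwtToken, msgs);
@@ -913,17 +915,17 @@ public void NoOPEncryption1ServerTests_JWEContentTypeNotJwt() throws Exception {
 @Test
 public void NoOPEncryption1ServerTests_simpleJsonPayload() throws Exception {
 
-String encryptAlg = testOPServer.getServer().isFIPS140_3EnabledAndSupported() ? Constants.SIGALG_ES256 : Constants.SIGALG_RS256;
+String sigAlg = testOPServer.getServer().isFIPS140_3EnabledAndSupported() ? Constants.SIGALG_ES256 : Constants.SIGALG_RS256;
 String keyManagementAlg = testOPServer.getServer().isFIPS140_3EnabledAndSupported() ? JwtConstants.KEY_MGMT_KEY_ALG_ES : JwtConstants.DEFAULT_KEY_MGMT_KEY_ALG;
 
 List<NameValuePair> extraparms = new ArrayList<NameValuePair>();
 extraparms.add(new NameValuePair("token_src", "alternate JWE builder"));
 extraparms.add(new NameValuePair(JwtConstants.PARAM_KEY_MGMT_ALG, JwtConstants.KEY_MGMT_KEY_ALG_ES));
 
 // build a jwt token whose payload contains only json data - make sure that we do not allow this format (it's not supported at this time)
-String jwtToken = tokenBuilderHelpers.buildAlternatePayloadJWEToken(JwtKeyTools.getPublicKeyFromPem(JwtKeyTools.getComplexPublicKeyForSigAlg(testOPServer.getServer(), encryptAlg)), keyManagementAlg, extraparms);
+String jwtToken = tokenBuilderHelpers.buildAlternatePayloadJWEToken(JwtKeyTools.getPublicKeyFromPem(JwtKeyTools.getComplexPublicKeyForSigAlg(testOPServer.getServer(), sigAlg)), keyManagementAlg, extraparms);
 
-TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(encryptAlg));
+TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(sigAlg));
 String[] msgs = new String[] { MessageConstants.CWWKS1737E_JWT_VALIDATION_FAILURE, MessageConstants.CWWKS6065E_NESTED_JWS_REQUIRED_BUT_NOT_FOUND };
 
 negativeTest(updatedTestSettings, jwtToken, msgs);
@@ -1048,14 +1050,21 @@ public void NoOPEncryption1ServerTests_RStrustStoreRefOmitted_ECDH_ES() throws E
 
 }
 
+/**
+* RSA-OAEP JWE Structure Validation Tests
+* Validates the Social Client's ability to properly validate the structure of JWE
+* (JSON Web Encryption) that use RSA-OAEP as the key management algorithm.
+* The tests validates each aspect of the 5 part JWE structure (JOSE Header, Encrypted Key, IV, Ciphertext, Auth tag)
+*/
+
 /**
 * Test that the RS detects that the JWE is invalid as it has too many parts (6) (one of which is completely invalid)
 *
 * @throws Exception
 */
 @Test
 @SkipJavaSemeruWithFipsEnabledRule
-public void OidcClientEncryptionTests_JWETooManyParts_RSA_OAEP() throws Exception {
+public void OidcClientEncryptionTests_JWETooManyParts_encryption_RSA_OAEP() throws Exception {
 
 String jwtToken = createTokenWithSubject("SignRS256EncryptRS256Builder") + "." + badTokenSegment;
 
@@ -1073,7 +1082,7 @@ public void OidcClientEncryptionTests_JWETooManyParts_RSA_OAEP() throws Exceptio
 */
 @Test
 @SkipJavaSemeruWithFipsEnabledRule
-public void OidcClientEncryptionTests_JWETooFewParts_RSA_OAEP() throws Exception {
+public void OidcClientEncryptionTests_JWETooFewParts_encryption_RSA_OAEP() throws Exception {
 
 String jwtToken = createTokenWithSubject("SignRS256EncryptRS256Builder");
 String badJweToken = jwtToken.substring(0, jwtToken.lastIndexOf(".") - 1);
@@ -1092,7 +1101,7 @@ public void OidcClientEncryptionTests_JWETooFewParts_RSA_OAEP() throws Exception
 */
 @Test
 @SkipJavaSemeruWithFipsEnabledRule
-public void OidcClientEncryptionTests_JWE_Part1_isInvalid_RSA_OAEP() throws Exception {
+public void OidcClientEncryptionTests_JWE_Part1_isInvalid_encryption_RSA_OAEP() throws Exception {
 
 TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(Constants.SIGALG_RS256));
 
@@ -1108,7 +1117,7 @@ public void OidcClientEncryptionTests_JWE_Part1_isInvalid_RSA_OAEP() throws Exce
 */
 @Test
 @SkipJavaSemeruWithFipsEnabledRule
-public void OidcClientEncryptionTests_JWE_Part2_isInvalid_RSA_OAEP() throws Exception {
+public void OidcClientEncryptionTests_JWE_Part2_isInvalid_encryption_RSA_OAEP() throws Exception {
 
 TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(Constants.SIGALG_RS256));
 
@@ -1124,7 +1133,7 @@ public void OidcClientEncryptionTests_JWE_Part2_isInvalid_RSA_OAEP() throws Exce
 */
 @Test
 @SkipJavaSemeruWithFipsEnabledRule
-public void OidcClientEncryptionTests_JWE_Par3_isInvalid_RSA_OAEP() throws Exception {
+public void OidcClientEncryptionTests_JWE_Par3_isInvalid_encryption_RSA_OAEP() throws Exception {
 
 TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(Constants.SIGALG_RS256));
 
@@ -1140,7 +1149,7 @@ public void OidcClientEncryptionTests_JWE_Par3_isInvalid_RSA_OAEP() throws Excep
 */
 @Test
 @SkipJavaSemeruWithFipsEnabledRule
-public void OidcClientEncryptionTests_JWE_Part4_isInvalid_RSA_OAEP() throws Exception {
+public void OidcClientEncryptionTests_JWE_Part4_isInvalid_encryption_RSA_OAEP() throws Exception {
 
 TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(Constants.SIGALG_RS256));
 
@@ -1156,7 +1165,7 @@ public void OidcClientEncryptionTests_JWE_Part4_isInvalid_RSA_OAEP() throws Exce
 */
 @Test
 @SkipJavaSemeruWithFipsEnabledRule
-public void OidcClientEncryptionTests_JWE_Part5_isInvalid_RSA_OAEP() throws Exception {
+public void OidcClientEncryptionTests_JWE_Part5_isInvalid_encryption_RSA_OAEP() throws Exception {
 
 TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(Constants.SIGALG_RS256));
 
@@ -1165,13 +1174,21 @@ public void OidcClientEncryptionTests_JWE_Part5_isInvalid_RSA_OAEP() throws Exce
 
 }
 
+/**
+* ECDH-ES JWE Structure Validation Tests
+* Validates the Social Client's ability to properly validate the structure of JWE
+* (JSON Web Encryption) that use ECDH-ES as the key management algorithm.
+* Unlike the RSA-OAEP tests, there is no specific test for Part 2 (Encrypted Key) in the ECDH-ES
+* tests, as ECDH-ES uses direct key agreement (not requiring and effectively ignoring part 2 of the JWE).
+*/
+
 /**
 * Test that the RS detects that the JWE is invalid as it has too many parts (6) (one of which is completely invalid)
 *
 * @throws Exception
 */
 @Test
-public void OidcClientEncryptionTests_JWETooManyParts_ECDH_ES() throws Exception {
+public void OidcClientEncryptionTests_JWETooManyParts_encryption_ECDH_ES() throws Exception {
 
 String jwtToken = createTokenWithSubject("SignES256EncryptES256Builder") + "." + badTokenSegment;
 
@@ -1188,7 +1205,7 @@ public void OidcClientEncryptionTests_JWETooManyParts_ECDH_ES() throws Exception
 * @throws Exception
 */
 @Test
-public void OidcClientEncryptionTests_JWETooFewParts_ECDH_ES() throws Exception {
+public void OidcClientEncryptionTests_JWETooFewParts_encryption_ECDH_ES() throws Exception {
 
 String jwtToken = createTokenWithSubject("SignES256EncryptES256Builder");
 String badJweToken = jwtToken.substring(0, jwtToken.lastIndexOf(".") - 1);
@@ -1206,7 +1223,7 @@ public void OidcClientEncryptionTests_JWETooFewParts_ECDH_ES() throws Exception
 * @throws Exception
 */
 @Test
-public void OidcClientEncryptionTests_JWE_Part1_isInvalid_ECDH_ES() throws Exception {
+public void OidcClientEncryptionTests_JWE_Part1_isInvalid_encryption_ECDH_ES() throws Exception {
 
 TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(Constants.SIGALG_ES256));
 
@@ -1221,7 +1238,7 @@ public void OidcClientEncryptionTests_JWE_Part1_isInvalid_ECDH_ES() throws Excep
 * @throws Exception
 */
 @Test
-public void OidcClientEncryptionTests_JWE_Par3_isInvalid_ECDH_ES() throws Exception {
+public void OidcClientEncryptionTests_JWE_Par3_isInvalid_encryption_ECDH_ES() throws Exception {
 
 TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(Constants.SIGALG_ES256));
 
@@ -1236,7 +1253,7 @@ public void OidcClientEncryptionTests_JWE_Par3_isInvalid_ECDH_ES() throws Except
 * @throws Exception
 */
 @Test
-public void OidcClientEncryptionTests_JWE_Part4_isInvalid_ECDH_ES() throws Exception {
+public void OidcClientEncryptionTests_JWE_Part4_isInvalid_encryption_ECDH_ES() throws Exception {
 
 TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(Constants.SIGALG_ES256));
 
@@ -1251,7 +1268,7 @@ public void OidcClientEncryptionTests_JWE_Part4_isInvalid_ECDH_ES() throws Excep
 * @throws Exception
 */
 @Test
-public void OidcClientEncryptionTests_JWE_Part5_isInvalid_ECDH_ES() throws Exception {
+public void OidcClientEncryptionTests_JWE_Part5_isInvalid_encryption_ECDH_ES() throws Exception {
 
 TestSettings updatedTestSettings = rsTools.updateRSProtectedResource(testSettings, setAppName(Constants.SIGALG_ES256));
 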
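Review bot: The block comment added ahead of `OidcClientEncryptionTests_JWETooManyParts_encryption_ECDH_ES` (new lines 1177-1183) reads as if a non-empty part 2 is simply ignored for ECDH-ES, which documents a validation gap instead of testing it. RFC 7516 section 5.2 has the recipient verify that the JWE Encrypted Key is an empty octet sequence when direct key agreement is used, so a token whose second segment carries data should be rejected, and a negative test for that case would pin the behaviour. If leaving it untested is intentional, the comment should say so, for example `* No Part 2 test yet: with ECDH-ES the Encrypted Key must be empty; rejection of a non-empty value is not covered here.` Both new block comments also name the "Social Client" although the class is NoOPEncryptionRSServerTests and the per-test Javadoc says "the RS detects", so the wording looks carried over from another suite and should name the resource server.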