Expand Up @@ -20,6 +20,7 @@
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.stream.Stream;

import org.keycloak.OID4VCConstants;
import org.keycloak.VCFormat;
Expand All @@ -36,19 +37,24 @@
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.common.util.Time;
import org.keycloak.constants.OID4VCIConstants;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.events.EventType;
import org.keycloak.keys.KeyProvider;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oid4vc.issuance.OID4VCAuthorizationDetailsParser;
import org.keycloak.protocol.oid4vc.issuance.TimeProvider;
import org.keycloak.protocol.oid4vc.issuance.mappers.OID4VCGeneratedIdMapper;
import org.keycloak.protocol.oid4vc.issuance.mappers.OID4VCIssuedAtTimeClaimMapper;
import org.keycloak.protocol.oid4vc.model.CredentialScopeRepresentation;
import org.keycloak.protocol.oid4vc.model.CredentialSubject;
import org.keycloak.protocol.oid4vc.model.DisplayObject;
import org.keycloak.protocol.oid4vc.model.OID4VCAuthorizationDetail;
import org.keycloak.protocol.oid4vc.model.VerifiableCredential;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.ComponentRepresentation;
Expand Down Expand Up @@ -135,6 +141,7 @@ public abstract class OID4VCIssuerTestBase {
protected static final Instant TEST_EXPIRATION_DATE = Instant.ofEpochMilli(Time.currentTimeMillis())
.plus(365, ChronoUnit.DAYS)
.truncatedTo(ChronoUnit.SECONDS);
protected static final Instant TEST_ISSUANCE_DATE = Instant.ofEpochSecond(1000);

@InjectRealm(config = VCTestRealmConfig.class)
protected ManagedRealm testRealm;
Expand Down Expand Up @@ -208,6 +215,46 @@ void afterEachBase() {
driver.open("about:blank");
}

public static KeyWrapper getKeyFromSession(KeycloakSession keycloakSession) {
String realmName = keycloakSession.getContext().getRealm().getName();
Logger logger = Logger.getLogger(OID4VCIssuerTestBase.class);
KeyManager keyManager = keycloakSession.keys();
Stream<KeyWrapper> keyWrapperStream = keyManager
.getKeysStream(keycloakSession.getContext().getRealm(), KeyUse.SIG, Algorithm.RS256);
KeyWrapper kw = keyWrapperStream
.peek(k -> logger.warnf("THE KEY: %s - %s in realm %s", k.getKid(), k.getAlgorithm(), realmName))
.findFirst()
.orElseThrow(() -> new RuntimeException("No key was configured"));
logger.warnf("Kid is %s", kw.getKid());
return kw;
}

public static String getKeyIdFromSession(KeycloakSession keycloakSession) {
return getKeyFromSession(keycloakSession).getKid();
}

protected static CredentialSubject getCredentialSubject(Map<String, Object> claims) {
CredentialSubject credentialSubject = new CredentialSubject();
claims.forEach(credentialSubject::setClaims);
return credentialSubject;
}

protected static VerifiableCredential getTestCredential(Map<String, Object> claims) {

VerifiableCredential testCredential = new VerifiableCredential();
testCredential.setId(URI.create(String.format("uri:uuid:%s", UUID.randomUUID())));
testCredential.setContext(List.of(CONTEXT_URL));
testCredential.setType(TEST_TYPES);
testCredential.setIssuer(TEST_DID);
testCredential.setExpirationDate(TEST_EXPIRATION_DATE);
if (claims.containsKey("issuanceDate")) {
testCredential.setIssuanceDate((Instant) claims.get("issuanceDate"));
}

testCredential.setCredentialSubject(getCredentialSubject(claims));
return testCredential;
}

protected CredentialScopeRepresentation getCredentialScope(String scopeName) {
return testRealm.admin().clientScopes().findAll().stream()
.filter(it -> scopeName.equals(it.getName()))
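Review bot: `getKeyFromSession` logs every realm signing key at WARN level through a `peek` on the key stream (`THE KEY: %s - %s in realm %s`) and then logs the chosen kid a second time, which reads like debugging left behind in a shared test base and will fill the server log for every test that resolves a key. Suggest dropping the `peek` and demoting the remaining line to `logger.debugf("Using signing key %s for realm %s", kw.getKid(), realmName)`. Separately, `findFirst()` on the `KeyUse.SIG`/`Algorithm.RS256` stream makes the key under test depend on the realm's key ordering: when a test realm holds more than one active RS256 key (a generated default plus one a test installs), the kid returned may not be the one the test configured, so callers that care should match on a known provider/component id or expected kid instead. The `TEST_ISSUANCE_DATE` constant added in the earlier hunk is not referenced by anything visible in this page; if nothing else uses it, it is dead, and if the signer tests are meant to use it they currently hardcode their own `Instant`.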
Expand Up @@ -17,19 +17,11 @@

package org.keycloak.tests.oid4vc.issuance.credentialbuilder;

import java.net.URI;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.UUID;

import org.keycloak.crypto.AsymmetricSignatureSignerContext;
import org.keycloak.crypto.AsymmetricSignatureVerifierContext;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.SignatureSignerContext;
import org.keycloak.crypto.SignatureVerifierContext;
import org.keycloak.protocol.oid4vc.model.CredentialSubject;
import org.keycloak.protocol.oid4vc.model.VerifiableCredential;
import org.keycloak.tests.oid4vc.OID4VCIssuerTestBase;

/**
Expand All @@ -51,26 +43,4 @@ protected SignatureVerifierContext exampleVerifier() {
return new AsymmetricSignatureVerifierContext(keyWrapper);
}

protected static CredentialSubject getCredentialSubject(Map<String, Object> claims) {
CredentialSubject credentialSubject = new CredentialSubject();
claims.forEach(credentialSubject::setClaims);
return credentialSubject;
}

protected static VerifiableCredential getTestCredential(Map<String, Object> claims) {

VerifiableCredential testCredential = new VerifiableCredential();
testCredential.setId(URI.create(String.format("uri:uuid:%s", UUID.randomUUID())));
testCredential.setContext(List.of(CONTEXT_URL));
testCredential.setType(TEST_TYPES);
testCredential.setIssuer(TEST_DID);
testCredential.setExpirationDate(TEST_EXPIRATION_DATE);
if (claims.containsKey("issuanceDate")) {
testCredential.setIssuanceDate((Instant) claims.get("issuanceDate"));
}

testCredential.setCredentialSubject(getCredentialSubject(claims));
return testCredential;
}

}
Expand Up @@ -15,7 +15,7 @@
* limitations under the License.
*/

package org.keycloak.testsuite.oid4vc.issuance.signing;
package org.keycloak.tests.oid4vc.issuance.signing;

import java.security.PublicKey;
import java.time.Instant;
Expand All @@ -25,9 +25,9 @@
import java.util.UUID;

import org.keycloak.TokenVerifier;
import org.keycloak.admin.client.resource.ComponentsResource;
import org.keycloak.common.VerificationException;
import org.keycloak.common.crypto.CryptoIntegration;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.AsymmetricSignatureVerifierContext;
import org.keycloak.crypto.KeyWrapper;
Expand All @@ -43,122 +43,141 @@
import org.keycloak.protocol.oid4vc.model.CredentialSubject;
import org.keycloak.protocol.oid4vc.model.VerifiableCredential;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.runonserver.RunOnServerException;
import org.keycloak.testframework.annotations.KeycloakIntegrationTest;
import org.keycloak.testframework.annotations.TestSetup;
import org.keycloak.testframework.remote.runonserver.InjectRunOnServer;
import org.keycloak.testframework.remote.runonserver.RunOnServerClient;
import org.keycloak.tests.oid4vc.OID4VCIssuerTestBase;
import org.keycloak.util.JsonSerialization;

import org.jboss.logging.Logger;
import org.junit.Before;
import org.junit.Test;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.fail;


public class JwtCredentialSignerTest extends OID4VCTest {
@KeycloakIntegrationTest(config = OID4VCIssuerTestBase.VCTestServerConfig.class)
public class JwtCredentialSignerTest extends OID4VCIssuerTestBase {

private static final Logger LOGGER = Logger.getLogger(JwtCredentialSignerTest.class);
@InjectRunOnServer
RunOnServerClient runOnServer;

private static final KeyWrapper rsaKey = getRsaKey();

@Before
@BeforeEach
public void setup() {
CryptoIntegration.init(this.getClass().getClassLoader());
}

@Test(expected = CredentialSignerException.class)
@TestSetup
public void configureTestRealm() {
super.configureTestRealm();
ComponentsResource components = testRealm.admin().components();
components.add(getRsaKeyProvider(getRsaKey_Default())).close();
}


@Test
public void testUnsupportedCredentialBody() throws Throwable {
try {
getTestingClient()
.server(TEST_REALM_NAME)
.run(session -> new JwtCredentialSigner(session).signCredential(
new LDCredentialBody(getTestCredential(Map.of())),
new CredentialBuildConfig()
));
} catch (RunOnServerException ros) {
throw ros.getCause();
}
runOnServer.run(session -> {
assertThrows(
CredentialSignerException.class,
() -> {
new JwtCredentialSigner(session).signCredential(
new LDCredentialBody(getTestCredential(Map.of())),
new CredentialBuildConfig()
);
}
);
}
);
}

// If an unsupported algorithm is provided, signing should reliably fail.
@Test(expected = CredentialSignerException.class)
@Test
public void testUnsupportedAlgorithm() throws Throwable {
try {
getTestingClient()
.server(TEST_REALM_NAME)
.run(session ->
testSignJwtCredential(
session,
getKeyIdFromSession(session),
"unsupported-algorithm",
Map.of())
runOnServer.run(session -> {
assertThrows(
CredentialSignerException.class,
() -> {
testSignJwtCredential(
session,
getKeyIdFromSession(session),
"unsupported-algorithm",
Map.of()
);
}
);
} catch (RunOnServerException ros) {
throw ros.getCause();
}
}
);
}

// If an unknown key is provided, signing should reliably fail.
@Test(expected = CredentialSignerException.class)
@Test
public void testFailIfNoKey() throws Throwable {
try {
getTestingClient()
.server(TEST_REALM_NAME)
.run(session ->
testSignJwtCredential(
session,
"no-such-key",
Algorithm.RS256,
Map.of()));
} catch (RunOnServerException ros) {
throw ros.getCause();
}
runOnServer.run(session -> {
assertThrows(
CredentialSignerException.class,
() -> {
testSignJwtCredential(
session,
"no-such-key",
Algorithm.RS256,
Map.of()
);
}
);
}
);
}

// The provided credentials should be successfully signed as a JWT-VC.
@Test
public void testRsaSignedCredentialWithOutIssuanceDate() {
getTestingClient()
.server(TEST_REALM_NAME)
.run(session ->
testSignJwtCredential(
session,
getKeyIdFromSession(session),
Algorithm.RS256,
Map.of("id", String.format("uri:uuid:%s", UUID.randomUUID()),
"test", "test",
"arrayClaim", List.of("a", "b", "c"))));
public void testRsaSignedCredentialWithOutIssuanceDate() throws Exception {
runOnServer.run(session -> {
testSignJwtCredential(
session,
getKeyIdFromSession(session),
Algorithm.RS256,
Map.of("id", String.format("uri:uuid:%s", UUID.randomUUID()),
"test", "test",
"arrayClaim", List.of("a", "b", "c"))
);

}
);
}

@Test
public void testRsaSignedCredentialWithIssuanceDate() {
getTestingClient()
.server(TEST_REALM_NAME)
.run(session ->
testSignJwtCredential(
session,
getKeyIdFromSession(session),
Algorithm.RS256,
Map.of("id", String.format("uri:uuid:%s", UUID.randomUUID()),
"test", "test",
"arrayClaim", List.of("a", "b", "c"),
"issuanceDate", Instant.ofEpochSecond(10))));
runOnServer.run(session -> {
testSignJwtCredential(
session,
getKeyIdFromSession(session),
Algorithm.RS256,
Map.of("id", String.format("uri:uuid:%s", UUID.randomUUID()),
"test", "test",
"arrayClaim", List.of("a", "b", "c"),
"issuanceDate", Instant.ofEpochSecond(10))
);
}
);
}

@Test
public void testRsaSignedCredentialWithoutAdditionalClaims() {
getTestingClient()
.server(TEST_REALM_NAME)
.run(session ->
testSignJwtCredential(
session,
getKeyIdFromSession(session),
Algorithm.RS256,
Map.of()));
runOnServer.run(session -> {
testSignJwtCredential(
session,
getKeyIdFromSession(session),
Algorithm.RS256,
Map.of()
);
}
);
}


public static void testSignJwtCredential(
KeycloakSession session, String signingKeyId, String algorithm, Map<String, Object> claims) {
CredentialBuildConfig credentialBuildConfig = new CredentialBuildConfig()
Expand Down Expand Up @@ -240,16 +259,4 @@ public static void testSignJwtCredential(
}
}


@Override
public void configureTestRealm(RealmRepresentation testRealm) {
testRealm.setVerifiableCredentialsEnabled(true);

if (testRealm.getComponents() != null) {
testRealm.getComponents().add("org.keycloak.keys.KeyProvider", getRsaKeyProvider(rsaKey));
} else {
testRealm.setComponents(new MultivaluedHashMap<>(
Map.of("org.keycloak.keys.KeyProvider", List.of(getRsaKeyProvider(rsaKey)))));
}
}
}
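Review bot: `configureTestRealm` installs an RSA key provider with `components.add(getRsaKeyProvider(getRsaKey_Default())).close()` and throws away the created component id, while every positive test then picks its key via `getKeyIdFromSession(session)`, i.e. the first active RS256 SIG key in the realm; if the realm's default generated RSA key sorts ahead of the added provider, the tests sign with a key this class never set up, and the unchanged `rsaKey = getRsaKey()` field at the top of the class is no longer the key that is actually installed (it is unclear from this hunk whether anything still reads it). Consider keeping the created id from the `add` response (its `Location` header) or the installed key's kid and passing that to `testSignJwtCredential`, so the key under test is provably the one configured here. Minor: `testRsaSignedCredentialWithIssuanceDate` hardcodes `Instant.ofEpochSecond(10)` although this PR adds `TEST_ISSUANCE_DATE` to the base class, and the mixed `throws Throwable` / `throws Exception` / no-throws clauses on the test methods look like leftovers from the old `RunOnServerException` unwrapping now that the bodies throw nothing checked. The body of `testSignJwtCredential` continues outside the hunk.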