v5.0.1

gematik · Jan 8, 2025 · 0e08210 · 0e08210
1 parent b5aed74
commit 0e08210
Show file tree

Hide file tree

Showing 31 changed files with 438 additions and 208 deletions.
diff --git a/README.md b/README.md
@@ -28,6 +28,11 @@ Assume the entity statement to be tested is under
   of your entity statement (i.e.*oidc/.well-known/openid-federation*)
 * open a shell and enter
 
+The keys
+`gra-server/src/main/resources/keys/ref-privkey.pem`
+`gra-server/src/main/resources/keys/ref-privkey-rotation.pem`
+are added for unit tests only and can be published.
+
 ```bash
 export TIGER_TESTENV_CFGFILE=tiger-external.yaml
 mvn clean verify -Dskip.unittests=true -Dcucumber.filter.tags="@EntityStatement or @SignedJwks"

diff --git a/ReleaseNotes.md b/ReleaseNotes.md
@@ -1,3 +1,13 @@
+# Release 5.0.1
+
+- Java 21
+- switch to docker base image eclipse-temurin:21-jre
+- update dependencies
+- set values for acr/amr in auth code to values from id token
+- add another tls cert in signed_jwks for key rotation
+- change ttl of entity statement to 2 hours
+- read sig key from signed_jwks
+
 # Release 4.1.2
 
 - update dependencies

diff --git a/gra-coverage-report/pom.xml b/gra-coverage-report/pom.xml
@@ -6,7 +6,7 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>gras-global</artifactId>
-    <version>4.1.2</version>
+    <version>5.0.1</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 

diff --git a/gra-server/pom.xml b/gra-server/pom.xml
@@ -8,11 +8,11 @@
     <artifactId>gras-global</artifactId>
     <groupId>de.gematik.idp</groupId>
     <relativePath>../pom.xml</relativePath>
-    <version>4.1.2</version>
+    <version>5.0.1</version>
   </parent>
 
   <artifactId>gra-server</artifactId>
-  <version>4.1.2</version>
+  <version>5.0.1</version>
   <packaging>jar</packaging>
 
   <name>gra-server</name>
@@ -50,18 +50,30 @@
       <artifactId>spring-boot-starter-test</artifactId>
       <groupId>org.springframework.boot</groupId>
       <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.mockito</groupId>
+          <artifactId>mockito-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <artifactId>mockito-core</artifactId>
       <groupId>org.mockito</groupId>
-      <version>5.12.0</version>
+      <version>5.15.2</version>
       <scope>test</scope>
     </dependency>
     <dependency>
       <artifactId>mockserver-spring-test-listener</artifactId>
       <groupId>org.mock-server</groupId>
       <version>5.15.0</version>
       <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>bcprov-jdk18on</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <artifactId>idp-commons</artifactId>
@@ -76,9 +88,22 @@
       <groupId>org.springframework</groupId>
     </dependency>
     <dependency>
-      <artifactId>unirest-java</artifactId>
+      <artifactId>unirest-java-core</artifactId>
       <groupId>com.konghq</groupId>
     </dependency>
+    <!-- https://mvnrepository.com/artifact/org.apache.httpcomponents.core5/httpcore5 -->
+    <dependency>
+      <groupId>org.apache.httpcomponents.core5</groupId>
+      <artifactId>httpcore5</artifactId>
+      <version>${version.httpcore5}</version>
+    </dependency>
+    <!-- https://mvnrepository.com/artifact/com.google.code.gson/gson -->
+    <dependency>
+      <groupId>com.google.code.gson</groupId>
+      <artifactId>gson</artifactId>
+      <version>2.11.0</version>
+    </dependency>
+
     <dependency>
       <artifactId>jakarta.validation-api</artifactId>
       <groupId>jakarta.validation</groupId>

diff --git a/gra-server/src/main/docker/Dockerfile b/gra-server/src/main/docker/Dockerfile
@@ -1,4 +1,4 @@
-FROM eclipse-temurin:17-jre
+FROM eclipse-temurin:21-jre
 
 ARG COMMIT_HASH
 ARG VERSION

diff --git a/gra-server/src/main/java/de/gematik/idp/graserver/GraServer.java b/gra-server/src/main/java/de/gematik/idp/graserver/GraServer.java
@@ -19,6 +19,8 @@
 import de.gematik.idp.graserver.configuration.FdAuthServerConfiguration;
 import jakarta.annotation.PostConstruct;
 import java.security.Security;
+import javax.net.ssl.SSLContext;
+import kong.unirest.core.Unirest;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.logging.log4j.core.LoggerContext;
@@ -46,9 +48,10 @@ public static void main(final String[] args) {
   }
 
   private final FdAuthServerConfiguration fdAuthServerConfiguration;
+  private final SSLContext sslContext;
 
   @PostConstruct
-  public void setGrasLogLevel() {
+  public void init() {
     final String loglevel = fdAuthServerConfiguration.getLoglevel();
     final String loggerServer = "de.gematik.idp.graserver";
     final String loggerRequests = "org.springframework.web.filter.CommonsRequestLoggingFilter";
@@ -59,6 +62,9 @@ public void setGrasLogLevel() {
     final LoggerContext loggerContext =
         LoggerContext.getContext(StackLocatorUtil.getCallerClassLoader(2), false, null);
     log.info("loglevel: {}", loggerContext.getLogger(loggerServer).getLevel());
+
+    Unirest.config().reset();
+    Unirest.config().sslContext(sslContext);
   }
 
   @Bean

diff --git a/gra-server/src/main/java/de/gematik/idp/graserver/KeyConfiguration.java b/gra-server/src/main/java/de/gematik/idp/graserver/KeyConfiguration.java
@@ -45,6 +45,7 @@
 @Configuration
 @RequiredArgsConstructor
 public class KeyConfiguration implements KeyConfigurationBase {
+
   private final ResourceLoader resourceLoader;
 
   private final FdAuthServerConfiguration fdAuthServerConfiguration;
@@ -79,6 +80,12 @@ public FederationPubKey tlsClientPubKey() {
     return getFederationPubKeyFromP12(fdAuthServerConfiguration.getTlsClientPrivKeyConfig());
   }
 
+  @Bean
+  public FederationPubKey tlsClientPubKeyRotation() {
+    return getFederationPubKeyFromP12(
+        fdAuthServerConfiguration.getTlsClientPrivKeyRotationConfig());
+  }
+
   @Bean
   public FederationPrivKey encPrivKey() {
     return getFederationPrivKey(fdAuthServerConfiguration.getEncPrivKeyConfig());

diff --git a/gra-server/src/main/java/de/gematik/idp/graserver/ServerUrlService.java b/gra-server/src/main/java/de/gematik/idp/graserver/ServerUrlService.java
@@ -22,8 +22,8 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
-import kong.unirest.HttpResponse;
-import kong.unirest.Unirest;
+import kong.unirest.core.HttpResponse;
+import kong.unirest.core.Unirest;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
@@ -94,4 +94,16 @@ private Optional<String> getServerUrlFromConfig() {
     return Optional.ofNullable(fdAuthServerConfiguration.getServerUrl())
         .filter(StringUtils::isNotBlank);
   }
+
+    public Optional<String> determineSignedJwksUri(final JsonWebToken entityStmnt) {
+        final Map<String, Object> bodyClaims = entityStmnt.getBodyClaims();
+        final Map<String, Object> metadata =
+                Objects.requireNonNull(
+                        (Map<String, Object>) bodyClaims.get("metadata"), "missing claim: metadata");
+        final Map<String, Object> openidRelyingParty =
+                Objects.requireNonNull(
+                        (Map<String, Object>) metadata.get("openid_provider"),
+                        "missing claim: openid_provider");
+        return Optional.ofNullable((String) openidRelyingParty.getOrDefault("signed_jwks_uri", null));
+    }
 }
diff --git a/...erver/src/main/java/de/gematik/idp/graserver/configuration/FdAuthServerConfiguration.java b/...erver/src/main/java/de/gematik/idp/graserver/configuration/FdAuthServerConfiguration.java
@@ -44,6 +44,7 @@ public class FdAuthServerConfiguration {
   private KeyConfig encPrivKeyConfig;
   private KeyConfig encPubKeyConfig;
   private KeyConfig tlsClientPrivKeyConfig;
+  private KeyConfig tlsClientPrivKeyRotationConfig;
   private String symmetricEncryptionKey;
   private String fedmasterUrl;
   private String fedmasterSigPubKeyFilePath;

diff --git a/gra-server/src/main/java/de/gematik/idp/graserver/configuration/SslConfig.java b/gra-server/src/main/java/de/gematik/idp/graserver/configuration/SslConfig.java
@@ -0,0 +1,74 @@
+/*
+ * Copyright 2025 gematik GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.gematik.idp.graserver.configuration;
+
+import de.gematik.idp.data.KeyConfig;
+import de.gematik.idp.graserver.exceptions.FdAuthServerException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+
+@Configuration
+@RequiredArgsConstructor
+public class SslConfig {
+
+  private final ResourceLoader resourceLoader;
+  private final FdAuthServerConfiguration fdAuthServerConfiguration;
+
+  @Bean
+  public SSLContext sslContext() {
+    return createSSLContext(fdAuthServerConfiguration.getTlsClientPrivKeyConfig(), "00");
+  }
+
+  private SSLContext createSSLContext(
+      final KeyConfig keyConfiguration, final String keystorePassword) {
+    final Resource resource = resourceLoader.getResource(keyConfiguration.getFileName());
+    try (final InputStream is = resource.getInputStream()) {
+      final KeyStore keyStore = KeyStore.getInstance("PKCS12");
+      keyStore.load(is, keystorePassword.toCharArray());
+
+      final KeyManagerFactory kmf =
+          KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+      kmf.init(keyStore, keystorePassword.toCharArray());
+
+      // create SSLContext with client certificate
+      final SSLContext sslContext = SSLContext.getInstance("TLS");
+      sslContext.init(kmf.getKeyManagers(), null, null);
+      return sslContext;
+
+    } catch (final NoSuchAlgorithmException
+        | KeyManagementException
+        | KeyStoreException
+        | UnrecoverableKeyException
+        | CertificateException
+        | IOException e) {
+      throw new FdAuthServerException("Could not create SSL context", e);
+    }
+  }
+}