Class ExternalKeyStoreTest


  • public class ExternalKeyStoreTest
    extends java.lang.Object
    This test class validates a LLSEC-External-KeyStore Abstraction Layer implementation.

    It requires the external key store to be provisioned with at least a private key, a certificate chain, a secret key and a trusted certificate (not attached to a key, i.e. with the same alias). Such a PKCS12 keystore is provided in resources, it must be configured with the Application option: -Dej.crypto.mock.externalks.path=${project_loc:/security-testsuite}/src/test/resources/test-keystore.p12

    To configure the tests, set the following properties:

    • com.microej.crypto.test.ExternalKeyStoreTest.keystore.type: the type of the KeyStore to test (see KeyStore.getInstance(String)) (defaults to "EXTERNALKS"),
    • com.microej.crypto.test.ExternalKeyStoreTest.keystore.password: the password of the KeyStore to test (see KeyStore.load(java.io.InputStream, char[])) (defaults to "changeit"),
    • com.microej.crypto.test.ExternalKeyStoreTest.keystore.size: the expected number of entries in the provisioned KeyStore (defaults to 4),
    • com.microej.crypto.test.ExternalKeyStoreTest.privatekey.extractable: whether KeyStore.getKey().getEncoded() returns the raw key bytes for a private key imported via setKeyEntry. Set to false for HSM-backed keystores (e.g. PKCS#11) where the key never leaves the token; set to true for file-backed keystores like PKCS#12 (defaults to true),
    • com.microej.crypto.test.ExternalKeyStoreTest.privatekey.protected.data: a valid private key in protected (PKCS#8 EncryptedPrivateKeyInfo) format, base64-encoded (defaults to a built-in test key),
    • com.microej.crypto.test.ExternalKeyStoreTest.privatekey.data: a valid private key in PKCS#8 encoded format, base64-encoded (defaults to a built-in test key),
    • com.microej.crypto.test.ExternalKeyStoreTest.privatekey.algorithm: the algorithm of the private key (defaults to "RSA"),
    • com.microej.crypto.test.ExternalKeyStoreTest.privatekey.alias: the alias of a valid private key (defaults to "test-entity"),
    • com.microej.crypto.test.ExternalKeyStoreTest.privatekey.tmp.alias: the alias used by tests that mutate a private-key entry (set/delete) so they don't pollute the production private-key alias (defaults to "test-tmp-private"),
    • com.microej.crypto.test.ExternalKeyStoreTest.privatekey.password: the password for this private key (defaults to "changeit"),
    • com.microej.crypto.test.ExternalKeyStoreTest.privatekey.signature.algorithm: the signature algorithm to use for testing the use of the private key from the KeyStore (defaults to "SHA256withECDSA"),
    • com.microej.crypto.test.ExternalKeyStoreTest.privatekey.signature.data: the payload to sign when testing signature with the private key from the KeyStore; the produced signature is verified against the trusted certificate rather than a fixed expected output (defaults to "Hello World!"),
    • com.microej.crypto.test.ExternalKeyStoreTest.privatekey.keyagreement.algorithm: the key agreement algorithm to use for testing key agreement with the private key from the KeyStore (defaults to "ECDH"),
    • com.microej.crypto.test.ExternalKeyStoreTest.privatekey.keyagreement.secret: the expected shared secret (base64-encoded) computed by key agreement between the private key from the KeyStore and the public key from the trusted certificate (defaults to "Lg7mq+j/QKp8sk+zMK0tPmnKvpQhS7yZEAr4Y/HN7JOMp/ePumCoWCY/hA0llZYO"),
    • com.microej.crypto.test.ExternalKeyStoreTest.secretkey.extractable: whether KeyStore.getKey().getEncoded() returns the raw key bytes for a secret key imported via setKeyEntry. Set to false for HSM-backed keystores (e.g. PKCS#11); set to true for file-backed keystores like PKCS#12 (defaults to true),
    • com.microej.crypto.test.ExternalKeyStoreTest.secretkey.data: the encoded secret key data in base64 (defaults to "L83/flz9vi46b8aX57Trqg=="),
    • com.microej.crypto.test.ExternalKeyStoreTest.secretkey.algorithm: the algorithm of the secret key (defaults to "AES"),
    • com.microej.crypto.test.ExternalKeyStoreTest.secretkey.alias: the alias of a valid secret key (defaults to "test-secret"),
    • com.microej.crypto.test.ExternalKeyStoreTest.secretkey.tmp.alias: the alias used by tests that mutate a secret-key entry (set/delete) so they don't pollute the production secret-key alias (defaults to "test-tmp-secret"),
    • com.microej.crypto.test.ExternalKeyStoreTest.secretkey.password: the password for this secret key (defaults to "changeit"),
    • com.microej.crypto.test.ExternalKeyStoreTest.secretkey.cipher.transformation: the cipher transformation to use for testing the use of the secret key from the KeyStore (defaults to "AES/CBC/NoPadding"),
    • com.microej.crypto.test.ExternalKeyStoreTest.secretkey.cipher.payload: the plaintext payload to encrypt when testing the cipher, as a hex string (defaults to "00112233445566778899AABBCCDDEEFF"),
    • com.microej.crypto.test.ExternalKeyStoreTest.secretkey.cipher.iv: the IV used by the cipher, as a hex string (defaults to "00112233445566778899AABBCCDDEEFF"),
    • com.microej.crypto.test.ExternalKeyStoreTest.secretkey.cipher.encrypted: the expected ciphertext (base64-encoded) produced by the cipher on the configured payload/IV (defaults to "vF23ACh1j3eRnVIkfKq9rb+8FpSYLFE3TcthFDnmOcg="),
    • com.microej.crypto.test.ExternalKeyStoreTest.certificate.data: an X.509 certificate (base64-encoded DER) used by mutation tests when importing a trusted-certificate or certificate-chain entry (defaults to a built-in test certificate),
    • com.microej.crypto.test.ExternalKeyStoreTest.certificate.alias: the alias of a valid trusted certificate, not attached to a key (defaults to "test-trusted-cert"),
    • com.microej.crypto.test.ExternalKeyStoreTest.certificate.tmp.alias: the alias used by tests that mutate a trusted-certificate entry (set/delete) so they don't pollute the production certificate alias (defaults to "test-tmp-cert"),
    • com.microej.crypto.test.ExternalKeyStoreTest.certificatechain.alias: the alias of a valid certificate chain (defaults to "test-entity"),
    • com.microej.crypto.test.ExternalKeyStoreTest.certificatechain.length: the expected length of the certificate chain at the certificatechain alias (defaults to 2),
    • Constructor Detail

      • ExternalKeyStoreTest

        public ExternalKeyStoreTest()
    • Method Detail

      • testListAliases

        public void testListAliases()
                             throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testListAliasesDoesNotLeakStaleBytes

        public void testListAliasesDoesNotLeakStaleBytes()
                                                  throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testContainsAlias

        public void testContainsAlias()
                               throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testGetKey

        public void testGetKey()
                        throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testGetKeyForInvalidAliasReturnsNull

        public void testGetKeyForInvalidAliasReturnsNull()
                                                  throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testGetKeyForNonKeyAliasReturnsNull

        public void testGetKeyForNonKeyAliasReturnsNull()
                                                 throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testGetCertificate

        public void testGetCertificate()
                                throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testGetCertificateForInvalidAliasReturnsNull

        public void testGetCertificateForInvalidAliasReturnsNull()
                                                          throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testGetCertificateForNonCertificateAliasReturnsNull

        public void testGetCertificateForNonCertificateAliasReturnsNull()
                                                                 throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testGetCertificateChain

        public void testGetCertificateChain()
                                     throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testGetCertificateChainForInvalidAliasReturnsNull

        public void testGetCertificateChainForInvalidAliasReturnsNull()
                                                               throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testCheckEntryType

        public void testCheckEntryType()
                                throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testSetCertificateAndDeleteEntry

        public void testSetCertificateAndDeleteEntry()
                                              throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testSetPrivateKeyProtectedAndDeleteEntry

        public void testSetPrivateKeyProtectedAndDeleteEntry()
                                                      throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testSetSecretKeyAndDeleteEntry

        public void testSetSecretKeyAndDeleteEntry()
                                            throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testDeleteEntryInvalidAlias

        public void testDeleteEntryInvalidAlias()
                                         throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testSetCertificateEntry

        public void testSetCertificateEntry()
                                     throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testSetKeyEntryPrivateKeyAndCertificateChain

        public void testSetKeyEntryPrivateKeyAndCertificateChain()
                                                          throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testSetKeyEntryPrivateKeyProtected

        public void testSetKeyEntryPrivateKeyProtected()
                                                throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testSetKeyEntrySecretKey

        public void testSetKeyEntrySecretKey()
                                      throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testGetCertificateChainForNonCertificateAliasReturnsNull

        public void testGetCertificateChainForNonCertificateAliasReturnsNull()
                                                                      throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testGetCertificateForCertificateChainAliasReturnsFirstCertificate

        public void testGetCertificateForCertificateChainAliasReturnsFirstCertificate()
                                                                               throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testCanUsePrivateKeyFromKeyStoreForSignatureAndVerifyItWithCertificateWithPayload

        public void testCanUsePrivateKeyFromKeyStoreForSignatureAndVerifyItWithCertificateWithPayload()
                                                                                               throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testCanUsePrivateKeyFromKeyStoreForSignatureAndVerifyItWithCertificate

        public void testCanUsePrivateKeyFromKeyStoreForSignatureAndVerifyItWithCertificate()
                                                                                    throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testCanUseSecretKeyFromKeyStoreForCipher

        public void testCanUseSecretKeyFromKeyStoreForCipher()
                                                      throws java.lang.Exception
        Throws:
        java.lang.Exception
      • testCanUsePrivateKeyFromKeyStoreForKeyAgreement

        public void testCanUsePrivateKeyFromKeyStoreForKeyAgreement()
                                                             throws java.lang.Exception
        Throws:
        java.lang.Exception