v26.0.0

README.md

@@ -52,7 +52,7 @@ or use docker compose:
 
 ```console
 $ mvn clean install -pl idp-server -am -Dskip.unittests -Dskip.inttests
-$ export appVersion=25.1.1
+$ export appVersion=26.0.0
 $ export serverLoglevel=info (default)
 $ docker-compose --project-name myidp -f docker-compose-ref.yml up -d
 ```

ReleaseNotes.md

@@ -1,3 +1,8 @@
+# Release 26.0.0
+
+- Refactoring Key handling
+- update dependencies
+
 # Release 25.1.1
 
 - IdpJwtProcessor can be instantiated without X509Certificate

idp-client/pom.xml

@@ -7,13 +7,13 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>idp-global</artifactId>
-    <version>25.1.1</version>
+    <version>26.0.0</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
   <groupId>de.gematik.idp</groupId>
   <artifactId>idp-client</artifactId>
 
-  <version>25.1.1</version>
+  <version>26.0.0</version>
   <packaging>jar</packaging>
 
   <dependencies>

idp-commons/pom.xml

@@ -6,12 +6,12 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>idp-global</artifactId>
-    <version>25.1.1</version>
+    <version>26.0.0</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
   <artifactId>idp-commons</artifactId>
 
-  <version>25.1.1</version>
+  <version>26.0.0</version>
 
   <dependencies>
 

idp-commons/src/main/java/de/gematik/idp/authentication/AuthenticationChallengeVerifier.java

@@ -18,13 +18,13 @@
 
 import static de.gematik.idp.brainPoolExtension.BrainpoolAlgorithmSuiteIdentifiers.BRAINPOOL256_USING_SHA256;
 
-import de.gematik.idp.crypto.model.PkiIdentity;
 import de.gematik.idp.exceptions.ChallengeExpiredException;
 import de.gematik.idp.exceptions.ChallengeSignatureInvalidException;
 import de.gematik.idp.exceptions.IdpJoseException;
 import de.gematik.idp.exceptions.NoNestedJwtFoundException;
 import de.gematik.idp.field.ClaimName;
 import de.gematik.idp.token.JsonWebToken;
+import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.time.ZonedDateTime;
 import java.util.Map;
@@ -43,7 +43,7 @@
 @AllArgsConstructor
 public class AuthenticationChallengeVerifier {
 
-  private PkiIdentity serverIdentity;
+  private PublicKey serverPublicKey;
 
   public void verifyResponseAndThrowExceptionIfFail(final JsonWebToken authenticationResponse) {
     final X509Certificate clientCertificate =
@@ -93,7 +93,7 @@ private void performServerSignatureValidationOfNjwt(final JsonWebToken authentic
       throw new ChallengeExpiredException();
     }
     try {
-      serverChallenge.verify(serverIdentity.getCertificate().getPublicKey());
+      serverChallenge.verify(serverPublicKey);
     } catch (final Exception e) {
       throw new ChallengeSignatureInvalidException();
     }

idp-commons/src/main/java/de/gematik/idp/authentication/IdpJwtProcessor.java

@@ -42,7 +42,7 @@ public class IdpJwtProcessor {
 
   private final X509Certificate certificate;
   private final String algorithm;
-  private Optional<String> keyId;
+  private Optional<String> keyId = Optional.empty();
   private PrivateKey privateKey;
 
   public IdpJwtProcessor(final PrivateKey privKey, final String keyId) {
@@ -72,16 +72,13 @@ public IdpJwtProcessor(@NonNull final PkiIdentity identity, final Optional<Strin
   public IdpJwtProcessor(@NonNull final PkiIdentity identity) {
     this(identity.getCertificate());
     privateKey = identity.getPrivateKey();
-    this.keyId = Optional.empty();
   }
 
   public IdpJwtProcessor(@NonNull final X509Certificate certificate) {
     this.certificate = certificate;
-    if (certificate.getPublicKey() instanceof ECPublicKey) {
-      if (((ECPublicKey) certificate.getPublicKey()).getParams() instanceof ECNamedCurveSpec
-          && ((ECNamedCurveSpec) ((ECPublicKey) certificate.getPublicKey()).getParams())
-              .getName()
-              .equals("prime256v1")) {
+    if (certificate.getPublicKey() instanceof final ECPublicKey ecpublickey) {
+      if (ecpublickey.getParams() instanceof final ECNamedCurveSpec ecNamedCurveSpec
+          && ecNamedCurveSpec.getName().equals("prime256v1")) {
         algorithm = "ES256";
       } else {
         algorithm = BRAINPOOL256_USING_SHA256;

idp-commons/src/main/java/de/gematik/idp/authentication/JwtBuilder.java

@@ -132,11 +132,9 @@ public JsonWebToken buildJwt() {
   }
 
   private String determineAlgorithm() {
-    if (signerKey instanceof ECPrivateKey) {
-      if (((ECPrivateKey) signerKey).getParams() instanceof ECNamedCurveSpec
-          && ((ECNamedCurveSpec) ((ECPrivateKey) signerKey).getParams())
-              .getName()
-              .equals("prime256v1")) {
+    if (signerKey instanceof final ECPrivateKey ecPrivateKey) {
+      if (ecPrivateKey.getParams() instanceof final ECNamedCurveSpec ecNamedCurveSpec
+          && ecNamedCurveSpec.getName().equals("prime256v1")) {
         return AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256;
       } else {
         return BRAINPOOL256_USING_SHA256;

idp-commons/src/main/java/de/gematik/idp/data/FederationPrivKey.java

@@ -29,7 +29,7 @@ public class FederationPrivKey {
 
   private final PkiIdentity identity;
   private Optional<Boolean> addX5c;
-  private Optional<String> keyId;
+  private String keyId;
   private Optional<String> use;
 
   public IdpKeyDescriptor buildJwk() {

idp-commons/src/main/java/de/gematik/idp/data/FederationPubKey.java

@@ -16,31 +16,43 @@
 
 package de.gematik.idp.data;
 
-import de.gematik.idp.crypto.model.PkiIdentity;
+import de.gematik.idp.crypto.exceptions.IdpCryptoException;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
 import java.util.Optional;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.Setter;
 
+@Setter
 @AllArgsConstructor
 @RequiredArgsConstructor
 @Getter
 public class FederationPubKey {
 
-  private final PkiIdentity identity;
-  private final String issuer;
-  private final String type;
-  @Setter private Optional<Boolean> addX5c;
-  @Setter private Optional<String> keyId;
-  @Setter private Optional<String> use;
-  @Setter private String url;
+  private Optional<X509Certificate> certificate = Optional.empty();
+  private Optional<PublicKey> publicKey = Optional.empty();
+  private String keyId;
+  private Optional<String> use = Optional.empty();
 
-  public IdpKeyDescriptor buildJwk() {
-    final IdpKeyDescriptor keyDesc =
-        IdpKeyDescriptor.constructFromX509Certificate(
-            identity.getCertificate(), keyId, addX5c.orElse(false));
-    keyDesc.setPublicKeyUse(use.orElse(null));
-    return keyDesc;
+  public IdpKeyDescriptor buildJwkWithX5c() {
+    return IdpKeyDescriptor.constructFromX509Certificate(certificate.orElseThrow(), keyId, true);
+  }
+
+  public IdpKeyDescriptor buildJwkWithoutX5c() {
+    if (publicKey.isPresent()) {
+      final IdpKeyDescriptor keyDesc = IdpKeyDescriptor.createFromPublicKey(publicKey.get(), keyId);
+      use.ifPresent(keyDesc::setPublicKeyUse);
+      return keyDesc;
+    } else if (certificate.isPresent()) {
+      final IdpKeyDescriptor keyDesc =
+          IdpKeyDescriptor.constructFromX509Certificate(certificate.get(), keyId, false);
+      use.ifPresent(keyDesc::setPublicKeyUse);
+      return keyDesc;
+    } else {
+      throw new IdpCryptoException(
+          "FederationPubKey invalid. No PublicKey or certificate present.");
+    }
   }
 }

idp-commons/src/main/java/de/gematik/idp/data/IdpEccKeyDescriptor.java

@@ -20,6 +20,7 @@
 import com.fasterxml.jackson.annotation.JsonInclude.Include;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import de.gematik.idp.crypto.exceptions.IdpCryptoException;
+import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
@@ -48,6 +49,9 @@ public class IdpEccKeyDescriptor extends IdpKeyDescriptor {
   @JsonProperty("alg")
   private String alg;
 
+  // added for javadoc plugin
+  public static class IdpEccKeyDescriptorBuilder {}
+
   @Builder
   public IdpEccKeyDescriptor(
       final String[] x5c,
@@ -67,14 +71,25 @@ public IdpEccKeyDescriptor(
 
   public static IdpKeyDescriptor constructFromX509Certificate(
       final X509Certificate certificate, final String keyId, final boolean addX5C) {
-    try {
-      final IdpEccKeyDescriptor.IdpEccKeyDescriptorBuilder descriptorBuilder =
-          IdpEccKeyDescriptor.builder().keyId(keyId).keyType(getKeyType(certificate));
-      if (addX5C) {
-        descriptorBuilder.x5c(getCertArray(certificate));
-      }
+    final IdpEccKeyDescriptor.IdpEccKeyDescriptorBuilder descriptorBuilder =
+        IdpEccKeyDescriptor.builder().keyId(keyId).keyType(getKeyType(certificate));
+    if (addX5C) {
+      descriptorBuilder.x5c(getCertArray(certificate));
+    }
+    return getIdpEccKeyDescriptor(certificate.getPublicKey(), descriptorBuilder);
+  }
+
+  public static IdpKeyDescriptor createFromPublicKey(
+      final PublicKey publicKey, final String keyId) {
+    final IdpEccKeyDescriptor.IdpEccKeyDescriptorBuilder descriptorBuilder =
+        IdpEccKeyDescriptor.builder().keyId(keyId).keyType(getKeyType(publicKey));
+    return getIdpEccKeyDescriptor(publicKey, descriptorBuilder);
+  }
 
-      final BCECPublicKey bcecPublicKey = (BCECPublicKey) (certificate.getPublicKey());
+  private static IdpEccKeyDescriptor getIdpEccKeyDescriptor(
+      final PublicKey publicKey, final IdpEccKeyDescriptorBuilder descriptorBuilder) {
+    try {
+      final BCECPublicKey bcecPublicKey = (BCECPublicKey) publicKey;
       String eccCurveName = "";
       String alg = null;
       if (((ECNamedCurveParameterSpec) bcecPublicKey.getParameters())

idp-commons/src/main/java/de/gematik/idp/data/IdpKeyDescriptor.java

@@ -25,10 +25,10 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import de.gematik.idp.crypto.exceptions.IdpCryptoException;
 import de.gematik.idp.exceptions.IdpJoseException;
+import java.security.PublicKey;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.Base64;
-import java.util.Optional;
 import lombok.AllArgsConstructor;
 import lombok.EqualsAndHashCode;
 import lombok.Getter;
@@ -66,23 +66,36 @@ public static String[] getCertArray(final X509Certificate certificate) {
     }
   }
 
-  public static IdpKeyDescriptor constructFromX509Certificate(final X509Certificate certificate) {
-    return constructFromX509Certificate(certificate, Optional.empty(), true);
+  public static IdpKeyDescriptor constructFromX509Certificate(
+      final X509Certificate certificate, final String keyId) {
+    return constructFromX509Certificate(certificate, keyId, true);
   }
 
   public static IdpKeyDescriptor constructFromX509Certificate(
-      final X509Certificate certificate, final Optional<String> keyId, final boolean addX5C) {
+      final X509Certificate certificate, final String keyId, final boolean addX5C) {
     if (isEcKey(certificate.getPublicKey())) {
-      return IdpEccKeyDescriptor.constructFromX509Certificate(
-          certificate, keyId.orElse(certificate.getSerialNumber().toString()), addX5C);
+      return IdpEccKeyDescriptor.constructFromX509Certificate(certificate, keyId, addX5C);
     } else {
-      return IdpRsaKeyDescriptor.constructFromX509Certificate(
-          certificate, keyId.orElse(certificate.getSerialNumber().toString()), addX5C);
+      return IdpRsaKeyDescriptor.constructFromX509Certificate(certificate, keyId);
+    }
+  }
+
+  public static IdpKeyDescriptor createFromPublicKey(
+      final PublicKey publicKey, final String keyId) {
+
+    if (isEcKey(publicKey)) {
+      return IdpEccKeyDescriptor.createFromPublicKey(publicKey, keyId);
+    } else {
+      throw new IdpCryptoException("Unknown Key-Format encountered!");
     }
   }
 
   public static String getKeyType(final X509Certificate certificate) {
-    if (isEcKey(certificate.getPublicKey())) {
+    return getKeyType(certificate.getPublicKey());
+  }
+
+  public static String getKeyType(final PublicKey publicKey) {
+    if (isEcKey(publicKey)) {
       return EllipticCurveJsonWebKey.KEY_TYPE;
     } else {
       return RsaJsonWebKey.KEY_TYPE;

idp-commons/src/main/java/de/gematik/idp/data/IdpRsaKeyDescriptor.java

@@ -53,13 +53,12 @@ public IdpRsaKeyDescriptor(
   }
 
   public static IdpKeyDescriptor constructFromX509Certificate(
-      final X509Certificate certificate, final String keyId, final boolean addX5C) {
+      final X509Certificate certificate, final String keyId) {
     try {
       final IdpRsaKeyDescriptor.IdpRsaKeyDescriptorBuilder descriptorBuilder =
           IdpRsaKeyDescriptor.builder().keyId(keyId).keyType(getKeyType(certificate));
-      if (addX5C) {
-        descriptorBuilder.x5c(getCertArray(certificate));
-      }
+
+      descriptorBuilder.x5c(getCertArray(certificate));
 
       final BCRSAPublicKey bcrsaPublicKey = (BCRSAPublicKey) certificate.getPublicKey();
       descriptorBuilder

idp-commons/src/main/java/de/gematik/idp/data/JwtHelper.java

@@ -20,7 +20,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import de.gematik.idp.authentication.IdpJwtProcessor;
 import de.gematik.idp.exceptions.IdpRuntimeException;
-import java.util.Arrays;
+import java.util.List;
 import java.util.Map;
 import java.util.stream.Stream;
 import lombok.AccessLevel;
@@ -53,40 +53,39 @@ public static String invalidateJsonSignature(final String jwsRawString) {
     return String.join(".", splitJws);
   }
 
-  public static IdpJwksDocument getJwks(final FederationPrivKey... federationPrivKeys) {
-    return IdpJwksDocument.builder()
-        .keys(
-            Arrays.stream(federationPrivKeys)
-                .map(
-                    federationPrivKey -> {
-                      final IdpKeyDescriptor keyDesc =
-                          IdpKeyDescriptor.constructFromX509Certificate(
-                              federationPrivKey.getIdentity().getCertificate(),
-                              federationPrivKey.getKeyId(),
-                              federationPrivKey.getAddX5c().orElse(false));
-                      keyDesc.setPublicKeyUse(federationPrivKey.getUse().orElse(null));
-                      return keyDesc;
-                    })
-                .toList())
-        .build();
-  }
-
-  // TODO: IDP-740
   public static IdpJwksDocument getJwks(@NonNull final FederationPubKey... federationPubKeys) {
-    return IdpJwksDocument.builder()
-        .keys(
+    final List<IdpKeyDescriptor> keyDescriptors =
+        new java.util.ArrayList<>(
             Stream.of(federationPubKeys)
+                .filter(federationPubKey -> federationPubKey.getCertificate().isPresent())
                 .map(
                     federationPubKey -> {
                       final IdpKeyDescriptor keyDesc =
                           IdpKeyDescriptor.constructFromX509Certificate(
-                              federationPubKey.getIdentity().getCertificate(),
+                              federationPubKey.getCertificate().orElseThrow(),
                               federationPubKey.getKeyId(),
-                              federationPubKey.getAddX5c().orElse(false));
+                              true);
                       keyDesc.setPublicKeyUse(federationPubKey.getUse().orElse(null));
                       return keyDesc;
                     })
-                .toList())
-        .build();
+                .toList());
+
+    final List<IdpKeyDescriptor> keyDescriptorsWithoutX5c =
+        Stream.of(federationPubKeys)
+            .filter(federationPubKey -> federationPubKey.getPublicKey().isPresent())
+            .map(
+                federationPubKey -> {
+                  final IdpKeyDescriptor keyDesc =
+                      IdpKeyDescriptor.createFromPublicKey(
+                          federationPubKey.getPublicKey().orElseThrow(),
+                          federationPubKey.getKeyId());
+                  keyDesc.setPublicKeyUse(federationPubKey.getUse().orElse(null));
+                  return keyDesc;
+                })
+            .toList();
+
+    keyDescriptors.addAll(keyDescriptorsWithoutX5c);
+
+    return IdpJwksDocument.builder().keys(keyDescriptors).build();
   }
 }