Repository: cxf Updated Branches: refs/heads/master 1858ea6bc -> 1ebe682c6
Updating JwsSignatureVerifier to return the algorithm it actually supports
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1ebe682c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1ebe682c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1ebe682c
Branch: refs/heads/master
Commit: 1ebe682c694893295f16b2c56a499a25808b7e45
Parents: 1858ea6
Author: Sergey Beryozkin <[email protected]>
Authored: Wed Oct 22 16:44:00 2014 +0100
Committer: Sergey Beryozkin <[email protected]>
Committed: Wed Oct 22 16:44:00 2014 +0100
----------------------------------------------------------------------
.../jose/jws/EcDsaJwsSignatureVerifier.java | 3 --
.../jose/jws/HmacJwsSignatureVerifier.java | 29 ++++++++------------
.../security/jose/jws/JwsSignatureVerifier.java | 1 +
.../cxf/rs/security/jose/jws/JwsUtils.java | 3 +-
.../jose/jws/PublicKeyJwsSignatureVerifier.java | 9 +++---
.../security/jose/jws/JwsCompactHeaderTest.java | 17 ++++++++----
.../jose/jws/JwsCompactReaderWriterTest.java | 12 +++++---
.../cxf/systest/jaxrs/security/jwt/server.xml | 1 +
.../systest/jaxrs/security/bob.jwk.properties | 1 +
.../jaxrs/security/jws.ec.public.properties | 1 +
10 files changed, 42 insertions(+), 35 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
index 97a8991..6670367 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
@@ -24,9 +24,6 @@ import java.security.spec.AlgorithmParameterSpec;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 public class EcDsaJwsSignatureVerifier extends PublicKeyJwsSignatureVerifier {
- public EcDsaJwsSignatureVerifier(PublicKey key) {
- this(key, null);
- }
 public EcDsaJwsSignatureVerifier(PublicKey key, String supportedAlgo) {
 this(key, null, supportedAlgo);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
index e6ac50d..3bdf335 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
@@ -21,10 +21,9 @@ package org.apache.cxf.rs.security.jose.jws;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.Arrays;
-import org.apache.cxf.common.util.Base64Exception;
-import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.common.util.crypto.HmacUtils;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
+import org.apache.cxf.rs.security.jose.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
@@ -32,28 +31,18 @@ public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
 private AlgorithmParameterSpec hmacSpec;
 private String supportedAlgo;
- public HmacJwsSignatureVerifier(byte[] key) {
- this(key, null);
+ public HmacJwsSignatureVerifier(String encodedKey, String supportedAlgo) {
+ this(JoseUtils.decode(encodedKey), supportedAlgo);
 }
- public HmacJwsSignatureVerifier(byte[] key, AlgorithmParameterSpec spec) {
- this(key, spec, null);
+ public HmacJwsSignatureVerifier(byte[] key, String supportedAlgo) {
+ this(key, null, supportedAlgo);
 }
 public HmacJwsSignatureVerifier(byte[] key, AlgorithmParameterSpec spec, String supportedAlgo) {
 this.key = key;
 this.hmacSpec = spec;
 this.supportedAlgo = supportedAlgo;
 }
- public HmacJwsSignatureVerifier(String encodedKey) {
- this(encodedKey, null);
- }
- public HmacJwsSignatureVerifier(String encodedKey, String supportedAlgo) {
- try {
- this.key = Base64UrlUtility.decode(encodedKey);
- } catch (Base64Exception ex) {
- throw new SecurityException();
- }
- this.supportedAlgo = supportedAlgo;
- }
+ @Override
 public boolean verify(JoseHeaders headers, String unsignedText, byte[] signature) {
@@ -71,9 +60,13 @@ public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
 protected String checkAlgorithm(String algo) {
 if (algo == null || !Algorithm.isHmacSign(algo)
- || supportedAlgo != null && !supportedAlgo.equals(algo)) {
+ || !algo.equals(supportedAlgo)) {
 throw new SecurityException();
 }
 return algo;
 }
+ @Override
+ public String getAlgorithm() {
+ return supportedAlgo;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
----------------------------------------------------------------------
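Review bot: Both new two-argument constructors, and the three-argument one they delegate to, still accept a null `supportedAlgo`, while the tightened `checkAlgorithm` in the next hunk now evaluates `!algo.equals(supportedAlgo)`, so a verifier built with a null algorithm rejects every token with a bare `SecurityException` at the first verify() call instead of failing where it is configured; add `this.supportedAlgo = Objects.requireNonNull(supportedAlgo, "supportedAlgo");` to the three-argument constructor (with `java.util.Objects` imported). The identical equals change in PublicKeyJwsSignatureVerifier.checkAlgorithm has the same gap. The removed constructor body turned a `Base64Exception` from decoding the key into `SecurityException`; unless `JoseUtils.decode` does the same, the exception type callers see for a malformed key has changed, which is worth confirming since the old code made that choice deliberately. Requiring an exact match rather than any HMAC-family algorithm is the right direction: the token no longer gets to choose which algorithm the configured key is used with. The class body and verify() continue outside the hunk.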
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
index 82e4f6b..492c676 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
@@ -22,4 +22,5 @@ import org.apache.cxf.rs.security.jose.JoseHeaders;
 public interface JwsSignatureVerifier {
 boolean verify(JoseHeaders headers, String unsignedText, byte[] signature);
+ String getAlgorithm();
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 30e3b8c..c9741a2 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -122,8 +122,9 @@ public final class JwsUtils {
 theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
 } else {
+ rsaSignatureAlgo = getSignatureAlgo(props, null);
 theVerifier = new PublicKeyJwsSignatureVerifier(
- (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props));
+ (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), rsaSignatureAlgo);
 }
 return theVerifier;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
----------------------------------------------------------------------
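Review bot: `String getAlgorithm();` is added to the public interface without Javadoc, and because the verifiers in this commit now reject any `alg` header that differs from this value, the contract should be spelled out: `/** Returns the JWS "alg" value this verifier accepts; verify() rejects tokens signed with any other algorithm. */`. Adding an abstract method also breaks any implementation of JwsSignatureVerifier outside this module; if the module still targets a pre-Java-8 level a default method is not an option, so the API change deserves a mention in the commit message or release notes.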
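Review bot: `getSignatureAlgo(props, null)` in the else branch means that when the signature-algorithm property is absent (presumably the `rs.security.jws.content.signature.algorithm` key this commit adds to bob.jwk.properties) the verifier is built with a null `supportedAlgo`, and with the exact-match checkAlgorithm in this commit it then rejects every token with a bare `SecurityException` far from the misconfiguration that caused it. Fail fast here instead, e.g. `if (rsaSignatureAlgo == null) { throw new SecurityException("signature algorithm is not configured"); }` before the verifier is constructed. The enclosing method starts outside the hunk, so an earlier check covering this case is not visible to me.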
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
index 9f910e8..3ff9d66 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
@@ -31,9 +31,6 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
 private AlgorithmParameterSpec signatureSpec;
 private String supportedAlgo;
- public PublicKeyJwsSignatureVerifier(PublicKey key) {
- this(key, null);
- }
 public PublicKeyJwsSignatureVerifier(PublicKey key, String supportedAlgorithm) {
 this(key, null, supportedAlgorithm);
 }
@@ -57,7 +54,7 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
 protected String checkAlgorithm(String algo) {
 if (algo == null || !isValidAlgorithmFamily(algo)
- || supportedAlgo != null && !supportedAlgo.equals(algo)) {
+ || !algo.equals(supportedAlgo)) {
 throw new SecurityException();
 }
 return algo;
@@ -65,5 +62,9 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
 protected boolean isValidAlgorithmFamily(String algo) {
 return Algorithm.isRsaShaSign(algo);
 }
+ @Override
+ public String getAlgorithm() {
+ return supportedAlgo;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
index 0cc0a07..942a856 100644
--- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
@@ -18,6 +18,8 @@
 */
 package org.apache.cxf.rs.security.jose.jws;
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+
 import org.junit.Assert;
 import org.junit.Test;
@@ -114,21 +116,24 @@ public class JwsCompactHeaderTest extends Assert {
 public void verifyJwsWithMissingAlgHeaderField() throws Exception {
 JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(MISSING_ALG_HEADER_FIELD_IN_JWS);
- assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
 }
 @Test
 public void verifyJwsWithTwoAlgHeaderFieldsBogusFieldFirst() throws Exception {
 JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(TWO_ALG_HEADER_FIELDS_IN_JWS_BOGUS_FIRST);
- assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
 }
 @Test
 public void verifyJwsWithTwoAlgHeaderFieldsBogusFieldLast() throws Exception {
 JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(TWO_ALG_HEADER_FIELDS_IN_JWS_BOGUS_LAST);
- assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
 }
 @Test
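Review bot: The five updated assertions in this file (this hunk and the `@@ -137,9` hunk) each inline `new HmacJwsSignatureVerifier(ENCODED_MAC_KEY, Algorithm.HmacSHA256.getJwtName())` over two lines; a helper such as `private static HmacJwsSignatureVerifier hs256Verifier() { return new HmacJwsSignatureVerifier(ENCODED_MAC_KEY, Algorithm.HmacSHA256.getJwtName()); }` keeps each assert on one line and makes the algorithm pinning visible. The behavioural change of this commit — checkAlgorithm now rejects any `alg` that is not the configured one — still has no test: none of the updated cases builds a verifier with a different HMAC algorithm name and asserts that the HS256-signed token is rejected. The method touched by the `@@ -137,9` hunk starts outside that hunk.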
@@ -137,9 +142,11 @@ public class JwsCompactHeaderTest extends Assert {
 JwsCompactConsumer jwsConsumerAltered = new JwsCompactConsumer(ALG_HEADER_VALUE_NONE_IN_JWS);
- assertTrue(jwsConsumerOriginal.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertTrue(jwsConsumerOriginal.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
- assertFalse(jwsConsumerAltered.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertFalse(jwsConsumerAltered.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
index e37b854..6b34b94 100644
--- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
@@ -129,7 +129,8 @@ public class JwsCompactReaderWriterTest extends Assert {
 @Test
 public void testReadJwsSignedByMacSpecExample() throws Exception {
 JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_SIGNED_BY_MAC);
- assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
 JwtToken token = jws.getJwtToken();
 JoseHeaders headers = token.getHeaders();
 assertEquals(JoseConstants.TYPE_JWT, headers.getType());
@@ -176,7 +177,8 @@ public class JwsCompactReaderWriterTest extends Assert {
 @Test
 public void testReadJwsWithJwkSignedByMac() throws Exception {
 JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_WITH_JSON_KEY_SIGNED_BY_MAC);
- assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
 JwtToken token = jws.getJwtToken();
 JoseHeaders headers = token.getHeaders();
 assertEquals(JoseConstants.TYPE_JWT, headers.getType());
@@ -223,7 +225,8 @@ public class JwsCompactReaderWriterTest extends Assert {
 EC_X_POINT_ENCODED, EC_Y_POINT_ENCODED);
 JwsJwtCompactConsumer jwsConsumer = new JwsJwtCompactConsumer(signedJws);
- assertTrue(jwsConsumer.verifySignatureWith(new EcDsaJwsSignatureVerifier(publicKey)));
+ assertTrue(jwsConsumer.verifySignatureWith(new EcDsaJwsSignatureVerifier(publicKey,
+ Algorithm.SHA256withECDSA.getJwtName())));
 JwtToken token = jwsConsumer.getJwtToken();
 JoseHeaders headersReceived = token.getHeaders();
 assertEquals(Algorithm.SHA256withECDSA.getJwtName(), headersReceived.getAlgorithm());
@@ -234,7 +237,8 @@ public class JwsCompactReaderWriterTest extends Assert {
 public void testReadJwsSignedByPrivateKey() throws Exception {
 JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY);
 RSAPublicKey key = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED, RSA_PUBLIC_EXPONENT_ENCODED);
- assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key)));
+ assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key,
+ JoseConstants.RS_SHA_256_ALGO)));
 JwtToken token = jws.getJwtToken();
 JoseHeaders headers = token.getHeaders();
 assertEquals(Algorithm.SHA256withRSA.getJwtName(), headers.getAlgorithm());
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
index d235dfc..b03b94c 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
@@ -71,6 +71,7 @@ under the License.
 <bean id="hmacSigVerifier" class="org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureVerifier">
 <constructor-arg value="AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"/>
+ <constructor-arg value="HS256"/>
 </bean>
 <bean id="jwsHmacInFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwsContainerRequestFilter">
 <property name="signatureVerifier" ref="hmacSigVerifier"/>
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
----------------------------------------------------------------------
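Review bot: This test passes `JoseConstants.RS_SHA_256_ALGO` to the verifier but two lines later asserts the header against `Algorithm.SHA256withRSA.getJwtName()`, and every other updated test in this file pins the algorithm through the `Algorithm` enum; use `Algorithm.SHA256withRSA.getJwtName()` for the constructor argument as well, or, if the intent is to show that the two constants agree, assert that explicitly rather than leaving it implied.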
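Review bot: The `hmacSigVerifier` bean now supplies two untyped `<constructor-arg>` values to a constructor whose parameters are both Strings (`encodedKey`, `supportedAlgo`), so which value becomes the key and which the algorithm rests on XML order alone; pin it with `<constructor-arg index="0" value="..."/>` for the key and `<constructor-arg index="1" value="HS256"/>` for the algorithm. The enclosing `<beans>` element lies outside the hunk.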
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
index 8d43f81..b57af21 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
@@ -21,3 +21,4 @@ rs.security.keystore.alias=2011-04-29
 rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
 rs.security.jwe.content.encryption.algorithm=A128GCM
 rs.security.jwe.key.encryption.algorithm=RSA-OAEP
+rs.security.jws.content.signature.algorithm=RS256
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
index 9d67710..5178e85 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
@@ -17,3 +17,4 @@ rs.security.keystore.type=jwk
 rs.security.keystore.alias=ECKey
 rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
+rs.security.jws.content.signature.algorithm=ES256
\ No newline at end of file
