Add support for selecting a key for decryption using the sha-1 hash in the header
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/179db4aa Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/179db4aa Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/179db4aa Branch: refs/heads/3.0.x-fixes Commit: 179db4aa4090eb244d1aad54e2073f0ade0a6beb Parents: 049a8bd Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Mon Oct 26 16:06:58 2015 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Mon Oct 26 17:08:47 2015 +0000 ---------------------------------------------------------------------- .../rs/security/jose/common/KeyManagementUtils.java | 4 ++-- .../apache/cxf/rs/security/jose/jwe/JweUtils.java | 15 ++++++++++++++- 2 files changed, 16 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/179db4aa/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
index 57929c2..3eb4637 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
@@ -369,12 +369,12 @@ public final class KeyManagementUtils {
 return props;
 }
 public static PrivateKey loadPrivateKey(Message m, Properties props,
- List<X509Certificate> inCerts,
+ X509Certificate inCert,
 KeyOperation keyOper) {
 KeyStore ks = loadPersistKeyStore(m, props);
 try {
- String alias = ks.getCertificateAlias(inCerts.get(0));
+ String alias = ks.getCertificateAlias(inCert);
 return loadPrivateKey(ks, m, props, keyOper, alias);
 } catch (Exception ex) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/179db4aa/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 4591bc3..e23f605 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
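Review bot: The new `inCert` parameter goes straight into `ks.getCertificateAlias(inCert)` with no null check, and the caller in JweUtils now hands it `chain == null ? null : chain.get(0)`, so null is a reachable input here. With the standard keystore implementations a null certificate makes that lookup return a null alias rather than fail, and what happens next depends on how the alias-based `loadPrivateKey` overload treats a null alias (outside this hunk) — if it falls back to a configured default alias, a message that carried no usable chain would be decrypted with a key the header never identified. Reject the null before the keystore is opened, e.g. `Objects.requireNonNull(inCert, "inCert");` ahead of `KeyStore ks = loadPersistKeyStore(m, props);`, or state in the Javadoc that a null certificate is rejected. The `catch (Exception ex)` body continues outside the hunk.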
@@ -368,11 +368,24 @@ public final class JweUtils {
 // Supporting loading a private key via a certificate for now
 List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
 KeyManagementUtils.validateCertificateChain(props, chain);
+ X509Certificate cert = chain == null ? null : chain.get(0);
 PrivateKey privateKey =
- KeyManagementUtils.loadPrivateKey(m, props, chain, KeyOperation.DECRYPT);
+ KeyManagementUtils.loadPrivateKey(m, props, cert, KeyOperation.DECRYPT);
 contentEncryptionAlgo = inHeaders.getContentEncryptionAlgorithm().getJwaName();
 keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, inHeaders.getKeyEncryptionAlgorithm());
+ } else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
+ X509Certificate foundCert =
+ KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509Thumbprint(),
+ MessageDigestUtils.ALGO_SHA_1,
+ m, props);
+ if (foundCert != null) {
+ PrivateKey privateKey =
+ KeyManagementUtils.loadPrivateKey(m, props, foundCert, KeyOperation.DECRYPT);
+ contentEncryptionAlgo = inHeaders.getContentEncryptionAlgorithm().getJwaName();
+ keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey,
+ inHeaders.getKeyEncryptionAlgorithm());
+ }
 } else {
 if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.DECRYPT);
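Review bot: In the new `else if` branch a thumbprint that matches nothing (`foundCert == null`) is silently ignored: the branch has already been taken, so the `else` keystore/JWK fallback is skipped, yet `keyDecryptionProvider` is never assigned and nothing is raised or logged, leaving the caller to fail later with no indication that the thumbprint header named a certificate this keystore does not hold. Handle the miss explicitly — throw whatever this method raises elsewhere when no decryption key can be resolved, or at minimum log the unmatched thumbprint at warn level — rather than falling through. The x5c branch is also slightly fragile: `chain == null ? null : chain.get(0)` still throws on an empty list, and `chain == null || chain.isEmpty() ? null : chain.get(0)` covers both cases (unless validateCertificateChain already rejects an empty chain, which is outside the hunk). The two branches now duplicate the privateKey/contentEncryptionAlgo/keyDecryptionProvider assignments; a small private helper taking the resolved X509Certificate would keep them in step. The enclosing method begins before and continues after the hunk.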